Analysis

  • max time kernel
    88s
  • max time network
    83s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags
    arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    01-06-2024 09:25

General

  • Target

    Gtad Robux.exe

  • Size

    15.6MB

  • MD5

    af57a521d895d3e45f0a318d2fb22d59

  • SHA1

    ea6b0219e72bf8389959c5dac06857a1b1b445e6

  • SHA256

    a0716b835b01a9873d6db1f42bcbfed80b98e30ef35d28299943317be11e8358

  • SHA512

    a3c1ddcad6ea71b5cad0770987f75ac6a05d24eb1ae9000c9fd2cabaa8898a2fb12d2697e0dea183819b2fd1ec1f82cd7384ea4bb2b25c44d506d3fda4bd86e2

  • SSDEEP

    393216:CvrwQDo4Maa+hMR/9b44A+6QhUyEXkb3mFMU5GryM/pVD:crXo4XJhMR/FAuU1Xk3mFUtpVD

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 23 IoCs
  • Drops file in Windows directory 1 IoCs
  • Detects Pyinstaller 1 IoCs
  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Gtad Robux.exe
    "C:\Users\Admin\AppData\Local\Temp\Gtad Robux.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4920
    • C:\Users\Admin\AppData\Local\Temp\Gtad Robux.exe
      "C:\Users\Admin\AppData\Local\Temp\Gtad Robux.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:3848
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Gtad Robux.exe'"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4268
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Gtad Robux.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:372
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3612
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4540
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3720
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:64
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c "start bound.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2492
        • C:\Users\Admin\AppData\Local\Temp\bound.exe
          bound.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:2828
          • C:\Users\Admin\AppData\Local\Temp\bound.exe
            bound.exe
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of SetWindowsHookEx
            PID:1560
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2980
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist /FO LIST
          4⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:1940
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:492
        • C:\Windows\SysWOW64\Wbem\WMIC.exe
          wmic csproduct get uuid
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:3312
  • C:\Windows\system32\mspaint.exe
    "C:\Windows\system32\mspaint.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    PID:1580
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s DeviceAssociationService
    1⤵
    PID:660

MITRE ATT&CK Enterprise v15

Downloads
