Malware Analysis Report

2024-08-06 13:12

Sample ID 240618-xgxeqavapc
Target win5i.zip
SHA256 8a6f75426c02db73affeb070b56bebcbfb8769387dfc15f94018ffc1f63d3938
Tags
persistence privilege_escalation spyware stealer upx rat default pyinstaller asyncrat discovery
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8a6f75426c02db73affeb070b56bebcbfb8769387dfc15f94018ffc1f63d3938

Threat Level: Known bad

The file win5i.zip was found to be: Known bad.

Malicious Activity Summary

persistence privilege_escalation spyware stealer upx rat default pyinstaller asyncrat discovery

Asyncrat family

AsyncRat

Async RAT payload

Async RAT payload

UPX packed file

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Looks up external IP address via web service

Checks installed software on the system

Unsigned PE

Event Triggered Execution: Netsh Helper DLL

Enumerates physical storage devices

Detects Pyinstaller

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Scheduled Task/Job: Scheduled Task

Suspicious use of SetWindowsHookEx

Runs ping.exe

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Scheduled Task/Job
T1053
Scheduled Task
T1053.005
Persistence
TA0003
Event Triggered Execution
T1546
Netsh Helper DLL
T1546.007
Scheduled Task/Job
T1053
Scheduled Task
T1053.005
Privilege Escalation
TA0004
Event Triggered Execution
T1546
Netsh Helper DLL
T1546.007
Scheduled Task/Job
T1053
Scheduled Task
T1053.005
Defense Evasion
TA0005
Credential Access
TA0006
Unsecured Credentials
T1552
Credentials In Files
T1552.001
Discovery
TA0007
Remote System Discovery
T1018
Query Registry
T1012
System Information Discovery
T1082
Lateral Movement
TA0008
Collection
TA0009
Data from Local System
T1005
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-18 18:50

Signatures

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Asyncrat family

asyncrat

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-18 18:50

Reported

2024-06-18 18:52

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\win5.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\win5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\win5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\win5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\win5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\win5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\win5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\win5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\win5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\win5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\win5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\win5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\win5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\win5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\win5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\win5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\win5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\win5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\win5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\win5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\win5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\win5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\win5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\win5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\win5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\win5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\win5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\win5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\win5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\win5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\win5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\win5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\win5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\win5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\win5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\win5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\win5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\win5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\win5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\win5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\win5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\win5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\win5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\win5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\win5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\win5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\win5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\win5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\win5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\win5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\win5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\win5.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Looks up external IP address via web service

Description Indicator Process Target
N/A ipapi.co N/A N/A
N/A ipapi.co N/A N/A
N/A ipapi.co N/A N/A
N/A ipapi.co N/A N/A

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\win5.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4376 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\win5.exe C:\Users\Admin\AppData\Local\Temp\win5.exe
PID 4376 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\win5.exe C:\Users\Admin\AppData\Local\Temp\win5.exe
PID 2140 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\win5.exe C:\Windows\system32\cmd.exe
PID 2140 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\win5.exe C:\Windows\system32\cmd.exe
PID 2656 wrote to memory of 2092 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\wbem\WMIC.exe
PID 2656 wrote to memory of 2092 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\wbem\WMIC.exe
PID 2140 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\win5.exe C:\Windows\system32\cmd.exe
PID 2140 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\win5.exe C:\Windows\system32\cmd.exe
PID 1480 wrote to memory of 5004 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\wbem\WMIC.exe
PID 1480 wrote to memory of 5004 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\wbem\WMIC.exe
PID 2140 wrote to memory of 3556 N/A C:\Users\Admin\AppData\Local\Temp\win5.exe C:\Windows\system32\cmd.exe
PID 2140 wrote to memory of 3556 N/A C:\Users\Admin\AppData\Local\Temp\win5.exe C:\Windows\system32\cmd.exe
PID 3556 wrote to memory of 1800 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\wbem\WMIC.exe
PID 3556 wrote to memory of 1800 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\wbem\WMIC.exe
PID 2140 wrote to memory of 4052 N/A C:\Users\Admin\AppData\Local\Temp\win5.exe C:\Windows\system32\cmd.exe
PID 2140 wrote to memory of 4052 N/A C:\Users\Admin\AppData\Local\Temp\win5.exe C:\Windows\system32\cmd.exe
PID 4052 wrote to memory of 752 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4052 wrote to memory of 752 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2140 wrote to memory of 4436 N/A C:\Users\Admin\AppData\Local\Temp\win5.exe C:\Windows\system32\cmd.exe
PID 2140 wrote to memory of 4436 N/A C:\Users\Admin\AppData\Local\Temp\win5.exe C:\Windows\system32\cmd.exe
PID 4436 wrote to memory of 4448 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4436 wrote to memory of 4448 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2140 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Local\Temp\win5.exe C:\Windows\system32\cmd.exe
PID 2140 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Local\Temp\win5.exe C:\Windows\system32\cmd.exe
PID 1560 wrote to memory of 4036 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1560 wrote to memory of 4036 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2140 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\win5.exe C:\Windows\system32\cmd.exe
PID 2140 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\win5.exe C:\Windows\system32\cmd.exe
PID 2140 wrote to memory of 4676 N/A C:\Users\Admin\AppData\Local\Temp\win5.exe C:\Windows\system32\cmd.exe
PID 2140 wrote to memory of 4676 N/A C:\Users\Admin\AppData\Local\Temp\win5.exe C:\Windows\system32\cmd.exe
PID 4676 wrote to memory of 1784 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4676 wrote to memory of 1784 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2140 wrote to memory of 3084 N/A C:\Users\Admin\AppData\Local\Temp\win5.exe C:\Windows\system32\cmd.exe
PID 2140 wrote to memory of 3084 N/A C:\Users\Admin\AppData\Local\Temp\win5.exe C:\Windows\system32\cmd.exe
PID 3084 wrote to memory of 1548 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 3084 wrote to memory of 1548 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\win5.exe

"C:\Users\Admin\AppData\Local\Temp\win5.exe"

C:\Users\Admin\AppData\Local\Temp\win5.exe

"C:\Users\Admin\AppData\Local\Temp\win5.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"

C:\Windows\System32\wbem\WMIC.exe

C:\Windows\System32\wbem\WMIC.exe csproduct get uuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"

C:\Windows\System32\wbem\WMIC.exe

C:\Windows\System32\wbem\WMIC.exe csproduct get uuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"

C:\Windows\System32\wbem\WMIC.exe

C:\Windows\System32\wbem\WMIC.exe csproduct get uuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "ver"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /F "C:\Users\Admin\AppData\Local\Temp\win5.exe""

C:\Windows\system32\PING.EXE

ping localhost -n 3

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 www.cloudflare.com udp
US 104.16.123.96:443 www.cloudflare.com tcp
US 8.8.8.8:53 ipapi.co udp
US 104.26.9.44:443 ipapi.co tcp
US 8.8.8.8:53 96.123.16.104.in-addr.arpa udp
US 104.16.123.96:443 www.cloudflare.com tcp
US 104.26.9.44:443 ipapi.co tcp
US 104.16.123.96:443 www.cloudflare.com tcp
US 104.26.9.44:443 ipapi.co tcp
US 8.8.8.8:53 44.9.26.104.in-addr.arpa udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
NL 149.154.167.220:443 api.telegram.org tcp
N/A 127.0.0.1:65421 tcp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 24.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 43.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 18.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI43762\python310.dll

MD5 08812511e94ad9859492a8d19cafa63e
SHA1 492b9fefb9cc5c7f80681ebfa373d48b3a600747
SHA256 9742af9d1154293fa4c4fc50352430c22d56e8cdc99202c78533af182d96489c
SHA512 6f7e41f4e2f893841329ac62315809a59a8d01ca047cb5739eb7ac1294afd4de2754549f7b1f5f9affa3397e9de379c5f6396844fc4fab9328362566225ddb8e

C:\Users\Admin\AppData\Local\Temp\_MEI43762\VCRUNTIME140.dll

MD5 f34eb034aa4a9735218686590cba2e8b
SHA1 2bc20acdcb201676b77a66fa7ec6b53fa2644713
SHA256 9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1
SHA512 d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af

memory/2140-89-0x00007FFED0DF0000-0x00007FFED1256000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI43762\base_library.zip

MD5 fb522f7496ed38b91b04a4c1cccde046
SHA1 10da3b26d0905aa0b9dbe4ab7204fac0d81428c0
SHA256 89518c2367b2bc4521a131a7ea0462b42995285f9282b0c07bee291027d1aee5
SHA512 37d9024203212f8793ccb47069809f0f654b9fb36fef11c0707843664e42d048cfd8bdd384a99239f4bc87cd54296fb4a079b5e5ccfeae3b16e3e98e29138215

C:\Users\Admin\AppData\Local\Temp\_MEI43762\_ctypes.pyd

MD5 58ecf4a9a5e009a6747580ac2218cd13
SHA1 b620b37a1fff1011101cb5807c957c2f57e3a88d
SHA256 50771b69dced2a06327b51f8541535e783c34b66c290096482efcfd9df89af27
SHA512 dec698a310eb401341910caae769cbdf9867e7179332e27f4594fd477e3686c818b2f3922d34e0141b12e9e9542ad01eb25d06c7bb9d76a20ce288610a80e81a

C:\Users\Admin\AppData\Local\Temp\_MEI43762\python3.DLL

MD5 fd4a39e7c1f7f07cf635145a2af0dc3a
SHA1 05292ba14acc978bb195818499a294028ab644bd
SHA256 dc909eb798a23ba8ee9f8e3f307d97755bc0d2dc0cb342cedae81fbbad32a8a9
SHA512 37d3218bc767c44e8197555d3fa18d5aad43a536cfe24ac17bf8a3084fb70bd4763ccfd16d2df405538b657f720871e0cd312dfeb7f592f3aac34d9d00d5a643

C:\Users\Admin\AppData\Local\Temp\_MEI43762\libffi-7.dll

MD5 da6331f94e77d27b8124799ad92e0747
SHA1 55b360676c6702faf49cf4abfc33b34ffa2f4617
SHA256 3908a220d72d4252ad949d55d4d76921eeca4ab2a0dca5191b761604e06ae136
SHA512 faf3ec3d28d90ca408b8f07563169ebc201d9fb7b3ea16db9da7e28979bf787537ad2004fbde9443a69e8e1a6f621c52ff6b3d300897fb9e8b33763e0e63f80c

C:\Users\Admin\AppData\Local\Temp\_MEI43762\_lzma.pyd

MD5 6516e2f6c5fb9cdee87a881507966e4d
SHA1 626a8713059d45a2ac7b5555db9295b33a496527
SHA256 92a3d1698b95e7d03d9b4dce40e2ef666c00d63bb5c9b8c7327386daa210b831
SHA512 0331ddfbe324884df3af8915c014f6a0d042a16360b48732988c37e7fce1d55b7156a0ba41a125a5a56db2207f6c2a847c244bb491a0832c9d48a657f2418872

C:\Users\Admin\AppData\Local\Temp\_MEI43762\_socket.pyd

MD5 329d4b000775ec70a6f2ffb5475d76f6
SHA1 19c76b636391d70bd74480bf084c3e9c1697e8a4
SHA256 f8da40be37142b4cb832e8fc461bed525dbaae7b2e892f0eca5a726d55af17a6
SHA512 5ee676215cf87639e70caa4de05dc676cd51a38aea4d90de4ce82c90976895faf15e5cbc821a08554a9171d82bef88c30e247a36c54f75668a52843229146ca5

memory/2140-106-0x00007FFEE40F0000-0x00007FFEE411C000-memory.dmp

memory/2140-105-0x00007FFEE4DC0000-0x00007FFEE4DD8000-memory.dmp

memory/2140-104-0x00007FFEE6540000-0x00007FFEE654F000-memory.dmp

memory/2140-103-0x00007FFEE0250000-0x00007FFEE0274000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI43762\_bz2.pyd

MD5 37327e79a5438cbd6d504c0bbd70cd04
SHA1 7131a686b5c6dfd229d0fff9eba38b4c717aedb5
SHA256 7053a4bd8294112e45620b2c15e948b516c3a6c465226a08a3a28b59f1fa888d
SHA512 99472a2a68e1d4e5f623d4a545eca11d3ae7d9f626142f2a66e33e5a50cd54d81b6b36a6e1d499a9d479d7667a161d4a1d838fadb4a999c71ff70aad52001603

C:\Users\Admin\AppData\Local\Temp\_MEI43762\pyexpat.pyd

MD5 9e92c1438b1e45452cd56a06ec7acfd9
SHA1 387a59128ce01459f827c37ab6f6bbe262d897a1
SHA256 806e53be1719d5915adb52aa4b5cb7491f9d801b7a0a0b08dc39a0d2df19f42e
SHA512 ab7576ee61c2ece0bcae9eb8973212a7cd0beb62a645e4b5f20030496fbe0f70c85166143b87f81c1b23d1016953675ffd93ec4c4267a7eef8103778ac1e26be

C:\Users\Admin\AppData\Local\Temp\_MEI43762\select.pyd

MD5 def0aa4c7cbaac4bcd682081c31ec790
SHA1 4ff8f9df57a2383f4ad10814d77e30135775d012
SHA256 6003e929e7e92e39482a2338783aa8e2a955a66940c84608a3399876642521a1
SHA512 35a080c44b5eee298dd1f0536e7442bf599ca53efc664b91c73f5a438cb7b643da5542ccbeea6e5a38b83132bacfdf09521e040cb1a3a05bddfbec0cfd79fdc4

memory/2140-114-0x00007FFEE0140000-0x00007FFEE0175000-memory.dmp

memory/2140-112-0x00007FFEE4EE0000-0x00007FFEE4EED000-memory.dmp

memory/2140-111-0x00007FFEE40D0000-0x00007FFEE40E9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI43762\_queue.pyd

MD5 ba0e6f7bb8c984bf3bf3c8aab590bd06
SHA1 4d7879a0ccbd763470687f79aa77cd5e2bb8df5c
SHA256 13cefe24c807a11fb6835608e2c3e27b9cdcddb3015848c30c77a42608b52b19
SHA512 ecf5d4f058fd101d44b6aa7fe7aa45b9490fcfe2c001936b98032fe54514a8fdf4460ff9d1f6d53e991cc1bffdce66a8897d45f3aa7b123f931ff97dd2ee2001

C:\Users\Admin\AppData\Local\Temp\_MEI43762\pywin32_system32\pywintypes310.dll

MD5 a391254584f1db07899831b8092b3be5
SHA1 2ea8f06af942db9bbd10a5ae0b018e9fd910aedb
SHA256 cc3335aeef6bdaca878ad9c4b65a8b7e4d36e417aed5758654062aee71905e08
SHA512 2a7cdd0c35c3d3d6306b89a6fd3be8d6edfda05d67c866bf1459b4d319584b0a6841dd952641e50dac504a97eca086bd4f1cfaef6e89528929f2f4c9160f876c

C:\Users\Admin\AppData\Local\Temp\_MEI43762\VCRUNTIME140_1.dll

MD5 135359d350f72ad4bf716b764d39e749
SHA1 2e59d9bbcce356f0fece56c9c4917a5cacec63d7
SHA256 34048abaa070ecc13b318cea31425f4ca3edd133d350318ac65259e6058c8b32
SHA512 cf23513d63ab2192c78cae98bd3fea67d933212b630be111fa7e03be3e92af38e247eb2d3804437fd0fda70fdc87916cd24cf1d3911e9f3bfb2cc4ab72b459ba

C:\Users\Admin\AppData\Local\Temp\_MEI43762\pywin32_system32\pythoncom310.dll

MD5 ad1f902970ba4d8a033b00e8f023f418
SHA1 711ba4ec9c64a9a988e68e805810227036036d7d
SHA256 851c2929e954ed54ae2562fcc9926fd841ece7cf27527eba66b7acace3e6b4ed
SHA512 7bc40705eb9ac8e0be8ef11b34318865d593cbc5bc0e77545564ce59281d9a58ed5ed23b42a69566944cb3de2ce8c241545ca75a7813dc96a4f065bff2bed25c

memory/2140-126-0x00007FFEE0110000-0x00007FFEE013E000-memory.dmp

memory/2140-127-0x00007FFEE02D0000-0x00007FFEE038C000-memory.dmp

memory/2140-120-0x00007FFEE40C0000-0x00007FFEE40CD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI43762\win32\win32api.pyd

MD5 f97aec050182a9812f9fa5e5389171d7
SHA1 102ce68032e31f9ea9b778ec9e24958847e11060
SHA256 408d6b3cadb55b78af16fd5a365da69a82c06a19fb5ad73421ed276791d5177d
SHA512 6c3d86dedb03540a88ee1a4058d177679c451fdb360a111764ded2c124d5183098e407dd7db74d5203e554afb3479a6f855c53df1aae6fcb874b691ca2d75461

memory/2140-131-0x00007FFEE0020000-0x00007FFEE004B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI43762\_uuid.pyd

MD5 b68c98113c8e7e83af56ba98ff3ac84a
SHA1 448938564559570b269e05e745d9c52ecda37154
SHA256 990586f2a2ba00d48b59bdd03d3c223b8e9fb7d7fab6d414bac2833eb1241ca2
SHA512 33c69199cba8e58e235b96684346e748a17cc7f03fc068cfa8a7ec7b5f9f6fa90d90b5cdb43285abf8b4108e71098d4e87fb0d06b28e2132357964b3eea3a4f8

C:\Users\Admin\AppData\Local\Temp\_MEI43762\psutil\_psutil_windows.pyd

MD5 785ebe1a8d75fd86e6f916c509e5cf50
SHA1 576b9575c06056f2374f865cafecbc5b68fa29c8
SHA256 e4e8cbd99258b0b2b667fe9087a3b993861ee8ba64785320f8f9abfa97a8d455
SHA512 3665d9b97e5ab674fe8b2edd47212521ea70197e599ce9c136013b2a08a707c478b776642293a0457bf787b4067ba36ed5699ab17c13a2e26e7061e8f3813c3a

memory/2140-135-0x00007FFEDFFE0000-0x00007FFEDFFFC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI43762\_ssl.pyd

MD5 318a431cbb96d5580d8ebae5533bf3bf
SHA1 920c2338a5a5b35306201e89568fac9fbfd8aad8
SHA256 88bc111e9df1eb452cd9e8cd742ce9b62a7729bafb77d233f954e12122c695b7
SHA512 adfa5fa9c6401320b3d6317e4c39db5011e7ea4f83b4a13920c64a6869f5c1cc4fb0422684a3a5720c8a021a6054960e351d90078517b2bfd06ff2baeed7fa87

C:\Users\Admin\AppData\Local\Temp\_MEI43762\libcrypto-1_1.dll

MD5 720d47d6ac304646aadb93d02e465f45
SHA1 e8d87c13fc815cdda3dbacb9f49d76dc9e1d7d8c
SHA256 adfe41dbb6bc3483398619f28e13764855c7f1cd811b8965c9aac85f989bdcc1
SHA512 fb982e6013fa471e2bb6836d07bbd5e9e03aec5c8074f8d701fc9a4a300ae028b4ef4ec64a24a858c8c3af440855b194b27e57653acdd6079c4fb10f6ea49b38

C:\Users\Admin\AppData\Local\Temp\_MEI43762\libssl-1_1.dll

MD5 0e65d564ff5ce9e6476c8eb4fafbee5a
SHA1 468f99e63524bb1fd6f34848a0c6e5e686e07465
SHA256 8189368cd3ea06a9e7204cd86db3045bd2b507626ec9d475c7913cfd18600ab0
SHA512 cff6a401f3b84c118d706a2ac0d4f7930a7ce7aefb41edbbb44324f4bc3ebdb95d4f25906be28ef75ddc2aed65af974ec2cd48378dab1e636afc354e22cac681

memory/2140-145-0x00007FFED0DF0000-0x00007FFED1256000-memory.dmp

memory/2140-144-0x00007FFEDF8A0000-0x00007FFEDF958000-memory.dmp

memory/2140-141-0x00007FFEDFE90000-0x00007FFEDFEBE000-memory.dmp

memory/2140-146-0x0000016238040000-0x00000162383B9000-memory.dmp

memory/2140-147-0x00007FFED0A70000-0x00007FFED0DE9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI43762\zstandard\backend_c.cp310-win_amd64.pyd

MD5 7142a05614d2b9af1f2d9c0a579d9df7
SHA1 18543d1c02a43ebafc500946a9977848d729ee50
SHA256 f33e887aa9e6eeb5c111b9fb5069e119032c44f72e0c80423611ef9fc51874d6
SHA512 8e90a6c51eea02888039cd772648928a900cefc2f64b61825cd7787657755245f658dc053d01f9a4f032a527737e6e0f4b9e4428e9a2270543b7d9435600e365

C:\Users\Admin\AppData\Local\Temp\_MEI43762\charset_normalizer\md.cp310-win_amd64.pyd

MD5 8e797a3cf84bdffd5f9cd795e6499fea
SHA1 f422d831507ef9e0592ad8687d8a37df20b7f4c2
SHA256 0bc1ee228af2774d4011acba687b201995b9b1f192062140341d07b6b5f66e5f
SHA512 6d9b30634a27f8bf6a1d3e169aa45595e414f5c8f0dce12b00b56e1428ad71f88925bb553dad160cb7d99fb26d5f4834924e9bcf79708a57037e748a886af252

memory/2140-157-0x00007FFEDFFB0000-0x00007FFEDFFBB000-memory.dmp

memory/2140-156-0x00007FFEDFE70000-0x00007FFEDFE85000-memory.dmp

memory/2140-155-0x00007FFEDF460000-0x00007FFEDF4E7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI43762\_hashlib.pyd

MD5 b2e9c716b3f441982af1a22979a57e11
SHA1 fb841dd7b55a0ae1c21e483b4cd22e0355e09e64
SHA256 4dece1949a7ad2514bb501c97310cc25181cb41a12b0020c4f62e349823638a2
SHA512 9d16d69883054647af2e0462c72d5035f5857caaa4194e8d9454bf02238c2030dfa5d99d648c9e8a0c49f96f5ad86f048b0a6a90be7c60771704d97cabea5f42

C:\Users\Admin\AppData\Local\Temp\_MEI43762\charset_normalizer\md__mypyc.cp310-win_amd64.pyd

MD5 4ae75ebcf135a68aca012f9cb7399d03
SHA1 914eea2a9245559398661a062516a2c51a9807a7
SHA256 cde4e9233894166e41e462ee1eb676dbe4bee7d346e5630cffdfc4fe5fd3a94b
SHA512 88e66f5ddebeea03cf86cdf90611f371eef12234b977976ab1b96649c162e971f4b6a1d8b6c85d61fa49cdb0930a84cbfcd804bdef1915165a7a459d16f6fb6e

C:\Users\Admin\AppData\Local\Temp\_MEI43762\unicodedata.pyd

MD5 e4273defe106039481317745f69b10e0
SHA1 a8425164e78a3ab28ad0a7efaf9d9b0134effd57
SHA256 9247f28ff6ba4f7ae41e2d69104717b01a916dbb36944115184abbec726d03df
SHA512 7b87dcd1406f3e327bb70450d97ac3c56508c13bbeee47b00f47844695951371fe245d646641bc768b5fdc50e0d0f7eef8b419d497240aef39ae043f74ba0260

memory/2140-162-0x00007FFEE0080000-0x00007FFEE00A3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI43762\_sqlite3.pyd

MD5 3b9ae6c00a7519bffdfde41390c4e519
SHA1 cefcccb40c0dfb61e96c2512bf42289ab5967ab8
SHA256 9a7ddfd50ca0fdc2606d2bf293b3538b45cf35caae440fa5610cc893ce708595
SHA512 a9628fbd393d856e85fc73d8016fbda803a6d479da00ff7cc286c34ddddc7bfc108d9b32a2d8c7e9d5c527c94f3653233ca22c0466cf18b7f03af0318b99d1dc

C:\Users\Admin\AppData\Local\Temp\_MEI43762\sqlite3.dll

MD5 7e7228ddf41d2f4cd6f848121550dcb7
SHA1 e803025ce8734b8dc8427aa5234bc50d069724d4
SHA256 3ad86547fcfb8478f0825d4b72311eb3a9fc6ed6441c85821000a763828deb8e
SHA512 2bf6e37b5bd87d2a5cb9903a550607c50a51d306fbdbf86ca879268cdf78c95fc82c8868e07f1dc146467facdab2437de18f9b2f6ca06cc58c201451bb55a1ff

memory/2140-169-0x00007FFED0180000-0x00007FFED02FA000-memory.dmp

memory/2140-168-0x00007FFEE0980000-0x00007FFEE099F000-memory.dmp

memory/2140-163-0x00007FFED14B0000-0x00007FFED15C8000-memory.dmp

memory/2140-161-0x00007FFEE40D0000-0x00007FFEE40E9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI43762\Crypto\Cipher\_raw_ecb.pyd

MD5 a59d0338d1ec2141e1b7224304bb4ad0
SHA1 c29834a0ad7991abd25c55021d40179ee96214a6
SHA256 477f4cb7f7af895dce3e661b7758bdca90b5a93ab9532fff716df56f30c37e1f
SHA512 ca79d092a4e35d982c26969ef02c2be9a449a028e52b16f96043a4b721e2467d89ef6489172ce8112748d34b16fa9810e3c85c5e721c823518448768c43521e6

C:\Users\Admin\AppData\Local\Temp\_MEI43762\Crypto\Cipher\_raw_cbc.pyd

MD5 517a8f3253f90ece747345acd703c078
SHA1 f430ca09f77bc0f74f9f2a01a90d0846f5fb526e
SHA256 3f18b801cff71cc1fdba29b3a4f614588a8d46c6db907e28e7c57069eb0f29cd
SHA512 59d2a36e3c20c8fd6694563db53fc3b0f6e77c1f06fd21427d142033b9437a31e95b2cf8b20dcab31e9786dbebbf326ad5210c919c64c07d4ebb9265e1a61ea8

memory/2140-180-0x00007FFEDFC10000-0x00007FFEDFC1B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI43762\Crypto\Cipher\_raw_ofb.pyd

MD5 d09e8561788b80cc248f990f5a604509
SHA1 6a7ed31508520d1f99b2b45acff1aea79a2a50cf
SHA256 e58673cd9bd054c299c469fd694ae16a16b5c9ba3fb1f6a98390dd069374297c
SHA512 18818a7afcee0beee09b3779475fde5be086e98a07e41fcd09175e1712e4c931cdf84dc893461c4d01080170ee63d689293a57f9ddff90f82563828b12cf995e

C:\Users\Admin\AppData\Local\Temp\_MEI43762\Crypto\Cipher\_raw_cfb.pyd

MD5 97dd8bc6330e9957b58b238b2b1e295f
SHA1 b7286fd2af1a41dfde3f9d07728be96cfe69a4b8
SHA256 f08e5d38771b7d0c59f3d04409006246711629a439751c006e72be05ec176ce1
SHA512 038a727c4a0b578c44d08c8d8e8111a7408355595d79f0f98ef807bf01b90a5e01b5f5bc0ca9bf876d9e2a412010056b92b8315be45a02aa26c7cbbc3ab73fec

memory/2140-177-0x00007FFEE02D0000-0x00007FFEE038C000-memory.dmp

memory/2140-176-0x00007FFEE0060000-0x00007FFEE006B000-memory.dmp

memory/2140-175-0x00007FFEE0070000-0x00007FFEE007B000-memory.dmp

memory/2140-183-0x00007FFEDFC00000-0x00007FFEDFC0C000-memory.dmp

memory/2140-187-0x00007FFEDF8A0000-0x00007FFEDF958000-memory.dmp

memory/2140-190-0x00007FFEDFBD0000-0x00007FFEDFBDD000-memory.dmp

memory/2140-194-0x00007FFEDF340000-0x00007FFEDF34C000-memory.dmp

memory/2140-193-0x00007FFEDF330000-0x00007FFEDF33B000-memory.dmp

memory/2140-192-0x00007FFEDF350000-0x00007FFEDF35C000-memory.dmp

memory/2140-191-0x0000016238040000-0x00000162383B9000-memory.dmp

memory/2140-189-0x00007FFEDFBE0000-0x00007FFEDFBEC000-memory.dmp

memory/2140-201-0x00007FFED1D50000-0x00007FFED1D79000-memory.dmp

memory/2140-200-0x00007FFEDC600000-0x00007FFEDC60C000-memory.dmp

memory/2140-199-0x00007FFEDC610000-0x00007FFEDC622000-memory.dmp

memory/2140-198-0x00007FFEDE9F0000-0x00007FFEDE9FD000-memory.dmp

memory/2140-197-0x00007FFEDEA00000-0x00007FFEDEA0C000-memory.dmp

memory/2140-196-0x00007FFEDF2A0000-0x00007FFEDF2AC000-memory.dmp

memory/2140-195-0x00007FFEDF2B0000-0x00007FFEDF2BB000-memory.dmp

memory/2140-188-0x00007FFEDFBF0000-0x00007FFEDFBFB000-memory.dmp

memory/2140-186-0x00007FFEDFE90000-0x00007FFEDFEBE000-memory.dmp

memory/2140-185-0x00007FFEDFBA0000-0x00007FFEDFBAE000-memory.dmp

memory/2140-184-0x00007FFED0A70000-0x00007FFED0DE9000-memory.dmp

memory/2140-182-0x00007FFEDFFE0000-0x00007FFEDFFFC000-memory.dmp

memory/2140-181-0x00007FFEE0050000-0x00007FFEE005C000-memory.dmp

memory/2140-207-0x00007FFECFF20000-0x00007FFED0172000-memory.dmp

memory/2140-206-0x00007FFED0180000-0x00007FFED02FA000-memory.dmp

memory/2140-205-0x00007FFED14B0000-0x00007FFED15C8000-memory.dmp

memory/2140-204-0x00007FFEE0080000-0x00007FFEE00A3000-memory.dmp

memory/2140-211-0x00007FFEDC5F0000-0x00007FFEDC600000-memory.dmp

memory/2140-210-0x00007FFED1260000-0x00007FFED1274000-memory.dmp

memory/2140-209-0x00007FFEE0980000-0x00007FFEE099F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\downloads_db

MD5 73bd1e15afb04648c24593e8ba13e983
SHA1 4dd85ca46fcdf9d93f6b324f8bb0b5bb512a1b91
SHA256 aab0b201f392fef9fdff09e56a9d0ac33d0f68be95da270e6dab89bb1f971d8b
SHA512 6eb58fb41691894045569085bd64a83acd62277575ab002cf73d729bda4b6d43c36643a5fa336342e87a493326337ed43b8e5eaeae32f53210714699cb8dfac7

C:\Users\Admin\AppData\Local\Temp\PhXDW4LvmZ.tmp

MD5 9df444e0de734921d4d96deeeac4b16e
SHA1 31542622ecf896b93d830e21595091aef8742901
SHA256 1d324d34d58165aca7dbf057a7417457776b4e805d60182401a9275fb7920900
SHA512 2de6a0ac09b7a1a21cda31e49c072b097ca1959814c535920a099a9df87e993ba2dfd6cebcb8ec2110efca385bb618f771258575a06736afcfd6cd40a8e1a957

C:\Users\Admin\AppData\Local\Temp\sbPuBgeWx2.tmp

MD5 f70aa3fa04f0536280f872ad17973c3d
SHA1 50a7b889329a92de1b272d0ecf5fce87395d3123
SHA256 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA512 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

C:\Users\Admin\AppData\Local\Temp\downloads_db

MD5 9618e15b04a4ddb39ed6c496575f6f95
SHA1 1c28f8750e5555776b3c80b187c5d15a443a7412
SHA256 a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab
SHA512 f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26

memory/2140-280-0x00007FFED0A70000-0x00007FFED0DE9000-memory.dmp

memory/2140-287-0x00007FFED0180000-0x00007FFED02FA000-memory.dmp

memory/2140-286-0x00007FFEE0980000-0x00007FFEE099F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\KcSt2uCju7\extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\MANIFEST-000001

MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

C:\Users\Admin\AppData\Local\Temp\KcSt2uCju7\extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\LOG

MD5 2d923377dc63e74e4c6bd895778e8fa3
SHA1 385c6c32176284b7650f42814079961212705afc
SHA256 7a37357a655908136d72d46a5855b651edbe90fcb114e3640ba317215ba123b2
SHA512 ff96c3acccf5b16c03d87cc3be6e0756c26f51a3bb77e97e22e20187fbbe3b8d6f5ee04372ed0cd30d51da50f26f428e364dba7e89e0052f9983ac821fc055bd

C:\Users\Admin\AppData\Local\Temp\KcSt2uCju7\extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Temp\KcSt2uCju7\extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\000003.log

MD5 190c46b5065a4bdf11f434a3e8f49ae4
SHA1 f47dbf81648cfcdd9817f60e55326dab0a2cb5cb
SHA256 9d89630da3bde9505d4c2cc684eb01c2d4d7d11028d01d309aca12b064f779e6
SHA512 8f71ea206e367f2f32bf241dd8513a9f436ec4980c401527f4941048a66159b5909438381f7a36179208399fd7a0b41f208c9904e1afd5d0dd0ef8edb56661c6

memory/2140-279-0x00007FFEDF8A0000-0x00007FFEDF958000-memory.dmp

memory/2140-278-0x00007FFEDFE90000-0x00007FFEDFEBE000-memory.dmp

memory/2140-275-0x00007FFEE02D0000-0x00007FFEE038C000-memory.dmp

memory/2140-274-0x00007FFEE0110000-0x00007FFEE013E000-memory.dmp

memory/2140-266-0x00007FFEE0250000-0x00007FFEE0274000-memory.dmp

memory/2140-265-0x00007FFED0DF0000-0x00007FFED1256000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\KcSt2uCju7\common(0)\PingRestart.xlsx

MD5 b152de6fa6f2ce7d28ee5ce60c8d5a2c
SHA1 68b1d06b9b0643a5f8246a06b12ff2b93e0aee6a
SHA256 7eb7fa049316760891f241e0f267bdb47844a972832ebf0b9d276dcbf24743c6
SHA512 79ea075fcae79518c7fe6b7c028fc75144d1b80ca2f2d041c040e5fea0eb93e4ff9ea53eca935e1d5f60f99120253155e3cc985bb12e06aaa984423bc3d89b83

C:\Users\Admin\AppData\Local\Temp\KcSt2uCju7\common(0)\ResolveEnter.zip

MD5 82fb981d60d4be6ac0273e6877016834
SHA1 af4c67d6a6170f2678c6ec9fd61188c41e864019
SHA256 ef14acea093a5f81ed5cad9184d6aa5deba24ec6ea5f82d49fb731e6cb1d7733
SHA512 909bdfb90660244d7148a60e9b0833b870c8ece61cabf4f37af19b71a793747be76838f54005d228eeff22263fed8ad74c57709f275be54d2b212d5d386cbff2

C:\Users\Admin\AppData\Local\Temp\KcSt2uCju7\common(0)\ReadRemove.pdf

MD5 5ce33939f2ce9015f4d8aa2ca91dce16
SHA1 101389a44bc0152aaec0a134dfc7463ffe65df99
SHA256 4cfc55d204473dfbdfff3ed25b8ed3c73a8e7b1147a64fce8e4c41bb9ae27345
SHA512 c46ce73f2ffc55537b56604f6d29569c067c39bc77d97139d7f96255ff750954b79b209d3e5c3e3eefb534fb027e9ceb605d65ec0e5081c80013d72681313ab3

C:\Users\Admin\AppData\Local\Temp\KcSt2uCju7\common(0)\Opened.docx

MD5 bfbc1a403197ac8cfc95638c2da2cf0e
SHA1 634658f4dd9747e87fa540f5ba47e218acfc8af2
SHA256 272ed278e82c84cf4f80f48ec7989e1fc35f2055d6d05b63c8a31880846597a6
SHA512 b8938526fcbf7152805aec130ca553e3ec949cb825430a5d0a25c90ec5eb0863857010484a4b31fdc4bb65a4c92ad7127c812b93114be4569a677f60debe43b1

C:\Users\Admin\AppData\Local\Temp\KcSt2uCju7\common(0)\Files.docx

MD5 4a8fbd593a733fc669169d614021185b
SHA1 166e66575715d4c52bcb471c09bdbc5a9bb2f615
SHA256 714cd32f8edacb3befbfc4b17db5b6eb05c2c8936e3bae14ea25a6050d88ae42
SHA512 6b2ebbbc34cd821fd9b3d7711d9cdadd8736412227e191883e5df19068f8118b7c80248eb61cc0a2f785a4153871a6003d79de934254b2c74c33b284c507a33b

C:\Users\Admin\AppData\Local\Temp\KcSt2uCju7\common(0)\BackupResolve.xlt

MD5 d2fcff6cd97a64e92ce366456e0f3907
SHA1 ef2595164f24d6947b9c5ef85055846a3fc93c93
SHA256 e95dbdd1cb38d775db59fcf7a24b5ae1bb40b8652e61142b2025c147e495efc0
SHA512 78baeb2994b5b717640fcae812f63873cdba69d16e95028711d00aa1b92d4a4706e6578784831b7da5cbe0018065c896c4f2e10a5589ca955fcc2e460a6117a2

C:\Users\Admin\AppData\Local\Temp\KcSt2uCju7\common(0)\BackupInstall.docx

MD5 02b934dc057d59c7053edf09789327d5
SHA1 bd1b30f7db3f242872c6e8314126dd64b0df9467
SHA256 5e7f115c7e03e05b3af6b5c7fc5f872bc5d179662b41724c2a12b620448c1000
SHA512 07e8325652593e1aa2b78891334f7e7cd5d025bff25895bdfae60738132ff5b7fbd04b5e2df1ed2e837aa14cf9c20caa56601de8ed83134665a058d5eb51ddeb

C:\Users\Admin\AppData\Local\Temp\KcSt2uCju7\common(0)\Are.docx

MD5 a33e5b189842c5867f46566bdbf7a095
SHA1 e1c06359f6a76da90d19e8fd95e79c832edb3196
SHA256 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
SHA512 f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

C:\Users\Admin\AppData\Local\Temp\KcSt2uCju7\common(0)\Recently.docx

MD5 3b068f508d40eb8258ff0b0592ca1f9c
SHA1 59ac025c3256e9c6c86165082974fe791ff9833a
SHA256 07db44a8d6c3a512b15f1cb7262a2d7e4b63ced2130bc9228515431699191cc7
SHA512 e29624bc8fecb0e2a9d917642375bd97b42502e5f23812195a61a4920cae5b6ed540e74dfcf8432dcceb7de906ad0501cdd68056f9b0ec86a6bb0c1e336bfe32

C:\Users\Admin\AppData\Local\Temp\KcSt2uCju7\common(0)\PushCopy.rar

MD5 1c6e1c1a9473f1fee72fa17f95e9465f
SHA1 52cd447c7a6b669eb223e863de5a03ff8d95783e
SHA256 723258b3e3917674288bb74a66ad2ecdb0e005cb675ce2b7a093803e3bfc6b1b
SHA512 7506c5459e724b75b576dce28cdb5c974a48d48720365da1d3114f8d63f45a03b1a2e7c894431d02808dc78faa0afbf066960c1a6269e8405402e31dcf02d905

C:\Users\Admin\AppData\Local\Temp\KcSt2uCju7\common(2)\WriteDisconnect.png

MD5 94929a268a86a28ed9be7c2935b28fed
SHA1 968a4b2e8086436ba358fe2868a1b6dc5bc8d285
SHA256 7dc0735b4760843bf8575fa84b81d50ba3e551393678a76e110e803e0075b929
SHA512 d6655014c2f75c4fea124751e462177a092c20001bec93eed6b9207bd521a04495f41438a53145750467312f678c20968c7af6ba5ea8b63e2b21ef492a1c70fd

C:\Users\Admin\AppData\Local\Temp\KcSt2uCju7\common(2)\My Wallpaper.jpg

MD5 a51464e41d75b2aa2b00ca31ea2ce7eb
SHA1 5b94362ac6a23c5aba706e8bfd11a5d8bab6097d
SHA256 16d5506b6663085b1acd80644ffa5363c158e390da67ed31298b85ddf0ad353f
SHA512 b2a09d52c211e7100e3e68d88c13394c64f23bf2ec3ca25b109ffb1e1a96a054f0e0d25d2f2a0c2145616eabc88c51d63023cef5faa7b49129d020f67ab0b1ff

C:\Users\Admin\AppData\Local\Temp\KcSt2uCju7\common(1)\DisableRegister.png

MD5 0471fe00f2c2ad5702fb0c8133880509
SHA1 9d1b08c7beaf16aee1ce4d47c512592e1706e098
SHA256 1544b1c856bd646d49f4f2a1c8ab53b9d461b512889603381cace57240cd1a3f
SHA512 25cee0d0df555b00a736a3b5b8df6ba26dc4bc0a35b68b614611ecfdbcf08fbd18a33ac341d1b0c54eb08433bbe71de4a7063948c55ea164a09b3853c524e0b4

C:\Users\Admin\AppData\Local\Temp\KcSt2uCju7\common(0)\TestStop.doc

MD5 58a1e53939f123fbeb7166a8237d21f1
SHA1 756dd359d16ac63b412be6956b2b49bff5e2b68f
SHA256 9f0db619552ef75178c02c611d1f165ab38075e568d03988ef7d6fe39b529198
SHA512 9c3102ab7b9a7bb4bd06861319108f0bde1f23a04c0b9e3c04cbc69a20b4db42be7166a3f4f851c47095dd9cfa0b2e735a6e90114a7c578456d7d8c3096b33eb

C:\Users\Admin\AppData\Local\Temp\KcSt2uCju7\common(0)\SubmitSearch.jpeg

MD5 da16e78d5c007df17bad9369af99eed2
SHA1 f4d8ca7f77756e9760619639fe3b46c4d3927ea9
SHA256 57677bcff42614a79d85f8aa53006de0fb5b9205283059db4d0a4b4d25ec05a5
SHA512 2b23b9248573707a68fdcae9a4d59f55d898987d2769222146b6939a910e629e42bc49cef2acf6066137e3b5bdd4cda907962b81d0ee7c1bd50f9e6b811287d0

C:\Users\Admin\AppData\Local\Temp\KcSt2uCju7\common(0)\SkipShow.docx

MD5 61052a9dba6ccec7a05f3631d1c1e5b2
SHA1 456c1465caea98ca9aac747378248bf985685b72
SHA256 b0a42b94f20ba7d9374b85be031e614e233e11d18800bda4c7914cd10d7aa9fb
SHA512 c4426123f93fb935feff7efa5809d056596a173273af95bd8ea8e1f8afb5457c7e08e56b5feb80da1140129e87811007095708200917634d3bd1ad1b3411ea9d

C:\Users\Admin\AppData\Local\Temp\KcSt2uCju7\common(0)\OptimizeConvertFrom.rar

MD5 81f23f7e62c4d0c0e35e4b0841766fb0
SHA1 34fff268be2d5c8782f65fe55a8ae763a8db811f
SHA256 a65045cd8cc1e264b2054bac4271a03f92e0e4d2757534cb07d1b7aa096bc8fc
SHA512 55953544ef823fec44741684bd1a543e40006f8cf5347b4265a8f25f425db1fb3162a8d62f203240b1a6db917a9c71771005a49de57587b01371358a4abb0bf8

C:\Users\Admin\AppData\Local\Temp\KcSt2uCju7\common(0)\LockSubmit.csv

MD5 ef96604cd2e9beb840bdde374f15270c
SHA1 6991a56849ba40cb9e73de436c20344936ec200e
SHA256 4a89ecb0bc2891d2c4d447f9c64e50435a61298eb85f2d1d08095ec16aa86b4c
SHA512 c06022cef9f381fcb90fd9dcc5d204172b5d04e067d4a731454e42b425a1dd021f26f13f2bd2529e1bc5037d30d31ef1060da1d1f0cc845ab079b287aee4d198

C:\Users\Admin\AppData\Local\Temp\KcSt2uCju7\common(0)\HideReceive.pdf

MD5 91c890d1bf326d73a809ea399f47ffbc
SHA1 139b74553158fa205183bbae0434f9930edfbd50
SHA256 26b636230f4381baf0d05c3bd2efba24f1e83a0a5135923246e1593b0b95be1e
SHA512 dbad976fa7e943bdb2b92ee19cfff850e0134b62106226f7a9038eab299d1f6c388c487614219868cbf16ad656977346b7ba3ed4ca9f8ec9d7939fef64fb1b60

C:\Users\Admin\AppData\Local\Temp\KcSt2uCju7\common(0)\FormatAdd.docx

MD5 b4797165bbb29acd7b8134077c72875d
SHA1 e90ee4b6b808c372967e18165199db2cb38c9e3f
SHA256 abbfc37dbfd761c2ed7e9d690bfb000cb7ef1ddcbc73c9385166879247659b05
SHA512 c891c60efa8d6308216217f637c0cd5b9cbefd781e437028774391e6e3f78d30c34bf29ada201e0b1ddf18992c858e17adf6d3debbebd52f93a9da4a9ce5f1ea

C:\Users\Admin\AppData\Local\Temp\KcSt2uCju7\common(0)\ExportGroup.png

MD5 f32255c842535ae720b0a4a4e143a841
SHA1 f859a8c3ad7a97ce1a590e76d86c78d270646cc4
SHA256 5bd4283f94f08db6350ea7954717730f0e2192adda86eda9ecdf38baae673d32
SHA512 5e3a095999d0b3941f099c5b25b949cbcc179a0301c462502b771ceb32b6d9b324f2cfdb807ea96a5dd65e761768841e6fbd02b727d9661871476628b3a3c240

C:\Users\Admin\AppData\Local\Temp\KcSt2uCju7\common(0)\UnprotectComplete.doc

MD5 0396afd145a19fe4f2d602a0e799042a
SHA1 16a1c0c627bbb5e95395f5b528e03e62374e791f
SHA256 d4e42554525edd45dd2c5e87342d0ee08d24f44cff3e5f1368bbab552961f3a7
SHA512 fb9ef4d7a03e6790296b88dc1b5fe7433f511d8921b6564c828278bc92cc68541f1d5ba15daadeae8b6c01a2f6297dd730225e001d736983a6bdf08aba0dde0b

C:\Users\Admin\AppData\Local\Temp\KcSt2uCju7\common(0)\These.docx

MD5 87cbab2a743fb7e0625cc332c9aac537
SHA1 50f858caa7f4ac3a93cf141a5d15b4edeb447ee7
SHA256 57e3b0d22fa619da90237d8bcf8f922b142c9f6abf47efc5a1f5b208c4d3f023
SHA512 6b678f0dd0030806effe6825fd52a6a30b951e0c3dcf91dfd7a713d387aa8b39ec24368e9623c463360acba5e929e268f75ce996526c5d4485894b8ac6b2e0fa

C:\Users\Admin\AppData\Local\Temp\KcSt2uCju7\common(0)\UnlockPush.csv

MD5 1da36eee3f42a8c69fd58b52e9ae480f
SHA1 82629f8075bcf49c3378b761f6eee4ee753259f8
SHA256 ad0f408cd2e515cf2c9515b723e75f555eed6201f2b992dadf090fb1fe55891a
SHA512 e958c1b57672df85ed396321a6dbe5f9e47a4745e8cef01b7273b31b8257eb1466d2d9c1386d33e6809157a95ffd7c350c653405f45bcaec09e87e5dc64a0498

C:\Users\Admin\AppData\Local\Temp\KcSt2uCju7\common(0)\ResolveSkip.png

MD5 b58813a3ba015731f56cc21de700882f
SHA1 b62a7685e4f56e58937e1c81368644c562ffc925
SHA256 8b14ab8e905e1cf24eb3da3f57b57ba0d7ba675b9f6e04e1e79b78b29d9e079a
SHA512 d513bba374ee06046c24b9c65f523afc7377b063cbac94ac4cab436a0eab12afa6c7f9137fda0728833b4c224e6b5e55f75c1ad807cd24025f2e3b2ffc4ad7b0

memory/1784-1149-0x000001D5877A0000-0x000001D5877C2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_petoy3ve.jp1.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\KcSt2uCju7\clipboard.zip

MD5 76cdb2bad9582d23c1f6f4d868218d6c
SHA1 b04f3ee8f5e43fa3b162981b50bb72fe1acabb33
SHA256 8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85
SHA512 5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

memory/2140-1200-0x00007FFEDFE90000-0x00007FFEDFEBE000-memory.dmp

memory/2140-1217-0x00007FFEDFBA0000-0x00007FFEDFBAE000-memory.dmp

memory/2140-1216-0x00007FFEDFBD0000-0x00007FFEDFBDD000-memory.dmp

memory/2140-1215-0x00007FFEDFBE0000-0x00007FFEDFBEC000-memory.dmp

memory/2140-1214-0x00007FFEE0050000-0x00007FFEE005C000-memory.dmp

memory/2140-1213-0x00007FFED0180000-0x00007FFED02FA000-memory.dmp

memory/2140-1212-0x00007FFEDFC10000-0x00007FFEDFC1B000-memory.dmp

memory/2140-1211-0x00007FFEDFBF0000-0x00007FFEDFBFB000-memory.dmp

memory/2140-1210-0x00007FFEE0070000-0x00007FFEE007B000-memory.dmp

memory/2140-1209-0x00007FFEDFC00000-0x00007FFEDFC0C000-memory.dmp

memory/2140-1208-0x00007FFEE0980000-0x00007FFEE099F000-memory.dmp

memory/2140-1207-0x00007FFED14B0000-0x00007FFED15C8000-memory.dmp

memory/2140-1206-0x00007FFEE0080000-0x00007FFEE00A3000-memory.dmp

memory/2140-1205-0x00007FFEDFFB0000-0x00007FFEDFFBB000-memory.dmp

memory/2140-1204-0x00007FFEDFE70000-0x00007FFEDFE85000-memory.dmp

memory/2140-1203-0x00007FFEDF460000-0x00007FFEDF4E7000-memory.dmp

memory/2140-1202-0x00007FFEDF350000-0x00007FFEDF35C000-memory.dmp

memory/2140-1201-0x00007FFEDF340000-0x00007FFEDF34C000-memory.dmp

memory/2140-1199-0x00007FFEDFFE0000-0x00007FFEDFFFC000-memory.dmp

memory/2140-1198-0x00007FFEE0020000-0x00007FFEE004B000-memory.dmp

memory/2140-1197-0x00007FFEE02D0000-0x00007FFEE038C000-memory.dmp

memory/2140-1196-0x00007FFEE0110000-0x00007FFEE013E000-memory.dmp

memory/2140-1195-0x00007FFEE40C0000-0x00007FFEE40CD000-memory.dmp

memory/2140-1194-0x00007FFEE0140000-0x00007FFEE0175000-memory.dmp

memory/2140-1193-0x00007FFEE4EE0000-0x00007FFEE4EED000-memory.dmp

memory/2140-1192-0x00007FFEE40D0000-0x00007FFEE40E9000-memory.dmp

memory/2140-1191-0x00007FFEE40F0000-0x00007FFEE411C000-memory.dmp

memory/2140-1190-0x00007FFEE4DC0000-0x00007FFEE4DD8000-memory.dmp

memory/2140-1189-0x00007FFEE6540000-0x00007FFEE654F000-memory.dmp

memory/2140-1188-0x00007FFEE0250000-0x00007FFEE0274000-memory.dmp

memory/2140-1187-0x00007FFEE0060000-0x00007FFEE006B000-memory.dmp

memory/2140-1179-0x00007FFED0A70000-0x00007FFED0DE9000-memory.dmp

memory/2140-1178-0x00007FFEDF8A0000-0x00007FFEDF958000-memory.dmp

memory/2140-1164-0x00007FFED0DF0000-0x00007FFED1256000-memory.dmp

memory/2140-1219-0x00007FFEDF2B0000-0x00007FFEDF2BB000-memory.dmp

memory/2140-1223-0x00007FFEDC610000-0x00007FFEDC622000-memory.dmp

memory/2140-1222-0x00007FFEDE9F0000-0x00007FFEDE9FD000-memory.dmp

memory/2140-1221-0x00007FFEDEA00000-0x00007FFEDEA0C000-memory.dmp

memory/2140-1220-0x00007FFEDF2A0000-0x00007FFEDF2AC000-memory.dmp

memory/2140-1218-0x00007FFEDF330000-0x00007FFEDF33B000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-18 18:50

Reported

2024-06-18 18:52

Platform

win7-20240220-en

Max time kernel

148s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\runtime.exe"

Signatures

AsyncRat

rat asyncrat

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\win.exe N/A

Checks installed software on the system

discovery

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\runtime.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\runtime.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\win.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\win.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\win.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\win.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\win.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\win.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\win.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\win.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\win.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\win.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\win.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\win.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\win.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\win.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\win.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\win.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\win.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\win.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\win.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\win.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\win.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\win.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\win.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\win.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\win.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\win.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\win.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\win.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\win.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\win.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\win.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\win.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\win.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\win.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtime.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\win.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\win.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2356 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\runtime.exe C:\Windows\System32\cmd.exe
PID 2356 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\runtime.exe C:\Windows\System32\cmd.exe
PID 2356 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\runtime.exe C:\Windows\System32\cmd.exe
PID 2356 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\runtime.exe C:\Windows\system32\cmd.exe
PID 2356 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\runtime.exe C:\Windows\system32\cmd.exe
PID 2356 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\runtime.exe C:\Windows\system32\cmd.exe
PID 2996 wrote to memory of 2700 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2996 wrote to memory of 2700 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2996 wrote to memory of 2700 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2172 wrote to memory of 2704 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2172 wrote to memory of 2704 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2172 wrote to memory of 2704 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2996 wrote to memory of 2860 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\win.exe
PID 2996 wrote to memory of 2860 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\win.exe
PID 2996 wrote to memory of 2860 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\win.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\runtime.exe

"C:\Users\Admin\AppData\Local\Temp\runtime.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "win" /tr '"C:\Users\Admin\AppData\Roaming\win.exe"' & exit

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp1719.tmp.bat""

C:\Windows\system32\timeout.exe

timeout 3

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "win" /tr '"C:\Users\Admin\AppData\Roaming\win.exe"'

C:\Users\Admin\AppData\Roaming\win.exe

"C:\Users\Admin\AppData\Roaming\win.exe"

Network

Country Destination Domain Proto
US 72.5.43.15:4449 tcp
US 72.5.43.15:4449 tcp
US 72.5.43.15:4449 tcp
US 72.5.43.15:4449 tcp
US 72.5.43.15:4449 tcp
US 72.5.43.15:4449 tcp
US 72.5.43.15:4449 tcp
US 72.5.43.15:4449 tcp
US 72.5.43.15:4449 tcp
US 72.5.43.15:4449 tcp
US 72.5.43.15:4449 tcp
US 72.5.43.15:4449 tcp
US 72.5.43.15:4449 tcp
US 72.5.43.15:4449 tcp
US 72.5.43.15:4449 tcp
US 72.5.43.15:4449 tcp
US 72.5.43.15:4449 tcp
US 72.5.43.15:4449 tcp
US 72.5.43.15:4449 tcp
US 72.5.43.15:4449 tcp
US 72.5.43.15:4449 tcp
US 72.5.43.15:4449 tcp
US 72.5.43.15:4449 tcp
US 72.5.43.15:4449 tcp
US 72.5.43.15:4449 tcp
US 72.5.43.15:4449 tcp
US 72.5.43.15:4449 tcp
US 72.5.43.15:4449 tcp
US 72.5.43.15:4449 tcp
US 72.5.43.15:4449 tcp
US 72.5.43.15:4449 tcp
US 72.5.43.15:4449 tcp
US 72.5.43.15:4449 tcp

Files

memory/2356-0-0x000007FEF5BD3000-0x000007FEF5BD4000-memory.dmp

memory/2356-1-0x00000000011B0000-0x00000000011C8000-memory.dmp

memory/2356-3-0x000007FEF5BD0000-0x000007FEF65BC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp1719.tmp.bat

MD5 1e2271d38277e5a2df86d753a83a1b8e
SHA1 afa35b4909e3f40ac53a27314e8d6790488e8d73
SHA256 8fc4460873e08b0031f0cc838ca15316847c3e4fbd0435bd3c665ec0fac45f7a
SHA512 9e60fa1549ac9e8973ae097572a622e8c044e1c54a68755975bc5e442b2de650672e910eb95599fed0364ee102c6e9d72267049bfa10932392bfc1626f3b453d

memory/2356-11-0x000007FEF5BD0000-0x000007FEF65BC000-memory.dmp

memory/2356-14-0x000007FEF5BD0000-0x000007FEF65BC000-memory.dmp

C:\Users\Admin\AppData\Roaming\win.exe

MD5 4fa7b1eec1fc84eb3a13c29e5a37aae7
SHA1 dfff9fceeb4d74d7e82f9f0a65d1889fa0f9e326
SHA256 5f5aa560b9b2d9f7ea3b9a4e05b9b9b35107dc78bd763000fe05f6b3f998f311
SHA512 5e36a5589499a3db56d78de1b66a9ee57a2972bc57bf4b915df9118fd2a584c74ba00c61531d922431b72e87f9c53585c4c1a78a2aba122a22ea5e3603aa06ba

memory/2860-18-0x0000000000A70000-0x0000000000A88000-memory.dmp

C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf

MD5 cf759e4c5f14fe3eec41b87ed756cea8
SHA1 c27c796bb3c2fac929359563676f4ba1ffada1f5
SHA256 c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761
SHA512 c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar3C4C.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-18 18:50

Reported

2024-06-18 18:52

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\runtime.exe"

Signatures

AsyncRat

rat asyncrat

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\runtime.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\win.exe N/A

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\runtime.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\runtime.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\runtime.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\runtime.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\runtime.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\runtime.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\runtime.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\runtime.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\runtime.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\runtime.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\runtime.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\runtime.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\runtime.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\runtime.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\runtime.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\runtime.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\runtime.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\runtime.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\runtime.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\runtime.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\runtime.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\runtime.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\runtime.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\win.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\win.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\win.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\win.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\win.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\win.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\win.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtime.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\win.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\win.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2288 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\runtime.exe C:\Windows\System32\cmd.exe
PID 2288 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\runtime.exe C:\Windows\System32\cmd.exe
PID 2288 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\runtime.exe C:\Windows\system32\cmd.exe
PID 2288 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\runtime.exe C:\Windows\system32\cmd.exe
PID 2448 wrote to memory of 4648 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2448 wrote to memory of 4648 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 1220 wrote to memory of 4024 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1220 wrote to memory of 4024 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2448 wrote to memory of 772 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\win.exe
PID 2448 wrote to memory of 772 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\win.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\runtime.exe

"C:\Users\Admin\AppData\Local\Temp\runtime.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "win" /tr '"C:\Users\Admin\AppData\Roaming\win.exe"' & exit

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp4C99.tmp.bat""

C:\Windows\system32\timeout.exe

timeout 3

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "win" /tr '"C:\Users\Admin\AppData\Roaming\win.exe"'

C:\Users\Admin\AppData\Roaming\win.exe

"C:\Users\Admin\AppData\Roaming\win.exe"

Network

Country Destination Domain Proto
US 72.5.43.15:4449 tcp
US 72.5.43.15:4449 tcp
US 72.5.43.15:4449 tcp
US 72.5.43.15:4449 tcp
US 52.111.229.48:443 tcp
US 72.5.43.15:4449 tcp
US 72.5.43.15:4449 tcp

Files

memory/2288-0-0x00007FFDE63E3000-0x00007FFDE63E5000-memory.dmp

memory/2288-1-0x0000000000810000-0x0000000000828000-memory.dmp

memory/2288-3-0x00007FFDE63E0000-0x00007FFDE6EA1000-memory.dmp

memory/2288-8-0x00007FFDE63E0000-0x00007FFDE6EA1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp4C99.tmp.bat

MD5 3a6081c814f6222373fa753468472aac
SHA1 dd43cfb66443c43c2975a07d9324420f2640e31d
SHA256 e45e6e936ce82eb39170359acc7fc057c5550b9409f3f82ba110f82798a9bfa6
SHA512 a30ede459a607742617836fac3297008119c06af23feb818e12d21f91b0ff17506b689a015257275fdddad09d6df51040e0dfb8932b49f495de969753ebc6951

C:\Users\Admin\AppData\Roaming\win.exe

MD5 4fa7b1eec1fc84eb3a13c29e5a37aae7
SHA1 dfff9fceeb4d74d7e82f9f0a65d1889fa0f9e326
SHA256 5f5aa560b9b2d9f7ea3b9a4e05b9b9b35107dc78bd763000fe05f6b3f998f311
SHA512 5e36a5589499a3db56d78de1b66a9ee57a2972bc57bf4b915df9118fd2a584c74ba00c61531d922431b72e87f9c53585c4c1a78a2aba122a22ea5e3603aa06ba

C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf

MD5 cf759e4c5f14fe3eec41b87ed756cea8
SHA1 c27c796bb3c2fac929359563676f4ba1ffada1f5
SHA256 c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761
SHA512 c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-18 18:50

Reported

2024-06-18 18:52

Platform

win7-20240221-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\win5.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\win5.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2320 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\win5.exe C:\Users\Admin\AppData\Local\Temp\win5.exe
PID 2320 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\win5.exe C:\Users\Admin\AppData\Local\Temp\win5.exe
PID 2320 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\win5.exe C:\Users\Admin\AppData\Local\Temp\win5.exe

Processes

C:\Users\Admin\AppData\Local\Temp\win5.exe

"C:\Users\Admin\AppData\Local\Temp\win5.exe"

C:\Users\Admin\AppData\Local\Temp\win5.exe

"C:\Users\Admin\AppData\Local\Temp\win5.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\_MEI23202\python310.dll

MD5 08812511e94ad9859492a8d19cafa63e
SHA1 492b9fefb9cc5c7f80681ebfa373d48b3a600747
SHA256 9742af9d1154293fa4c4fc50352430c22d56e8cdc99202c78533af182d96489c
SHA512 6f7e41f4e2f893841329ac62315809a59a8d01ca047cb5739eb7ac1294afd4de2754549f7b1f5f9affa3397e9de379c5f6396844fc4fab9328362566225ddb8e

memory/2888-87-0x000007FEF61C0000-0x000007FEF6626000-memory.dmp