Malware Analysis Report

2024-09-22 06:35

Sample ID 240619-r9xcjaxbmr
Target 08b0e2870a7fc2dcd71879d84ff235b6f3b27ed5fa2d320a03821d55ce6d6726.zip
SHA256 08b0e2870a7fc2dcd71879d84ff235b6f3b27ed5fa2d320a03821d55ce6d6726
Tags
persistence privilege_escalation spyware stealer upx rat default pyinstaller asyncrat discovery
score
10/10

Analysis Overview

score
10/10

SHA256

08b0e2870a7fc2dcd71879d84ff235b6f3b27ed5fa2d320a03821d55ce6d6726

Threat Level: Known bad

The file 08b0e2870a7fc2dcd71879d84ff235b6f3b27ed5fa2d320a03821d55ce6d6726.zip was found to be: Known bad.

Malicious Activity Summary

persistence privilege_escalation spyware stealer upx rat default pyinstaller asyncrat discovery

AsyncRat

Asyncrat family

Async RAT payload

Loads dropped DLL

UPX packed file

Checks computer location settings

Executes dropped EXE

Reads user/profile data of web browsers

Looks up external IP address via web service

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Detects Pyinstaller

Event Triggered Execution: Netsh Helper DLL

Enumerates physical storage devices

Unsigned PE

Runs ping.exe

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Delays execution with timeout.exe

Kills process with taskkill

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Checks processor information in registry

Scheduled Task/Job: Scheduled Task

Analysis: static1

Detonation Overview

Reported

2024-06-19 14:54

Signatures

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Asyncrat family

asyncrat

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-19 14:54

Reported

2024-06-19 14:56

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\win7\win5.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\win7\win5.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Looks up external IP address via web service

Description Indicator Process Target
N/A ipapi.co N/A N/A

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\win7\win5.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2844 wrote to memory of 3288 N/A C:\Users\Admin\AppData\Local\Temp\win7\win5.exe C:\Users\Admin\AppData\Local\Temp\win7\win5.exe
PID 3288 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\win7\win5.exe C:\Windows\system32\cmd.exe
PID 4600 wrote to memory of 1020 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\wbem\WMIC.exe
PID 3288 wrote to memory of 1300 N/A C:\Users\Admin\AppData\Local\Temp\win7\win5.exe C:\Windows\system32\cmd.exe
PID 1300 wrote to memory of 1048 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\wbem\WMIC.exe
PID 3288 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\win7\win5.exe C:\Windows\system32\cmd.exe
PID 804 wrote to memory of 4460 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\wbem\WMIC.exe
PID 3288 wrote to memory of 4388 N/A C:\Users\Admin\AppData\Local\Temp\win7\win5.exe C:\Windows\system32\cmd.exe
PID 4388 wrote to memory of 2168 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3288 wrote to memory of 3324 N/A C:\Users\Admin\AppData\Local\Temp\win7\win5.exe C:\Windows\system32\cmd.exe
PID 3324 wrote to memory of 4892 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3288 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\win7\win5.exe C:\Windows\system32\cmd.exe
PID 1580 wrote to memory of 3784 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3288 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\win7\win5.exe C:\Windows\system32\cmd.exe
PID 3288 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\win7\win5.exe C:\Windows\system32\cmd.exe
PID 4452 wrote to memory of 4564 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3288 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\Temp\win7\win5.exe C:\Windows\system32\cmd.exe
PID 4924 wrote to memory of 3484 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\win7\win5.exe

"C:\Users\Admin\AppData\Local\Temp\win7\win5.exe"

C:\Users\Admin\AppData\Local\Temp\win7\win5.exe

"C:\Users\Admin\AppData\Local\Temp\win7\win5.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"

C:\Windows\System32\wbem\WMIC.exe

C:\Windows\System32\wbem\WMIC.exe csproduct get uuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"

C:\Windows\System32\wbem\WMIC.exe

C:\Windows\System32\wbem\WMIC.exe csproduct get uuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"

C:\Windows\System32\wbem\WMIC.exe

C:\Windows\System32\wbem\WMIC.exe csproduct get uuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "ver"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /F "C:\Users\Admin\AppData\Local\Temp\win7\win5.exe""

C:\Windows\system32\PING.EXE

ping localhost -n 3

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 www.cloudflare.com udp
US 104.16.123.96:443 www.cloudflare.com tcp
US 8.8.8.8:53 ipapi.co udp
US 8.8.8.8:53 96.123.16.104.in-addr.arpa udp
US 104.26.8.44:443 ipapi.co tcp
US 104.16.123.96:443 www.cloudflare.com tcp
US 104.26.8.44:443 ipapi.co tcp
US 104.16.123.96:443 www.cloudflare.com tcp
US 104.26.8.44:443 ipapi.co tcp
US 8.8.8.8:53 44.8.26.104.in-addr.arpa udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
N/A 127.0.0.1:62028 tcp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 233.17.178.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI28442\python310.dll

C:\Users\Admin\AppData\Local\Temp\_MEI28442\VCRUNTIME140.dll

C:\Users\Admin\AppData\Local\Temp\_MEI28442\base_library.zip

C:\Users\Admin\AppData\Local\Temp\_MEI28442\_ctypes.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI28442\python3.DLL

C:\Users\Admin\AppData\Local\Temp\_MEI28442\libffi-7.dll

C:\Users\Admin\AppData\Local\Temp\_MEI28442\_bz2.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI28442\_lzma.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI28442\_socket.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI28442\select.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI28442\pyexpat.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI28442\_queue.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI28442\pywin32_system32\pywintypes310.dll

C:\Users\Admin\AppData\Local\Temp\_MEI28442\VCRUNTIME140_1.dll

C:\Users\Admin\AppData\Local\Temp\_MEI28442\pywin32_system32\pythoncom310.dll

C:\Users\Admin\AppData\Local\Temp\_MEI28442\win32\win32api.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI28442\_uuid.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI28442\_ssl.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI28442\libcrypto-1_1.dll

C:\Users\Admin\AppData\Local\Temp\_MEI28442\libssl-1_1.dll

C:\Users\Admin\AppData\Local\Temp\_MEI28442\psutil\_psutil_windows.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI28442\zstandard\backend_c.cp310-win_amd64.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI28442\_hashlib.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI28442\charset_normalizer\md.cp310-win_amd64.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI28442\charset_normalizer\md__mypyc.cp310-win_amd64.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI28442\unicodedata.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI28442\sqlite3.dll

C:\Users\Admin\AppData\Local\Temp\_MEI28442\_sqlite3.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI28442\Crypto\Cipher\_raw_ecb.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI28442\Crypto\Cipher\_raw_cfb.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI28442\Crypto\Cipher\_raw_ofb.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI28442\Crypto\Cipher\_raw_cbc.pyd

memory/3288-193-0x00007FFCCEB10000-0x00007FFCCEB1B000-memory.dmp

memory/3288-192-0x00007FFCCEB20000-0x00007FFCCEB2B000-memory.dmp

memory/3288-191-0x00007FFCCEC20000-0x00007FFCCEC2C000-memory.dmp

memory/3288-190-0x00007FFCCEC30000-0x00007FFCCEC3C000-memory.dmp

memory/3288-189-0x00007FFCCEC40000-0x00007FFCCEC4E000-memory.dmp

memory/3288-188-0x00007FFCCEC50000-0x00007FFCCEC5D000-memory.dmp

memory/3288-187-0x00007FFCD3E10000-0x00007FFCD3E1C000-memory.dmp

memory/3288-186-0x00007FFCD44C0000-0x00007FFCD44CB000-memory.dmp

memory/3288-185-0x00007FFCD6600000-0x00007FFCD660C000-memory.dmp

memory/3288-184-0x00007FFCD8BB0000-0x00007FFCD8BBB000-memory.dmp

memory/3288-183-0x00007FFCDBDA0000-0x00007FFCDBDAC000-memory.dmp

memory/3288-182-0x00007FFCDCAC0000-0x00007FFCDCACB000-memory.dmp

memory/3288-181-0x00007FFCDCB30000-0x00007FFCDCB3B000-memory.dmp

memory/3288-180-0x00007FFCDD420000-0x00007FFCDD4DC000-memory.dmp

memory/3288-200-0x00007FFCCCAF0000-0x00007FFCCCD42000-memory.dmp

memory/3288-202-0x00007FFCDCFB0000-0x00007FFCDD068000-memory.dmp

memory/3288-201-0x00007FFCDD570000-0x00007FFCDD58C000-memory.dmp

memory/3288-207-0x00007FFCCE010000-0x00007FFCCE020000-memory.dmp

memory/3288-206-0x00007FFCCD180000-0x00007FFCCD4F9000-memory.dmp

memory/3288-204-0x00007FFCDD070000-0x00007FFCDD09E000-memory.dmp

memory/3288-203-0x00007FFCCD510000-0x00007FFCCD524000-memory.dmp

memory/3288-208-0x0000029E4FA70000-0x0000029E4FDE9000-memory.dmp

memory/3288-233-0x00007FFCD44D0000-0x00007FFCD44F3000-memory.dmp

memory/3288-232-0x00007FFCCD000000-0x00007FFCCD17A000-memory.dmp

memory/3288-231-0x00007FFCDCC20000-0x00007FFCDCC3F000-memory.dmp

memory/3288-225-0x00007FFCCD180000-0x00007FFCCD4F9000-memory.dmp

memory/3288-224-0x00007FFCDCFB0000-0x00007FFCDD068000-memory.dmp

memory/3288-220-0x00007FFCDD420000-0x00007FFCDD4DC000-memory.dmp

memory/3288-219-0x00007FFCDD6F0000-0x00007FFCDD71E000-memory.dmp

memory/3288-210-0x00007FFCCD920000-0x00007FFCCDD86000-memory.dmp

memory/3288-223-0x00007FFCDD070000-0x00007FFCDD09E000-memory.dmp

memory/3288-215-0x00007FFCDD8F0000-0x00007FFCDD909000-memory.dmp

memory/3288-211-0x00007FFCDDA30000-0x00007FFCDDA54000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\win7\downloads_db

MD5 73bd1e15afb04648c24593e8ba13e983
SHA1 4dd85ca46fcdf9d93f6b324f8bb0b5bb512a1b91
SHA256 aab0b201f392fef9fdff09e56a9d0ac33d0f68be95da270e6dab89bb1f971d8b
SHA512 6eb58fb41691894045569085bd64a83acd62277575ab002cf73d729bda4b6d43c36643a5fa336342e87a493326337ed43b8e5eaeae32f53210714699cb8dfac7

C:\Users\Admin\AppData\Local\Temp\OW1FMzyqy8\vault\cookies.txt

MD5 ba27bf11c8e858b02c10e432678831c8
SHA1 e46aa137412c5450b37238abf8a62e14acb65fe8
SHA256 24b23a11b8b2bf3af18f6393332786cf1143db544802fa0f1a2882fe4d58517e
SHA512 bec220e69f41002cb81e559375e3bf06c551e88dcea50360857207af255b3008b9785969717da0c87a88ce06572bebe5a1bb22de50802312686487c0f24e88f4

C:\Users\Admin\AppData\Local\Temp\ERhonjYGDY.tmp

MD5 f70aa3fa04f0536280f872ad17973c3d
SHA1 50a7b889329a92de1b272d0ecf5fce87395d3123
SHA256 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA512 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

C:\Users\Admin\AppData\Local\Temp\win7\downloads_db

MD5 9618e15b04a4ddb39ed6c496575f6f95
SHA1 1c28f8750e5555776b3c80b187c5d15a443a7412
SHA256 a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab
SHA512 f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26

C:\Users\Admin\AppData\Local\Temp\hNo0O5B6nn.tmp

MD5 df95ab0b4975069f0523698fcee83b8e
SHA1 7951baf8445eb50b6ad0f9c9e0a86b0a8d85cef7
SHA256 00b207076648a940ac2156391f3a5ea391317a4bee33722d8cf117f3e9c31c51
SHA512 78baf6b7ffb91ff40c07229a20f46f1069e12452c1e1f3779e002b54da39135a1cc3657e2ccfabc93feffd0e958c61a49901d175ffb2630690171040709a72ff

C:\Users\Admin\AppData\Local\Temp\OW1FMzyqy8\extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\LOG

MD5 81f08967dff006a1e9647c15ac3752fc
SHA1 d3cae067378254ec1478326097d0781916f4a041
SHA256 6c6aca2dfa4e48f91acc1807e54ddf7447f41bd991ca39a9945abada32f85463
SHA512 31f6a78f9263bbf767cca7f44d3b4c67230a99ae6e0806c226290d63e7dde045c40758b1380b1753ee90affc9ad959ebb001de1c5b27f2de991f5d74fb4203b6

C:\Users\Admin\AppData\Local\Temp\OW1FMzyqy8\extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Temp\OW1FMzyqy8\extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\000003.log

MD5 f67672c18281ad476bb09676baee42c4
SHA1 fb4e31c9a39545d822b2f18b0b87ca465e7768c9
SHA256 d96b3d82465808c49ce3c948745074d143504d00f44a9ff3b26a42f0c88e1f61
SHA512 ff37752848af570cb284f5fb65837472ddf9941992fffceb049a70c36d858c37e4e87016176b4e62d0eda63c235ca742411947d50d163cbc7823c50a734f0898

C:\Users\Admin\AppData\Local\Temp\OW1FMzyqy8\extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\MANIFEST-000001

MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

C:\Users\Admin\AppData\Local\Temp\OW1FMzyqy8\extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\LOG.old

MD5 7080bb142dcdde02684777b258d108c6
SHA1 20a1b1ae72f8ab1fcea3f909574730d2af10ac59
SHA256 92dca38d9f4ed9924b678ade438283d667c76871b52ca184c5d7c17b68d708a4
SHA512 6e04c6f09c906b81ea93fac6297e082fd4d7ee16a93dcf3dace7f5975848a85d7769d08aabde00f36982d385c54d1165caaf604c126c7cebad300178bef88c56

C:\Users\Admin\AppData\Local\Temp\OW1FMzyqy8\common(0)\GroupJoin.txt

MD5 0830e0869f21a6243fd2c040b654e087
SHA1 a381b6c1f2a1eaca02df34ece40da767579bb3d0
SHA256 242ea99360ebe67027a81ca2a36fe29315ab3912f7e2f97fc1104952ad50fce5
SHA512 7641fb2bb9ec9bdf116875f4b2566e991041612c50baf5e12abb5022677c4176c08c470b1c438cf112cc0a98f43c6dd5abb2753c10eb8bff7c4c4b2a77772af0

C:\Users\Admin\AppData\Local\Temp\OW1FMzyqy8\common(0)\ExitResume.pdf

MD5 321b8dd9ba283654652482020df559e6
SHA1 a8588f5b75796a9130a4763147d4c5d9f348d7b0
SHA256 fe3d2af084b91225236d2bf8019bf14caa51263148055aeb9de565b6e7e10a3a
SHA512 4adc92cb3b1926a70cd562dbb9163cadf7e66298a887ab5df49a4f88d03d766aa56b385b8e3056c3876582921033869ade774e19a55d77413b2cdbd2ada02415

C:\Users\Admin\AppData\Local\Temp\OW1FMzyqy8\common(0)\Files.docx

MD5 4a8fbd593a733fc669169d614021185b
SHA1 166e66575715d4c52bcb471c09bdbc5a9bb2f615
SHA256 714cd32f8edacb3befbfc4b17db5b6eb05c2c8936e3bae14ea25a6050d88ae42
SHA512 6b2ebbbc34cd821fd9b3d7711d9cdadd8736412227e191883e5df19068f8118b7c80248eb61cc0a2f785a4153871a6003d79de934254b2c74c33b284c507a33b

C:\Users\Admin\AppData\Local\Temp\OW1FMzyqy8\common(0)\EditSelect.csv

MD5 b1ef2438b6c7bcd6c24dba94f051d070
SHA1 cf4c76a6d28e34334bf959d4f720887aab770bba
SHA256 9b2351ed0025a1718733a919a1f8e1de41f83d2be8cd9da22aa68c0a75924721
SHA512 0bf2904b857d91528bd3ceda6f0ac7719cdb04ef897cda33f5c8cf6eaf5fe9b75b8474f4c90556ca0f9352cd293f7aab7a62eba07bb4521cdd23951e5beb4403

C:\Users\Admin\AppData\Local\Temp\OW1FMzyqy8\common(0)\CloseDebug.txt

MD5 d8d43e49c41bb1805c9bd6689ec179a3
SHA1 d8ce723fa74f7fe79c6e5f20a004865c13a92fb9
SHA256 cf9d6445f7e3a661a0100f3573fc021d14e6344f9a65a638bf9c758d448a885d
SHA512 34434472a17f751fd93973f4026150337d96a1fc33d244b78833707a8b3d14fed2c61e2a33ff366621d775c881c5584d8bd22ffc40ff9f0af55edd0eaed4b607

C:\Users\Admin\AppData\Local\Temp\OW1FMzyqy8\common(0)\CheckpointDebug.xls

MD5 f0cfdcfc7eadb9c22b4324152ebb4da1
SHA1 667be258151bcb2c6e9ca969bb8bc312fca9dbda
SHA256 320a9fb7f8fac6930f7cc59b24e9300753a823251d78a6496dbb58fd8e80319d
SHA512 38fd6c54685f08548eab5d8ac64b3a13c8270a1ea4e378e27b03a66720cd1215d5325e51b00c0c3b4cad409b9a558bd67ac9c920fa8ec3268c4c95bace6ed0e3

C:\Users\Admin\AppData\Local\Temp\OW1FMzyqy8\common(0)\Are.docx

MD5 a33e5b189842c5867f46566bdbf7a095
SHA1 e1c06359f6a76da90d19e8fd95e79c832edb3196
SHA256 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
SHA512 f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

C:\Users\Admin\AppData\Local\Temp\OW1FMzyqy8\common(0)\PublishStop.zip

MD5 9b4c8bd7869747cbe81e1ff127c6220a
SHA1 632e162e119a4fea05f2498d1d1a5ee145b909d7
SHA256 5c74a72a15652c728b15b973ac169d7dfa3cf03a32a2e4aedbcdf7c3f5ad10d9
SHA512 1e6665af3589243558e69670bcf841f87ca5b9bc48dc8093bc24911cc546a82520e7c92cd4bbb16708fd1ac1e44cc355c6a3a287ef0c2a196229d4a81cd19b2e

C:\Users\Admin\AppData\Local\Temp\OW1FMzyqy8\common(0)\GroupRead.pdf

MD5 587aa18b0781ba3dd08bd933644a026b
SHA1 e9878eeac893ccd2d3fb3d62e1553b9953673936
SHA256 89639b7a3d3f47ec235187618599ef2a1ab8723962eb6fb8833eee4b48c739d1
SHA512 99d749dd3962e4302a49b4af3678c2a382bf6720c7bfefdc10a1c5a33c9b46706b44bfc779b003dd58a0e63ab59a3bd11ffa978c6e3ff7d2af9d049e2f872f74

C:\Users\Admin\AppData\Local\Temp\OW1FMzyqy8\common(0)\MountWrite.csv

MD5 a0592ffa39f5b38f379d29bdc2516f6c
SHA1 c8bff63f71f7af9e533f9d8a70146d9ed727e58b
SHA256 27660de90265d552f8985d026196943264187999d301a41021d322e60bb6ec6d
SHA512 356abb329c2d0e4c5fba213515e6834a5e33de55dbe3b588be29eafa473e757cd73cef9432ee28fab1eef0880038bcae5debbf1594e2a1040d3cbe588a94ff5c

C:\Users\Admin\AppData\Local\Temp\OW1FMzyqy8\common(0)\Opened.docx

MD5 bfbc1a403197ac8cfc95638c2da2cf0e
SHA1 634658f4dd9747e87fa540f5ba47e218acfc8af2
SHA256 272ed278e82c84cf4f80f48ec7989e1fc35f2055d6d05b63c8a31880846597a6
SHA512 b8938526fcbf7152805aec130ca553e3ec949cb825430a5d0a25c90ec5eb0863857010484a4b31fdc4bb65a4c92ad7127c812b93114be4569a677f60debe43b1

C:\Users\Admin\AppData\Local\Temp\OW1FMzyqy8\common(0)\RegisterRepair.jpeg

MD5 af526974fd45294bde567c250de4740e
SHA1 ea933bc54bb69f3c4b585d54c5009dbf5f220495
SHA256 e4a63bd8d768b0abec456d80b1a05a855d8a56bf815e960c8f3a5da3a2cbf1e1
SHA512 a487403c0b7ebfc4323c64cf18e4df52d5dfe444b3e79cd517ad6d70522c56e0c625eae94cfd7353790bf22592cd35a7ce5f42ba106ae034a097d460071dce8d

C:\Users\Admin\AppData\Local\Temp\OW1FMzyqy8\common(0)\My Wallpaper.jpg

MD5 a51464e41d75b2aa2b00ca31ea2ce7eb
SHA1 5b94362ac6a23c5aba706e8bfd11a5d8bab6097d
SHA256 16d5506b6663085b1acd80644ffa5363c158e390da67ed31298b85ddf0ad353f
SHA512 b2a09d52c211e7100e3e68d88c13394c64f23bf2ec3ca25b109ffb1e1a96a054f0e0d25d2f2a0c2145616eabc88c51d63023cef5faa7b49129d020f67ab0b1ff

C:\Users\Admin\AppData\Local\Temp\OW1FMzyqy8\common(0)\MoveRevoke.csv

MD5 ce2222ff54228eb3df74202a230a366c
SHA1 6ca500d8df91004f21bf640a469a0fca5b5fbf6f
SHA256 92ffbdf6925b2a2c2f334599da557ebc157e1685ae12140fc3875204cafcf1f0
SHA512 386d3c47500d3005295ff79c2f47749c8ed918bfcaecbc47f31c01f53b749b10f702f147a1430a39366d55a7e5820bc71fe88645dd1b8d4652f22fe64868e8f1

C:\Users\Admin\AppData\Local\Temp\OW1FMzyqy8\common(0)\ConvertFromComplete.doc

MD5 e58cc06285cac3e144602808f529203f
SHA1 ca5b0862f7c6eca35acfe020855313cd5495547f
SHA256 5da4917c94c4c139750a83d9564792a3468561c86b935cdd607a8e6258cf8949
SHA512 4ccaed709180f576531554ede87bef609ddbf3a5a91364d97721bbabe12a9cff2e1ab4b9f282d5e4b695385d7fb4745b4dac27ca3d829e8c9b3565501c960efa

C:\Users\Admin\AppData\Local\Temp\OW1FMzyqy8\common(0)\These.docx

MD5 87cbab2a743fb7e0625cc332c9aac537
SHA1 50f858caa7f4ac3a93cf141a5d15b4edeb447ee7
SHA256 57e3b0d22fa619da90237d8bcf8f922b142c9f6abf47efc5a1f5b208c4d3f023
SHA512 6b678f0dd0030806effe6825fd52a6a30b951e0c3dcf91dfd7a713d387aa8b39ec24368e9623c463360acba5e929e268f75ce996526c5d4485894b8ac6b2e0fa

C:\Users\Admin\AppData\Local\Temp\OW1FMzyqy8\common(0)\SetClose.docx

MD5 f457a3730262dee961305da2ee3ef273
SHA1 a1fee1b241a7a0bfc364ba1a537a6df4cbfa55c3
SHA256 ed2499731e6be21c3d25a6177668ac5e4ae816701d1c403eb930508afbfc02c8
SHA512 05c803e4bea2a51771dd774e71739cb7243226112f557eb9937190172d315be1851680242abb913a0ee2327daa6caa727544d76738dc4df3e0ac28760e1e69ce

C:\Users\Admin\AppData\Local\Temp\OW1FMzyqy8\common(0)\Recently.docx

MD5 3b068f508d40eb8258ff0b0592ca1f9c
SHA1 59ac025c3256e9c6c86165082974fe791ff9833a
SHA256 07db44a8d6c3a512b15f1cb7262a2d7e4b63ced2130bc9228515431699191cc7
SHA512 e29624bc8fecb0e2a9d917642375bd97b42502e5f23812195a61a4920cae5b6ed540e74dfcf8432dcceb7de906ad0501cdd68056f9b0ec86a6bb0c1e336bfe32

C:\Users\Admin\AppData\Local\Temp\OW1FMzyqy8\common(0)\OutEnter.csv

MD5 08044f7f0887009d20e964e25052240f
SHA1 4cfdafe2851c00fed87be4b09a49cb7c1f683e50
SHA256 65e574c000746d775dbd733749750f1723baf4a5c6a6e2117280d3afe9e7674a
SHA512 ad59a262499d69202993d6fbe99bf7594f8e70b541e4c08ac000f085e410927a5a4fc6322167cb104b94ad566d6e4114f0d33ec564390ec6f8c22e5648e5b0bc

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dccsyfw2.lnk.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4564-850-0x0000019F40EB0000-0x0000019F40ED2000-memory.dmp

memory/3288-853-0x00007FFCDCC20000-0x00007FFCDCC3F000-memory.dmp

memory/3288-872-0x00007FFCCD180000-0x00007FFCCD4F9000-memory.dmp

memory/3288-891-0x00007FFCDD590000-0x00007FFCDD5BB000-memory.dmp

memory/3288-892-0x00007FFCDD070000-0x00007FFCDD09E000-memory.dmp

memory/3288-914-0x00007FFCCD510000-0x00007FFCCD524000-memory.dmp

memory/3288-913-0x00007FFCCCAF0000-0x00007FFCCCD42000-memory.dmp

memory/3288-912-0x00007FFCCD5E0000-0x00007FFCCD609000-memory.dmp

memory/3288-911-0x00007FFCCE9C0000-0x00007FFCCE9CC000-memory.dmp

memory/3288-910-0x00007FFCCEAC0000-0x00007FFCCEAD2000-memory.dmp

memory/3288-909-0x00007FFCCEAE0000-0x00007FFCCEAED000-memory.dmp

memory/3288-908-0x00007FFCCEAF0000-0x00007FFCCEAFC000-memory.dmp

memory/3288-907-0x00007FFCCEB00000-0x00007FFCCEB0C000-memory.dmp

memory/3288-906-0x00007FFCCEB10000-0x00007FFCCEB1B000-memory.dmp

memory/3288-905-0x00007FFCCEB20000-0x00007FFCCEB2B000-memory.dmp

memory/3288-904-0x00007FFCCEC20000-0x00007FFCCEC2C000-memory.dmp

memory/3288-903-0x00007FFCCEC30000-0x00007FFCCEC3C000-memory.dmp

memory/3288-902-0x00007FFCCEC40000-0x00007FFCCEC4E000-memory.dmp

memory/3288-901-0x00007FFCCEC50000-0x00007FFCCEC5D000-memory.dmp

memory/3288-900-0x00007FFCD3E10000-0x00007FFCD3E1C000-memory.dmp

memory/3288-899-0x00007FFCD44C0000-0x00007FFCD44CB000-memory.dmp

memory/3288-898-0x00007FFCD6600000-0x00007FFCD660C000-memory.dmp

memory/3288-897-0x00007FFCD8BB0000-0x00007FFCD8BBB000-memory.dmp

memory/3288-896-0x00007FFCDBDA0000-0x00007FFCDBDAC000-memory.dmp

memory/3288-895-0x00007FFCDCAC0000-0x00007FFCDCACB000-memory.dmp

memory/3288-894-0x00007FFCDCB30000-0x00007FFCDCB3B000-memory.dmp

memory/3288-893-0x00007FFCCE010000-0x00007FFCCE020000-memory.dmp

memory/3288-890-0x00007FFCDD420000-0x00007FFCDD4DC000-memory.dmp

memory/3288-889-0x00007FFCDD6F0000-0x00007FFCDD71E000-memory.dmp

memory/3288-888-0x00007FFCDD9F0000-0x00007FFCDD9FD000-memory.dmp

memory/3288-887-0x00007FFCDD750000-0x00007FFCDD785000-memory.dmp

memory/3288-886-0x00007FFCDE570000-0x00007FFCDE57D000-memory.dmp

memory/3288-885-0x00007FFCDD8F0000-0x00007FFCDD909000-memory.dmp

memory/3288-884-0x00007FFCDDA00000-0x00007FFCDDA2C000-memory.dmp

memory/3288-883-0x00007FFCE3140000-0x00007FFCE3158000-memory.dmp

memory/3288-882-0x00007FFCE5A20000-0x00007FFCE5A2F000-memory.dmp

memory/3288-881-0x00007FFCDDA30000-0x00007FFCDDA54000-memory.dmp

memory/3288-880-0x00007FFCDD570000-0x00007FFCDD58C000-memory.dmp

memory/3288-879-0x00007FFCCD000000-0x00007FFCCD17A000-memory.dmp

memory/3288-878-0x00007FFCDCC20000-0x00007FFCDCC3F000-memory.dmp

memory/3288-877-0x00007FFCCD800000-0x00007FFCCD918000-memory.dmp

memory/3288-876-0x00007FFCD44D0000-0x00007FFCD44F3000-memory.dmp

memory/3288-875-0x00007FFCDD350000-0x00007FFCDD35B000-memory.dmp

memory/3288-874-0x00007FFCDD2A0000-0x00007FFCDD2B5000-memory.dmp

memory/3288-873-0x00007FFCD8BC0000-0x00007FFCD8C47000-memory.dmp

memory/3288-871-0x00007FFCDCFB0000-0x00007FFCDD068000-memory.dmp

memory/3288-857-0x00007FFCCD920000-0x00007FFCCDD86000-memory.dmp
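The "Files" lists above and in the runs below follow one fixed shape: a path line, then MD5/SHA1/SHA256/SHA512 lines, with memory/<pid>-<n>-<start>-<end>-memory.dmp entries interleaved that carry no digests. Two packer layouts are visible on this page: `_MEI<pid>` is the directory PyInstaller's bootloader unpacks into, and `onefile_<pid>_<filetime>\main.exe` with `python310.dll` beside it (behavioral5 and behavioral6) is the layout of a Nuitka onefile build. The following parser is an added example, not the sandbox's own code or output: it turns such blocks into checked IOC records, tags each path by what it is, and separates hashes worth hunting on from victim data the stealer staged. The category names, the directory regexes, and the sample excerpt (copied from entries on this page) are mine.

```python
"""Parse the "Files" artifact blocks of a sandbox report into checked IOC records."""
import re
from dataclasses import dataclass, field

HASH_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

# Extraction directories of the two Python freezers seen in this report.
PYINSTALLER_DIR = re.compile(r"\\_MEI\d+\\", re.IGNORECASE)       # PyInstaller bootloader
NUITKA_DIR = re.compile(r"\\onefile_\d+_\d+\\", re.IGNORECASE)    # Nuitka onefile
# Stealer staging tree seen here: %TEMP%\<random>\{vault,extensions,common(n)}\...
# The 8-16 alphanumeric name is an assumption drawn from the one example on this page.
STAGING_DIR = re.compile(r"\\Temp\\[A-Za-z0-9]{8,16}\\(vault|extensions|common\(\d+\))\\")
# Written by PowerShell itself at start-up to probe script policy; not malware output.
POLICY_TEST = re.compile(r"__PSScriptPolicyTest_[A-Za-z0-9]+\.lnk\.ps1$")
PATH_LINE = re.compile(r"^(?:[A-Za-z]:)?\\")
HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")


@dataclass
class Artifact:
    path: str
    hashes: dict = field(default_factory=dict)

    def category(self) -> str:
        if PYINSTALLER_DIR.search(self.path):
            return "pyinstaller-extract"
        if NUITKA_DIR.search(self.path):
            return "nuitka-onefile-extract"
        if STAGING_DIR.search(self.path):
            return "stealer-staging"
        if POLICY_TEST.search(self.path):
            return "powershell-startup-artifact"
        return "other"

    def valid(self) -> bool:
        """All four digests present, lower-case hex, and of the right length."""
        for algo, length in HASH_LENGTHS.items():
            value = self.hashes.get(algo, "")
            if len(value) != length or not re.fullmatch(r"[0-9a-f]+", value):
                return False
        return True


def parse_artifacts(text: str) -> list:
    artifacts, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_LINE.match(line)
        if m and current is not None:
            current.hashes[m.group(1)] = m.group(2).lower()
        elif line.startswith("memory/"):
            current = None            # memory dump entries carry no digests
        elif PATH_LINE.match(line):
            current = Artifact(path=line)
            artifacts.append(current)
    return artifacts


def hunting_hashes(artifacts) -> list:
    """SHA256 candidates for retro-hunting: fully hashed, and neither victim data the
    stealer staged nor PowerShell's own start-up artifact. Packer-directory entries
    still include stock runtime libraries; vet those against known-good hashes."""
    skip = {"stealer-staging", "powershell-startup-artifact"}
    return sorted(a.hashes["SHA256"] for a in artifacts
                  if a.valid() and a.category() not in skip)


# Constructed excerpt: four entries and one memory line copied from this report.
SAMPLE = r"""
C:\Users\Admin\AppData\Local\Temp\_MEI28442\sqlite3.dll

MD5 7e7228ddf41d2f4cd6f848121550dcb7
SHA1 e803025ce8734b8dc8427aa5234bc50d069724d4
SHA256 3ad86547fcfb8478f0825d4b72311eb3a9fc6ed6441c85821000a763828deb8e
SHA512 2bf6e37b5bd87d2a5cb9903a550607c50a51d306fbdbf86ca879268cdf78c95fc82c8868e07f1dc146467facdab2437de18f9b2f6ca06cc58c201451bb55a1ff

memory/3288-164-0x00007FFCCD800000-0x00007FFCCD918000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\OW1FMzyqy8\vault\cookies.txt

MD5 ba27bf11c8e858b02c10e432678831c8
SHA1 e46aa137412c5450b37238abf8a62e14acb65fe8
SHA256 24b23a11b8b2bf3af18f6393332786cf1143db544802fa0f1a2882fe4d58517e
SHA512 bec220e69f41002cb81e559375e3bf06c551e88dcea50360857207af255b3008b9785969717da0c87a88ce06572bebe5a1bb22de50802312686487c0f24e88f4

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dccsyfw2.lnk.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

\Users\Admin\AppData\Local\Temp\onefile_2340_133632824583806000\main.exe

MD5 677a4308b447726c114cabae725f8cb0
SHA1 440ac32a073a81a5afd1c695fb55b6df5f8813d2
SHA256 9be96084ae3f0f51038b6061a33f74acc16aaf02f3f6061f9170295f4b11900d
SHA512 a4826acecb86d38de53330ee623d396f73a018039e45849e4b37c8a9f44c60c1de65fdde0dc215e42f5fde1bd624bef640e94b98dd4ea7f12e200c39f4677618
"""

if __name__ == "__main__":
    for a in parse_artifacts(SAMPLE):
        print(f"{a.category():28} valid={a.valid()} {a.path}")
    print(hunting_hashes(parse_artifacts(SAMPLE)))
```

Feed it the whole "Files" section of a run and the "stealer-staging" bucket tells you what the sample exfiltrated (browser cookie store, the Google Docs Offline extension's LevelDB, the decoy documents under common(0)), while the two packer buckets hold the payload and its runtime; only the latter two feed the hunting list.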

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-19 14:54

Reported

2024-06-19 14:56

Platform

win7-20240221-en

Max time kernel

121s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\win7\win6.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\win7\win6.exe

"C:\Users\Admin\AppData\Local\Temp\win7\win6.exe"

C:\Users\Admin\AppData\Local\Temp\onefile_2340_133632824583806000\main.exe

"C:\Users\Admin\AppData\Local\Temp\win7\win6.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\onefile_2340_133632824583806000\main.exe

MD5 677a4308b447726c114cabae725f8cb0
SHA1 440ac32a073a81a5afd1c695fb55b6df5f8813d2
SHA256 9be96084ae3f0f51038b6061a33f74acc16aaf02f3f6061f9170295f4b11900d
SHA512 a4826acecb86d38de53330ee623d396f73a018039e45849e4b37c8a9f44c60c1de65fdde0dc215e42f5fde1bd624bef640e94b98dd4ea7f12e200c39f4677618

C:\Users\Admin\AppData\Local\Temp\onefile_2340_133632824583806000\python310.dll

MD5 63a1fa9259a35eaeac04174cecb90048
SHA1 0dc0c91bcd6f69b80dcdd7e4020365dd7853885a
SHA256 14b06796f288bc6599e458fb23a944ab0c843e9868058f02a91d4606533505ed
SHA512 896caa053f48b1e4102e0f41a7d13d932a746eea69a894ae564ef5a84ef50890514deca6496e915aae40a500955220dbc1b1016fe0b8bcdde0ad81b2917dea8b

memory/2000-58-0x000000013F1B0000-0x000000013FE5A000-memory.dmp

memory/2340-111-0x000000013FA30000-0x00000001402C2000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-19 14:54

Reported

2024-06-19 14:56

Platform

win10v2004-20240226-en

Max time kernel

142s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\win7\win6.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1184_133632824637116080\main.exe N/A
(this row is repeated 64 times in the report: 64 DLL-load events attributed to main.exe, none with the loaded DLL's path captured)

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Note: all three events are reads of the NetSh key by netsh.exe itself, which it performs at every start to find its helper DLLs; no write to the key appears here, so this signature alone does not establish that a helper was registered (ATT&CK T1546.007). Confirm by comparing the key's values with those of a clean host.

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\onefile_1184_133632824637116080\main.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\onefile_1184_133632824637116080\main.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 (SeIncreaseWorkingSetPrivilege; LUID not resolved by the sandbox) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 (SeTimeZonePrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 (SeCreateSymbolicLinkPrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 (SeDelegateSessionUserImpersonatePrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Note: taken together the WMIC.exe rows are the privileges an elevated administrator token carries but does not have enabled by default; WMIC enables them wholesale at start-up, so the list identifies the tool, not what it queried. The SeDebugPrivilege rows for taskkill.exe are taskkill enabling the privilege it uses to open processes it could not otherwise terminate.

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1184 wrote to memory of 4576 N/A C:\Users\Admin\AppData\Local\Temp\win7\win6.exe C:\Users\Admin\AppData\Local\Temp\onefile_1184_133632824637116080\main.exe
PID 1184 wrote to memory of 4576 N/A C:\Users\Admin\AppData\Local\Temp\win7\win6.exe C:\Users\Admin\AppData\Local\Temp\onefile_1184_133632824637116080\main.exe
PID 4576 wrote to memory of 3532 N/A C:\Users\Admin\AppData\Local\Temp\onefile_1184_133632824637116080\main.exe C:\Users\Admin\AppData\Local\Temp\onefile_1184_133632824637116080\main.exe
PID 4576 wrote to memory of 3532 N/A C:\Users\Admin\AppData\Local\Temp\onefile_1184_133632824637116080\main.exe C:\Users\Admin\AppData\Local\Temp\onefile_1184_133632824637116080\main.exe
PID 4576 wrote to memory of 4236 N/A C:\Users\Admin\AppData\Local\Temp\onefile_1184_133632824637116080\main.exe C:\Users\Admin\AppData\Local\Temp\onefile_1184_133632824637116080\main.exe
PID 4576 wrote to memory of 4236 N/A C:\Users\Admin\AppData\Local\Temp\onefile_1184_133632824637116080\main.exe C:\Users\Admin\AppData\Local\Temp\onefile_1184_133632824637116080\main.exe
PID 4576 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\onefile_1184_133632824637116080\main.exe C:\Users\Admin\AppData\Local\Temp\onefile_1184_133632824637116080\main.exe
PID 4576 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\onefile_1184_133632824637116080\main.exe C:\Users\Admin\AppData\Local\Temp\onefile_1184_133632824637116080\main.exe
PID 4576 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\onefile_1184_133632824637116080\main.exe C:\Users\Admin\AppData\Local\Temp\onefile_1184_133632824637116080\main.exe
PID 4576 wrote to memory of 3584 N/A C:\Users\Admin\AppData\Local\Temp\onefile_1184_133632824637116080\main.exe C:\Users\Admin\AppData\Local\Temp\onefile_1184_133632824637116080\main.exe
PID 1164 wrote to memory of 4668 N/A C:\Users\Admin\AppData\Local\Temp\onefile_1184_133632824637116080\main.exe C:\Windows\system32\cmd.exe
PID 3532 wrote to memory of 400 N/A C:\Users\Admin\AppData\Local\Temp\onefile_1184_133632824637116080\main.exe C:\Windows\system32\cmd.exe
PID 4236 wrote to memory of 4188 N/A C:\Users\Admin\AppData\Local\Temp\onefile_1184_133632824637116080\main.exe C:\Windows\system32\cmd.exe
PID 2056 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\onefile_1184_133632824637116080\main.exe C:\Windows\system32\cmd.exe
PID 3584 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\onefile_1184_133632824637116080\main.exe C:\Users\Admin\AppData\Local\Temp\onefile_1184_133632824637116080\main.exe
PID 4668 wrote to memory of 4760 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 400 wrote to memory of 1172 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4188 wrote to memory of 4868 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2972 wrote to memory of 4784 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2976 wrote to memory of 4772 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 3584 wrote to memory of 3076 N/A C:\Users\Admin\AppData\Local\Temp\onefile_1184_133632824637116080\main.exe C:\Windows\system32\cmd.exe
PID 4236 wrote to memory of 3264 N/A C:\Users\Admin\AppData\Local\Temp\onefile_1184_133632824637116080\main.exe C:\Windows\system32\cmd.exe
PID 3076 wrote to memory of 4312 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 3264 wrote to memory of 2140 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 3532 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\onefile_1184_133632824637116080\main.exe C:\Windows\system32\cmd.exe
PID 3584 wrote to memory of 4464 N/A C:\Users\Admin\AppData\Local\Temp\onefile_1184_133632824637116080\main.exe C:\Windows\system32\cmd.exe
PID 3532 wrote to memory of 4316 N/A C:\Users\Admin\AppData\Local\Temp\onefile_1184_133632824637116080\main.exe C:\Windows\system32\cmd.exe
PID 4464 wrote to memory of 4244 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tree.com
PID 3532 wrote to memory of 916 N/A C:\Users\Admin\AppData\Local\Temp\onefile_1184_133632824637116080\main.exe C:\Windows\system32\cmd.exe
PID 3584 wrote to memory of 4844 N/A C:\Users\Admin\AppData\Local\Temp\onefile_1184_133632824637116080\main.exe C:\Windows\system32\cmd.exe
PID 4844 wrote to memory of 1732 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tree.com
PID 916 wrote to memory of 2220 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3584 wrote to memory of 3260 N/A C:\Users\Admin\AppData\Local\Temp\onefile_1184_133632824637116080\main.exe C:\Windows\system32\cmd.exe
PID 3260 wrote to memory of 2764 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tree.com
PID 3584 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\onefile_1184_133632824637116080\main.exe C:\Windows\system32\cmd.exe
PID 1020 wrote to memory of 1588 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tree.com

Processes

C:\Users\Admin\AppData\Local\Temp\win7\win6.exe

"C:\Users\Admin\AppData\Local\Temp\win7\win6.exe"

C:\Users\Admin\AppData\Local\Temp\onefile_1184_133632824637116080\main.exe

"C:\Users\Admin\AppData\Local\Temp\win7\win6.exe"

C:\Users\Admin\AppData\Local\Temp\onefile_1184_133632824637116080\main.exe

"C:\Users\Admin\AppData\Local\Temp\onefile_1184_133632824637116080\main.exe" "--multiprocessing-fork" "parent_pid=4576" "pipe_handle=716"

C:\Users\Admin\AppData\Local\Temp\onefile_1184_133632824637116080\main.exe

"C:\Users\Admin\AppData\Local\Temp\onefile_1184_133632824637116080\main.exe" "--multiprocessing-fork" "parent_pid=4576" "pipe_handle=724"

C:\Users\Admin\AppData\Local\Temp\onefile_1184_133632824637116080\main.exe

"C:\Users\Admin\AppData\Local\Temp\onefile_1184_133632824637116080\main.exe" "--multiprocessing-fork" "parent_pid=4576" "pipe_handle=736"

C:\Users\Admin\AppData\Local\Temp\onefile_1184_133632824637116080\main.exe

"C:\Users\Admin\AppData\Local\Temp\onefile_1184_133632824637116080\main.exe" "--multiprocessing-fork" "parent_pid=4576" "pipe_handle=764"

C:\Users\Admin\AppData\Local\Temp\onefile_1184_133632824637116080\main.exe

"C:\Users\Admin\AppData\Local\Temp\onefile_1184_133632824637116080\main.exe" "--multiprocessing-fork" "parent_pid=4576" "pipe_handle=788"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /f /im chrome.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /f /im opera.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /f /im opera.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /f /im msedge.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /f /im brave.exe"

C:\Windows\system32\taskkill.exe

taskkill /f /im chrome.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im opera.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im opera.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im msedge.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im brave.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /f /im vivaldi.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /f /im browser.exe"

C:\Windows\system32\taskkill.exe

taskkill /f /im vivaldi.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im browser.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "ver"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "ver"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\root\SecurityCenter2 Path AntivirusProduct Get displayName"

C:\Windows\System32\Wbem\WMIC.exe

WMIC /Node:localhost /Namespace:\root\SecurityCenter2 Path AntivirusProduct Get displayName

C:\Users\Admin\AppData\Local\Temp\onefile_1184_133632824637116080\main.exe

"C:\Users\Admin\AppData\Local\Temp\onefile_1184_133632824637116080\main.exe" "--multiprocessing-fork" "parent_pid=4576" "pipe_handle=996"

C:\Users\Admin\AppData\Local\Temp\onefile_1184_133632824637116080\main.exe

"C:\Users\Admin\AppData\Local\Temp\onefile_1184_133632824637116080\main.exe" "--multiprocessing-fork" "parent_pid=4576" "pipe_handle=1004"

C:\Users\Admin\AppData\Local\Temp\onefile_1184_133632824637116080\main.exe

"C:\Users\Admin\AppData\Local\Temp\onefile_1184_133632824637116080\main.exe" "--multiprocessing-fork" "parent_pid=4576" "pipe_handle=1008"

C:\Users\Admin\AppData\Local\Temp\onefile_1184_133632824637116080\main.exe

"C:\Users\Admin\AppData\Local\Temp\onefile_1184_133632824637116080\main.exe" "--multiprocessing-fork" "parent_pid=4576" "pipe_handle=832"

C:\Users\Admin\AppData\Local\Temp\onefile_1184_133632824637116080\main.exe

"C:\Users\Admin\AppData\Local\Temp\onefile_1184_133632824637116080\main.exe" "--multiprocessing-fork" "parent_pid=4576" "pipe_handle=776"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /F "C:\Users\Admin\AppData\Local\Temp\onefile_1184_133632824637116080\main.exe""

C:\Windows\system32\PING.EXE

ping localhost -n 3

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 71.143.109.104.in-addr.arpa udp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.186.192:443 ipinfo.io tcp
GB 142.250.200.42:443 tcp
US 8.8.8.8:53 192.186.117.34.in-addr.arpa udp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 gstatic.com udp
GB 172.217.16.227:443 gstatic.com tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 227.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
N/A 127.0.0.1:49998 tcp
N/A 127.0.0.1:50001 tcp
N/A 127.0.0.1:50008 tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
N/A 127.0.0.1:50016 tcp
N/A 127.0.0.1:50019 tcp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
N/A 127.0.0.1:50031 tcp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
N/A 127.0.0.1:50037 tcp
N/A 127.0.0.1:50041 tcp
N/A 127.0.0.1:50047 tcp
N/A 127.0.0.1:50053 tcp
N/A 127.0.0.1:50057 tcp
N/A 127.0.0.1:50061 tcp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
N/A 127.0.0.1:50068 tcp
N/A 127.0.0.1:50072 tcp
N/A 127.0.0.1:50078 tcp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 26.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\onefile_1184_133632824637116080\main.exe

C:\Users\Admin\AppData\Local\Temp\onefile_1184_133632824637116080\python310.dll

C:\Users\Admin\AppData\Local\Temp\onefile_1184_133632824637116080\VCRUNTIME140.dll

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libcrypto-1_1.dll

C:\Users\Admin\AppData\Local\Temp\onefile_1184_133632824637116080\_ssl.pyd

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libssl-1_1.dll

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_socket.pyd

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\select.pyd

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_hashlib.pyd

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_bz2.pyd

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_lzma.pyd

C:\Users\Admin\AppData\Local\Temp\onefile_1184_133632824637116080\zstandard\backend_c.pyd

C:\Users\Admin\AppData\Local\Temp\onefile_1184_133632824637116080\_queue.pyd

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\charset_normalizer\md.pyd

C:\Users\Admin\AppData\Local\Temp\onefile_1184_133632824637116080\charset_normalizer\md__mypyc.pyd

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\unicodedata.pyd

C:\Users\Admin\AppData\Local\Temp\onefile_1184_133632824637116080\_asyncio.pyd

C:\Users\Admin\AppData\Local\Temp\onefile_1184_133632824637116080\_overlapped.pyd

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_uuid.pyd

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_ctypes.pyd

C:\Users\Admin\AppData\Local\Temp\onefile_1184_133632824637116080\libffi-7.dll

C:\Users\Admin\AppData\Local\Temp\onefile_1184_133632824637116080\_sqlite3.pyd

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\sqlite3.dll

C:\Users\Admin\AppData\Local\Temp\onefile_1184_133632824637116080\win32crypt.pyd

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\pywintypes310.dll

C:\Users\Admin\AppData\Local\Temp\onefile_1184_133632824637116080\Crypto\Cipher\_raw_cbc.pyd

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\Crypto\Cipher\_raw_ctr.pyd

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\Crypto\Util\_strxor.pyd

C:\Users\Admin\AppData\Local\Temp\onefile_1184_133632824637116080\Crypto\Cipher\_raw_ofb.pyd

C:\Users\Admin\AppData\Local\Temp\onefile_1184_133632824637116080\Crypto\Cipher\_raw_cfb.pyd

C:\Users\Admin\AppData\Local\Temp\onefile_1184_133632824637116080\Crypto\Cipher\_raw_ecb.pyd

C:\Users\Admin\AppData\Local\Temp\onefile_1184_133632824637116080\vcruntime140_1.dll

C:\Users\Admin\AppData\Local\Temp\archive1.zip

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-19 14:54

Reported

2024-06-19 14:56

Platform

win7-20240220-en

Max time kernel

149s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\win7\runtime.exe"

Signatures

AsyncRat

rat asyncrat

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\win.exe N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\win7\runtime.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\win.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\win7\runtime.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\win.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\win.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 840 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\win7\runtime.exe C:\Windows\System32\cmd.exe
PID 840 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\win7\runtime.exe C:\Windows\system32\cmd.exe
PID 1688 wrote to memory of 3004 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2476 wrote to memory of 2600 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2476 wrote to memory of 2584 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\win.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\win7\runtime.exe

"C:\Users\Admin\AppData\Local\Temp\win7\runtime.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "win" /tr '"C:\Users\Admin\AppData\Roaming\win.exe"' & exit

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp1A35.tmp.bat""

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "win" /tr '"C:\Users\Admin\AppData\Roaming\win.exe"'

C:\Windows\system32\timeout.exe

timeout 3

C:\Users\Admin\AppData\Roaming\win.exe

"C:\Users\Admin\AppData\Roaming\win.exe"

Network

Country Destination Domain Proto
US 72.5.43.15:4449 tcp

Files

C:\Users\Admin\AppData\Local\Temp\tmp1A35.tmp.bat

C:\Users\Admin\AppData\Roaming\win.exe

C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\Local\Temp\Tar4033.tmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-19 14:54

Reported

2024-06-19 14:56

Platform

win10v2004-20240508-en

Max time kernel

126s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\win7\runtime.exe"

Signatures

AsyncRat

rat asyncrat

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\win7\runtime.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\win.exe N/A

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\win7\runtime.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\win7\runtime.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\win7\runtime.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\win7\runtime.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\win7\runtime.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\win7\runtime.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\win7\runtime.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\win7\runtime.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\win7\runtime.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\win7\runtime.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\win7\runtime.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\win7\runtime.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\win7\runtime.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\win7\runtime.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\win7\runtime.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\win7\runtime.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\win7\runtime.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\win7\runtime.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\win7\runtime.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\win7\runtime.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\win7\runtime.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\win7\runtime.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\win7\runtime.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\win.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\win.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\win.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\win.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\win.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\win.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\win.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\win7\runtime.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\win.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\win.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\win7\runtime.exe

"C:\Users\Admin\AppData\Local\Temp\win7\runtime.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "win" /tr '"C:\Users\Admin\AppData\Roaming\win.exe"' & exit

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp4352.tmp.bat""

C:\Windows\system32\timeout.exe

timeout 3

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "win" /tr '"C:\Users\Admin\AppData\Roaming\win.exe"'

C:\Users\Admin\AppData\Roaming\win.exe

"C:\Users\Admin\AppData\Roaming\win.exe"

Network

Country Destination Domain Proto
US 72.5.43.15:4449 tcp
US 72.5.43.15:4449 tcp
US 72.5.43.15:4449 tcp
US 72.5.43.15:4449 tcp
US 72.5.43.15:4449 tcp
US 72.5.43.15:4449 tcp

Files

memory/2340-0-0x00007FF816413000-0x00007FF816415000-memory.dmp

memory/2340-1-0x0000000000D80000-0x0000000000D98000-memory.dmp

memory/2340-3-0x00007FF816410000-0x00007FF816ED1000-memory.dmp

memory/2340-8-0x00007FF816410000-0x00007FF816ED1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp4352.tmp.bat

MD5 db659f2c8f7432eb6bf69da13b6eec3e
SHA1 4f210a4eb82ee488b48a8cb3d0208eb9d68deeb6
SHA256 66d8b294dda91ca437b2e215f459e736c5d0c9b6f2ea3553c8e583f0c72576a3
SHA512 2ee1a9ab51e061e5067990a40d92be44c2ed6eb537c273e2d05b6fcf721e0e17ec072aa97c12d44096b62997c65997f29985521a0c9022e99f6a02f769ed98eb

C:\Users\Admin\AppData\Roaming\win.exe

MD5 4fa7b1eec1fc84eb3a13c29e5a37aae7
SHA1 dfff9fceeb4d74d7e82f9f0a65d1889fa0f9e326
SHA256 5f5aa560b9b2d9f7ea3b9a4e05b9b9b35107dc78bd763000fe05f6b3f998f311
SHA512 5e36a5589499a3db56d78de1b66a9ee57a2972bc57bf4b915df9118fd2a584c74ba00c61531d922431b72e87f9c53585c4c1a78a2aba122a22ea5e3603aa06ba

C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf

MD5 cf759e4c5f14fe3eec41b87ed756cea8
SHA1 c27c796bb3c2fac929359563676f4ba1ffada1f5
SHA256 c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761
SHA512 c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-19 14:54

Reported

2024-06-19 14:56

Platform

win7-20240508-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\win7\win5.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\win7\win5.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\win7\win5.exe

"C:\Users\Admin\AppData\Local\Temp\win7\win5.exe"

C:\Users\Admin\AppData\Local\Temp\win7\win5.exe

"C:\Users\Admin\AppData\Local\Temp\win7\win5.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\_MEI8482\python310.dll

MD5 08812511e94ad9859492a8d19cafa63e
SHA1 492b9fefb9cc5c7f80681ebfa373d48b3a600747
SHA256 9742af9d1154293fa4c4fc50352430c22d56e8cdc99202c78533af182d96489c
SHA512 6f7e41f4e2f893841329ac62315809a59a8d01ca047cb5739eb7ac1294afd4de2754549f7b1f5f9affa3397e9de379c5f6396844fc4fab9328362566225ddb8e

memory/2516-87-0x000007FEF5A00000-0x000007FEF5E66000-memory.dmp