Malware Analysis Report

2025-01-22 13:46

Sample ID 240830-e8jntswgpg
Target FOXAUTO V8.zip
SHA256 6e9cab5ac9495c9799c87056bdf570dc36a2e03eab08703ed659cc7b8b35ac12
Tags
pyinstaller persistence njrat hacked defense_evasion evasion execution privilege_escalation trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6e9cab5ac9495c9799c87056bdf570dc36a2e03eab08703ed659cc7b8b35ac12

Threat Level: Known bad

The file FOXAUTO V8.zip was found to be: Known bad.

Malicious Activity Summary

pyinstaller persistence njrat hacked defense_evasion evasion execution privilege_escalation trojan

njRAT/Bladabindi

Command and Scripting Interpreter: PowerShell

Modifies Windows Firewall

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Hide Artifacts: Hidden Window

Detects Pyinstaller

Event Triggered Execution: Netsh Helper DLL

Unsigned PE

Enumerates physical storage devices

Kills process with taskkill

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-30 04:36

Signatures

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-30 04:36

Reported

2024-08-30 04:37

Platform

win7-20240705-en

Max time kernel

36s

Max time network

28s

Command Line

"C:\Users\Admin\AppData\Local\Temp\FOXAUTO V8\FoxAutoV8.exe"

Signatures

Adds Run key to start application

persistence
Description | Indicator | Process | Target | Events
Set value (str) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Corporation Security = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A | 2

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target | Events
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe | N/A | 2

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
(each parent/child pair below was recorded three times; the duplicate rows are collapsed)
PID 1460 wrote to memory of 2400 | N/A | C:\Users\Admin\AppData\Local\Temp\FOXAUTO V8\FoxAutoV8.exe | C:\Users\Admin\AppData\Local\Temp\Setup.exe
PID 1460 wrote to memory of 1988 | N/A | C:\Users\Admin\AppData\Local\Temp\FOXAUTO V8\FoxAutoV8.exe | C:\Users\Admin\AppData\Local\Temp\Setup.exe
PID 1460 wrote to memory of 2916 | N/A | C:\Users\Admin\AppData\Local\Temp\FOXAUTO V8\FoxAutoV8.exe | C:\Users\Admin\AppData\Local\Temp\FOXAUTO V8\FoxAutoV8 .exe
PID 1988 wrote to memory of 2736 | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
PID 2400 wrote to memory of 2680 | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
PID 2916 wrote to memory of 2920 | N/A | C:\Users\Admin\AppData\Local\Temp\FOXAUTO V8\FoxAutoV8 .exe | C:\Users\Admin\AppData\Local\Temp\FOXAUTO V8\FoxAutoV8 .exe

Processes

C:\Users\Admin\AppData\Local\Temp\FOXAUTO V8\FoxAutoV8.exe

"C:\Users\Admin\AppData\Local\Temp\FOXAUTO V8\FoxAutoV8.exe"

C:\Users\Admin\AppData\Local\Temp\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

C:\Users\Admin\AppData\Local\Temp\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

C:\Users\Admin\AppData\Local\Temp\FOXAUTO V8\FoxAutoV8 .exe

"C:\Users\Admin\AppData\Local\Temp\FOXAUTO V8\FoxAutoV8 .exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"

C:\Users\Admin\AppData\Local\Temp\FOXAUTO V8\FoxAutoV8 .exe

"C:\Users\Admin\AppData\Local\Temp\FOXAUTO V8\FoxAutoV8 .exe"

Network

Country | Destination | Domain | Proto | Events
US | 8.8.8.8:53 | proxy-cheap.blogspot.com | udp | 1
GB | 142.250.200.33:443 | proxy-cheap.blogspot.com | tcp | 2
US | 8.8.8.8:53 | amazonhost.thedreamsop.com | udp | 1
US | 107.180.41.239:80 | amazonhost.thedreamsop.com | tcp | 2

Files

memory/1460-0-0x000007FEF5F73000-0x000007FEF5F74000-memory.dmp

memory/1460-1-0x00000000002D0000-0x00000000013EA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Setup.exe

MD5 ee76425b767c9ab812a53c133b8363f8
SHA1 1daa4700a5f1849eb7e810986ac24bd58786da61
SHA256 f962e1a60673963b7c2fa51a0663260df63771dfbd7423af67c2d142f7245747
SHA512 004d1b4acc7084ba8c520d94032c19342228ed6346321b04641450f87a32f78a92212e3940e4cf0790af2e5640c6001e7c805dc99cf8f9a146d752b5ee117c3b

memory/2400-10-0x0000000000E90000-0x0000000000F08000-memory.dmp

\Users\Admin\AppData\Local\Temp\FOXAUTO V8\FoxAutoV8 .exe

MD5 0f2eea5fa223ff94ac2027f4c6c2d851
SHA1 83ebd61a8e21967c94a34a72926b641c5c07c321
SHA256 5bd88a3dc2360e1ea8dc2a5023a65b6fb59c81f3befebbb20c58ada689ecba84
SHA512 638f40fc75cf5bcd46a8a403b1c5aec8c4d4b64eea2e57d1123a2eb4e42abbee8f8ed621d61fe463e43074591f659181e7b9fbb382833abc30b01fad6b59996a

memory/1988-22-0x00000000002E0000-0x000000000030A000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.zip

MD5 d64c44bbca049d3f19402c195840c33f
SHA1 cd7b0eff352490ad82953ee5cb1314d1a5e6311d
SHA256 f6533a93d1fe59bfe49976a24c0c828ade9981d5e94d7882f2460b533c8c3843
SHA512 de7a1e074ee5dc56e1f01112a5f613dcd2ce1dfd1d7e72d464b46789e750eb286f79d5c4d801984239a4505314ab0221d1bb62d08ddc7961c34cd466b558780b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe

MD5 f36e535fdc82208fca08acfa44f790c6
SHA1 a3cc1aa7d614094faebada2aed1e6c519bd18c94
SHA256 51efbe235b492c7e99c480915c7eeecf85f5ee6d540189ee5aa54fe9f0fafcdc
SHA512 631db5246159e045ed6911867f25991ae8824951e608c2fef25bc48482271aeb3ad26f1c98a04b4cbbf431ce20ef027cacb4bf0b3d85e048885da2b709f3a9af

memory/2680-60-0x00000000001D0000-0x00000000001D8000-memory.dmp

memory/2680-54-0x00000000011C0000-0x0000000001216000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI29162\python310.dll

MD5 7e45e4d723e4775f6e26628315f370ad
SHA1 76a8104c5d073c6f7619872426d440bcabd18bb9
SHA256 7cc15b7440710f8fecaa67396b83436b3b2962e3757482dfbaf926ee74f86882
SHA512 4e11316ebbf6af953dcf991148cca98a155d48d4f8b5ee068f2bc7a56aa14c8a7661d52ecce9bc3c4aa5495868503b81010d81c4fe3a15fa789f13ce081c82fb

memory/2400-81-0x000007FEF5F70000-0x000007FEF695C000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe

MD5 794d834f4a9a70041b3cad4d0002030f
SHA1 facc1ed8ade82799866c8414406d80549c190a9b
SHA256 2ee18c24d8d7d58e740e3b12b8eacb747d2deb2139db95c4c9bb40930b40911b
SHA512 2b1a9d2a423c4ed1365b960fd706346620af4820312f67a177cf399bbf81d38acaf49830d21d3b7822072a2b1de08c028ca0855414ef7d0a53853d099736f565

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-30 04:36

Reported

2024-08-30 04:37

Platform

win10v2004-20240802-en

Max time kernel

43s

Max time network

44s

Command Line

"C:\Users\Admin\AppData\Local\Temp\FOXAUTO V8\FoxAutoV8.exe"

Signatures

njRAT/Bladabindi

trojan njrat

Modifies Windows Firewall

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SYSTEM32\netsh.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target | Events
Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A | 2
Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe | N/A | 2
Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe | N/A | 1
Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe | N/A | 1
Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\FOXAUTO V8\FoxAutoV8.exe | N/A | 1

Loads dropped DLL

Description | Indicator | Process | Target | Events
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FOXAUTO V8\FoxAutoV8 .exe | N/A | 21
(21 identical rows; the individual DLL paths are not recorded in this export)

Adds Run key to start application

persistence
Description | Indicator | Process | Target | Events
Set value (str) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Explorer = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe\" ." | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe | N/A | 1
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Explorer = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe\" ." | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe | N/A | 1
Set value (str) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Corporation Security = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A | 2

Hide Artifacts: Hidden Window

defense_evasion
Description | Indicator | Process | Target | Events
N/A | N/A | C:\Windows\System32\cmd.exe | N/A | 8
(one event per "cmd.exe /c PowerShell.exe -windowstyle hidden Add-Mppreference ..." launch listed under Processes below)

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description | Indicator | Process | Target
Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\SYSTEM32\netsh.exe | N/A
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\SYSTEM32\netsh.exe | N/A
Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\SYSTEM32\netsh.exe | N/A

Kills process with taskkill

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\taskkill.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target | Events
N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe | N/A | 64

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
(each parent/child pair below was recorded twice; the duplicate rows are collapsed)
PID 1408 wrote to memory of 1460 | N/A | C:\Users\Admin\AppData\Local\Temp\FOXAUTO V8\FoxAutoV8.exe | C:\Users\Admin\AppData\Local\Temp\Setup.exe
PID 1408 wrote to memory of 1640 | N/A | C:\Users\Admin\AppData\Local\Temp\FOXAUTO V8\FoxAutoV8.exe | C:\Users\Admin\AppData\Local\Temp\Setup.exe
PID 1408 wrote to memory of 2844 | N/A | C:\Users\Admin\AppData\Local\Temp\FOXAUTO V8\FoxAutoV8.exe | C:\Users\Admin\AppData\Local\Temp\FOXAUTO V8\FoxAutoV8 .exe
PID 1460 wrote to memory of 1040 | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
PID 1640 wrote to memory of 4920 | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
PID 2844 wrote to memory of 4068 | N/A | C:\Users\Admin\AppData\Local\Temp\FOXAUTO V8\FoxAutoV8 .exe | C:\Users\Admin\AppData\Local\Temp\FOXAUTO V8\FoxAutoV8 .exe
PID 1040 wrote to memory of 2028 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
PID 4920 wrote to memory of 3704 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
PID 2028 wrote to memory of 3804 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe | \??\c:\windows\system32\cmstp.exe
PID 4956 wrote to memory of 1068 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe | C:\Windows\System32\cmd.exe
PID 4956 wrote to memory of 3564 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe | C:\Windows\System32\cmd.exe
PID 4956 wrote to memory of 4860 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe | C:\Windows\System32\cmd.exe
PID 4956 wrote to memory of 3448 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe | C:\Windows\System32\cmd.exe
PID 4956 wrote to memory of 2228 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe | C:\Windows\System32\cmd.exe
PID 1068 wrote to memory of 3740 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4956 wrote to memory of 3456 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe | C:\Windows\System32\cmd.exe
PID 3564 wrote to memory of 4712 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4956 wrote to memory of 5104 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe | C:\Windows\System32\cmd.exe
PID 4956 wrote to memory of 4872 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe | C:\Windows\System32\cmd.exe
PID 2228 wrote to memory of 5044 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3448 wrote to memory of 3696 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4860 wrote to memory of 4300 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3456 wrote to memory of 4720 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5104 wrote to memory of 4668 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4872 wrote to memory of 1992 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3704 wrote to memory of 5328 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
PID 5328 wrote to memory of 6064 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe | C:\Windows\SYSTEM32\netsh.exe
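The WriteProcessMemory tables (behavioral1 above and this one) are flat lists of parent/child pairs with every call logged separately, which hides the actual execution chain: the PyInstaller-packed FoxAutoV8.exe starts two Setup.exe instances and a copy of itself, each Setup.exe starts Templates\svchost.exe (the binary the "Microsoft Corporation Security" Run key points to), that starts Templates\explorer.exe, and from there the chain reaches cmstp.exe, the Roaming\Microsoft\Windows\explorer.exe copy and finally netsh.exe; version.exe, whose parent is not in the table, drives the eight cmd.exe/PowerShell launches. The script below is an added example, not part of the sandbox report: it parses rows in this table's format (space-separated as exported, or with " | " column separators), de-duplicates edges while keeping the call count, prints the tree and gives the ancestry of any PID. The embedded rows are copied from this table; the one assumption is that the second path column always starts with a drive letter or the \??\ NT prefix, which holds for every row here.

```python
"""Rebuild the execution chain from the sandbox 'wrote to memory' rows.

Added example, not part of the sandbox report.  Each row names a parent
PID, a child PID, the parent image and the child image, and the sandbox
logs one row per WriteProcessMemory call, so the same pair repeats.
This script de-duplicates the edges, keeps the call count, prints the
tree and can give the ancestry of any PID of interest.
"""
import re
from collections import defaultdict

# The parent image is matched non-greedily up to the first token that
# starts like a Windows path (drive letter or the \??\ NT prefix): that
# is what separates the two path columns, which may contain spaces.
ROW = re.compile(
    r"^PID (\d+) wrote to memory of (\d+) N/A (.+?) "
    r"((?:[A-Za-z]:\\|\\\?\?\\).+)$"
)

# Rows copied from the behavioral2 table (one branch of each kind; the
# duplicated 1408 -> 1460 row is kept on purpose to show de-duplication).
SAMPLE_ROWS = r"""
PID 1408 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\FOXAUTO V8\FoxAutoV8.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe
PID 1408 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\FOXAUTO V8\FoxAutoV8.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe
PID 1408 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\FOXAUTO V8\FoxAutoV8.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe
PID 1408 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\FOXAUTO V8\FoxAutoV8.exe C:\Users\Admin\AppData\Local\Temp\FOXAUTO V8\FoxAutoV8 .exe
PID 1460 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
PID 1640 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
PID 1040 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
PID 4920 wrote to memory of 3704 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
PID 2028 wrote to memory of 3804 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe \??\c:\windows\system32\cmstp.exe
PID 3704 wrote to memory of 5328 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
PID 5328 wrote to memory of 6064 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe C:\Windows\SYSTEM32\netsh.exe
PID 4956 wrote to memory of 1068 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe C:\Windows\System32\cmd.exe
PID 1068 wrote to memory of 3740 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"""


def parse_rows(text):
    """Return ({(ppid, pid): call_count}, {pid: image_path})."""
    edges = defaultdict(int)
    image = {}
    for line in text.splitlines():
        line = line.strip().replace(" | ", " ")  # accept pipe-delimited rows too
        m = ROW.match(line)
        if not m:
            continue  # blank line or a row in another format
        ppid, pid = int(m.group(1)), int(m.group(2))
        edges[(ppid, pid)] += 1
        image.setdefault(ppid, m.group(3))
        image.setdefault(pid, m.group(4))
    return dict(edges), image


def build_tree(edges):
    """Return (root PIDs, {ppid: [(pid, call_count), ...]})."""
    children = defaultdict(list)
    for (ppid, pid), count in sorted(edges.items()):
        children[ppid].append((pid, count))
    child_pids = {pid for _, pid in edges}
    roots = sorted({ppid for ppid, _ in edges} - child_pids)
    return roots, dict(children)


def ancestry(pid, edges):
    """Parent links from pid up to its root, root first; the 'seen' set
    guards against PID reuse producing a cycle."""
    parent = {child: ppid for (ppid, child) in edges}
    chain, seen = [pid], {pid}
    while chain[-1] in parent and parent[chain[-1]] not in seen:
        chain.append(parent[chain[-1]])
        seen.add(chain[-1])
    return chain[::-1]


def render(roots, children, image):
    """Indented text tree, one line per process, with write counts."""
    lines = []

    def walk(pid, depth, count):
        note = f"  [{count} write(s)]" if count else ""
        lines.append("  " * depth + f"{pid}  {image[pid]}{note}")
        for child, n in children.get(pid, []):
            walk(child, depth + 1, n)

    for root in roots:
        walk(root, 0, 0)
    return lines


if __name__ == "__main__":
    edges, image = parse_rows(SAMPLE_ROWS)
    roots, children = build_tree(edges)
    print("\n".join(render(roots, children, image)))
    print("netsh.exe ancestry:", " -> ".join(map(str, ancestry(6064, edges))))
```

Two roots come out of the table: 1408 (the submitted FoxAutoV8.exe) and 4956 (version.exe), whose own parent the sandbox did not record as a WriteProcessMemory edge, so the link between the two branches has to come from file-write or CreateProcess telemetry rather than this table.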

Processes

C:\Users\Admin\AppData\Local\Temp\FOXAUTO V8\FoxAutoV8.exe

"C:\Users\Admin\AppData\Local\Temp\FOXAUTO V8\FoxAutoV8.exe"

C:\Users\Admin\AppData\Local\Temp\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

C:\Users\Admin\AppData\Local\Temp\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

C:\Users\Admin\AppData\Local\Temp\FOXAUTO V8\FoxAutoV8 .exe

"C:\Users\Admin\AppData\Local\Temp\FOXAUTO V8\FoxAutoV8 .exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"

C:\Users\Admin\AppData\Local\Temp\FOXAUTO V8\FoxAutoV8 .exe

"C:\Users\Admin\AppData\Local\Temp\FOXAUTO V8\FoxAutoV8 .exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"

\??\c:\windows\system32\cmstp.exe

"c:\windows\system32\cmstp.exe" /au C:\Users\Admin\AppData\Local\Temp\0gdesoe3.inf

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cortana.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\OneDrive.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SystemSettings.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Taskmgr.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cortana.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\msedge.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\SystemSettingsBroker.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SystemSettings.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe

C:\Windows\system32\taskkill.exe

taskkill /IM cmstp.exe /F

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\OneDrive.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Taskmgr.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\msedge.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\SystemSettingsBroker.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe"

C:\Windows\SYSTEM32\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe" "explorer.exe" ENABLE
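Detection logic for the process tree recorded above, added here as an example and not part of the sandbox output. It runs over the report's own command lines (copied verbatim, plus one constructed benign control where an admin excludes a vendor folder) and tags the four things that make this tree worth alerting on: a Defender exclusion pointing into a user-writable path, the hidden PowerShell window, the netsh allow-list entry for a binary under AppData, and the forced kill of cmstp.exe. The {"image", "cmdline"} event shape is an assumption for illustration, not a real Sysmon or 4688 schema, and the tag names are this example's own.

```python
"""Command-line detections for the process tree recorded above.

SAMPLE_EVENTS holds the report's command lines plus one constructed benign
control. The event dict shape and tag names are assumptions for illustration."""
import re

# Locations a non-admin user can write to. An exclusion or firewall
# allow-list entry that points here is the signal worth alerting on.
USER_WRITABLE = re.compile(
    r"(?i)\\Users\\[^\\]+\\AppData\\|\\ProgramData\\|\\Users\\Public\\|\\Temp\\")

# PowerShell cmdlet names are case-insensitive, so the report's
# "Add-Mppreference" spelling matches as well as the canonical one.
EXCLUSION_RE = re.compile(
    r'(?i)Add-MpPreference\s+.*?-Exclusion(Path|Process|Extension)\s+("[^"]+"|\S+)')
# -WindowStyle accepts any unambiguous prefix (-w, -win, ...).
HIDDEN_RE = re.compile(r"(?i)-w[indowstyle]*\s+hidden")
# Legacy "netsh firewall add allowedprogram <path>" and the
# "netsh advfirewall firewall add rule ... program=<path>" form.
NETSH_RE = re.compile(
    r'(?i)netsh\s+(?:advfirewall\s+firewall\s+add\s+rule.*?program=|'
    r'firewall\s+add\s+allowedprogram\s+)("[^"]+"|\S+)')
TASKKILL_RE = re.compile(r"(?i)\btaskkill\b.*\s/F\b")
IMAGE_RE = re.compile(r"(?i)/IM\s+(\S+)")

SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden '
                r'Add-Mppreference -ExclusionPath '
                r'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe'},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath "
                r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe"},
    {"image": r"C:\Windows\system32\taskkill.exe",
     "cmdline": r"taskkill /IM cmstp.exe /F"},
    {"image": r"C:\Windows\SYSTEM32\netsh.exe",
     "cmdline": r'netsh firewall add allowedprogram '
                r'"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe" "explorer.exe" ENABLE'},
    # Constructed benign control: an exclusion under Program Files should
    # still be recorded, but not with the user-writable tag.
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe Add-MpPreference -ExclusionPath "C:\Program Files\Vendor\App"'},
]


def analyze(event):
    """Return the technique tags triggered by one event, in a fixed order."""
    cmd = event["cmdline"]
    tags = []
    m = EXCLUSION_RE.search(cmd)
    if m:
        target = m.group(2).strip('"')
        tags.append("defender_exclusion_user_writable"
                    if USER_WRITABLE.search(target) else "defender_exclusion")
    if HIDDEN_RE.search(cmd):
        tags.append("hidden_window")
    m = NETSH_RE.search(cmd)
    if m:
        target = m.group(1).strip('"')
        tags.append("firewall_allow_user_writable"
                    if USER_WRITABLE.search(target) else "firewall_allow")
    if TASKKILL_RE.search(cmd):
        im = IMAGE_RE.search(cmd)
        tags.append("forced_kill:" + (im.group(1) if im else "?"))
    return tags


def triage(events):
    """Keep only events that raised at least one tag, preserving order."""
    out = []
    for e in events:
        tags = analyze(e)
        if tags:
            out.append((e["image"], tags))
    return out


if __name__ == "__main__":
    for image, tags in triage(SAMPLE_EVENTS):
        print(f"{image}\n    {', '.join(tags)}")
```

In practice the user-writable tag is what separates this tree from routine administration: the benign control still surfaces as defender_exclusion, so a rule built on this would alert on the AppData variants and merely log the Program Files one.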

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 proxy-cheap.blogspot.com udp
GB 142.250.200.33:443 proxy-cheap.blogspot.com tcp
GB 142.250.200.33:443 proxy-cheap.blogspot.com tcp
US 8.8.8.8:53 amazonhost.thedreamsop.com udp
US 107.180.41.239:80 amazonhost.thedreamsop.com tcp
US 107.180.41.239:80 amazonhost.thedreamsop.com tcp
US 8.8.8.8:53 33.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 239.41.180.107.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 45.19.74.20.in-addr.arpa udp
US 8.8.8.8:53 dlvcrecoveryfirst.com udp
US 8.8.8.8:53 youfox.co udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 acpanel.hackcrack.io udp
US 147.124.205.158:16164 acpanel.hackcrack.io tcp
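The network table above reduced to an indicator list, as an added example that is not part of the report. It parses a subset of the rows verbatim in the report's own column order (country, destination, domain, protocol), treats the UDP/53 rows to 8.8.8.8 as resolver queries rather than connections (an assumption about the sandbox's resolver), turns the in-addr.arpa names back into the addresses that were reverse-looked-up, deduplicates repeated connections, lists domains that were queried but never connected to, and flags TCP sessions to ports other than 80 and 443. That last rule is what makes 147.124.205.158:16164 (acpanel.hackcrack.io) stand out from the rest of the traffic; the choice of 80 and 443 as the only standard ports is this example's own.

```python
"""Indicator extraction from the sandbox network table above.

NETWORK_ROWS is a verbatim subset of the report's rows. Treating 8.8.8.8 as
the sandbox resolver and 80/443 as the only standard ports are assumptions."""
import ipaddress

NETWORK_ROWS = """\
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 proxy-cheap.blogspot.com udp
GB 142.250.200.33:443 proxy-cheap.blogspot.com tcp
GB 142.250.200.33:443 proxy-cheap.blogspot.com tcp
US 8.8.8.8:53 amazonhost.thedreamsop.com udp
US 107.180.41.239:80 amazonhost.thedreamsop.com tcp
US 107.180.41.239:80 amazonhost.thedreamsop.com tcp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 dlvcrecoveryfirst.com udp
US 8.8.8.8:53 youfox.co udp
US 8.8.8.8:53 acpanel.hackcrack.io udp
US 147.124.205.158:16164 acpanel.hackcrack.io tcp
"""

RESOLVERS = {"8.8.8.8"}        # assumption: the sandbox's upstream DNS
STANDARD_PORTS = {80, 443}     # assumption: anything else gets flagged
PTR_SUFFIX = ".in-addr.arpa"


def ptr_target(name):
    """'209.205.72.20.in-addr.arpa' -> '20.72.205.209' (the address looked up)."""
    octets = name[: -len(PTR_SUFFIX)].split(".")
    return ".".join(reversed(octets))


def extract_iocs(table_text):
    """Split the table into DNS queries, PTR lookups and unique connections."""
    dns_queries, ptr_lookups, connections, seen = set(), set(), [], set()
    for line in table_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue                      # header or malformed row
        _country, dest, domain, proto = parts
        ip, port = dest.rsplit(":", 1)
        try:
            ipaddress.ip_address(ip)
            port = int(port)
        except ValueError:
            continue
        if proto == "udp" and port == 53 and ip in RESOLVERS:
            if domain.endswith(PTR_SUFFIX):
                ptr_lookups.add(ptr_target(domain))
            else:
                dns_queries.add(domain)
            continue
        key = (ip, port, domain, proto)
        if key not in seen:               # the report repeats identical rows
            seen.add(key)
            connections.append(key)
    connected = {d for _, _, d, _ in connections}
    return {
        "dns_queries": sorted(dns_queries),
        "ptr_lookups": sorted(ptr_lookups),
        "connections": connections,
        # Resolved but never contacted: NXDOMAIN, sinkholed, or not yet used.
        "queried_only": sorted(dns_queries - connected),
        "nonstandard_port": [(ip, port, d) for ip, port, d, proto in connections
                             if proto == "tcp" and port not in STANDARD_PORTS],
    }


if __name__ == "__main__":
    for k, v in extract_iocs(NETWORK_ROWS).items():
        print(k, v)
```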

Files

memory/1408-0-0x00007FFDB7253000-0x00007FFDB7255000-memory.dmp

memory/1408-1-0x0000000000260000-0x000000000137A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Setup.exe

MD5 ee76425b767c9ab812a53c133b8363f8
SHA1 1daa4700a5f1849eb7e810986ac24bd58786da61
SHA256 f962e1a60673963b7c2fa51a0663260df63771dfbd7423af67c2d142f7245747
SHA512 004d1b4acc7084ba8c520d94032c19342228ed6346321b04641450f87a32f78a92212e3940e4cf0790af2e5640c6001e7c805dc99cf8f9a146d752b5ee117c3b

memory/1460-14-0x0000000000430000-0x00000000004A8000-memory.dmp

memory/1460-15-0x0000000000C40000-0x0000000000C6A000-memory.dmp

memory/1460-17-0x00007FFDB7250000-0x00007FFDB7D11000-memory.dmp

memory/1460-18-0x00007FFDB7250000-0x00007FFDB7D11000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FOXAUTO V8\FoxAutoV8 .exe

MD5 0f2eea5fa223ff94ac2027f4c6c2d851
SHA1 83ebd61a8e21967c94a34a72926b641c5c07c321
SHA256 5bd88a3dc2360e1ea8dc2a5023a65b6fb59c81f3befebbb20c58ada689ecba84
SHA512 638f40fc75cf5bcd46a8a403b1c5aec8c4d4b64eea2e57d1123a2eb4e42abbee8f8ed621d61fe463e43074591f659181e7b9fbb382833abc30b01fad6b59996a

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe

MD5 f36e535fdc82208fca08acfa44f790c6
SHA1 a3cc1aa7d614094faebada2aed1e6c519bd18c94
SHA256 51efbe235b492c7e99c480915c7eeecf85f5ee6d540189ee5aa54fe9f0fafcdc
SHA512 631db5246159e045ed6911867f25991ae8824951e608c2fef25bc48482271aeb3ad26f1c98a04b4cbbf431ce20ef027cacb4bf0b3d85e048885da2b709f3a9af

memory/1040-58-0x000000001B930000-0x000000001B938000-memory.dmp

memory/1460-65-0x00007FFDB7250000-0x00007FFDB7D11000-memory.dmp

memory/1040-43-0x0000000000C60000-0x0000000000CB6000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Setup.exe.log

MD5 7ca69c3a50dd1e107b36424371d545aa
SHA1 af96b7133f339588b8de9e29be762dd8fbe2da08
SHA256 fb56bfa6682034270cd833c70e9ab03a606372aef15b2e305da0318873394664
SHA512 bf3b5a590335e671cd44f244bf20fc30028a56c55f69f4f8b0a46aba787b248c343391998ed5267b5ca9aa0075697e169056120c18837ddc3ca97c5ace83c6fd

C:\Users\Admin\AppData\Local\Temp\_MEI28442\python310.dll

MD5 7e45e4d723e4775f6e26628315f370ad
SHA1 76a8104c5d073c6f7619872426d440bcabd18bb9
SHA256 7cc15b7440710f8fecaa67396b83436b3b2962e3757482dfbaf926ee74f86882
SHA512 4e11316ebbf6af953dcf991148cca98a155d48d4f8b5ee068f2bc7a56aa14c8a7661d52ecce9bc3c4aa5495868503b81010d81c4fe3a15fa789f13ce081c82fb

C:\Users\Admin\AppData\Local\Temp\_MEI28442\VCRUNTIME140.dll

MD5 a87575e7cf8967e481241f13940ee4f7
SHA1 879098b8a353a39e16c79e6479195d43ce98629e
SHA256 ded5adaa94341e6c62aea03845762591666381dca30eb7c17261dd154121b83e
SHA512 e112f267ae4c9a592d0dd2a19b50187eb13e25f23ded74c2e6ccde458bcdaee99f4e3e0a00baf0e3362167ae7b7fe4f96ecbcd265cc584c1c3a4d1ac316e92f0

C:\Users\Admin\AppData\Local\Temp\_MEI28442\base_library.zip

MD5 f002a5b9ddb1156f6913da74a9d6ae39
SHA1 792d6e4f8d8c50148c035f6bdb6a8e9d9411ebd2
SHA256 c0feec51e98bd92409ae650763440dca90cc58f29236c70b20e1210dfb58f843
SHA512 cd5978b57efd4b3be708f2ebbb79d2654b17c0cdeaf5f70ce8e45fb0826b5aadd26fd820cadaabe0f41ada7a1771bd0b054edfa7f478d596b568573867d47530

C:\Users\Admin\AppData\Local\Temp\_MEI28442\libffi-7.dll

MD5 eef7981412be8ea459064d3090f4b3aa
SHA1 c60da4830ce27afc234b3c3014c583f7f0a5a925
SHA256 f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081
SHA512 dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

C:\Users\Admin\AppData\Local\Temp\_MEI28442\_ctypes.pyd

MD5 b754feac42b118dbeb2d005bcf8036e3
SHA1 c48d63eea9868ed2f071e8baeb8faa7d323b48d9
SHA256 e880e94d0035bcca283a071bd5f18024d247564c2c68f41b381270eae08e1f7c
SHA512 1f6212e63bcfe562dcf611c8bd794318e76f702483cfd039062dddb0356742776d3efce96196b820a7c06208a35f4bb12cfa27996a9dc7d4e549912c9b9cb8f1

C:\Users\Admin\AppData\Local\Temp\_MEI28442\_socket.pyd

MD5 b85ad6a94540aa911f19c325e5930963
SHA1 3237b849265802124197a48c84bf320612e1197e
SHA256 7dadd3b369db35cd752e11c901a7f77329cdfb9bf027120e224446453a1463a2
SHA512 c9675e4b994ade44828c7f2d5e8e0085c09abc83a08ea4716aebf2aca93ab3c4b9478228247945ebb5fe8ffffb109568d862419e61e1776410c2bb61db8562f9

C:\Users\Admin\AppData\Local\Temp\_MEI28442\libssl-1_1.dll

MD5 de72697933d7673279fb85fd48d1a4dd
SHA1 085fd4c6fb6d89ffcc9b2741947b74f0766fc383
SHA256 ed1c8769f5096afd000fc730a37b11177fcf90890345071ab7fbceac684d571f
SHA512 0fd4678c65da181d7c27b19056d5ab0e5dd0e9714e9606e524cdad9e46ec4d0b35fe22d594282309f718b30e065f6896674d3edce6b3b0c8eb637a3680715c2c

C:\Users\Admin\AppData\Local\Temp\_MEI28442\_hashlib.pyd

MD5 4b4e3c144d07513be4c724741df080b7
SHA1 ee07182142982134237df15afd94c4034573bc6a
SHA256 0b2e389a4aaf10cde846629171926c87ff2d39e13bdfd2dc2a97b17f0cda659e
SHA512 b7e0399d0c855dee1a64bb50e72b278438c1cd59df7c78fa243e755eaa0d06172e6446f5bc4e8157603d91cea094246cabdfd7635a6885eb8b2967b90cc6a0fb

C:\Users\Admin\AppData\Local\Temp\_MEI28442\_queue.pyd

MD5 f19d04c23de0358b3fc042dc5a5b1809
SHA1 06bcdeebe51c8b273fb8f145b8a4cacdff944118
SHA256 c05c38143268b736c494611af451cc50e26c558c58a71e625ab82f1c700799e8
SHA512 65b7b03008c8b9619b78a93ad172efd5ce72fbab1f2a51caaec47a6823773e28fa18bad7bb3df9f7a2165b40a2effd1b06048aaff00125ff6e36c7fc65a59f4b

C:\Users\Admin\AppData\Local\Temp\_MEI28442\unicodedata.pyd

MD5 686beb1c76bce6bff2985da9acc8aa53
SHA1 b3c8feba2d45ae77dee5aca599c9f29df15e0e93
SHA256 2350440b5db37cad0fbf65b4eea4f9254870d041436209eae5ae7012844615db
SHA512 ad2c42de8ca1d754f2ae5f206b1235fd412c1591475897459122115a12f5559c54ccb668308bbdd45c887e13f83116bea6e72e804e1c40014165e43d2beb581e

C:\Users\Admin\AppData\Local\Temp\_MEI28442\_lzma.pyd

MD5 28cb83c31e2bc5cdb02091196d8cc249
SHA1 b8a22821889fd85cf1f332639e5ee7befad56823
SHA256 86ff13abf066184cb9a272541baf4e6b673d33643e104113e343876c65ec923e
SHA512 5299f35455050f431c8d7704c36c54adf2dfa6505fc5446bc98555739c648d4c245251f9edce43d87446470f85f44d281e58643bbfe99d0c872d1f775761c28c

C:\Users\Admin\AppData\Local\Temp\_MEI28442\_bz2.pyd

MD5 f25a6086f553912823debfac50022783
SHA1 e7aa566b85990bc538b56cdea4b167675fe4d6f5
SHA256 460ba09fe832a852be740473343017321d3d1104d80896cd4b6e9c144c72433b
SHA512 841f3f5d13dd77ed9576f7dc4f944b45ee3113a77e2fa82711098829f7dec0bd2dc303bc07953dd08397cf4051cb2bd03c80a6c9c18af6708f20fdfa9e4d0443

C:\Users\Admin\AppData\Local\Temp\_MEI28442\charset_normalizer\md__mypyc.cp310-win_amd64.pyd

MD5 c6c87fc7bd7555026bb1738857066cff
SHA1 3c89dcbc228a7b689860545495f7a081721c5a12
SHA256 1a6961fd249dbb3a9ccc903fe5ec4631616594edefb19db423fb488b3dba619a
SHA512 63d5b76830d17f90c7d846c8481fac33d86cf1e606d4e33cbe5af868b41d35e7c8c95b93906258d1954809d13a46036fabad093a8693bd29121c020f743faeaa

C:\Users\Admin\AppData\Local\Temp\_MEI28442\charset_normalizer\md.cp310-win_amd64.pyd

MD5 0e2a2addd0d5b21193dbaae162604181
SHA1 526b25822b2571307fe8d4208c83227c0c64cb10
SHA256 ab0a8fd8f085766a2a7001380e6ee219d5ae68d0194498eeb8d3866f922fbcae
SHA512 6e0f0fa11fff0853e4063f5e1a526936cd682303f94b13da0bd4fb6b2da5efdbb3acb378951508ee3a2dea7f7e2c1d6f968e00ae63d1b6063cc2ad932a3856e9

C:\Users\Admin\AppData\Local\Temp\_MEI28442\libcrypto-1_1.dll

MD5 ab01c808bed8164133e5279595437d3d
SHA1 0f512756a8db22576ec2e20cf0cafec7786fb12b
SHA256 9c0a0a11629cced6a064932e95a0158ee936739d75a56338702fed97cb0bad55
SHA512 4043cda02f6950abdc47413cfd8a0ba5c462f16bcd4f339f9f5a690823f4d0916478cab5cae81a3d5b03a8a196e17a716b06afee3f92dec3102e3bbc674774f2

C:\Users\Admin\AppData\Local\Temp\_MEI28442\_ssl.pyd

MD5 f540e92976041ff33b224e50bef20126
SHA1 e77f0afb4cb8aea2fd18c3c8e4ac3efdc9101b8b
SHA256 f1377098d32690a8a62c275bf0581417e9f179dfe97671eb98fc4bf565daddca
SHA512 277ad1284ec41d2a063d254453ffe3c11a968e4afb7f03dc10d4a01fa22b4a57e5874d1b3cd59db9c65fbf28e2d47da754676fdfe6a0ada0e2e04e62f8b4e7d2

C:\Users\Admin\AppData\Local\Temp\_MEI28442\select.pyd

MD5 a67a37cd1f39e95ced02b6f3e7a0c17c
SHA1 4c261ca2e826b9ec54ecae706545206f5b6c5f72
SHA256 f060ecc836852323d69d9fed9457528de58a841ad1d48130863f9a0a917014fb
SHA512 409290b6b40c27e3bdcd95675fa002fdff6dcb3f4c734521c350373e6d4f634dc7c02f67d060607d14e2c4b91f17dea6ffa415c33e167c3cfaf1d84ff5d65a31

C:\Users\Admin\AppData\Local\Temp\_MEI28442\python3.dll

MD5 f5cb0f83f8a825d4bedcddae9d730804
SHA1 07385f55b69660b8abc197cfab7580072da320ea
SHA256 a62a9c7966cf614b3083740dc856ca9a1151ddcc0b110ebc3494799511ed392b
SHA512 2bfa35eb4b8fff821b4504eccad94ed8591ef42e0cdb39a18458395789508b4d2da76f0de3708d963c3187b8b1ced66b37c66834f17eeca0ceb45a62b3a69974

C:\Users\Admin\AppData\Local\Temp\_MEI28442\_decimal.pyd

MD5 34c83e4a5ef95e9722b7758259c1d9d8
SHA1 75537cafb06d0f8fdaeff73e0b9c56522421d062
SHA256 ebf380f395b1db8d305d65b8568d91790b234a0e0650f27b645d299ff305bb03
SHA512 fb0eae45691489b353f28423565c749546a5854b6186bd245ce1924a46d5233eba6d4beeca86631f9227be19c572a971a2f2f26ae130b5a45184b5817075ade4

C:\Users\Admin\AppData\Local\Temp\_MEI28442\_uuid.pyd

MD5 0d98febeb51ac1ccf107ae166aec31b9
SHA1 ec5bb535f505c96c326bc93229ba90e7e00045e5
SHA256 59b4d0b9c0390a402cbb2b174be4c425a3b63abaf7d4af8ec0e330296d531cdc
SHA512 2440b094b41e207a221024f0c12d92197a577efc031deea272612e92828bf999a9089389afac8ca3d7f495e6bcc4e41123ec98dcf09cf000a50735b084422fb1

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.zip

MD5 c4e46c34047251d044082214f6c98e43
SHA1 f8a878adb7ccc995201849ea5399ea3ece227b54
SHA256 1c8b4c860f47344463708b975441129a37d64741810c5814f057d1b0108207ba
SHA512 dc320b161eb9e612501af389c8e9551b42c496e8cb05c3584d2f73d23f7231b42488186e1ebeeb0c0734390aa1a9bb166b2483f2c2109806ea5cb7617c790956

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe

MD5 794d834f4a9a70041b3cad4d0002030f
SHA1 facc1ed8ade82799866c8414406d80549c190a9b
SHA256 2ee18c24d8d7d58e740e3b12b8eacb747d2deb2139db95c4c9bb40930b40911b
SHA512 2b1a9d2a423c4ed1365b960fd706346620af4820312f67a177cf399bbf81d38acaf49830d21d3b7822072a2b1de08c028ca0855414ef7d0a53853d099736f565

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost.exe.log

MD5 cafd74774ee92e32d33d986aa1d02887
SHA1 4eba3d811e150ea0e03193916820ceb1353d7d3a
SHA256 a9a2445fa2c7695be72695fb46f2d5fbb7106691d7840d454fac2b91ddd014b0
SHA512 27baef4953ca7ffd10dfc22d6ee2e6b961c1c08aa2a9813737afb4a265bfa9dfa56d577b20b0aefa84c157ab8fbc3fc4a7456c4e5093dd480f22c3fbdef30bf6

memory/3704-149-0x000000001B850000-0x000000001B8F6000-memory.dmp

memory/2028-152-0x000000001C8B0000-0x000000001CD7E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0gdesoe3.inf

MD5 6f1420f2133f3e08fd8cdea0e1f5fe27
SHA1 3aa41ec75adc0cf50e001ca91bbfa7f763adf70b
SHA256 aed1ac2424a255f231168bcb02f16b6ea89603e0045465c2149abcde33a06242
SHA512 d5629e9835f881cd271e88d9ec2d2c27b9d5d1b25329ade5cfb9824a6358c9e98e66f1b89ac9459b4c540c02af2728129dd8523bdf007cadf28b5fa2d199a2aa

memory/3704-155-0x0000000000C80000-0x0000000000C8C000-memory.dmp

memory/2028-156-0x000000001BE40000-0x000000001BEDC000-memory.dmp

memory/2028-157-0x0000000001680000-0x0000000001688000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe

MD5 c9ee90b6246b82685a26af067eada50c
SHA1 247dcdc29bdf134535c0142bc22a0a15e1033c28
SHA256 d9402ee82fb2cfc8965666cf3157bdf39547838814189106d565541522b8335e
SHA512 de676e0a7af1e59e2fd25393a976223414e6ee378f2607a409a00b37283800bacff0fd4393fca4cc53bbe1915ed46f775557a61134281aecbc27f9d98f66bb28

memory/4712-166-0x000001D3D2C60000-0x000001D3D2C82000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cbl33qbp.u0i.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d28a889fd956d5cb3accfbaf1143eb6f
SHA1 157ba54b365341f8ff06707d996b3635da8446f7
SHA256 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA512 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 77d622bb1a5b250869a3238b9bc1402b
SHA1 d47f4003c2554b9dfc4c16f22460b331886b191b
SHA256 f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
SHA512 d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9
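A triage pass over the Files list above, added as an example and not taken from the report. It parses the path-then-hashes blocks in the report's own layout (a verbatim subset of the entries, with the SHA512 lines left out for brevity; memory dump lines are skipped), checks that each hash has the right hex length before it is reused as an indicator, and tags each dropped file with three rules: a well-known Windows binary name sitting outside its expected install location (svchost.exe and explorer.exe under AppData\Roaming\Microsoft\Windows\Templates), a PyInstaller one-file extraction directory (_MEI followed by digits, the same artefact behind the report's Detects Pyinstaller signature), and an executable written anywhere under the user profile. The name list, the expected locations and the tag names are this example's assumptions; OneDrive.exe is exempted from the masquerade rule under its per-user install path because that is where Microsoft installs it.

```python
"""Dropped-file triage over the Files list recorded above.

FILES_TEXT is a verbatim subset of the report (SHA512 lines omitted). The
name list, expected locations and tag names are this example's assumptions."""
import re

FILES_TEXT = """\
memory/1408-0-0x00007FFDB7253000-0x00007FFDB7255000-memory.dmp

C:\\Users\\Admin\\AppData\\Local\\Temp\\Setup.exe

MD5 ee76425b767c9ab812a53c133b8363f8
SHA1 1daa4700a5f1849eb7e810986ac24bd58786da61
SHA256 f962e1a60673963b7c2fa51a0663260df63771dfbd7423af67c2d142f7245747

C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\svchost.exe

MD5 f36e535fdc82208fca08acfa44f790c6
SHA1 a3cc1aa7d614094faebada2aed1e6c519bd18c94
SHA256 51efbe235b492c7e99c480915c7eeecf85f5ee6d540189ee5aa54fe9f0fafcdc

C:\\Users\\Admin\\AppData\\Local\\Microsoft\\CLR_v4.0\\UsageLogs\\Setup.exe.log

MD5 7ca69c3a50dd1e107b36424371d545aa
SHA1 af96b7133f339588b8de9e29be762dd8fbe2da08
SHA256 fb56bfa6682034270cd833c70e9ab03a606372aef15b2e305da0318873394664

C:\\Users\\Admin\\AppData\\Local\\Temp\\_MEI28442\\python310.dll

MD5 7e45e4d723e4775f6e26628315f370ad
SHA1 76a8104c5d073c6f7619872426d440bcabd18bb9
SHA256 7cc15b7440710f8fecaa67396b83436b3b2962e3757482dfbaf926ee74f86882

C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\explorer.exe

MD5 794d834f4a9a70041b3cad4d0002030f
SHA1 facc1ed8ade82799866c8414406d80549c190a9b
SHA256 2ee18c24d8d7d58e740e3b12b8eacb747d2deb2139db95c4c9bb40930b40911b
"""

# Windows binary names this sample reuses for its dropped copies (assumed list).
SYSTEM_NAMES = {"svchost.exe", "explorer.exe", "taskmgr.exe", "systemsettings.exe",
                "systemsettingsbroker.exe", "cortana.exe", "msedge.exe",
                "onedrive.exe", "cmstp.exe"}
# Where those names are legitimately found. OneDrive.exe installs per-user.
EXPECTED_LOCATIONS = [
    re.compile(r"(?i)^c:\\windows\\"),
    re.compile(r"(?i)^c:\\program files( \(x86\))?\\"),
    re.compile(r"(?i)^c:\\users\\[^\\]+\\appdata\\local\\microsoft\\onedrive\\"),
]
MEI_RE = re.compile(r"(?i)\\_MEI\d+\\")            # PyInstaller one-file extraction dir
USER_PROFILE_EXE = re.compile(r"(?i)^c:\\users\\[^\\]+\\.*\.exe$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
HASH_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}


def parse_files(text):
    """Turn 'path / MD5 / SHA1 / ...' blocks into dicts; skip memory dumps."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("memory/"):
            continue
        m = HASH_RE.match(line)
        if m and cur is not None:
            cur[m.group(1).lower()] = m.group(2).lower()
        else:
            cur = {"path": line}
            entries.append(cur)
    return entries


def hashes_ok(entry):
    """True when every recorded hash has the hex length its algorithm demands."""
    return all(len(entry[k]) == n for k, n in HASH_LEN.items() if k in entry)


def assess(entry):
    """Tags for one dropped file, in a fixed order."""
    path = entry["path"]
    name = path.rsplit("\\", 1)[-1].lower()
    tags = []
    if name in SYSTEM_NAMES and not any(r.match(path) for r in EXPECTED_LOCATIONS):
        tags.append("masquerade:" + name)
    if MEI_RE.search(path):
        tags.append("pyinstaller_bundle")
    if USER_PROFILE_EXE.match(path):
        tags.append("exe_in_user_profile")
    return tags


def ioc_rows(entries):
    """(path, sha256) for every tagged entry with well-formed hashes."""
    return [(e["path"], e.get("sha256")) for e in entries if assess(e) and hashes_ok(e)]


if __name__ == "__main__":
    for e in parse_files(FILES_TEXT):
        print(e["path"], assess(e))
```

The PyInstaller tag alone is not malicious (any one-file Python program unpacks to _MEIxxxxx), which is why it is kept separate from the masquerade tag rather than folded into one score.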