Analysis Overview
SHA256
7382e6823dc5b6f0ae9b4a67f30a6fe8dc400dfa95278ec647d06e6550ada24e
Threat Level: Known bad
The file broadcom5.exe was found to be: Known bad.
Malicious Activity Summary
Lumma Stealer, LummaC
CryptBot
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Reads user/profile data of web browsers
Looks up external IP address via web service
Checks installed software on the system
Suspicious use of SetThreadContext
Unsigned PE
Detects Pyinstaller
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Checks processor information in registry
Modifies registry class
Kills process with taskkill
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-09 07:29
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-09 07:29
Reported
2024-09-09 07:32
Platform
win7-20240903-en
Max time kernel
117s
Max time network
118s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\build_5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\build_5.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\build_5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\build_5.exe | N/A |
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX0\build_5.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX0\build_5.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\broadcom5.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\broadcom5.exe | "C:\Users\Admin\AppData\Local\Temp\broadcom5.exe" |
| C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\run.vbs" |
| C:\Users\Admin\AppData\Local\Temp\RarSFX0\build_5.exe | "C:\Users\Admin\AppData\Local\Temp\RarSFX0\build_5.exe" |
| C:\Users\Admin\AppData\Local\Temp\RarSFX0\build_5.exe | "C:\Users\Admin\AppData\Local\Temp\RarSFX0\build_5.exe" |
Network
Files
C:\Users\Admin\AppData\Local\Temp\RarSFX0\run.vbs
| MD5 | 5bbb490df19cbff919dc8338db84f363 |
| SHA1 | 1acb4bdbd0ff2b9c38613191c5f11e4ae35156c2 |
| SHA256 | 738a9b1cd2c12511e87076fefbfe39aff55278ed86b3cc32fb968078cc6e6a03 |
| SHA512 | 6b1ccd500347c13ac37f5b214db7717d35879cc6d4c909b7b8ecb7ce54e1cfe8b6d0202afe5edc77721f08e4f94291e8ae97abfb77cb8e758f15a62c6054d40f |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\build_5.exe
| MD5 | 489841193bb17bed86528363199e802d |
| SHA1 | b21527944d7f543b568aedbbe9833ffdb621b06a |
| SHA256 | 9e551b2304a6d8b72f38080a717d35900365dda5ce2aea2f2b14e90eba59cd7f |
| SHA512 | 85c250271c44ccafd753495356a9a1bd8d940a8c3443c51e1d8d1fbe1d79ab39226e9e18402b088ec340b05f45e0caeb8a2f7c195479e3b5e9cdbd23260405df |
C:\Users\Admin\AppData\Local\Temp\_MEI24082\python312.dll
| MD5 | 0eac9fa387647c388fab4239bfe5a0b5 |
| SHA1 | fafb679a58b8d85b50af18a4c0a7402fa890ee39 |
| SHA256 | 65900b1bc22af5bb974385f7f2a8742ffd12860010cbe0aedb62ff5598998414 |
| SHA512 | 70042322b98681c73f83f05e03f61a8ad985944cf07633653706c9b87be738e6698099f40328058ee80d4063f8e85aba7c674c3af079cf082376fb1dc9005e86 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-09-09 07:29
Reported
2024-09-09 07:32
Platform
win10v2004-20240802-en
Max time kernel
149s
Max time network
154s
Command Line
Signatures
CryptBot
Lumma Stealer, LummaC
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\broadcom5.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\RarSFX0\build_5.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\cscript.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\build_5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\build_5.exe | N/A |
| N/A | N/A | C:\Users\Public\Channel5.exe | N/A |
| N/A | N/A | C:\Users\Public\File1.exe | N/A |
| N/A | N/A | C:\Users\Public\Windows.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api64.ipify.org | N/A | N/A |
| N/A | api64.ipify.org | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4892 set thread context of 3936 | N/A | C:\Users\Public\Channel5.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 732 set thread context of 4272 | N/A | C:\Users\Public\File1.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
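Both detonations raise "Detects Pyinstaller" with an empty indicator table; the evidence is in the dropped files. build_5.exe unpacks python312.dll, python3.dll, base_library.zip, the pywin32 and OpenSSL 3 DLLs and a set of .pyd extensions into a _MEI<pid> directory under %TEMP%, which is PyInstaller's one-file layout (the directory number is the bootloader's process id, so it differs between the two runs). The following Python is an added example, not part of this report, that confirms the classification from the binary itself by parsing the CArchive cookie PyInstaller appends to the executable as an overlay and walking its table of contents. Because build_5.exe is not on the page, the bundle is constructed in-line with entry names mirroring the report's _MEI20202 artifacts; the cookie and TOC layouts are PyInstaller's own (the same ones pyinstxtractor relies on).

```python
"""Confirming the "Detects Pyinstaller" signature from the file itself.
Added example, not part of the sandbox report. The sample bundle is
constructed below to stand in for build_5.exe, whose bytes are not on the page."""
import struct

COOKIE_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
COOKIE_FMT = "!8sIIii64s"   # magic, package length, TOC offset, TOC length, python version, python lib name
COOKIE_LEN = struct.calcsize(COOKIE_FMT)  # 88 bytes
TOC_FMT = "!iIIIBc"         # entry length, data offset, compressed size, uncompressed size, compressed flag, type code
TOC_HDR = struct.calcsize(TOC_FMT)        # 18 bytes


def find_pyinstaller_cookie(data: bytes):
    """Locate the trailing cookie and return the archive geometry, or None if this is not a PyInstaller bundle."""
    idx = data.rfind(COOKIE_MAGIC)
    if idx == -1 or idx + COOKIE_LEN > len(data):
        return None
    _, pkg_len, toc_off, toc_len, pyver, pylib = struct.unpack(COOKIE_FMT, data[idx:idx + COOKIE_LEN])
    # PyInstaller 4+ stores major*100+minor (312 -> 3.12); older bundles stored major*10+minor.
    major, minor = divmod(pyver, 100) if pyver >= 100 else divmod(pyver, 10)
    return {
        "archive_start": idx + COOKIE_LEN - pkg_len,   # the package length counts the cookie itself
        "toc_offset": toc_off,
        "toc_length": toc_len,
        "python": f"{major}.{minor}",
        "pylib": pylib.rstrip(b"\0").decode("ascii", "replace"),
    }


def parse_toc(data: bytes, info: dict):
    """Walk the TOC and list what the bootloader will unpack into its _MEI directory."""
    pos = info["archive_start"] + info["toc_offset"]
    end = pos + info["toc_length"]
    entries = []
    while pos < end:
        entry_len, off, clen, ulen, cflag, typ = struct.unpack(TOC_FMT, data[pos:pos + TOC_HDR])
        name = data[pos + TOC_HDR:pos + entry_len].rstrip(b"\0").decode("utf-8", "replace")
        entries.append({"name": name, "type": typ.decode(), "compressed": bool(cflag),
                        "size": ulen, "offset": info["archive_start"] + off})
        pos += entry_len
    return entries


def build_fake_bundle(entries, pyver=312, pylib=b"python312.dll"):
    """Constructed stand-in for a PyInstaller overlay: payload blobs, then TOC, then cookie."""
    payload, toc = b"", b""
    for name, blob, typecode in entries:
        name_b = name.encode() + b"\0"
        toc += struct.pack(TOC_FMT, TOC_HDR + len(name_b), len(payload), len(blob), len(blob), 0, typecode) + name_b
        payload += blob
    body = payload + toc
    cookie = struct.pack(COOKIE_FMT, COOKIE_MAGIC, len(body) + COOKIE_LEN, len(payload), len(toc), pyver, pylib)
    return b"MZ" + b"\0" * 62 + body + cookie   # fake PE stub in front, as the bootloader would be


# Constructed entries mirroring artifact names the report lists under _MEI20202 (contents are dummies).
SAMPLE_ENTRIES = [
    ("python312.dll", b"MZ\x90\x00fake-dll", b"b"),
    ("base_library.zip", b"PK\x03\x04fake-zip", b"b"),
    ("PYZ-00.pyz", b"PYZ\x00fake-pyz", b"z"),
]

if __name__ == "__main__":
    sample = build_fake_bundle(SAMPLE_ENTRIES)
    info = find_pyinstaller_cookie(sample)
    print(info)
    for entry in parse_toc(sample, info):
        print(entry)
```

On a real sample, read the file into `data` and call `find_pyinstaller_cookie` first; a `None` result means no cookie was found and the "Detects Pyinstaller" verdict should be re-examined. The TOC offsets returned by `parse_toc` are absolute file offsets, so each entry can be carved directly (zlib-decompress it when `compressed` is set) without running the dropper.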
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX0\build_5.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX0\build_5.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Public\Channel5.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Public\File1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\broadcom5.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Public\Windows.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Public\Windows.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Public\Windows.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\broadcom5.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\broadcom5.exe | "C:\Users\Admin\AppData\Local\Temp\broadcom5.exe" |
| C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\run.vbs" |
| C:\Users\Admin\AppData\Local\Temp\RarSFX0\build_5.exe | "C:\Users\Admin\AppData\Local\Temp\RarSFX0\build_5.exe" |
| C:\Users\Admin\AppData\Local\Temp\RarSFX0\build_5.exe | "C:\Users\Admin\AppData\Local\Temp\RarSFX0\build_5.exe" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "cscript.exe C:\Users\Public\make.vbs" |
| C:\Windows\SysWOW64\cscript.exe | cscript.exe C:\Users\Public\make.vbs |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c taskkill/IM C:\Users\Public\Channel5.exe /F /t |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "del C:\Users\Public\make.vbs" |
| C:\Windows\SysWOW64\taskkill.exe | taskkill /IM C:\Users\Public\Channel5.exe /F /t |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -Command "saps C:\Users\Public\Channel5.exe" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "cscript.exe C:\Users\Public\make.vbs" |
| C:\Windows\SysWOW64\cscript.exe | cscript.exe C:\Users\Public\make.vbs |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c taskkill/IM C:\Users\Public\File1.exe /F /t |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "del C:\Users\Public\make.vbs" |
| C:\Windows\SysWOW64\taskkill.exe | taskkill /IM C:\Users\Public\File1.exe /F /t |
| C:\Users\Public\Channel5.exe | "C:\Users\Public\Channel5.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -Command "saps C:\Users\Public\File1.exe" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "cscript.exe C:\Users\Public\make.vbs" |
| C:\Windows\SysWOW64\cscript.exe | cscript.exe C:\Users\Public\make.vbs |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c taskkill/IM C:\Users\Public\Windows.exe /F /t |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "del C:\Users\Public\make.vbs" |
| C:\Windows\SysWOW64\taskkill.exe | taskkill /IM C:\Users\Public\Windows.exe /F /t |
| C:\Users\Public\File1.exe | "C:\Users\Public\File1.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -Command "saps C:\Users\Public\Windows.exe" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "cscript.exe C:\Users\Public\make.vbs" |
| C:\Windows\SysWOW64\cscript.exe | cscript.exe C:\Users\Public\make.vbs |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c taskkill/IM C:\Users\Public\xarirogemi.exe /F /t |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "del C:\Users\Public\make.vbs" |
| C:\Windows\SysWOW64\taskkill.exe | taskkill /IM C:\Users\Public\xarirogemi.exe /F /t |
| C:\Users\Public\Windows.exe | "C:\Users\Public\Windows.exe" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "cscript.exe C:\Users\Public\make.vbs" |
| C:\Windows\SysWOW64\cscript.exe | cscript.exe C:\Users\Public\make.vbs |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c taskkill/IM C:\Users\Public\setup1.exe /F /t |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "del C:\Users\Public\make.vbs" |
| C:\Windows\SysWOW64\taskkill.exe | taskkill /IM C:\Users\Public\setup1.exe /F /t |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "cscript.exe C:\Users\Public\make.vbs" |
| C:\Windows\SysWOW64\cscript.exe | cscript.exe C:\Users\Public\make.vbs |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c taskkill/IM C:\Users\Public\385104.exe /F /t |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "del C:\Users\Public\make.vbs" |
| C:\Windows\SysWOW64\taskkill.exe | taskkill /IM C:\Users\Public\385104.exe /F /t |
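The process list above shows the same stage loop repeated once per payload: cmd.exe runs cscript.exe on C:\Users\Public\make.vbs (a script that is rewritten each time, which is why the Files section carries three different hashes for the same path), a `taskkill /F /t` is issued for the next payload name, make.vbs is deleted, and PowerShell is started with `-WindowStyle hidden` to launch the payload through `saps`, the built-in alias for Start-Process. Channel5.exe and File1.exe then call SetThreadContext on a freshly started RegAsm.exe, which, together with the repeated 0x400000-0x5DF000 dumps of PID 3936, is consistent with process hollowing into a signed .NET utility. The Python below is an added example, not part of this report, that runs one detection rule per step over command lines copied from the Processes section and over the two SetThreadContext events. The rule names, the user-writable-path heuristic and the extension of the hollowing-host list beyond RegAsm.exe (the only host seen here) are this example's own assumptions.

```python
"""Triage rules for the behavioral2 process list and SetThreadContext events.
Added example, not part of the sandbox report. Command lines and event tuples are
copied from the report; rule names and heuristics are this example's own."""
import re

# Constructed from the report's Processes section: (image, command line).
PROCESSES = [
    (r"C:\Windows\SysWOW64\WScript.exe",
     r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\run.vbs"'),
    (r"C:\Windows\SysWOW64\cmd.exe",
     r'C:\Windows\system32\cmd.exe /c "cscript.exe C:\Users\Public\make.vbs"'),
    (r"C:\Windows\SysWOW64\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /c taskkill/IM C:\Users\Public\Channel5.exe /F /t'),
    (r"C:\Windows\SysWOW64\cmd.exe",
     r'C:\Windows\system32\cmd.exe /c "del C:\Users\Public\make.vbs"'),
    (r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden '
     r'-Command "saps C:\Users\Public\Channel5.exe"'),
    (r"C:\Users\Public\Channel5.exe", r'"C:\Users\Public\Channel5.exe"'),
    (r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"'),
]
# From the "Suspicious use of SetThreadContext" table: (src pid, dst pid, src image, dst image).
THREAD_CONTEXT_EVENTS = [
    (4892, 3936, r"C:\Users\Public\Channel5.exe", r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"),
    (732, 4272, r"C:\Users\Public\File1.exe", r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"),
]

# Heuristic (assumption): locations a standard user can write to and execute from.
USER_WRITABLE = ("c:\\users\\public\\", "\\appdata\\local\\temp\\")
# RegAsm.exe is in the report; the other signed .NET hosts are a common extension (assumption).
HOLLOWING_HOSTS = {"regasm.exe", "regsvcs.exe", "msbuild.exe", "installutil.exe"}


def _norm(path: str) -> str:
    return path.strip('"').lower()


def _base(path: str) -> str:
    return _norm(path).rsplit("\\", 1)[-1]


def _user_writable(path: str) -> bool:
    return any(marker in _norm(path) for marker in USER_WRITABLE)


def triage_processes(processes):
    """Return (rule, image, cmdline) findings; order of input matters for the self-delete rule."""
    findings, executed_scripts = [], set()
    for image, cmdline in processes:
        low = cmdline.lower()
        tokens = low.split()
        if _user_writable(image):
            findings.append(("exec_from_user_writable_dir", image, cmdline))
        # Hidden PowerShell window plus Start-Process (or its 'saps' alias) launching something.
        if (_base(image) == "powershell.exe"
                and re.search(r"-w(?:indowstyle)?\s+h(?:idden)?\b", low)
                and re.search(r"\b(?:saps|start-process)\b", low)):
            findings.append(("hidden_powershell_start_process", image, cmdline))
        # Forced, tree-wide kill of a binary in a user-writable directory ('taskkill/IM' has no space here).
        m = re.search(r"taskkill\s*/im\s+(\S+)", low)
        if m and "/f" in tokens and "/t" in tokens and _user_writable(m.group(1)):
            findings.append(("taskkill_force_tree_user_writable", image, cmdline))
        # Script host executing a script from %TEMP% or C:\Users\Public; remember it for the del rule.
        m = re.search(r'\b[cw]script(?:\.exe)?"?\s+"?([^"\s]+\.(?:vbs|vbe|js|jse|wsf))', low)
        if m:
            executed_scripts.add(m.group(1))
            if _user_writable(m.group(1)):
                findings.append(("script_host_user_writable", image, cmdline))
        # Deleting a script that was executed earlier in the same chain (self-cleanup).
        m = re.search(r'\bdel\s+"?([^"\s]+)', low)
        if m and m.group(1) in executed_scripts:
            findings.append(("script_self_delete", image, cmdline))
    return findings


def flag_thread_context(events):
    """SetThreadContext from an unsigned user-writable binary into a signed .NET host: hollowing candidate."""
    return [(src, dst, _base(si), _base(di)) for src, dst, si, di in events
            if _base(di) in HOLLOWING_HOSTS and _user_writable(si)]


if __name__ == "__main__":
    for rule, image, cmdline in triage_processes(PROCESSES):
        print(f"{rule:38} {image}")
    for hit in flag_thread_context(THREAD_CONTEXT_EVENTS):
        print("thread_context_into_dotnet_host", hit)
```

Each rule on its own is noisy (administrators use taskkill and hidden PowerShell windows too); what makes this chain distinctive is that all five fire in sequence from the same parent, so in a real SIEM these would be correlated on parent process id within a short window rather than alerted individually.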
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 103.130.147.211:80 | 103.130.147.211 | tcp |
| US | 8.8.8.8:53 | 211.147.130.103.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 103.130.147.211:80 | 103.130.147.211 | tcp |
| NL | 62.133.61.172:80 | | tcp |
| DE | 92.246.139.82:80 | 92.246.139.82 | tcp |
| US | 8.8.8.8:53 | api64.ipify.org | udp |
| US | 173.231.16.77:443 | api64.ipify.org | tcp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | 82.139.246.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.16.231.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.59.117.34.in-addr.arpa | udp |
| US | 103.130.147.211:80 | 103.130.147.211 | tcp |
| US | 8.8.8.8:53 | muggudrowiwm.shop | udp |
| US | 8.8.8.8:53 | preachstrwnwjw.shop | udp |
| US | 104.21.47.108:443 | preachstrwnwjw.shop | tcp |
| US | 8.8.8.8:53 | complainnykso.shop | udp |
| US | 104.21.48.131:443 | complainnykso.shop | tcp |
| US | 8.8.8.8:53 | 108.47.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | basedsymsotp.shop | udp |
| US | 104.21.78.130:443 | basedsymsotp.shop | tcp |
| US | 8.8.8.8:53 | charistmatwio.shop | udp |
| US | 172.67.193.197:443 | charistmatwio.shop | tcp |
| US | 8.8.8.8:53 | grassemenwji.shop | udp |
| US | 8.8.8.8:53 | 131.48.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 130.78.21.104.in-addr.arpa | udp |
| US | 104.21.48.158:443 | grassemenwji.shop | tcp |
| US | 8.8.8.8:53 | ignoracndwko.shop | udp |
| US | 172.67.207.50:443 | ignoracndwko.shop | tcp |
| US | 8.8.8.8:53 | stitchmiscpaew.shop | udp |
| US | 172.67.136.135:443 | stitchmiscpaew.shop | tcp |
| US | 8.8.8.8:53 | 197.193.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.48.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | commisionipwn.shop | udp |
| US | 104.21.38.33:443 | commisionipwn.shop | tcp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 23.214.143.155:443 | steamcommunity.com | tcp |
| US | 8.8.8.8:53 | 50.207.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 135.136.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 33.38.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tenntysjuxmz.shop | udp |
| US | 104.21.39.10:443 | tenntysjuxmz.shop | tcp |
| US | 8.8.8.8:53 | 155.143.214.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.39.21.104.in-addr.arpa | udp |
| US | 103.130.147.211:80 | 103.130.147.211 | tcp |
| US | 8.8.8.8:53 | thirtv13sb.top | udp |
| RU | 195.133.13.230:80 | thirtv13sb.top | tcp |
| US | 8.8.8.8:53 | 230.13.133.195.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58yongzhe.com | udp |
| RU | 194.58.114.223:80 | | tcp |
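The Network table mixes four kinds of rows that should not be treated alike: reverse (in-addr.arpa) lookups of peer IPs, which carry no indicator value of their own; forward DNS queries; plain-HTTP connections to bare IPs on port 80 (103.130.147.211, and 62.133.61.172 and 194.58.114.223, the latter two recorded without a domain); and TLS connections to the .shop domains, whose addresses all fall in Cloudflare's 104.16.0.0/13 and 172.64.0.0/13 ranges, so the IPs are CDN edges and only the domain names are worth blocking. api64.ipify.org and ipinfo.io are the "Looks up external IP address via web service" signature, and steamcommunity.com is a legitimate service (Lumma is publicly documented as using Steam profile pages as a dead-drop resolver, but the report records only the connection, not its content). 58yongzhe.com is resolved and no connection is attributed to it. The Python below is an added example, not part of this report, that parses a subset of the rows copied from the table (with the two misaligned rows corrected) and sorts them into those classes; the allowlist and the CDN range subset are this example's own assumptions.

```python
"""IOC extraction from the behavioral2 Network table. Added example, not part of
the sandbox report. RAW_TABLE is a subset of the report's rows; the allowlist
and CDN ranges are this example's assumptions."""
import ipaddress

RAW_TABLE = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 103.130.147.211:80 | 103.130.147.211 | tcp |
| NL | 62.133.61.172:80 | | tcp |
| US | 8.8.8.8:53 | api64.ipify.org | udp |
| US | 173.231.16.77:443 | api64.ipify.org | tcp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | muggudrowiwm.shop | udp |
| US | 104.21.47.108:443 | preachstrwnwjw.shop | tcp |
| US | 172.67.193.197:443 | charistmatwio.shop | tcp |
| GB | 23.214.143.155:443 | steamcommunity.com | tcp |
| RU | 195.133.13.230:80 | thirtv13sb.top | tcp |
| US | 8.8.8.8:53 | 58yongzhe.com | udp |
| RU | 194.58.114.223:80 | | tcp |
"""

IP_LOOKUP_SERVICES = {"api64.ipify.org", "ipinfo.io"}          # the external-IP-lookup signature
LEGIT_SERVICES = IP_LOOKUP_SERVICES | {"steamcommunity.com"}    # analyst allowlist (assumption)
# Two of Cloudflare's published IPv4 ranges, the ones the report's .shop hosts fall into (subset by assumption).
CDN_RANGES = [ipaddress.ip_network("104.16.0.0/13"), ipaddress.ip_network("172.64.0.0/13")]


def parse_rows(text: str):
    """Turn the pipe table into dicts; an empty Domain cell becomes None."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue
        country, dest, domain, proto = cells
        host, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": host, "port": int(port),
                     "domain": domain or None, "proto": proto})
    return rows


def ptr_to_ip(name: str):
    """'209.205.72.20.in-addr.arpa' -> '20.72.205.209'; None for anything that is not a PTR name."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[:-len(suffix)].split(".")
    return ".".join(reversed(octets)) if len(octets) == 4 else None


def summarize(rows):
    s = {"reverse_lookups": set(), "resolved": set(), "contacted": {},
         "raw_ip_contacts": set(), "ip_lookup_services": set(), "cdn_fronted": set()}
    for r in rows:
        dest = f"{r['ip']}:{r['port']}"
        if r["proto"] == "udp" and r["port"] == 53:          # DNS traffic: classify, do not treat as C2
            ip = ptr_to_ip(r["domain"] or "")
            if ip:
                s["reverse_lookups"].add(ip)
            elif r["domain"]:
                s["resolved"].add(r["domain"])
            continue
        if r["domain"] is None or r["domain"] == r["ip"]:   # connection with no name behind it
            s["raw_ip_contacts"].add(dest)
            continue
        s["contacted"].setdefault(r["domain"], set()).add(dest)
        if r["domain"] in IP_LOOKUP_SERVICES:
            s["ip_lookup_services"].add(r["domain"])
        if any(ipaddress.ip_address(r["ip"]) in net for net in CDN_RANGES):
            s["cdn_fronted"].add(r["domain"])               # block the name, not the edge IP
    s["resolved_only"] = s["resolved"] - set(s["contacted"])
    return s


def blocklist(summary):
    """Domains worth blocking: everything contacted or resolved, minus the allowlist."""
    return sorted((set(summary["contacted"]) | summary["resolved_only"]) - LEGIT_SERVICES)


if __name__ == "__main__":
    summary = summarize(parse_rows(RAW_TABLE))
    print("block by name:", blocklist(summary))
    print("bare IP contacts:", sorted(summary["raw_ip_contacts"]))
    print("CDN-fronted (IPs not useful):", sorted(summary["cdn_fronted"]))
```

The bare-IP port-80 contacts are the only ones where an IP block is meaningful; the CDN-fronted edges change constantly and also serve unrelated sites, so they go out only as domain indicators.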
Files
C:\Users\Admin\AppData\Local\Temp\RarSFX0\run.vbs
| MD5 | 5bbb490df19cbff919dc8338db84f363 |
| SHA1 | 1acb4bdbd0ff2b9c38613191c5f11e4ae35156c2 |
| SHA256 | 738a9b1cd2c12511e87076fefbfe39aff55278ed86b3cc32fb968078cc6e6a03 |
| SHA512 | 6b1ccd500347c13ac37f5b214db7717d35879cc6d4c909b7b8ecb7ce54e1cfe8b6d0202afe5edc77721f08e4f94291e8ae97abfb77cb8e758f15a62c6054d40f |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\build_5.exe
| MD5 | 489841193bb17bed86528363199e802d |
| SHA1 | b21527944d7f543b568aedbbe9833ffdb621b06a |
| SHA256 | 9e551b2304a6d8b72f38080a717d35900365dda5ce2aea2f2b14e90eba59cd7f |
| SHA512 | 85c250271c44ccafd753495356a9a1bd8d940a8c3443c51e1d8d1fbe1d79ab39226e9e18402b088ec340b05f45e0caeb8a2f7c195479e3b5e9cdbd23260405df |
C:\Users\Admin\AppData\Local\Temp\_MEI20202\python312.dll
| MD5 | 0eac9fa387647c388fab4239bfe5a0b5 |
| SHA1 | fafb679a58b8d85b50af18a4c0a7402fa890ee39 |
| SHA256 | 65900b1bc22af5bb974385f7f2a8742ffd12860010cbe0aedb62ff5598998414 |
| SHA512 | 70042322b98681c73f83f05e03f61a8ad985944cf07633653706c9b87be738e6698099f40328058ee80d4063f8e85aba7c674c3af079cf082376fb1dc9005e86 |
C:\Users\Admin\AppData\Local\Temp\_MEI20202\VCRUNTIME140.dll
| MD5 | 17f01742d17d9ffa7d8b3500978fc842 |
| SHA1 | 2da2ff031da84ac8c2d063a964450642e849144d |
| SHA256 | 70dd90f6ee01854cecf18b1b6d1dfbf30d33c5170ba07ad8b64721f0bdcc235e |
| SHA512 | c4e617cd808e48cc803343616853adf32b7f2e694b5827392219c69145a43969384d2fc67fa6fa0f5af1ca449eb4932004fbcdd394a5ba092212412b347586f0 |
C:\Users\Admin\AppData\Local\Temp\_MEI20202\base_library.zip
| MD5 | 8dad91add129dca41dd17a332a64d593 |
| SHA1 | 70a4ec5a17ed63caf2407bd76dc116aca7765c0d |
| SHA256 | 8de4f013bfecb9431aabaa97bb084fb7de127b365b9478d6f7610959bf0d2783 |
| SHA512 | 2163414bc01fc30d47d1de763a8332afe96ea7b296665b1a0840d5197b7e56f4963938e69de35cd2bf89158e5e2240a1650d00d86634ac2a5e2ad825455a2d50 |
C:\Users\Admin\AppData\Local\Temp\_MEI20202\_socket.pyd
| MD5 | dc3270c15c0bb4bff94a16575377f403 |
| SHA1 | 333c5003215e0a903cbdc9f8d1747d46df34ada2 |
| SHA256 | ebfc54652c2d3b4fc0f69b06972b056060e55f6aab06bf0caa1328c5e76eb118 |
| SHA512 | 327ff12b3b5ad264aa6478227658d3d59073a6606ec675236df0f0d33d723fa9e7fbf8a80b5cdbab1b2522ae51769c5425fd95f2c870fb546199de95478e3e88 |
C:\Users\Admin\AppData\Local\Temp\_MEI20202\_ssl.pyd
| MD5 | ff678e483e580cfb5c78b0485645fc59 |
| SHA1 | fe3e0db48f4ae86040a4cda5f0c5cf012a09fd28 |
| SHA256 | 0e97b0f87c7b9ec74d9162fc6e41a800f60825167c50845031c2207dcddf3346 |
| SHA512 | 637e3662f6d541d14ac2817e301b3d882e159bbf08f15f8bac1eee2a29973cd999efde1252db0a4a085741f8ea0d99bbbfb175114058937e2074dc7aa1d419cb |
C:\Users\Admin\AppData\Local\Temp\_MEI20202\_queue.pyd
| MD5 | aad725ff62836169e0b09a8833c70b7a |
| SHA1 | 09b5c0d4ea306c67708cf853e8e89a34f9b1682b |
| SHA256 | 0cb74d8aad8805c081c5585aef216828c010545469164067294d38b9410d3e2c |
| SHA512 | 995862ed27b01cdff796d376def382f3e16010a726b0ccbb5444eafaffd6515d7a1c1d8af11915c0df19860601f113a3e047a6094e579ce1939a039afef6a89a |
C:\Users\Admin\AppData\Local\Temp\_MEI20202\select.pyd
| MD5 | c66bc949390c8af8573f877f506d2a6c |
| SHA1 | 68730f0ac9e023eecfec9c8b1546e6c8678dc54f |
| SHA256 | ac861ea9320c0ec16c1c8eaa68fbf35dcff977d4e980bd50cdc7195d6f00e9e4 |
| SHA512 | fd498a872596843e3161955d482371c7ca4690105b5ed4417d26b3b9533c0ac1e7a9627c4900d38320800eb30fc20b1377bb64bbf909b896e31ec401e057d0a8 |
C:\Users\Admin\AppData\Local\Temp\_MEI20202\libssl-3.dll
| MD5 | 8b8fb5ec8d5fca88463bb9ad9fa23344 |
| SHA1 | cbc26ffca78f03b146c84925749029ca2777b30a |
| SHA256 | b777ccc04c05ca5b0a6ff68e6c46ad9837dc02311ee132ad6a81910f4a1ed54f |
| SHA512 | 3763752732822b80622d5260745313575993f535b1fed49434483b644009eb09ab91a1a7f32df22ada477d873ddb0726e0ab5e9416b08fa70e6446d8e981104d |
C:\Users\Admin\AppData\Local\Temp\_MEI20202\libcrypto-3.dll
| MD5 | 2e9277a5dd088949086d450da0e5f4e8 |
| SHA1 | c939886464bb65dc4667d8e477d97a619eadddfc |
| SHA256 | 7de51a1913ca3b10027f83d99ccccb166d6a3c06ca5d6358f260342dbacdbf6a |
| SHA512 | 9f16c77cd90e1b6657f3d2cbd131273bf24becff01c198690ebadb2c454e3f84b88a7e9c6fecdb7f564e1aa99a5583bbd1933e5db408efce3a9095776fa1a056 |
C:\Users\Admin\AppData\Local\Temp\_MEI20202\_bz2.pyd
| MD5 | 7768e3da5a04fa817e7dccc2508a411c |
| SHA1 | 2bbd7b9ffea0fe8f19992b39593910dc5808c013 |
| SHA256 | fe351e980e0c098f33615e0d54aef87eb79aebb9a0b179f33bcf0f93fc9a6338 |
| SHA512 | e219cf8a0929a211336d4e6e4345603ddc209df5994755ac144870b93d6d72d96cb4617aace8015195e62c031146043b255409576b3bbd89a725fe8c1ef8ba67 |
C:\Users\Admin\AppData\Local\Temp\_MEI20202\_lzma.pyd
| MD5 | 3445dfd51b2f41d60d5c2508b4be33d5 |
| SHA1 | bd40e271e588bbfffc3624c50fcd15cb5cf382be |
| SHA256 | e2ca5e4bd2fbdb52069c90182fea1873b111a2045f7e26cdb3772896d1a199ef |
| SHA512 | 5da1c72b1749db04f1cd71c20e536b8899d2fe05ca730233bd5e6db91cbfa7e45d2ec157668fe5d7a1ef28377b206f277a945106dff6a635942129810ab62c74 |
C:\Users\Admin\AppData\Local\Temp\_MEI20202\_hashlib.pyd
| MD5 | 144ea77a7bf8cebd601ba88147b1e3a5 |
| SHA1 | 1c198c5d5a11bb1a6f7e8482741d7c201b095929 |
| SHA256 | 05f013509826fb8a690403baa9e8879d577b67fc9a7e8c1f09aa054a9339eca2 |
| SHA512 | 20dce3609d932c6c7d40d70d69d826448c6175470c27fabbde132bfb198b207b5d7477dbc53280dee5ed40d88a646ab1164a3826803b961180db46d628c3ab55 |
C:\Users\Admin\AppData\Local\Temp\_MEI20202\python3.dll
| MD5 | 97386f12a1c19e14451f5e4697e5fdc8 |
| SHA1 | 6bee5f0a7b8863779a02491c93cb46cd8b6916ef |
| SHA256 | 130632508b1a7f6293bb67e13441e0e21164a5df8e5dabaec9ebe73a35544bad |
| SHA512 | 66dbf574585bd72f2487f341026a811533740241bea1a33395f8967c4b9283aa35c7d765a03337cdec4f56ea5940ef02491d9fdee497a2deb5fc4296d19261e2 |
C:\Users\Admin\AppData\Local\Temp\_MEI20202\pywin32_system32\pywintypes312.dll
| MD5 | 7aa3274f9d767fe6c2994b455fe33a64 |
| SHA1 | b1bd2b0635710fa8252b1300a96700c9569e84cb |
| SHA256 | 5beb99a5e1e83b8f5e4a6c6185348f689f73071c0b68b6a70964ea53c5c17f22 |
| SHA512 | 9fa282afc951612ca26c5b78bb3e2091b6cb3b17b2ad21f67a2f79387161519dbf80c52c2ad62e8575abebfef7ec48a296390a9a8a678db31bb09d01ff04f4cc |
C:\Users\Admin\AppData\Local\Temp\_MEI20202\pywin32_system32\pythoncom312.dll
| MD5 | fada0e603afb67d1893cde008e118dc7 |
| SHA1 | cb13da46b767c873ba9b563dc69ab3c6dd45d6ed |
| SHA256 | b02fd24536f917bbd110da4712106a391e453cc6323f4e6c60a683f077b1514e |
| SHA512 | 3f6a2ee6f612d3b18708318660ac0a00efb2bdab202eba9dd0539f65bf8f2a125c3717b6cf254c15520b0a34b016ea9ccd1d06e88d408bad94f79a2b1a5a4da3 |
C:\Users\Admin\AppData\Local\Temp\_MEI20202\win32\win32api.pyd
| MD5 | 91c7e0eda0d840c320815c6e914b02cf |
| SHA1 | 7024fe76f7585b8a634e762a1d5686fbba5f6437 |
| SHA256 | 0ac64c91f49af4a1b86446c85e53e9ee899e27047368f9819a3c16c6e53454ab |
| SHA512 | 3e59849b891a833807c6c6eb6253c57effcf3c2b95bb430a17ce676e4b5bb3fb0d335effd6a794e2a910f29fa68d11f81e6ddc3a8e18336fc5e80c49891d8cf0 |
C:\Users\Public\make.vbs
| MD5 | dfeb6563fc630d666751198da478e60b |
| SHA1 | 5daaa7e50685dced4398fda98f507b4bbe54fbf8 |
| SHA256 | e068d932251118af2d66569cdee1b2b7c27e432a15bd7f5060023d09a7ca3ba8 |
| SHA512 | 80c4eeeb512a2328296a4ff8aa5273c44cf2fbadd3cfa8fcdc773b9863a4b9636c6228484a045e2e9a846bcb1f5c014faaeae7e0414626ea93c728c4d9737add |
C:\Users\Admin\AppData\Local\Temp\_MEI20202\unicodedata.pyd
| MD5 | c190e5d70fdcdd1cbeaa23de04795c97 |
| SHA1 | 86abddf9d67aabd6d744e12114c2764d2cba2156 |
| SHA256 | 4e60bd8e5d8676f1b2ca30f06c5bb858cd6db35801ffbf6b6ceec336d880e808 |
| SHA512 | 328e80e68391d0e84b8a02c6b1a9231a8376c45286e6669880a65a140943f55e9e0e83c16dd4fc636811298f583d4570ca9b718bd0ee19ef8ec75f711af428d3 |
C:\Users\Admin\AppData\Local\Temp\_MEI20202\_decimal.pyd
| MD5 | bfddafd620167cd795a3d17895e4f5d7 |
| SHA1 | 2c545940e7da32caddc07fbc96e3b543a085a34d |
| SHA256 | 2f994d1555703739de1f4498d0196c5f96dfffad0eb60b161718c16168b53bd1 |
| SHA512 | 55dbfcd5083e411d1361b2219c752543a2aa7587c4eeb876407b33d421b64fb432da2cedc629e92c8d45702058cd47e74d645aedac730b3dd3d65b611e9c260e |
C:\Users\Admin\AppData\Local\Temp\_MEI20202\_cffi_backend.cp312-win32.pyd
| MD5 | 795674562f6495081500cd0e7c1770f1 |
| SHA1 | bfe59f036f08213b8299ab6c1a5cbf361b387210 |
| SHA256 | 1f841ec41003f74e656735ed74b84365427ef6e330c312fa458d2cee9cedc99b |
| SHA512 | fa6250afb16f5a69d070dc261df858b23d740054beaf8469842018d805e4af0803cb98d3247e14c09f0613745d7282f5b3290f9157a5d3c96a0f8f313286db2d |
C:\Users\Public\make.vbs
| MD5 | 24edf70cd3dfaed22ccbfcdb46fedb6a |
| SHA1 | 34ce910db6cc63654a3bbc117397ad26c6136ac9 |
| SHA256 | 2d2114848d90467e84cce62f55f894488f751e1c5ce38d9a83f265d5b330b4ed |
| SHA512 | 657cbf6b5bcaf8a20169636b55537cdf5dcc7995406fec3ed83941826c1292b118632f780183b2b8ea4bb251ac4740e7dfa472d73c9d9863efcdf3ef441a7a69 |
memory/1048-95-0x0000000002620000-0x0000000002656000-memory.dmp
memory/1048-96-0x0000000004DF0000-0x0000000005418000-memory.dmp
memory/1048-97-0x0000000004B40000-0x0000000004B62000-memory.dmp
memory/1048-98-0x0000000005490000-0x00000000054F6000-memory.dmp
memory/1048-104-0x0000000005500000-0x0000000005566000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ka0imwmg.nca.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1048-109-0x0000000005670000-0x00000000059C4000-memory.dmp
memory/1048-110-0x0000000005AD0000-0x0000000005AEE000-memory.dmp
memory/1048-111-0x0000000005B20000-0x0000000005B6C000-memory.dmp
memory/1048-113-0x0000000006030000-0x00000000060C6000-memory.dmp
memory/1048-114-0x0000000005FC0000-0x0000000005FDA000-memory.dmp
memory/1048-115-0x0000000006C90000-0x0000000006CB2000-memory.dmp
memory/1048-116-0x0000000007270000-0x0000000007814000-memory.dmp
C:\Users\Public\Channel5.exe
| MD5 | 3861a0771a80ee4a0fee71d27e55ea3b |
| SHA1 | ec3ce37a9a1cb7be6203a2f8f0ca0905c6fe15ff |
| SHA256 | ea8191cfbbbc115c507413ffed9c0bebdbf0eee478a6a1d391a7ca976b260876 |
| SHA512 | 1f9b74dd8fbe10d9d2e26053ca374f7a8f18c10a153c7a4b8c46032033fdc155f5f5310fdd516d3a4632644f7d76137447694958c28485bd506aa68775c34f6d |
memory/4892-121-0x0000000000F80000-0x00000000016C6000-memory.dmp
memory/4892-122-0x0000000006020000-0x00000000060BC000-memory.dmp
memory/4892-123-0x0000000006210000-0x0000000006518000-memory.dmp
memory/4892-124-0x0000000005F40000-0x0000000005F62000-memory.dmp
memory/3936-125-0x0000000000400000-0x00000000005DF000-memory.dmp
memory/3936-129-0x0000000000400000-0x00000000005DF000-memory.dmp
memory/3936-127-0x0000000000400000-0x00000000005DF000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | 4e55b42d326b24bef5bd415891725b28 |
| SHA1 | 92a78f46dc2e28078d71135a9911a02b9a779e7b |
| SHA256 | f98bad06aa5c1a91be60f59325addf86fe076e0e97a0ee6295c89496e35ec0de |
| SHA512 | 3e360444498fcf62e00703501889a3239fef1037228075b1c071766bcaf943e259fe4a3d56524cb5d87ff149c9d85e47f3783a35f68144729c4445d62b2fac93 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | def65711d78669d7f8e69313be4acf2e |
| SHA1 | 6522ebf1de09eeb981e270bd95114bc69a49cda6 |
| SHA256 | aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c |
| SHA512 | 05b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7 |
C:\Users\Public\make.vbs
| MD5 | cc3d3ed7869701b037203bea64221135 |
| SHA1 | 88a4818165efc31cfac7534aa1cef73dc08972ce |
| SHA256 | a1340d619e4952340929cf07848de213d5ab27e2b9ab8399a52d1c8fdec8ab67 |
| SHA512 | f0d8d4fd64e1aaa30d0045017cbc36c5297dd6725a87a4dd8d528f80cc838de9295e2483eae5296ab774616b88bccdce0061f495c3e93c317236301dcece7981 |
memory/4924-154-0x00000000064D0000-0x0000000006824000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | a3198df52c95a2cf065805d8afbff2fd |
| SHA1 | a524cc7901aa55718d4d3ba2caa660f9d16403ce |
| SHA256 | c764ac779af983a14355281b26887092d97252c4071624f6ba9f21d04c6e9dbd |
| SHA512 | 0e90ab22e399f157860ace5447d0b9ad4b5c8331441ec4ab5582c9fa32db2edd89f626e44744bbbf1f586aff21befb3762ad725bf589771c3a2dfd2b962b33c8 |
memory/4924-156-0x0000000006B90000-0x0000000006BDC000-memory.dmp
C:\Users\Public\File1.exe
| MD5 | 115d4283a126ef5b8da99582cfaf9b17 |
| SHA1 | bc3343e28434368e95ab31f1edeaa1baaffc9e95 |
| SHA256 | e1cad6961c9fcbbcb8a974c5d6cc58a248d2d69880d1ca8355ef8a92c3bc8afc |
| SHA512 | 1d78d9f9b8a2e7bb3c7505edd808e3dae5b9b782483ecd1de07012e3dd30eb21e3b13712177b64a5c8aa229244f1eb2c6794aa44b5ea2dd2771b5b3109a0f4e4 |
memory/732-160-0x0000000000490000-0x00000000004E4000-memory.dmp
memory/4272-162-0x0000000000400000-0x0000000000459000-memory.dmp
memory/4272-164-0x0000000000400000-0x0000000000459000-memory.dmp
memory/4272-166-0x0000000000400000-0x0000000000459000-memory.dmp
C:\Users\Public\make.vbs
| MD5 | 66232297ab8364e4ab1413149fa28778 |
| SHA1 | b94045bf663494af1907a461ec36d60d5e2c2b0c |
| SHA256 | 317a69633fe3714a2321edb7223a9dc68f84aab3477567f400772a3abe16c13f |
| SHA512 | 01abaf92bec4ddb5f64c13aecbd24a58d814dacc32218709cef1c8d53cdce32ad030957661364b8d4a6bb6ae0b8f430aba1064d888bd89e0e18d8587ef21d9ec |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 4f0aa5e5b20e44070696496d75ddbc3b |
| SHA1 | 7e2884323ec3127cbf598babc46a31d11d4db06a |
| SHA256 | f09d573489b037f4ea820eafdd89a0941ee40fdd480e33514cd2d246d1b030b8 |
| SHA512 | 164ac7b906eebe82ee525624779a083e79d4b13556d3ebf2aaeaa984eaf08c98f5db31e077808da10441c3e3afdc4e57207f5134738193feabc11ef6251950e4 |
memory/2740-191-0x0000000006010000-0x000000000605C000-memory.dmp
C:\Users\Public\Windows.exe
| MD5 | cc70a5edd4a5a8db874c97d21119f59d |
| SHA1 | 4b1d7b51e875a4b6aa05967459e17ea0d3286f39 |
| SHA256 | 4311121804332b647e02280a9c551c85c16a46f24f2d2107a9bdceaa8923afa1 |
| SHA512 | f2806d7988073539723708821f0246021a77724c992901282036f77bdb57ddf7e495644d7f00c6f96fd3aa0fa65e6142ed9e823c2cab1474d41ee5bc083b2268 |
C:\Users\Public\make.vbs
| MD5 | 2984059e341e42c0f34e0b5fe4f2f3d1 |
| SHA1 | 444fd218f43d8a4286c024f08d84a8ac38e18bba |
| SHA256 | 6214a167b290b206611f527f281ae5ace91918cd8d6e77a1c8a01a13465b99ba |
| SHA512 | 786be5ea24debffbfbc5737fa497ccef97507bb0a76f93544a9f8e5f02f89a5e83382aa78058d962de3330addd86aee5be32b8c15382f79666ff94885cace168 |
memory/452-200-0x0000000000400000-0x0000000001065000-memory.dmp
C:\Users\Public\make.vbs
| MD5 | ed2fc077f746f28281b9fe0626c41b61 |
| SHA1 | fac7d476679773b6beef32c9c99a3d9d5df9ceed |
| SHA256 | b48e03c1e333435ab55a86861d9655f6ddab65cde214995dfd1cf07e6b821b6d |
| SHA512 | 77e5d23a2139afaeeee9aad0b8ca1751b6187b1e8bdf72114fdbd094f34aee00ef952305575e9c5976a0a80fb049dba1ae1a2030c24b48c60643ebfcb5966f77 |