Analysis Overview
SHA256
ceb14b7e4b21acd79ccac5ab40102550e36290d24e22e946746cea9f16b7ccab
Threat Level: Likely malicious
The file 241026-vanswswdrh_pw_infected.zip was found to be: Likely malicious.
Malicious Activity Summary
Downloads MZ/PE file
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Adds Run key to start application
Enumerates physical storage devices
Command and Scripting Interpreter: JavaScript
System Location Discovery: System Language Discovery
Detects Pyinstaller
Modifies registry class
Kills process with taskkill
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Opens file in notepad (likely ransom note)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 20:35
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 20:35
Reported
2024-11-13 20:43
Platform
win10ltsc2021-20241023-en
Max time kernel
449s
Max time network
438s
Command Line
Signatures
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7zO0E3FECE9\bot_start.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\VC_redistx64.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\bot_start.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\VC_redistx64.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\VC_redistx64.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\bot_start.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\VC_redistx64.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\bot_start.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\bot_start.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\VC_redistx64.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\bot_start.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\VC_redistx64.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zO0E3FECE9\bot_start.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\VC_redistx64.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\bot_start.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\bot_start.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\proxy_check.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\proxy_check.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\VC_redistx64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\VC_redistx64.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\bot_start.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\bot_start.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\VC_redistx64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\VC_redistx64.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\bot_start.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\VC_redistx64.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\bot_start.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\proxy_check.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\proxy_check.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\proxy_check.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\proxy_check.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\proxy_check.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\proxy_check.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\proxy_check.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\proxy_check.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\proxy_check.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\proxy_check.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\proxy_check.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\proxy_check.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\proxy_check.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\proxy_check.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\proxy_check.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\My Program = "C:\\ProgramData\\MyHiddenFolder\\VC_redistx64.exe" | C:\Users\Admin\AppData\Roaming\VC_redistx64.exe | N/A |
Command and Scripting Interpreter: JavaScript
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\bot_start.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\bot_start.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\bot_start.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\bot_start.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zO0E3FECE9\bot_start.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\bot_start.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\bot_start.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings | C:\Program Files\7-Zip\7zFM.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\VC_redistx64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\VC_redistx64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\VC_redistx64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\VC_redistx64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\VC_redistx64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\VC_redistx64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\VC_redistx64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\VC_redistx64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\VC_redistx64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\VC_redistx64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\VC_redistx64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\VC_redistx64.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zO0E3FECE9\bot_start.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Desktop\bot_start.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Desktop\bot_start.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Desktop\bot_start.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Desktop\bot_start.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Desktop\bot_start.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Desktop\bot_start.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Youtube-Viewer Bot 1.9.rar"
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zO0E374DF7\urls.txt
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zO0E39B109\urls.txt
C:\Users\Admin\AppData\Local\Temp\7zO0E3FECE9\bot_start.exe
"C:\Users\Admin\AppData\Local\Temp\7zO0E3FECE9\bot_start.exe"
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\urls.txt
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Readme.txt
C:\Users\Admin\AppData\Roaming\VC_redistx64.exe
"C:\Users\Admin\AppData\Roaming\VC_redistx64.exe"
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Readme.txt
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\search.txt
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\Desktop\bot_start.exe
"C:\Users\Admin\Desktop\bot_start.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\killdrive.bat" "
C:\Windows\system32\taskkill.exe
taskkill /F /IM chrome.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM chromedriver.exe
C:\Users\Admin\Desktop\bot_start.exe
"C:\Users\Admin\Desktop\bot_start.exe"
C:\Users\Admin\Desktop\proxy_check.exe
"C:\Users\Admin\Desktop\proxy_check.exe"
C:\Users\Admin\Desktop\proxy_check.exe
"C:\Users\Admin\Desktop\proxy_check.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c
C:\Users\Admin\AppData\Roaming\VC_redistx64.exe
"C:\Users\Admin\AppData\Roaming\VC_redistx64.exe"
C:\Users\Admin\AppData\Roaming\VC_redistx64.exe
"C:\Users\Admin\AppData\Roaming\VC_redistx64.exe"
C:\Users\Admin\Desktop\bot_start.exe
"C:\Users\Admin\Desktop\bot_start.exe"
C:\Users\Admin\Desktop\bot_start.exe
"C:\Users\Admin\Desktop\bot_start.exe"
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Readme.txt
C:\Users\Admin\AppData\Roaming\VC_redistx64.exe
"C:\Users\Admin\AppData\Roaming\VC_redistx64.exe"
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\search.txt
C:\Users\Admin\AppData\Roaming\VC_redistx64.exe
"C:\Users\Admin\AppData\Roaming\VC_redistx64.exe"
C:\Users\Admin\Desktop\bot_start.exe
"C:\Users\Admin\Desktop\bot_start.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Users\Admin\AppData\Roaming\VC_redistx64.exe
"C:\Users\Admin\AppData\Roaming\VC_redistx64.exe"
C:\Users\Admin\Desktop\bot_start.exe
bot_start.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\86626594-90d1-4f1b-ae3f-f844028415db_always_active.zip.5db\data\inject.js"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 102.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fd.api.iris.microsoft.com | udp |
| NL | 20.103.156.88:443 | fd.api.iris.microsoft.com | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | downloadsparrow.com | udp |
| US | 172.67.176.186:443 | downloadsparrow.com | tcp |
| US | 8.8.8.8:53 | 186.176.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | checkappexec.microsoft.com | udp |
| GB | 172.165.61.93:443 | checkappexec.microsoft.com | tcp |
| US | 8.8.8.8:53 | 93.61.165.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.249.124.192.in-addr.arpa | udp |
| US | 172.67.176.186:443 | downloadsparrow.com | tcp |
| US | 172.67.176.186:443 | downloadsparrow.com | tcp |
| US | 172.67.176.186:443 | downloadsparrow.com | tcp |
| US | 172.67.176.186:443 | downloadsparrow.com | tcp |
| US | 8.8.8.8:53 | 9.73.50.20.in-addr.arpa | udp |
| US | 172.67.176.186:443 | downloadsparrow.com | tcp |
| US | 172.67.176.186:443 | downloadsparrow.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\7zO0E374DF7\urls.txt
| MD5 | 77c013e4372e091f18185584b5041742 |
| SHA1 | b3928c0096d371eee2787132afa740ff9b97b081 |
| SHA256 | 2338a06a68f5f5d1ed3d89345a1f502cec63dbe2ee419fd83a7084f5eed4ae03 |
| SHA512 | 764f2d981eca850b36719c5dcec01f8bd2aa38bb6d9cca44cead32fac308e27af0be48048cfa53649fe5fd3436fb9d2856feb2b5c30efbcacf4fdf664ed130a7 |
C:\Users\Admin\AppData\Local\Temp\7zO0E3FECE9\bot_start.exe
| MD5 | eeab16ca43e01044c35b670866242328 |
| SHA1 | 00be20e05b74df73920276df6f57c72375531b85 |
| SHA256 | e04d2ce74f48f9c6cb8cea905e7f0f4e56b703d240cc1693ddaedf75a8a04bd3 |
| SHA512 | e77a4aa72ff23f63a35ac850dd48a8d73fa559f0d093ffbea836e0d5f6f73fd85487c4ffc019764c6eda62835864f3e3b176c7f9c0425d50b3b55b88a438e395 |
memory/4040-31-0x0000000000110000-0x000000000013C000-memory.dmp
memory/4040-32-0x0000000002520000-0x0000000002526000-memory.dmp
memory/4040-33-0x00000000045D0000-0x00000000045EE000-memory.dmp
memory/4040-34-0x0000000002530000-0x0000000002536000-memory.dmp
memory/4040-35-0x0000000008800000-0x000000000880A000-memory.dmp
C:\Users\Admin\Desktop\Readme.txt
| MD5 | 268fb99b4f4dfc6841629030004b9a7e |
| SHA1 | 15f694bf602b0991d85dc19dfbf03433cfaa1efa |
| SHA256 | 9ea1a34ad9759d3c22a65dbf470a55e789565d72fb6cfb28309d13fe287df7e5 |
| SHA512 | e19b7515b4c6526efa96ae1d6ef9476e2ae41139b15730e8cf098e3f446b369c656be0b1056ae0c07dca4ee01fe46da762f5660e82e36438ada868de5f58046a |
memory/4040-59-0x00000000051B0000-0x0000000005756000-memory.dmp
C:\Users\Admin\AppData\Roaming\VC_redistx64.exe
| MD5 | e71fadab9273ec97c7dc2b5272f9f724 |
| SHA1 | f9e53d160b7dafc3173602899f3d54bc5a57b67f |
| SHA256 | b6d21693e278a3ac5bb18d4f9ffb9d4c7eea46f0b7673b7b67141df3fa6f0688 |
| SHA512 | d1fddca0754a0795b7e375a9e346ea1cd0508448d78e835db15ec38860f6aee28633553e9fc3847552abeea6fca9405c92a67be5ef57714e6234f2616b6065ad |
memory/1240-71-0x00007FFA6F7B0000-0x00007FFA6F7B2000-memory.dmp
memory/1240-72-0x00007FF619940000-0x00007FF61ADB2000-memory.dmp
memory/1240-84-0x00007FF619940000-0x00007FF61ADB2000-memory.dmp
C:\Users\Admin\Desktop\search.txt
| MD5 | 3897c0a715ba928d950daceaf6f1efcb |
| SHA1 | e089bd2c2833fcef1c22b291f6f43dfbda6d4334 |
| SHA256 | f016b55631fd529b3c36ab5b619cbca4aeeabfa42180f541ec2a625a46f7298f |
| SHA512 | 7fa2c0efa45cebe6a869035be97eb72171778858b3abd2386a4114c9c2c3f2ccdedb2ed590e4b5b378fd54934566c5d5468876600d4958cc4fe135f8bfacb79a |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\bot_start.exe.log
| MD5 | 6257cf0ec1ffec35dff3e4398fec301c |
| SHA1 | 3f38053578645a794e61b0d74a38b4a0b712a5e9 |
| SHA256 | fde8b3a7d62382619da42f8c7b4cefbedfc08f6788a663831e8e4fc3d67b8703 |
| SHA512 | 169b7116fdf8759b5df0b1ff26de332bd6753d652cda1741cf97a37d50a4917fe9ba2fd6ef3b9e1076fdfce5bdc10371751dcd90ea01a570f8b07921330cef98 |
C:\Users\Admin\Desktop\killdrive.bat
| MD5 | 0e9d25e12331e23e5c20e0256b139361 |
| SHA1 | 34e8b8ba2b0b5d19efe0735269f5b09b283c7075 |
| SHA256 | 1083a21b34a0fc0fcce343213aac68161c9a04d7873ec5f7c8d8f4437b7f956f |
| SHA512 | da669a19d75062f6796dc61b5524b906434be4763674e31ad289f1cc84ff1fc0bf6cdbe4cf42890c708377a6f55fdad8402337e15162e89c616b32f2dbe7b315 |
C:\Users\Admin\Desktop\proxy_check.exe
| MD5 | d56922bbcc712e596f864d70a857f281 |
| SHA1 | b8e6e46003e0a2ea411cb07310db84c8629276d8 |
| SHA256 | c330ba9970db91edc3e2c9f8f889cfce2ab3dd32c6595cb00c0a5efa7bc826cf |
| SHA512 | 237a0a0fb012cf09fdddc7354c0ce92c89cc922ac475eacf0544f1f4322571cd09b0df7c9f4482c6c3b63193c2046f50d452055c01163a704eb77861371a4072 |
C:\Users\Admin\Desktop\temp\proxy_check\_MEI26762\python39.dll
| MD5 | 5871ae2a45d675ed9dd077c400018c30 |
| SHA1 | ddc03af9d433c3dfad8a193c50695139c59b4b58 |
| SHA256 | 5d0ff879174faec03eb173eb2088f2e7519f4663dd6bfe5b817ec602c389ae20 |
| SHA512 | d87a90dbf42c528bc3fa038eb83d4318d2e8577a590bf9c84641c573b5b2fea83aac91bb108968252e07497424ed85f519a864e955f94a7f8e87bfc38e0f4b7b |
C:\Users\Admin\Desktop\temp\proxy_check\_MEI26762\VCRUNTIME140.dll
| MD5 | a87575e7cf8967e481241f13940ee4f7 |
| SHA1 | 879098b8a353a39e16c79e6479195d43ce98629e |
| SHA256 | ded5adaa94341e6c62aea03845762591666381dca30eb7c17261dd154121b83e |
| SHA512 | e112f267ae4c9a592d0dd2a19b50187eb13e25f23ded74c2e6ccde458bcdaee99f4e3e0a00baf0e3362167ae7b7fe4f96ecbcd265cc584c1c3a4d1ac316e92f0 |
C:\Users\Admin\Desktop\temp\proxy_check\_MEI26762\base_library.zip
| MD5 | 9d026940a77d7eb386f79163c076a006 |
| SHA1 | 6c0a2048b4aac42d6e2bba660eea2049f081ae8d |
| SHA256 | ed180c1aa586c49a99ba13e9e0fe969922a68f917d1ac6de679ac245d582a9f0 |
| SHA512 | 655dcfbd707c66694ac196674566645ca167ba8438084df337a73adb163c720a123d07112730387dcd921ccfd1f19975f8728a1cf96a99f78133b478c8b432d9 |
C:\Users\Admin\Desktop\temp\proxy_check\_MEI26762\_ctypes.pyd
| MD5 | 22cf43eaca1f0745896ccd7e8910f9e4 |
| SHA1 | 3df4d9f7386a044943fdcea6665acc0a13ed9fce |
| SHA256 | aaf9f6487b618aeb15dfe7d77b3f0d58185718fd68631323e56392ddef1d000f |
| SHA512 | 2e6d1cfabda0f617cd3acef0a9255e4c56868e66a7545a36f2da441ea27a40a45450887a48e0164a542fec1d6ae59f2933c2b6d95a4ea5cf4d2c249a3e886e10 |
C:\Users\Admin\Desktop\temp\proxy_check\_MEI26762\libffi-7.dll
| MD5 | eef7981412be8ea459064d3090f4b3aa |
| SHA1 | c60da4830ce27afc234b3c3014c583f7f0a5a925 |
| SHA256 | f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081 |
| SHA512 | dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016 |
C:\Users\Admin\Desktop\temp\proxy_check\_MEI26762\python3.dll
| MD5 | 2ddd2ee635db86575c416f075c41ac8c |
| SHA1 | 99d03f524823059066995181ba21be29d90f2488 |
| SHA256 | be0b573bc6f005235354c246e1f9f626793687f50ad632feb2e767398f414fe3 |
| SHA512 | b84d4b3ca1298897cfafe195394ec6fdb51ed42ce0ca9ea0ab60dc2a8c31b2c865c4cc4fe0df3ffe1c813d21ca6013661e0cb83a91614472c7f6e3a7c78c1f06 |
C:\Users\Admin\Desktop\temp\proxy_check\_MEI26762\select.pyd
| MD5 | 0906200f02e2ee5eb3da08a64f10a69e |
| SHA1 | 5afcb2cc53a6d8ca85d1fe51389632b8b84d5194 |
| SHA256 | fb4fa3aed7a7955d4f78a3fbc2a6e6e1ab8d9e3768bb8b3f3a85866d1f2d74d5 |
| SHA512 | b69e9f7fdd77f776acd056cc8a2d8b34da76e1f30a50117b9aa6bf467a9ce7178407fc6b5e2126c0eea6f995ffa8ae94f92e0632c566fc39bab29ff278193cbc |
C:\Users\Admin\Desktop\temp\proxy_check\_MEI26762\libcrypto-1_1.dll
| MD5 | 63c756d74c729d6d24da2b8ef596a391 |
| SHA1 | 7610bb1cbf7a7fdb2246be55d8601af5f1e28a00 |
| SHA256 | 17d0f4c13c213d261427ee186545b13ef0c67a99fe7ad12cd4d7c9ec83034ac8 |
| SHA512 | d9cf045bb1b6379dd44f49405cb34acf8570aed88b684d0ab83af571d43a0d8df46d43460d3229098bd767dd6e0ef1d8d48bc90b9040a43b5469cef7177416a2 |
C:\Users\Admin\Desktop\temp\proxy_check\_MEI26762\libssl-1_1.dll
| MD5 | 86556da811797c5e168135360acac6f2 |
| SHA1 | 42d868fc25c490db60030ef77fba768374e7fe03 |
| SHA256 | a594fc6fa4851b3095279f6dc668272ee975e7e03b850da4945f49578abe48cb |
| SHA512 | 4ba4d6bfff563a3f9c139393da05321db160f5ae8340e17b82f46bcaf30cbcc828b2fc4a4f86080e4826f0048355118ef21a533def5e4c9d2496b98951344690 |
C:\Users\Admin\Desktop\temp\proxy_check\_MEI26762\_ssl.pyd
| MD5 | e7d8bbca8b419f220c8cd81b285cb4ae |
| SHA1 | c83d4e44704d46ddafb186526666bcf37aa927ea |
| SHA256 | 5e54983cb975784a358b2a02738d9db1296e0ab7aee1503277d3fdd8cf43e41c |
| SHA512 | 628107783757d52efdedd0a13ecbc9ef4c6422916104716c7dcb62bcb5beb735ca30ff990dee2916f752c4a643438c464cd6f5fb63c1366060a8b9ec52c45dbd |
C:\Users\Admin\Desktop\temp\proxy_check\_MEI26762\_queue.pyd
| MD5 | aac0035f5b5868a3e92df59f19e00773 |
| SHA1 | b3215c188385010af8519af0a66b9075644c4760 |
| SHA256 | 1ff1c01be25fd6797b263474c1c8df45107796a7e4d465e32a908d572d647b64 |
| SHA512 | a65975f3a1af79653a728aea801bc79de2274efcb5965f6433856c80f5584d16b46e339268068a3d5ca93216f0f3d81c7e79ac5a4eef2928dfeae0ed156d0b15 |
C:\Users\Admin\Desktop\temp\proxy_check\_MEI26762\_lzma.pyd
| MD5 | ecd60b380b7875d2521739e7acf365fc |
| SHA1 | 487ffde1f1a31f321a87658d22a1763624600304 |
| SHA256 | 1dcb9689a2a3eb1c2554caec217d4f6a10cf677701bcb6f762d6cc2111d14c4a |
| SHA512 | 37db64611f7098c08089b17a88db638ec329fa2b652689a3a7509566110afe8eca3ac5e047530d628503d713e15584ad376631576fa9d3e9efb4a1ca0c3c1709 |
C:\Users\Admin\Desktop\temp\proxy_check\_MEI26762\_bz2.pyd
| MD5 | c013236b137b64ff2f30dc0c2af56084 |
| SHA1 | 3d600c348794b3116c0d3230a40672be350142f7 |
| SHA256 | c435022d2cc868e26cde10e7749862ee8a177fced3289d49c3bc33af0c949d3f |
| SHA512 | 8fc14cafc32331af3f04257ea38d562d419c2c8c89ccaa8ace51593e708ec9cb27d9e1bd241bc717f929bd2d8c68aa78824af6b5adf1bde0e25812ec4de15852 |
C:\Users\Admin\Desktop\temp\proxy_check\_MEI26762\_socket.pyd
| MD5 | ac90b2535025c3d2d88632591b619b73 |
| SHA1 | eee7a2803412a7bb362bd64cba378cfb5808d42b |
| SHA256 | ed1d6e0aa8237e491dde3c3fdfa6f4df35585eadf4716473f98aa86aa0a910d9 |
| SHA512 | 5fa573e3e2f712925cfc48ec5809493ef43db5c6694d2e244bebe6b9d2ceecfa5979619730321fd2a88ad59bbd5eb2b70672045e5062748ecd53fd216d116202 |
C:\Users\Admin\Desktop\temp\proxy_check\_MEI26762\unicodedata.pyd
| MD5 | 814d6938da8e46d79b64326aa967a1a0 |
| SHA1 | 6d020c9ca51d7d4e77c197f5394d7e157482cea3 |
| SHA256 | 4059acb95b05b4536c983ebd232dc5aec00828914e61f31674b0fdf41656deb6 |
| SHA512 | f286b6e813bcd3ee9aad25f804689e3e8bbe13a41bb5715e49bcc1dc7ccae2f0c7595dbaabad806fea65825952e5e31d32ac9b31e583bf4b7cdf716ae6fa08d1 |
C:\Users\Admin\Desktop\temp\proxy_check\_MEI26762\_hashlib.pyd
| MD5 | 96bdc361b3127f01eefbf0b54dc2813a |
| SHA1 | f5900e228f6ccd1fe44a99a23cd27e6a71d2d88b |
| SHA256 | 95760d2f49b695cb0dc03720e2cdce34d1215285023f2bb7690f268e434c7871 |
| SHA512 | 6a9a481d130eef5a98b5d2b40ddca1d7aa83d7abb255368f3fdca85c395b0cd0711765143a6ec8f14696599cfd4876375449272f013969a59e7f26618a730b36 |
memory/2676-178-0x00007FF7FC370000-0x00007FF7FC3F4000-memory.dmp
memory/4548-179-0x00007FFA6F7B0000-0x00007FFA6F7B2000-memory.dmp
memory/4548-180-0x00007FF7DB300000-0x00007FF7DC772000-memory.dmp
memory/2780-183-0x00007FF7FC370000-0x00007FF7FC3F4000-memory.dmp
memory/756-198-0x00007FFA6F7B0000-0x00007FFA6F7B2000-memory.dmp
memory/756-199-0x00007FF7B2700000-0x00007FF7B3B72000-memory.dmp
memory/2780-204-0x00007FF7FC370000-0x00007FF7FC3F4000-memory.dmp
memory/2676-221-0x00007FF7FC370000-0x00007FF7FC3F4000-memory.dmp
memory/1644-240-0x00007FFA6F7B0000-0x00007FFA6F7B2000-memory.dmp
memory/1644-241-0x00007FF679480000-0x00007FF67A8F2000-memory.dmp
memory/1612-256-0x00007FFA6F7B0000-0x00007FFA6F7B2000-memory.dmp
memory/1612-257-0x00007FF686B10000-0x00007FF687F82000-memory.dmp
memory/972-280-0x00007FFA6F7B0000-0x00007FFA6F7B2000-memory.dmp
memory/972-281-0x00007FF73FFF0000-0x00007FF741462000-memory.dmp
C:\Users\Admin\Desktop\New folder
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |