Analysis Overview
SHA256
87f285bd4941a32b46d2eb58239900388e43341b41ffbdbdf90741729a926624
Threat Level: Known bad
The file 87f285bd4941a32b46d2eb58239900388e43341b41ffbdbdf90741729a926624.exe was found to be: Known bad.
Malicious Activity Summary
Exelastealer family
Exela Stealer
Grants admin privileges
Modifies Windows Firewall
Clipboard Data
Loads dropped DLL
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Network Service Discovery
UPX packed file
Enumerates processes with tasklist
Hide Artifacts: Hidden Files and Directories
Launches sc.exe
Unsigned PE
Browser Information Discovery
System Network Configuration Discovery: Wi-Fi Discovery
Detects Pyinstaller
System Network Connections Discovery
Event Triggered Execution: Netsh Helper DLL
Permission Groups Discovery: Local Groups
Kills process with taskkill
Scheduled Task/Job: Scheduled Task
Detects videocard installed
Runs net.exe
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Gathers network information
Uses Task Scheduler COM API
Gathers system information
Collects information from the system
Suspicious behavior: EnumeratesProcesses
Views/modifies file attributes
Analysis: static1
Detonation Overview
Reported
2024-11-15 15:46
Signatures
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-15 15:45
Reported
2024-11-15 15:48
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
152s
Command Line
Signatures
Exela Stealer
Exelastealer family
Grants admin privileges
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Clipboard Data
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Network Service Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\ARP.EXE | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Hide Artifacts: Hidden Files and Directories
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Browser Information Discovery
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
Permission Groups Discovery: Local Groups
System Network Configuration Discovery: Wi-Fi Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
System Network Connections Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NETSTAT.EXE | N/A |
Collects information from the system
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Detects videocard installed
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NETSTAT.EXE | N/A |
| N/A | N/A | C:\Windows\system32\ipconfig.exe | N/A |
Gathers system information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\systeminfo.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Runs net.exe
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 (SeIncreaseWorkingSetPrivilege) | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 (SeTimeZonePrivilege) | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 (SeCreateSymbolicLinkPrivilege) | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 (SeDelegateSessionUserImpersonatePrivilege) | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 (SeIncreaseWorkingSetPrivilege) | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 (SeTimeZonePrivilege) | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 (SeCreateSymbolicLinkPrivilege) | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 (SeDelegateSessionUserImpersonatePrivilege) | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 (SeIncreaseWorkingSetPrivilege) | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 (SeTimeZonePrivilege) | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 (SeCreateSymbolicLinkPrivilege) | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 (SeDelegateSessionUserImpersonatePrivilege) | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\87f285bd4941a32b46d2eb58239900388e43341b41ffbdbdf90741729a926624.exe
"C:\Users\Admin\AppData\Local\Temp\87f285bd4941a32b46d2eb58239900388e43341b41ffbdbdf90741729a926624.exe"
C:\Users\Admin\AppData\Local\Temp\87f285bd4941a32b46d2eb58239900388e43341b41ffbdbdf90741729a926624.exe
"C:\Users\Admin\AppData\Local\Temp\87f285bd4941a32b46d2eb58239900388e43341b41ffbdbdf90741729a926624.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM chrome.exe /T"
C:\Windows\system32\taskkill.exe
taskkill /F /IM chrome.exe /T
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "gdb --version"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist"
C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get Manufacturer
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"
C:\Windows\System32\Wbem\WMIC.exe
wmic path Win32_ComputerSystem get Manufacturer
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\IrisUpdateService\Iris.exe""
C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\IrisUpdateService\Iris.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "schtasks /query /TN "IrisUpdateService""
C:\Windows\system32\schtasks.exe
schtasks /query /TN "IrisUpdateService"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "schtasks /create /f /sc onlogon /rl highest /tn "IrisUpdateService" /tr "C:\Users\Admin\AppData\Local\IrisUpdateService\Iris.exe""
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "IrisUpdateService" /tr "C:\Users\Admin\AppData\Local\IrisUpdateService\Iris.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "schtasks /create /f /sc hourly /mo 1 /rl highest /tn "IrisUpdateService2" /tr "C:\Users\Admin\AppData\Local\IrisUpdateService\Iris.exe""
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc hourly /mo 1 /rl highest /tn "IrisUpdateService2" /tr "C:\Users\Admin\AppData\Local\IrisUpdateService\Iris.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist"
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Clipboard
C:\Windows\system32\cmd.exe
cmd.exe /c chcp
C:\Windows\system32\chcp.com
chcp
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\cmd.exe
cmd.exe /c chcp
C:\Windows\system32\chcp.com
chcp
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
C:\Windows\system32\systeminfo.exe
systeminfo
C:\Windows\system32\netsh.exe
netsh wlan show profiles
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
C:\Windows\system32\HOSTNAME.EXE
hostname
C:\Windows\System32\Wbem\WMIC.exe
wmic logicaldisk get caption,description,providername
C:\Windows\system32\net.exe
net user
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user
C:\Windows\system32\query.exe
query user
C:\Windows\system32\quser.exe
"C:\Windows\system32\quser.exe"
C:\Windows\system32\net.exe
net localgroup
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup
C:\Windows\system32\net.exe
net localgroup administrators
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup administrators
C:\Windows\system32\net.exe
net user guest
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user guest
C:\Windows\system32\net.exe
net user administrator
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user administrator
C:\Windows\System32\Wbem\WMIC.exe
wmic startup get caption,command
C:\Windows\system32\tasklist.exe
tasklist /svc
C:\Windows\system32\ipconfig.exe
ipconfig /all
C:\Windows\system32\ROUTE.EXE
route print
C:\Windows\system32\ARP.EXE
arp -a
C:\Windows\system32\NETSTAT.EXE
netstat -ano
C:\Windows\system32\sc.exe
sc query type= service state= all
C:\Windows\system32\netsh.exe
netsh firewall show state
C:\Windows\system32\netsh.exe
netsh firewall show config
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
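The process tree above is the most useful part of this report for detection engineering: one `cmd.exe /c` wrapper per command, a browser kill before credential theft, two `schtasks /create ... /rl highest` calls (the task is requested to run with the highest privileges available to the account) pointing at a file that `attrib +h +s` has just hidden, and a single long `&`-chained reconnaissance batch. The following is an added example, not code from the report or from the sample: it unwraps the `cmd.exe /c "..."` layers, splits the `&` chain into individual commands, maps each command to an ATT&CK technique (the IDs are this example's own mapping, the report uses its signature names instead), and pulls out the persistence artifacts (task names, task targets, hidden paths) a responder would need to remove. The command lines are a constructed subset copied from the tree above.

```python
import re
from collections import Counter

# Command lines from the process tree above (a constructed subset, copied as the report
# shows them; the paths are the sandbox's, not a production host's).
SAMPLE_CMDLINES = [
    r'C:\Windows\system32\cmd.exe /c "ver"',
    r'C:\Windows\system32\cmd.exe /c "taskkill /F /IM chrome.exe /T"',
    r'C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"',
    r'C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\IrisUpdateService\Iris.exe""',
    r'C:\Windows\system32\cmd.exe /c "schtasks /create /f /sc onlogon /rl highest /tn "IrisUpdateService" /tr "C:\Users\Admin\AppData\Local\IrisUpdateService\Iris.exe""',
    r'C:\Windows\system32\cmd.exe /c "schtasks /create /f /sc hourly /mo 1 /rl highest /tn "IrisUpdateService2" /tr "C:\Users\Admin\AppData\Local\IrisUpdateService\Iris.exe""',
    r'C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"',
    r'C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"',
    r'C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"',
    r'C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####User Info#### & net user & echo ####Local Group#### & net localgroup administrators & echo ####Netstat#### & netstat -ano & netsh firewall show state"',
]

# (label, pattern) rules; the ATT&CK IDs are this example's mapping, not the report's.
RULES = [
    ("T1053.005 Scheduled Task, run level highest",
     re.compile(r"\bschtasks\b.*/create\b.*/rl\s+highest\b", re.I)),
    ("T1564.001 Hidden Files and Directories (attrib +h)", re.compile(r"\battrib\b.*\+h\b", re.I)),
    ("T1115 Clipboard Data (Get-Clipboard)", re.compile(r"\bGet-Clipboard\b", re.I)),
    ("Browser process killed to unlock profile databases",
     re.compile(r"\btaskkill\b.*/IM\s+(?:chrome|msedge|firefox|brave|opera)\.exe", re.I)),
    ("T1082 System Information Discovery",
     re.compile(r"^(?:systeminfo|ver|hostname|set)\b|\bwmic\s+(?:csproduct|computersystem|logicaldisk|startup|path\s+win32_\w+)\b", re.I)),
    ("T1087.001 Local Account Discovery", re.compile(r"\bnet\s+user\b|\bquery\s+user\b", re.I)),
    ("T1069.001 Local Groups Discovery", re.compile(r"\bnet\s+localgroup\b", re.I)),
    ("T1016.002 Wi-Fi Discovery", re.compile(r"\bnetsh\s+wlan\s+show\s+profiles?\b", re.I)),
    ("T1049 System Network Connections Discovery", re.compile(r"\bnetstat\b", re.I)),
    ("T1016 System Network Configuration Discovery",
     re.compile(r"\b(?:ipconfig|route\s+print|arp\s+-a|netsh\s+firewall\s+show)\b", re.I)),
    ("T1057 Process Discovery", re.compile(r"\btasklist\b", re.I)),
    ("T1007 System Service Discovery", re.compile(r"\bsc\s+query\b", re.I)),
]

CMD_C = re.compile(r'^\s*(?:"[^"]*\\cmd\.exe"|\S*cmd\.exe)\s+/c\s+(.*)$', re.I | re.S)
SCHTASKS_TN = re.compile(r'/tn\s+(?:"([^"]+)"|(\S+))', re.I)
SCHTASKS_TR = re.compile(r'/tr\s+(?:"([^"]+)"|(\S+))', re.I)
ATTRIB = re.compile(r'\battrib\b((?:\s+[+-][a-z])+)\s+"?([^"]+?)"?\s*$', re.I)


def unwrap_cmd(cmdline):
    """Peel `cmd.exe /c "..."` wrappers (possibly nested) to get the command actually run."""
    current = cmdline.strip()
    for _ in range(4):  # bounded: cmd.exe /c cmd.exe /c ... chains are short
        m = CMD_C.match(current)
        if not m:
            break
        inner = m.group(1).strip()
        if len(inner) >= 2 and inner[0] == '"' and inner[-1] == '"':
            inner = inner[1:-1]  # the outer quote pair cmd removes in these invocations
        current = inner
    return current


def split_chain(cmdline):
    """Split an `a & b && c` chain into individual commands, dropping the `echo` banners."""
    parts = [p.strip() for p in re.split(r"\s*&&?\s*", unwrap_cmd(cmdline))]
    return [p for p in parts if p and not p.lower().startswith("echo ")]


def classify(command):
    """Return the rule labels matched by one command."""
    return [label for label, rx in RULES if rx.search(command)]


def triage(cmdlines):
    """Flatten the tree into commands, count techniques, and collect persistence artifacts."""
    commands, techniques, tasks, hidden = [], Counter(), [], []
    for cl in cmdlines:
        for cmd in split_chain(cl):
            commands.append(cmd)
            for label in classify(cmd):
                techniques[label] += 1
            if re.match(r"schtasks\s+/create", cmd, re.I):
                tn, tr = SCHTASKS_TN.search(cmd), SCHTASKS_TR.search(cmd)
                if tn and tr:
                    tasks.append((tn.group(1) or tn.group(2), tr.group(1) or tr.group(2)))
            m = ATTRIB.match(cmd)
            if m and "+h" in m.group(1).lower():
                hidden.append(m.group(2))
    return {"commands": commands, "techniques": dict(techniques),
            "scheduled_tasks": tasks, "hidden_paths": hidden}


if __name__ == "__main__":
    result = triage(SAMPLE_CMDLINES)
    for label, n in sorted(result["techniques"].items()):
        print(f"{n:2d}  {label}")
    print("tasks to delete:", result["scheduled_tasks"])
    print("hidden files:", result["hidden_paths"])
```

The split of the `&` chain is what makes the long batch line countable: a rule that keys on the parent `cmd.exe` command line alone sees one event, while the child processes (systeminfo, net1, NETSTAT, sc, netsh) each show up individually in process-creation telemetry, so a detection should count the burst of distinct discovery binaries under one parent rather than match any single one.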
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| N/A | 127.0.0.1:57635 | N/A | tcp |
| N/A | 127.0.0.1:57645 | N/A | tcp |
| N/A | 127.0.0.1:57651 | N/A | tcp |
| N/A | 127.0.0.1:57658 | N/A | tcp |
| N/A | 127.0.0.1:57660 | N/A | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 232.138.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.gofile.io | udp |
| FR | 45.112.123.126:443 | api.gofile.io | tcp |
| US | 8.8.8.8:53 | store1.gofile.io | udp |
| FR | 45.112.123.227:443 | store1.gofile.io | tcp |
| US | 8.8.8.8:53 | 126.123.112.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.123.112.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 162.159.138.232:443 | discord.com | tcp |
| N/A | 127.0.0.1:57977 | N/A | tcp |
| N/A | 127.0.0.1:57979 | N/A | tcp |
| FR | 45.112.123.126:443 | api.gofile.io | tcp |
| FR | 45.112.123.227:443 | store1.gofile.io | tcp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 11.179.89.13.in-addr.arpa | udp |
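Three kinds of rows in the Network table carry no external indicator: queries to the sandbox resolver (8.8.8.8:53), loopback sockets on 127.0.0.1, and the `in-addr.arpa` reverse lookups. The reverse lookups are still worth reading, because the octets reversed give the IP the VM talked to: `1.112.95.208.in-addr.arpa` is ip-api.com's 208.95.112.1 and `232.138.159.162.in-addr.arpa` is discord.com's 162.159.138.232, while most of the others have no matching TCP row and are most likely Windows background traffic that should not be copied into an IOC list. The following is an added example, not part of the report: it parses rows in the table's own format (a constructed subset is embedded), separates direct connections from resolver and loopback noise, decodes the PTR names, and tags the contacted services. The roles for discord.com and ip-api.com come from the report's signatures; the gofile.io role is an assumption based on the `store1` upload endpoint and its position after the discovery stage.

```python
import ipaddress
import re
from collections import defaultdict

# Rows copied from the Network table above (a constructed subset, same column order:
# Country | Destination | Domain | Proto). 8.8.8.8:53 is the sandbox's resolver.
NETWORK_ROWS = """
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| N/A | 127.0.0.1:57635 | N/A | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| FR | 45.112.123.126:443 | api.gofile.io | tcp |
| FR | 45.112.123.227:443 | store1.gofile.io | tcp |
| US | 8.8.8.8:53 | 126.123.112.45.in-addr.arpa | udp |
"""

# discord.com and ip-api.com roles are from the report's signatures; gofile.io is an
# assumption (upload endpoint name, contacted after discovery), not flagged by the report.
SERVICE_ROLE = {
    "ip-api.com": "external IP lookup (report: Looks up external IP address via web service)",
    "discord.com": "legitimate service used for C2/exfil (report: Legitimate hosting services abused)",
    "gofile.io": "file-hosting service, upload endpoint contacted (assumed exfil; not flagged by the report)",
}

ROW = re.compile(r"^\|\s*(?P<country>[^|]*?)\s*\|\s*(?P<dest>[^|]*?)\s*\|\s*(?P<domain>[^|]*?)\s*\|\s*(?P<proto>[^|]*?)\s*\|$")


def parse_rows(text):
    """Parse table rows into dicts; skips blank lines and a header row if present."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m or m.group("dest") in ("Destination", ""):
            continue
        ip, _, port = m.group("dest").rpartition(":")
        rows.append({"country": m.group("country"), "ip": ip, "port": int(port),
                     "domain": m.group("domain"), "proto": m.group("proto")})
    return rows


def ptr_to_ip(name):
    """Turn an IPv4 reverse-lookup name (d.c.b.a.in-addr.arpa) back into a.b.c.d, else None."""
    if not name.endswith(".in-addr.arpa"):
        return None
    octets = name[: -len(".in-addr.arpa")].split(".")
    return ".".join(reversed(octets)) if len(octets) == 4 else None


def role_for(domain):
    """Match a contacted hostname against SERVICE_ROLE by exact name or parent domain."""
    for suffix, role in SERVICE_ROLE.items():
        if domain == suffix or domain.endswith("." + suffix):
            return role
    return "unclassified"


def extract_iocs(rows, resolver="8.8.8.8"):
    """Separate real destinations from resolver/loopback noise and decode PTR lookups."""
    direct = defaultdict(set)  # domain -> {"ip:port"}
    dns_queries, ptr_ips = set(), set()
    for r in rows:
        try:
            addr = ipaddress.ip_address(r["ip"])
        except ValueError:
            continue
        if addr.is_loopback:
            continue  # sandbox-internal loopback sockets carry no external indicator
        if r["ip"] == resolver and r["port"] == 53:
            ip = ptr_to_ip(r["domain"])
            if ip:
                ptr_ips.add(ip)  # the VM talked to this IP whether or not a TCP row exists
            elif r["domain"] != "N/A":
                dns_queries.add(r["domain"])
            continue
        direct[r["domain"]].add(f"{r['ip']}:{r['port']}")
    direct_ips = {ep.rsplit(":", 1)[0] for eps in direct.values() for ep in eps}
    return {
        "direct": {d: sorted(eps) for d, eps in sorted(direct.items())},
        "roles": {d: role_for(d) for d in sorted(direct)},
        "dns_queries": sorted(dns_queries),
        # PTR lookups for IPs with no direct row: usually OS background traffic; verify
        # before treating them as indicators of the sample.
        "ptr_only": sorted(ptr_ips - direct_ips),
    }


if __name__ == "__main__":
    iocs = extract_iocs(parse_rows(NETWORK_ROWS))
    for domain, endpoints in iocs["direct"].items():
        print(f"{domain:18s} {', '.join(endpoints):24s} {iocs['roles'][domain]}")
    print("PTR-only IPs (verify):", iocs["ptr_only"])
```

Block the direct destinations only after deciding what to do about the shared infrastructure: 162.159.138.232 is a Cloudflare-fronted Discord address and 208.95.112.1 serves ip-api.com for every client, so a network block on those IPs has collateral effect, and the domains plus the preceding host-level behaviour are the stronger indicators.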
Files
C:\Users\Admin\AppData\Local\Temp\_MEI13962\ucrtbase.dll
| MD5 | 0e0bac3d1dcc1833eae4e3e4cf83c4ef |
| SHA1 | 4189f4459c54e69c6d3155a82524bda7549a75a6 |
| SHA256 | 8a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae |
| SHA512 | a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd |
C:\Users\Admin\AppData\Local\Temp\_MEI13962\python310.dll
| MD5 | b9d896d5f748793d3dc44be7b2e43ba7 |
| SHA1 | fb81bb8cfba3c5f2caffe0be3e17babf669de42a |
| SHA256 | 686dc3e3104a45f2a38821cd0c43c17d2e4b3f41a30de94fc7bebef3b882ac83 |
| SHA512 | 6835873e751851c3ea9bc53f744f27d89eb1f3bc4a6a88f36de93ac0be3e2eb151c4f57879a07d25dacde51720ca36dd12e390c80535bebd64c9e0390b691736 |
memory/3184-103-0x00007FFA20D50000-0x00007FFA211BE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI13962\VCRUNTIME140.dll
| MD5 | f12681a472b9dd04a812e16096514974 |
| SHA1 | 6fd102eb3e0b0e6eef08118d71f28702d1a9067c |
| SHA256 | d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8 |
| SHA512 | 7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2 |
C:\Users\Admin\AppData\Local\Temp\_MEI13962\base_library.zip
| MD5 | 6add86f741a99793b73392a9294eb1b2 |
| SHA1 | 7c5da35537ef33fedb8393f707013fbeb652b8b0 |
| SHA256 | 678adfe16f38c82850d8c9b498dd7d89f708fe37380108a02b5e54763bdf21bf |
| SHA512 | 77033b8a18612ed268bb63ceef6be02465269a66baa2c0901879bb1e25241473596473e1b446b1b093a3110298361cd3568955fb3022c19dcf0e7949a5625320 |
C:\Users\Admin\AppData\Local\Temp\_MEI13962\python3.DLL
| MD5 | 07bd9f1e651ad2409fd0b7d706be6071 |
| SHA1 | dfeb2221527474a681d6d8b16a5c378847c59d33 |
| SHA256 | 5d78cd1365ea9ae4e95872576cfa4055342f1e80b06f3051cf91d564b6cd09f5 |
| SHA512 | def31d2df95cb7999ce1f55479b2ff7a3cb70e9fc4778fc50803f688448305454fbbf82b5a75032f182dff663a6d91d303ef72e3d2ca9f2a1b032956ec1a0e2a |
C:\Users\Admin\AppData\Local\Temp\_MEI13962\_ctypes.pyd
| MD5 | b1e2c169b4d27363ba74cab4f80ef169 |
| SHA1 | 3a87101abe2935c91430146bdc0eeb243ab5a8bf |
| SHA256 | a8f521ef235c1590d3d717912479185602afa8d7ffbe6a8d719ee517339fcf52 |
| SHA512 | 6e2fea022a93468aa7300aaaa32a83ad71a8cfdc046a6b02a6973961b04b6a9870fd7f19457c657b4c1d15e8b101db357c0071e3c1492ecb170f1c62ddb87834 |
memory/3184-111-0x00007FFA34950000-0x00007FFA34974000-memory.dmp
memory/3184-113-0x00007FFA39B30000-0x00007FFA39B3F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI13962\libffi-7.dll
| MD5 | 8e1d2a11b94e84eaa382d6a680d93f17 |
| SHA1 | 07750d78022d387292525a7d8385687229795cf1 |
| SHA256 | 090a90cd17b74abefddf9f82d145effe5c676e7c62cf1a59834528f512d7ee82 |
| SHA512 | 213bf92a707b14211941e5e071f1926be4b5795babc6df0d168b623ecd6cb7c7e0ae4320369c51d75c75b38ec282b5bf77f15eb94018ae74c8fd14f328b45a4e |
C:\Users\Admin\AppData\Local\Temp\_MEI13962\_socket.pyd
| MD5 | 713f166fbaf2c758677129653c792fd7 |
| SHA1 | 12229626b4cfe1750c31c70115152c4d6ec1eba1 |
| SHA256 | 0d71adce0df6917b5836ba03f76df3deaa7b1aaa2cbd803a734884d1c1bb0059 |
| SHA512 | 4c9675632b4e2776bff8b558485a91bec5d08f5ff0deb55cd577bd95531cfa5883dc80bee39af86c4ec5a7ac818396c2c03a60341b9b02a1e8b521f80e660a98 |
C:\Users\Admin\AppData\Local\Temp\_MEI13962\select.pyd
| MD5 | 9d4a187b10cc415cee48d9408f687cef |
| SHA1 | fd8ac4cc6086658a48e5dea3de5a43b924b60df7 |
| SHA256 | 45c715f5ccf0da358855a7d3b01a166e34a82ce6244f7111ed4c81e4d12f2049 |
| SHA512 | 1c8b040cd4f38e16e9c061a0ce2eb76583266a7b514c325cc3fb728bdcf514ce5d12961011a8c2c860837e99af285fdbc5d9624c8e6f6fa02d2003200019356e |
memory/3184-119-0x00007FFA34DF0000-0x00007FFA34DFD000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI13962\_bz2.pyd
| MD5 | 3ac1ec2319523918a50f8ba33ffa4d2f |
| SHA1 | eb9aecb4402bed654a52013759ce9d5d69c33a5b |
| SHA256 | 4f22e9ce6f0232643cfdb9c35c4f3453ab73b103a4dbf633d445863f0251b134 |
| SHA512 | bffcd8bf09a61250b1957af2bd7c3b8b7c761997b7fa83235f48ab1779b7b27ae44b296458b3830d22d880f37e0c5d21a351d33a38c024f97631e87ad45dede2 |
C:\Users\Admin\AppData\Local\Temp\_MEI13962\sqlite3.dll
| MD5 | 709d45be5411647c1526235bec94c168 |
| SHA1 | 27c1597b7a0b7fc19e1f8efee41cb355b3e4212e |
| SHA256 | d45d561f4694055ff072349d86458155505598fa29080bbb7e9691b8509dcdb3 |
| SHA512 | 62aab6333a286df25148b2bde6a41d62f75e7b6da6acf2ef8ca892cbade1dd1daf91961ac52da31cccab415749a6349b2f51a89654846a4bc10b8df3f3086b24 |
memory/3184-131-0x00007FFA20A30000-0x00007FFA20B99000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI13962\_ssl.pyd
| MD5 | 92c1b0608e4aa51aa1bc4369559fdad8 |
| SHA1 | 5a57fe482100b694ff2b1fe4256f75c90669134c |
| SHA256 | b9cf399774fea53fe3fe7357c0df65a19315fc7f525fb96758ba8568360fa18d |
| SHA512 | c99c9f9f3f99cbc26e40cc832fe69b7d8ff2e611e5438b8bf5c549d88d138c6294e7d930ab4238b4e01d27cc71e723df1d97dee1dee0cd1880f4e294cf686270 |
C:\Users\Admin\AppData\Local\Temp\_MEI13962\libcrypto-1_1.dll
| MD5 | ef98f0bfd75bfca256dfdde36ab79c56 |
| SHA1 | db0c976dd286d6b4a046e19d669ea9366a8d6b0c |
| SHA256 | 17fded0a4337fc353a1a06f40bc7a4c4d6ae4e74a7d563f8bb7fa512daa82f99 |
| SHA512 | 27fa2e78c3153f4c1b824ddc8291af6f4eefd4754b7847917e84e096723c7947da1a8695120fe8071312d6e8963841a82813ea32559457fe9ffb37ff3f75b705 |
C:\Users\Admin\AppData\Local\Temp\_MEI13962\libssl-1_1.dll
| MD5 | 594f9b1d3f3f2217896a3d07f861d55a |
| SHA1 | a84a68606a65077258979d9a17b0ae2d83067939 |
| SHA256 | 1ed537c1c1db991ea9297be1e48b4c24d9ddd93ff8b277eea0f5bd228a4c92e2 |
| SHA512 | e61aaa93a4b4e820697a5b02f1aea3152544e5c2af2b5bbdfd86cd8267f69cd09f9321c4791bc81ff05cb2ee7aef57fc0ef1c5ed211c643419ded648f209358d |
memory/3184-134-0x00007FFA30C40000-0x00007FFA30C6E000-memory.dmp
memory/3184-144-0x00007FFA34950000-0x00007FFA34974000-memory.dmp
memory/3184-143-0x00007FFA206B0000-0x00007FFA20A27000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI13962\_overlapped.pyd
| MD5 | ff7cba7ce768f7f8c638be282f844f0e |
| SHA1 | 406126bad5813b2d09b1cbd17edc05aa5029c7e5 |
| SHA256 | ed9a6782039007f90422a5b981ce66deee0c581052c14e247446c924b09833fa |
| SHA512 | 04d71776010e0c1aab2dd0fdd06b4807739129b9df2d8081927be202d7861a048e92f8fc0162d237478fdb08b9580ef77552c8ece28ce48ea119f8c6c576a5d2 |
C:\Users\Admin\AppData\Local\Temp\_MEI13962\multidict\_multidict.cp310-win_amd64.pyd
| MD5 | 9781e6bfedeffddb3220de3e49632d4d |
| SHA1 | 06b13c4623888f0703c0e71d2773c5e9201b0374 |
| SHA256 | d0f937783eeadd70654685bd1b49cda9289896c3b719ec37874ac7fe1221e682 |
| SHA512 | 6b2b799f519699fcce94577a4c1aed0e155e8f56750557c24fbe30b10efa55d826e2358827cfb451753830394c5a841471082fda99729d66e0c785cf3cd18f82 |
memory/3184-151-0x00007FFA34DE0000-0x00007FFA34DF0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI13962\_hashlib.pyd
| MD5 | 484c70992d2102a7843540593dfc12e0 |
| SHA1 | 350144bd486f9648319dae5332a18ec4dd979f78 |
| SHA256 | 92b2ca8ae281a5559ce071756b392b0937b25ca531dbcba01395027b86a9889b |
| SHA512 | eaea83ec64bf3537302c52dee0b8d75526793543ea1d5396adfea5ab96c7b115d23aedceb7931756929bbd4893eda497dce19c926b6e36cbefa2355827e9404f |
C:\Users\Admin\AppData\Local\Temp\_MEI13962\unicodedata.pyd
| MD5 | 7fdbd3fc6609dec6ac6028513167502b |
| SHA1 | 7d031e081f45f70fe6cd1fc38ca602cd3172052c |
| SHA256 | 8713294d8edd6227fd31114d36033dee58f563b179ca274280e528c4bb085af0 |
| SHA512 | 7a97e8358acbffe14b3e657bad975bb1f4e262eb25bcc783cd4d369a47e29e7e3936548a12333fdb5bb5f1b9dfdd9e7ef6edfaae993107aa7683d9c2f965cee9 |
memory/3184-161-0x00007FFA20590000-0x00007FFA206A8000-memory.dmp
memory/3184-160-0x00007FFA30C70000-0x00007FFA30C9D000-memory.dmp
memory/3184-157-0x00007FFA30970000-0x00007FFA30984000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI13962\yarl\_quoting_c.cp310-win_amd64.pyd
| MD5 | fdc577588ffd0f939c02b236fde9fbae |
| SHA1 | 6e8c7a3456870a2bf2fabae861209aed29475498 |
| SHA256 | 2ed79904384fda527647ba6927abfed3062e7b83a308c41d2890685a19e6b883 |
| SHA512 | 3472bb46a90b620a181f73dd5d4b2258fe02a7db4144d22d8feeb8dad6f667940482cb285c77e0c1c7592e3468be4ed126a0caad76a3cfc1bb615c20fe77b7e3 |
memory/3184-165-0x00007FFA30950000-0x00007FFA3096C000-memory.dmp
memory/3184-164-0x00007FFA30E70000-0x00007FFA30E8F000-memory.dmp
memory/3184-156-0x00007FFA30990000-0x00007FFA309A4000-memory.dmp
memory/3184-150-0x00007FFA35880000-0x00007FFA35899000-memory.dmp
memory/3184-147-0x00007FFA30C20000-0x00007FFA30C35000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI13962\_asyncio.pyd
| MD5 | 223915a05f124498a473e1caab2d14ad |
| SHA1 | 62d7d236dc1db0adb4e9769597a3d18cc2de65e1 |
| SHA256 | 77306c7c5c9411db1846bc1b5ef70aef5e52999f2442f1e39a0901df320b6202 |
| SHA512 | ea162e1b4287d7cf3814b8eeee55884e838a4c81d0699093cbea09f73307a8ba50ccbb6405de002bdca8f7200e8ff5840c5f4d45d039e6401e262aa3ef0dbb2a |
memory/3184-142-0x000002AFECB40000-0x000002AFECEB7000-memory.dmp
memory/3184-141-0x00007FFA300C0000-0x00007FFA30177000-memory.dmp
memory/3184-169-0x00007FFA30930000-0x00007FFA30943000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI13962\MSVCP140.dll
| MD5 | 72f3d84384e888bf0d38852eb863026b |
| SHA1 | 8e6a0257591eb913ae7d0e975c56306b3f680b3f |
| SHA256 | a4c2229bdc2a2a630acdc095b4d86008e5c3e3bc7773174354f3da4f5beb9cde |
| SHA512 | 6d53634bc51bd383358e0d55988d70aee6ed3897bc6ae5e0d2413bed27ecff4c8092020682cd089859023b02d9a1858ac42e64d59c38ba90fbaf89b656c539a6 |
C:\Users\Admin\AppData\Local\Temp\_MEI13962\aiohttp\_http_parser.cp310-win_amd64.pyd
| MD5 | f3a43ee9a1cd3da4b1e8856832d37fb5 |
| SHA1 | e5b257f6b70f033ccc250d8063fa277d294578f6 |
| SHA256 | 5cd0986d4b79c7079bd472df2fb41dc2056fb3f7db6d6776d5fe5f883de45fe1 |
| SHA512 | 1bebd434cb40c9f21cd2ed99429010a7f307ce22822d34a21ceeb7df6566dd8ea056ccecab78be3e98f9e25515ff6bb16d61f3ae4e05734381ebf244ac995e64 |
memory/3184-190-0x00007FFA30AA0000-0x00007FFA30AAE000-memory.dmp
memory/3184-189-0x00007FFA30C20000-0x00007FFA30C35000-memory.dmp
memory/3184-188-0x00007FFA275F0000-0x00007FFA27631000-memory.dmp
memory/3184-193-0x00007FFA30070000-0x00007FFA3007A000-memory.dmp
memory/3184-200-0x00007FFA21860000-0x00007FFA21876000-memory.dmp
memory/3184-199-0x00007FFA20590000-0x00007FFA206A8000-memory.dmp
memory/3184-198-0x00007FFA21AB0000-0x00007FFA21AD5000-memory.dmp
memory/3184-201-0x00007FFA30950000-0x00007FFA3096C000-memory.dmp
memory/3184-202-0x00007FFA1F940000-0x00007FFA1FF9A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI13962\charset_normalizer\md__mypyc.cp310-win_amd64.pyd
| MD5 | 92f129c2699477b0db7087a02ccefca7 |
| SHA1 | 553753e30a0c6a92e8916b80d44053b2b85f11c9 |
| SHA256 | fef9870e40b5ca337ad325fd2dcb503bb550864df6656a35c8d734f00eec48ae |
| SHA512 | f4875e1842195b354a34c4ba919d57cafa36137e869e685e64514535bfcef63f3ced8f6bbb45dd7cae04a19ec0fc728cba75532d36348c893540653140881845 |
memory/3184-197-0x00007FFA2FF10000-0x00007FFA2FF1B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI13962\charset_normalizer\md.cp310-win_amd64.pyd
| MD5 | 7b305a0e94a78e72820fa4ddec303ad6 |
| SHA1 | c42ae66f78fc333849e500115d045604ad5bf1a0 |
| SHA256 | 7d69e30849fdbfbafb6d39e7a69568771b80be39e92fb184c63af0d089781592 |
| SHA512 | 5e8f029da7d9fd5d40ed3c64475b4c1239854fe5c63282872d884984c8554211472c6d901f12b0541aa081daf55787dc6e204d6f73faa2ea1d2d4f3879ae1556 |
memory/3184-204-0x00007FFA1F900000-0x00007FFA1F938000-memory.dmp
memory/3184-205-0x00007FFA1F8A0000-0x00007FFA1F8F1000-memory.dmp
memory/3184-203-0x00007FFA30930000-0x00007FFA30943000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI13962\_uuid.pyd
| MD5 | 8571d3c1ef8bb47ccdec7b9dab62626c |
| SHA1 | 6d1461e7042c18f5282ac284ab8b8c7c7bd72c80 |
| SHA256 | 9003cb2351efe9f0d392c413ee460d3f29ba70058aefaa018c2402a16d44de55 |
| SHA512 | dcbf20132a9382d2d0aea126badb038afd427c66368cfb2756f125864a3dd2b67b4f5f64fd86a1331fc73f49506318dfeb76f0344b155cca615c29e20f08727a |
memory/3184-215-0x00007FFA204B0000-0x00007FFA2058F000-memory.dmp
memory/3184-241-0x00007FFA2FF40000-0x00007FFA2FF4D000-memory.dmp
memory/2548-249-0x0000025FBD430000-0x0000025FBD452000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pltbztxe.zef.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3184-240-0x00007FFA275F0000-0x00007FFA27631000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI13962\aiohttp\_websocket.cp310-win_amd64.pyd
| MD5 | 7ea40c5cde77804709ca1652bbdf22c1 |
| SHA1 | 03813e28850f8205c09eaa2412d39227e6bede9b |
| SHA256 | 9dd0fb7690b61fa84713e8fe3ac5b9962124e9573073322508d9c6459eeb263c |
| SHA512 | 4a8ab360eca08065f3b4d2deb0b30be98ecd6ee1bec3e4a15b5cd6ee7ce95dd2b5786bbadb578226614fb5ed665bff8e579f7bc12ea90cb12188673b99f5d99c |
memory/3184-185-0x00007FFA206B0000-0x00007FFA20A27000-memory.dmp
memory/3184-182-0x00007FFA204B0000-0x00007FFA2058F000-memory.dmp
memory/3184-181-0x000002AFECB40000-0x000002AFECEB7000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI13962\VCRUNTIME140_1.dll
| MD5 | 75e78e4bf561031d39f86143753400ff |
| SHA1 | 324c2a99e39f8992459495182677e91656a05206 |
| SHA256 | 1758085a61527b427c4380f0c976d29a8bee889f2ac480c356a3f166433bf70e |
| SHA512 | ce4daf46bce44a89d21308c63e2de8b757a23be2630360209c4a25eb13f1f66a04fbb0a124761a33bbf34496f2f2a02b8df159b4b62f1b6241e1dbfb0e5d9756 |
memory/3184-178-0x00007FFA300C0000-0x00007FFA30177000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI13962\_brotli.cp310-win_amd64.pyd
| MD5 | 50ca8b574270390ae93fbe452c852555 |
| SHA1 | 1d8dcfe22835a3d92cf63fae6c25e2b4f01b8610 |
| SHA256 | f1d8c9316751c9550aadd94a8ee4bdbb55e143ce967d293f82f1f3cd84e91284 |
| SHA512 | 9c1986adefd2dc2ee8a6c7ac76de78545d27bbea41d156c3f9fff032313bcf737c9ee98360c762b57987a9477d00179786894ed3689f3adc34dda7168e4a4747 |
memory/3184-174-0x00007FFA30910000-0x00007FFA30925000-memory.dmp
memory/3184-173-0x00007FFA30C40000-0x00007FFA30C6E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI13962\aiohttp\_http_writer.cp310-win_amd64.pyd
| MD5 | a4c8dd79a38b8fadecf723c204935ffe |
| SHA1 | 3d71c55aa83c89694204bfd0aade8dc60e0f84f8 |
| SHA256 | 02b68eafcfe40db926f671bafa01db9a691b178103b06377ffa3d1d5df3b1530 |
| SHA512 | d573340437a7b9d4634eca845da94244bb463005e1bb049b4c7753610f4624679ebdff0b80320d416d4363f7e387e8789345d4df8cd5a707fe5eaad588196c73 |
memory/3184-168-0x00007FFA20A30000-0x00007FFA20B99000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI13962\aiohttp\_helpers.cp310-win_amd64.pyd
| MD5 | f7e02ab5fdaceb53d35ce588d1eaa264 |
| SHA1 | 390485a21881334894e63f5a4843c552518fb75c |
| SHA256 | e781d6205149306f4aa80a11ad8c654b7572bfaf0cc5517f2b2daef0ac016229 |
| SHA512 | 4c015d21f33b6fee07d24d060c02ece75aec4bbbffa4a490b2961d92e1ae821f142ee6a32d13c491acef927c14d511112bdfc0412c800b81394d530a9518cbc7 |
memory/3184-140-0x00007FFA20D50000-0x00007FFA211BE000-memory.dmp
memory/3184-129-0x00007FFA30E70000-0x00007FFA30E8F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI13962\_sqlite3.pyd
| MD5 | 42dbc994bc3000b1dd46579ef47afc64 |
| SHA1 | 6356883c4219cf3f485b0ccde32a24d9adcedc95 |
| SHA256 | aed5d832a89528ecb203775cd2ee413c8c7895857ff30403b341fe0a8331efc9 |
| SHA512 | 1999d1f3115d2656fb26488eae9525c41aaa4f94a029e337e5f34edaec53a7dd2d714025987191eca519ea7183682c908bcd18142df46a0d4d2c0176894f4c85 |
memory/3184-125-0x00007FFA30C70000-0x00007FFA30C9D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI13962\_lzma.pyd
| MD5 | d5f861984f70e876bb113c9a996493d1 |
| SHA1 | 66868d0a65ee23ef22af34c103220b759bbbfe05 |
| SHA256 | ac55608d663cc5e5ef0d430d1bf98b9d1688ce9c12e8491f4921f452399b6725 |
| SHA512 | 386859aa0ff6322d385487713912fdfe5432f0670fa70987bdf22f14ef8b1d05f336af80b7db3cc05588c045d2bd4e44bbdae95e82f10581e5f43ca39963160f |
memory/3184-123-0x00007FFA30E90000-0x00007FFA30EA9000-memory.dmp
memory/3184-116-0x00007FFA35880000-0x00007FFA35899000-memory.dmp
memory/3184-258-0x00007FFA30070000-0x00007FFA3007A000-memory.dmp
memory/3184-267-0x00007FFA1F940000-0x00007FFA1FF9A000-memory.dmp
memory/3184-299-0x00007FFA1F900000-0x00007FFA1F938000-memory.dmp
memory/3184-289-0x00007FFA275F0000-0x00007FFA27631000-memory.dmp
memory/3184-287-0x00007FFA30910000-0x00007FFA30925000-memory.dmp
memory/3184-286-0x00007FFA30930000-0x00007FFA30943000-memory.dmp
memory/3184-285-0x00007FFA30950000-0x00007FFA3096C000-memory.dmp
memory/3184-281-0x00007FFA34DE0000-0x00007FFA34DF0000-memory.dmp
memory/3184-280-0x00007FFA30C20000-0x00007FFA30C35000-memory.dmp
memory/3184-276-0x00007FFA20A30000-0x00007FFA20B99000-memory.dmp
memory/3184-268-0x00007FFA20D50000-0x00007FFA211BE000-memory.dmp
memory/3184-297-0x00007FFA1F8A0000-0x00007FFA1F8F1000-memory.dmp
memory/3184-275-0x00007FFA30E70000-0x00007FFA30E8F000-memory.dmp
memory/3184-269-0x00007FFA34950000-0x00007FFA34974000-memory.dmp
memory/3184-319-0x00007FFA30950000-0x00007FFA3096C000-memory.dmp
memory/3184-314-0x00007FFA30C20000-0x00007FFA30C35000-memory.dmp
memory/3184-321-0x00007FFA30910000-0x00007FFA30925000-memory.dmp
memory/3184-313-0x00007FFA206B0000-0x00007FFA20A27000-memory.dmp
memory/3184-312-0x00007FFA300C0000-0x00007FFA30177000-memory.dmp
memory/3184-311-0x00007FFA30C40000-0x00007FFA30C6E000-memory.dmp
memory/3184-302-0x00007FFA20D50000-0x00007FFA211BE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\StealedFilesByIris\Desktop\BackupStop.css
| MD5 | 646c671cafbabeab4c6edc03afeb658f |
| SHA1 | 1c5c806d759bf3e6b4ea4d9732b2966351037319 |
| SHA256 | 47359f18516d51eb5c466993054780d2e5f896b21d5a2196e33e9ac7795fd639 |
| SHA512 | f173f98d24b8a54413764b04bdd13386410e6c0d3e7d98fbe9eff382e1b2e07c987bb99adb8fba054c045402be4078bd4908e87df559abebf71213d388ad01bf |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByIris\Desktop\ConvertFromWrite.xlsx
| MD5 | 394170569de087c4ee7b60d2a07b244e |
| SHA1 | 4fa48131b2168d21ad4eaa7aa4f16f603f22c10c |
| SHA256 | 54e429c32a120d5a1e1daa934ec08de6f8c0a79b59a55643b5a16b393451c2d2 |
| SHA512 | a53959f978bb10db53ce0f0147ff1b63a5baa5b745c341ced715b0be0efbeb665163d4eed350a96bead7ec92a058fe5777b0b2d4d8ec9efdedafe1ba93668043 |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByIris\Desktop\NewConnect.png
| MD5 | eaf6835d265bb8d9d45f46da14d53baa |
| SHA1 | b4d3cafeedc411a9ea018407371e41e198b82df2 |
| SHA256 | d919f8f417c90a3241536eeb347879aa680390788f5fdce91bfab2b30cbc96b4 |
| SHA512 | 25506a5806e707ab1cc5f3ff4ef76a4ccfb1d62d197f0eb72c70c3477da01647a3532443b6d2e1a50db9922ea3e13aa0af4db715f8d5722bded551175761c940 |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByIris\Desktop\ReceiveMeasure.xlsx
| MD5 | a54d2a6353e73516770ede279a0b81ac |
| SHA1 | 901dbb3a55249f2319c22c2d271cd8609a2e7109 |
| SHA256 | 9ef7bca0e1478096e0d96e4e059d0f4debea6df5e05371b967ecf52dcab342a6 |
| SHA512 | 55478c15d5fa2d3cb292532ce28d8ba5f8ad1386bead8d9ba9b4be76aed087ac5591abad9d50726bced3aa0b24f1ee5196ef89c79ed9b15c349d72ee561057ce |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByIris\Desktop\ResizeConvertFrom.xlsx
| MD5 | ef1eb7118f3d69717d9dd262f68df671 |
| SHA1 | 515888eb39cb63c9796ff78ba445b060165cd140 |
| SHA256 | 26b0ff9dce77ce7fbf60c737b8b870433800fa38d8b163fa4d3615113d410499 |
| SHA512 | 388fbbbfc9f760cbb94ea511eed204faa8c40f4142a55b4e5464c2e7e0a14cfbbacb2240211b7764242406e317799a3231658c052b922375a6826edccf69c33d |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByIris\Desktop\ShowPush.jpeg
| MD5 | 1fee2d741987b3774dec824177d2f50d |
| SHA1 | 3aff0361e067258061c948d2d6c0e7fda0381190 |
| SHA256 | d872d4bd8293d4064e6f2768123e9ee33c3870ecf31c2646a50909c820d6030b |
| SHA512 | abc3e739976e7d53119257edad247197f31c46f086c493010326813ac95a6c2f3d3f84d8f124db0a911f5c443dcd3c94b429ccadf56a12b44085b9d41f4dcb8a |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByIris\Desktop\ShowStep.doc
| MD5 | c299a215e2ba9af53257e8ec2cd1e7db |
| SHA1 | 7aea6d6dae4c2fcae4330c84beab24cf9baf0b99 |
| SHA256 | 4215d6276f7a5fe2ca92bee7574c3ad614465f42006c82fd70d7faae9e803cc8 |
| SHA512 | 2f50a735d5df80369e788c4a5d08f1ce39079ce0f21d2bdf568209fa43ec2a8266268a11887c5ffa9ddfd233b459cf4e605fefeefe252aad9f07c0ccfdd9e00f |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByIris\Documents\UpdateSave.xls
| MD5 | f3f17623f0b95ac033c8cccc593590bd |
| SHA1 | e76a4617973ba4d7b18cf3bb8dead3cdf3975ea9 |
| SHA256 | c6cfbe23dee924f2ee10ccfab106e5ae19d07a4ee081a208118ec691108e1fa9 |
| SHA512 | c41e27d4069636f063c9263dd2a275dcf4541582132548e687ef407d1aab40ce8921500302059c05ce9039c0f69e6d030945d7e2d33cb47ee007a537f944e4fe |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByIris\Downloads\RenameBackup.odt
| MD5 | 876107a50193502d846f946b1f869242 |
| SHA1 | cb56e5baf85f9ddbf712988ad663f23076c457d7 |
| SHA256 | 240aaf04e79ed1af89521134469e77db45762d8309f784cdb1d8ab2b520fc796 |
| SHA512 | 3fea75560e7814c0fd033b9c6e72f8ebfab97e845b384e8cc5b9709022c160aa31eb4016489c5f427e4da1e5910e071561f6ab32d48cd0a6407c738029fc9abc |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByIris\Music\ExitCopy.mp3
| MD5 | 20cdf3318f6fa1454d11ead1f464dcb0 |
| SHA1 | 31da9e102c36b14d795042f2b774113a4aed4327 |
| SHA256 | fdcdc38b4c6d3115b5ae9535abb8f62d32cc00caa0d8b5b8687d286632c487f2 |
| SHA512 | e1c48ff071a3261b4dfcf24dc00a43e905c6c1fab484519d3a07e5a7d9fc0d19190f4ea4c63ff19d537090a0ea0a30c375ed24970dba1d3f4c03b7856018ad96 |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByIris\Music\BackupFormat.TS
| MD5 | a644feebd2deab59ba64ff408fb65a46 |
| SHA1 | 798e61c373f6cf2778bada73989f512bdf5e9c03 |
| SHA256 | 8b5bbce36f4d0bc8434b84b1cde8a72723cfe758685aad37cd61aa5a2cf191d6 |
| SHA512 | 0b1fb5cc39c649f02704be413f38cbee9534d4589929db5c575d35502daed4e4414fc59fe90ce79833514f7125d1d479599db38f5162f1390e8e8b1e1980afbc |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByIris\Pictures\BackupConnect.eps
| MD5 | 6fbb38d63709d680d8c53d1a3a98af6d |
| SHA1 | 574f342d0245deb6e12ea5eabde4109afd733665 |
| SHA256 | 04afd6535daef9f111cf95ad8efc45533fb05cb4c68c40ade2a0e1b8c21ff584 |
| SHA512 | d4e7ac74424c7e07580433babb90c8d6f8ef23638c7a61d97dab3533803f9976cef6ea168c7c6e58558f4b84ca207446fe7b490037fccacadd20194a872e89f2 |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByIris\Music\StepSet.xls
| MD5 | 55f8b8c05c0738330a8b0defed6eafd9 |
| SHA1 | 12de6862d0c051b1dc361c708375965849cb98df |
| SHA256 | 794f28bad59b4605ba6058c2a60da0a8e9a2536ba07d45f1f3065d08d5a2cc72 |
| SHA512 | 4616b9515355763992fa52d7638b5d27bc7c0e07fc986112fc5d307b289ddd76acb0dc6e36c44c9dbfabc972cfd7d1566ebb7df0ee641d91a08d21cd1e0e7172 |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByIris\Music\RequestBackup.wm
| MD5 | 963af91c2a52f76534563e51837fb084 |
| SHA1 | 4b6961f86f1946fe664ce61edd53647b9868ef7a |
| SHA256 | 8326b8706edfe8b7cbf83efb3ea7d2c2e72d98e0c07752135e4b4bf34dba5c83 |
| SHA512 | 8c815767364b7025f64e6dd4f799a16f8b98a8494cb08e24ab994bfe38a089db8eb7c03454329800e3719e416eaa6dda0e3e8cf38de873c75078b1182de0fc91 |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByIris\Downloads\ApproveRename.docx
| MD5 | 1e3cae0aacd743fc01d3300e0e8eb413 |
| SHA1 | 86ed4e652e5f316e3cea854e54dabbcf29953f84 |
| SHA256 | 0e520ec0476d28801a5d38a6f65413d09725360f0286ae29043c37519a9998cd |
| SHA512 | af87411f90272c72384582f4377f0dacc650983b3683fcfdc018894b982c54ce5058ce3e60146a8a09c580c40599713dc125368bace367fd97d67efe4b880ffb |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByIris\Documents\SplitPop.xls
| MD5 | b5d5107fdd36b43577f15016354ab352 |
| SHA1 | facbbea72e2d0d5d72c77e0a805686afced0932c |
| SHA256 | a72a4c12296c47edb7528b31dba95dc4ffe42369309f349aad65c24f185db466 |
| SHA512 | cb61628dc86e79fb8c55df00c689a93de8ecfb84e355e0eb975dec1540ac85cce3db1c976c88de71e56ca9192d4773bffc0feccc8ef85e5c2ac3f723cb1dc139 |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByIris\Documents\ResumePing.xlsx
| MD5 | 898725503bb553dd995a7a1be46b560d |
| SHA1 | a514a4d7664edd074edad54ba8b0efb9b8793662 |
| SHA256 | 30d9a85674238c4428ce4f7c51da6578df4f422ec478ca57fbae583d273bffb7 |
| SHA512 | 4e9a09c98ba7d3b705f536e066effd6734e9e084e8960f068077f3b1bbd28ee4cc409a9e64100990e71a1fe8784e7529997ee8c0a741f6beb2c22c8bdc8cec63 |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByIris\Documents\ResetLimit.xlsx
| MD5 | 2410039d9e40536b1c4cafce3eb7bbb5 |
| SHA1 | 3efe4fdb275af5af67aa2822267d02978bfe35f0 |
| SHA256 | b5a7ff12b193cf8416d3b4b8df62cb222348edfd5a35412691daf81c700d9d4a |
| SHA512 | f33c4b2db41c13ec7167127538d3a685a45cf089ed6af41e75b88138760acc71f364eb608e9595d50a6e52b6aa36a6d5fe84b4df594bd829482b7746b94bf5dc |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByIris\Documents\DismountUnblock.xlsx
| MD5 | 40e61772a975f4e2963f30fe74011c05 |
| SHA1 | 6da81afd202dca46c9a568494b00aa728ba19452 |
| SHA256 | f6c001f3e738b2467eed1507ccd9a826557346de6401be3084dd975e62c7fb18 |
| SHA512 | 8abb0678120a1c40085f1cb798a20248e11ab3165148ff87deb415026ca47f9aa90ed5126222e010a318939b6c57ac349644b2806a2623a2db3ec4cfcdaad972 |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByIris\Pictures\CompleteProtect.jpg
| MD5 | 3ee16bf61874bde9f309343cef3ce12d |
| SHA1 | 286a068b31cac224f4454fae4b6f4ca34d7134d6 |
| SHA256 | 5e1baf76457cbb3d18c78fccd6be585df7e2725fb7da274616435a10d7e9470a |
| SHA512 | 667ff42168040c18a7599202639bf97ca09c7f3310e231896fa98642ca8707f8c6e70cc8c2ac9a7c83de9cd1a32b023f0a2dfe81216c3b150dc56c5b09b272d0 |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByIris\Pictures\ConfirmUnpublish.png
| MD5 | b3d313e16a1a225a10dddf8aff6b0a4f |
| SHA1 | 2c97397a02dd2c3f0020d1f2be08fb837c4bd460 |
| SHA256 | eea075f884a3af745853845e32121ecae3af5601f006ff1e8ccfd0f7c19903be |
| SHA512 | 1b8e1b2e8260040e52a081849ecf1716d0e9e68da06116fa698e4bcf8ddebf89e1b016a43aa45f5cad2055c246c36246007a9d1b8615987b35191add81cecdbb |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByIris\Pictures\DenyShow.png
| MD5 | a4ace2b06265292acd915fa2da4ca0cb |
| SHA1 | f3377f7d07048f7dff26028bbb6e667b13093655 |
| SHA256 | 505aeb1412e8bb284b1cebcec68fef03d8edfafa084d6450e6ac83370d852190 |
| SHA512 | e9291e1f5ea58fb2c0bc38c7b1d607cde28690342cb5baf2fb06175269fb2ecd7f45d8c48b9f08b4ecaece921aba865fb4da0b34cbd350457519bc1ed3a637b1 |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByIris\Pictures\StepReceive.jpg
| MD5 | b69aab45daefb584281ded755e74526d |
| SHA1 | 2e16dd00ab41787bc42b0d40ec994062095e143b |
| SHA256 | 90608b73d683163c499a468f0c4a2fb1542870e9fc6be6700f937156ee2e34db |
| SHA512 | 033e41e4c849f61ab676d1f8d15332df6ff3a466b3aeab04898fa15d0b7fc8520f61282ae802f29352862d7229562a35615ff8b69df8b7c2441d46e534a870f4 |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByIris\Pictures\UnpublishEdit.png
| MD5 | 43af91ff335d78f8cd0d07c6b2e8e1c7 |
| SHA1 | a2667462c1228872fa5c3c0c2931d993e4a57d9c |
| SHA256 | 31cf01c9f30621345b6f05cc5f71f38ce0b6cd379183d74b410e3e4520dc419f |
| SHA512 | c9ef07436983566f1ed5a6963da67e3df979bf0e13e25fd06015175dc91e9b6dfc9c0d8b7a862a095bab28cc0753a86ec9454a30a894eb2f087dbc4804826327 |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByIris\Pictures\My Wallpaper.jpg
| MD5 | a51464e41d75b2aa2b00ca31ea2ce7eb |
| SHA1 | 5b94362ac6a23c5aba706e8bfd11a5d8bab6097d |
| SHA256 | 16d5506b6663085b1acd80644ffa5363c158e390da67ed31298b85ddf0ad353f |
| SHA512 | b2a09d52c211e7100e3e68d88c13394c64f23bf2ec3ca25b109ffb1e1a96a054f0e0d25d2f2a0c2145616eabc88c51d63023cef5faa7b49129d020f67ab0b1ff |
memory/3184-792-0x00007FFA206B0000-0x00007FFA20A27000-memory.dmp
memory/3184-799-0x00007FFA30E70000-0x00007FFA30E8F000-memory.dmp
memory/3184-802-0x00007FFA300C0000-0x00007FFA30177000-memory.dmp
memory/3184-801-0x00007FFA30C40000-0x00007FFA30C6E000-memory.dmp
memory/3184-812-0x00007FFA204B0000-0x00007FFA2058F000-memory.dmp
memory/3184-822-0x00007FFA2FF40000-0x00007FFA2FF4D000-memory.dmp
memory/3184-821-0x00007FFA1F8A0000-0x00007FFA1F8F1000-memory.dmp
memory/3184-820-0x00007FFA1F900000-0x00007FFA1F938000-memory.dmp
memory/3184-819-0x00007FFA1F940000-0x00007FFA1FF9A000-memory.dmp
memory/3184-818-0x00007FFA21860000-0x00007FFA21876000-memory.dmp
memory/3184-817-0x00007FFA21AB0000-0x00007FFA21AD5000-memory.dmp
memory/3184-816-0x00007FFA2FF10000-0x00007FFA2FF1B000-memory.dmp
memory/3184-815-0x00007FFA30070000-0x00007FFA3007A000-memory.dmp
memory/3184-814-0x00007FFA30910000-0x00007FFA30925000-memory.dmp
memory/3184-813-0x00007FFA275F0000-0x00007FFA27631000-memory.dmp
memory/3184-811-0x00007FFA30AA0000-0x00007FFA30AAE000-memory.dmp
memory/3184-810-0x00007FFA30930000-0x00007FFA30943000-memory.dmp
memory/3184-809-0x00007FFA30950000-0x00007FFA3096C000-memory.dmp
memory/3184-808-0x00007FFA20590000-0x00007FFA206A8000-memory.dmp
memory/3184-807-0x00007FFA30990000-0x00007FFA309A4000-memory.dmp
memory/3184-806-0x00007FFA30970000-0x00007FFA30984000-memory.dmp
memory/3184-805-0x00007FFA34DE0000-0x00007FFA34DF0000-memory.dmp
memory/3184-804-0x00007FFA30C20000-0x00007FFA30C35000-memory.dmp
memory/3184-803-0x00007FFA20D50000-0x00007FFA211BE000-memory.dmp
memory/3184-800-0x00007FFA20A30000-0x00007FFA20B99000-memory.dmp
memory/3184-798-0x00007FFA30C70000-0x00007FFA30C9D000-memory.dmp
memory/3184-797-0x00007FFA30E90000-0x00007FFA30EA9000-memory.dmp
memory/3184-796-0x00007FFA34DF0000-0x00007FFA34DFD000-memory.dmp
memory/3184-795-0x00007FFA35880000-0x00007FFA35899000-memory.dmp
memory/3184-794-0x00007FFA39B30000-0x00007FFA39B3F000-memory.dmp
memory/3184-793-0x00007FFA34950000-0x00007FFA34974000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-15 15:45
Reported
2024-11-15 15:48
Platform
win7-20240729-en
Max time kernel
16s
Max time network
17s
Command Line
Signatures
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2540 wrote to memory of 2232 | N/A | C:\Users\Admin\AppData\Local\Temp\87f285bd4941a32b46d2eb58239900388e43341b41ffbdbdf90741729a926624.exe | C:\Users\Admin\AppData\Local\Temp\87f285bd4941a32b46d2eb58239900388e43341b41ffbdbdf90741729a926624.exe |
| PID 2540 wrote to memory of 2232 | N/A | C:\Users\Admin\AppData\Local\Temp\87f285bd4941a32b46d2eb58239900388e43341b41ffbdbdf90741729a926624.exe | C:\Users\Admin\AppData\Local\Temp\87f285bd4941a32b46d2eb58239900388e43341b41ffbdbdf90741729a926624.exe |
| PID 2540 wrote to memory of 2232 | N/A | C:\Users\Admin\AppData\Local\Temp\87f285bd4941a32b46d2eb58239900388e43341b41ffbdbdf90741729a926624.exe | C:\Users\Admin\AppData\Local\Temp\87f285bd4941a32b46d2eb58239900388e43341b41ffbdbdf90741729a926624.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\87f285bd4941a32b46d2eb58239900388e43341b41ffbdbdf90741729a926624.exe
"C:\Users\Admin\AppData\Local\Temp\87f285bd4941a32b46d2eb58239900388e43341b41ffbdbdf90741729a926624.exe"
C:\Users\Admin\AppData\Local\Temp\87f285bd4941a32b46d2eb58239900388e43341b41ffbdbdf90741729a926624.exe
"C:\Users\Admin\AppData\Local\Temp\87f285bd4941a32b46d2eb58239900388e43341b41ffbdbdf90741729a926624.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\_MEI25402\ucrtbase.dll
| MD5 | 0e0bac3d1dcc1833eae4e3e4cf83c4ef |
| SHA1 | 4189f4459c54e69c6d3155a82524bda7549a75a6 |
| SHA256 | 8a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae |
| SHA512 | a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd |
C:\Users\Admin\AppData\Local\Temp\_MEI25402\api-ms-win-core-localization-l1-2-0.dll
| MD5 | 724223109e49cb01d61d63a8be926b8f |
| SHA1 | 072a4d01e01dbbab7281d9bd3add76f9a3c8b23b |
| SHA256 | 4e975f618df01a492ae433dff0dd713774d47568e44c377ceef9e5b34aad1210 |
| SHA512 | 19b0065b894dc66c30a602c9464f118e7f84d83010e74457d48e93aaca4422812b093b15247b24d5c398b42ef0319108700543d13f156067b169ccfb4d7b6b7c |
C:\Users\Admin\AppData\Local\Temp\_MEI25402\api-ms-win-core-file-l1-2-0.dll
| MD5 | 1c58526d681efe507deb8f1935c75487 |
| SHA1 | 0e6d328faf3563f2aae029bc5f2272fb7a742672 |
| SHA256 | ef13dce8f71173315dfc64ab839b033ab19a968ee15230e9d4d2c9d558efeee2 |
| SHA512 | 8edb9a0022f417648e2ece9e22c96e2727976332025c3e7d8f15bcf6d7d97e680d1bf008eb28e2e0bd57787dcbb71d38b2deb995b8edc35fa6852ab1d593f3d1 |
\Users\Admin\AppData\Local\Temp\_MEI25402\api-ms-win-core-processthreads-l1-1-1.dll
| MD5 | 517eb9e2cb671ae49f99173d7f7ce43f |
| SHA1 | 4ccf38fed56166ddbf0b7efb4f5314c1f7d3b7ab |
| SHA256 | 57cc66bf0909c430364d35d92b64eb8b6a15dc201765403725fe323f39e8ac54 |
| SHA512 | 492be2445b10f6bfe6c561c1fc6f5d1af6d1365b7449bc57a8f073b44ae49c88e66841f5c258b041547fcd33cbdcb4eb9dd3e24f0924db32720e51651e9286be |
C:\Users\Admin\AppData\Local\Temp\_MEI25402\api-ms-win-core-timezone-l1-1-0.dll
| MD5 | d12403ee11359259ba2b0706e5e5111c |
| SHA1 | 03cc7827a30fd1dee38665c0cc993b4b533ac138 |
| SHA256 | f60e1751a6ac41f08e46480bf8e6521b41e2e427803996b32bdc5e78e9560781 |
| SHA512 | 9004f4e59835af57f02e8d9625814db56f0e4a98467041da6f1367ef32366ad96e0338d48fff7cc65839a24148e2d9989883bcddc329d9f4d27cae3f843117d0 |
C:\Users\Admin\AppData\Local\Temp\_MEI25402\api-ms-win-core-file-l2-1-0.dll
| MD5 | bfffa7117fd9b1622c66d949bac3f1d7 |
| SHA1 | 402b7b8f8dcfd321b1d12fc85a1ee5137a5569b2 |
| SHA256 | 1ea267a2e6284f17dd548c6f2285e19f7edb15d6e737a55391140ce5cb95225e |
| SHA512 | b319cc7b436b1be165cdf6ffcab8a87fe29de78f7e0b14c8f562be160481fb5483289bd5956fdc1d8660da7a3f86d8eede35c6cc2b7c3d4c852decf4b2dcdb7f |
C:\Users\Admin\AppData\Local\Temp\_MEI25402\python310.dll
| MD5 | b9d896d5f748793d3dc44be7b2e43ba7 |
| SHA1 | fb81bb8cfba3c5f2caffe0be3e17babf669de42a |
| SHA256 | 686dc3e3104a45f2a38821cd0c43c17d2e4b3f41a30de94fc7bebef3b882ac83 |
| SHA512 | 6835873e751851c3ea9bc53f744f27d89eb1f3bc4a6a88f36de93ac0be3e2eb151c4f57879a07d25dacde51720ca36dd12e390c80535bebd64c9e0390b691736 |
memory/2232-111-0x000007FEF5BC0000-0x000007FEF602E000-memory.dmp
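The two detonations above list every dropped file with the same path-plus-hash-table layout, but the entries are not equally useful as indicators: the `_MEI...` directories hold the CPython runtime and extension modules that any PyInstaller-built program extracts at start-up, the `StealedFilesByIris` tree holds the sandbox user's own decoy documents staged for exfiltration, and `__PSScriptPolicyTest_*.ps1` is written by PowerShell itself on launch. The helper below is an added example, not part of the report or of Exela's code: it parses the report's "Files" layout, sorts each entry into one of those buckets, and recovers the bootloader PID from the `_MEI` directory name. That PID recovery relies on PyInstaller's `_MEI<pid><counter>` naming convention, which the report does not state; it is checked here only against the visible pair PID 2540 / `_MEI25402` from behavioral1. The sample input is a constructed excerpt of lines copied from the report, not the full list.

```python
"""Classify the dropped-file entries of a PyInstaller-based stealer report.

Added example, not the report's or the malware's own code. Buckets:
  pyinstaller_runtime  files under _MEI<pid><n>\ : bundled python DLLs / .pyd
                       extensions shared with every PyInstaller app, so their
                       hashes are weak indicators.
  staged_victim_data   files under StealedFilesByIris\ : the victim's own
                       documents copied for exfiltration; the directory name
                       is the usable indicator, the hashes are not.
  powershell_probe     __PSScriptPolicyTest_*.ps1 : created by PowerShell on
                       start-up (script-policy check), evidence that
                       PowerShell ran, not a payload.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

HASH_ROW = re.compile(r"^\| (MD5|SHA1|SHA256|SHA512) \| ([0-9a-f]+) \|$")
MEI_DIR = re.compile(r"\\_MEI(\d+)\\", re.IGNORECASE)
POLICY_PROBE = re.compile(r"\\__PSScriptPolicyTest_[^\\]+\.ps1$", re.IGNORECASE)
STAGING_DIR = "\\stealedfilesbyiris\\"

# Constructed excerpt: a few path/hash entries copied from the report above
# (behavioral2 and behavioral1), interleaved with a memory-dump line as in
# the original layout. Not the complete list.
REPORT_EXCERPT = r"""
C:\Users\Admin\AppData\Local\Temp\_MEI13962\MSVCP140.dll
| MD5 | 72f3d84384e888bf0d38852eb863026b |
| SHA1 | 8e6a0257591eb913ae7d0e975c56306b3f680b3f |
| SHA256 | a4c2229bdc2a2a630acdc095b4d86008e5c3e3bc7773174354f3da4f5beb9cde |
memory/3184-190-0x00007FFA30AA0000-0x00007FFA30AAE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI13962\aiohttp\_http_parser.cp310-win_amd64.pyd
| MD5 | f3a43ee9a1cd3da4b1e8856832d37fb5 |
| SHA256 | 5cd0986d4b79c7079bd472df2fb41dc2056fb3f7db6d6776d5fe5f883de45fe1 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pltbztxe.zef.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByIris\Desktop\ShowStep.doc
| MD5 | c299a215e2ba9af53257e8ec2cd1e7db |
| SHA256 | 4215d6276f7a5fe2ca92bee7574c3ad614465f42006c82fd70d7faae9e803cc8 |
C:\Users\Admin\AppData\Local\Temp\_MEI25402\python310.dll
| MD5 | b9d896d5f748793d3dc44be7b2e43ba7 |
| SHA256 | 686dc3e3104a45f2a38821cd0c43c17d2e4b3f41a30de94fc7bebef3b882ac83 |
"""


@dataclass
class DroppedFile:
    path: str
    hashes: dict = field(default_factory=dict)

    @property
    def category(self) -> str:
        if POLICY_PROBE.search(self.path):
            return "powershell_probe"
        if STAGING_DIR in self.path.lower():
            return "staged_victim_data"
        if MEI_DIR.search(self.path):
            return "pyinstaller_runtime"
        return "other"


def parse_files_section(text: str) -> list[DroppedFile]:
    """A path line opens a record; following '| ALG | hex |' rows attach to it;
    'memory/...' dump lines and blank lines are skipped."""
    records: list[DroppedFile] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("memory/"):
            continue
        m = HASH_ROW.match(line)
        if m:
            if not records:
                raise ValueError(f"hash row before any path: {line}")
            records[-1].hashes[m.group(1)] = m.group(2)
        elif not line.startswith("|"):
            records.append(DroppedFile(line))
    return records


def mei_bootloader_pid(path: str) -> int | None:
    """Heuristic (assumed, not stated in the report): PyInstaller names its
    extraction directory _MEI<pid><counter>, one counter digit at the end, so
    the digits before it are the PID of the bootloader (parent) process."""
    m = MEI_DIR.search(path)
    if not m or len(m.group(1)) < 2:
        return None
    return int(m.group(1)[:-1])


def summarize(records: list[DroppedFile]) -> dict[str, int]:
    """Count entries per bucket so the analyst sees what the list is made of."""
    counts: dict[str, int] = {}
    for r in records:
        counts[r.category] = counts.get(r.category, 0) + 1
    return counts


if __name__ == "__main__":
    recs = parse_files_section(REPORT_EXCERPT)
    for r in recs:
        print(f"{r.category:20} pid={mei_bootloader_pid(r.path)!s:5} {r.path}")
    print(summarize(recs))
```

Run against the full report, only entries that fall into the `other` bucket deserve hash-level blocking; the rest are runtime, victim data or a PowerShell artefact. The PID check is a sanity test on the report itself: `_MEI25402` resolving to 2540 agrees with the WriteProcessMemory rows (PID 2540 wrote to 2232), which is the PyInstaller onefile parent re-launching itself as a child.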