Malware Analysis Report

2025-03-15 03:46

Sample ID 241115-tg24esxblb
Target 19961176322.zip
SHA256 0da05a2b74ed0b0c6ba4bcc6b8d750b313861bac4e35eb0336b7cb538a0ae93d
Tags
exelastealer collection defense_evasion discovery evasion persistence privilege_escalation spyware stealer upx pyinstaller
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0da05a2b74ed0b0c6ba4bcc6b8d750b313861bac4e35eb0336b7cb538a0ae93d

Threat Level: Known bad

The file 19961176322.zip was found to be: Known bad.

Malicious Activity Summary

exelastealer collection defense_evasion discovery evasion persistence privilege_escalation spyware stealer upx pyinstaller

Exela Stealer

Exelastealer family

Grants admin privileges

Modifies Windows Firewall

Loads dropped DLL

Clipboard Data

Reads user/profile data of web browsers

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

Network Service Discovery

Hide Artifacts: Hidden Files and Directories

Enumerates processes with tasklist

UPX packed file

Launches sc.exe

Event Triggered Execution: Netsh Helper DLL

Unsigned PE

System Network Configuration Discovery: Wi-Fi Discovery

Permission Groups Discovery: Local Groups

Detects Pyinstaller

Browser Information Discovery

System Network Connections Discovery

Collects information from the system

Views/modifies file attributes

Gathers network information

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Kills process with taskkill

Runs net.exe

Scheduled Task/Job: Scheduled Task

Gathers system information

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Detects videocard installed

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-15 16:02

Signatures

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-15 16:02

Reported

2024-11-15 16:05

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\87f285bd4941a32b46d2eb58239900388e43341b41ffbdbdf90741729a926624.exe"

Signatures

Exela Stealer

stealer exelastealer

Exelastealer family

exelastealer

Grants admin privileges

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Clipboard Data

collection
Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\87f285bd4941a32b46d2eb58239900388e43341b41ffbdbdf90741729a926624.exe N/A

Reads user/profile data of web browsers

spyware stealer

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Network Service Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\system32\ARP.EXE N/A

Enumerates processes with tasklist

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A

Hide Artifacts: Hidden Files and Directories

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A

Browser Information Discovery

discovery

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A

Permission Groups Discovery: Local Groups

discovery

System Network Configuration Discovery: Wi-Fi Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\cmd.exe N/A

System Network Connections Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\NETSTAT.EXE N/A

Collects information from the system

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\system32\NETSTAT.EXE N/A
N/A N/A C:\Windows\system32\ipconfig.exe N/A

Gathers system information

Description Indicator Process Target
N/A N/A C:\Windows\system32\systeminfo.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A

Runs net.exe

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3280 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\87f285bd4941a32b46d2eb58239900388e43341b41ffbdbdf90741729a926624.exe C:\Users\Admin\AppData\Local\Temp\87f285bd4941a32b46d2eb58239900388e43341b41ffbdbdf90741729a926624.exe
PID 2612 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\87f285bd4941a32b46d2eb58239900388e43341b41ffbdbdf90741729a926624.exe C:\Windows\system32\cmd.exe
PID 2612 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\87f285bd4941a32b46d2eb58239900388e43341b41ffbdbdf90741729a926624.exe C:\Windows\system32\cmd.exe
PID 2532 wrote to memory of 3988 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2612 wrote to memory of 3168 N/A C:\Users\Admin\AppData\Local\Temp\87f285bd4941a32b46d2eb58239900388e43341b41ffbdbdf90741729a926624.exe C:\Windows\system32\cmd.exe
PID 2612 wrote to memory of 4384 N/A C:\Users\Admin\AppData\Local\Temp\87f285bd4941a32b46d2eb58239900388e43341b41ffbdbdf90741729a926624.exe C:\Windows\system32\cmd.exe
PID 2612 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\87f285bd4941a32b46d2eb58239900388e43341b41ffbdbdf90741729a926624.exe C:\Windows\system32\cmd.exe
PID 2612 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\87f285bd4941a32b46d2eb58239900388e43341b41ffbdbdf90741729a926624.exe C:\Windows\system32\cmd.exe
PID 3168 wrote to memory of 1584 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4384 wrote to memory of 3448 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2648 wrote to memory of 3008 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 2612 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\87f285bd4941a32b46d2eb58239900388e43341b41ffbdbdf90741729a926624.exe C:\Windows\system32\cmd.exe
PID 1856 wrote to memory of 1588 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2612 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\87f285bd4941a32b46d2eb58239900388e43341b41ffbdbdf90741729a926624.exe C:\Windows\system32\cmd.exe
PID 2612 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\87f285bd4941a32b46d2eb58239900388e43341b41ffbdbdf90741729a926624.exe C:\Windows\system32\cmd.exe
PID 1508 wrote to memory of 3004 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1580 wrote to memory of 3588 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 2612 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Local\Temp\87f285bd4941a32b46d2eb58239900388e43341b41ffbdbdf90741729a926624.exe C:\Windows\system32\cmd.exe
PID 3720 wrote to memory of 1220 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 2612 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\87f285bd4941a32b46d2eb58239900388e43341b41ffbdbdf90741729a926624.exe C:\Windows\system32\cmd.exe
PID 2548 wrote to memory of 2032 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2612 wrote to memory of 3908 N/A C:\Users\Admin\AppData\Local\Temp\87f285bd4941a32b46d2eb58239900388e43341b41ffbdbdf90741729a926624.exe C:\Windows\system32\cmd.exe
PID 3908 wrote to memory of 4564 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2612 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\87f285bd4941a32b46d2eb58239900388e43341b41ffbdbdf90741729a926624.exe C:\Windows\system32\cmd.exe
PID 2040 wrote to memory of 3544 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2612 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\87f285bd4941a32b46d2eb58239900388e43341b41ffbdbdf90741729a926624.exe C:\Windows\system32\cmd.exe
PID 848 wrote to memory of 3880 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 2612 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Local\Temp\87f285bd4941a32b46d2eb58239900388e43341b41ffbdbdf90741729a926624.exe C:\Windows\system32\cmd.exe
PID 2612 wrote to memory of 4760 N/A C:\Users\Admin\AppData\Local\Temp\87f285bd4941a32b46d2eb58239900388e43341b41ffbdbdf90741729a926624.exe C:\Windows\system32\cmd.exe
PID 2612 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\87f285bd4941a32b46d2eb58239900388e43341b41ffbdbdf90741729a926624.exe C:\Windows\system32\cmd.exe
PID 2612 wrote to memory of 3904 N/A C:\Users\Admin\AppData\Local\Temp\87f285bd4941a32b46d2eb58239900388e43341b41ffbdbdf90741729a926624.exe C:\Windows\system32\cmd.exe
PID 4760 wrote to memory of 2368 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe

Uses Task Scheduler COM API

persistence

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\87f285bd4941a32b46d2eb58239900388e43341b41ffbdbdf90741729a926624.exe

"C:\Users\Admin\AppData\Local\Temp\87f285bd4941a32b46d2eb58239900388e43341b41ffbdbdf90741729a926624.exe"

C:\Users\Admin\AppData\Local\Temp\87f285bd4941a32b46d2eb58239900388e43341b41ffbdbdf90741729a926624.exe

"C:\Users\Admin\AppData\Local\Temp\87f285bd4941a32b46d2eb58239900388e43341b41ffbdbdf90741729a926624.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "ver"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM chrome.exe /T"

C:\Windows\system32\taskkill.exe

taskkill /F /IM chrome.exe /T

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "gdb --version"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\System32\Wbem\WMIC.exe

wmic computersystem get Manufacturer

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"

C:\Windows\System32\Wbem\WMIC.exe

wmic path Win32_ComputerSystem get Manufacturer

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\IrisUpdateService\Iris.exe""

C:\Windows\system32\attrib.exe

attrib +h +s "C:\Users\Admin\AppData\Local\IrisUpdateService\Iris.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "schtasks /query /TN "IrisUpdateService""

C:\Windows\system32\schtasks.exe

schtasks /query /TN "IrisUpdateService"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "schtasks /create /f /sc onlogon /rl highest /tn "IrisUpdateService" /tr "C:\Users\Admin\AppData\Local\IrisUpdateService\Iris.exe""

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "IrisUpdateService" /tr "C:\Users\Admin\AppData\Local\IrisUpdateService\Iris.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "schtasks /create /f /sc hourly /mo 1 /rl highest /tn "IrisUpdateService2" /tr "C:\Users\Admin\AppData\Local\IrisUpdateService\Iris.exe""

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc hourly /mo 1 /rl highest /tn "IrisUpdateService2" /tr "C:\Users\Admin\AppData\Local\IrisUpdateService\Iris.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"

C:\Windows\system32\cmd.exe

cmd.exe /c chcp

C:\Windows\system32\cmd.exe

cmd.exe /c chcp

C:\Windows\system32\chcp.com

chcp

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Clipboard

C:\Windows\system32\chcp.com

chcp

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\system32\systeminfo.exe

systeminfo

C:\Windows\system32\HOSTNAME.EXE

hostname

C:\Windows\System32\Wbem\WMIC.exe

wmic logicaldisk get caption,description,providername

C:\Windows\system32\net.exe

net user

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user

C:\Windows\system32\query.exe

query user

C:\Windows\system32\quser.exe

"C:\Windows\system32\quser.exe"

C:\Windows\system32\net.exe

net localgroup

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 localgroup

C:\Windows\system32\net.exe

net localgroup administrators

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 localgroup administrators

C:\Windows\system32\net.exe

net user guest

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user guest

C:\Windows\system32\net.exe

net user administrator

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user administrator

C:\Windows\System32\Wbem\WMIC.exe

wmic startup get caption,command

C:\Windows\system32\tasklist.exe

tasklist /svc

C:\Windows\system32\ipconfig.exe

ipconfig /all

C:\Windows\system32\ROUTE.EXE

route print

C:\Windows\system32\ARP.EXE

arp -a

C:\Windows\system32\NETSTAT.EXE

netstat -ano

C:\Windows\system32\sc.exe

sc query type= service state= all

C:\Windows\system32\netsh.exe

netsh firewall show state

C:\Windows\system32\netsh.exe

netsh firewall show config

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

Network

Files

C:\Users\Admin\AppData\Local\Temp\_MEI32802\ucrtbase.dll

C:\Users\Admin\AppData\Local\Temp\_MEI32802\python310.dll

C:\Users\Admin\AppData\Local\Temp\_MEI32802\VCRUNTIME140.dll

C:\Users\Admin\AppData\Local\Temp\_MEI32802\base_library.zip

C:\Users\Admin\AppData\Local\Temp\_MEI32802\_ctypes.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI32802\python3.DLL

C:\Users\Admin\AppData\Local\Temp\_MEI32802\libffi-7.dll

C:\Users\Admin\AppData\Local\Temp\_MEI32802\_socket.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI32802\select.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI32802\_bz2.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI32802\_lzma.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI32802\_sqlite3.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI32802\sqlite3.dll

C:\Users\Admin\AppData\Local\Temp\_MEI32802\_ssl.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI32802\libcrypto-1_1.dll

C:\Users\Admin\AppData\Local\Temp\_MEI32802\libssl-1_1.dll

C:\Users\Admin\AppData\Local\Temp\_MEI32802\_asyncio.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI32802\_hashlib.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI32802\unicodedata.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI32802\yarl\_quoting_c.cp310-win_amd64.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI32802\multidict\_multidict.cp310-win_amd64.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI32802\_overlapped.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI32802\aiohttp\_helpers.cp310-win_amd64.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI32802\aiohttp\_http_writer.cp310-win_amd64.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI32802\_brotli.cp310-win_amd64.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI32802\VCRUNTIME140_1.dll

C:\Users\Admin\AppData\Local\Temp\_MEI32802\MSVCP140.dll

C:\Users\Admin\AppData\Local\Temp\_MEI32802\aiohttp\_http_parser.cp310-win_amd64.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI32802\charset_normalizer\md.cp310-win_amd64.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI32802\charset_normalizer\md__mypyc.cp310-win_amd64.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI32802\_uuid.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI32802\aiohttp\_websocket.cp310-win_amd64.pyd

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lttyya4l.kmp.ps1

C:\Users\Admin\AppData\Local\Temp\StealedFilesByIris\Desktop\DisconnectProtect.jpeg

C:\Users\Admin\AppData\Local\Temp\StealedFilesByIris\Desktop\FormatReset.mp3

C:\Users\Admin\AppData\Local\Temp\StealedFilesByIris\Desktop\PushMeasure.pdf

C:\Users\Admin\AppData\Local\Temp\StealedFilesByIris\Desktop\RevokeTrace.png

C:\Users\Admin\AppData\Local\Temp\StealedFilesByIris\Desktop\TestAssert.pdf

C:\Users\Admin\AppData\Local\Temp\StealedFilesByIris\Desktop\StartPublish.xlsx

C:\Users\Admin\AppData\Local\Temp\StealedFilesByIris\Downloads\BackupComplete.M2TS

C:\Users\Admin\AppData\Local\Temp\StealedFilesByIris\Downloads\ExportGroup.xls

C:\Users\Admin\AppData\Local\Temp\StealedFilesByIris\Downloads\ExportPush.jpg

C:\Users\Admin\AppData\Local\Temp\StealedFilesByIris\Downloads\SwitchInvoke.txt

C:\Users\Admin\AppData\Local\Temp\StealedFilesByIris\Downloads\RevokeRedo.jpg

C:\Users\Admin\AppData\Local\Temp\StealedFilesByIris\Documents\RenameConvertTo.xlsx

C:\Users\Admin\AppData\Local\Temp\StealedFilesByIris\Documents\CopyInvoke.xlsx

C:\Users\Admin\AppData\Local\Temp\StealedFilesByIris\Desktop\TraceRequest.xlsx

C:\Users\Admin\AppData\Local\Temp\StealedFilesByIris\Downloads\BackupConvertTo.ram

C:\Users\Admin\AppData\Local\Temp\StealedFilesByIris\Downloads\UnprotectJoin.png

C:\Users\Admin\AppData\Local\Temp\StealedFilesByIris\Music\MergeRegister.zip

C:\Users\Admin\AppData\Local\Temp\StealedFilesByIris\Music\ImportRepair.docx

C:\Users\Admin\AppData\Local\Temp\StealedFilesByIris\Pictures\SetReset.jpg

C:\Users\Admin\AppData\Local\Temp\StealedFilesByIris\Pictures\My Wallpaper.jpg

C:\Users\Admin\AppData\Local\Temp\StealedFilesByIris\Music\UseWrite.pdf

C:\Users\Admin\AppData\Local\Temp\StealedFilesByIris\Music\SwitchConfirm.mp4

C:\Users\Admin\AppData\Local\Temp\StealedFilesByIris\Music\ReceiveSplit.csv

C:\Users\Admin\AppData\Local\Temp\StealedFilesByIris\Pictures\StopShow.jpeg

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-15 16:02

Reported

2024-11-15 16:05

Platform

win7-20241023-en

Max time kernel

119s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\87f285bd4941a32b46d2eb58239900388e43341b41ffbdbdf90741729a926624.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\87f285bd4941a32b46d2eb58239900388e43341b41ffbdbdf90741729a926624.exe

"C:\Users\Admin\AppData\Local\Temp\87f285bd4941a32b46d2eb58239900388e43341b41ffbdbdf90741729a926624.exe"

C:\Users\Admin\AppData\Local\Temp\87f285bd4941a32b46d2eb58239900388e43341b41ffbdbdf90741729a926624.exe

"C:\Users\Admin\AppData\Local\Temp\87f285bd4941a32b46d2eb58239900388e43341b41ffbdbdf90741729a926624.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\_MEI23602\ucrtbase.dll

C:\Users\Admin\AppData\Local\Temp\_MEI23602\api-ms-win-core-localization-l1-2-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI23602\api-ms-win-core-processthreads-l1-1-1.dll

C:\Users\Admin\AppData\Local\Temp\_MEI23602\api-ms-win-core-file-l1-2-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI23602\api-ms-win-core-timezone-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI23602\api-ms-win-core-file-l2-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI23602\python310.dll
