Analysis Overview
SHA256
04b84b7755e757c899f54ca892ca9b9ea4933057628a9e30e945b1508ab24f88
Threat Level: Known bad
The file fantafn.exe was found to be: Known bad.
Malicious Activity Summary
Exelastealer family
Exela Stealer
Grants admin privileges
Modifies Windows Firewall
Clipboard Data
Executes dropped EXE
Reads user/profile data of web browsers
Loads dropped DLL
Network Service Discovery
Legitimate hosting services abused for malware hosting/C2
Adds Run key to start application
Looks up external IP address via web service
Hide Artifacts: Hidden Files and Directories
Enumerates processes with tasklist
Launches sc.exe
Event Triggered Execution: Netsh Helper DLL
Permission Groups Discovery: Local Groups
Unsigned PE
System Network Connections Discovery
Browser Information Discovery
System Network Configuration Discovery: Wi-Fi Discovery
Gathers network information
Suspicious use of SendNotifyMessage
Checks SCSI registry key(s)
Gathers system information
Suspicious use of AdjustPrivilegeToken
Collects information from the system
Runs net.exe
Suspicious use of WriteProcessMemory
Kills process with taskkill
Detects videocard installed
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Views/modifies file attributes
Suspicious use of SetWindowsHookEx
Analysis: static1
Detonation Overview
Reported
2024-11-26 02:24
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-26 02:24
Reported
2024-11-26 02:25
Platform
win10ltsc2021-20241023-en
Max time kernel
25s
Max time network
29s
Command Line
Signatures
Exela Stealer
Exelastealer family
Grants admin privileges (no supporting rows; the only administrators-group command in the process list is the query "net localgroup administrators", with no /add, so this tag records a query rather than a group change)
Modifies Windows Firewall (fires on netsh.exe, but the netsh command lines recorded below are read-only: "netsh firewall show state" and "netsh firewall show config")
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Clipboard Data
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE (the sample is a Nuitka onefile build: fantafn.exe unpacks its payload and the bundled CPython runtime into the onefile_4688_133770614874476058 directory under Temp and runs it, which is why the child's command line in the process list is the parent's)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\onefile_4688_133770614874476058\RuntimeBrokerVers.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Discord Update Service = "C:\\Users\\Admin\\AppData\\Local\\scriptkidUpdate\\scriptkid.exe" | C:\Windows\system32\reg.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Network Service Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\ARP.EXE | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Hide Artifacts: Hidden Files and Directories
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Browser Information Discovery
Event Triggered Execution: Netsh Helper DLL (every row is netsh.exe opening, querying or enumerating HKLM\SOFTWARE\Microsoft\NetSh, which netsh does at start-up to load its registered helpers; nothing is written, so this is not evidence that the sample registered a helper DLL)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
Permission Groups Discovery: Local Groups
System Network Configuration Discovery: Wi-Fi Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
System Network Connections Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NETSTAT.EXE | N/A |
Checks SCSI registry key(s) (all rows come from taskmgr.exe, which the sample launches as "taskmgr.exe /4" and later kills with taskkill; the disk enumeration is Task Manager's own, not the sample's)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
Collects information from the system
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Detects videocard installed
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\ipconfig.exe | N/A |
| N/A | N/A | C:\Windows\system32\NETSTAT.EXE | N/A |
Gathers system information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\systeminfo.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken (the WMIC.exe rows are WMIC enabling its own token privileges at start-up, and the tasklist.exe row is tasklist enabling SeDebugPrivilege to enumerate all processes; both are tool behaviour that appears whenever these utilities run, not privilege escalation by the sample)
| Description | Indicator | Process | Target |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\fantafn.exe
"C:\Users\Admin\AppData\Local\Temp\fantafn.exe"
C:\Users\Admin\AppData\Local\Temp\onefile_4688_133770614874476058\RuntimeBrokerVers.exe
"C:\Users\Admin\AppData\Local\Temp\fantafn.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "gdb --version"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get Manufacturer
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"
C:\Windows\System32\Wbem\WMIC.exe
wmic path Win32_ComputerSystem get Manufacturer
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM "taskmgr.exe""
C:\Windows\system32\taskkill.exe
taskkill /F /IM "taskmgr.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\scriptkidUpdate\scriptkid.exe""
C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\scriptkidUpdate\scriptkid.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Discord Update Service" /t REG_SZ /d "C:\Users\Admin\AppData\Local\scriptkidUpdate\scriptkid.exe" /f"
C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Discord Update Service" /t REG_SZ /d "C:\Users\Admin\AppData\Local\scriptkidUpdate\scriptkid.exe" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist"
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Clipboard
C:\Windows\system32\cmd.exe
cmd.exe /c chcp
C:\Windows\system32\cmd.exe
cmd.exe /c chcp
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\chcp.com
chcp
C:\Windows\system32\chcp.com
chcp
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
C:\Windows\system32\systeminfo.exe
systeminfo
C:\Windows\system32\netsh.exe
netsh wlan show profiles
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Windows\system32\HOSTNAME.EXE
hostname
C:\Windows\System32\Wbem\WMIC.exe
wmic logicaldisk get caption,description,providername
C:\Windows\system32\net.exe
net user
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user
C:\Windows\system32\query.exe
query user
C:\Windows\system32\quser.exe
"C:\Windows\system32\quser.exe"
C:\Windows\system32\net.exe
net localgroup
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup
C:\Windows\system32\net.exe
net localgroup administrators
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup administrators
C:\Windows\system32\net.exe
net user guest
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user guest
C:\Windows\system32\net.exe
net user administrator
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user administrator
C:\Windows\System32\Wbem\WMIC.exe
wmic startup get caption,command
C:\Windows\system32\tasklist.exe
tasklist /svc
C:\Windows\system32\ipconfig.exe
ipconfig /all
C:\Windows\system32\ROUTE.EXE
route print
C:\Windows\system32\ARP.EXE
arp -a
C:\Windows\system32\NETSTAT.EXE
netstat -ano
C:\Windows\system32\sc.exe
sc query type= service state= all
C:\Windows\system32\netsh.exe
netsh firewall show state
C:\Windows\system32\netsh.exe
netsh firewall show config
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
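The process list above is a chain of living-off-the-land commands that are individually unremarkable (reg add, attrib, taskkill, tasklist, netsh, wmic, powershell Get-Clipboard) but become a strong signal when they all descend from one unsigned executable in Temp. The scorer below is an added example for this report, not sandbox or Exela code: it pools rule hits per process tree so that the persistence, hiding, clipboard and Wi-Fi commands are weighed together. The event schema (pid, ppid, image, cmdline), the process ids and the weights are this example's own assumptions; the sample events are constructed from the command lines in the list, and the interactive admin shell (pid 900) is included to show that two of the same commands on their own stay below threshold.

```python
"""Score process-creation events for the Exela Stealer post-exploitation chain
recorded above. Added example for this report, not sandbox or Exela code.
Event records use a constructed minimal schema (pid, ppid, image, cmdline); the
pids are invented (4688 is taken from the onefile_4688_... directory name) and
the regexes are this example's own reading of the Processes list."""
import re

# (rule name, pattern matched against the full command line, weight).
# Most of these are ordinary admin activity on their own; the scoring works
# because they are all children of one process tree.
RULES = [
    # reg add ...\CurrentVersion\Run ... /d "<binary under AppData\Local\...>"
    ("run_key_appdata", r'reg(?:\.exe)?\s+add\s+.*\\currentversion\\run\b.*/d\s+"?[^"]*\\appdata\\local\\', 4),
    # attrib +h +s <persistence binary>
    ("attrib_hide_system", r"attrib(?:\.exe)?\s+\+h\s+\+s\b", 3),
    # taskkill /F /IM "taskmgr.exe" (the sample starts taskmgr itself, then kills it)
    ("kill_taskmgr", r'taskkill(?:\.exe)?\s+/f\s+/im\s+"?taskmgr\.exe', 3),
    # powershell.exe Get-Clipboard (clipboard theft through a LOLBin)
    ("clipboard_dump", r"powershell(?:\.exe)?\s+get-clipboard", 3),
    # netsh wlan show profiles (Wi-Fi profile harvesting)
    ("wifi_profiles", r"netsh(?:\.exe)?\s+wlan\s+show\s+profiles", 2),
    # wmic csproduct get uuid (hardware id; run three times in the report)
    ("hwid_uuid", r"wmic(?:\.exe)?\s+csproduct\s+get\s+uuid", 1),
    # the one-shot recon batch: systeminfo ... net localgroup administrators ... netstat -ano
    ("recon_chain", r"systeminfo\b.*\bnet\s+localgroup\s+administrators\b.*\bnetstat\s+-ano\b", 3),
    # cmd /c "gdb --version": read here as a probe for an analysis toolchain (interpretation)
    ("debugger_probe", r"\bgdb\s+--version\b", 1),
]
COMPILED = [(name, re.compile(pat, re.I), w) for name, pat, w in RULES]

# Constructed events modelled on the Processes list; the recon command line is
# abbreviated to three of its stages.
SAMPLE_EVENTS = [
    {"pid": 4688, "ppid": 1000, "image": r"C:\Users\Admin\AppData\Local\Temp\fantafn.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\fantafn.exe"'},
    {"pid": 1816, "ppid": 4688, "image": r"C:\Users\Admin\AppData\Local\Temp\onefile_4688_133770614874476058\RuntimeBrokerVers.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\fantafn.exe"'},
    {"pid": 2001, "ppid": 1816, "image": r"C:\Windows\system32\cmd.exe", "cmdline": r'C:\Windows\system32\cmd.exe /c "gdb --version"'},
    {"pid": 2002, "ppid": 1816, "image": r"C:\Windows\system32\cmd.exe", "cmdline": r'C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"'},
    {"pid": 2003, "ppid": 1816, "image": r"C:\Windows\system32\cmd.exe", "cmdline": r'C:\Windows\system32\cmd.exe /c "taskkill /F /IM "taskmgr.exe""'},
    {"pid": 2004, "ppid": 1816, "image": r"C:\Windows\system32\cmd.exe", "cmdline": r'C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\scriptkidUpdate\scriptkid.exe""'},
    {"pid": 2005, "ppid": 1816, "image": r"C:\Windows\system32\cmd.exe", "cmdline": r'C:\Windows\system32\cmd.exe /c "reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Discord Update Service" /t REG_SZ /d "C:\Users\Admin\AppData\Local\scriptkidUpdate\scriptkid.exe" /f"'},
    {"pid": 2006, "ppid": 1816, "image": r"C:\Windows\system32\cmd.exe", "cmdline": r'C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"'},
    {"pid": 2007, "ppid": 1816, "image": r"C:\Windows\system32\cmd.exe", "cmdline": r'C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"'},
    {"pid": 2008, "ppid": 1816, "image": r"C:\Windows\system32\cmd.exe", "cmdline": r'C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####Administrators Info#### & net localgroup administrators & echo ####Netstat#### & netstat -ano"'},
    # An interactive admin shell running two of the same tools, for contrast.
    {"pid": 900, "ppid": 1, "image": r"C:\Windows\system32\cmd.exe", "cmdline": "cmd.exe"},
    {"pid": 3001, "ppid": 900, "image": r"C:\Windows\system32\cmd.exe", "cmdline": r'cmd.exe /c "netsh wlan show profiles"'},
    {"pid": 3002, "ppid": 900, "image": r"C:\Windows\system32\cmd.exe", "cmdline": r'cmd.exe /c "wmic csproduct get uuid"'},
]


def root_of(pid, parents, known):
    """Walk ppid links up to the highest ancestor present in the event set."""
    seen = set()
    while parents.get(pid) in known and pid not in seen:
        seen.add(pid)
        pid = parents[pid]
    return pid


def score_trees(events, threshold=8):
    """Return {root_pid: {"score", "rules", "alert"}} with rule hits pooled per process tree."""
    known = {e["pid"] for e in events}
    parents = {e["pid"]: e["ppid"] for e in events}
    hits = {}
    for e in events:
        root = root_of(e["pid"], parents, known)
        for name, rx, _ in COMPILED:
            if rx.search(e["cmdline"]):
                hits.setdefault(root, set()).add(name)   # each rule counts once per tree
    weights = {name: w for name, _, w in RULES}
    result = {}
    for root, names in hits.items():
        score = sum(weights[n] for n in names)
        result[root] = {"score": score, "rules": sorted(names), "alert": score >= threshold}
    return result


if __name__ == "__main__":
    for root, verdict in score_trees(SAMPLE_EVENTS).items():
        print(root, verdict)
```

The tree rooted at the Temp executable collects every rule and scores 20; the admin shell collects the two weak ones and scores 3. In a real deployment the root would be tied to the image path and signature status as well (Unsigned PE from Temp), and the rule for the Run key would look at the registry-set event rather than only the command line, since the same key can be written through the API without reg.exe.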
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | geolocation-db.com | udp |
| DE | 159.89.102.253:443 | geolocation-db.com | tcp |
| US | 8.8.8.8:53 | 253.102.89.159.in-addr.arpa | udp |
| DE | 159.89.102.253:443 | geolocation-db.com | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 232.136.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | checkappexec.microsoft.com | udp |
| GB | 51.140.244.186:443 | checkappexec.microsoft.com | tcp |
| N/A | 127.0.0.1:49899 | N/A | tcp |
| N/A | 127.0.0.1:49904 | N/A | tcp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 186.244.140.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| N/A | 127.0.0.1:49916 | N/A | tcp |
| N/A | 127.0.0.1:49939 | N/A | tcp |
| N/A | 127.0.0.1:49943 | N/A | tcp |
| N/A | 127.0.0.1:49945 | N/A | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | api.gofile.io | udp |
| FR | 45.112.123.126:443 | api.gofile.io | tcp |
| US | 8.8.8.8:53 | store1.gofile.io | udp |
| FR | 45.112.123.227:443 | store1.gofile.io | tcp |
| US | 8.8.8.8:53 | 126.123.112.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.123.112.45.in-addr.arpa | udp |
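Most rows in the Network table are not indicators: queries to the sandbox's resolver at 8.8.8.8, the reverse (in-addr.arpa) lookups the sandbox performs on every peer, loopback connections, and the SmartScreen lookup to checkappexec.microsoft.com that Windows makes when an unsigned executable runs. What remains is two IP-geolocation services, Discord, and a gofile.io API call followed by a storage node, which is the shape of an upload. The triage below is an added example for this report, not part of the sandbox output: the category labels and the noise rules are this example's own, and the table text is a constructed copy of rows from the report that deliberately includes one row in the shifted "| tcp | |" layout so the parser has to cope with it.

```python
"""Separate actionable network IOCs in this report from resolver, sandbox and
OS background rows. Added example, not part of the sandbox report; category
labels and noise rules are this example's own, and SAMPLE_TABLE is a constructed
copy of rows from the Network table (one row kept in the shifted layout)."""
import ipaddress
from collections import defaultdict

SAMPLE_TABLE = """
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | geolocation-db.com | udp |
| DE | 159.89.102.253:443 | geolocation-db.com | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | checkappexec.microsoft.com | udp |
| GB | 51.140.244.186:443 | checkappexec.microsoft.com | tcp |
| N/A | 127.0.0.1:49899 | tcp | |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| FR | 45.112.123.126:443 | api.gofile.io | tcp |
| FR | 45.112.123.227:443 | store1.gofile.io | tcp |
"""

RESOLVERS = {"8.8.8.8"}                            # the sandbox's DNS resolver
OS_BACKGROUND = {"checkappexec.microsoft.com"}    # SmartScreen reputation check, not the sample
# Registrable domains the sample contacted, keyed to what the report says about them.
CATEGORIES = {
    "ip-api.com": "victim geolocation (IP lookup)",
    "geolocation-db.com": "victim geolocation (IP lookup)",
    "discord.com": "abused legitimate service (C2)",
    "gofile.io": "abused legitimate service (file hosting)",
}
PROTOS = {"tcp", "udp"}


def parse_rows(table):
    """Yield (dest_ip, port, domain, proto) per data row, tolerating the shifted layout."""
    for line in table.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 3 or cells[0] == "Country":
            continue
        dest = cells[1]
        rest = [c for c in cells[2:] if c]
        if rest and rest[0] in PROTOS:          # shifted row: protocol sits in the Domain column
            domain, proto = "", rest[0]
        else:
            domain = rest[0] if rest else ""
            proto = rest[1] if len(rest) > 1 else ""
        ip, _, port = dest.rpartition(":")
        yield ip, (int(port) if port.isdigit() else None), domain, proto


def registrable(domain):
    """Crude eTLD+1 (last two labels); enough for the domains in this report."""
    parts = domain.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else domain


def triage(table):
    """Return ({category: {domain: {"ip:port", ...}}}, noise_row_count)."""
    iocs = defaultdict(lambda: defaultdict(set))
    noise = 0
    for ip, port, domain, _proto in parse_rows(table):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            noise += 1
            continue
        if addr.is_loopback or domain.endswith(".in-addr.arpa") or domain in OS_BACKGROUND:
            noise += 1
            continue
        bucket = iocs[CATEGORIES.get(registrable(domain), "unclassified")][domain]
        if ip not in RESOLVERS:                 # a DNS-only row still records the domain
            bucket.add(f"{ip}:{port}")
    return {cat: dict(domains) for cat, domains in iocs.items()}, noise


if __name__ == "__main__":
    found, skipped = triage(SAMPLE_TABLE)
    for cat, domains in found.items():
        print(cat, domains)
    print("noise rows:", skipped)
```

Act on the categories differently: the geolocation services and gofile.io can be blocked or alerted on outright, but the Discord address is a Cloudflare-fronted IP shared with legitimate Discord traffic, so the usable control there is the domain or, better, proxy visibility into the webhook URL, not the IP.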
Files
C:\Users\Admin\AppData\Local\Temp\onefile_4688_133770614874476058\RuntimeBrokerVers.exe
| MD5 | 4210339142ccd774ee8011ae1784cf71 |
| SHA1 | 8ef93cf8ef23af2b0fa4350aecd262c46ec01c6c |
| SHA256 | 64d0d6f1b1755a040d9cd820bf0f8ab227ead7a1a9acea24481a04d44ba3014c |
| SHA512 | 3ea656a952f3fdd97bb5827d6de9cbb88edda9766d440a9ce0a82d2ca2198e06bfd9d51b209952c0f2955af307c62aad8139d2d55a3765ef6581f3151ca8a3d6 |
C:\Users\Admin\AppData\Local\Temp\onefile_4688_133770614874476058\python311.dll
| MD5 | 5a5dd7cad8028097842b0afef45bfbcf |
| SHA1 | e247a2e460687c607253949c52ae2801ff35dc4a |
| SHA256 | a811c7516f531f1515d10743ae78004dd627eba0dc2d3bc0d2e033b2722043ce |
| SHA512 | e6268e4fad2ce3ef16b68298a57498e16f0262bf3531539ad013a66f72df471569f94c6fcc48154b7c3049a3ad15cbfcbb6345dacb4f4ed7d528c74d589c9858 |
C:\Users\Admin\AppData\Local\Temp\onefile_4688_133770614874476058\VCRUNTIME140.dll
| MD5 | 4585a96cc4eef6aafd5e27ea09147dc6 |
| SHA1 | 489cfff1b19abbec98fda26ac8958005e88dd0cb |
| SHA256 | a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736 |
| SHA512 | d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286 |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_ctypes.pyd
| MD5 | bd36f7d64660d120c6fb98c8f536d369 |
| SHA1 | 6829c9ce6091cb2b085eb3d5469337ac4782f927 |
| SHA256 | ee543453ac1a2b9b52e80dc66207d3767012ca24ce2b44206804767f37443902 |
| SHA512 | bd15f6d4492ddbc89fcbadba07fc10aa6698b13030dd301340b5f1b02b74191faf9b3dcf66b72ecf96084656084b531034ea5cadc1dd333ef64afb69a1d1fd56 |
C:\Users\Admin\AppData\Local\Temp\onefile_4688_133770614874476058\libffi-8.dll
| MD5 | 0f8e4992ca92baaf54cc0b43aaccce21 |
| SHA1 | c7300975df267b1d6adcbac0ac93fd7b1ab49bd2 |
| SHA256 | eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a |
| SHA512 | 6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978 |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_bz2.pyd
| MD5 | 3859239ced9a45399b967ebce5a6ba23 |
| SHA1 | 6f8ff3df90ac833c1eb69208db462cda8ca3f8d6 |
| SHA256 | a4dd883257a7ace84f96bcc6cd59e22d843d0db080606defae32923fc712c75a |
| SHA512 | 030e5ce81e36bd55f69d55cbb8385820eb7c1f95342c1a32058f49abeabb485b1c4a30877c07a56c9d909228e45a4196872e14ded4f87adaa8b6ad97463e5c69 |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_sqlite3.pyd
| MD5 | d7b9ed5f37519b68750ecb5defb8e957 |
| SHA1 | 661cf73707e02d2837f914adc149b61a120dda7d |
| SHA256 | 2ce63e16df518ae178de0940505ff1b11da97a5b175fe2a0d355b2ee351c55fd |
| SHA512 | f04708c28feb54f355d977e462245b183a0b50f4db6926c767e8f1499e83e910b05a3023b84d398fb5dd87743fe6146dbbc3e1caaed5351c27396f16746c6d6b |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\sqlite3.dll
| MD5 | 08d50fd2b635972dc84a6fb6fc581c06 |
| SHA1 | 4bcfc96a1aad74f7ab11596788acb9a8d1126064 |
| SHA256 | bb5ac4945b43611c1821fa575af3152b2937b4bc1a77531136780cc4a28f82e9 |
| SHA512 | 8ec536e97d7265f007ad0f99fc8b9eecc9355a63f131b96e8a04e4bd38d3c72e3b80e36e4b1923548bd77eb417c5e0ac6a01d09af23311784a328fbed3c41084 |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\cryptography\hazmat\bindings\_rust.pyd
| MD5 | 486085aac7bb246a173ceea0879230af |
| SHA1 | ef1095843b2a9c6d8285c7d9e8e334a9ce812fae |
| SHA256 | c3964fc08e4ca8bc193f131def6cc4b4724b18073aa0e12fed8b87c2e627dc83 |
| SHA512 | 8a56774a08da0ab9dd561d21febeebc23a5dea6f63d5638ea1b608cd923b857df1f096262865e6ebd56b13efd3bba8d714ffdce8316293229974532c49136460 |
C:\Users\Admin\AppData\Local\Temp\onefile_4688_133770614874476058\_lzma.pyd
| MD5 | e5abc3a72996f8fde0bcf709e6577d9d |
| SHA1 | 15770bdcd06e171f0b868c803b8cf33a8581edd3 |
| SHA256 | 1796038480754a680f33a4e37c8b5673cc86c49281a287dc0c5cae984d0cb4bb |
| SHA512 | b347474dc071f2857e1e16965b43db6518e35915b8168bdeff1ead4dff710a1cc9f04ca0ced23a6de40d717eea375eedb0bf3714daf35de6a77f071db33dfae6 |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_hashlib.pyd
| MD5 | 4255c44dc64f11f32c961bf275aab3a2 |
| SHA1 | c1631b2821a7e8a1783ecfe9a14db453be54c30a |
| SHA256 | e557873d5ad59fd6bd29d0f801ad0651dbb8d9ac21545defe508089e92a15e29 |
| SHA512 | 7d3a306755a123b246f31994cd812e7922943cdbbc9db5a6e4d3372ea434a635ffd3945b5d2046de669e7983ef2845bd007a441d09cfe05cf346523c12bdad52 |
C:\Users\Admin\AppData\Local\Temp\onefile_4688_133770614874476058\libcrypto-1_1.dll
| MD5 | e94733523bcd9a1fb6ac47e10a267287 |
| SHA1 | 94033b405386d04c75ffe6a424b9814b75c608ac |
| SHA256 | f20eb4efd8647b5273fdaafceb8ccb2b8ba5329665878e01986cbfc1e6832c44 |
| SHA512 | 07dd0eb86498497e693da0f9dd08de5b7b09052a2d6754cfbc2aa260e7f56790e6c0a968875f7803cb735609b1e9b9c91a91b84913059c561bffed5ab2cbb29f |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_ssl.pyd
| MD5 | 208b0108172e59542260934a2e7cfa85 |
| SHA1 | 1d7ffb1b1754b97448eb41e686c0c79194d2ab3a |
| SHA256 | 5160500474ec95d4f3af7e467cc70cb37bec1d12545f0299aab6d69cea106c69 |
| SHA512 | 41abf6deab0f6c048967ca6060c337067f9f8125529925971be86681ec0d3592c72b9cc85dd8bdee5dd3e4e69e3bb629710d2d641078d5618b4f55b8a60cc69d |
C:\Users\Admin\AppData\Local\Temp\onefile_4688_133770614874476058\_asyncio.pyd
| MD5 | 79f71c92c850b2d0f5e39128a59054f1 |
| SHA1 | a773e62fa5df1373f08feaa1fb8fa1b6d5246252 |
| SHA256 | 0237739399db629fdd94de209f19ac3c8cd74d48bebe40ad8ea6ac7556a51980 |
| SHA512 | 3fdef4c04e7d89d923182e3e48d4f3d866204e878abcaacff657256f054aeafafdd352b5a55ea3864a090d01169ec67b52c7f944e02247592417d78532cc5171 |
C:\Users\Admin\AppData\Local\Temp\onefile_4688_133770614874476058\yarl\_quoting_c.pyd
| MD5 | 0edc0f96b64523314788745fa2cc7ddd |
| SHA1 | 555a0423ce66c8b0fa5eea45caac08b317d27d68 |
| SHA256 | db5b421e09bf2985fbe4ef5cdf39fc16e2ff0bf88534e8ba86c6b8093da6413f |
| SHA512 | bb0074169e1bd05691e1e39c2e3c8c5fae3a68c04d851c70028452012bb9cb8d19e49cdff34efb72e962ed0a03d418dfbad34b7c9ad032105cf5acd311c1f713 |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\aiohttp\_http_parser.pyd
| MD5 | a7b4711c5ba1866745485abe14101ac7 |
| SHA1 | c37158cbd0fe67f8acd61596f63cf62bd2985431 |
| SHA256 | 6688f3dd5b7efa8008c5ba776f32cecf5b42887b1b9ee21555ae3e0d4f13d2e0 |
| SHA512 | f952ad3c21b649e13e64540713a61db6d49b394ca5d62add7a5fec2186a8d27131ba038d449561b77670d3deb2358a8254e4e205ef20228e27b1eb8234d0e843 |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\pycares\_cares.pyd
| MD5 | e611e5c516fe1c3670353e3427da42b9 |
| SHA1 | a946abdeebe7fa9ccd7ab256c927be5902784e4a |
| SHA256 | b4f41659dc3002f70bc6578801aad771b45f106103441d1e9b4c553c1e50c939 |
| SHA512 | a1c057dbd4b618fdfdd75f70bfe85dbfc6d2a25fed8e74dd5fbf950a02d7470e1f4bfac8ed00a5cdef6a68b8737a156a5a0ea443e826c6b30c94554bd7326b99 |
C:\Users\Admin\AppData\Local\Temp\onefile_4688_133770614874476058\charset_normalizer\md__mypyc.pyd
| MD5 | 2d1f2ffd0fecf96a053043daad99a5df |
| SHA1 | b03d5f889e55e802d3802d0f0caa4d29c538406b |
| SHA256 | 207bbae9ddf8bdd64e65a8d600fe1dd0465f2afcd6dc6e28d4d55887cd6cbd13 |
| SHA512 | 4f7d68f241a7f581e143a010c78113154072c63adff5f200ef67eb34d766d14ce872d53183eb2b96b1895aa9c8d4ca82ee5e61e1c5e655ff5be56970be9ebe3e |
C:\Users\Admin\AppData\Local\Temp\onefile_4688_133770614874476058\charset_normalizer\md.pyd
| MD5 | fa50d9f8bce6bd13652f5090e7b82c4d |
| SHA1 | ee137da302a43c2f46d4323e98ffd46d92cf4bef |
| SHA256 | fff69928dea1432e0c7cb1225ab96f94fd38d5d852de9a6bb8bf30b7d2bedceb |
| SHA512 | 341cec015e74348eab30d86ebb35c028519703006814a2ecd19b9fe5e6fcb05eda6dde0aaf4fe624d254b0d0180ec32adf3b93ee96295f8f0f4c9d4ed27a7c0c |
C:\Users\Admin\AppData\Local\Temp\onefile_4688_133770614874476058\_uuid.pyd
| MD5 | 46e9d7b5d9668c9db5caa48782ca71ba |
| SHA1 | 6bbc83a542053991b57f431dd377940418848131 |
| SHA256 | f6063622c0a0a34468679413d1b18d1f3be67e747696ab972361faed4b8d6735 |
| SHA512 | c5b171ebdb51b1755281c3180b30e88796db8aa96073489613dab96b6959a205846711187266a0ba30782102ce14fbfa4d9f413a2c018494597600482329ebf7 |
C:\Users\Admin\AppData\Local\Temp\onefile_4688_133770614874476058\aiohttp\_websocket.pyd
| MD5 | aa40ac7a7d1d9a10da426701ea49508d |
| SHA1 | bbd083535e20ea00bcc40de7b9e625ff5c74851e |
| SHA256 | b892cbaf1a5b363fb66768194cd4d466916e81981bcb63c2989277114a4b0c10 |
| SHA512 | eaf14159f5f1b70dcb5e6416804f306ec5f4c235abf431a27bc421861117be8c6ec5326c8c703c4c3764b771e5dbac37e6b93ac05f9a632bc83788c476eed8e2 |
C:\Users\Admin\AppData\Local\Temp\onefile_4688_133770614874476058\_brotli.pyd
| MD5 | d9fc15caf72e5d7f9a09b675e309f71d |
| SHA1 | cd2b2465c04c713bc58d1c5de5f8a2e13f900234 |
| SHA256 | 1fcd75b03673904d9471ec03c0ef26978d25135a2026020e679174bdef976dcf |
| SHA512 | 84f705d52bd3e50ac412c8de4086c18100eac33e716954fbcb3519f4225be1f4e1c3643d5a777c76f7112fae30ce428e0ce4c05180a52842dacb1f5514460006 |
C:\Users\Admin\AppData\Local\Temp\onefile_4688_133770614874476058\aiohttp\_http_writer.pyd
| MD5 | 2f2a2b2343549e990419df0977e3fac9 |
| SHA1 | 5724b63e32bda7d36285f79dc9ad57fc97ba5415 |
| SHA256 | 9569b0b501a0235388d075baa4c84e5d571169ac6ce3ae9220cde31a5f208b94 |
| SHA512 | a1b99dcaf01666c3ab9755d55001f3a18344cd70c386ce1b2233b5c6b8248b59d95804b450f9ee9c2f51d6293c4e748b9347540ae3f247418a1673bbd6ef466a |
C:\Users\Admin\AppData\Local\Temp\onefile_4688_133770614874476058\aiohttp\_helpers.pyd
| MD5 | 4b5dcc46170e4ac810a59ca5b7533462 |
| SHA1 | 1eacf60fdfd427909b54f83518612a4638930225 |
| SHA256 | 704cdcfca773ac658b8f84335f29630707c216f739f7fa5970b1be57f13a5b82 |
| SHA512 | c2e5b9b40f267f375234be9a562882faa1a0e82f32a951233464d27879d0b1620099bb800de3e96be277bb3bb44ff421a98a2f0c125f28652c2b6415d0fb4dea |
C:\Users\Admin\AppData\Local\Temp\onefile_4688_133770614874476058\unicodedata.pyd
| MD5 | aa13ee6770452af73828b55af5cd1a32 |
| SHA1 | c01ece61c7623e36a834d8b3c660e7f28c91177e |
| SHA256 | 8fbed20e9225ff82132e97b4fefbb5ddbc10c062d9e3f920a6616ab27bb5b0fb |
| SHA512 | b2eeb9a7d4a32e91084fdae302953aac57388a5390f9404d8dfe5c4a8f66ca2ab73253cf5ba4cc55350d8306230dd1114a61e22c23f42fbcc5c0098046e97e0f |
C:\Users\Admin\AppData\Local\Temp\onefile_4688_133770614874476058\multidict\_multidict.pyd
| MD5 | b92f8efb672c383ab60b971b3c6c87de |
| SHA1 | acb671089a01d7f1db235719c52e6265da0f708f |
| SHA256 | b7376b5d729115a06b1cab60b251df3efc3051ebba31524ea82f0b8db5a49a72 |
| SHA512 | 680663d6c6cd7b9d63160c282f6d38724bd8b8144d15f430b28b417dda0222bfff7afefcb671e863d1b4002b154804b1c8af2d8a28fff11fa94972b207df081b |
C:\Users\Admin\AppData\Local\Temp\onefile_4688_133770614874476058\_overlapped.pyd
| MD5 | e5aceaf21e82253e300c0b78793887a8 |
| SHA1 | c58f78fbbe8713cb00ccdfeb1d8d7359f58ebfde |
| SHA256 | d950342686c959056ff43c9e5127554760fa20669d97166927dd6aae5494e02a |
| SHA512 | 517c29928d6623cf3b2bcdcd68551070d2894874893c0d115a0172d749b6fe102af6261c0fd1b65664f742fa96abbce2f8111a72e1a3c2f574b58b909205937f |
C:\Users\Admin\AppData\Local\Temp\onefile_4688_133770614874476058\libssl-1_1.dll
| MD5 | 25bde25d332383d1228b2e66a4cb9f3e |
| SHA1 | cd5b9c3dd6aab470d445e3956708a324e93a9160 |
| SHA256 | c8f7237e7040a73c2bea567acc9cec373aadd48654aaac6122416e160f08ca13 |
| SHA512 | ca2f2139bb456799c9f98ef8d89fd7c09d1972fa5dd8fc01b14b7af00bf8d2c2175fb2c0c41e49a6daf540e67943aad338e33c1556fd6040ef06e0f25bfa88fa |
C:\Users\Admin\AppData\Local\Temp\onefile_4688_133770614874476058\select.pyd
| MD5 | c97a587e19227d03a85e90a04d7937f6 |
| SHA1 | 463703cf1cac4e2297b442654fc6169b70cfb9bf |
| SHA256 | c4aa9a106381835cfb5f9badfb9d77df74338bc66e69183757a5a3774ccdaccf |
| SHA512 | 97784363f3b0b794d2f9fd6a2c862d64910c71591006a34eedff989ecca669ac245b3dfe68eaa6da621209a3ab61d36e9118ebb4be4c0e72ce80fab7b43bde12 |
C:\Users\Admin\AppData\Local\Temp\onefile_4688_133770614874476058\_socket.pyd
| MD5 | 1eea9568d6fdef29b9963783827f5867 |
| SHA1 | a17760365094966220661ad87e57efe09cd85b84 |
| SHA256 | 74181072392a3727049ea3681fe9e59516373809ced53e08f6da7c496b76e117 |
| SHA512 | d9443b70fcdc4d0ea1cb93a88325012d3f99db88c36393a7ded6d04f590e582f7f1640d8b153fe3c5342fa93802a8374f03f6cd37dd40cdbb5ade2e07fad1e09 |
C:\Users\Admin\AppData\Local\Temp\onefile_4688_133770614874476058\_cffi_backend.pyd
| MD5 | fde9a1d6590026a13e81712cd2f23522 |
| SHA1 | ca99a48caea0dbaccf4485afd959581f014277ed |
| SHA256 | 16eccc4baf6cf4ab72acd53c72a1f2b04d952e07e385e9050a933e78074a7d5b |
| SHA512 | a522661f5c3eeea89a39df8bbb4d23e6428c337aac1d231d32b39005ea8810fce26af18454586e0e94e51ea4ac0e034c88652c1c09b1ed588aeac461766981f4 |
C:\Users\Admin\AppData\Local\Temp\onefile_4688_133770614874476058\python3.dll
| MD5 | b711598fc3ed0fe4cf2c7f3e0877979e |
| SHA1 | 299c799e5d697834aa2447d8a313588ab5c5e433 |
| SHA256 | 520169aa6cf49d7ee724d1178de1be0e809e4bdcf671e06f3d422a0dd5fd294a |
| SHA512 | b3d59eff5e38cef651c9603971bde77be7231ea8b7bdb444259390a8a9e452e107a0b6cb9cc93e37fd3b40afb2ba9e67217d648bfca52f7cdc4b60c7493b6b84 |
memory/1816-115-0x0000024509170000-0x0000024509171000-memory.dmp
memory/1816-114-0x0000024509170000-0x0000024509171000-memory.dmp
memory/1816-113-0x0000024509170000-0x0000024509171000-memory.dmp
memory/1816-125-0x0000024509170000-0x0000024509171000-memory.dmp
memory/1816-124-0x0000024509170000-0x0000024509171000-memory.dmp
memory/1816-123-0x0000024509170000-0x0000024509171000-memory.dmp
memory/1816-122-0x0000024509170000-0x0000024509171000-memory.dmp
memory/1816-121-0x0000024509170000-0x0000024509171000-memory.dmp
memory/1816-120-0x0000024509170000-0x0000024509171000-memory.dmp
memory/1816-119-0x0000024509170000-0x0000024509171000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0dmp4m53.zof.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/400-175-0x000001FA5BC30000-0x000001FA5BC52000-memory.dmp
memory/4256-183-0x0000029EF9290000-0x0000029EF9291000-memory.dmp
memory/4256-184-0x0000029EF9290000-0x0000029EF9291000-memory.dmp
memory/4256-182-0x0000029EF9290000-0x0000029EF9291000-memory.dmp
memory/4256-191-0x0000029EF9290000-0x0000029EF9291000-memory.dmp
memory/4256-190-0x0000029EF9290000-0x0000029EF9291000-memory.dmp
memory/4256-189-0x0000029EF9290000-0x0000029EF9291000-memory.dmp
memory/4256-188-0x0000029EF9290000-0x0000029EF9291000-memory.dmp
memory/4256-187-0x0000029EF9290000-0x0000029EF9291000-memory.dmp
memory/4256-186-0x0000029EF9290000-0x0000029EF9291000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-26 02:24
Reported
2024-11-26 02:27
Platform
win11-20241007-en
Max time kernel
103s
Max time network
107s
Command Line
Signatures
Exela Stealer
Exelastealer family
Grants admin privileges
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Clipboard Data
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\onefile_2848_133770614863537897\RuntimeBrokerVers.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Discord Update Service = "C:\\Users\\Admin\\AppData\\Local\\scriptkidUpdate\\scriptkid.exe" | C:\Windows\system32\reg.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Network Service Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\ARP.EXE | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Hide Artifacts: Hidden Files and Directories
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Browser Information Discovery
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
Permission Groups Discovery: Local Groups
System Network Configuration Discovery: Wi-Fi Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
System Network Connections Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NETSTAT.EXE | N/A |
Collects information from the system
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Detects videocard installed
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\ipconfig.exe | N/A |
| N/A | N/A | C:\Windows\system32\NETSTAT.EXE | N/A |
Gathers system information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\systeminfo.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\onefile_2848_133770614863537897\RuntimeBrokerVers.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\fantafn.exe
"C:\Users\Admin\AppData\Local\Temp\fantafn.exe"
C:\Users\Admin\AppData\Local\Temp\onefile_2848_133770614863537897\RuntimeBrokerVers.exe
"C:\Users\Admin\AppData\Local\Temp\fantafn.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "gdb --version"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist"
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get Manufacturer
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"
C:\Windows\System32\Wbem\WMIC.exe
wmic path Win32_ComputerSystem get Manufacturer
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\scriptkidUpdate\scriptkid.exe""
C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\scriptkidUpdate\scriptkid.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Discord Update Service" /t REG_SZ /d "C:\Users\Admin\AppData\Local\scriptkidUpdate\scriptkid.exe" /f"
C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Discord Update Service" /t REG_SZ /d "C:\Users\Admin\AppData\Local\scriptkidUpdate\scriptkid.exe" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist"
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
C:\Windows\system32\cmd.exe
cmd.exe /c chcp
C:\Windows\system32\chcp.com
chcp
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Clipboard
C:\Windows\system32\cmd.exe
cmd.exe /c chcp
C:\Windows\system32\chcp.com
chcp
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
C:\Windows\system32\systeminfo.exe
systeminfo
C:\Windows\system32\netsh.exe
netsh wlan show profiles
C:\Windows\system32\HOSTNAME.EXE
hostname
C:\Windows\System32\Wbem\WMIC.exe
wmic logicaldisk get caption,description,providername
C:\Windows\system32\net.exe
net user
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user
C:\Windows\system32\query.exe
query user
C:\Windows\system32\quser.exe
"C:\Windows\system32\quser.exe"
C:\Windows\system32\net.exe
net localgroup
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup
C:\Windows\system32\net.exe
net localgroup administrators
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup administrators
C:\Windows\system32\net.exe
net user guest
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user guest
C:\Windows\system32\net.exe
net user administrator
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user administrator
C:\Windows\System32\Wbem\WMIC.exe
wmic startup get caption,command
C:\Windows\system32\tasklist.exe
tasklist /svc
C:\Windows\system32\ipconfig.exe
ipconfig /all
C:\Windows\system32\ROUTE.EXE
route print
C:\Windows\system32\ARP.EXE
arp -a
C:\Windows\system32\NETSTAT.EXE
netstat -ano
C:\Windows\system32\sc.exe
sc query type= service state= all
C:\Windows\system32\netsh.exe
netsh firewall show state
C:\Windows\system32\netsh.exe
netsh firewall show config
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | geolocation-db.com | udp |
| DE | 159.89.102.253:443 | geolocation-db.com | tcp |
| DE | 159.89.102.253:443 | geolocation-db.com | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 253.102.89.159.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.138.159.162.in-addr.arpa | udp |
| N/A | 127.0.0.1:49879 | N/A | tcp |
| N/A | 127.0.0.1:49884 | N/A | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| N/A | 127.0.0.1:49893 | N/A | tcp |
| N/A | 127.0.0.1:49898 | N/A | tcp |
| N/A | 127.0.0.1:49902 | N/A | tcp |
| N/A | 127.0.0.1:49904 | N/A | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| FR | 45.112.123.126:443 | api.gofile.io | tcp |
| FR | 45.112.123.227:443 | store1.gofile.io | tcp |
| GB | 23.62.195.195:443 | cxcs.microsoft.net | tcp |
| GB | 2.18.27.82:443 | www.bing.com | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| N/A | 127.0.0.1:49978 | N/A | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| FR | 45.112.123.126:443 | api.gofile.io | tcp |
| FR | 45.112.123.227:443 | store1.gofile.io | tcp |
| N/A | 127.0.0.1:49981 | N/A | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\onefile_2848_133770614863537897\RuntimeBrokerVers.exe
| MD5 | 4210339142ccd774ee8011ae1784cf71 |
| SHA1 | 8ef93cf8ef23af2b0fa4350aecd262c46ec01c6c |
| SHA256 | 64d0d6f1b1755a040d9cd820bf0f8ab227ead7a1a9acea24481a04d44ba3014c |
| SHA512 | 3ea656a952f3fdd97bb5827d6de9cbb88edda9766d440a9ce0a82d2ca2198e06bfd9d51b209952c0f2955af307c62aad8139d2d55a3765ef6581f3151ca8a3d6 |
C:\Users\Admin\AppData\Local\Temp\onefile_2848_133770614863537897\python311.dll
| MD5 | 5a5dd7cad8028097842b0afef45bfbcf |
| SHA1 | e247a2e460687c607253949c52ae2801ff35dc4a |
| SHA256 | a811c7516f531f1515d10743ae78004dd627eba0dc2d3bc0d2e033b2722043ce |
| SHA512 | e6268e4fad2ce3ef16b68298a57498e16f0262bf3531539ad013a66f72df471569f94c6fcc48154b7c3049a3ad15cbfcbb6345dacb4f4ed7d528c74d589c9858 |
C:\Users\Admin\AppData\Local\Temp\onefile_2848_133770614863537897\VCRUNTIME140.dll
| MD5 | 4585a96cc4eef6aafd5e27ea09147dc6 |
| SHA1 | 489cfff1b19abbec98fda26ac8958005e88dd0cb |
| SHA256 | a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736 |
| SHA512 | d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286 |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_ctypes.pyd
| MD5 | bd36f7d64660d120c6fb98c8f536d369 |
| SHA1 | 6829c9ce6091cb2b085eb3d5469337ac4782f927 |
| SHA256 | ee543453ac1a2b9b52e80dc66207d3767012ca24ce2b44206804767f37443902 |
| SHA512 | bd15f6d4492ddbc89fcbadba07fc10aa6698b13030dd301340b5f1b02b74191faf9b3dcf66b72ecf96084656084b531034ea5cadc1dd333ef64afb69a1d1fd56 |
C:\Users\Admin\AppData\Local\Temp\onefile_2848_133770614863537897\libffi-8.dll
| MD5 | 0f8e4992ca92baaf54cc0b43aaccce21 |
| SHA1 | c7300975df267b1d6adcbac0ac93fd7b1ab49bd2 |
| SHA256 | eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a |
| SHA512 | 6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978 |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_lzma.pyd
| MD5 | e5abc3a72996f8fde0bcf709e6577d9d |
| SHA1 | 15770bdcd06e171f0b868c803b8cf33a8581edd3 |
| SHA256 | 1796038480754a680f33a4e37c8b5673cc86c49281a287dc0c5cae984d0cb4bb |
| SHA512 | b347474dc071f2857e1e16965b43db6518e35915b8168bdeff1ead4dff710a1cc9f04ca0ced23a6de40d717eea375eedb0bf3714daf35de6a77f071db33dfae6 |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_sqlite3.pyd
| MD5 | d7b9ed5f37519b68750ecb5defb8e957 |
| SHA1 | 661cf73707e02d2837f914adc149b61a120dda7d |
| SHA256 | 2ce63e16df518ae178de0940505ff1b11da97a5b175fe2a0d355b2ee351c55fd |
| SHA512 | f04708c28feb54f355d977e462245b183a0b50f4db6926c767e8f1499e83e910b05a3023b84d398fb5dd87743fe6146dbbc3e1caaed5351c27396f16746c6d6b |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\sqlite3.dll
| MD5 | 08d50fd2b635972dc84a6fb6fc581c06 |
| SHA1 | 4bcfc96a1aad74f7ab11596788acb9a8d1126064 |
| SHA256 | bb5ac4945b43611c1821fa575af3152b2937b4bc1a77531136780cc4a28f82e9 |
| SHA512 | 8ec536e97d7265f007ad0f99fc8b9eecc9355a63f131b96e8a04e4bd38d3c72e3b80e36e4b1923548bd77eb417c5e0ac6a01d09af23311784a328fbed3c41084 |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\cryptography\hazmat\bindings\_rust.pyd
| MD5 | 486085aac7bb246a173ceea0879230af |
| SHA1 | ef1095843b2a9c6d8285c7d9e8e334a9ce812fae |
| SHA256 | c3964fc08e4ca8bc193f131def6cc4b4724b18073aa0e12fed8b87c2e627dc83 |
| SHA512 | 8a56774a08da0ab9dd561d21febeebc23a5dea6f63d5638ea1b608cd923b857df1f096262865e6ebd56b13efd3bba8d714ffdce8316293229974532c49136460 |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_cffi_backend.pyd
| MD5 | fde9a1d6590026a13e81712cd2f23522 |
| SHA1 | ca99a48caea0dbaccf4485afd959581f014277ed |
| SHA256 | 16eccc4baf6cf4ab72acd53c72a1f2b04d952e07e385e9050a933e78074a7d5b |
| SHA512 | a522661f5c3eeea89a39df8bbb4d23e6428c337aac1d231d32b39005ea8810fce26af18454586e0e94e51ea4ac0e034c88652c1c09b1ed588aeac461766981f4 |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_hashlib.pyd
| MD5 | 4255c44dc64f11f32c961bf275aab3a2 |
| SHA1 | c1631b2821a7e8a1783ecfe9a14db453be54c30a |
| SHA256 | e557873d5ad59fd6bd29d0f801ad0651dbb8d9ac21545defe508089e92a15e29 |
| SHA512 | 7d3a306755a123b246f31994cd812e7922943cdbbc9db5a6e4d3372ea434a635ffd3945b5d2046de669e7983ef2845bd007a441d09cfe05cf346523c12bdad52 |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libcrypto-1_1.dll
| MD5 | e94733523bcd9a1fb6ac47e10a267287 |
| SHA1 | 94033b405386d04c75ffe6a424b9814b75c608ac |
| SHA256 | f20eb4efd8647b5273fdaafceb8ccb2b8ba5329665878e01986cbfc1e6832c44 |
| SHA512 | 07dd0eb86498497e693da0f9dd08de5b7b09052a2d6754cfbc2aa260e7f56790e6c0a968875f7803cb735609b1e9b9c91a91b84913059c561bffed5ab2cbb29f |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_socket.pyd
| MD5 | 1eea9568d6fdef29b9963783827f5867 |
| SHA1 | a17760365094966220661ad87e57efe09cd85b84 |
| SHA256 | 74181072392a3727049ea3681fe9e59516373809ced53e08f6da7c496b76e117 |
| SHA512 | d9443b70fcdc4d0ea1cb93a88325012d3f99db88c36393a7ded6d04f590e582f7f1640d8b153fe3c5342fa93802a8374f03f6cd37dd40cdbb5ade2e07fad1e09 |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libssl-1_1.dll
| MD5 | 25bde25d332383d1228b2e66a4cb9f3e |
| SHA1 | cd5b9c3dd6aab470d445e3956708a324e93a9160 |
| SHA256 | c8f7237e7040a73c2bea567acc9cec373aadd48654aaac6122416e160f08ca13 |
| SHA512 | ca2f2139bb456799c9f98ef8d89fd7c09d1972fa5dd8fc01b14b7af00bf8d2c2175fb2c0c41e49a6daf540e67943aad338e33c1556fd6040ef06e0f25bfa88fa |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_asyncio.pyd
| MD5 | 79f71c92c850b2d0f5e39128a59054f1 |
| SHA1 | a773e62fa5df1373f08feaa1fb8fa1b6d5246252 |
| SHA256 | 0237739399db629fdd94de209f19ac3c8cd74d48bebe40ad8ea6ac7556a51980 |
| SHA512 | 3fdef4c04e7d89d923182e3e48d4f3d866204e878abcaacff657256f054aeafafdd352b5a55ea3864a090d01169ec67b52c7f944e02247592417d78532cc5171 |
C:\Users\Admin\AppData\Local\Temp\onefile_2848_133770614863537897\yarl\_quoting_c.pyd
| MD5 | 0edc0f96b64523314788745fa2cc7ddd |
| SHA1 | 555a0423ce66c8b0fa5eea45caac08b317d27d68 |
| SHA256 | db5b421e09bf2985fbe4ef5cdf39fc16e2ff0bf88534e8ba86c6b8093da6413f |
| SHA512 | bb0074169e1bd05691e1e39c2e3c8c5fae3a68c04d851c70028452012bb9cb8d19e49cdff34efb72e962ed0a03d418dfbad34b7c9ad032105cf5acd311c1f713 |
C:\Users\Admin\AppData\Local\Temp\onefile_2848_133770614863537897\_brotli.pyd
| MD5 | d9fc15caf72e5d7f9a09b675e309f71d |
| SHA1 | cd2b2465c04c713bc58d1c5de5f8a2e13f900234 |
| SHA256 | 1fcd75b03673904d9471ec03c0ef26978d25135a2026020e679174bdef976dcf |
| SHA512 | 84f705d52bd3e50ac412c8de4086c18100eac33e716954fbcb3519f4225be1f4e1c3643d5a777c76f7112fae30ce428e0ce4c05180a52842dacb1f5514460006 |
C:\Users\Admin\AppData\Local\Temp\onefile_2848_133770614863537897\charset_normalizer\md__mypyc.pyd
| MD5 | 2d1f2ffd0fecf96a053043daad99a5df |
| SHA1 | b03d5f889e55e802d3802d0f0caa4d29c538406b |
| SHA256 | 207bbae9ddf8bdd64e65a8d600fe1dd0465f2afcd6dc6e28d4d55887cd6cbd13 |
| SHA512 | 4f7d68f241a7f581e143a010c78113154072c63adff5f200ef67eb34d766d14ce872d53183eb2b96b1895aa9c8d4ca82ee5e61e1c5e655ff5be56970be9ebe3e |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\pycares\_cares.pyd
| MD5 | e611e5c516fe1c3670353e3427da42b9 |
| SHA1 | a946abdeebe7fa9ccd7ab256c927be5902784e4a |
| SHA256 | b4f41659dc3002f70bc6578801aad771b45f106103441d1e9b4c553c1e50c939 |
| SHA512 | a1c057dbd4b618fdfdd75f70bfe85dbfc6d2a25fed8e74dd5fbf950a02d7470e1f4bfac8ed00a5cdef6a68b8737a156a5a0ea443e826c6b30c94554bd7326b99 |
C:\Users\Admin\AppData\Local\Temp\onefile_2848_133770614863537897\charset_normalizer\md.pyd
| MD5 | fa50d9f8bce6bd13652f5090e7b82c4d |
| SHA1 | ee137da302a43c2f46d4323e98ffd46d92cf4bef |
| SHA256 | fff69928dea1432e0c7cb1225ab96f94fd38d5d852de9a6bb8bf30b7d2bedceb |
| SHA512 | 341cec015e74348eab30d86ebb35c028519703006814a2ecd19b9fe5e6fcb05eda6dde0aaf4fe624d254b0d0180ec32adf3b93ee96295f8f0f4c9d4ed27a7c0c |
C:\Users\Admin\AppData\Local\Temp\onefile_2848_133770614863537897\_uuid.pyd
| MD5 | 46e9d7b5d9668c9db5caa48782ca71ba |
| SHA1 | 6bbc83a542053991b57f431dd377940418848131 |
| SHA256 | f6063622c0a0a34468679413d1b18d1f3be67e747696ab972361faed4b8d6735 |
| SHA512 | c5b171ebdb51b1755281c3180b30e88796db8aa96073489613dab96b6959a205846711187266a0ba30782102ce14fbfa4d9f413a2c018494597600482329ebf7 |
C:\Users\Admin\AppData\Local\Temp\onefile_2848_133770614863537897\aiohttp\_websocket.pyd
| MD5 | aa40ac7a7d1d9a10da426701ea49508d |
| SHA1 | bbd083535e20ea00bcc40de7b9e625ff5c74851e |
| SHA256 | b892cbaf1a5b363fb66768194cd4d466916e81981bcb63c2989277114a4b0c10 |
| SHA512 | eaf14159f5f1b70dcb5e6416804f306ec5f4c235abf431a27bc421861117be8c6ec5326c8c703c4c3764b771e5dbac37e6b93ac05f9a632bc83788c476eed8e2 |
C:\Users\Admin\AppData\Local\Temp\onefile_2848_133770614863537897\aiohttp\_http_parser.pyd
| MD5 | a7b4711c5ba1866745485abe14101ac7 |
| SHA1 | c37158cbd0fe67f8acd61596f63cf62bd2985431 |
| SHA256 | 6688f3dd5b7efa8008c5ba776f32cecf5b42887b1b9ee21555ae3e0d4f13d2e0 |
| SHA512 | f952ad3c21b649e13e64540713a61db6d49b394ca5d62add7a5fec2186a8d27131ba038d449561b77670d3deb2358a8254e4e205ef20228e27b1eb8234d0e843 |
C:\Users\Admin\AppData\Local\Temp\onefile_2848_133770614863537897\aiohttp\_http_writer.pyd
| MD5 | 2f2a2b2343549e990419df0977e3fac9 |
| SHA1 | 5724b63e32bda7d36285f79dc9ad57fc97ba5415 |
| SHA256 | 9569b0b501a0235388d075baa4c84e5d571169ac6ce3ae9220cde31a5f208b94 |
| SHA512 | a1b99dcaf01666c3ab9755d55001f3a18344cd70c386ce1b2233b5c6b8248b59d95804b450f9ee9c2f51d6293c4e748b9347540ae3f247418a1673bbd6ef466a |
C:\Users\Admin\AppData\Local\Temp\onefile_2848_133770614863537897\aiohttp\_helpers.pyd
| MD5 | 4b5dcc46170e4ac810a59ca5b7533462 |
| SHA1 | 1eacf60fdfd427909b54f83518612a4638930225 |
| SHA256 | 704cdcfca773ac658b8f84335f29630707c216f739f7fa5970b1be57f13a5b82 |
| SHA512 | c2e5b9b40f267f375234be9a562882faa1a0e82f32a951233464d27879d0b1620099bb800de3e96be277bb3bb44ff421a98a2f0c125f28652c2b6415d0fb4dea |
C:\Users\Admin\AppData\Local\Temp\onefile_2848_133770614863537897\unicodedata.pyd
| MD5 | aa13ee6770452af73828b55af5cd1a32 |
| SHA1 | c01ece61c7623e36a834d8b3c660e7f28c91177e |
| SHA256 | 8fbed20e9225ff82132e97b4fefbb5ddbc10c062d9e3f920a6616ab27bb5b0fb |
| SHA512 | b2eeb9a7d4a32e91084fdae302953aac57388a5390f9404d8dfe5c4a8f66ca2ab73253cf5ba4cc55350d8306230dd1114a61e22c23f42fbcc5c0098046e97e0f |
C:\Users\Admin\AppData\Local\Temp\onefile_2848_133770614863537897\multidict\_multidict.pyd
| MD5 | b92f8efb672c383ab60b971b3c6c87de |
| SHA1 | acb671089a01d7f1db235719c52e6265da0f708f |
| SHA256 | b7376b5d729115a06b1cab60b251df3efc3051ebba31524ea82f0b8db5a49a72 |
| SHA512 | 680663d6c6cd7b9d63160c282f6d38724bd8b8144d15f430b28b417dda0222bfff7afefcb671e863d1b4002b154804b1c8af2d8a28fff11fa94972b207df081b |
C:\Users\Admin\AppData\Local\Temp\onefile_2848_133770614863537897\_overlapped.pyd
| MD5 | e5aceaf21e82253e300c0b78793887a8 |
| SHA1 | c58f78fbbe8713cb00ccdfeb1d8d7359f58ebfde |
| SHA256 | d950342686c959056ff43c9e5127554760fa20669d97166927dd6aae5494e02a |
| SHA512 | 517c29928d6623cf3b2bcdcd68551070d2894874893c0d115a0172d749b6fe102af6261c0fd1b65664f742fa96abbce2f8111a72e1a3c2f574b58b909205937f |
C:\Users\Admin\AppData\Local\Temp\onefile_2848_133770614863537897\_ssl.pyd
| MD5 | 208b0108172e59542260934a2e7cfa85 |
| SHA1 | 1d7ffb1b1754b97448eb41e686c0c79194d2ab3a |