Malware Analysis Report

2025-08-05 23:18

Sample ID: 250115-2ymdasynay
Target: Webhook_Troller.exe
SHA256: 0384c9a6a82b4cd4989eb8a63bada67a1eefe86c26e34e2cb8e2768dbb8c04b0
Tags: blankgrabber upx collection credential_access discovery execution pyinstaller spyware stealer
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 10/10

SHA256: 0384c9a6a82b4cd4989eb8a63bada67a1eefe86c26e34e2cb8e2768dbb8c04b0

Threat Level: Known bad

The file Webhook_Troller.exe was found to be: Known bad.

Malicious Activity Summary

blankgrabber upx collection credential_access discovery execution pyinstaller spyware stealer

A stealer written in Python and packaged with Pyinstaller

Blankgrabber family

Command and Scripting Interpreter: PowerShell

Loads dropped DLL

Executes dropped EXE

Unsecured Credentials: Credentials In Files

Reads user/profile data of web browsers

Clipboard Data

Accesses cryptocurrency files/wallets, possible credential harvesting

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Enumerates processes with tasklist

UPX packed file

Enumerates physical storage devices

Detects Pyinstaller

Gathers system information

Suspicious use of AdjustPrivilegeToken

Detects videocard installed

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-01-15 22:59

Signatures

A stealer written in Python and packaged with Pyinstaller

(static match; no indicator, process or target recorded)

Blankgrabber family

blankgrabber
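The two static signatures above ("A stealer written in Python and packaged with Pyinstaller", and the "pyinstaller" and "upx" tags) rest on two byte-level checks that are easy to reproduce offline. The script below is an added example, not the sandbox's own detection logic: it searches a file for the PyInstaller CArchive cookie (magic `MEI\x0c\x0b\x0a\x0b\x0e`, followed by a big-endian header naming the bundled Python DLL) and for the section names and `UPX!` marker that stock UPX leaves in a packed PE. The demo buffer it builds is constructed for the example and is shaped to match what this report shows at runtime: a python313.dll extracted into a `_MEIxxxxx` directory, which is PyInstaller's onefile behaviour. The UPX check is a heuristic (a modified UPX build can rename its sections); the cookie is the stronger indicator.

```python
"""Static checks for PyInstaller onefile and UPX packing (added example)."""
import struct

# PyInstaller CArchive cookie: magic, package length, TOC offset, TOC length,
# Python version, bundled Python DLL name. All integers are big-endian.
PYI_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
PYI_COOKIE_FMT = "!8sIIii64s"
PYI_COOKIE_SIZE = struct.calcsize(PYI_COOKIE_FMT)  # 88 bytes
# Section names stock UPX writes, plus the "UPX!" header marker.
UPX_MARKERS = (b"UPX0", b"UPX1", b"UPX!")


def parse_pyinstaller_cookie(data):
    """Locate and decode the last PyInstaller cookie in a byte string, or return None."""
    idx = data.rfind(PYI_MAGIC)
    if idx < 0 or idx + PYI_COOKIE_SIZE > len(data):
        return None
    magic, pkg_len, toc_off, toc_len, pyver, pylib = struct.unpack(
        PYI_COOKIE_FMT, data[idx:idx + PYI_COOKIE_SIZE])
    # 3.13 is stored as 313; builds for Python < 3.10 stored two digits (e.g. 39).
    major, minor = divmod(pyver, 100) if pyver >= 100 else divmod(pyver, 10)
    return {
        "python_version": f"{major}.{minor}",
        "python_lib": pylib.rstrip(b"\x00").decode("ascii", "replace"),
        "archive_len": pkg_len,
        "toc_offset": toc_off,
        "toc_len": toc_len,
        "cookie_offset": idx,
    }


def has_upx_markers(data):
    """Heuristic UPX check: any of the UPX section names or the UPX! marker present."""
    return any(marker in data for marker in UPX_MARKERS)


def scan_bytes(data):
    """Combine both checks into the verdict a triage script would record."""
    cookie = parse_pyinstaller_cookie(data)
    return {"pyinstaller": cookie is not None, "upx": has_upx_markers(data), "cookie": cookie}


def scan_file(path):
    """Run the checks against a file on disk (the real use of this script)."""
    with open(path, "rb") as fh:
        return scan_bytes(fh.read())


def build_demo_sample():
    """Constructed stand-in for a UPX-packed PyInstaller onefile: a stub with UPX
    section names, a fake payload and TOC, then a cookie naming python313.dll."""
    stub = (b"MZ" + b"\x00" * 62 + b"PE\x00\x00"
            + b"UPX0" + b"\x00" * 4 + b"UPX1" + b"\x00" * 4 + b"UPX!" + b"\x00" * 64)
    payload = b"\x00" * 256          # stand-in for the compressed bundled files
    toc = b"\x00" * 32               # stand-in for the table of contents
    pkg_len = len(payload) + len(toc) + PYI_COOKIE_SIZE
    cookie = struct.pack(PYI_COOKIE_FMT, PYI_MAGIC, pkg_len,
                         len(payload), len(toc), 313, b"python313.dll")
    return stub + payload + toc + cookie


if __name__ == "__main__":
    print(scan_bytes(build_demo_sample()))
```

For a real sample, `scan_file("Webhook_Troller.exe")` reports the Python version and DLL name without running anything; the `python_lib` value is what the extraction directory will contain, which is how the dropped `python313.dll` in the behavioural runs below ties back to the static verdict.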

Analysis: behavioral1

Detonation Overview

Submitted

2025-01-15 22:59

Reported

2025-01-15 23:02

Platform

win7-20240903-en

Max time kernel

122s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Webhook_Troller.exe"

Signatures

Loads dropped DLL

Process: C:\Users\Admin\AppData\Local\Temp\Webhook_Troller.exe (1 event; no indicator or target recorded)

UPX packed file

upx
2 matches (no indicator, process or target recorded)

Processes

C:\Users\Admin\AppData\Local\Temp\Webhook_Troller.exe

"C:\Users\Admin\AppData\Local\Temp\Webhook_Troller.exe"

C:\Users\Admin\AppData\Local\Temp\Webhook_Troller.exe

"C:\Users\Admin\AppData\Local\Temp\Webhook_Troller.exe"

Network

N/A (no traffic recorded). This Windows 7 run produced only the two Webhook_Troller.exe processes, a dropped python313.dll and no child processes; CPython 3.13 does not run on Windows 7, so the absence of any further behaviour is consistent with the Python payload never starting. Use the Windows 10 run (behavioral2) for the sample's actual behaviour.

Files

C:\Users\Admin\AppData\Local\Temp\_MEI27922\python313.dll

MD5 6ef5d2f77064df6f2f47af7ee4d44f0f
SHA1 0003946454b107874aa31839d41edcda1c77b0af
SHA256 ab7c640f044d2eb7f4f0a4dfe5e719dfd9e5fcd769943233f5cece436870e367
SHA512 1662cc02635d63b8114b41d11ec30a2af4b0b60209196aac937c2a608588fee47c6e93163ea6bf958246c32759ac5c82a712ea3d690e796e2070ac0ff9104266

memory/1916-24-0x000007FEF6040000-0x000007FEF66A3000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-01-15 22:59

Reported

2025-01-15 23:02

Platform

win10v2004-20241007-en

Max time kernel

146s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Webhook_Troller.exe"

Signatures

Clipboard Data

collection
Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Loads dropped DLL

Process: C:\Users\Admin\AppData\Local\Temp\Webhook_Troller.exe (17 events)
Process: C:\Users\Admin\AppData\Local\Temp\bound.exe (23 events)
(no indicator or target recorded for any event)

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
N/A discord.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates processes with tasklist

discovery
Process: C:\Windows\system32\tasklist.exe (4 events; no indicator or target recorded)

UPX packed file

upx
57 matches (no indicator, process or target recorded for any of them)

Detects Pyinstaller

pyinstaller
(no indicator, process or target recorded)

Enumerates physical storage devices

Detects videocard installed

Process: C:\Windows\System32\Wbem\WMIC.exe (3 events; no indicator or target recorded)

Gathers system information

Description Indicator Process Target
N/A N/A C:\Windows\system32\systeminfo.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (logged 3 times)
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A (three WMIC instances, same sequence each time; the log for the third stops after 33)

Reading this table: the WMIC rows are WMIC enabling every privilege already present in its token at startup, so they describe the elevated sandbox user (Admin) rather than anything the sample did. The numbered entries are privilege LUIDs 33 to 36 (SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege, SeDelegateSessionUserImpersonatePrivilege). tasklist.exe enables SeDebugPrivilege to enumerate processes it does not own. The useful signal is which tools the sample launched, which the Processes section below shows.

Suspicious use of WriteProcessMemory

Description Indicator Process Target
Every parent/child relation below was logged twice (two writes per child); the duplicates are collapsed here and the rows ordered as a process tree. Paths abbreviated: Webhook_Troller.exe and bound.exe live in C:\Users\Admin\AppData\Local\Temp\; cmd.exe, tasklist.exe and reg.exe in C:\Windows\system32\; powershell.exe is C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; WMIC.exe is C:\Windows\System32\Wbem\WMIC.exe.

PID 4024 wrote to memory of 4356 N/A Webhook_Troller.exe Webhook_Troller.exe (PyInstaller bootloader parent and the child that runs the Python payload; 4356 is the process the memory dumps below belong to)
PID 4356 wrote to memory of 552, 1472, 1400, 4528, 2388, 3200, 3304, 2128, 864, 4048, 1280, 2496, 3196, 4736, 1236, 1788, 4668, 4168 N/A Webhook_Troller.exe cmd.exe (18 cmd.exe children, one per command in the Processes section)
PID 552 wrote to memory of 1196 N/A cmd.exe powershell.exe
PID 1472 wrote to memory of 976 N/A cmd.exe powershell.exe
PID 1400 wrote to memory of 1116 N/A cmd.exe powershell.exe
PID 1280 wrote to memory of 4112 N/A cmd.exe powershell.exe
PID 2388 wrote to memory of 2784 N/A cmd.exe tasklist.exe
PID 3200 wrote to memory of 1836 N/A cmd.exe WMIC.exe
PID 864 wrote to memory of 4020 N/A cmd.exe WMIC.exe
PID 4048 wrote to memory of 5080 N/A cmd.exe WMIC.exe
PID 3304 wrote to memory of 924 N/A cmd.exe reg.exe
PID 2128 wrote to memory of 4828 N/A cmd.exe reg.exe
PID 4528 wrote to memory of 2464 N/A cmd.exe bound.exe
PID 2464 wrote to memory of 1300 N/A bound.exe bound.exe (the same parent/child self-spawn pattern as Webhook_Troller.exe)
PID 1300 wrote to memory of 4752 N/A bound.exe cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Webhook_Troller.exe

"C:\Users\Admin\AppData\Local\Temp\Webhook_Troller.exe"

C:\Users\Admin\AppData\Local\Temp\Webhook_Troller.exe

"C:\Users\Admin\AppData\Local\Temp\Webhook_Troller.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Webhook_Troller.exe'"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "start bound.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Webhook_Troller.exe'

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Users\Admin\AppData\Local\Temp\bound.exe

bound.exe

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"

C:\Windows\system32\reg.exe

REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"

C:\Windows\system32\reg.exe

REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"

C:\Users\Admin\AppData\Local\Temp\bound.exe

bound.exe

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\   ‏ .scr'"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\   ‏ .scr'

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "systeminfo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c title WEBHOOK Tool

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\System32\Wbem\WMIC.exe

WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\systeminfo.exe

systeminfo

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "getmac"

C:\Windows\system32\getmac.exe

getmac

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI40242\rar.exe a -r -hp"Brdd6010" "C:\Users\Admin\AppData\Local\Temp\ljV29.zip" *"

C:\Users\Admin\AppData\Local\Temp\_MEI40242\rar.exe

C:\Users\Admin\AppData\Local\Temp\_MEI40242\rar.exe a -r -hp"Brdd6010" "C:\Users\Admin\AppData\Local\Temp\ljV29.zip" *

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic os get Caption"

C:\Windows\System32\Wbem\WMIC.exe

wmic os get Caption

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"

C:\Windows\System32\Wbem\WMIC.exe

wmic computersystem get totalphysicalmemory

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
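The process list above is the most reusable part of this report: every action the sample takes is a `cmd.exe /c` wrapper around a stock Windows tool, so the command lines themselves are the detection surface. A few points a responder should read out of them before writing rules. The `Set-MpPreference` line turns off real-time, script and IOAV scanning, cloud reporting and sample submission, and `MpCmdRun.exe -RemoveDefinitions -All` then deletes the signature set; all of that requires an elevated token (the sandbox user is Admin) and is rejected outright on a host with Defender Tamper Protection enabled, so its success here says as much about the sandbox as about the sample. The three `Add-MpPreference -ExclusionPath` calls name the dropper, the dropped `bound.exe`, and a `.scr` file in the all-users Startup folder, which is the persistence location to check. `REG QUERY ...\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000` reads the first display adapter's driver description and provider (that GUID is the Display adapters device class), which together with `win32_VideoController get name` is a GPU-based virtual-machine check. `rar.exe a -r -hp"Brdd6010" ljV29.zip *` stages the collected data as a password-protected archive with encrypted headers, and the password is sitting in the command line. The script below is an added example, not part of the report or of any sandbox signature set: a small rule engine that maps each command line to one of these behaviours, counts hits, recovers the staging password, and surfaces the lines no rule explains. The constructed `SAMPLE_LOG` is the `cmd.exe /c` lines copied from the list above; the category names and regular expressions are this example's own.

```python
"""Map captured command lines to stealer behaviours (added example)."""
import re
from collections import Counter

# Constructed input: the cmd.exe /c command lines from the behavioural run above.
SAMPLE_LOG = r'''
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Webhook_Troller.exe'"
C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'"
C:\Windows\system32\cmd.exe /c "start bound.exe"
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\cmd.exe /c "systeminfo"
C:\Windows\system32\cmd.exe /c title WEBHOOK Tool
C:\Windows\system32\cmd.exe /c "getmac"
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI40242\rar.exe a -r -hp"Brdd6010" "C:\Users\Admin\AppData\Local\Temp\ljV29.zip" *"
C:\Windows\system32\cmd.exe /c "wmic os get Caption"
C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
'''

# Rule names and patterns are this example's own, not a vendor's signature set.
RULES = {
    # Defender blinded (ATT&CK T1562.001): any -Disable* $true, or definitions removed
    "defender_tamper": r"Set-MpPreference\b.*-Disable\w+\s+\$true|MpCmdRun\.exe\s+-RemoveDefinitions",
    "defender_exclusion": r"Add-MpPreference\s+-ExclusionPath",
    "av_enumeration": r"SecurityCenter2\b.*AntivirusProduct",
    # Display-adapter class key {4D36E968-...} and Win32_VideoController: GPU-name VM checks
    "vm_check_gpu": r"REG QUERY .*\{4D36E968-E325-11CE-BFC1-08002BE10318\}|win32_VideoController",
    "host_fingerprint": r"csproduct get uuid|\bgetmac\b|PROCESSOR_IDENTIFIER|totalphysicalmemory|wmic os get|\bsysteminfo\b",
    "process_discovery": r"\btasklist\b",
    "filesystem_discovery": r"\btree\s+/A\s+/F\b",
    "clipboard_capture": r"Get-Clipboard",
    "product_key_theft": r"BackupProductKeyDefault",
    "dropped_exe_launch": r"\bstart\s+\S+\.exe\b",
    # rar 'a' (add) with -hp: password-protected archive with encrypted headers
    "archive_staging": r"\brar(?:\.exe)?\s+a\b.*\s-hp",
}
COMPILED = {name: re.compile(rx, re.I) for name, rx in RULES.items()}


def classify(cmdline):
    """Return the set of rule names that match one command line."""
    return {name for name, rx in COMPILED.items() if rx.search(cmdline)}


def rar_password(cmdline):
    """Recover the -hp password from a rar command line ('-hp"Brdd6010"' -> 'Brdd6010')."""
    m = re.search(r'-hp"?([^"\s]+)"?', cmdline)
    return m.group(1) if m else None


def sample_lines():
    """The constructed sample as a list of non-empty lines."""
    return [ln for ln in SAMPLE_LOG.splitlines() if ln.strip()]


def triage(lines):
    """Count rule hits, pull out the staging password, and keep the lines no
    rule explains (that residue is where the next rule usually comes from)."""
    counts = Counter()
    password = None
    untagged = []
    for line in lines:
        tags = classify(line)
        counts.update(tags)
        if "archive_staging" in tags:
            password = rar_password(line) or password
        if not tags:
            untagged.append(line)
    return counts, password, untagged


if __name__ == "__main__":
    counts, password, untagged = triage(sample_lines())
    for tag, n in counts.most_common():
        print(f"{n:2d}  {tag}")
    print("rar password:", password)
    print("unexplained:", *untagged, sep="\n  ")
```

The same rules apply unchanged to Sysmon event 1 or 4688 command-line fields; the only line left unexplained in the sample is the cosmetic `title WEBHOOK Tool`. If the staged `ljV29.zip` (a RAR archive despite the extension) is recovered from a victim, the `-hp` password recovered here opens it, since `-hp` encrypts file names as well as contents.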

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 blank-oivqp.in udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 gstatic.com udp
GB 216.58.212.227:443 gstatic.com tcp
US 8.8.8.8:53 227.212.58.216.in-addr.arpa udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 discord.com udp
US 162.159.138.232:443 discord.com tcp
US 8.8.8.8:53 232.138.159.162.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
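Most of the rows in this table are not the sample's traffic: every `*.in-addr.arpa` entry is a reverse (PTR) lookup sent to 8.8.8.8 for an IP address, which the sandbox resolver does for every contacted host, and ten of those PTR targets never appear as a connection here. The sample's own activity is the forward lookups and what followed them: ip-api.com (external IP lookup, two HTTP connections), gstatic.com (one TLS connection; this host is commonly used as a connectivity probe, which is an assumption, not something the report states), discord.com (one TLS connection, flagged above as legitimate hosting abused for C2; the family exfiltrates through Discord webhooks, which the sample name also suggests), and blank-oivqp.in, which was only resolved and never connected to. The script below is an added example, not part of the report: it parses the table (embedded as constructed input), separates PTR noise from forward lookups, and reports per domain whether a connection followed, which is the form a blocklist entry should take.

```python
"""Turn a sandbox network table into IOCs (added example)."""
from collections import defaultdict

# Constructed input: the Network table from this report, one row per line.
NETWORK_TABLE = """
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 blank-oivqp.in udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 gstatic.com udp
GB 216.58.212.227:443 gstatic.com tcp
US 8.8.8.8:53 227.212.58.216.in-addr.arpa udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 discord.com udp
US 162.159.138.232:443 discord.com tcp
US 8.8.8.8:53 232.138.159.162.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
"""


def parse_rows(text):
    """Parse 'Country Destination Domain Proto' rows into dicts."""
    rows = []
    for line in text.strip().splitlines():
        country, dest, domain, proto = line.split()
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def is_ptr_query(domain):
    """Reverse-DNS names: the resolver's work, not the sample's."""
    return domain.endswith(".in-addr.arpa") or domain.endswith(".ip6.arpa")


def ptr_target(domain):
    """'1.112.95.208.in-addr.arpa' -> '208.95.112.1' (IPv6 names are returned as-is)."""
    suffix = ".in-addr.arpa"
    if not domain.endswith(suffix):
        return domain
    return ".".join(reversed(domain[:-len(suffix)].split(".")))


def summarize(rows):
    """Per forward-looked-up domain: lookup count and the connections that followed.
    Also returns the set of IPs the sandbox reverse-resolved."""
    summary = defaultdict(lambda: {"lookups": 0, "connections": []})
    reverse_lookups = set()
    for r in rows:
        if is_ptr_query(r["domain"]):
            reverse_lookups.add(ptr_target(r["domain"]))
            continue
        entry = summary[r["domain"]]
        if r["proto"] == "udp" and r["port"] == 53:
            entry["lookups"] += 1
        else:
            entry["connections"].append((r["ip"], r["port"], r["proto"]))
    return dict(summary), reverse_lookups


def iocs(rows):
    """Split domains into contacted (domain -> sorted IPs) and DNS-only."""
    summary, _ = summarize(rows)
    contacted = {d: sorted({c[0] for c in e["connections"]})
                 for d, e in summary.items() if e["connections"]}
    dns_only = sorted(d for d, e in summary.items() if not e["connections"])
    return contacted, dns_only


def background_noise(rows):
    """Reverse-resolved IPs with no matching connection: do not blocklist these on this evidence."""
    summary, reverse_lookups = summarize(rows)
    contacted_ips = {c[0] for e in summary.values() for c in e["connections"]}
    return sorted(reverse_lookups - contacted_ips)


if __name__ == "__main__":
    rows = parse_rows(NETWORK_TABLE)
    contacted, dns_only = iocs(rows)
    print("contacted:", contacted)
    print("dns only:", dns_only)
    print("unexplained PTR targets:", background_noise(rows))
```

The DNS-only domain is the interesting residue: a lookup with no connection can mean a dead or not-yet-live endpoint, a resolution the sample did not act on, or traffic that fell outside the 141-second capture window; it is worth a watchlist entry but not a block on this capture alone.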

Files

C:\Users\Admin\AppData\Local\Temp\_MEI40242\python313.dll

MD5 6ef5d2f77064df6f2f47af7ee4d44f0f
SHA1 0003946454b107874aa31839d41edcda1c77b0af
SHA256 ab7c640f044d2eb7f4f0a4dfe5e719dfd9e5fcd769943233f5cece436870e367
SHA512 1662cc02635d63b8114b41d11ec30a2af4b0b60209196aac937c2a608588fee47c6e93163ea6bf958246c32759ac5c82a712ea3d690e796e2070ac0ff9104266

C:\Users\Admin\AppData\Local\Temp\_MEI40242\VCRUNTIME140.dll

MD5 862f820c3251e4ca6fc0ac00e4092239
SHA1 ef96d84b253041b090c243594f90938e9a487a9a
SHA256 36585912e5eaf83ba9fea0631534f690ccdc2d7ba91537166fe53e56c221e153
SHA512 2f8a0f11bccc3a8cb99637deeda0158240df0885a230f38bb7f21257c659f05646c6b61e993f87e0877f6ba06b347ddd1fc45d5c44bc4e309ef75ed882b82e4e

memory/4356-26-0x00007FFEAA7F0000-0x00007FFEAAE53000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI40242\base_library.zip

MD5 a9cbd0455b46c7d14194d1f18ca8719e
SHA1 e1b0c30bccd9583949c247854f617ac8a14cbac7
SHA256 df6c19637d239bfedc8cd13d20e0938c65e8fdf340622ff334db533f2d30fa19
SHA512 b92468e71490a8800e51410df7068dd8099e78c79a95666ecf274a9e9206359f049490b8f60b96081fafd872ec717e67020364bcfa972f26f0d77a959637e528

C:\Users\Admin\AppData\Local\Temp\_MEI40242\_ctypes.pyd

MD5 79879c679a12fac03f472463bb8ceff7
SHA1 b530763123bd2c537313e5e41477b0adc0df3099
SHA256 8d1a21192112e13913cb77708c105034c5f251d64517017975af8e0c4999eba3
SHA512 ca19ddaefc9ab7c868dd82008a79ea457acd71722fec21c2371d51dcfdb99738e79eff9b1913a306dbedacb0540ca84a2ec31dc2267c7b559b6a98b390c5f3a7

memory/4356-31-0x00007FFEBD780000-0x00007FFEBD7A7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI40242\libffi-8.dll

MD5 08b000c3d990bc018fcb91a1e175e06e
SHA1 bd0ce09bb3414d11c91316113c2becfff0862d0d
SHA256 135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece
SHA512 8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

C:\Users\Admin\AppData\Local\Temp\_MEI40242\bound.blank

MD5 37778d0fc3e4c6aa803fe8a55fb13feb
SHA1 f11fdbe73836432bf0213864df9c110c47f860a9
SHA256 9ac5353ed6c3956b941b166a06984588d687963488c00bd15e3613862cf40a93
SHA512 440037e2775a6a5bc8fedc5ded43d1036df4af8c3ff9592d4b48b1d73134b5661aad013d03be5f2d49048e09a1918721287f449a9a4d1a69eee38145d3bc9b6d

memory/4356-50-0x00007FFEBFB20000-0x00007FFEBFB2F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI40242\_ssl.pyd

MD5 7ef27cd65635dfba6076771b46c1b99f
SHA1 14cb35ce2898ed4e871703e3b882a057242c5d05
SHA256 6ef0ef892dc9ad68874e2743af7985590bb071e8afe3bbf8e716f3f4b10f19b4
SHA512 ac64a19d610448badfd784a55f3129d138e3b697cf2163d5ea5910d06a86d0ea48727485d97edba3c395407e2ccf8868e45dd6d69533405b606e5d9b41baadc0

C:\Users\Admin\AppData\Local\Temp\_MEI40242\_sqlite3.pyd

MD5 8cd40257514a16060d5d882788855b55
SHA1 1fd1ed3e84869897a1fad9770faf1058ab17ccb9
SHA256 7d53df36ee9da2df36c2676cfaea84ee87e7e2a15ad8123f6abb48717c3bc891
SHA512 a700c3ce95ce1b3fd65a9f335c7c778643b2f7140920fe7ebf5d9be1089ba04d6c298bf28427ca774fbf412d7f9b77f45708a8a0729437f136232e72d6231c34

C:\Users\Admin\AppData\Local\Temp\_MEI40242\_socket.pyd

MD5 14392d71dfe6d6bdc3ebcdbde3c4049c
SHA1 622479981e1bbc7dd13c1a852ae6b2b2aebea4d7
SHA256 a1e39e2386634069070903e2d9c2b51a42cb0d59c20b7be50ef95c89c268deb2
SHA512 0f6359f0adc99efad5a9833f2148b066b2c4baf564ba16090e04e2b4e3a380d6aff4c9e7aeaa2ba247f020f7bd97635fcdfe4e3b11a31c9c6ea64a4142333424

C:\Users\Admin\AppData\Local\Temp\_MEI40242\_queue.pyd

MD5 513dce65c09b3abc516687f99a6971d8
SHA1 8f744c6f79a23aa380d9e6289cb4504b0e69fe3b
SHA256 d4be41574c3e17792a25793e6f5bf171baeeb4255c08cb6a5cd7705a91e896fc
SHA512 621f9670541cac5684892ec92378c46ff5e1a3d065d2e081d27277f1e83d6c60510c46cab333c6ed0ff81a25a1bdc0046c7001d14b3f885e25019f9cdd550ed0

C:\Users\Admin\AppData\Local\Temp\_MEI40242\_lzma.pyd

MD5 055eb9d91c42bb228a72bf5b7b77c0c8
SHA1 5659b4a819455cf024755a493db0952e1979a9cf
SHA256 de342275a648207bef9b9662c9829af222b160975ad8925cc5612cd0f182414e
SHA512 c5cba050f4b805a299f5d04ec0dce9b718a16bc335cac17f23e96519da0b9eaaf25ae0e9b29ef3dc56603bfe8317cdc1a67ee6464d84a562cf04bea52c31cfac

C:\Users\Admin\AppData\Local\Temp\_MEI40242\_hashlib.pyd

MD5 d6f123c4453230743adcc06211236bc0
SHA1 9f9ade18ac3e12bcc09757a3c4b5ee74cf5e794e
SHA256 7a904fa6618157c34e24aaac33fdf84035215d82c08eec6983c165a49d785dc9
SHA512 f5575d18a51207b4e9df5bb95277d4d03e3bb950c0e7b6c3dd2288645e26e1de8edcf634311c21a6bdc8c3378a71b531f840b8262db708726d36d15cb6d02441

C:\Users\Admin\AppData\Local\Temp\_MEI40242\_decimal.pyd

MD5 21d27c95493c701dff0206ff5f03941d
SHA1 f1f124d4b0e3092d28ba4ea4fe8cf601d5bd8600
SHA256 38ec7a3c2f368ffeb94524d7c66250c0d2dafe58121e93e54b17c114058ea877
SHA512 a5fbda904024cd097a86d6926e0d593b0f7e69e32df347a49677818c2f4cd7dc83e2bab7c2507428328248bd2f54b00f7b2a077c8a0aad2224071f8221cb9457

C:\Users\Admin\AppData\Local\Temp\_MEI40242\_bz2.pyd

MD5 58fc4c56f7f400de210e98ccb8fdc4b2
SHA1 12cb7ec39f3af0947000295f4b50cbd6e7436554
SHA256 dfc195ebb59dc5e365efd3853d72897b8838497e15c0977b6edb1eb347f13150
SHA512 ad0c6a9a5ca719d244117984a06cce8e59ed122855e4595df242df18509752429389c3a44a8ba0abc817d61e37f64638ccbdffc17238d4c38d2364f0a10e6bc7

C:\Users\Admin\AppData\Local\Temp\_MEI40242\unicodedata.pyd

MD5 b2712b0dd79a9dafe60aa80265aa24c3
SHA1 347e5ad4629af4884959258e3893fde92eb3c97e
SHA256 b271bd656e045c1d130f171980ed34032ac7a281b8b5b6ac88e57dce12e7727a
SHA512 4dc7bd1c148a470a3b17fa0b936e3f5f68429d83d552f80051b0b88818aa88efc3fe41a2342713b7f0f2d701a080fb9d8ac4ff9be5782a6a0e81bd759f030922

C:\Users\Admin\AppData\Local\Temp\_MEI40242\sqlite3.dll

MD5 21aea45d065ecfa10ab8232f15ac78cf
SHA1 6a754eb690ff3c7648dae32e323b3b9589a07af2
SHA256 a1a694b201976ea57d4376ae673daa21deb91f1bf799303b3a0c58455d5126e7
SHA512 d5c9dc37b509a3eafa1e7e6d78a4c1e12b5925b5340b09bee06c174d967977264c9eb45f146abed1b1fc8aa7c48f1e0d70d25786ed46849f5e7cc1c5d07ac536

C:\Users\Admin\AppData\Local\Temp\_MEI40242\select.pyd

MD5 fb70aece725218d4cba9ba9bbb779ccc
SHA1 bb251c1756e5bf228c7b60daea1e3b6e3f9f0ff5
SHA256 9d440a1b8a6a43cfaa83b9bc5c66a9a341893a285e02d25a36c4781f289c8617
SHA512 63e6db638911966a86f423da8e539fc4ab7eb7b3fb76c30c16c582ce550f922ad78d1a77fa0605caffa524e480969659bf98176f19d5effd1fc143b1b13bbaaf

C:\Users\Admin\AppData\Local\Temp\_MEI40242\rarreg.key

MD5 4531984cad7dacf24c086830068c4abe
SHA1 fa7c8c46677af01a83cf652ef30ba39b2aae14c3
SHA256 58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211
SHA512 00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

C:\Users\Admin\AppData\Local\Temp\_MEI40242\rar.exe

MD5 9c223575ae5b9544bc3d69ac6364f75e
SHA1 8a1cb5ee02c742e937febc57609ac312247ba386
SHA256 90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213
SHA512 57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

C:\Users\Admin\AppData\Local\Temp\_MEI40242\libssl-3.dll

MD5 b2e766f5cf6f9d4dcbe8537bc5bded2f
SHA1 331269521ce1ab76799e69e9ae1c3b565a838574
SHA256 3cc6828e7047c6a7eff517aa434403ea42128c8595bf44126765b38200b87ce4
SHA512 5233c8230497aadb9393c3ee5049e4ab99766a68f82091fe32393ee980887ebd4503bf88847c462c40c3fc786f8d179dac5cb343b980944ade43bc6646f5ad5a

C:\Users\Admin\AppData\Local\Temp\_MEI40242\libcrypto-3.dll

MD5 8377fe5949527dd7be7b827cb1ffd324
SHA1 aa483a875cb06a86a371829372980d772fda2bf9
SHA256 88e8aa1c816e9f03a3b589c7028319ef456f72adb86c9ddca346258b6b30402d
SHA512 c59d0cbe8a1c64f2c18b5e2b1f49705d079a2259378a1f95f7a368415a2dc3116e0c3c731e9abfa626d12c02b9e0d72c98c1f91a359f5486133478144fa7f5f7

C:\Users\Admin\AppData\Local\Temp\_MEI40242\blank.aes

MD5 60ed792ece16343b4873628aa5210eaa
SHA1 056eb113db12b2365dbad0834f967e66c737afd1
SHA256 f98f43139c84269adc881e1c98c9ed8f120ca776c8f5908e6d2ddee26fcb0e73
SHA512 f83a3de0a1a7fa0c0fbc0d76826af9bee7754de27ae53c2a00b9776a4ddf9dec34746f70a70e0b0257a7fb47f2cb00713e15c31450ac970b38910e62bb0f9aea

memory/4356-56-0x00007FFEBD620000-0x00007FFEBD64B000-memory.dmp

memory/4356-58-0x00007FFEBA660000-0x00007FFEBA679000-memory.dmp

memory/4356-60-0x00007FFEBA2B0000-0x00007FFEBA2D5000-memory.dmp

memory/4356-62-0x00007FFEB9CE0000-0x00007FFEB9E5F000-memory.dmp

memory/4356-64-0x00007FFEBA230000-0x00007FFEBA249000-memory.dmp

memory/4356-68-0x00007FFEBA010000-0x00007FFEBA044000-memory.dmp

memory/4356-66-0x00007FFEBA740000-0x00007FFEBA74D000-memory.dmp

memory/4356-73-0x00007FFEB9A20000-0x00007FFEB9AEE000-memory.dmp

memory/4356-72-0x00007FFEAA7F0000-0x00007FFEAAE53000-memory.dmp

memory/4356-74-0x0000020B59910000-0x0000020B59E43000-memory.dmp

memory/4356-76-0x00007FFEBD780000-0x00007FFEBD7A7000-memory.dmp

memory/4356-75-0x00007FFEAA2B0000-0x00007FFEAA7E3000-memory.dmp

memory/4356-78-0x00007FFEB9FF0000-0x00007FFEBA004000-memory.dmp

memory/4356-80-0x00007FFEBD620000-0x00007FFEBD64B000-memory.dmp

memory/4356-81-0x00007FFEBA370000-0x00007FFEBA37D000-memory.dmp

memory/4356-84-0x00007FFEA9C30000-0x00007FFEA9CE3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lbeau5lg.hin.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1196-91-0x00000265629A0000-0x00000265629C2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\bound.exe

MD5 11cb5c1136453530d673ecf73044e378
SHA1 1ef5a6fa7bbdb114746ee66cca76b22522bac7cd
SHA256 1b31365ec9a4e1de7914bc710a5e870a360f8545cedcded7172364b909829044
SHA512 dcee67186e364cfa0074f7f6f504921f5cab348a1aa1da3c8569272d5377327fa20d6a2accba262d3fcc70d170e01bf4259cd84fe30d6be03c140b4728689bc7

memory/4356-576-0x00007FFEBA2B0000-0x00007FFEBA2D5000-memory.dmp

memory/1196-633-0x0000026562B40000-0x0000026562D5C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

memory/976-746-0x0000011C2F8C0000-0x0000011C2FADC000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6d3e9c29fe44e90aae6ed30ccf799ca8
SHA1 c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA256 2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA512 60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

memory/1116-749-0x000001AFA1800000-0x000001AFA1A1C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 62623d22bd9e037191765d5083ce16a3
SHA1 4a07da6872672f715a4780513d95ed8ddeefd259
SHA256 95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010
SHA512 9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

memory/4356-1053-0x00007FFEB9CE0000-0x00007FFEB9E5F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI24642\python313.dll

MD5 b9de917b925dd246b709bb4233777efd
SHA1 775f258d8b530c6ea9f0dd3d1d0b61c1948c25d2
SHA256 0c0a66505093b6a4bb3475f716bd3d9552095776f6a124709c13b3f9552c7d99
SHA512 f4bf3398f50fdd3ab7e3f02c1f940b4c8b5650ed7af16c626ccd1b934053ba73a35f96da03b349c1eb614bb23e0bc6b5cc58b07b7553a5c93c6d23124f324a33

C:\Users\Admin\AppData\Local\Temp\_MEI24642\python3.dll

MD5 16855ebef31c5b1ebe767f1c617645b3
SHA1 315521f3a748abfa35cd4d48e8dd09d0556d989b
SHA256 a5c6a329698490a035133433928d04368ce6285bb91a9d074fc285de4c9a32a4
SHA512 c3957b3bd36b10c7ad6ea1ff3bc7bd65cdceb3e6b4195a25d0649aa0da179276ce170da903d77b50a38fc3d5147a45be32dbcfdbfbf76cc46301199c529adea4

C:\Users\Admin\AppData\Local\Temp\_MEI24642\libffi-8.dll

MD5 0f8e4992ca92baaf54cc0b43aaccce21
SHA1 c7300975df267b1d6adcbac0ac93fd7b1ab49bd2
SHA256 eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a
SHA512 6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

C:\Users\Admin\AppData\Local\Temp\_MEI24642\zlib1.dll

MD5 3a46a119c9860c477f13fe98c878452c
SHA1 e0bcbe5b30ef2a2f58e1206c650672ee3f85abc9
SHA256 8c2ed3e1a90c9b0e3ef844be20e1af791ae8a1b665d4731162404f0eee1697dc
SHA512 0d3d4e8a2c8886fd6e480aecc5051644f39c1e06b1113def7273369f771c4429c757aed13bd8082f4768f617ca3499cd81b79a0893b5a2955fb4b68c8b571c71

C:\Users\Admin\AppData\Local\Temp\_MEI24642\unicodedata.pyd

MD5 0902d299a2a487a7b0c2d75862b13640
SHA1 04bcbd5a11861a03a0d323a8050a677c3a88be13
SHA256 2693c7ee4fba55dc548f641c0cb94485d0e18596ffef16541bd43a5104c28b20
SHA512 8cbef5a9f2d24da1014f8f1ccbddd997a084a0b04dd56bcb6ac38ddb636d05ef7e4ea7f67a085363aad3f43d45413914e55bdef14a662e80be955e6dfc2feca3

C:\Users\Admin\AppData\Local\Temp\_MEI24642\tk86t.dll

MD5 6f06390d3ac095827df2f1a8ed5dae0c
SHA1 879f24522821f597c0341ca091e474163764b343
SHA256 6425bf57abcc1dfbbe8662b1956883ae0c5ab8c2d9314e19692b3d86babc242c
SHA512 27b975e15f6e1b9bc8e3e41152baee25f4b400de3aa6e334c61b2165fecd27560fa5c4296a9b3ff0eb1103173cfb61c348ba11e01a44cbadbecf308b5d7c5095

C:\Users\Admin\AppData\Local\Temp\_MEI24642\tcl86t.dll

MD5 8587238932b4f7f394ce587ad169846b
SHA1 6cdc9c1751e812be3a11bb411a145e7ab6885def
SHA256 c861f39ad0f4fc7f3875850925f61442bff2bc1839bbbb3584a63bc4d6e5cea6
SHA512 c88506e5b78ab1459c25de4c7ef65b3c9e24e0f79ab2132e8fdc7a02195af2e137874512a0f423c80d558969e42e2a4bc7d2cddee696624dbd230b32c44f88f2

C:\Users\Admin\AppData\Local\Temp\_MEI24642\select.pyd

MD5 20831703486869b470006941b4d996f2
SHA1 28851dfd43706542cd3ef1b88b5e2749562dfee0
SHA256 78e5994c29d8851f28b5b12d59d742d876683aea58eceea1fb895b2036cdcdeb
SHA512 4aaf5d66d2b73f939b9a91e7eddfeb2ce2476c625586ef227b312230414c064aa850b02a4028363aa4664408c9510594754530a6d026a0a84be0168d677c1bc4

C:\Users\Admin\AppData\Local\Temp\_MEI24642\libssl-3.dll

MD5 4ff168aaa6a1d68e7957175c8513f3a2
SHA1 782f886709febc8c7cebcec4d92c66c4d5dbcf57
SHA256 2e4d35b681a172d3298caf7dc670451be7a8ba27c26446efc67470742497a950
SHA512 c372b759b8c7817f2cbb78eccc5a42fa80bdd8d549965bd925a97c3eebdce0335fbfec3995430064dead0f4db68ebb0134eb686a0be195630c49f84b468113e3

C:\Users\Admin\AppData\Local\Temp\_MEI24642\_ctypes.pyd

MD5 a55e57d7594303c89b5f7a1d1d6f2b67
SHA1 904a9304a07716497cf3e4eaafd82715874c94f1
SHA256 f63c6c7e71c342084d8f1a108786ca6975a52cefef8be32cc2589e6e2fe060c8
SHA512 ffa61ad2a408a831b5d86b201814256c172e764c9c1dbe0bd81a2e204e9e8117c66f5dfa56bb7d74275d23154c0ed8e10d4ae8a0d0564434e9761d754f1997fc

C:\Users\Admin\AppData\Local\Temp\_MEI24642\libcrypto-3.dll

MD5 123ad0908c76ccba4789c084f7a6b8d0
SHA1 86de58289c8200ed8c1fc51d5f00e38e32c1aad5
SHA256 4e5d5d20d6d31e72ab341c81e97b89e514326c4c861b48638243bdf0918cfa43
SHA512 80fae0533ba9a2f5fa7806e86f0db8b6aab32620dde33b70a3596938b529f3822856de75bddb1b06721f8556ec139d784bc0bb9c8da0d391df2c20a80d33cb04

memory/4356-1218-0x00007FFEBA010000-0x00007FFEBA044000-memory.dmp

memory/4356-1219-0x00007FFEB9A20000-0x00007FFEB9AEE000-memory.dmp

memory/4356-1220-0x0000020B59910000-0x0000020B59E43000-memory.dmp

memory/4356-1221-0x00007FFEAA2B0000-0x00007FFEAA7E3000-memory.dmp

memory/4356-1238-0x00007FFEA9C30000-0x00007FFEA9CE3000-memory.dmp

memory/4356-1230-0x00007FFEB9CE0000-0x00007FFEB9E5F000-memory.dmp

memory/4356-1224-0x00007FFEAA7F0000-0x00007FFEAAE53000-memory.dmp

memory/1300-1260-0x00007FFEA4250000-0x00007FFEA4279000-memory.dmp

memory/4356-1272-0x00007FFEAA2B0000-0x00007FFEAA7E3000-memory.dmp

memory/4356-1282-0x00007FFEB9CE0000-0x00007FFEB9E5F000-memory.dmp

memory/4356-1285-0x00007FFEBA010000-0x00007FFEBA044000-memory.dmp

memory/4356-1284-0x00007FFEBA740000-0x00007FFEBA74D000-memory.dmp

memory/4356-1283-0x00007FFEBA230000-0x00007FFEBA249000-memory.dmp

memory/4356-1281-0x00007FFEBA2B0000-0x00007FFEBA2D5000-memory.dmp

memory/4356-1280-0x00007FFEBA660000-0x00007FFEBA679000-memory.dmp

memory/4356-1279-0x00007FFEBD620000-0x00007FFEBD64B000-memory.dmp

memory/4356-1278-0x00007FFEBFB20000-0x00007FFEBFB2F000-memory.dmp

memory/4356-1277-0x00007FFEBD780000-0x00007FFEBD7A7000-memory.dmp

memory/4356-1276-0x00007FFEAA7F0000-0x00007FFEAAE53000-memory.dmp

memory/4356-1275-0x00007FFEA9C30000-0x00007FFEA9CE3000-memory.dmp

memory/4356-1274-0x00007FFEBA370000-0x00007FFEBA37D000-memory.dmp

memory/4356-1273-0x00007FFEB9FF0000-0x00007FFEBA004000-memory.dmp

memory/4356-1271-0x00007FFEB9A20000-0x00007FFEB9AEE000-memory.dmp