Resubmissions

Submitted            Analysis ID           Score
24-07-2021 10:45     210724-phtf8r61la     10
07-09-2020 13:45     200907-tlde9xx29n     7
06-09-2020 10:57     200906-apz15m223e     7
06-09-2020 07:55     200906-2zwlc6b7h2     8
06-09-2020 07:51     200906-h9pa71e62a     7

Analysis
max time kernel: 102s
max time network: 100s
platform: windows7_x64
resource: win7v200722
submitted: 06-09-2020 07:55
Static task: static1
Behavioral task behavioral1: sample TOOL.exe, resource win7v200722
Behavioral task behavioral2: sample TOOL.exe, resource win10v200722

The signatures, process tree, dropped files and memory dumps below come from the windows7_x64 run (resource win7v200722); the Windows 10 task is listed but its results are not part of this page.
General

Target: TOOL.exe
Size: 15.3MB
MD5: 42c3370a6bdc0bd641bf0583cef3cfe2
SHA1: 33fea4db9b6a1fd9167f4bfa5abad4c0c86f6b58
SHA256: 8d025c8034092b69331f21684eaeee9ebf1d3b4db491997f857b9b1a233b2ef5
SHA512: 628eaac733723b2f371182c0fd017e558859d15fc32077a0abf04fc7b82e6e8c1a53e6ed5ba85467bce63bdfeff9b23b7f09c342c0e744ffdd3307ee9037975d
Signatures

Loads dropped DLL (37 IoCs)
Process: TOOL.exe, PID 1004 (all 37 load events belong to this one process, the child instance of the sample).
The DLLs are the files the sample itself wrote under C:\Users\Admin\AppData\Local\Temp\_MEI9322\ (see Downloads): the Python 3.8 runtime, its extension modules and the Visual C++ runtime that a PyInstaller "onefile" build unpacks before it runs.
JavaScript code in executable (7 IoCs)
YARA rule "js" matched the following dropped files:
- C:\Users\Admin\AppData\Local\Temp\_MEI9322\python38.dll (also listed as \Users\Admin\AppData\Local\Temp\_MEI9322\python38.dll)
- C:\Users\Admin\AppData\Local\Temp\_MEI9322\base_library.zip
- C:\Users\Admin\AppData\Local\Temp\_MEI9322\pywintypes38.dll (also listed as \Users\Admin\AppData\Local\Temp\_MEI9322\pywintypes38.dll)
- C:\Users\Admin\AppData\Local\Temp\_MEI9322\libcrypto-1_1.dll (also listed as \Users\Admin\AppData\Local\Temp\_MEI9322\libcrypto-1_1.dll)
Caveat: these are stock CPython 3.8, pywin32 and OpenSSL 1.1 binaries bundled by PyInstaller, so the hit reflects the rule's string heuristics on runtime components rather than a script embedded by the sample. The only JavaScript actually executed in this run is the one-liner passed to rundll32.exe in the process tree below.
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Network flow 3: ip-api.com
Gathers network information (2 TTPs, 1 IoC)
Uses a command-line utility to view the network configuration.
Process: ipconfig.exe, PID 1760
Modifies Internet Explorer settings
Process: rundll32.exe
Registry key created: \REGISTRY\USER\S-1-5-21-403932158-3302036622-1224131197-1000\Software\Microsoft\Internet Explorer\Main
This is a side effect of the rundll32 "javascript:" invocation in the process tree: mshtml.dll (the Internet Explorer HTML engine) initialises and writes its per-user settings key, so the signature fires even though no browser was opened.
Suspicious use of AdjustPrivilegeToken (51 IoCs)
WMIC.exe (PID 788) enabled each of the following privileges twice (40 events): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, and the privileges logged only by LUID 33, 34 and 35.
powercfg.exe enabled SeShutdownPrivilege once in each of PIDs 1160, 1636, 2016, 1220, 1904, 1556, 740, 1400, 1560, 2028 and 1824 (11 events).
Caveat: wmic.exe enables every privilege its token holds on every start, and powercfg.exe enables SeShutdownPrivilege whenever it writes power settings, so neither pattern is malicious by itself. The signal is the parent chain (a binary in the user's Temp directory driving both through cmd.exe), not the privilege use.
Suspicious use of WriteProcessMemory (114 IoCs)
Parent -> child process creations recorded for the run. The raw list repeats each pair three times and is cut off after its last entry; the unique pairs are:
- 932 TOOL.exe -> 1004 TOOL.exe
- 1004 TOOL.exe -> 1792 cmd.exe
- 1792 cmd.exe -> 1768 chcp.com, 1760 ipconfig.exe, 1676 findstr.exe
- 1004 TOOL.exe -> 2020 cmd.exe
- 2020 cmd.exe -> 1356 chcp.com
- 1004 TOOL.exe -> 2008 cmd.exe
- 2008 cmd.exe -> 788 WMIC.exe
- 1004 TOOL.exe -> 1784 cmd.exe
- 1004 TOOL.exe -> 1900 cmd.exe
- 1004 TOOL.exe -> 2016 cmd.exe
- 2016 cmd.exe -> 1052 rundll32.exe
- 1004 TOOL.exe -> 540 cmd.exe
- 540 cmd.exe -> 1876 rundll32.exe
- 1004 TOOL.exe -> 1800 cmd.exe
- 1800 cmd.exe -> 1160 powercfg.exe
- 1004 TOOL.exe -> 1180 cmd.exe
- 1180 cmd.exe -> 1636 powercfg.exe
- 1004 TOOL.exe -> 1484 cmd.exe
- 1484 cmd.exe -> 2016 powercfg.exe
- 1004 TOOL.exe -> 1396 cmd.exe (the source list is truncated here)
Note the PID reuse: 2016 is first a cmd.exe child of 1004 and later a powercfg.exe child of 1484 (the memory dump list likewise has two entries for PID 2016). Tooling that builds the tree from a flat pid -> ppid map will merge the two processes; correlate on creation order, creation time or a process GUID instead.
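The process relationships above, together with the command lines in the tree below, are enough to write a detection that does not depend on the sample's hash. The following is an added example, not code from the report or the sample: it runs a small rule set over constructed process-creation events (pid, ppid, image, command line) built from the report's tree, resolves each hit to its root process while honouring the PID reuse noted above, and flags a root only when several distinct techniques hang off it, so an administrator's lone powercfg call stays quiet. The parent cmd.exe PIDs for the later powercfg calls (1908, 1948) and the benign explorer.exe noise are assumptions; the powercfg alias names in the comments are taken from powercfg's documented aliases.

```python
"""Detection sweep over process-creation telemetry for the behaviour in this
report. Added example, not the report's or the sample's code. EVENTS is
constructed from the report's process tree; PIDs the report does not show
are assigned here and are assumptions."""
import re
from collections import defaultdict

# GUIDs the sample passes to powercfg (documented aliases: SUB_BUTTONS,
# PBUTTONACTION, LIDACTION, AWAYMODE)
SUB_BUTTONS = "4f971e89-eebd-4455-a8de-9e59040e7347"
PBUTTONACTION = "7648efa3-dd9c-4e3e-b566-50f929386280"
LIDACTION = "5ca83367-6e45-459f-a27b-476b1d01c936"
AWAYMODE = "f15576e8-98b7-4186-b944-eafa664402d9"

# (technique, image basename the rule applies to, case-insensitive regex on the command line)
RULES = (
    ("discovery.default_gateway", "cmd.exe", r"ipconfig.*\|\s*findstr\s+.*default gateway"),
    ("discovery.bios_version", "wmic.exe", r"\bbios\s+get\b"),
    ("execution.rundll32_javascript", "rundll32.exe", r"^\S*rundll32(\.exe)?\s+javascript:"),
    ("impact.button_action_disabled", "powercfg.exe",
     rf"set(ac|dc)valueindex\s+\S+\s+(sub_buttons|{SUB_BUTTONS})\s+"
     rf"(pbuttonaction|lidaction|{PBUTTONACTION}|{LIDACTION})\s+0\b"),
    ("impact.away_mode_forced", "powercfg.exe",
     rf"set(ac|dc)valueindex\s+\S+\s+sub_none\s+(awaymode|{AWAYMODE})\s+1\b"),
    ("defense_evasion.power_setting_hidden", "powercfg.exe", r"-attributes\s+.*\+attrib_hide"),
    ("impact.monitor_timeout_zero", "powercfg.exe", r"-change\s+-monitor-timeout-(ac|dc)\s+0\b"),
)

TOOL = r"C:\Users\Admin\AppData\Local\Temp\TOOL.exe"
CMD = r"C:\Windows\system32\cmd.exe"
POWERCFG = r"C:\Windows\system32\powercfg.exe"
RUNDLL32_JS = r"""rundll32.exe javascript:'\..\mshtml,RunHTMLApplication ';alert('');"""


def cmd_c(inner):
    """Command line of the cmd.exe wrapper the sample uses for every step."""
    return f'{CMD} /c "{inner}"'


EVENTS = [  # (pid, ppid, image, command line); constructed from the report's tree
    (932, 600, TOOL, f'"{TOOL}"'),
    (1004, 932, TOOL, f'"{TOOL}"'),                      # PyInstaller onefile child
    (1792, 1004, CMD, cmd_c('chcp 65001 && ipconfig | findstr /i "Default Gateway"')),
    (1768, 1792, r"C:\Windows\system32\chcp.com", "chcp 65001"),
    (1760, 1792, r"C:\Windows\system32\ipconfig.exe", "ipconfig"),
    (1676, 1792, r"C:\Windows\system32\findstr.exe", 'findstr /i "Default Gateway"'),
    (2008, 1004, CMD, cmd_c("wmic BIOS get BIOSVersion")),
    (788, 2008, r"C:\Windows\System32\Wbem\WMIC.exe", "wmic BIOS get BIOSVersion"),
    (2016, 1004, CMD, cmd_c("start " + RUNDLL32_JS)),
    (1052, 2016, r"C:\Windows\system32\rundll32.exe", RUNDLL32_JS),
    (1800, 1004, CMD, cmd_c(f"powercfg -setdcvalueindex SCHEME_CURRENT {SUB_BUTTONS} {PBUTTONACTION} 0")),
    (1160, 1800, POWERCFG, f"powercfg -setdcvalueindex SCHEME_CURRENT {SUB_BUTTONS} {PBUTTONACTION} 0"),
    (1484, 1004, CMD, cmd_c(f"powercfg -setacvalueindex SCHEME_CURRENT {SUB_BUTTONS} {LIDACTION} 0")),
    (2016, 1484, POWERCFG, f"powercfg -setacvalueindex SCHEME_CURRENT {SUB_BUTTONS} {LIDACTION} 0"),  # PID 2016 reused
    (1900, 1004, CMD, cmd_c(f"powercfg /setacvalueindex scheme_current sub_none {AWAYMODE.upper()} 1")),
    (1904, 1900, POWERCFG, f"powercfg /setacvalueindex scheme_current sub_none {AWAYMODE.upper()} 1"),
    (1908, 1004, CMD, cmd_c(f"powercfg -attributes SUB_BUTTONS {PBUTTONACTION} +ATTRIB_HIDE")),  # parent PID assumed
    (1556, 1908, POWERCFG, f"powercfg -attributes SUB_BUTTONS {PBUTTONACTION} +ATTRIB_HIDE"),
    (1948, 1004, CMD, cmd_c("powercfg -change -monitor-timeout-ac 0")),                      # parent PID assumed
    (740, 1948, POWERCFG, "powercfg -change -monitor-timeout-ac 0"),
    (3000, 600, r"C:\Windows\explorer.exe", "explorer.exe"),          # benign noise (constructed)
    (3001, 3000, POWERCFG, "powercfg /list"),                         # benign noise (constructed)
]


def build_lineage(events):
    """Parent event index for each event. PIDs get recycled (2016 is cmd.exe,
    then powercfg.exe), so the parent is the most recent EARLIER creation of
    the parent PID, not a lookup in a global pid -> ppid map."""
    latest, parent_of = {}, {}
    for i, (pid, ppid, _image, _cmd) in enumerate(events):
        parent_of[i] = latest.get(ppid)   # None: parent not present in the telemetry
        latest[pid] = i
    return parent_of


def root_of(i, parent_of):
    while parent_of.get(i) is not None:
        i = parent_of[i]
    return i


def detect(events):
    """Apply RULES to every event; return (findings, techniques per root pid)."""
    parent_of = build_lineage(events)
    findings, per_root = [], defaultdict(set)
    for i, (pid, _ppid, image, cmd) in enumerate(events):
        base = image.rsplit("\\", 1)[-1].lower()
        for technique, want, pattern in RULES:
            if base == want and re.search(pattern, cmd, re.IGNORECASE):
                root_pid = events[root_of(i, parent_of)][0]
                findings.append((technique, pid, root_pid))
                per_root[root_pid].add(technique)
    return findings, per_root


def suspicious_roots(events, min_techniques=3):
    """Roots whose descendants cover at least min_techniques distinct techniques."""
    _findings, per_root = detect(events)
    return {pid: sorted(t) for pid, t in per_root.items() if len(t) >= min_techniques}


if __name__ == "__main__":
    for root, techniques in suspicious_roots(EVENTS).items():
        print(f"root pid {root}: {', '.join(techniques)}")
```

Feeding real Sysmon event ID 1 or EDR process-start records into EVENTS is a matter of mapping ProcessId, ParentProcessId, Image and CommandLine into the same tuples; the rules deliberately match the GUIDs as well as the aliases, since the sample mixes both spellings.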
Processes

Each line is "image path   command line"; indentation is the depth in the process tree (the original rendering numbered the levels 1 to 4), and the signatures triggered by a process follow it.

C:\Users\Admin\AppData\Local\Temp\TOOL.exe   "C:\Users\Admin\AppData\Local\Temp\TOOL.exe"
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\TOOL.exe   "C:\Users\Admin\AppData\Local\Temp\TOOL.exe"
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        C:\Windows\system32\cmd.exe   C:\Windows\system32\cmd.exe /c "chcp 65001 && ipconfig | findstr /i "Default Gateway""
            - Suspicious use of WriteProcessMemory
            C:\Windows\system32\chcp.com   chcp 65001
            C:\Windows\system32\ipconfig.exe   ipconfig
                - Gathers network information
            C:\Windows\system32\findstr.exe   findstr /i "Default Gateway"
        C:\Windows\system32\cmd.exe   C:\Windows\system32\cmd.exe /c "@chcp 65001 1>nul"
            - Suspicious use of WriteProcessMemory
            C:\Windows\system32\chcp.com   chcp 65001
        C:\Windows\system32\cmd.exe   C:\Windows\system32\cmd.exe /c "wmic BIOS get BIOSVersion"
            - Suspicious use of WriteProcessMemory
            C:\Windows\System32\Wbem\WMIC.exe   wmic BIOS get BIOSVersion
                - Suspicious use of AdjustPrivilegeToken
        C:\Windows\system32\cmd.exe   C:\Windows\system32\cmd.exe /c "ver"
        C:\Windows\system32\cmd.exe   C:\Windows\system32\cmd.exe /c "ver.exe"
        C:\Windows\system32\cmd.exe   C:\Windows\system32\cmd.exe /c "start rundll32.exe javascript:'\..\mshtml,RunHTMLApplication ';alert('');"
            - Suspicious use of WriteProcessMemory
            C:\Windows\system32\rundll32.exe   rundll32.exe javascript:'\..\mshtml,RunHTMLApplication ';alert('');
                - Modifies Internet Explorer settings
        C:\Windows\system32\cmd.exe   C:\Windows\system32\cmd.exe /c "start rundll32.exe javascript:'\..\mshtml,RunHTMLApplication ';alert('');"
            - Suspicious use of WriteProcessMemory
            C:\Windows\system32\rundll32.exe   rundll32.exe javascript:'\..\mshtml,RunHTMLApplication ';alert('');
        C:\Windows\system32\cmd.exe   C:\Windows\system32\cmd.exe /c "powercfg -setdcvalueindex SCHEME_CURRENT 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0"
            - Suspicious use of WriteProcessMemory
            C:\Windows\system32\powercfg.exe   powercfg -setdcvalueindex SCHEME_CURRENT 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
                - Suspicious use of AdjustPrivilegeToken
        C:\Windows\system32\cmd.exe   C:\Windows\system32\cmd.exe /c "powercfg -setacvalueindex SCHEME_CURRENT 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0"
            - Suspicious use of WriteProcessMemory
            C:\Windows\system32\powercfg.exe   powercfg -setacvalueindex SCHEME_CURRENT 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
                - Suspicious use of AdjustPrivilegeToken
        C:\Windows\system32\cmd.exe   C:\Windows\system32\cmd.exe /c "powercfg -setacvalueindex SCHEME_CURRENT 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0"
            - Suspicious use of WriteProcessMemory
            C:\Windows\system32\powercfg.exe   powercfg -setacvalueindex SCHEME_CURRENT 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
                - Suspicious use of AdjustPrivilegeToken
        C:\Windows\system32\cmd.exe   C:\Windows\system32\cmd.exe /c "powercfg -setdcvalueindex SCHEME_CURRENT 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0"
            C:\Windows\system32\powercfg.exe   powercfg -setdcvalueindex SCHEME_CURRENT 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
                - Suspicious use of AdjustPrivilegeToken
        C:\Windows\system32\cmd.exe   C:\Windows\system32\cmd.exe /c "start ms-cxh-full://0"
        C:\Windows\system32\cmd.exe   C:\Windows\system32\cmd.exe /c "powercfg /setdcvalueindex scheme_current sub_none F15576E8-98B7-4186-B944-EAFA664402D9 1"
            C:\Windows\system32\powercfg.exe   powercfg /setdcvalueindex scheme_current sub_none F15576E8-98B7-4186-B944-EAFA664402D9 1
                - Suspicious use of AdjustPrivilegeToken
        C:\Windows\system32\cmd.exe   C:\Windows\system32\cmd.exe /c "powercfg /setacvalueindex scheme_current sub_none F15576E8-98B7-4186-B944-EAFA664402D9 1"
            C:\Windows\system32\powercfg.exe   powercfg /setacvalueindex scheme_current sub_none F15576E8-98B7-4186-B944-EAFA664402D9 1
                - Suspicious use of AdjustPrivilegeToken
        C:\Windows\system32\cmd.exe   C:\Windows\system32\cmd.exe /c "powercfg -attributes F15576E8-98B7-4186-B944-EAFA664402D9 +ATTRIB_HIDE"
            C:\Windows\system32\powercfg.exe   powercfg -attributes F15576E8-98B7-4186-B944-EAFA664402D9 +ATTRIB_HIDE
                - Suspicious use of AdjustPrivilegeToken
        C:\Windows\system32\cmd.exe   C:\Windows\system32\cmd.exe /c "powercfg -attributes SUB_BUTTONS 7648efa3-dd9c-4e3e-b566-50f929386280 +ATTRIB_HIDE"
            C:\Windows\system32\powercfg.exe   powercfg -attributes SUB_BUTTONS 7648efa3-dd9c-4e3e-b566-50f929386280 +ATTRIB_HIDE
                - Suspicious use of AdjustPrivilegeToken
        C:\Windows\system32\cmd.exe   C:\Windows\system32\cmd.exe /c "powercfg -change -monitor-timeout-ac 0"
            C:\Windows\system32\powercfg.exe   powercfg -change -monitor-timeout-ac 0
                - Suspicious use of AdjustPrivilegeToken
        C:\Windows\system32\cmd.exe   C:\Windows\system32\cmd.exe /c "powercfg -change -monitor-timeout-dc 0"
            C:\Windows\system32\powercfg.exe   powercfg -change -monitor-timeout-dc 0
                - Suspicious use of AdjustPrivilegeToken
        C:\Windows\system32\cmd.exe   C:\Windows\system32\cmd.exe /c "powercfg -SetActive SCHEME_CURRENT"
            C:\Windows\system32\powercfg.exe   powercfg -SetActive SCHEME_CURRENT
                - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\LogonUI.exe   "LogonUI.exe" /flags:0x0
C:\Windows\system32\LogonUI.exe   "LogonUI.exe" /flags:0x1

Reading the tree:

- The sample spawning a second copy of itself is the PyInstaller "onefile" bootstrap: the first instance (PID 932) unpacks the bundle to _MEI9322 and re-executes itself; the child (PID 1004) is the one that loads the dropped DLLs and runs the Python code.
- Every step is a separate cmd.exe /c wrapper, the pattern Python's subprocess/os.system produce. chcp 65001 switches the console to UTF-8 so the Python side can decode the output.
- Discovery: ipconfig filtered for "Default Gateway", wmic BIOS get BIOSVersion and ver, plus the external IP lookup against ip-api.com listed under Signatures. BIOS version strings are a common way to spot a virtual machine or sandbox.
- rundll32.exe javascript:'\..\mshtml,RunHTMLApplication ' is the well-known living-off-the-land trick that makes rundll32 load mshtml and run arbitrary script; here the script body is only alert(''), so this run shows a dialog rather than doing work, and the registry write under Internet Explorer\Main is the side effect of mshtml starting up.
- The powercfg sequence sets the power-button action (7648efa3-...) and lid-close action (5ca83367-...) in the SUB_BUTTONS subgroup (4f971e89-...) to 0, "Do nothing", on both AC and DC, turns on Allow Away Mode (F15576E8-...), hides both tampered settings from the Power Options UI with +ATTRIB_HIDE, sets the display timeout to 0 (never), and re-applies the scheme with -SetActive. The machine can no longer be put to sleep or shut down from the power button or lid, and its screen stays on.
- ms-cxh-full://0 is a Windows 10 URI scheme (Cloud Experience Host); on this Windows 7 image the start command produced no child process.
- The two LogonUI.exe instances at the end are spawned by winlogon when the lock or logon screen is displayed. Together with the power-setting changes this is consistent with a screen-lock style "tool" that keeps the host awake and locked rather than with a conventional stealer, although nothing on this page shows what the Python code does beyond these commands.
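Because the power-scheme changes persist after the process is gone, incident responders need a host-side check rather than a process-tree one. The following is an added example, not the report's or the sample's code: it parses the output of `powercfg /query SCHEME_CURRENT` and flags the exact state the sample leaves behind (button and lid actions at 0, Allow Away Mode on, display timeout 0). SAMPLE_OUTPUT is constructed to mimic a host after TOOL.exe ran; the GUIDs for the "no subgroup", Display and "Turn off display after" entries are assumed from powercfg's aliases, and the claim that a setting hidden with +ATTRIB_HIDE may be missing from the listing is an assumption, handled by reporting the absence.

```python
"""Audit the active power scheme for the tampering in this report. Added
example, not the report's or the sample's code. SAMPLE_OUTPUT is a constructed
`powercfg /query SCHEME_CURRENT` listing for a host after TOOL.exe ran."""
import re
import subprocess

PBUTTONACTION = "7648efa3-dd9c-4e3e-b566-50f929386280"  # Power button action (from the report)
LIDACTION = "5ca83367-6e45-459f-a27b-476b1d01c936"     # Lid close action (from the report)
AWAYMODE = "f15576e8-98b7-4186-b944-eafa664402d9"      # Allow Away Mode Policy (from the report)
VIDEOIDLE = "3c0bc021-c8a8-4e07-a973-6b14cbcb2b7e"     # Turn off display after (assumed GUID)

SAMPLE_OUTPUT = """\
Power Scheme GUID: 381b4222-f694-41f0-9685-ff5bb260df2e  (Balanced)
  Subgroup GUID: fea3413e-7e05-4911-9a71-700331f1c294  (Settings belonging to no subgroup)
    Power Setting GUID: f15576e8-98b7-4186-b944-eafa664402d9  (Allow Away Mode Policy)
      Possible Setting Index: 000
      Possible Setting Friendly Name: No
      Possible Setting Index: 001
      Possible Setting Friendly Name: Yes
    Current AC Power Setting Index: 0x00000001
    Current DC Power Setting Index: 0x00000001

  Subgroup GUID: 4f971e89-eebd-4455-a8de-9e59040e7347  (Power buttons and lid)
    Power Setting GUID: 7648efa3-dd9c-4e3e-b566-50f929386280  (Power button action)
      Possible Setting Index: 000
      Possible Setting Friendly Name: Do nothing
      Possible Setting Index: 003
      Possible Setting Friendly Name: Shut down
    Current AC Power Setting Index: 0x00000000
    Current DC Power Setting Index: 0x00000000

    Power Setting GUID: 5ca83367-6e45-459f-a27b-476b1d01c936  (Lid close action)
      Possible Setting Index: 000
      Possible Setting Friendly Name: Do nothing
    Current AC Power Setting Index: 0x00000000
    Current DC Power Setting Index: 0x00000000

  Subgroup GUID: 7516b95f-f776-4464-8c53-06167f40cc99  (Display)
    Power Setting GUID: 3c0bc021-c8a8-4e07-a973-6b14cbcb2b7e  (Turn off display after)
      Possible Settings units: Seconds
    Current AC Power Setting Index: 0x00000000
    Current DC Power Setting Index: 0x00000000
"""

GUID = r"([0-9a-f-]{36})"


def parse_powercfg_query(text):
    """Return {setting_guid: {"subgroup", "name", "ac", "dc"}} from a powercfg /query listing."""
    settings, subgroup, current = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Subgroup GUID:\s*" + GUID + r"\s*(?:\((.*)\))?", line, re.I)
        if m:
            subgroup = m.group(1).lower()
            continue
        m = re.match(r"Power Setting GUID:\s*" + GUID + r"\s*(?:\((.*)\))?", line, re.I)
        if m:
            current = m.group(1).lower()
            settings[current] = {"subgroup": subgroup, "name": m.group(2) or "", "ac": None, "dc": None}
            continue
        m = re.match(r"Current (AC|DC) Power Setting Index:\s*0x([0-9a-f]+)", line, re.I)
        if m and current:
            settings[current][m.group(1).lower()] = int(m.group(2), 16)
    return settings


def audit(settings):
    """Findings that match the state TOOL.exe leaves behind; empty list means clean."""
    findings = []
    for guid, label in ((PBUTTONACTION, "power button action"), (LIDACTION, "lid close action")):
        s = settings.get(guid)
        if s is None:
            # assumption: a setting hidden with +ATTRIB_HIDE may be absent from the
            # listing; unhide it (powercfg -attributes <sub> <setting> -ATTRIB_HIDE) and re-run
            findings.append(f"{label} ({guid}) not listed: check for +ATTRIB_HIDE")
            continue
        for src in ("ac", "dc"):
            if s[src] == 0:
                findings.append(f"{label} on {src.upper()} is 0 (Do nothing)")
    s = settings.get(AWAYMODE)
    if s and 1 in (s["ac"], s["dc"]):
        findings.append("Allow Away Mode Policy is enabled")
    s = settings.get(VIDEOIDLE)
    if s and 0 in (s["ac"], s["dc"]):
        findings.append("display timeout is 0 (screen never turns off)")
    return findings


def audit_live():
    """Windows only: query the real active scheme and audit it."""
    out = subprocess.run(["powercfg", "/query", "SCHEME_CURRENT"],
                         capture_output=True, text=True, check=True)
    return audit(parse_powercfg_query(out.stdout))


if __name__ == "__main__":
    for finding in audit(parse_powercfg_query(SAMPLE_OUTPUT)):
        print(finding)
```

Restoring the settings is the inverse of the tree above (`powercfg -attributes ... -ATTRIB_HIDE` to unhide, then `-setacvalueindex` / `-setdcvalueindex` back to the organisation's baseline); the audit deliberately reports rather than repairs, since the correct baseline values are not something the report can tell you.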
Downloads

Files written by the sample. All of them sit under C:\Users\Admin\AppData\Local\Temp\_MEI9322\, the runtime extraction directory of a PyInstaller "onefile" build (Python 3.8, 64-bit; the _MEI directory name carries the PID of the extracting process). The sandbox lists every file a second time under the drive-less path \Users\Admin\AppData\Local\Temp\_MEI9322\...; those duplicate entries are omitted here. The bundled modules show what the Python code can import, not necessarily what it used in this run: PyCryptodome (Crypto\*), PyAudio (_portaudio), pywin32 (win32api, win32gui, pythoncom38, pywintypes38), sqlite3, ssl with its own OpenSSL 1.1 and certificate store.

- C:\Users\Admin\AppData\Local\Temp\_MEI9322\Crypto\Cipher\_Salsa20.cp38-win_amd64.pyd
- C:\Users\Admin\AppData\Local\Temp\_MEI9322\Crypto\Cipher\_raw_aes.cp38-win_amd64.pyd
- C:\Users\Admin\AppData\Local\Temp\_MEI9322\Crypto\Cipher\_raw_cbc.cp38-win_amd64.pyd
- C:\Users\Admin\AppData\Local\Temp\_MEI9322\Crypto\Cipher\_raw_cfb.cp38-win_amd64.pyd
- C:\Users\Admin\AppData\Local\Temp\_MEI9322\Crypto\Cipher\_raw_ctr.cp38-win_amd64.pyd
- C:\Users\Admin\AppData\Local\Temp\_MEI9322\Crypto\Cipher\_raw_ecb.cp38-win_amd64.pyd
- C:\Users\Admin\AppData\Local\Temp\_MEI9322\Crypto\Cipher\_raw_ocb.cp38-win_amd64.pyd
- C:\Users\Admin\AppData\Local\Temp\_MEI9322\Crypto\Cipher\_raw_ofb.cp38-win_amd64.pyd
- C:\Users\Admin\AppData\Local\Temp\_MEI9322\Crypto\Hash\_BLAKE2s.cp38-win_amd64.pyd
- C:\Users\Admin\AppData\Local\Temp\_MEI9322\Crypto\Hash\_MD5.cp38-win_amd64.pyd
- C:\Users\Admin\AppData\Local\Temp\_MEI9322\Crypto\Hash\_SHA1.cp38-win_amd64.pyd
- C:\Users\Admin\AppData\Local\Temp\_MEI9322\Crypto\Hash\_SHA256.cp38-win_amd64.pyd
- C:\Users\Admin\AppData\Local\Temp\_MEI9322\Crypto\Hash\_ghash_portable.cp38-win_amd64.pyd
- C:\Users\Admin\AppData\Local\Temp\_MEI9322\Crypto\Protocol\_scrypt.cp38-win_amd64.pyd
- C:\Users\Admin\AppData\Local\Temp\_MEI9322\Crypto\Util\_cpuid_c.cp38-win_amd64.pyd
- C:\Users\Admin\AppData\Local\Temp\_MEI9322\Crypto\Util\_strxor.cp38-win_amd64.pyd
- C:\Users\Admin\AppData\Local\Temp\_MEI9322\TOOL.exe.manifest
- C:\Users\Admin\AppData\Local\Temp\_MEI9322\VCRUNTIME140.dll
- C:\Users\Admin\AppData\Local\Temp\_MEI9322\_bz2.pyd
- C:\Users\Admin\AppData\Local\Temp\_MEI9322\_ctypes.pyd
- C:\Users\Admin\AppData\Local\Temp\_MEI9322\_hashlib.pyd
- C:\Users\Admin\AppData\Local\Temp\_MEI9322\_lzma.pyd
- C:\Users\Admin\AppData\Local\Temp\_MEI9322\_portaudio.cp38-win_amd64.pyd
- C:\Users\Admin\AppData\Local\Temp\_MEI9322\_queue.pyd
- C:\Users\Admin\AppData\Local\Temp\_MEI9322\_socket.pyd
- C:\Users\Admin\AppData\Local\Temp\_MEI9322\_sqlite3.pyd
- C:\Users\Admin\AppData\Local\Temp\_MEI9322\_ssl.pyd
- C:\Users\Admin\AppData\Local\Temp\_MEI9322\base_library.zip
- C:\Users\Admin\AppData\Local\Temp\_MEI9322\certifi\cacert.pem
- C:\Users\Admin\AppData\Local\Temp\_MEI9322\libcrypto-1_1.dll
- C:\Users\Admin\AppData\Local\Temp\_MEI9322\libffi-7.dll
- C:\Users\Admin\AppData\Local\Temp\_MEI9322\libssl-1_1.dll
- C:\Users\Admin\AppData\Local\Temp\_MEI9322\python38.dll
- C:\Users\Admin\AppData\Local\Temp\_MEI9322\pythoncom38.dll
- C:\Users\Admin\AppData\Local\Temp\_MEI9322\pywintypes38.dll
- C:\Users\Admin\AppData\Local\Temp\_MEI9322\select.pyd
- C:\Users\Admin\AppData\Local\Temp\_MEI9322\sqlite3.dll
- C:\Users\Admin\AppData\Local\Temp\_MEI9322\unicodedata.pyd
- C:\Users\Admin\AppData\Local\Temp\_MEI9322\win32api.pyd
- C:\Users\Admin\AppData\Local\Temp\_MEI9322\win32gui.pyd
Memory dumps (the "mapping" entries record a process creation; the two "memory" entries are dumped regions with their sizes):

- memory/540-125-0x0000000000000000-mapping.dmp
- memory/540-92-0x0000000000000000-mapping.dmp
- memory/740-122-0x0000000000000000-mapping.dmp
- memory/788-85-0x0000000000000000-mapping.dmp
- memory/1004-0-0x0000000000000000-mapping.dmp
- memory/1052-89-0x0000000000000000-mapping.dmp
- memory/1052-103-0x000007FFFFF90000-0x000007FFFFFA0000-memory.dmp (64KB)
- memory/1052-90-0x0000000000000000-mapping.dmp
- memory/1160-109-0x0000000000000000-mapping.dmp
- memory/1180-110-0x0000000000000000-mapping.dmp
- memory/1220-115-0x0000000000000000-mapping.dmp
- memory/1356-83-0x0000000000000000-mapping.dmp
- memory/1396-114-0x0000000000000000-mapping.dmp
- memory/1400-124-0x0000000000000000-mapping.dmp
- memory/1444-118-0x0000000000000000-mapping.dmp
- memory/1484-112-0x0000000000000000-mapping.dmp
- memory/1556-120-0x0000000000000000-mapping.dmp
- memory/1560-126-0x0000000000000000-mapping.dmp
- memory/1636-111-0x0000000000000000-mapping.dmp
- memory/1668-121-0x0000000000000000-mapping.dmp
- memory/1676-41-0x0000000000000000-mapping.dmp
- memory/1692-129-0x0000000000000000-mapping.dmp
- memory/1760-40-0x0000000000000000-mapping.dmp
- memory/1768-39-0x0000000000000000-mapping.dmp
- memory/1784-123-0x0000000000000000-mapping.dmp
- memory/1784-86-0x0000000000000000-mapping.dmp
- memory/1792-38-0x0000000000000000-mapping.dmp
- memory/1800-108-0x0000000000000000-mapping.dmp
- memory/1824-130-0x0000000000000000-mapping.dmp
- memory/1876-94-0x0000000000000000-mapping.dmp
- memory/1876-93-0x0000000000000000-mapping.dmp
- memory/1900-87-0x0000000000000000-mapping.dmp
- memory/1904-119-0x0000000000000000-mapping.dmp
- memory/1908-116-0x0000000000000000-mapping.dmp
- memory/1948-117-0x0000000000000000-mapping.dmp
- memory/2008-91-0x000007FEF7100000-0x000007FEF737A000-memory.dmp (2.5MB)
- memory/2008-84-0x0000000000000000-mapping.dmp
- memory/2016-113-0x0000000000000000-mapping.dmp
- memory/2016-88-0x0000000000000000-mapping.dmp
- memory/2020-82-0x0000000000000000-mapping.dmp
- memory/2028-128-0x0000000000000000-mapping.dmp
- memory/2040-127-0x0000000000000000-mapping.dmp