Analysis

  • max time kernel
    161s
  • max time network
    190s
  • platform
    windows10_x64
  • resource
    win10-en-20211014
  • submitted
    07-12-2021 20:50

General

  • Target

    vaccine.exe

  • Size

    7.6MB

  • MD5

    51036ffd690fc0b4c9d32a7f014e2225

  • SHA1

    1a51a798ac54a271bdef2b15f2fbfec80299128b

  • SHA256

    70732fc71c82134f96999b191de22feba361d1f3f4050a22f2160273fd1d316a

  • SHA512

    927863d1e53b1b73a1a0773029593943ee90ccb2810c52fa15841bc5569ac8171efc218dd866d55847381fc573dc8c356d8282c16fc1b764b75481d6f1556f62

Malware Config

Extracted

Family

djvu

C2

http://tzgl.org/fhsgtsspen6/get.php

Attributes
  • extension

    .wnlu

  • offline_id

    gYuqQ5GsAaJom08TivUVhlPzZDKd916x4NcXrWt1

    The trailing "t1" marks this as a Djvu offline ID: it is used when the sample cannot reach the C2, and the matching key is built into the sample rather than generated per victim, so a victim whose personal ID ends in "t1" shares that key with every other victim of the same build.

  • payload_url

    http://kotob.top/dl/build2.exe

    http://tzgl.org/files/1/build3.exe

  • ransomnote

    ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-m8LBBi8x8F Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0357Sigrj

  • rsa_pubkey.plain

Signatures

  • Detected Djvu ransomware 8 IoCs
  • Djvu Ransomware

    Djvu is a variant of the STOP ransomware family. The extracted config above (C2 get.php endpoint, encrypted-file extension, offline_id, second-stage payload URLs and ransom note) is the standard Djvu configuration. In this run the Djvu behaviour comes from 4DB3.bin.exe, not directly from the submitted vaccine.exe.

  • Executes dropped EXE 2 IoCs

    The copy of 4DB3.bin.exe placed in C:\Users\Admin\AppData\Local\513b8a35-fb49-4f26-ad22-01723969190a\ and started with --Task (PIDs 3316 and 2120).

  • Loads dropped DLL 9 IoCs

    The DLLs listed under Downloads in C:\Users\Admin\AppData\Local\Temp\_MEI19202\ (python39.dll, VCRUNTIME140.dll, ucrtbase.dll, libffi-7.dll, pywintypes39.dll and the .pyd extension modules) are the PyInstaller runtime unpacked by vaccine.exe (PID 1920) and loaded by its child (PID 872): the submitted file is a PyInstaller-packaged Python 3.9 program. The Djvu payload 4DB3.bin.exe appears in the same Temp directory during the run.

  • Modifies file permissions 1 TTPs 1 IoCs

    icacls (PID 3656) denies Everyone (S-1-1-0) the Delete and Delete Subfolders and Files rights, inherited by all children ((OI)(CI)), on the 513b8a35-... directory holding the persistent copy, so the copy cannot be deleted by an ordinary user until the deny ACE is removed.

  • Adds Run key to start application 2 TTPs 1 IoCs

    Written by the second 4DB3.bin.exe instance (PID 1748).

  • Looks up external IP address via web service 4 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 1 IoCs

    Fired on mmc.exe loading taskschd.msc (PID 588), not on the sample.

  • Suspicious use of SetThreadContext 3 IoCs

    Fired on the three 4DB3.bin.exe parents (PIDs 3776, 3180, 3316). Each also uses WriteProcessMemory and spawns a second copy of itself with an identical command line, a pattern consistent with the process hollowing its own child.

  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments. In this run the hits are in firefox.exe (PID 396), so they belong to the browser, not to the sample.

  • Modifies registry class 1 IoCs

    Also in firefox.exe (PID 396).

  • Opens file in notepad (likely ransom note) 3 IoCs

    C:\Users\Admin\AppData\Local\bowsakkdestx.txt (PIDs 4016 and 4248) and C:\SystemID\PersonalID.txt (PID 2960); both files are listed with hashes under Downloads.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

    In the process tree, GetForegroundWindowSpam, AdjustPrivilegeToken, FindShellTrayWindow, SendNotifyMessage and SetWindowsHookEx are shown only on mmc.exe (PID 588) and firefox.exe (PIDs 396); WriteProcessMemory and EnumeratesProcesses are the ones shown on vaccine.exe and 4DB3.bin.exe (WriteProcessMemory also on firefox.exe).

Processes

  • C:\Users\Admin\AppData\Local\Temp\vaccine.exe
    "C:\Users\Admin\AppData\Local\Temp\vaccine.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1920
    • C:\Users\Admin\AppData\Local\Temp\vaccine.exe
      "C:\Users\Admin\AppData\Local\Temp\vaccine.exe"
      2⤵
      • Loads dropped DLL
      PID:872
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:612
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\bowsakkdestx.txt
    1⤵
    • Opens file in notepad (likely ransom note)
    PID:4016
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c82192ee-6cb5-4bc0-9ef0-fb818773790a} -Embedding
    1⤵
    PID:1544
  • C:\Users\Admin\AppData\Local\Temp\4DB3.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\4DB3.bin.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3776
    • C:\Users\Admin\AppData\Local\Temp\4DB3.bin.exe
      "C:\Users\Admin\AppData\Local\Temp\4DB3.bin.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1748
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Users\Admin\AppData\Local\513b8a35-fb49-4f26-ad22-01723969190a" /deny *S-1-1-0:(OI)(CI)(DE,DC)
        3⤵
        • Modifies file permissions
        PID:3656
      • C:\Users\Admin\AppData\Local\Temp\4DB3.bin.exe
        "C:\Users\Admin\AppData\Local\Temp\4DB3.bin.exe" --Admin IsNotAutoStart IsNotTask
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:3180
        • C:\Users\Admin\AppData\Local\Temp\4DB3.bin.exe
          "C:\Users\Admin\AppData\Local\Temp\4DB3.bin.exe" --Admin IsNotAutoStart IsNotTask
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:2864
  • C:\Windows\system32\mmc.exe
    "C:\Windows\system32\mmc.exe" "C:\Windows\system32\taskschd.msc" /s
    1⤵
    • Drops file in System32 directory
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:588
  • C:\Users\Admin\AppData\Local\513b8a35-fb49-4f26-ad22-01723969190a\4DB3.bin.exe
    C:\Users\Admin\AppData\Local\513b8a35-fb49-4f26-ad22-01723969190a\4DB3.bin.exe --Task
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3316
    • C:\Users\Admin\AppData\Local\513b8a35-fb49-4f26-ad22-01723969190a\4DB3.bin.exe
      C:\Users\Admin\AppData\Local\513b8a35-fb49-4f26-ad22-01723969190a\4DB3.bin.exe --Task
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2120
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\SystemID\PersonalID.txt
    1⤵
    • Opens file in notepad (likely ransom note)
    PID:2960
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1708
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:396
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="396.0.1054563617\796533176" -parentBuildID 20200403170909 -prefsHandle 1524 -prefMapHandle 1516 -prefsLen 1 -prefMapSize 219631 -appdir "C:\Program Files\Mozilla Firefox\browser" - 396 "\\.\pipe\gecko-crash-server-pipe.396" 1604 gpu
        3⤵
        PID:4020
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="396.3.2105440387\1649840980" -childID 1 -isForBrowser -prefsHandle 2248 -prefMapHandle 2244 -prefsLen 156 -prefMapSize 219631 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 396 "\\.\pipe\gecko-crash-server-pipe.396" 2124 tab
        3⤵
        PID:3624
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="396.13.1729195623\1005489675" -childID 2 -isForBrowser -prefsHandle 3344 -prefMapHandle 3100 -prefsLen 7013 -prefMapSize 219631 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 396 "\\.\pipe\gecko-crash-server-pipe.396" 3360 tab
        3⤵
        PID:956
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="396.20.289056338\70033390" -childID 3 -isForBrowser -prefsHandle 3956 -prefMapHandle 3932 -prefsLen 7718 -prefMapSize 219631 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 396 "\\.\pipe\gecko-crash-server-pipe.396" 4320 tab
        3⤵
        PID:4124
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\bowsakkdestx.txt
    1⤵
    • Opens file in notepad (likely ransom note)
    PID:4248
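The chain in the process tree above is detectable from process-creation and registry telemetry without a family signature: a process re-launching itself with an identical command line (the SetThreadContext/WriteProcessMemory parents), icacls denying Everyone delete on a GUID-named directory under %LOCALAPPDATA%, the `--Admin IsNotAutoStart IsNotTask` / `--Task` switches, and a Run key pointing into that directory. The following Python is an added example, not part of the sandbox report or of any tool it names. It runs the four rules over a constructed event list that mirrors the tree: PIDs, images and command lines are copied from the report; the field names, the ppid 0 placeholder for processes whose parent the report does not show, and the Run-key value name and data are assumptions.

```python
"""Triage rules for the Djvu/STOP execution chain in the process tree above.

Added example, not part of the sandbox report. EVENTS is a constructed list of
Sysmon-style process-creation and registry-set records mirroring the tree; the
record schema and the Run-key value name/data are assumptions.
"""
import re

# %LOCALAPPDATA%\<GUID>\ : the directory the payload copies itself into
GUID_DIR = re.compile(
    r"\\AppData\\Local\\[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}\\", re.IGNORECASE
)
# icacls "<dir>" /deny *S-1-1-0:(OI)(CI)(DE,DC) : Everyone denied delete + delete-child, inherited
ICACLS_DENY = re.compile(
    r'icacls\s+"([^"]+)"\s+/deny\s+\*S-1-1-0:\(OI\)\(CI\)\(DE,DC\)', re.IGNORECASE
)
# switches the payload passes to the copies of itself in the report
DJVU_SWITCHES = ("--Admin IsNotAutoStart IsNotTask", "--Task")
RUN_KEY = re.compile(r"\\CurrentVersion\\Run$", re.IGNORECASE)

T = r"C:\Users\Admin\AppData\Local\Temp\4DB3.bin.exe"
G = r"C:\Users\Admin\AppData\Local\513b8a35-fb49-4f26-ad22-01723969190a\4DB3.bin.exe"

EVENTS = [  # constructed from the Processes section; ppid 0 = parent not shown in the report
    {"type": "process", "pid": 3776, "ppid": 0, "image": T, "cmd": f'"{T}"'},
    {"type": "process", "pid": 1748, "ppid": 3776, "image": T, "cmd": f'"{T}"'},
    {"type": "process", "pid": 3656, "ppid": 1748, "image": r"C:\Windows\SysWOW64\icacls.exe",
     "cmd": r'icacls "C:\Users\Admin\AppData\Local\513b8a35-fb49-4f26-ad22-01723969190a" /deny *S-1-1-0:(OI)(CI)(DE,DC)'},
    {"type": "process", "pid": 3180, "ppid": 1748, "image": T, "cmd": f'"{T}" --Admin IsNotAutoStart IsNotTask'},
    {"type": "process", "pid": 2864, "ppid": 3180, "image": T, "cmd": f'"{T}" --Admin IsNotAutoStart IsNotTask'},
    # the report only says PID 1748 wrote a Run key; value name and data are assumed
    {"type": "registry", "pid": 1748, "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "example_value", "data": f'"{G}"'},
    {"type": "process", "pid": 3316, "ppid": 0, "image": G, "cmd": f"{G} --Task"},
    {"type": "process", "pid": 2120, "ppid": 3316, "image": G, "cmd": f"{G} --Task"},
    {"type": "process", "pid": 4016, "ppid": 612, "image": r"C:\Windows\system32\NOTEPAD.EXE",
     "cmd": r'"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\bowsakkdestx.txt'},
]


def self_spawns(events):
    """(parent_pid, child_pid) pairs where parent and child have the same image AND
    command line: the re-launch that precedes SetThreadContext/WriteProcessMemory
    on every 4DB3.bin.exe parent in the tree (a hollowing setup)."""
    procs = [e for e in events if e["type"] == "process"]
    by_pid = {e["pid"]: e for e in procs}
    pairs = []
    for child in procs:
        parent = by_pid.get(child["ppid"])
        if parent and parent["image"].lower() == child["image"].lower() and parent["cmd"] == child["cmd"]:
            pairs.append((parent["pid"], child["pid"]))
    return pairs


def acl_lockdowns(events):
    """(pid, dir) for icacls runs that deny Everyone delete on a %LOCALAPPDATA%\\<GUID> dir."""
    hits = []
    for e in events:
        if e["type"] != "process":
            continue
        m = ICACLS_DENY.search(e["cmd"])
        if m and GUID_DIR.search(m.group(1) + "\\"):
            hits.append((e["pid"], m.group(1)))
    return hits


def djvu_switches(events):
    """PIDs whose command line ends with one of the payload's self-invocation switches."""
    return [e["pid"] for e in events
            if e["type"] == "process" and any(e["cmd"].endswith(s) for s in DJVU_SWITCHES)]


def run_keys_into_guid_dir(events):
    """(pid, value_name) for Run-key values whose data points into a %LOCALAPPDATA%\\<GUID> dir."""
    return [(e["pid"], e["value"]) for e in events
            if e["type"] == "registry" and RUN_KEY.search(e["key"]) and GUID_DIR.search(e["data"])]


def triage(events):
    return {
        "self_spawn": self_spawns(events),
        "acl_lockdown": acl_lockdowns(events),
        "djvu_switch": djvu_switches(events),
        "run_key": run_keys_into_guid_dir(events),
    }


if __name__ == "__main__":
    for rule, hits in triage(EVENTS).items():
        print(f"{rule}: {hits}")
```

On a live host, replace EVENTS with Sysmon Event ID 1 (process create) and Event ID 13 (registry value set) records mapped to the same fields. The self-spawn rule is the noisiest of the four on its own (browsers and installers re-launch themselves too), so treat it as corroboration for the other three rather than an alert by itself; the icacls deny pattern and the `--Task` / `--Admin IsNotAutoStart IsNotTask` switches are specific enough to alert on directly.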

              Network

              MITRE ATT&CK Matrix (ATT&CK v6)

              Persistence
                • T1060 Registry Run Keys / Startup Folder (1)

              Defense Evasion
                • T1222 File Permissions Modification (1)
                • T1112 Modify Registry (1)

              Discovery
                • T1012 Query Registry (1)
                • T1082 System Information Discovery (1)


              Downloads

              • C:\SystemID\PersonalID.txt
                MD5

                47f4765154cf29db1151e031ec30c7be

                SHA1

                2ea01d44388a1618aab334346eace27d137ae870

                SHA256

                99e78dcc99f522bf13c5ae6cbd55c2eaa23dd1cca29dde4402f5b86b8bf811c6

                SHA512

                b896a7049c771ebc0b6553ea050ae66f4ca5903592a4039287aba2f61f0e976f8ae7afd5efdaa3b29bc8dd8e2977804c0b50e43ee02898a7853508c94391b4bf

              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
                MD5

                dfd1d8c11c8e104d9ca31b6b589fb717

                SHA1

                50e4a082219aa5c4e2376f1e9910a748287bef36

                SHA256

                7e5518f47ccc38390147991b40a3addde74cb52264f8808cf1088f5f711e2345

                SHA512

                31fea2c3cd0ad810a7a298251571ef14ac2445f8fe1fc5e806f26378a9397c47a04790b9a3c5a02af83c0e572878e7d6c59c7751a8be012902c1c86b699dd216

              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
                MD5

                0ffb91dc0ac91e9630245216a5677aff

                SHA1

                d861ae5652a25d5f0396178818058150adf00273

                SHA256

                b88d9ca03ea0f1c5900d203f3e416f0fa159823801358261823b5898cd97fe6b

                SHA512

                063f2bce3ead49f7bd9a7c8aa21161f78a25362034c2973f4d4721001f475296b7aee221801b7dc28a342bb5f4688be58c999ff13e777a19d8eb8147a75bcbc5

              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
                MD5

                774d0b3923673e3625696675075617b5

                SHA1

                3404e701510a43cb9f8d5f858069e135a7b34381

                SHA256

                17d9b584889159e6561ac1cc2802145b7df73de5b5e89aa1571daba34a8f7fd9

                SHA512

                293224af129d5449f6e4d202afade72050b37a258cee34c6a47d51d739ba339bd749e1fdb4cca7d0fa06922653cb29aaa6b3c18185f24eff533caa84cdca30e2

              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
                MD5

                ae7c1a624aa7175aac9b337826638354

                SHA1

                e7b9435a1bc24fe99cbdde1bec26fa24cca57814

                SHA256

                8e6e084651e7b4c33a934d2c4829dc9a0e553c516f412dee917a7d673aafa390

                SHA512

                a9961787d8694b9f88d5639e99fc758b63e25b796d1094a0a53db5bc6bbc9a3646f6449c91d8b347232f9aa1eb815daaebe140ffdd2d1056d2b68478ce6526b6

              • C:\Users\Admin\AppData\Local\513b8a35-fb49-4f26-ad22-01723969190a\4DB3.bin.exe
                MD5

                ce492cc2d9bff6b9c1455b1d68776e77

                SHA1

                fd40c16d8de20f934e2f39cb12a6f5e30e859606

                SHA256

                234bb5fec4db69b563c807f168bfb48e37abde49e9ae5d4a7ee4cb90e552fa1e

                SHA512

                a1365398ba4f261f565b0365ddaa586f0a0eb51e86ccc831aba5e6a5dddf166e2c94e92d3fef0cbb897a0ae710328aef23730b59ab307cb0d58cc250df6e4243


              • C:\Users\Admin\AppData\Local\Temp\_MEI19202\VCRUNTIME140.dll
                MD5

                11d9ac94e8cb17bd23dea89f8e757f18

                SHA1

                d4fb80a512486821ad320c4fd67abcae63005158

                SHA256

                e1d6f78a72836ea120bd27a33ae89cbdc3f3ca7d9d0231aaa3aac91996d2fa4e

                SHA512

                aa6afd6bea27f554e3646152d8c4f96f7bcaaa4933f8b7c04346e410f93f23cfa6d29362fd5d51ccbb8b6223e094cd89e351f072ad0517553703f5bf9de28778

              • C:\Users\Admin\AppData\Local\Temp\_MEI19202\_ctypes.pyd
                MD5

                7ab242d7c026dad5e5837b4579bd4eda

                SHA1

                b3ff01b8b3da2b3a9c37bfffafc4fb9ee957cc0f

                SHA256

                1548506345d220d68e9089b9a68b42a9d796141eb6236e600283951cb206eaa1

                SHA512

                1dd09cf14c87f60b42e5e56d0104154513902c9bfa23eef76a92f4a96c2356b2812dd6eee5e9a74d5ed078ade5f8f6d1f1b01961d7efadfebb543d71c2d31a30

              • C:\Users\Admin\AppData\Local\Temp\_MEI19202\_socket.pyd
                MD5

                4b2f1faab9e55a65afa05f407c92cab4

                SHA1

                1e5091b09fc0305cf29ec2e715088e7f46ccbbd4

                SHA256

                241db349093604ab25405402ba8c4212016657c7e6a10edd3110abeb1cc2e1ba

                SHA512

                68070db39cd14841bcd49db1acf19806b0aa4b4ac4c56518b3a3baddaac1cd533f0b3ef70a378f53d65c0d6c0f745a6102b63303ea7978c79f688c787efe9cc3

              • C:\Users\Admin\AppData\Local\Temp\_MEI19202\base_library.zip
                MD5

                935ecbb6c183daa81c0ac65c013afd67

                SHA1

                0d870c56a1a9be4ce0f2d07d5d4335e9239562d1

                SHA256

                7ae17d6eb5d9609dc8fc67088ab915097b4de375e286998166f931da5394d466

                SHA512

                a9aac82ab72c06cfff1f1e34bf0f13cbf0d7f0dc53027a9e984b551c602d58d785c374b02238e927e7b7d69c987b1e8ab34bfc734c773ef23d35b0bdb25e99cb

              • C:\Users\Admin\AppData\Local\Temp\_MEI19202\libffi-7.dll
                MD5

                eef7981412be8ea459064d3090f4b3aa

                SHA1

                c60da4830ce27afc234b3c3014c583f7f0a5a925

                SHA256

                f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

                SHA512

                dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

              • C:\Users\Admin\AppData\Local\Temp\_MEI19202\python39.dll
                MD5

                7e9d14aa762a46bb5ebac14fbaeaa238

                SHA1

                a5d90a7df9b90bdd8a84d7dc5066e4ea64ceb3d9

                SHA256

                e456ef44b261f895a01efb52d26c7a0c7d7d465b647a7b5592708ebf693f12a3

                SHA512

                280f16348df1c0953bbc6f37ff277485351171d0545ebe469bacd106d907917f87584154aec0f193f37322bc93ac5433cd9a5b5c7f47367176e5a8b19bbd5023

              • C:\Users\Admin\AppData\Local\Temp\_MEI19202\pywintypes39.dll
                MD5

                977f7ef232671b94251d8eaddd15390d

                SHA1

                97d9035a5f21df0267f4ae8cd203a92917aab970

                SHA256

                4ece6771f1206b99dba4e5cf988051472f530bf90bb3114d3fd7377b3f34dfa6

                SHA512

                1f556c661d3dd963cd563230a1ac1707905ffbfb3d76081f3dd316b40ce55ce1bfcc431f744de98ab3249760d4386cccd54a483b01f98017ff75c6603d316988

              • C:\Users\Admin\AppData\Local\Temp\_MEI19202\select.pyd
                MD5

                f8f5a047b98309d425fd06b3b41b16e4

                SHA1

                2a44819409199b47f11d5d022e6bb1d5d1e77aea

                SHA256

                5361da714a61f99136737630d50fa4e975d76f5de75e181af73c5a23a2b49012

                SHA512

                f0a96790fcdabf02b452f5c6b27604f5a10586b4bf759994e6d636cc55335026631fa302e209a53f5e454bea03b958b6d662e0be91fa64ce187a7dc5d35a9aa9

              • C:\Users\Admin\AppData\Local\Temp\_MEI19202\ucrtbase.dll
                MD5

                0e0bac3d1dcc1833eae4e3e4cf83c4ef

                SHA1

                4189f4459c54e69c6d3155a82524bda7549a75a6

                SHA256

                8a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae

                SHA512

                a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd

              • C:\Users\Admin\AppData\Local\Temp\_MEI19202\win32api.pyd
                MD5

                0afa0ac73c1659570e529f51f3a0d8c6

                SHA1

                f4f7d659bcac3409395aa92a72ba90d0c7db204f

                SHA256

                b541e3d53be2db7da8e1c16496958fc6c8034ccc8ac763fd00e4a6fbd1162944

                SHA512

                0bb76bd92cbbd8f1f42a309b9f17124136032a41f7e75977fff4e208794218ed01574c7253a75fa7254cfcdb5f7920ebd8847fff9e851c3a6559eb6ed80590fe

              • C:\Users\Admin\AppData\Local\bowsakkdestx.txt
                MD5

                06992dab50d0ce7f132ce61599b62ac6

                SHA1

                19b1fe7fb4ffe40db56fea6ed444687e831e7c57

                SHA256

                d4f3aaca71d19ce72340c6b320419d93fc6b12a0d009ffc6a88af535b5db4d91

                SHA512

                407a8efa93a2acff99045961c26e0a78935bc44a36bc478f6917e434e982110f426486684dd7fa9c622bcaab42c2590c6cbe077d4b124a9a9200811ffcb99310

              • \Users\Admin\AppData\Local\Temp\_MEI19202\VCRUNTIME140.dll
                MD5

                11d9ac94e8cb17bd23dea89f8e757f18

                SHA1

                d4fb80a512486821ad320c4fd67abcae63005158

                SHA256

                e1d6f78a72836ea120bd27a33ae89cbdc3f3ca7d9d0231aaa3aac91996d2fa4e

                SHA512

                aa6afd6bea27f554e3646152d8c4f96f7bcaaa4933f8b7c04346e410f93f23cfa6d29362fd5d51ccbb8b6223e094cd89e351f072ad0517553703f5bf9de28778

              • \Users\Admin\AppData\Local\Temp\_MEI19202\_ctypes.pyd
                MD5

                7ab242d7c026dad5e5837b4579bd4eda

                SHA1

                b3ff01b8b3da2b3a9c37bfffafc4fb9ee957cc0f

                SHA256

                1548506345d220d68e9089b9a68b42a9d796141eb6236e600283951cb206eaa1

                SHA512

                1dd09cf14c87f60b42e5e56d0104154513902c9bfa23eef76a92f4a96c2356b2812dd6eee5e9a74d5ed078ade5f8f6d1f1b01961d7efadfebb543d71c2d31a30

              • \Users\Admin\AppData\Local\Temp\_MEI19202\_socket.pyd
                MD5

                4b2f1faab9e55a65afa05f407c92cab4

                SHA1

                1e5091b09fc0305cf29ec2e715088e7f46ccbbd4

                SHA256

                241db349093604ab25405402ba8c4212016657c7e6a10edd3110abeb1cc2e1ba

                SHA512

                68070db39cd14841bcd49db1acf19806b0aa4b4ac4c56518b3a3baddaac1cd533f0b3ef70a378f53d65c0d6c0f745a6102b63303ea7978c79f688c787efe9cc3

              • \Users\Admin\AppData\Local\Temp\_MEI19202\libffi-7.dll
                MD5

                eef7981412be8ea459064d3090f4b3aa

                SHA1

                c60da4830ce27afc234b3c3014c583f7f0a5a925

                SHA256

                f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

                SHA512

                dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

              • \Users\Admin\AppData\Local\Temp\_MEI19202\python39.dll
                MD5

                7e9d14aa762a46bb5ebac14fbaeaa238

                SHA1

                a5d90a7df9b90bdd8a84d7dc5066e4ea64ceb3d9

                SHA256

                e456ef44b261f895a01efb52d26c7a0c7d7d465b647a7b5592708ebf693f12a3

                SHA512

                280f16348df1c0953bbc6f37ff277485351171d0545ebe469bacd106d907917f87584154aec0f193f37322bc93ac5433cd9a5b5c7f47367176e5a8b19bbd5023

              • \Users\Admin\AppData\Local\Temp\_MEI19202\pywintypes39.dll
                MD5

                977f7ef232671b94251d8eaddd15390d

                SHA1

                97d9035a5f21df0267f4ae8cd203a92917aab970

                SHA256

                4ece6771f1206b99dba4e5cf988051472f530bf90bb3114d3fd7377b3f34dfa6

                SHA512

                1f556c661d3dd963cd563230a1ac1707905ffbfb3d76081f3dd316b40ce55ce1bfcc431f744de98ab3249760d4386cccd54a483b01f98017ff75c6603d316988

              • \Users\Admin\AppData\Local\Temp\_MEI19202\select.pyd
                MD5

                f8f5a047b98309d425fd06b3b41b16e4

                SHA1

                2a44819409199b47f11d5d022e6bb1d5d1e77aea

                SHA256

                5361da714a61f99136737630d50fa4e975d76f5de75e181af73c5a23a2b49012

                SHA512

                f0a96790fcdabf02b452f5c6b27604f5a10586b4bf759994e6d636cc55335026631fa302e209a53f5e454bea03b958b6d662e0be91fa64ce187a7dc5d35a9aa9

              • \Users\Admin\AppData\Local\Temp\_MEI19202\ucrtbase.dll
                MD5

                0e0bac3d1dcc1833eae4e3e4cf83c4ef

                SHA1

                4189f4459c54e69c6d3155a82524bda7549a75a6

                SHA256

                8a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae

                SHA512

                a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd

              • \Users\Admin\AppData\Local\Temp\_MEI19202\win32api.pyd
                MD5

                0afa0ac73c1659570e529f51f3a0d8c6

                SHA1

                f4f7d659bcac3409395aa92a72ba90d0c7db204f

                SHA256

                b541e3d53be2db7da8e1c16496958fc6c8034ccc8ac763fd00e4a6fbd1162944

                SHA512

                0bb76bd92cbbd8f1f42a309b9f17124136032a41f7e75977fff4e208794218ed01574c7253a75fa7254cfcdb5f7920ebd8847fff9e851c3a6559eb6ed80590fe

              • memory/588-152-0x000000001C990000-0x000000001C992000-memory.dmp
                Filesize

                8KB

              • memory/588-160-0x000000001C998000-0x000000001C99A000-memory.dmp
                Filesize

                8KB

              • memory/588-159-0x000000001C99A000-0x000000001C99F000-memory.dmp
                Filesize

                20KB

              • memory/588-158-0x00007FF6029E0000-0x00007FF6029E1000-memory.dmp
                Filesize

                4KB

              • memory/588-157-0x000000001C997000-0x000000001C998000-memory.dmp
                Filesize

                4KB

              • memory/588-156-0x000000001C996000-0x000000001C997000-memory.dmp
                Filesize

                4KB

              • memory/588-155-0x000000001C995000-0x000000001C996000-memory.dmp
                Filesize

                4KB

              • memory/588-154-0x000000001C994000-0x000000001C995000-memory.dmp
                Filesize

                4KB

              • memory/588-153-0x000000001C992000-0x000000001C994000-memory.dmp
                Filesize

                8KB

              • memory/872-115-0x0000000000000000-mapping.dmp
              • memory/1748-139-0x0000000000424141-mapping.dmp
              • memory/1748-140-0x0000000000400000-0x0000000000537000-memory.dmp
                Filesize

                1.2MB

              • memory/1748-138-0x0000000000400000-0x0000000000537000-memory.dmp
                Filesize

                1.2MB

              • memory/2120-164-0x0000000000424141-mapping.dmp
              • memory/2120-166-0x0000000000400000-0x0000000000537000-memory.dmp
                Filesize

                1.2MB

              • memory/2864-147-0x0000000000400000-0x0000000000537000-memory.dmp
                Filesize

                1.2MB

              • memory/2864-146-0x0000000000424141-mapping.dmp
              • memory/3180-143-0x0000000000000000-mapping.dmp
              • memory/3180-144-0x0000000000636000-0x00000000006C8000-memory.dmp
                Filesize

                584KB

              • memory/3316-162-0x000000000211C000-0x00000000021AE000-memory.dmp
                Filesize

                584KB

              • memory/3656-141-0x0000000000000000-mapping.dmp
              • memory/3776-137-0x00000000022B0000-0x00000000023CB000-memory.dmp
                Filesize

                1.1MB

              • memory/3776-136-0x00000000020B2000-0x0000000002144000-memory.dmp
                Filesize

                584KB