Analysis

  • max time kernel
    4294231s
  • max time network
    139s
  • platform
    windows7_x64
  • resource
    win7-20220311-en
  • submitted
    25-03-2022 00:30

General

  • Target

    559440f61d38495c433fea442a58b4831422d52a04da1ef7f8e43b17a736a8fd.exe

  • Size

    10.0MB

  • MD5

    c8f1a1134ac0ccacb849b819e0435e11

  • SHA1

    ca4941cba333018c484418a42d7e2e3a6d2a380e

  • SHA256

    559440f61d38495c433fea442a58b4831422d52a04da1ef7f8e43b17a736a8fd

  • SHA512

    db570e14148c36db6eb8de41c48f65472ef83e18fa0804e39fd1e9b484f3d55240a447451c6d9b7149e58c4d714d91ddb4696c196e8008d8e3d4e31375a4504f

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\README.txt

Ransom Note
hey Down! Seems like you got hit by CoderWare ransomware! warning: take a screenshot of this place. If you lose the information here, you'll never get to us. and it would be impossible to get your dosys Don't Panic, you get have your files back! CoderWare uses a basic encryption script to lock your files.This type of ransomware is known as CRYPTO. You'll need a decryption key in order to unlock your files. Your files will be deleted when the timer runs out, so you better hurry.You have 10 hours to find your key When you pay >>> 1000$ <<< to the Bitcoin address below, you will need to send a single as proof to our e-mail address, and if the receipt is correct, your code to decrypt our files to your e-mail address. It will be sent back to you via e-mail. But you have to be quick for that. Because you have 10 hours. If you do not pay within 10 hours, your files will be permanently deleted. And it would be out of reach again. If you don't know how to get bitcoin. https://buy.moonpay.io can quickly get your credit or debit card online from the website. Please type the bitcoin address shown on the screen in the wallet field on the website. If you try to shut it down by force, you'll lose your dosys. because if you lose your bitcoin address, you won't be able to pay. and you'll never get your files back. email: [email protected] bitcion Adress : 336Fvf8fRrpySwq8gsaWdf7gfuGm5FQi8K telegram : @Codersan whatsap: +63 997 401 3126
Wallets

336Fvf8fRrpySwq8gsaWdf7gfuGm5FQi8K

Signatures

  • DemonWare

    Ransomware first seen in mid-2020.

  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 37 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Detects Pyinstaller 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\559440f61d38495c433fea442a58b4831422d52a04da1ef7f8e43b17a736a8fd.exe
    "C:\Users\Admin\AppData\Local\Temp\559440f61d38495c433fea442a58b4831422d52a04da1ef7f8e43b17a736a8fd.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:756
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\server.bat" "
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:564
      • C:\Users\Admin\AppData\Local\Temp\CyberPunk2077.sfx.exe
        CyberPunk2077.sfx.exe -p1234 -dC:\Users\Admin\AppData\Local\Temp
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:512
        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\CyberPunk2077.exe
          "C:\Users\Admin\AppData\Local\Temp\RarSFX0\CyberPunk2077.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:1468
          • C:\Users\Admin\AppData\Local\Temp\RarSFX0\CyberPunk2077.exe
            "C:\Users\Admin\AppData\Local\Temp\RarSFX0\CyberPunk2077.exe"
            5⤵
            • Drops file in Drivers directory
            • Executes dropped EXE
            • Loads dropped DLL
            • Drops file in System32 directory
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: RenamesItself
            • Suspicious use of AdjustPrivilegeToken
            PID:1208

Downloads

  • C:\Users\Admin\AppData\Local\Temp\CyberPunk2077.sfx.exe
  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\CyberPunk2077.exe
  • C:\Users\Admin\AppData\Local\Temp\_MEI14682\Crypto\Cipher\_Salsa20.cp36-win32.pyd
  • C:\Users\Admin\AppData\Local\Temp\_MEI14682\Crypto\Cipher\_raw_cbc.cp36-win32.pyd
  • C:\Users\Admin\AppData\Local\Temp\_MEI14682\Crypto\Cipher\_raw_cfb.cp36-win32.pyd
  • C:\Users\Admin\AppData\Local\Temp\_MEI14682\Crypto\Cipher\_raw_ctr.cp36-win32.pyd
  • C:\Users\Admin\AppData\Local\Temp\_MEI14682\Crypto\Cipher\_raw_ecb.cp36-win32.pyd
  • C:\Users\Admin\AppData\Local\Temp\_MEI14682\Crypto\Cipher\_raw_ofb.cp36-win32.pyd
  • C:\Users\Admin\AppData\Local\Temp\_MEI14682\Crypto\Hash\_BLAKE2s.cp36-win32.pyd
  • C:\Users\Admin\AppData\Local\Temp\_MEI14682\Crypto\Hash\_MD5.cp36-win32.pyd
  • C:\Users\Admin\AppData\Local\Temp\_MEI14682\Crypto\Hash\_SHA1.cp36-win32.pyd
  • C:\Users\Admin\AppData\Local\Temp\_MEI14682\Crypto\Hash\_SHA256.cp36-win32.pyd
  • C:\Users\Admin\AppData\Local\Temp\_MEI14682\Crypto\Protocol\_scrypt.cp36-win32.pyd
  • C:\Users\Admin\AppData\Local\Temp\_MEI14682\Crypto\Util\_strxor.cp36-win32.pyd
  • C:\Users\Admin\AppData\Local\Temp\_MEI14682\PIL\_imaging.cp36-win32.pyd
  • C:\Users\Admin\AppData\Local\Temp\_MEI14682\VCRUNTIME140.dll
  • C:\Users\Admin\AppData\Local\Temp\_MEI14682\_bz2.pyd
  • C:\Users\Admin\AppData\Local\Temp\_MEI14682\_ctypes.pyd
  • C:\Users\Admin\AppData\Local\Temp\_MEI14682\_elementtree.pyd
  • C:\Users\Admin\AppData\Local\Temp\_MEI14682\_hashlib.pyd
  • C:\Users\Admin\AppData\Local\Temp\_MEI14682\_lzma.pyd
  • C:\Users\Admin\AppData\Local\Temp\_MEI14682\_socket.pyd
  • C:\Users\Admin\AppData\Local\Temp\_MEI14682\_tkinter.pyd
  • C:\Users\Admin\AppData\Local\Temp\_MEI14682\base_library.zip
  • C:\Users\Admin\AppData\Local\Temp\_MEI14682\pyexpat.pyd
  • C:\Users\Admin\AppData\Local\Temp\_MEI14682\python36.dll
  • C:\Users\Admin\AppData\Local\Temp\_MEI14682\select.pyd
  • C:\Users\Admin\AppData\Local\Temp\_MEI14682\tcl86t.dll
  • C:\Users\Admin\AppData\Local\Temp\_MEI14682\tcl\encoding\cp1252.enc
  • C:\Users\Admin\AppData\Local\Temp\_MEI14682\tk86t.dll
  • C:\Users\Admin\AppData\Local\Temp\server.bat