c941424c74419bbec2b2cc261d35f343a4c655d5d3586dcf89b0f229af64a5ff

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
28-09-2022 21:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LightcordstereoV2.exe
Size

16.4MB
MD5

beb2d01115e0ff0115fd9659aea3cc66
SHA1

f077cfdffefec9bbcb7f5ab950c98edba808fb09
SHA256

c941424c74419bbec2b2cc261d35f343a4c655d5d3586dcf89b0f229af64a5ff
SHA512

74375d74f54f9f11749f6ad5237aa1659376baba8a07e03424c217d67ef4c89c300ffc9d46f5b8e6a753e72ed99d37c1816caf1b0031296f47d19407cc55d5b0
SSDEEP

393216:uOtwR56tvaJyXtBqVPpAs26yZLiVxpbYLjZk:b081aJgtIUsEiNYR

Score

10^/10

discovery persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Programs\Python\Python310\NEWS.txt

Ransom Note

+++++++++++ Python News +++++++++++ What's New in Python 3.10.7 final? ================================== *Release date: 2022-09-05* Security -------- - gh-issue-95778: Converting between :class:`int` and :class:`str` in bases other than 2 (binary), 4, 8 (octal), 16 (hexadecimal), or 32 such as base 10 (decimal) now raises a :exc:`ValueError` if the number of digits in string form is above a limit to avoid potential denial of service attacks due to the algorithmic complexity. This is a mitigation for `CVE-2020-10735 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10735>`_. This new limit can be configured or disabled by environment variable, command line flag, or :mod:`sys` APIs. See the :ref:`integer string conversion length limitation <int_max_str_digits>` documentation. The default limit is 4300 digits in string form. Patch by Gregory P. Smith [Google] and Christian Heimes [Red Hat] with feedback from Victor Stinner, Thomas Wouters, Steve Dower, Ned Deily, and Mark Dickinson. Core and Builtins ----------------- - gh-issue-96187: Fixed a bug that caused ``_PyCode_GetExtra`` to return garbage for negative indexes. Patch by Pablo Galindo - gh-issue-95876: Fix format string in ``_PyPegen_raise_error_known_location`` that can lead to memory corruption on some 64bit systems. The function was building a tuple with ``i`` (int) instead of ``n`` (Py_ssize_t) for Py_ssize_t arguments. - gh-issue-95605: Fix misleading contents of error message when converting an all-whitespace string to :class:`float`. - gh-issue-93592: ``coroutine.throw()`` now properly initializes the ``frame.f_back`` when resuming a stack of coroutines. This allows e.g. ``traceback.print_stack()`` to work correctly when an exception (such as ``CancelledError``) is thrown into a coroutine. - gh-issue-94996: :func:`ast.parse` will no longer parse function definitions with positional-only params when passed ``feature_version`` less than ``(3, 8)``. Patch by Shantanu Jain. Library ------- - gh-issue-68163: Correct conversion of :class:`numbers.Rational`'s to :class:`float`. - gh-issue-96159: Fix a performance regression in logging TimedRotatingFileHandler. Only check for special files when the rollover time has passed. - gh-issue-96175: Fix unused ``localName`` parameter in the ``Attr`` class in :mod:`xml.dom.minidom`. - gh-issue-95609: Update bundled pip to 22.2.2. - gh-issue-95231: Fail gracefully if :data:`~errno.EPERM` or :data:`~errno.ENOSYS` is raised when loading :mod:`crypt` methods. This may happen when trying to load ``MD5`` on a Linux kernel with :abbr:`FIPS (Federal Information Processing Standard)` enabled. Documentation ------------- - gh-issue-96098: Improve discoverability of the higher level concurrent.futures module by providing clearer links from the lower level threading and multiprocessing modules. - gh-issue-95789: Update the default RFC base URL from deprecated tools.ietf.org to datatracker.ietf.org - gh-issue-91207: Fix stylesheet not working in Windows CHM htmlhelp docs. Contributed by C.A.M. Gerlach. - bpo-47115: The documentation now lists which members of C structs are part of the :ref:`Limited API/Stable ABI <stable>`. Tests ----- - gh-issue-95243: Mitigate the inherent race condition from using find_unused_port() in testSockName() by trying to find an unused port a few times before failing. Patch by Ross Burton. Build ----- - gh-issue-94682: Build and test with OpenSSL 1.1.1q IDLE ---- - gh-issue-65802: Document handling of extensions in Save As dialogs. - gh-issue-95191: Include prompts when saving Shell (interactive input and output). What's New in Python 3.10.6 final? ================================== *Release date: 2022-08-01* Security -------- - gh-issue-87389: :mod:`http.server`: Fix an open redirection vulnerability in the HTTP server when an URI path starts with ``//``. Vulnerability discovered, and initial fix proposed, by Hamza Avvan. - gh-issue-92888: Fix ``memoryview`` use after free when accessing the backing buffer in certain cases. Core and Builtins ----------------- - gh-issue-95355: ``_PyPegen_Parser_New`` now properly detects token memory allocation errors. Patch by Honglin Zhu. - gh-issue-94938: Fix error detection in some builtin functions when keyword argument name is an instance of a str subclass with overloaded ``__eq__`` and ``__hash__``. Previously it could cause SystemError or other undesired behavior. - gh-issue-94949: :func:`ast.parse` will no longer parse parenthesized context managers when passed ``feature_version`` less than ``(3, 9)``. Patch by Shantanu Jain. - gh-issue-94947: :func:`ast.parse` will no longer parse assignment expressions when passed ``feature_version`` less than ``(3, 8)``. Patch by Shantanu Jain. - gh-issue-94869: Fix the column offsets for some expressions in multi-line f-strings :mod:`ast` nodes. Patch by Pablo Galindo. - gh-issue-91153: Fix an issue where a :class:`bytearray` item assignment could crash if it's resized by the new value's :meth:`__index__` method. - gh-issue-94329: Compile and run code with unpacking of extremely large sequences (1000s of elements). Such code failed to compile. It now compiles and runs correctly. - gh-issue-94360: Fixed a tokenizer crash when reading encoded files with syntax errors from ``stdin`` with non utf-8 encoded text. Patch by Pablo Galindo - gh-issue-94192: Fix error for dictionary literals with invalid expression as value. - gh-issue-93964: Strengthened compiler overflow checks to prevent crashes when compiling very large source files. - gh-issue-93671: Fix some exponential backtrace case happening with deeply nested sequence patterns in match statements. Patch by Pablo Galindo - gh-issue-93021: Fix the :attr:`__text_signature__` for :meth:`__get__` methods implemented in C. Patch by Jelle Zijlstra. - gh-issue-92930: Fixed a crash in ``_pickle.c`` from mutating collections during ``__reduce__`` or ``persistent_id``. - gh-issue-92914: Always round the allocated size for lists up to the nearest even number. - gh-issue-92858: Improve error message for some suites with syntax error before ':' Library ------- - gh-issue-95339: Update bundled pip to 22.2.1. - gh-issue-95045: Fix GC crash when deallocating ``_lsprof.Profiler`` by untracking it before calling any callbacks. Patch by Kumar Aditya. - gh-issue-95087: Fix IndexError in parsing invalid date in the :mod:`email` module. - gh-issue-95199: Upgrade bundled setuptools to 63.2.0. - gh-issue-95194: Upgrade bundled pip to 22.2. - gh-issue-93899: Fix check for existence of :data:`os.EFD_CLOEXEC`, :data:`os.EFD_NONBLOCK` and :data:`os.EFD_SEMAPHORE` flags on older kernel versions where these flags are not present. Patch by Kumar Aditya. - gh-issue-95166: Fix :meth:`concurrent.futures.Executor.map` to cancel the currently waiting on future on an error - e.g. TimeoutError or KeyboardInterrupt. - gh-issue-93157: Fix :mod:`fileinput` module didn't support ``errors`` option when ``inplace`` is true. - gh-issue-94821: Fix binding of unix socket to empty address on Linux to use an available address from the abstract namespace, instead of "\0". - gh-issue-94736: Fix crash when deallocating an instance of a subclass of ``_multiprocessing.SemLock``. Patch by Kumar Aditya. - gh-issue-94637: :meth:`SSLContext.set_default_verify_paths` now releases the GIL around ``SSL_CTX_set_default_verify_paths`` call. The function call performs I/O and CPU intensive work. - gh-issue-94510: Re-entrant calls to :func:`sys.setprofile` and :func:`sys.settrace` now raise :exc:`RuntimeError`. Patch by Pablo Galindo. - gh-issue-92336: Fix bug where :meth:`linecache.getline` fails on bad files with :exc:`UnicodeDecodeError` or :exc:`SyntaxError`. It now returns an empty string as per the documentation. - gh-issue-89988: Fix memory leak in :class:`pickle.Pickler` when looking up :attr:`dispatch_table`. Patch by Kumar Aditya. - gh-issue-94254: Fixed types of :mod:`struct` module to be immutable. Patch by Kumar Aditya. - gh-issue-94245: Fix pickling and copying of ``typing.Tuple[()]``. - gh-issue-94207: Made :class:`_struct.Struct` GC-tracked in order to fix a reference leak in the :mod:`_struct` module. - gh-issue-94101: Manual instantiation of :class:`ssl.SSLSession` objects is no longer allowed as it lead to misconfigured instances that crashed the interpreter when attributes where accessed on them. - gh-issue-84753: :func:`inspect.iscoroutinefunction`, :func:`inspect.isgeneratorfunction`, and :func:`inspect.isasyncgenfunction` now properly return ``True`` for duck-typed function-like objects like instances of :class:`unittest.mock.AsyncMock`. This makes :func:`inspect.iscoroutinefunction` consistent with the behavior of :func:`asyncio.iscoroutinefunction`. Patch by Mehdi ABAAKOUK. - gh-issue-83499: Fix double closing of file description in :mod:`tempfile`. - gh-issue-79512: Fixed names and ``__module__`` value of :mod:`weakref` classes :class:`~weakref.ReferenceType`, :class:`~weakref.ProxyType`, :class:`~weakref.CallableProxyType`. It makes them pickleable. - gh-issue-90494: :func:`copy.copy` and :func:`copy.deepcopy` now always raise a TypeError if ``__reduce__()`` returns a tuple with length 6 instead of silently ignore the 6th item or produce incorrect result. - gh-issue-90549: Fix a multiprocessing bug where a global named resource (such as a semaphore) could leak when a child process is spawned (as opposed to forked). - gh-issue-79579: :mod:`sqlite3` now correctly detects DML queries with leading comments. Patch by Erlend E. Aasland. - gh-issue-93421: Update :data:`sqlite3.Cursor.rowcount` when a DML statement has run to completion. This fixes the row count for SQL queries like ``UPDATE ... RETURNING``. Patch by Erlend E. Aasland. - gh-issue-91810: Suppress writing an XML declaration in open files in ``ElementTree.write()`` with ``encoding='unicode'`` and ``xml_declaration=None``. - gh-issue-93353: Fix the :func:`importlib.resources.as_file` context manager to remove the temporary file if destroyed late during Python finalization: keep a local reference to the :func:`os.remove` function. Patch by Victor Stinner. - gh-issue-83658: Make :class:`multiprocessing.Pool` raise an exception if ``maxtasksperchild`` is not ``None`` or a positive int. - gh-issue-74696: :func:`shutil.make_archive` no longer temporarily changes the current working directory during creation of standard ``.zip`` or tar archives. - gh-issue-91577: Move imports in :class:`~multiprocessing.SharedMemory` methods to module level so that they can be executed late in python finalization. - bpo-47231: Fixed an issue with inconsistent trailing slashes in tarfile longname directories. - bpo-46755: In :class:`QueueHandler`, clear ``stack_info`` from :class:`LogRecord` to prevent stack trace from being written twice. - bpo-46053: Fix OSS audio support on NetBSD. - bpo-46197: Fix :mod:`ensurepip` environment isolation for subprocess running ``pip``. - bpo-45924: Fix :mod:`asyncio` incorrect traceback when future's exception is raised multiple times. Patch by Kumar Aditya. - bpo-34828: :meth:`sqlite3.Connection.iterdump` now handles databases that use ``AUTOINCREMENT`` in one or more tables. Documentation ------------- - gh-issue-94321: Document the :pep:`246` style protocol type :class:`sqlite3.PrepareProtocol`. - gh-issue-86128: Document a limitation in ThreadPoolExecutor where its exit handler is executed before any handlers in atexit. - gh-issue-61162: Clarify :mod:`sqlite3` behavior when :ref:`sqlite3-connection-context-manager`. - gh-issue-87260: Align :mod:`sqlite3` argument specs with the actual implementation. - gh-issue-86986: The minimum Sphinx version required to build the documentation is now 3.2. - gh-issue-88831: Augmented documentation of asyncio.create_task(). Clarified the need to keep strong references to tasks and added a code snippet detailing how to do this. - bpo-47161: Document that :class:`pathlib.PurePath` does not collapse initial double slashes because they denote UNC paths. Tests ----- - gh-issue-95280: Fix problem with ``test_ssl`` ``test_get_ciphers`` on systems that require perfect forward secrecy (PFS) ciphers. - gh-issue-95212: Make multiprocessing test case ``test_shared_memory_recreate`` parallel-safe. - gh-issue-91330: Added more tests for :mod:`dataclasses` to cover behavior with data descriptor-based fields. - gh-issue-94208: ``test_ssl`` is now checking for supported TLS version and protocols in more tests. - gh-issue-93951: In test_bdb.StateTestCase.test_skip, avoid including auxiliary importers. - gh-issue-93957: Provide nicer error reporting from subprocesses in test_venv.EnsurePipTest.test_with_pip. - gh-issue-57539: Increase calendar test coverage for :meth:`calendar.LocaleTextCalendar.formatweekday`. - gh-issue-92886: Fixing tests that fail when running with optimizations (``-O``) in ``test_zipimport.py`` - bpo-47016: Create a GitHub Actions workflow for verifying bundled pip and setuptools. Patch by Illia Volochii and Adam Turner. Build ----- - gh-issue-94841: Fix the possible performance regression of :c:func:`PyObject_Free` compiled with MSVC version 1932. - bpo-45816: Python now supports building with Visual Studio 2022 (MSVC v143, VS Version 17.0). Patch by Jeremiah Vivian. Windows ------- - gh-issue-90844: Allow virtual environments to correctly launch when they have spaces in the path. - gh-issue-92841: :mod:`asyncio` no longer throws ``RuntimeError: Event loop is closed`` on interpreter exit after asynchronous socket activity. Patch by Oleg Iarygin. - bpo-42658: Support native Windows case-insensitive path comparisons by using ``LCMapStringEx`` instead of :func:`str.lower` in :func:`ntpath.normcase`. Add ``LCMapStringEx`` to the :mod:`_winapi` module. IDLE ---- - gh-issue-95511: Fix the Shell context menu copy-with-prompts bug of copying an extra line when one selects whole lines. - gh-issue-95471: In the Edit menu, move ``Select All`` and add a new separator. - gh-issue-95411: Enable using IDLE's module browser with .pyw files. - gh-issue-89610: Add .pyi as a recognized extension for IDLE on macOS. This allows opening stub files by double clicking on them in the Finder. Tools/Demos ----------- - gh-issue-94538: Fix Argument Clinic output to custom file destinations. Patch by Erlend E. Aasland. - gh-issue-94430: Allow parameters named ``module`` and ``self`` with custom C names in Argument Clinic. Patch by Erlend E. Aasland C API ----- - gh-issue-94930: Fix ``SystemError`` raised when :c:func:`PyArg_ParseTupleAndKeywords` is used with ``#`` in ``(...)`` but without ``PY_SSIZE_T_CLEAN`` defined. - gh-issue-94864: Fix ``PyArg_Parse*`` with deprecated format units "u" and "Z". It returned 1 (success) when warnings are turned into exceptions. What's New in Python 3.10.5 final? ================================== *Release date: 2022-06-06* Core and Builtins ----------------- - gh-issue-93418: Fixed an assert where an f-string has an equal sign '=' following an expression, but there's no trailing brace. For example, f"{i=". - gh-issue-91924: Fix ``__ltrace__`` debug feature if the stdout encoding is not UTF-8. Patch by Victor Stinner. - gh-issue-93061: Backward jumps after ``async for`` loops are no longer given dubious line numbers. - gh-issue-93065: Fix contextvars HAMT implementation to handle iteration over deep trees. The bug was discovered and fixed by Eli Libman. See `MagicStack/immutables#84 <https://github.com/MagicStack/immutables/issues/84>`_ for more details. - gh-issue-92311: F

Emails

<tim.peters@gmail.com>

a@b@c.com

URLs

https://invisible-island.net/ncurses/NEWS.html#index-t20170401

https://bugs.python.org/issue26903

https://mail.python.org/archives/list/python-dev@python.org/thread/CLVXXPQ2T2LQ5MP2Y53VVQFCXYWQJHKZ/

https://www.openssl.org/docs/man1.1.1/man7/proxy-certificates.html

https://bugzilla.redhat.com/show_bug.cgi?id=1866884

http

http.client.putrequest

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=242274

http.server

http.client

https://www.w3.org/TR/xml/#sec-prolog-dtd

https://fishshell.com/docs/current/commands.html#source

httplib

http.client.InvalidURL

http://www.example.com

http.HTTPStatus(200

https://www.openssl.org/docs/man1.1.0/ssl/SSL_CTX_set_min_proto_version.html

https://docs.python.org/3/

https://python.visualstudio.com/cpython

https://sourceforge.net/p/expat/bugs/537/

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

msiexec.exe

flow pid process

140 4352 msiexec.exe
Downloads MZ/PE file
Executes dropped EXE 5 IoCs

Processes:

python-3.10.7-amd64.exepython-3.10.7-amd64.exepython-3.10.7-amd64.exepython.exepython.exe

pid process

1432 python-3.10.7-amd64.exe
4860 python-3.10.7-amd64.exe
1460 python-3.10.7-amd64.exe
1516 python.exe
2548 python.exe

flow	pid	process
140	4352	msiexec.exe

pid	process
1432	python-3.10.7-amd64.exe
4860	python-3.10.7-amd64.exe
1460	python-3.10.7-amd64.exe
1516	python.exe
2548	python.exe

Registers COM server for autorun 1 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

msiexec.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{BEA218D2-6950-497B-9434-61683EC065FE}\InprocServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BEA218D2-6950-497B-9434-61683EC065FE}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BEA218D2-6950-497B-9434-61683EC065FE}\InprocServer32\ = "C:\\Windows\\pyshellext.amd64.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BEA218D2-6950-497B-9434-61683EC065FE}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

python-3.10.7-amd64.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	python-3.10.7-amd64.exe

Loads dropped DLL 64 IoCs

Processes:

LightcordstereoV2.exepython-3.10.7-amd64.exeMsiExec.exepython.exepython.exe

pid	process
4704	LightcordstereoV2.exe
4704	LightcordstereoV2.exe
4704	LightcordstereoV2.exe
4704	LightcordstereoV2.exe
4704	LightcordstereoV2.exe
4704	LightcordstereoV2.exe
4704	LightcordstereoV2.exe
4704	LightcordstereoV2.exe
4704	LightcordstereoV2.exe
4704	LightcordstereoV2.exe
4704	LightcordstereoV2.exe
4704	LightcordstereoV2.exe
4704	LightcordstereoV2.exe
4704	LightcordstereoV2.exe
4704	LightcordstereoV2.exe
4704	LightcordstereoV2.exe
4704	LightcordstereoV2.exe
4704	LightcordstereoV2.exe
4704	LightcordstereoV2.exe
4704	LightcordstereoV2.exe
4704	LightcordstereoV2.exe
4704	LightcordstereoV2.exe
4704	LightcordstereoV2.exe
4704	LightcordstereoV2.exe
4704	LightcordstereoV2.exe
4704	LightcordstereoV2.exe
4704	LightcordstereoV2.exe
4704	LightcordstereoV2.exe
4704	LightcordstereoV2.exe
4704	LightcordstereoV2.exe
4704	LightcordstereoV2.exe
4704	LightcordstereoV2.exe
4704	LightcordstereoV2.exe
4704	LightcordstereoV2.exe
4704	LightcordstereoV2.exe
4704	LightcordstereoV2.exe
4704	LightcordstereoV2.exe
4704	LightcordstereoV2.exe
4704	LightcordstereoV2.exe
4704	LightcordstereoV2.exe
4704	LightcordstereoV2.exe
4704	LightcordstereoV2.exe
4704	LightcordstereoV2.exe
4704	LightcordstereoV2.exe
4704	LightcordstereoV2.exe
4704	LightcordstereoV2.exe
4860	python-3.10.7-amd64.exe
940	MsiExec.exe
1516	python.exe
1516	python.exe
1516	python.exe
1516	python.exe
1516	python.exe
1516	python.exe
2548	python.exe
2548	python.exe
2548	python.exe
2548	python.exe
2548	python.exe
2548	python.exe
2548	python.exe
2548	python.exe
2548	python.exe
2548	python.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

python-3.10.7-amd64.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	python-3.10.7-amd64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\{c62ef944-a7c9-4646-9fc7-d9e658defc1f} = "\"C:\\Users\\Admin\\AppData\\Local\\Package Cache\\{c62ef944-a7c9-4646-9fc7-d9e658defc1f}\\python-3.10.7-amd64.exe\" /burn.runonce"	python-3.10.7-amd64.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Drops file in Windows directory 59 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\SourceHash{08D7A4E8-F704-409B-A676-457432DA3248}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF87C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e57dae3.msi	msiexec.exe
File created	C:\Windows\Installer\e57dae6.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\py.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8D80.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{CE8E4C24-9C7B-447B-B974-CD8236BE09B9}	msiexec.exe
File created	C:\Windows\Installer\e57dade.msi	msiexec.exe
File created	C:\Windows\Installer\e57dadb.msi	msiexec.exe
File created	C:\Windows\Installer\e57daeb.msi	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4065.tmp	msiexec.exe
File created	C:\Windows\Installer\e57dad2.msi	msiexec.exe
File created	C:\Windows\Installer\e57dadf.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57daeb.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{30C9588C-5E1D-479E-988A-DA38CADFA384}	msiexec.exe
File created	C:\Windows\Installer\e57dad6.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{96BFBDD2-78C9-42B5-9893-FABA2BB527C4}	msiexec.exe
File created	C:\Windows\Installer\{96BFBDD2-78C9-42B5-9893-FABA2BB527C4}\ARPIcon	msiexec.exe
File opened for modification	C:\Windows\Installer\e57dacf.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDE89.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{C9D65557-5B19-4B9B-860E-4E5477F9B10A}	msiexec.exe
File created	C:\Windows\Installer\e57dae3.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3BE0.tmp	msiexec.exe
File created	C:\Windows\pyw.exe	msiexec.exe
File created	C:\Windows\Installer\e57dad3.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{51EC70CA-6E66-499A-B7F7-94912F3EA381}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1DB8.tmp	msiexec.exe
File created	C:\Windows\Installer\e57daef.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57daef.msi	msiexec.exe
File created	C:\Windows\Installer\e57dacf.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{099B73AD-9E34-4ADF-B982-7E3A75610CA6}	msiexec.exe
File created	C:\Windows\Installer\e57daea.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\{96BFBDD2-78C9-42B5-9893-FABA2BB527C4}\ARPIcon	msiexec.exe
File created	C:\Windows\Installer\e57daee.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8CD3.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e57dad3.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57dad7.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEC65.tmp	msiexec.exe
File created	C:\Windows\Installer\e57dae7.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{E1A1200C-5CC4-404B-BF93-E33C463963CD}	msiexec.exe
File created	C:\Windows\Installer\SourceHash{7BB23EC2-FD76-4BDB-813C-3EEFBB7FD3D9}	msiexec.exe
File created	C:\Windows\Installer\SourceHash{D4C83865-A602-4834-8390-B094CAF22F71}	msiexec.exe
File created	C:\Windows\Installer\e57dada.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4A1B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e57dadf.msi	msiexec.exe
File created	C:\Windows\Installer\e57dae2.msi	msiexec.exe
File created	C:\Windows\pyshellext.amd64.dll	msiexec.exe
File created	C:\Windows\Installer\e57daf3.msi	msiexec.exe
File created	C:\Windows\Installer\e57daf6.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE3D9.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI87E0.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e57daf3.msi	msiexec.exe
File created	C:\Windows\Installer\e57dad7.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57dadb.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57dae7.msi	msiexec.exe
File created	C:\Windows\Installer\e57daf2.msi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000dcccb42f1bc641320000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000dcccb42f0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff000000000700010000680900dcccb42f000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000dcccb42f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000dcccb42f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 3 IoCs

Processes:

msiexec.exe

description	ioc	process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f	msiexec.exe

Modifies registry class 64 IoCs

Processes:

msiexec.exepython-3.10.7-amd64.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Python.File\Shell\editwithidle\MUIVerb = "&Edit with IDLE"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Python.CompiledFile\shell\open\command	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Python.NoConArchiveFile\shell\open\command	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BEA218D2-6950-497B-9434-61683EC065FE}\InprocServer32\ = "C:\\Windows\\pyshellext.amd64.dll"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2DDBFB699C875B248939AFABB25B724C\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Installer	python-3.10.7-amd64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Installer\Dependencies\{CE8E4C24-9C7B-447B-B974-CD8236BE09B9}\Version = "3.10.7150.0"	python-3.10.7-amd64.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Python.NoConFile\Shell	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.pyw	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.pyz\Content Type = "application/x-zip-compressed"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\2DDBFB699C875B248939AFABB25B724C\AssociateFiles	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2DDBFB699C875B248939AFABB25B724C\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BEA218D2-6950-497B-9434-61683EC065FE}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Installer\Dependencies\CPython-3.10\DisplayName = "Python 3.10.7 (64-bit)"	python-3.10.7-amd64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Installer\Dependencies\{51EC70CA-6E66-499A-B7F7-94912F3EA381}\DisplayName = "Python 3.10.7 Documentation (64-bit)"	python-3.10.7-amd64.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Installer\Dependencies\{7BB23EC2-FD76-4BDB-813C-3EEFBB7FD3D9}	python-3.10.7-amd64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Python.File\Shell\editwithidle\shell\edit310\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Programs\\Python\\Python310\\pythonw.exe\" -m idlelib \"%L\" %*"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Python.NoConFile\Shell\editwithidle\shell\edit310\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Programs\\Python\\Python310\\pythonw.exe\" -m idlelib \"%L\" %*"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Python.CompiledFile\shell	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Python.NoConArchiveFile\shellex\DropHandler	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2DDBFB699C875B248939AFABB25B724C\Language = "1033"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2DDBFB699C875B248939AFABB25B724C\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.pyz\ = "Python.ArchiveFile"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Python.ArchiveFile\ = "Python Zip Application File"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Python.NoConArchiveFile\shell\open\command\ = "\"C:\\Windows\\pyw.exe\" \"%L\" %*"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.pyzw	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2DDBFB699C875B248939AFABB25B724C\Assignment = "1"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Installer\Dependencies\{D4C83865-A602-4834-8390-B094CAF22F71}	python-3.10.7-amd64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Python.File	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Python.NoConFile\shell\open\command	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Installer\Dependencies\{08D7A4E8-F704-409B-A676-457432DA3248}\ = "{08D7A4E8-F704-409B-A676-457432DA3248}"	python-3.10.7-amd64.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Python.File\Shell	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Installer\Dependencies\{7BB23EC2-FD76-4BDB-813C-3EEFBB7FD3D9}\Dependents	python-3.10.7-amd64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Python.ArchiveFile\shellex\DropHandler	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2DDBFB699C875B248939AFABB25B724C\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Installer\Dependencies\CPython-3.10\ = "{c62ef944-a7c9-4646-9fc7-d9e658defc1f}"	python-3.10.7-amd64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Installer\Dependencies\{D4C83865-A602-4834-8390-B094CAF22F71}\ = "{D4C83865-A602-4834-8390-B094CAF22F71}"	python-3.10.7-amd64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Python.File\ = "Python File"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Python.NoConFile\DefaultIcon\ = "\"C:\\Windows\\py.exe\",1"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.pyc	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Python.CompiledFile\shellex\DropHandler	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2DDBFB699C875B248939AFABB25B724C\AdvertiseFlags = "388"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Installer\Dependencies\{CE8E4C24-9C7B-447B-B974-CD8236BE09B9}	python-3.10.7-amd64.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Python.File	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Python.CompiledFile\shellex\DropHandler\ = "{BEA218D2-6950-497B-9434-61683EC065FE}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Python.ArchiveFile\shellex\DropHandler\ = "{BEA218D2-6950-497B-9434-61683EC065FE}"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Installer\Dependencies\{099B73AD-9E34-4ADF-B982-7E3A75610CA6}\Version = "3.10.7150.0"	python-3.10.7-amd64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Python.NoConFile\Shell\editwithidle\MUIVerb = "&Edit with IDLE"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Installer\Dependencies\{7BB23EC2-FD76-4BDB-813C-3EEFBB7FD3D9}\Dependents\{c62ef944-a7c9-4646-9fc7-d9e658defc1f}	python-3.10.7-amd64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.pyzw\Content Type = "application/x-zip-compressed"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2DDBFB699C875B248939AFABB25B724C\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{96BFBDD2-78C9-42B5-9893-FABA2BB527C4}v3.10.7917.0\\"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Python.File\Shell\editwithidle	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Python.File\shell\open\command	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.pyw\Content Type = "text/x-python"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Python.ArchiveFile\shell	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Python.NoConArchiveFile\ = "Python Zip Application File (no console)"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Python.NoConArchiveFile\shellex\DropHandler\ = "{BEA218D2-6950-497B-9434-61683EC065FE}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2DDBFB699C875B248939AFABB25B724C\ProductIcon = "C:\\Windows\\Installer\\{96BFBDD2-78C9-42B5-9893-FABA2BB527C4}\\ARPIcon"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Installer\Dependencies\CPython-3.10	python-3.10.7-amd64.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Python.NoConFile\Shell\editwithidle	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Python.File\shell	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.pyo\ = "Python.CompiledFile"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2DDBFB699C875B248939AFABB25B724C\PackageCode = "74C813BDAFBC2F6429CF80A92F78C2C7"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2DDBFB699C875B248939AFABB25B724C\SourceList	msiexec.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs

Processes:

LightcordstereoV2.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exemsiexec.exechrome.exe

pid	process
4704	LightcordstereoV2.exe
4704	LightcordstereoV2.exe
4704	LightcordstereoV2.exe
4704	LightcordstereoV2.exe
4512	chrome.exe
4512	chrome.exe
4680	chrome.exe
4680	chrome.exe
5008	chrome.exe
5008	chrome.exe
3492	chrome.exe
3492	chrome.exe
3260	chrome.exe
3260	chrome.exe
4044	chrome.exe
4044	chrome.exe
3180	chrome.exe
3180	chrome.exe
2684	chrome.exe
2684	chrome.exe
4352	msiexec.exe
4352	msiexec.exe
4352	msiexec.exe
4352	msiexec.exe
4352	msiexec.exe
4352	msiexec.exe
4352	msiexec.exe
4352	msiexec.exe
4352	msiexec.exe
4352	msiexec.exe
4352	msiexec.exe
4352	msiexec.exe
4352	msiexec.exe
4352	msiexec.exe
4352	msiexec.exe
4352	msiexec.exe
4352	msiexec.exe
4352	msiexec.exe
4352	msiexec.exe
4352	msiexec.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

chrome.exe

pid process

4680 chrome.exe
4680 chrome.exe
4680 chrome.exe
4680 chrome.exe
4680 chrome.exe
4680 chrome.exe
4680 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

LightcordstereoV2.exevssvc.exepython-3.10.7-amd64.exemsiexec.exe

description	pid	process
Token: SeDebugPrivilege	4704	LightcordstereoV2.exe
Token: SeBackupPrivilege	1028	vssvc.exe
Token: SeRestorePrivilege	1028	vssvc.exe
Token: SeAuditPrivilege	1028	vssvc.exe
Token: SeShutdownPrivilege	4860	python-3.10.7-amd64.exe
Token: SeIncreaseQuotaPrivilege	4860	python-3.10.7-amd64.exe
Token: SeSecurityPrivilege	4352	msiexec.exe
Token: SeCreateTokenPrivilege	4860	python-3.10.7-amd64.exe
Token: SeAssignPrimaryTokenPrivilege	4860	python-3.10.7-amd64.exe
Token: SeLockMemoryPrivilege	4860	python-3.10.7-amd64.exe
Token: SeIncreaseQuotaPrivilege	4860	python-3.10.7-amd64.exe
Token: SeMachineAccountPrivilege	4860	python-3.10.7-amd64.exe
Token: SeTcbPrivilege	4860	python-3.10.7-amd64.exe
Token: SeSecurityPrivilege	4860	python-3.10.7-amd64.exe
Token: SeTakeOwnershipPrivilege	4860	python-3.10.7-amd64.exe
Token: SeLoadDriverPrivilege	4860	python-3.10.7-amd64.exe
Token: SeSystemProfilePrivilege	4860	python-3.10.7-amd64.exe
Token: SeSystemtimePrivilege	4860	python-3.10.7-amd64.exe
Token: SeProfSingleProcessPrivilege	4860	python-3.10.7-amd64.exe
Token: SeIncBasePriorityPrivilege	4860	python-3.10.7-amd64.exe
Token: SeCreatePagefilePrivilege	4860	python-3.10.7-amd64.exe
Token: SeCreatePermanentPrivilege	4860	python-3.10.7-amd64.exe
Token: SeBackupPrivilege	4860	python-3.10.7-amd64.exe
Token: SeRestorePrivilege	4860	python-3.10.7-amd64.exe
Token: SeShutdownPrivilege	4860	python-3.10.7-amd64.exe
Token: SeDebugPrivilege	4860	python-3.10.7-amd64.exe
Token: SeAuditPrivilege	4860	python-3.10.7-amd64.exe
Token: SeSystemEnvironmentPrivilege	4860	python-3.10.7-amd64.exe
Token: SeChangeNotifyPrivilege	4860	python-3.10.7-amd64.exe
Token: SeRemoteShutdownPrivilege	4860	python-3.10.7-amd64.exe
Token: SeUndockPrivilege	4860	python-3.10.7-amd64.exe
Token: SeSyncAgentPrivilege	4860	python-3.10.7-amd64.exe
Token: SeEnableDelegationPrivilege	4860	python-3.10.7-amd64.exe
Token: SeManageVolumePrivilege	4860	python-3.10.7-amd64.exe
Token: SeImpersonatePrivilege	4860	python-3.10.7-amd64.exe
Token: SeCreateGlobalPrivilege	4860	python-3.10.7-amd64.exe
Token: SeRestorePrivilege	4352	msiexec.exe
Token: SeTakeOwnershipPrivilege	4352	msiexec.exe
Token: SeRestorePrivilege	4352	msiexec.exe
Token: SeTakeOwnershipPrivilege	4352	msiexec.exe
Token: SeRestorePrivilege	4352	msiexec.exe
Token: SeTakeOwnershipPrivilege	4352	msiexec.exe
Token: SeRestorePrivilege	4352	msiexec.exe
Token: SeTakeOwnershipPrivilege	4352	msiexec.exe
Token: SeRestorePrivilege	4352	msiexec.exe
Token: SeTakeOwnershipPrivilege	4352	msiexec.exe
Token: SeRestorePrivilege	4352	msiexec.exe
Token: SeTakeOwnershipPrivilege	4352	msiexec.exe
Token: SeRestorePrivilege	4352	msiexec.exe
Token: SeTakeOwnershipPrivilege	4352	msiexec.exe
Token: SeRestorePrivilege	4352	msiexec.exe
Token: SeTakeOwnershipPrivilege	4352	msiexec.exe
Token: SeRestorePrivilege	4352	msiexec.exe
Token: SeTakeOwnershipPrivilege	4352	msiexec.exe
Token: SeRestorePrivilege	4352	msiexec.exe
Token: SeTakeOwnershipPrivilege	4352	msiexec.exe
Token: SeRestorePrivilege	4352	msiexec.exe
Token: SeTakeOwnershipPrivilege	4352	msiexec.exe
Token: SeRestorePrivilege	4352	msiexec.exe
Token: SeTakeOwnershipPrivilege	4352	msiexec.exe
Token: SeRestorePrivilege	4352	msiexec.exe
Token: SeTakeOwnershipPrivilege	4352	msiexec.exe
Token: SeRestorePrivilege	4352	msiexec.exe
Token: SeTakeOwnershipPrivilege	4352	msiexec.exe

Suspicious use of FindShellTrayWindow 39 IoCs

Processes:

chrome.exepython-3.10.7-amd64.exe

pid	process
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4860	python-3.10.7-amd64.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

LightcordstereoV2.exechrome.exe

description	pid	process	target process
PID 4992 wrote to memory of 4704	4992	LightcordstereoV2.exe	LightcordstereoV2.exe
PID 4992 wrote to memory of 4704	4992	LightcordstereoV2.exe	LightcordstereoV2.exe
PID 4992 wrote to memory of 4704	4992	LightcordstereoV2.exe	LightcordstereoV2.exe
PID 4680 wrote to memory of 3548	4680	chrome.exe	chrome.exe
PID 4680 wrote to memory of 3548	4680	chrome.exe	chrome.exe
PID 4680 wrote to memory of 4420	4680	chrome.exe	chrome.exe
PID 4680 wrote to memory of 4420	4680	chrome.exe	chrome.exe
PID 4680 wrote to memory of 4420	4680	chrome.exe	chrome.exe
PID 4680 wrote to memory of 4420	4680	chrome.exe	chrome.exe
PID 4680 wrote to memory of 4420	4680	chrome.exe	chrome.exe
PID 4680 wrote to memory of 4420	4680	chrome.exe	chrome.exe
PID 4680 wrote to memory of 4420	4680	chrome.exe	chrome.exe
PID 4680 wrote to memory of 4420	4680	chrome.exe	chrome.exe
PID 4680 wrote to memory of 4420	4680	chrome.exe	chrome.exe
PID 4680 wrote to memory of 4420	4680	chrome.exe	chrome.exe
PID 4680 wrote to memory of 4420	4680	chrome.exe	chrome.exe
PID 4680 wrote to memory of 4420	4680	chrome.exe	chrome.exe
PID 4680 wrote to memory of 4420	4680	chrome.exe	chrome.exe
PID 4680 wrote to memory of 4420	4680	chrome.exe	chrome.exe
PID 4680 wrote to memory of 4420	4680	chrome.exe	chrome.exe
PID 4680 wrote to memory of 4420	4680	chrome.exe	chrome.exe
PID 4680 wrote to memory of 4420	4680	chrome.exe	chrome.exe
PID 4680 wrote to memory of 4420	4680	chrome.exe	chrome.exe
PID 4680 wrote to memory of 4420	4680	chrome.exe	chrome.exe
PID 4680 wrote to memory of 4420	4680	chrome.exe	chrome.exe
PID 4680 wrote to memory of 4420	4680	chrome.exe	chrome.exe
PID 4680 wrote to memory of 4420	4680	chrome.exe	chrome.exe
PID 4680 wrote to memory of 4420	4680	chrome.exe	chrome.exe
PID 4680 wrote to memory of 4420	4680	chrome.exe	chrome.exe
PID 4680 wrote to memory of 4420	4680	chrome.exe	chrome.exe
PID 4680 wrote to memory of 4420	4680	chrome.exe	chrome.exe
PID 4680 wrote to memory of 4420	4680	chrome.exe	chrome.exe
PID 4680 wrote to memory of 4420	4680	chrome.exe	chrome.exe
PID 4680 wrote to memory of 4420	4680	chrome.exe	chrome.exe
PID 4680 wrote to memory of 4420	4680	chrome.exe	chrome.exe
PID 4680 wrote to memory of 4420	4680	chrome.exe	chrome.exe
PID 4680 wrote to memory of 4420	4680	chrome.exe	chrome.exe
PID 4680 wrote to memory of 4420	4680	chrome.exe	chrome.exe
PID 4680 wrote to memory of 4420	4680	chrome.exe	chrome.exe
PID 4680 wrote to memory of 4420	4680	chrome.exe	chrome.exe
PID 4680 wrote to memory of 4420	4680	chrome.exe	chrome.exe
PID 4680 wrote to memory of 4420	4680	chrome.exe	chrome.exe
PID 4680 wrote to memory of 4420	4680	chrome.exe	chrome.exe
PID 4680 wrote to memory of 4420	4680	chrome.exe	chrome.exe
PID 4680 wrote to memory of 4420	4680	chrome.exe	chrome.exe
PID 4680 wrote to memory of 4512	4680	chrome.exe	chrome.exe
PID 4680 wrote to memory of 4512	4680	chrome.exe	chrome.exe
PID 4680 wrote to memory of 5052	4680	chrome.exe	chrome.exe
PID 4680 wrote to memory of 5052	4680	chrome.exe	chrome.exe
PID 4680 wrote to memory of 5052	4680	chrome.exe	chrome.exe
PID 4680 wrote to memory of 5052	4680	chrome.exe	chrome.exe
PID 4680 wrote to memory of 5052	4680	chrome.exe	chrome.exe
PID 4680 wrote to memory of 5052	4680	chrome.exe	chrome.exe
PID 4680 wrote to memory of 5052	4680	chrome.exe	chrome.exe
PID 4680 wrote to memory of 5052	4680	chrome.exe	chrome.exe
PID 4680 wrote to memory of 5052	4680	chrome.exe	chrome.exe
PID 4680 wrote to memory of 5052	4680	chrome.exe	chrome.exe
PID 4680 wrote to memory of 5052	4680	chrome.exe	chrome.exe
PID 4680 wrote to memory of 5052	4680	chrome.exe	chrome.exe
PID 4680 wrote to memory of 5052	4680	chrome.exe	chrome.exe
PID 4680 wrote to memory of 5052	4680	chrome.exe	chrome.exe
PID 4680 wrote to memory of 5052	4680	chrome.exe	chrome.exe
PID 4680 wrote to memory of 5052	4680	chrome.exe	chrome.exe
PID 4680 wrote to memory of 5052	4680	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\LightcordstereoV2.exe
"C:\Users\Admin\AppData\Local\Temp\LightcordstereoV2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4992

C:\Users\Admin\AppData\Local\Temp\LightcordstereoV2.exe
"C:\Users\Admin\AppData\Local\Temp\LightcordstereoV2.exe"
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4704

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4680

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe98c14f50,0x7ffe98c14f60,0x7ffe98c14f70
2⤵
PID:3548

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1644,2090317976749225693,13147604116338584850,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1696 /prefetch:2
2⤵
PID:4420

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1644,2090317976749225693,13147604116338584850,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2032 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4512

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1644,2090317976749225693,13147604116338584850,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2308 /prefetch:8
2⤵
PID:5052

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,2090317976749225693,13147604116338584850,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2988 /prefetch:1
2⤵
PID:2776

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,2090317976749225693,13147604116338584850,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3168 /prefetch:1
2⤵
PID:1520

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,2090317976749225693,13147604116338584850,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3840 /prefetch:1
2⤵
PID:4748

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1644,2090317976749225693,13147604116338584850,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4488 /prefetch:8
2⤵
PID:4904

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1644,2090317976749225693,13147604116338584850,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4648 /prefetch:8
2⤵
PID:4116

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1644,2090317976749225693,13147604116338584850,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4780 /prefetch:8
2⤵
PID:4352

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1644,2090317976749225693,13147604116338584850,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4576 /prefetch:8
2⤵
PID:2332

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1644,2090317976749225693,13147604116338584850,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5148 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5008

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1644,2090317976749225693,13147604116338584850,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4964 /prefetch:8
2⤵
PID:2740

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1644,2090317976749225693,13147604116338584850,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5300 /prefetch:8
2⤵
PID:5100

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1644,2090317976749225693,13147604116338584850,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4980 /prefetch:8
2⤵
PID:724

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,2090317976749225693,13147604116338584850,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5228 /prefetch:1
2⤵
PID:1912

C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe" --reenable-autoupdates --system-level
2⤵
PID:3728

C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x228,0x22c,0x230,0x204,0x234,0x7ff623bba890,0x7ff623bba8a0,0x7ff623bba8b0
3⤵
PID:1092

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1644,2090317976749225693,13147604116338584850,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5684 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3492

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1644,2090317976749225693,13147604116338584850,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5720 /prefetch:8
2⤵
PID:3472

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1644,2090317976749225693,13147604116338584850,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5684 /prefetch:8
2⤵
PID:4920

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1644,2090317976749225693,13147604116338584850,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5736 /prefetch:8
2⤵
PID:2408

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1644,2090317976749225693,13147604116338584850,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3720 /prefetch:8
2⤵
PID:4504

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,2090317976749225693,13147604116338584850,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:1
2⤵
PID:4948

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,2090317976749225693,13147604116338584850,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:1
2⤵
PID:5100

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1644,2090317976749225693,13147604116338584850,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3124 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3260

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,2090317976749225693,13147604116338584850,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3620 /prefetch:1
2⤵
PID:1552

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1644,2090317976749225693,13147604116338584850,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3920 /prefetch:8
2⤵
PID:4780

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1644,2090317976749225693,13147604116338584850,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2500 /prefetch:8
2⤵
PID:3148

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1644,2090317976749225693,13147604116338584850,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6100 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4044

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1644,2090317976749225693,13147604116338584850,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6116 /prefetch:8
2⤵
PID:5044

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1644,2090317976749225693,13147604116338584850,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6048 /prefetch:8
2⤵
PID:2496

C:\Users\Admin\Downloads\python-3.10.7-amd64.exe
"C:\Users\Admin\Downloads\python-3.10.7-amd64.exe"
2⤵
- Executes dropped EXE
PID:1432

C:\Windows\Temp\{7C872234-647C-4FF3-A4FA-5525360A7268}\.cr\python-3.10.7-amd64.exe
"C:\Windows\Temp\{7C872234-647C-4FF3-A4FA-5525360A7268}\.cr\python-3.10.7-amd64.exe" -burn.clean.room="C:\Users\Admin\Downloads\python-3.10.7-amd64.exe" -burn.filehandle.attached=696 -burn.filehandle.self=704
3⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4860

C:\Windows\Temp\{B9C22300-AE03-4A3F-A51C-7D58F260FA01}\.be\python-3.10.7-amd64.exe
"C:\Windows\Temp\{B9C22300-AE03-4A3F-A51C-7D58F260FA01}\.be\python-3.10.7-amd64.exe" -q -burn.elevated BurnPipe.{82780466-E165-48A9-AD59-5202935D2795} {B3C0D300-6121-4D27-9CCD-18F30F45E297} 4860
4⤵
- Executes dropped EXE
PID:1460

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1644,2090317976749225693,13147604116338584850,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5524 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3180

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1644,2090317976749225693,13147604116338584850,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=808 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2684

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1644,2090317976749225693,13147604116338584850,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6056 /prefetch:8
2⤵
PID:2928

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1644,2090317976749225693,13147604116338584850,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4480 /prefetch:8
2⤵
PID:3180

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1644,2090317976749225693,13147604116338584850,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2976 /prefetch:8
2⤵
PID:2116

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1644,2090317976749225693,13147604116338584850,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5768 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3180

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1856

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:1028

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
1⤵
PID:2616

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Registers COM server for autorun
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4352

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding C2357C6BEF6BEE8F5922E2F9562173E6
2⤵
- Loads dropped DLL
PID:940

C:\Users\Admin\AppData\Local\Programs\Python\Python310\python.exe
"C:\Users\Admin\AppData\Local\Programs\Python\Python310\python.exe" -E -s -m ensurepip -U --default-pip
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1516

C:\Users\Admin\AppData\Local\Programs\Python\Python310\python.exe
C:\Users\Admin\AppData\Local\Programs\Python\Python310\python.exe -W ignore::DeprecationWarning -c " import runpy import sys sys.path = ['C:\\Users\\Admin\\AppData\\Local\\Temp\\tmptsoxqxxi\\setuptools-63.2.0-py3-none-any.whl', 'C:\\Users\\Admin\\AppData\\Local\\Temp\\tmptsoxqxxi\\pip-22.2.2-py3-none-any.whl'] + sys.path sys.argv[1:] = ['install', '--no-cache-dir', '--no-index', '--find-links', 'C:\\Users\\Admin\\AppData\\Local\\Temp\\tmptsoxqxxi', '--upgrade', 'setuptools', 'pip'] runpy.run_module(\"pip\", run_name=\"__main__\", alter_sys=True) "
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
5⤵
PID:4256

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x520 0x31c
1⤵
PID:2512

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3456

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI49922\Crypto\Cipher\_raw_cbc.pyd
Filesize
17KB

MD5
48ad84c24a5c163660054e2f560eacde

SHA1
dfd8f15de4f274c6b1e78697ea880ae2df5408e4

SHA256
6106e21a69e5fd53c1897192decf771d1b679a6588bc7e1a35e915b47d269f03

SHA512
237ad2fcd4b115ba385c19e1ba1523237a32c9e27435f4f3598bc7a5971d42ff45f867c29fe7555dee7ae584b397a350c07edd753e88555cb72c7b49062161f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49922\Crypto\Cipher\_raw_cbc.pyd
Filesize
17KB

MD5
48ad84c24a5c163660054e2f560eacde

SHA1
dfd8f15de4f274c6b1e78697ea880ae2df5408e4

SHA256
6106e21a69e5fd53c1897192decf771d1b679a6588bc7e1a35e915b47d269f03

SHA512
237ad2fcd4b115ba385c19e1ba1523237a32c9e27435f4f3598bc7a5971d42ff45f867c29fe7555dee7ae584b397a350c07edd753e88555cb72c7b49062161f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49922\Crypto\Cipher\_raw_cfb.pyd
Filesize
18KB

MD5
496dd306be58a199cd62d9037ce8f60a

SHA1
284eb3eaebcd50008984bad86c129b7c0937574c

SHA256
172c713c4837d88fca5bdfcbb9cbe1bb827ca537d2c17214d0fb6dda407ed04a

SHA512
a517e2414114ac47c952b1c05ed48c243a9dbbbb432a0c6130c5609b065b7f93ccdb2c3ae1c3d8df13c79f925401dbb559677e6c93066a7ab511f77acdb65eb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49922\Crypto\Cipher\_raw_cfb.pyd
Filesize
18KB

MD5
496dd306be58a199cd62d9037ce8f60a

SHA1
284eb3eaebcd50008984bad86c129b7c0937574c

SHA256
172c713c4837d88fca5bdfcbb9cbe1bb827ca537d2c17214d0fb6dda407ed04a

SHA512
a517e2414114ac47c952b1c05ed48c243a9dbbbb432a0c6130c5609b065b7f93ccdb2c3ae1c3d8df13c79f925401dbb559677e6c93066a7ab511f77acdb65eb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49922\Crypto\Cipher\_raw_ctr.pyd
Filesize
19KB

MD5
395f8173a0828691c137e03d4c0b751e

SHA1
5cce68db1034d2629c8d1c7f2f0593f1c003c2c1

SHA256
0ca8e51b9a5f677cf273f34691d5b81ef40da0f28c6367926cf7d07469b9ecfe

SHA512
039d89e840e841c9c2f7c49a70f8824fdd656d97c850ebdc39d9a9ed7c042e2ddef4940c6bc4ad8e7f87112c8ae6d3be90a85d1501853e7ccfe88e81244e8389

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49922\Crypto\Cipher\_raw_ecb.pyd
Filesize
15KB

MD5
2b487a27439563dbfcc765a459cf080c

SHA1
9d7fa283cf0e5444ae020581551fa2204512790b

SHA256
a90dc0677a75b60659a562aa3797a0639ebe91bebc5943b8c90fc69f8cf0f69a

SHA512
c1a7e2056d1e6113939fb2c78ff9b1d4ed613ccf3f883db7bdde8be5df35b4574e68649a5cbc1a7b60d5784c18c868705eeb8b2d5184fe71f3f73b6dcc2cdcbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49922\Crypto\Cipher\_raw_ecb.pyd
Filesize
15KB

MD5
2b487a27439563dbfcc765a459cf080c

SHA1
9d7fa283cf0e5444ae020581551fa2204512790b

SHA256
a90dc0677a75b60659a562aa3797a0639ebe91bebc5943b8c90fc69f8cf0f69a

SHA512
c1a7e2056d1e6113939fb2c78ff9b1d4ed613ccf3f883db7bdde8be5df35b4574e68649a5cbc1a7b60d5784c18c868705eeb8b2d5184fe71f3f73b6dcc2cdcbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49922\Crypto\Cipher\_raw_ofb.pyd
Filesize
17KB

MD5
010af2054fd3819461c27a2dda0bc40e

SHA1
0ff04a4687f93b9ef30b2887b865a7668d858386

SHA256
7117379fa8d00341231725b1b5f9a031daa8f95a2a1556603496140e5d2931cc

SHA512
b168bf7c1ae528b9a0a015cac362cef5b60e26da13072d92178408228e9a5f03a326f364336b3ef4b992b6ce470eba7955ccf2b49de68921f8f84363a602a99b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49922\Crypto\Cipher\_raw_ofb.pyd
Filesize
17KB

MD5
010af2054fd3819461c27a2dda0bc40e

SHA1
0ff04a4687f93b9ef30b2887b865a7668d858386

SHA256
7117379fa8d00341231725b1b5f9a031daa8f95a2a1556603496140e5d2931cc

SHA512
b168bf7c1ae528b9a0a015cac362cef5b60e26da13072d92178408228e9a5f03a326f364336b3ef4b992b6ce470eba7955ccf2b49de68921f8f84363a602a99b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49922\MSVCP140.dll
Filesize
426KB

MD5
8ff1898897f3f4391803c7253366a87b

SHA1
9bdbeed8f75a892b6b630ef9e634667f4c620fa0

SHA256
51398691feef7ae0a876b523aec47c4a06d9a1ee62f1a0aee27de6d6191c68ad

SHA512
cb071ad55beaa541b5baf1f7d5e145f2c26fbee53e535e8c31b8f2b8df4bf7723f7bef214b670b2c3de57a4a75711dd204a940a2158939ad72f551e32da7ab03

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49922\MSVCP140.dll
Filesize
426KB

MD5
8ff1898897f3f4391803c7253366a87b

SHA1
9bdbeed8f75a892b6b630ef9e634667f4c620fa0

SHA256
51398691feef7ae0a876b523aec47c4a06d9a1ee62f1a0aee27de6d6191c68ad

SHA512
cb071ad55beaa541b5baf1f7d5e145f2c26fbee53e535e8c31b8f2b8df4bf7723f7bef214b670b2c3de57a4a75711dd204a940a2158939ad72f551e32da7ab03

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49922\PIL\_imaging.cp38-win32.pyd
Filesize
2.6MB

MD5
2aa194c3ca7a7a94c9b72df10d781d36

SHA1
0c01ce719bfe94492f6173269bcf45ece019ddee

SHA256
5b6b985e8b069c33c8eeae267ad89d28f54b9f5a4ee74c551db1b6c53e80e17b

SHA512
626e2d3c671bcb10f4300303d1ae01ba31129d2661d24cad2c848b14f37f0fba17fa44328ab9e89135426c91aae66aafcacbe5e88b1ba63d080d7e9ea1dba6b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49922\PIL\_imaging.cp38-win32.pyd
Filesize
2.6MB

MD5
2aa194c3ca7a7a94c9b72df10d781d36

SHA1
0c01ce719bfe94492f6173269bcf45ece019ddee

SHA256
5b6b985e8b069c33c8eeae267ad89d28f54b9f5a4ee74c551db1b6c53e80e17b

SHA512
626e2d3c671bcb10f4300303d1ae01ba31129d2661d24cad2c848b14f37f0fba17fa44328ab9e89135426c91aae66aafcacbe5e88b1ba63d080d7e9ea1dba6b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49922\VCRUNTIME140.dll
Filesize
74KB

MD5
5f9d90d666620944943b0d6d1cca1945

SHA1
08ead2b72a4701349430d18d4a06d9343f777fa6

SHA256
9ec4afad505e0a3dad760fa5b59c66606ae54dd043c16914cf56d7006e46d375

SHA512
be7a2c9dae85e425a280af552dbd7efd84373f780fa8472bab9a5ff29376c3a82d9dfa1fef32c6cf7f45ba6e389de90e090cb579eebff12dcfe12e6f3e7764d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49922\VCRUNTIME140.dll
Filesize
74KB

MD5
5f9d90d666620944943b0d6d1cca1945

SHA1
08ead2b72a4701349430d18d4a06d9343f777fa6

SHA256
9ec4afad505e0a3dad760fa5b59c66606ae54dd043c16914cf56d7006e46d375

SHA512
be7a2c9dae85e425a280af552dbd7efd84373f780fa8472bab9a5ff29376c3a82d9dfa1fef32c6cf7f45ba6e389de90e090cb579eebff12dcfe12e6f3e7764d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49922\_bz2.pyd
Filesize
77KB

MD5
18cd8755e6d4559840d07467df26af34

SHA1
a88ac5c278242308e44a96c01d45663b0b930395

SHA256
82a85187faf8786216c82ac1c4ccf32c8839048e242025ed4e7a1e3ab870255f

SHA512
8d5b4afdc836145443ce2502b52ef350d7f6017aba609d40ec1aafd2cbccb515debc0b04aa6001c690e537f33ca45151134586c32845924aa5afccccc35a82ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49922\_bz2.pyd
Filesize
77KB

MD5
18cd8755e6d4559840d07467df26af34

SHA1
a88ac5c278242308e44a96c01d45663b0b930395

SHA256
82a85187faf8786216c82ac1c4ccf32c8839048e242025ed4e7a1e3ab870255f

SHA512
8d5b4afdc836145443ce2502b52ef350d7f6017aba609d40ec1aafd2cbccb515debc0b04aa6001c690e537f33ca45151134586c32845924aa5afccccc35a82ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49922\_cffi_backend.cp38-win32.pyd
Filesize
143KB

MD5
0902dd1a037f758905320782eb5b5789

SHA1
60f7a41259a3e4427967a17e764f177e1782301c

SHA256
c93ecec95e754ef9604af91cac523d2bdbe86ae803a37d1cfeefb00da977fb95

SHA512
4283447337fabc6d8375055072c2d926a72e2767077d86b789158a41664b8fc426a3258c2676a12ba97e955c77254c5ad8f700148a691527dc623052327bbe29

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49922\_cffi_backend.cp38-win32.pyd
Filesize
143KB

MD5
0902dd1a037f758905320782eb5b5789

SHA1
60f7a41259a3e4427967a17e764f177e1782301c

SHA256
c93ecec95e754ef9604af91cac523d2bdbe86ae803a37d1cfeefb00da977fb95

SHA512
4283447337fabc6d8375055072c2d926a72e2767077d86b789158a41664b8fc426a3258c2676a12ba97e955c77254c5ad8f700148a691527dc623052327bbe29

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49922\_ctypes.pyd
Filesize
114KB

MD5
76816a27c925f301f9776ffd76e6f6d4

SHA1
f9d3992c2ec5998436c24b8ef1dbd50072b7b89d

SHA256
3a94a3525b0531524aabc7f8fc9f1253894cd612a9823d9cdd5070ab81b9d329

SHA512
f79fb8513a786c59f1b6dabbe9cfddb930b7def19316451cf75efa5aa5fe0d46f6ee04870c7dcc2d64818c34f7abe5662a8ad8c3ee4490b02c7182051deed3c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49922\_ctypes.pyd
Filesize
114KB

MD5
76816a27c925f301f9776ffd76e6f6d4

SHA1
f9d3992c2ec5998436c24b8ef1dbd50072b7b89d

SHA256
3a94a3525b0531524aabc7f8fc9f1253894cd612a9823d9cdd5070ab81b9d329

SHA512
f79fb8513a786c59f1b6dabbe9cfddb930b7def19316451cf75efa5aa5fe0d46f6ee04870c7dcc2d64818c34f7abe5662a8ad8c3ee4490b02c7182051deed3c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49922\_hashlib.pyd
Filesize
38KB

MD5
fe12f0301b1e8749108627f1085fd10c

SHA1
f30034824406e62663007ea3d593ebe3e53cc6ce

SHA256
8929b5818aaa0f595b8cc3b6aaddc630f2b27bcde3a29d44c13d95037596aa1b

SHA512
da3e1dd819e1a3a312d509d1930371b11137940939cdf1eb43b07e8db5a19e8a980c8dbe096e47ce57544fc6e0f3c7b17718935a05d26f63a2ce03bc22be2443

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49922\_hashlib.pyd
Filesize
38KB

MD5
fe12f0301b1e8749108627f1085fd10c

SHA1
f30034824406e62663007ea3d593ebe3e53cc6ce

SHA256
8929b5818aaa0f595b8cc3b6aaddc630f2b27bcde3a29d44c13d95037596aa1b

SHA512
da3e1dd819e1a3a312d509d1930371b11137940939cdf1eb43b07e8db5a19e8a980c8dbe096e47ce57544fc6e0f3c7b17718935a05d26f63a2ce03bc22be2443

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49922\_lzma.pyd
Filesize
155KB

MD5
b23d17b4b3b15dab84e384b8dd1d8fc6

SHA1
72fcf3b4cd61b0a8cb282760c9fd466dbb12565b

SHA256
d3350ad957d6c37b2c75f56a5a149f0eeb58295227f78c15048669a2e816ae3a

SHA512
e14a1a3b59da76204325c3edd890ca865262b7fab12fb0fa9754f7a425a64b094b8da75236f0a665d1624229bbeced8b661c452af5798006609a5a4f7f08abb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49922\_lzma.pyd
Filesize
155KB

MD5
b23d17b4b3b15dab84e384b8dd1d8fc6

SHA1
72fcf3b4cd61b0a8cb282760c9fd466dbb12565b

SHA256
d3350ad957d6c37b2c75f56a5a149f0eeb58295227f78c15048669a2e816ae3a

SHA512
e14a1a3b59da76204325c3edd890ca865262b7fab12fb0fa9754f7a425a64b094b8da75236f0a665d1624229bbeced8b661c452af5798006609a5a4f7f08abb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49922\_queue.pyd
Filesize
25KB

MD5
d4d66184d157d9dd8c8337e75eb03914

SHA1
b4d351be2d1140cd3a9d7a41bc5235b6098cc461

SHA256
e8d293cf77b9f94395c18a26ce38cc1ca01a183db3e9105ed9040338ea252ae4

SHA512
15c435f92f8783c46c6eadb33d6200ef5c2c36bdfd5feb8e5cf4a2d51be95f47504e45cd79fa4177de5726c156fcf5c933a38cfff60af619b7cc3513b731d191

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49922\_queue.pyd
Filesize
25KB

MD5
d4d66184d157d9dd8c8337e75eb03914

SHA1
b4d351be2d1140cd3a9d7a41bc5235b6098cc461

SHA256
e8d293cf77b9f94395c18a26ce38cc1ca01a183db3e9105ed9040338ea252ae4

SHA512
15c435f92f8783c46c6eadb33d6200ef5c2c36bdfd5feb8e5cf4a2d51be95f47504e45cd79fa4177de5726c156fcf5c933a38cfff60af619b7cc3513b731d191

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49922\_socket.pyd
Filesize
68KB

MD5
e7ad342af27ef2b62c6fba44a2456fba

SHA1
192bc00a74319fc30bd75c4448a126ccef7f110d

SHA256
48f1f1842e6845a197c9be50027bb2a67a868e743bfa81b8d8753c24cdc08b7b

SHA512
673df6fd4a36f66cbefd05718de0f49ad8299662c3978ad6e05ceaa7437aca6a745573819f267ddb109b1eca7fe366aac8f4e89e53bdee28582836900767dab6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49922\_socket.pyd
Filesize
68KB

MD5
e7ad342af27ef2b62c6fba44a2456fba

SHA1
192bc00a74319fc30bd75c4448a126ccef7f110d

SHA256
48f1f1842e6845a197c9be50027bb2a67a868e743bfa81b8d8753c24cdc08b7b

SHA512
673df6fd4a36f66cbefd05718de0f49ad8299662c3978ad6e05ceaa7437aca6a745573819f267ddb109b1eca7fe366aac8f4e89e53bdee28582836900767dab6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49922\_sqlite3.pyd
Filesize
68KB

MD5
a9cc8e6d9222fbd9882ca5ff670ddbd8

SHA1
f1d658ce1f2287ad3a5c81bdd6f905072b2e7b4b

SHA256
dda21a626a57cf6794140e5f7af749baf1ae686a58336a85b20c61b617a99a80

SHA512
a0c22ecdfd2ce5a4e728c62b14cdb3dca888804abce8bdbd0ed8051c8986dd9044a7bd5c66feb8e0c99ad1c36c22c307b6e533649711828f7db9c0ecba59bddf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49922\_sqlite3.pyd
Filesize
68KB

MD5
a9cc8e6d9222fbd9882ca5ff670ddbd8

SHA1
f1d658ce1f2287ad3a5c81bdd6f905072b2e7b4b

SHA256
dda21a626a57cf6794140e5f7af749baf1ae686a58336a85b20c61b617a99a80

SHA512
a0c22ecdfd2ce5a4e728c62b14cdb3dca888804abce8bdbd0ed8051c8986dd9044a7bd5c66feb8e0c99ad1c36c22c307b6e533649711828f7db9c0ecba59bddf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49922\_ssl.pyd
Filesize
140KB

MD5
54bceb21e1d683b68d58e063f55ae22e

SHA1
f443e16d7d572c62f56066d2e91ab73ad51b9708

SHA256
5dc85dd0bee9ef96c1f278398cc7af36de2f3721dce726a4b13d64bd63eabc39

SHA512
4580371d90fca9f5375e5efa8060f219bb9c9ccd9546b04e69c1d15a8991a1931595deecb350472bdc96654d0c1d8fb3d9e47e8971c4168518e51de42cdc4736

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49922\_ssl.pyd
Filesize
140KB

MD5
54bceb21e1d683b68d58e063f55ae22e

SHA1
f443e16d7d572c62f56066d2e91ab73ad51b9708

SHA256
5dc85dd0bee9ef96c1f278398cc7af36de2f3721dce726a4b13d64bd63eabc39

SHA512
4580371d90fca9f5375e5efa8060f219bb9c9ccd9546b04e69c1d15a8991a1931595deecb350472bdc96654d0c1d8fb3d9e47e8971c4168518e51de42cdc4736

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49922\base_library.zip
Filesize
777KB

MD5
6a07f17ce1f92fa67857960482f85171

SHA1
fc7fed76ca6aea9641a63596098eba7822802664

SHA256
85f9fad12d7b562380e0b964ee855bac581cf0e26620c81fa0284088fa89d34a

SHA512
3676d6a32b4d2cacf29c7a18128916c2f0103973779e0030eb20e91d9ec5b57423eb266d28bc38f1b92f6a8ad716b8d116cb66d8693f32f426a7a93e290847df

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49922\libcrypto-1_1.dll
Filesize
2.1MB

MD5
c7298cd5232cf8f6e34b3404fc276266

SHA1
a043e0ff71244a65a9c2c27c95622e6cc127b932

SHA256
1e95a63b165672accde92a9c9f8b9052c8f6357344f1376af9f916aeeb306da3

SHA512
212b0c5d27615e8375d32d1952beee6b8292f38aae9c9612633839c4b102fcdb2555c3ee206f0df942df49cddb1d833e2773d7dc95a367a0c6628b871d6c6892

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49922\libcrypto-1_1.dll
Filesize
2.1MB

MD5
c7298cd5232cf8f6e34b3404fc276266

SHA1
a043e0ff71244a65a9c2c27c95622e6cc127b932

SHA256
1e95a63b165672accde92a9c9f8b9052c8f6357344f1376af9f916aeeb306da3

SHA512
212b0c5d27615e8375d32d1952beee6b8292f38aae9c9612633839c4b102fcdb2555c3ee206f0df942df49cddb1d833e2773d7dc95a367a0c6628b871d6c6892

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49922\libffi-7.dll
Filesize
28KB

MD5
bc20614744ebf4c2b8acd28d1fe54174

SHA1
665c0acc404e13a69800fae94efd69a41bdda901

SHA256
0c7ec6de19c246a23756b8550e6178ac2394b1093e96d0f43789124149486f57

SHA512
0c473e7070c72d85ae098d208b8d128b50574abebba874dda2a7408aea2aabc6c4b9018801416670af91548c471b7dd5a709a7b17e3358b053c37433665d3f6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49922\libffi-7.dll
Filesize
28KB

MD5
bc20614744ebf4c2b8acd28d1fe54174

SHA1
665c0acc404e13a69800fae94efd69a41bdda901

SHA256
0c7ec6de19c246a23756b8550e6178ac2394b1093e96d0f43789124149486f57

SHA512
0c473e7070c72d85ae098d208b8d128b50574abebba874dda2a7408aea2aabc6c4b9018801416670af91548c471b7dd5a709a7b17e3358b053c37433665d3f6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49922\libssl-1_1.dll
Filesize
526KB

MD5
9c266951ad1d135f50884069b4f096b7

SHA1
8d228026bf26ee1c83521afd84def1383028de52

SHA256
06958c63049e2d7fe1f56df3767e884023a76bba1f41319f7fab3439b28174c5

SHA512
df7fcc98246cd5cd37bd5b8bb3eb5e4849c0f7c1098108b8a591611a2185999d353e42d150edf68c0b02ac3bec704f407eb35ebd7c540f6a8224a4ab498bc19f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49922\libssl-1_1.dll
Filesize
526KB

MD5
9c266951ad1d135f50884069b4f096b7

SHA1
8d228026bf26ee1c83521afd84def1383028de52

SHA256
06958c63049e2d7fe1f56df3767e884023a76bba1f41319f7fab3439b28174c5

SHA512
df7fcc98246cd5cd37bd5b8bb3eb5e4849c0f7c1098108b8a591611a2185999d353e42d150edf68c0b02ac3bec704f407eb35ebd7c540f6a8224a4ab498bc19f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49922\psutil\_psutil_windows.cp38-win32.pyd
Filesize
60KB

MD5
8998b3d6ca245b7114270a332d946fa5

SHA1
79c5bf229b4123177fdd4d1b12021d68dda5fa18

SHA256
a2750421c24180579a3fdc7aa2ce7d0cd14adb43e02ac79dfa0b6ce7b94e0bcb

SHA512
0f7f29e27b42c0f23b17139b4d4342a25aa8dd76c079e064f703fcec60960df4262d3c67e821311270e3c837604472f123e80f0c6b25e11e113cb49967256e37

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49922\psutil\_psutil_windows.cp38-win32.pyd
Filesize
60KB

MD5
8998b3d6ca245b7114270a332d946fa5

SHA1
79c5bf229b4123177fdd4d1b12021d68dda5fa18

SHA256
a2750421c24180579a3fdc7aa2ce7d0cd14adb43e02ac79dfa0b6ce7b94e0bcb

SHA512
0f7f29e27b42c0f23b17139b4d4342a25aa8dd76c079e064f703fcec60960df4262d3c67e821311270e3c837604472f123e80f0c6b25e11e113cb49967256e37

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49922\pyexpat.pyd
Filesize
164KB

MD5
008cf82bc460d691d7f662953a2a0a56

SHA1
ef1b83e421e211a38412b58ff16f35bca1d8b304

SHA256
c8ef88232e6d66dca7f1d7a60a5b0580067a1c9b4a9d21c9f836af4869dcd27c

SHA512
dffa6b10dd5d776003cbd32cf3b2e880d555e48e2b5f8e6a15bcd5fa85d2a1d9e1f099ef731233964efae2adcb24da81f70d72b3596e850a4e1567a5a44de478

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49922\pyexpat.pyd
Filesize
164KB

MD5
008cf82bc460d691d7f662953a2a0a56

SHA1
ef1b83e421e211a38412b58ff16f35bca1d8b304

SHA256
c8ef88232e6d66dca7f1d7a60a5b0580067a1c9b4a9d21c9f836af4869dcd27c

SHA512
dffa6b10dd5d776003cbd32cf3b2e880d555e48e2b5f8e6a15bcd5fa85d2a1d9e1f099ef731233964efae2adcb24da81f70d72b3596e850a4e1567a5a44de478

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49922\python3.DLL
Filesize
58KB

MD5
68bb9599ca71d84de782c2799112b274

SHA1
c751c6892b0cb4f9e87bc877ec01f97ef5bca4f2

SHA256
eac07e177308b8d77e23ef0f510a56b8fb9a56cda876118f9eab1a8e1d9bb399

SHA512
fa904cd9f1c70439b224960e4f4a1e31f0646b45af6ed6ed685af9def511ccfaa7fbe1071e68c2159bd184f90a0aafda50458a4358165a1a50f4ae24616fe9cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49922\python3.dll
Filesize
58KB

MD5
68bb9599ca71d84de782c2799112b274

SHA1
c751c6892b0cb4f9e87bc877ec01f97ef5bca4f2

SHA256
eac07e177308b8d77e23ef0f510a56b8fb9a56cda876118f9eab1a8e1d9bb399

SHA512
fa904cd9f1c70439b224960e4f4a1e31f0646b45af6ed6ed685af9def511ccfaa7fbe1071e68c2159bd184f90a0aafda50458a4358165a1a50f4ae24616fe9cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49922\python38.dll
Filesize
3.9MB

MD5
9f8e0de6e7d4b165b4a49600daacc3b1

SHA1
8cf37d69fdaf65c49f7f5e048c0085b207f7287b

SHA256
a9675a91d767095c9d4a2ae1df6e17bdb59102dbd2b4504c3493b0bcbed5ef55

SHA512
3201b7adf94d3f4510e0b39b4766d1314da66662819fd6de5f5f71956750bb4fdf4228b6e1ad9d4d3bc1fdeb99b7414ed2eff0374aaa3216b67eeedfb8673b48

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49922\python38.dll
Filesize
3.9MB

MD5
9f8e0de6e7d4b165b4a49600daacc3b1

SHA1
8cf37d69fdaf65c49f7f5e048c0085b207f7287b

SHA256
a9675a91d767095c9d4a2ae1df6e17bdb59102dbd2b4504c3493b0bcbed5ef55

SHA512
3201b7adf94d3f4510e0b39b4766d1314da66662819fd6de5f5f71956750bb4fdf4228b6e1ad9d4d3bc1fdeb99b7414ed2eff0374aaa3216b67eeedfb8673b48

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49922\pythoncom38.dll
Filesize
417KB

MD5
01397518d5cf95a2389207ea5ca84412

SHA1
8f59b5048a368a81c2648e83d3ae32bebbc35803

SHA256
a8a4f1d8866b7d1aaa3cc0e515ae89929b2074e6c86862940a4e5a98e59c4a1e

SHA512
5f48461eae23bcda64716a64bcf7416ebd2c90aacd5ef34f1459137a1039f5538a7a21ff34c25cfb820beec683130b59e0c3209a56c0633a0e45f964f127a681

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49922\pythoncom38.dll
Filesize
417KB

MD5
01397518d5cf95a2389207ea5ca84412

SHA1
8f59b5048a368a81c2648e83d3ae32bebbc35803

SHA256
a8a4f1d8866b7d1aaa3cc0e515ae89929b2074e6c86862940a4e5a98e59c4a1e

SHA512
5f48461eae23bcda64716a64bcf7416ebd2c90aacd5ef34f1459137a1039f5538a7a21ff34c25cfb820beec683130b59e0c3209a56c0633a0e45f964f127a681

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49922\pywintypes38.dll
Filesize
115KB

MD5
66abdc1521ef3fce5e9689b29832a49b

SHA1
5a2b330777350744ae1910eae163b533139e7588

SHA256
d522e94eb7c618ed75e8d86be5d690232c007dadaf4acf29d68708242000e890

SHA512
d4d8551f48d0d9c2c9361a712cc489e52f9e64fc09bc2e6bf4bc45a119df54acfffddb74a7d789e95da07f05f4cd4166efa436525c31e086ee31e418b944cbaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49922\pywintypes38.dll
Filesize
115KB

MD5
66abdc1521ef3fce5e9689b29832a49b

SHA1
5a2b330777350744ae1910eae163b533139e7588

SHA256
d522e94eb7c618ed75e8d86be5d690232c007dadaf4acf29d68708242000e890

SHA512
d4d8551f48d0d9c2c9361a712cc489e52f9e64fc09bc2e6bf4bc45a119df54acfffddb74a7d789e95da07f05f4cd4166efa436525c31e086ee31e418b944cbaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49922\select.pyd
Filesize
24KB

MD5
25ae837bec095038db628878c3b12c6a

SHA1
9c77211ed81e51c72e849a3e5d04027cd2ddb9da

SHA256
6d5a3630570035555cea342c3a8e2922ca23451113cb178cd7fee07e59da123c

SHA512
c70ff24bdbfdd995da62d8512b4f703371ee000197f58aa723afc9b050a9329cebc81a5ce86481154fcbc6f31a6831c725d83ce9ce9f551dbbc8756d1f42b417

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49922\select.pyd
Filesize
24KB

MD5
25ae837bec095038db628878c3b12c6a

SHA1
9c77211ed81e51c72e849a3e5d04027cd2ddb9da

SHA256
6d5a3630570035555cea342c3a8e2922ca23451113cb178cd7fee07e59da123c

SHA512
c70ff24bdbfdd995da62d8512b4f703371ee000197f58aa723afc9b050a9329cebc81a5ce86481154fcbc6f31a6831c725d83ce9ce9f551dbbc8756d1f42b417

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49922\sqlite3.dll
Filesize
1.2MB

MD5
6634dde8caa13b46e4c1f6e051d7a42b

SHA1
04b98121215b5bcd481e55a6af53c02c1ae87447

SHA256
1090083e89dcef8dcb42b9d7a9fc1928ff7b48b538f3ad44113e7cb5df9f0cc2

SHA512
3c7dfed0bd5eedccae033a36e903018bc2d95a18be76c17da4d2f7216856cc22d2ddf785337cb0c823064ec4865ac22701c04addf2cb782314b70f933c600f9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49922\sqlite3.dll
Filesize
1.2MB

MD5
6634dde8caa13b46e4c1f6e051d7a42b

SHA1
04b98121215b5bcd481e55a6af53c02c1ae87447

SHA256
1090083e89dcef8dcb42b9d7a9fc1928ff7b48b538f3ad44113e7cb5df9f0cc2

SHA512
3c7dfed0bd5eedccae033a36e903018bc2d95a18be76c17da4d2f7216856cc22d2ddf785337cb0c823064ec4865ac22701c04addf2cb782314b70f933c600f9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49922\ucrtbase.dll
Filesize
900KB

MD5
3df1d7da8c1493a5a00c0474323fef20

SHA1
f771c2f2cc1b0fc8534c7670f1633e8316f62092

SHA256
a134a1d4e9143bce04a4bbefe4f7ee5ad677da1913c1186e021623df01ba28bf

SHA512
fde8e6a06b13ebc64e42e09583e1466d32812b907274fdae8a5e04ee27f108aa311646e62b65aec30db5a9c150fdfe478b1586a7c413101377de50899af36582

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49922\ucrtbase.dll
Filesize
900KB

MD5
3df1d7da8c1493a5a00c0474323fef20

SHA1
f771c2f2cc1b0fc8534c7670f1633e8316f62092

SHA256
a134a1d4e9143bce04a4bbefe4f7ee5ad677da1913c1186e021623df01ba28bf

SHA512
fde8e6a06b13ebc64e42e09583e1466d32812b907274fdae8a5e04ee27f108aa311646e62b65aec30db5a9c150fdfe478b1586a7c413101377de50899af36582

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49922\unicodedata.pyd
Filesize
1.0MB

MD5
6b0b15ed011608fb8a4c3435ab7c51ef

SHA1
9687cd80d7ac21b6aa44e93f6b0b666c8e5d6485

SHA256
af602c6033875478b8cec6270c4b0fa618290b97c7e139d71dbb58b83a08781a

SHA512
32e68f96446e00b1bcc5274064fb86a13e7a1011b4294165fc0f2e54aecf4668eb7a0f2eb166d2bd06b62e8ef9a915dcd327f969ac55275b1456a2d4eacf6c2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49922\unicodedata.pyd
Filesize
1.0MB

MD5
6b0b15ed011608fb8a4c3435ab7c51ef

SHA1
9687cd80d7ac21b6aa44e93f6b0b666c8e5d6485

SHA256
af602c6033875478b8cec6270c4b0fa618290b97c7e139d71dbb58b83a08781a

SHA512
32e68f96446e00b1bcc5274064fb86a13e7a1011b4294165fc0f2e54aecf4668eb7a0f2eb166d2bd06b62e8ef9a915dcd327f969ac55275b1456a2d4eacf6c2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49922\win32api.pyd
Filesize
103KB

MD5
3d4cdc4e1ac38eecd00f7ab9f72baf5d

SHA1
f362606fcb5762dd96792ae439385414e24fbe66

SHA256
4f242496e57f5f28c7bcf6fc599f1d021de499191997539a1dc53d50ae42cda6

SHA512
329c362afab9d74293005c868a2d9d3333113d9667c4470425e2e83ee5a541f1c877e3c66675c42c2ca285ac2e56e8bc78a37a71e222d8f48e16905560dcd14f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49922\win32api.pyd
Filesize
103KB

MD5
3d4cdc4e1ac38eecd00f7ab9f72baf5d

SHA1
f362606fcb5762dd96792ae439385414e24fbe66

SHA256
4f242496e57f5f28c7bcf6fc599f1d021de499191997539a1dc53d50ae42cda6

SHA512
329c362afab9d74293005c868a2d9d3333113d9667c4470425e2e83ee5a541f1c877e3c66675c42c2ca285ac2e56e8bc78a37a71e222d8f48e16905560dcd14f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49922\win32crypt.pyd
Filesize
103KB

MD5
c5e4cb545271df0b9dd4c29d9110a958

SHA1
6d010315bb40cc4b7a3c26af7cdbd5dfbae4f3fe

SHA256
5c330534f153d7978075997f8fc8a19b313ff936e75e219ef1fedd81c13cc68a

SHA512
7e83754c5e73a2066d2f40c4118b4b2bbd23e91309d58a51b1a6a53caa47420d893e2c101591c998dc36f44b5bad7f9c68302fa2c8f3aa60d88bc4a4f871050d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49922\win32crypt.pyd
Filesize
103KB

MD5
c5e4cb545271df0b9dd4c29d9110a958

SHA1
6d010315bb40cc4b7a3c26af7cdbd5dfbae4f3fe

SHA256
5c330534f153d7978075997f8fc8a19b313ff936e75e219ef1fedd81c13cc68a

SHA512
7e83754c5e73a2066d2f40c4118b4b2bbd23e91309d58a51b1a6a53caa47420d893e2c101591c998dc36f44b5bad7f9c68302fa2c8f3aa60d88bc4a4f871050d

Download Submit
memory/940-202-0x0000000000000000-mapping.dmp

Download
memory/1092-198-0x0000000000000000-mapping.dmp

Download
memory/1432-199-0x0000000000000000-mapping.dmp

Download
memory/1460-201-0x0000000000000000-mapping.dmp

Download
memory/1516-203-0x0000000000000000-mapping.dmp

Download
memory/2548-204-0x0000000000000000-mapping.dmp

Download
memory/3728-197-0x0000000000000000-mapping.dmp

Download
memory/4256-205-0x0000000000000000-mapping.dmp

Download
memory/4704-132-0x0000000000000000-mapping.dmp

Download
memory/4860-200-0x0000000000000000-mapping.dmp

Download