demonware | hxxps://github[.]com/jstrosch/malware-samples/raw/master/binaries/gamma_ransomware/2020/May/samples_pcap[.]zip

Analysis

max time kernel
194s
max time network
191s
platform
windows10-2004_x64
resource
win10v2004-20230621-en
resource tags

arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2023 22:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/jstrosch/malware-samples/raw/master/binaries/gamma_ransomware/2020/May/samples_pcap.zip

Score

10^/10

demonware pyinstaller ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Pictures\README.txt

Ransom Note

Tango Down Bitch! Seems like you got hit by GAmmA Group! Don't Panic, you get to have your files back! GAmmAWare uses a basic encryption script to lock your files. This type of ransomware is known as CRYPTO. You'll need a decryption key to unlock your files. Your files will be deleted when the timer runs out, so you better hurry. You have 10 hours to find your key! Payment is accepted with Bitcoin only, Or Google [How to buy Bitcoin] Payment 0.052 BTC to: 1sd2WD1fEJnUPkGgfTEciWENKtLeUGMQe After Payment is confirmed Please Email: [email protected] with your IP/hostname & BTC transaction ID to receive your decryption key. Kind regards, GAmmA GrouP

Emails

[email protected]

Wallets

1sd2WD1fEJnUPkGgfTEciWENKtLeUGMQe

Signatures

DemonWare
Ransomware first seen in mid-2020.
ransomware demonware

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

25af3ae9f4ebe5413b0ca1080b69b0ca.exe

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\ApproveSwitch.png => C:\Users\Admin\Pictures\ApproveSwitch.png.DEMON	25af3ae9f4ebe5413b0ca1080b69b0ca.exe
File renamed	C:\Users\Admin\Pictures\ExpandUnprotect.png => C:\Users\Admin\Pictures\ExpandUnprotect.png.DEMON	25af3ae9f4ebe5413b0ca1080b69b0ca.exe

Executes dropped EXE 2 IoCs

Processes:

25af3ae9f4ebe5413b0ca1080b69b0ca.exe25af3ae9f4ebe5413b0ca1080b69b0ca.exe

pid	Process
1220	25af3ae9f4ebe5413b0ca1080b69b0ca.exe
4320	25af3ae9f4ebe5413b0ca1080b69b0ca.exe

Loads dropped DLL 34 IoCs

Processes:

25af3ae9f4ebe5413b0ca1080b69b0ca.exe

pid	Process
4320	25af3ae9f4ebe5413b0ca1080b69b0ca.exe
4320	25af3ae9f4ebe5413b0ca1080b69b0ca.exe
4320	25af3ae9f4ebe5413b0ca1080b69b0ca.exe
4320	25af3ae9f4ebe5413b0ca1080b69b0ca.exe
4320	25af3ae9f4ebe5413b0ca1080b69b0ca.exe
4320	25af3ae9f4ebe5413b0ca1080b69b0ca.exe
4320	25af3ae9f4ebe5413b0ca1080b69b0ca.exe
4320	25af3ae9f4ebe5413b0ca1080b69b0ca.exe
4320	25af3ae9f4ebe5413b0ca1080b69b0ca.exe
4320	25af3ae9f4ebe5413b0ca1080b69b0ca.exe
4320	25af3ae9f4ebe5413b0ca1080b69b0ca.exe
4320	25af3ae9f4ebe5413b0ca1080b69b0ca.exe
4320	25af3ae9f4ebe5413b0ca1080b69b0ca.exe
4320	25af3ae9f4ebe5413b0ca1080b69b0ca.exe
4320	25af3ae9f4ebe5413b0ca1080b69b0ca.exe
4320	25af3ae9f4ebe5413b0ca1080b69b0ca.exe
4320	25af3ae9f4ebe5413b0ca1080b69b0ca.exe
4320	25af3ae9f4ebe5413b0ca1080b69b0ca.exe
4320	25af3ae9f4ebe5413b0ca1080b69b0ca.exe
4320	25af3ae9f4ebe5413b0ca1080b69b0ca.exe
4320	25af3ae9f4ebe5413b0ca1080b69b0ca.exe
4320	25af3ae9f4ebe5413b0ca1080b69b0ca.exe
4320	25af3ae9f4ebe5413b0ca1080b69b0ca.exe
4320	25af3ae9f4ebe5413b0ca1080b69b0ca.exe
4320	25af3ae9f4ebe5413b0ca1080b69b0ca.exe
4320	25af3ae9f4ebe5413b0ca1080b69b0ca.exe
4320	25af3ae9f4ebe5413b0ca1080b69b0ca.exe
4320	25af3ae9f4ebe5413b0ca1080b69b0ca.exe
4320	25af3ae9f4ebe5413b0ca1080b69b0ca.exe
4320	25af3ae9f4ebe5413b0ca1080b69b0ca.exe
4320	25af3ae9f4ebe5413b0ca1080b69b0ca.exe
4320	25af3ae9f4ebe5413b0ca1080b69b0ca.exe
4320	25af3ae9f4ebe5413b0ca1080b69b0ca.exe
4320	25af3ae9f4ebe5413b0ca1080b69b0ca.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Detects Pyinstaller 3 IoCs

pyinstaller

Processes:

resource	yara_rule
behavioral1/files/0x000d000000023120-246.dat	pyinstaller
behavioral1/files/0x000d000000023120-247.dat	pyinstaller
behavioral1/files/0x000d000000023120-1258.dat	pyinstaller

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133327224272906454"	chrome.exe

Modifies registry class 1 IoCs

Processes:

chrome.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

chrome.exechrome.exe

pid	Process
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4840	chrome.exe
4840	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

chrome.exe

pid	Process
4704	chrome.exe
4704	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe7zG.exe

description	pid	Process
Token: SeShutdownPrivilege	4704	chrome.exe
Token: SeCreatePagefilePrivilege	4704	chrome.exe
Token: SeShutdownPrivilege	4704	chrome.exe
Token: SeCreatePagefilePrivilege	4704	chrome.exe
Token: SeShutdownPrivilege	4704	chrome.exe
Token: SeCreatePagefilePrivilege	4704	chrome.exe
Token: SeShutdownPrivilege	4704	chrome.exe
Token: SeCreatePagefilePrivilege	4704	chrome.exe
Token: SeShutdownPrivilege	4704	chrome.exe
Token: SeCreatePagefilePrivilege	4704	chrome.exe
Token: SeShutdownPrivilege	4704	chrome.exe
Token: SeCreatePagefilePrivilege	4704	chrome.exe
Token: SeShutdownPrivilege	4704	chrome.exe
Token: SeCreatePagefilePrivilege	4704	chrome.exe
Token: SeShutdownPrivilege	4704	chrome.exe
Token: SeCreatePagefilePrivilege	4704	chrome.exe
Token: SeShutdownPrivilege	4704	chrome.exe
Token: SeCreatePagefilePrivilege	4704	chrome.exe
Token: SeShutdownPrivilege	4704	chrome.exe
Token: SeCreatePagefilePrivilege	4704	chrome.exe
Token: SeShutdownPrivilege	4704	chrome.exe
Token: SeCreatePagefilePrivilege	4704	chrome.exe
Token: SeShutdownPrivilege	4704	chrome.exe
Token: SeCreatePagefilePrivilege	4704	chrome.exe
Token: SeShutdownPrivilege	4704	chrome.exe
Token: SeCreatePagefilePrivilege	4704	chrome.exe
Token: SeShutdownPrivilege	4704	chrome.exe
Token: SeCreatePagefilePrivilege	4704	chrome.exe
Token: SeShutdownPrivilege	4704	chrome.exe
Token: SeCreatePagefilePrivilege	4704	chrome.exe
Token: SeShutdownPrivilege	4704	chrome.exe
Token: SeCreatePagefilePrivilege	4704	chrome.exe
Token: SeShutdownPrivilege	4704	chrome.exe
Token: SeCreatePagefilePrivilege	4704	chrome.exe
Token: SeShutdownPrivilege	4704	chrome.exe
Token: SeCreatePagefilePrivilege	4704	chrome.exe
Token: SeShutdownPrivilege	4704	chrome.exe
Token: SeCreatePagefilePrivilege	4704	chrome.exe
Token: SeShutdownPrivilege	4704	chrome.exe
Token: SeCreatePagefilePrivilege	4704	chrome.exe
Token: SeRestorePrivilege	1112	7zG.exe
Token: 35	1112	7zG.exe
Token: SeSecurityPrivilege	1112	7zG.exe
Token: SeSecurityPrivilege	1112	7zG.exe
Token: SeShutdownPrivilege	4704	chrome.exe
Token: SeCreatePagefilePrivilege	4704	chrome.exe
Token: SeShutdownPrivilege	4704	chrome.exe
Token: SeCreatePagefilePrivilege	4704	chrome.exe
Token: SeShutdownPrivilege	4704	chrome.exe
Token: SeCreatePagefilePrivilege	4704	chrome.exe
Token: SeShutdownPrivilege	4704	chrome.exe
Token: SeCreatePagefilePrivilege	4704	chrome.exe
Token: SeShutdownPrivilege	4704	chrome.exe
Token: SeCreatePagefilePrivilege	4704	chrome.exe
Token: SeShutdownPrivilege	4704	chrome.exe
Token: SeCreatePagefilePrivilege	4704	chrome.exe
Token: SeShutdownPrivilege	4704	chrome.exe
Token: SeCreatePagefilePrivilege	4704	chrome.exe
Token: SeShutdownPrivilege	4704	chrome.exe
Token: SeCreatePagefilePrivilege	4704	chrome.exe
Token: SeShutdownPrivilege	4704	chrome.exe
Token: SeCreatePagefilePrivilege	4704	chrome.exe
Token: SeShutdownPrivilege	4704	chrome.exe
Token: SeCreatePagefilePrivilege	4704	chrome.exe

Suspicious use of FindShellTrayWindow 36 IoCs

Processes:

chrome.exe7zG.exe

pid	Process
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
1112	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	Process
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	Process	procid_target
PID 4704 wrote to memory of 5080	4704	chrome.exe	84
PID 4704 wrote to memory of 5080	4704	chrome.exe	84
PID 4704 wrote to memory of 1564	4704	chrome.exe	85
PID 4704 wrote to memory of 1564	4704	chrome.exe	85
PID 4704 wrote to memory of 1564	4704	chrome.exe	85
PID 4704 wrote to memory of 1564	4704	chrome.exe	85
PID 4704 wrote to memory of 1564	4704	chrome.exe	85
PID 4704 wrote to memory of 1564	4704	chrome.exe	85
PID 4704 wrote to memory of 1564	4704	chrome.exe	85
PID 4704 wrote to memory of 1564	4704	chrome.exe	85
PID 4704 wrote to memory of 1564	4704	chrome.exe	85
PID 4704 wrote to memory of 1564	4704	chrome.exe	85
PID 4704 wrote to memory of 1564	4704	chrome.exe	85
PID 4704 wrote to memory of 1564	4704	chrome.exe	85
PID 4704 wrote to memory of 1564	4704	chrome.exe	85
PID 4704 wrote to memory of 1564	4704	chrome.exe	85
PID 4704 wrote to memory of 1564	4704	chrome.exe	85
PID 4704 wrote to memory of 1564	4704	chrome.exe	85
PID 4704 wrote to memory of 1564	4704	chrome.exe	85
PID 4704 wrote to memory of 1564	4704	chrome.exe	85
PID 4704 wrote to memory of 1564	4704	chrome.exe	85
PID 4704 wrote to memory of 1564	4704	chrome.exe	85
PID 4704 wrote to memory of 1564	4704	chrome.exe	85
PID 4704 wrote to memory of 1564	4704	chrome.exe	85
PID 4704 wrote to memory of 1564	4704	chrome.exe	85
PID 4704 wrote to memory of 1564	4704	chrome.exe	85
PID 4704 wrote to memory of 1564	4704	chrome.exe	85
PID 4704 wrote to memory of 1564	4704	chrome.exe	85
PID 4704 wrote to memory of 1564	4704	chrome.exe	85
PID 4704 wrote to memory of 1564	4704	chrome.exe	85
PID 4704 wrote to memory of 1564	4704	chrome.exe	85
PID 4704 wrote to memory of 1564	4704	chrome.exe	85
PID 4704 wrote to memory of 1564	4704	chrome.exe	85
PID 4704 wrote to memory of 1564	4704	chrome.exe	85
PID 4704 wrote to memory of 1564	4704	chrome.exe	85
PID 4704 wrote to memory of 1564	4704	chrome.exe	85
PID 4704 wrote to memory of 1564	4704	chrome.exe	85
PID 4704 wrote to memory of 1564	4704	chrome.exe	85
PID 4704 wrote to memory of 1564	4704	chrome.exe	85
PID 4704 wrote to memory of 1564	4704	chrome.exe	85
PID 4704 wrote to memory of 4140	4704	chrome.exe	86
PID 4704 wrote to memory of 4140	4704	chrome.exe	86
PID 4704 wrote to memory of 4780	4704	chrome.exe	87
PID 4704 wrote to memory of 4780	4704	chrome.exe	87
PID 4704 wrote to memory of 4780	4704	chrome.exe	87
PID 4704 wrote to memory of 4780	4704	chrome.exe	87
PID 4704 wrote to memory of 4780	4704	chrome.exe	87
PID 4704 wrote to memory of 4780	4704	chrome.exe	87
PID 4704 wrote to memory of 4780	4704	chrome.exe	87
PID 4704 wrote to memory of 4780	4704	chrome.exe	87
PID 4704 wrote to memory of 4780	4704	chrome.exe	87
PID 4704 wrote to memory of 4780	4704	chrome.exe	87
PID 4704 wrote to memory of 4780	4704	chrome.exe	87
PID 4704 wrote to memory of 4780	4704	chrome.exe	87
PID 4704 wrote to memory of 4780	4704	chrome.exe	87
PID 4704 wrote to memory of 4780	4704	chrome.exe	87
PID 4704 wrote to memory of 4780	4704	chrome.exe	87
PID 4704 wrote to memory of 4780	4704	chrome.exe	87
PID 4704 wrote to memory of 4780	4704	chrome.exe	87
PID 4704 wrote to memory of 4780	4704	chrome.exe	87
PID 4704 wrote to memory of 4780	4704	chrome.exe	87
PID 4704 wrote to memory of 4780	4704	chrome.exe	87
PID 4704 wrote to memory of 4780	4704	chrome.exe	87
PID 4704 wrote to memory of 4780	4704	chrome.exe	87

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://github.com/jstrosch/malware-samples/raw/master/binaries/gamma_ransomware/2020/May/samples_pcap.zip
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff93fc89758,0x7ff93fc89768,0x7ff93fc89778
  2⤵
  PID:5080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1840 --field-trial-handle=1856,i,6706618636584470711,17691569928160292469,131072 /prefetch:2
  2⤵
  PID:1564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 --field-trial-handle=1856,i,6706618636584470711,17691569928160292469,131072 /prefetch:8
  2⤵
  PID:4140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2228 --field-trial-handle=1856,i,6706618636584470711,17691569928160292469,131072 /prefetch:8
  2⤵
  PID:4780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3232 --field-trial-handle=1856,i,6706618636584470711,17691569928160292469,131072 /prefetch:1
  2⤵
  PID:2196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3236 --field-trial-handle=1856,i,6706618636584470711,17691569928160292469,131072 /prefetch:1
  2⤵
  PID:1580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5112 --field-trial-handle=1856,i,6706618636584470711,17691569928160292469,131072 /prefetch:8
  2⤵
  PID:5108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4924 --field-trial-handle=1856,i,6706618636584470711,17691569928160292469,131072 /prefetch:8
  2⤵
  PID:4800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5284 --field-trial-handle=1856,i,6706618636584470711,17691569928160292469,131072 /prefetch:8
  2⤵
  PID:744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5292 --field-trial-handle=1856,i,6706618636584470711,17691569928160292469,131072 /prefetch:8
  2⤵
  PID:1692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5636 --field-trial-handle=1856,i,6706618636584470711,17691569928160292469,131072 /prefetch:8
  2⤵
  PID:4920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4748 --field-trial-handle=1856,i,6706618636584470711,17691569928160292469,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4840

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4944

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2264

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap21082:86:7zEvent12125
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1112

C:\Users\Admin\Downloads\25af3ae9f4ebe5413b0ca1080b69b0ca.exe
"C:\Users\Admin\Downloads\25af3ae9f4ebe5413b0ca1080b69b0ca.exe"
1⤵
- Executes dropped EXE
PID:1220
- C:\Users\Admin\Downloads\25af3ae9f4ebe5413b0ca1080b69b0ca.exe
  "C:\Users\Admin\Downloads\25af3ae9f4ebe5413b0ca1080b69b0ca.exe"
  2⤵
  - Modifies extensions of user files
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4320

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
fc9bdcdf278668b29be40d4630c286cf

SHA1
51b7fa24229624d1a4e9657a72ef0b11755be60f

SHA256
4e68384059ec35f8c1e29e28c2c2ddb67b25d695d921d6837785f2736592f19e

SHA512
210573c8d5f5ae5b5840606892c58891f964b8d61c58c46f072cbb98da23143a499f0a586c5b8a6ac3f4e363a32b47a8e8870800f59b23ef14f3f2573a868919

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
702B

MD5
88988ebbcfc82e668baddefe2383d354

SHA1
ef6a12a5e7948cdda6654b6c4768cf8880d31fa9

SHA256
88612473d640bc3265e0ef803047ae689e4968bb283ac22c13b5539b2e6b6a1e

SHA512
aea5214498e3b5ccf486251d79134056e2d392c2d46b316b9a50d309cbe25a083b54fb56f406271013891586101d70ce7780c8ec611d2b66826bdbd38dd859ba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
f901ab14fb979f0b7a70053f0d313a75

SHA1
cc11829f0ba55349901a8a26ae8487af2dded530

SHA256
8dbce703d738ded3136974d4de0ceccd7cfb4353d284e3f0e61e90ca26d1270d

SHA512
861660b469359e76baddd0f6dfe1b7ac2ab4df89a598560f2ee25b20a3dfbb7a282a61d3ec05a26a0888fe0e301719bfb87fd4d38074fc843fa48737f48a81e7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
a69eb303dbd3fdc2fd0003c0631b9016

SHA1
4b6e33ee6a4a1454e6193797a2d65cde38e29074

SHA256
c1f73ee551426e16546d735081194bb63eddbd9ac941f57dc9aa1ca54ff0e872

SHA512
887708eb634132e4779db1cb2e97330a7fe42c4f8184ac8ee73f994721b43c6cf6b4adb951006dfccce1e4a2d8b146473f24b14dc35f105005f23eb9de408a3d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
dddff0c2d87bbd75e72e25b9bce805b2

SHA1
3f6eb08981608a7f0bbab0c40ef3f1a0c7c613ad

SHA256
eb4a23fbd798f5d69a90139677306a1940938bbc8e853e63b886614742a4fb06

SHA512
17a50a5949cd73a4c33667bfc20984dcefa881cfdca6c9389ee58d489671663f83c16b2f73ce613e3af04525e52c355ad68b6714fe45228a53d4e315a83f500d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
88KB

MD5
d355441c75dec026eda3cc7839d00177

SHA1
2b11a00faf745ccc778f8109e2d8db1faf4a3551

SHA256
2194767c93fa3e4a1318ba80b80fcaa33b7fca65650c0a128673596e1e4439bd

SHA512
1d04dde8af4a4dc4b3c58471de68da0c64ab0446ec85677c19d4db6f84d5bef6a085511cab82be6833628e28d8a4ec27743e8968179e3ddd2f5343608e11cc85

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
174KB

MD5
3666b693d67a788933377f5685101dcc

SHA1
7be3a562219a14ed7f92aef6406e6a025e3565f7

SHA256
763078ef642c78c55e69986d9767cbcd738fa2e9d7466b5da704f371486d1a06

SHA512
b7cb8e5f78a78e78664980bbc71688dabd87cbc01743e2893c0be055bf7dd0f292ade7ac9326fbd5a1ea7fed389cdd73576d9158516d1fafd5303d41a891161f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
174KB

MD5
bdd74df69b8b87eeb7bb44a52c2971f1

SHA1
27ebd4452541232304b6d7b7ecc741289f27cbd0

SHA256
7f79d50ceae7b66d7fe29d0e564273e5c92fbf7c97c5fb4bd2a47fc67f256c55

SHA512
0aa294f78d5f06905e6410e518053a9660a21a679aadcd2ffef2f6c0c57112baf5574911577d938ef07f69f06ef78f2ee80ea003d7d9e4dc5ea063a59f3f8b04

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
174KB

MD5
d7878caee64da01f69568febd87d94d7

SHA1
8f752380f147fc98b2354f14c4af29f728e531e1

SHA256
5a5d6d591d161312c1c6327a0686628ecc3d984e7779908c6d1cf1110f93ff71

SHA512
6404df8465f802062f2a832775d6cdfb33a8a75e58d6a3ff24843cb378b2ae8d86d0a6ad97ce11c3e30b463cedfd2819a8f417618dd0fe5af667e3fee3a8d8ab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12202\Crypto\Cipher\_raw_cbc.cp37-win_amd64.pyd

Filesize
12KB

MD5
975677038380fe2055348ef1cfead173

SHA1
fc13d734e4a762692b4763b0bb69f54f65961baa

SHA256
183c2b948acfee01ee53acdbcfd5ea1161819dd91e26a711f6bcae54ea4f1d68

SHA512
a84a1a1babc5e29fe3b3b52da550506b4a51d9974c044cae977d22082b9293f72c55339b936b4b01e13ac7f482fd15bac20129ed008421e00270275970548447

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12202\Crypto\Cipher\_raw_cbc.cp37-win_amd64.pyd

Filesize
12KB

MD5
975677038380fe2055348ef1cfead173

SHA1
fc13d734e4a762692b4763b0bb69f54f65961baa

SHA256
183c2b948acfee01ee53acdbcfd5ea1161819dd91e26a711f6bcae54ea4f1d68

SHA512
a84a1a1babc5e29fe3b3b52da550506b4a51d9974c044cae977d22082b9293f72c55339b936b4b01e13ac7f482fd15bac20129ed008421e00270275970548447

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12202\Crypto\Cipher\_raw_cfb.cp37-win_amd64.pyd

Filesize
12KB

MD5
eaeb30f73165bef13c17703e524ba4e7

SHA1
375396d0d6287739a78d192b6c99f63adb850621

SHA256
37dceb92e4712f70725b79309e1b3313c9a6fe4f0129eb873ec283f8a4fc966a

SHA512
6a8997a2bd80c62cee369636b8e33130ab983b5a58211901312624d961fd8c2630eee10df7891bc87bfc51c85e6fae3eec1e7537c35859604db754084bfcf226

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12202\Crypto\Cipher\_raw_cfb.cp37-win_amd64.pyd

Filesize
12KB

MD5
eaeb30f73165bef13c17703e524ba4e7

SHA1
375396d0d6287739a78d192b6c99f63adb850621

SHA256
37dceb92e4712f70725b79309e1b3313c9a6fe4f0129eb873ec283f8a4fc966a

SHA512
6a8997a2bd80c62cee369636b8e33130ab983b5a58211901312624d961fd8c2630eee10df7891bc87bfc51c85e6fae3eec1e7537c35859604db754084bfcf226

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12202\Crypto\Cipher\_raw_ctr.cp37-win_amd64.pyd

Filesize
13KB

MD5
9c4f7079923415405bdc57170343d276

SHA1
a7c5fc789c34717efdf18afd6ad80aa638285a3e

SHA256
0a3d953bbecd62553ec35ccd2b5e97e54849171ae3bec86361f18e5641f51cb4

SHA512
fe950abae14646fcafa417395361cbeda0b9f939fc5a8cc9610791ffc7d37d6ea3f0ccb59d3b541afdf2cfea5477b612ca2881bce2aec011165c521c6ae4570b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12202\Crypto\Cipher\_raw_ctr.cp37-win_amd64.pyd

Filesize
13KB

MD5
9c4f7079923415405bdc57170343d276

SHA1
a7c5fc789c34717efdf18afd6ad80aa638285a3e

SHA256
0a3d953bbecd62553ec35ccd2b5e97e54849171ae3bec86361f18e5641f51cb4

SHA512
fe950abae14646fcafa417395361cbeda0b9f939fc5a8cc9610791ffc7d37d6ea3f0ccb59d3b541afdf2cfea5477b612ca2881bce2aec011165c521c6ae4570b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12202\Crypto\Cipher\_raw_ecb.cp37-win_amd64.pyd

Filesize
10KB

MD5
dc7b8a32b583dddd095e4a586790e196

SHA1
899addf5f7160c3e9dcf0b70a277b37f9cfe1a99

SHA256
1e14ce917a8fda673def4e59ec95f3cbebc053adee0f4c1916b6cd580dc5451a

SHA512
04a8cef79f8f644af9daf937c20c1372eea55c747e2e3ebc7511263cc6d803ca5d959f856bcab3d1df8ac98939b2eb66c5ae506418f8317475b566480fe32fb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12202\Crypto\Cipher\_raw_ecb.cp37-win_amd64.pyd

Filesize
10KB

MD5
dc7b8a32b583dddd095e4a586790e196

SHA1
899addf5f7160c3e9dcf0b70a277b37f9cfe1a99

SHA256
1e14ce917a8fda673def4e59ec95f3cbebc053adee0f4c1916b6cd580dc5451a

SHA512
04a8cef79f8f644af9daf937c20c1372eea55c747e2e3ebc7511263cc6d803ca5d959f856bcab3d1df8ac98939b2eb66c5ae506418f8317475b566480fe32fb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12202\Crypto\Cipher\_raw_ofb.cp37-win_amd64.pyd

Filesize
11KB

MD5
f61b7704ddc6e8a3cdef746ce273e9b4

SHA1
724ca28ece5e600397b37ca92ab73d8ef28420d1

SHA256
bb04cfa6485c766cc980b317c4bc6afa776b9fb2f550cd24d4d31091942aa579

SHA512
56b1f4f6aa275303afdd1ec292f4f5908bb2eae0d71236cb00ade785c74ea0180f494c78a73269c8a0532e4daa71cd9a5cbebde5db3788d93f343ac7f53bcae5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12202\Crypto\Cipher\_raw_ofb.cp37-win_amd64.pyd

Filesize
11KB

MD5
f61b7704ddc6e8a3cdef746ce273e9b4

SHA1
724ca28ece5e600397b37ca92ab73d8ef28420d1

SHA256
bb04cfa6485c766cc980b317c4bc6afa776b9fb2f550cd24d4d31091942aa579

SHA512
56b1f4f6aa275303afdd1ec292f4f5908bb2eae0d71236cb00ade785c74ea0180f494c78a73269c8a0532e4daa71cd9a5cbebde5db3788d93f343ac7f53bcae5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12202\Crypto\Hash\_BLAKE2s.cp37-win_amd64.pyd

Filesize
14KB

MD5
80bcd0e98ccd489062d84d9fac968bdb

SHA1
4754c9ec593ff821c9249053eb5e257ccc6dc630

SHA256
4fbdf3c3057e8eef60fa7382be1c303db96c06d3d846723ce19a5982d92d0179

SHA512
f82a856bf72c3bd9906992d0733e4b0e6ec6d183e7557f431e2d8ed6f5a058f7ad1e7a9f4abf787f40bda800757dc03a64454df3183a1626096e78e85a0c6ed5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12202\Crypto\Hash\_BLAKE2s.cp37-win_amd64.pyd

Filesize
14KB

MD5
80bcd0e98ccd489062d84d9fac968bdb

SHA1
4754c9ec593ff821c9249053eb5e257ccc6dc630

SHA256
4fbdf3c3057e8eef60fa7382be1c303db96c06d3d846723ce19a5982d92d0179

SHA512
f82a856bf72c3bd9906992d0733e4b0e6ec6d183e7557f431e2d8ed6f5a058f7ad1e7a9f4abf787f40bda800757dc03a64454df3183a1626096e78e85a0c6ed5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12202\Crypto\Hash\_MD5.cp37-win_amd64.pyd

Filesize
15KB

MD5
01c4ff8f2c1b7de289412e0b991fc3ea

SHA1
cf61c41da1d0828c585b00f1fe1a5806dfca4abe

SHA256
f65db1b2870dd515a21f0a54c41648e46c084f69397b9e490c851dfbe16a94d1

SHA512
20c5440dc6c2580b65c5554f1613dfc2fef564739f8ab53032806894521ac5459c5b616d2c95a01dbc68177e38079059da8bae033c25379b8a08a6eb9069a2bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12202\Crypto\Hash\_SHA1.cp37-win_amd64.pyd

Filesize
18KB

MD5
130c190ea34d050d11ddb438aa85ee38

SHA1
608e400fc970d132081149284336f065532f50b2

SHA256
c8b01a857fff18abda746b703376373b5f9b66eec8e4fee124dbd0dfab73cdbb

SHA512
3109d48cb3bea9d061dfe1c22e0795dac12c8d5468fd866286fc9349876843f5650159f41afbb3162ce060ccd258486ddc2622fdd041f1d5c0867ac6577f59d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12202\Crypto\Hash\_SHA1.cp37-win_amd64.pyd

Filesize
18KB

MD5
130c190ea34d050d11ddb438aa85ee38

SHA1
608e400fc970d132081149284336f065532f50b2

SHA256
c8b01a857fff18abda746b703376373b5f9b66eec8e4fee124dbd0dfab73cdbb

SHA512
3109d48cb3bea9d061dfe1c22e0795dac12c8d5468fd866286fc9349876843f5650159f41afbb3162ce060ccd258486ddc2622fdd041f1d5c0867ac6577f59d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12202\Crypto\Hash\_SHA256.cp37-win_amd64.pyd

Filesize
20KB

MD5
604980ebcb7a6f094fafbf7fbddb024d

SHA1
0062fe88f899f28df8682be6e7820db51eb7ae50

SHA256
cd7909a8da1136c930daab4b496640f6a23f89c6423e9e1cad829874ff499c6c

SHA512
2fc270a5aca29157d82e0be5be1eb49bf58edeefd8591b72f1a2857a78c2d534dd0b3ddcbf702d3b741170fdd86e5fa901d1028a3cde2e8518fbdbf0f2bbb354

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12202\Crypto\Hash\_SHA256.cp37-win_amd64.pyd

Filesize
20KB

MD5
604980ebcb7a6f094fafbf7fbddb024d

SHA1
0062fe88f899f28df8682be6e7820db51eb7ae50

SHA256
cd7909a8da1136c930daab4b496640f6a23f89c6423e9e1cad829874ff499c6c

SHA512
2fc270a5aca29157d82e0be5be1eb49bf58edeefd8591b72f1a2857a78c2d534dd0b3ddcbf702d3b741170fdd86e5fa901d1028a3cde2e8518fbdbf0f2bbb354

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12202\Crypto\Util\_strxor.cp37-win_amd64.pyd

Filesize
10KB

MD5
8b0290798b02b21fb79521c7914b24f7

SHA1
2f7ab160f2bf26734ecffecba69889035e3bd930

SHA256
2c21a97fb28c49b2d92ab0f6e7b3a55a821bc465ddcd4e29558a1d063d9fe5c1

SHA512
9898575c8894599069877bbff9109b28ca624f5bb1ac88a623a5de4fa40a8e02c64dfbb2c142aac1a65ec6b7fa24c7f9399c28083a666e18fd68ea5b2e24a81e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12202\Crypto\Util\_strxor.cp37-win_amd64.pyd

Filesize
10KB

MD5
8b0290798b02b21fb79521c7914b24f7

SHA1
2f7ab160f2bf26734ecffecba69889035e3bd930

SHA256
2c21a97fb28c49b2d92ab0f6e7b3a55a821bc465ddcd4e29558a1d063d9fe5c1

SHA512
9898575c8894599069877bbff9109b28ca624f5bb1ac88a623a5de4fa40a8e02c64dfbb2c142aac1a65ec6b7fa24c7f9399c28083a666e18fd68ea5b2e24a81e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12202\PIL\_imaging.cp37-win_amd64.pyd

Filesize
2.5MB

MD5
70398840c51be1f97b011b0d5f6116e2

SHA1
bb303242a812444e14900724574f115601820b9b

SHA256
ca0adeb0602b3574b93f17a2c2d7c0c0046ea26a46ee8046149ec2bf2ad80ef2

SHA512
968d7a8075c09b5969044fd6258aa81a7f00cd901a172c8cbd45147621c8902f787a5eba6c6f8a010aa4db8bc211db769c94d71edb8b3c12907180859ed8bac0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12202\PIL\_imaging.cp37-win_amd64.pyd

Filesize
2.5MB

MD5
70398840c51be1f97b011b0d5f6116e2

SHA1
bb303242a812444e14900724574f115601820b9b

SHA256
ca0adeb0602b3574b93f17a2c2d7c0c0046ea26a46ee8046149ec2bf2ad80ef2

SHA512
968d7a8075c09b5969044fd6258aa81a7f00cd901a172c8cbd45147621c8902f787a5eba6c6f8a010aa4db8bc211db769c94d71edb8b3c12907180859ed8bac0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12202\VCRUNTIME140.dll

Filesize
87KB

MD5
0e675d4a7a5b7ccd69013386793f68eb

SHA1
6e5821ddd8fea6681bda4448816f39984a33596b

SHA256
bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1

SHA512
cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12202\VCRUNTIME140.dll

Filesize
87KB

MD5
0e675d4a7a5b7ccd69013386793f68eb

SHA1
6e5821ddd8fea6681bda4448816f39984a33596b

SHA256
bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1

SHA512
cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12202\_bz2.pyd

Filesize
87KB

MD5
8b40a68ae537c0aab25a8b30b10ab098

SHA1
1c8ac1f7f5c3697c457dd98f05296c2354ff7f55

SHA256
0b86ef4810d53e79f1d934b427fdbacf3792eebb37ed241bc89148238af763fa

SHA512
620ad61ff05c73adee4ac8f4b88a3880c11893eaac77ccca4e88edb29b492366a5bcf813d18628f005730f7e45ce373af9275776ea768b67b8d0e3bc62949229

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12202\_bz2.pyd

Filesize
87KB

MD5
8b40a68ae537c0aab25a8b30b10ab098

SHA1
1c8ac1f7f5c3697c457dd98f05296c2354ff7f55

SHA256
0b86ef4810d53e79f1d934b427fdbacf3792eebb37ed241bc89148238af763fa

SHA512
620ad61ff05c73adee4ac8f4b88a3880c11893eaac77ccca4e88edb29b492366a5bcf813d18628f005730f7e45ce373af9275776ea768b67b8d0e3bc62949229

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12202\_ctypes.pyd

Filesize
131KB

MD5
9a69561e94859bc3411c6499bc46c4bd

SHA1
3fa5bc2d4ffc23c4c383252c51098d6211949b99

SHA256
6bbde732c5bcb89455f43f370a444bb6bca321825de56f9a1f2e947b0a006f1c

SHA512
31d9e3844f1b8e72ec80acd1e224a94d11039c130e69c498a668e07e0d8bba8d1ed1ebe0b7a16376ca597d0e2b74a0d5e3bf53d1cbadf5bf099d3bf78db659a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12202\_ctypes.pyd

Filesize
131KB

MD5
9a69561e94859bc3411c6499bc46c4bd

SHA1
3fa5bc2d4ffc23c4c383252c51098d6211949b99

SHA256
6bbde732c5bcb89455f43f370a444bb6bca321825de56f9a1f2e947b0a006f1c

SHA512
31d9e3844f1b8e72ec80acd1e224a94d11039c130e69c498a668e07e0d8bba8d1ed1ebe0b7a16376ca597d0e2b74a0d5e3bf53d1cbadf5bf099d3bf78db659a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12202\_hashlib.pyd

Filesize
38KB

MD5
1f77f7a5f36c48e7c596e7031c80e4ff

SHA1
79f86e31203b60b3388047e39a2a26275da411f5

SHA256
30dfbd97883b1545513ca5bb857a9aad6e9bf4b8b4272569818346eaf25033f7

SHA512
b647e820ae4854921839a6cc92610fd63ef79623d442fd17503a39ca145dfd6cde3719c50473c0c74fe487f980b12e90bd3d3beb5729fa5498a357d44f81809c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12202\_hashlib.pyd

Filesize
38KB

MD5
1f77f7a5f36c48e7c596e7031c80e4ff

SHA1
79f86e31203b60b3388047e39a2a26275da411f5

SHA256
30dfbd97883b1545513ca5bb857a9aad6e9bf4b8b4272569818346eaf25033f7

SHA512
b647e820ae4854921839a6cc92610fd63ef79623d442fd17503a39ca145dfd6cde3719c50473c0c74fe487f980b12e90bd3d3beb5729fa5498a357d44f81809c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12202\_lzma.pyd

Filesize
251KB

MD5
16fb5a2363ce8dd12a65a9823a517b59

SHA1
59979d9195259f48c678cdaa36b5efee13472ff5

SHA256
bb78ca0dd1478027e2e9f06f56fc7c3cc6f157b4151562d58a7f6646e463fcc2

SHA512
d9801cdd8cc9809781b79882a226ee7a56d93eac0181295c80cb1f088f0fbf46e3eb35c7d8ff208dbd5a3e93a190a04c48fd254c9971a3740b020547973683e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12202\_lzma.pyd

Filesize
251KB

MD5
16fb5a2363ce8dd12a65a9823a517b59

SHA1
59979d9195259f48c678cdaa36b5efee13472ff5

SHA256
bb78ca0dd1478027e2e9f06f56fc7c3cc6f157b4151562d58a7f6646e463fcc2

SHA512
d9801cdd8cc9809781b79882a226ee7a56d93eac0181295c80cb1f088f0fbf46e3eb35c7d8ff208dbd5a3e93a190a04c48fd254c9971a3740b020547973683e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12202\_socket.pyd

Filesize
74KB

MD5
0ea1df6137ee3369546a806a175aecf4

SHA1
95fd1ad45892cb9e655bfa62ca1be80a0b9b2d43

SHA256
6fcc31573ae6b380db1d4e23731755465fd2cee0856e7a6c0e396759bcbf73b5

SHA512
6497fdb86ac69f6551a7794c090ca695bf22eb647b7a503fa23d7944ad375f061429f17e2ea043c809460e7cb9fc3df77c7bfe0b64f00ddd65de1aa744d3adcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12202\_socket.pyd

Filesize
74KB

MD5
0ea1df6137ee3369546a806a175aecf4

SHA1
95fd1ad45892cb9e655bfa62ca1be80a0b9b2d43

SHA256
6fcc31573ae6b380db1d4e23731755465fd2cee0856e7a6c0e396759bcbf73b5

SHA512
6497fdb86ac69f6551a7794c090ca695bf22eb647b7a503fa23d7944ad375f061429f17e2ea043c809460e7cb9fc3df77c7bfe0b64f00ddd65de1aa744d3adcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12202\_tkinter.pyd

Filesize
67KB

MD5
e994387279fec56a0eda4ca03eec759e

SHA1
f3a3872b42c7c5bc3379a605dac398e8596e1179

SHA256
01604c20b2ef42ed854c84c75a4227a844f543e54e1c05949281f9adabb762ff

SHA512
f005e4916d0fb468c70946ca884cd38870a74dd8936ca49925e79cc0aa0458ca578b61e0be436aa2497e98c45f95513e14085289746f41027a2bfec540d3dc79

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12202\_tkinter.pyd

Filesize
67KB

MD5
e994387279fec56a0eda4ca03eec759e

SHA1
f3a3872b42c7c5bc3379a605dac398e8596e1179

SHA256
01604c20b2ef42ed854c84c75a4227a844f543e54e1c05949281f9adabb762ff

SHA512
f005e4916d0fb468c70946ca884cd38870a74dd8936ca49925e79cc0aa0458ca578b61e0be436aa2497e98c45f95513e14085289746f41027a2bfec540d3dc79

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12202\base_library.zip

Filesize
764KB

MD5
e5b66f29455a81c4d9935e36d23df0ab

SHA1
48902a5d77168e17dd5a5dda4dd77147b31d080e

SHA256
09e423ddbd85bda67b0bdd2848ede518dc550b9b8d9f148c89391ab6bd178d9f

SHA512
b59ad7615295a23f9da421ee34f45f8f451d477919c9f6e322de5cd25b8ab4023b4960eca3bdbf67729a130cb2794616df451e17d88bee5e5139608d3067ee89

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12202\libcrypto-1_1.dll

Filesize
3.2MB

MD5
bf83f8ad60cb9db462ce62c73208a30d

SHA1
f1bc7dbc1e5b00426a51878719196d78981674c4

SHA256
012866b68f458ec204b9bce067af8f4a488860774e7e17973c49e583b52b828d

SHA512
ae1bdda1c174ddf4205ab19a25737fe523dca6a9a339030cd8a95674c243d0011121067c007be56def4eaeffc40cbdadfdcbd1e61df3404d6a3921d196dcd81e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12202\libcrypto-1_1.dll

Filesize
3.2MB

MD5
bf83f8ad60cb9db462ce62c73208a30d

SHA1
f1bc7dbc1e5b00426a51878719196d78981674c4

SHA256
012866b68f458ec204b9bce067af8f4a488860774e7e17973c49e583b52b828d

SHA512
ae1bdda1c174ddf4205ab19a25737fe523dca6a9a339030cd8a95674c243d0011121067c007be56def4eaeffc40cbdadfdcbd1e61df3404d6a3921d196dcd81e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12202\payload.exe.manifest

Filesize
1KB

MD5
22a0ccba48fe09df9b1a9dc4d03348c8

SHA1
b83b7b140333e5fcb70bf361e717453982f8be1d

SHA256
d4dc6e1c6191a54fd372aa0bb6c8db946d4be94b70142d0d9c3aab4d6b11d28f

SHA512
633abf3a33f13e21566d7e0ea1d1fccd52fca5d5237202e0266ed46f539a8354b877487f422b29e2082b62f4adc8acf1487620f6b60e417f4d91663e826eef7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12202\python37.dll

Filesize
3.6MB

MD5
86af9b888a72bdceb8fd8ed54975edd5

SHA1
c9d67c9243f818c0a8cc279267cca44d9995f0cf

SHA256
e11aa3893597d7c408349ebb11f47a24e388fd702c4d38b5d6f363f7ad6e8e5f

SHA512
5d8fd9040f466e23af7f17772e3769ad83c5f55f8c70dcc3cfb1f827e105f0f4e6133f0e183fabc67dd44799495c47f931bf92546342b30b9c4a5c2b4aeee7c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12202\python37.dll

Filesize
3.6MB

MD5
86af9b888a72bdceb8fd8ed54975edd5

SHA1
c9d67c9243f818c0a8cc279267cca44d9995f0cf

SHA256
e11aa3893597d7c408349ebb11f47a24e388fd702c4d38b5d6f363f7ad6e8e5f

SHA512
5d8fd9040f466e23af7f17772e3769ad83c5f55f8c70dcc3cfb1f827e105f0f4e6133f0e183fabc67dd44799495c47f931bf92546342b30b9c4a5c2b4aeee7c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12202\select.pyd

Filesize
26KB

MD5
e1d0d18a0dd8e82f9b677a86d32e3124

SHA1
96a00541d86d03529b55c1ac5ff1c6cfb5e91d1e

SHA256
4595675949851bd0ff65521e936647fcc5c8d2f32f0ac2641a262fb6323896dd

SHA512
38e3b6b23ebcbdc60eeeed0bf3dddc69004a1ccd4a2486f3a9f8c0d4624b690e2e5704e3fe05bf1bf2c900bf4f5bc9439f45f3c02fd4c67783056b3da15e0f56

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12202\select.pyd

Filesize
26KB

MD5
e1d0d18a0dd8e82f9b677a86d32e3124

SHA1
96a00541d86d03529b55c1ac5ff1c6cfb5e91d1e

SHA256
4595675949851bd0ff65521e936647fcc5c8d2f32f0ac2641a262fb6323896dd

SHA512
38e3b6b23ebcbdc60eeeed0bf3dddc69004a1ccd4a2486f3a9f8c0d4624b690e2e5704e3fe05bf1bf2c900bf4f5bc9439f45f3c02fd4c67783056b3da15e0f56

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12202\tcl86t.dll

Filesize
1.6MB

MD5
c0b23815701dbae2a359cb8adb9ae730

SHA1
5be6736b645ed12e97b9462b77e5a43482673d90

SHA256
f650d6bc321bcda3fc3ac3dec3ac4e473fb0b7b68b6c948581bcfc54653e6768

SHA512
ed60384e95be8ea5930994db8527168f78573f8a277f8d21c089f0018cd3b9906da764ed6fcc1bd4efad009557645e206fbb4e5baef9ab4b2e3c8bb5c3b5d725

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12202\tcl86t.dll

Filesize
1.6MB

MD5
c0b23815701dbae2a359cb8adb9ae730

SHA1
5be6736b645ed12e97b9462b77e5a43482673d90

SHA256
f650d6bc321bcda3fc3ac3dec3ac4e473fb0b7b68b6c948581bcfc54653e6768

SHA512
ed60384e95be8ea5930994db8527168f78573f8a277f8d21c089f0018cd3b9906da764ed6fcc1bd4efad009557645e206fbb4e5baef9ab4b2e3c8bb5c3b5d725

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12202\tcl\encoding\cp1252.enc

Filesize
1KB

MD5
5900f51fd8b5ff75e65594eb7dd50533

SHA1
2e21300e0bc8a847d0423671b08d3c65761ee172

SHA256
14df3ae30e81e7620be6bbb7a9e42083af1ae04d94cf1203565f8a3c0542ace0

SHA512
ea0455ff4cd5c0d4afb5e79b671565c2aede2857d534e1371f0c10c299c74cb4ad113d56025f58b8ae9e88e2862f0864a4836fed236f5730360b2223fde479dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12202\tk86t.dll

Filesize
1.4MB

MD5
fdc8a5d96f9576bd70aa1cadc2f21748

SHA1
bae145525a18ce7e5bc69c5f43c6044de7b6e004

SHA256
1a6d0871be2fa7153de22be008a20a5257b721657e6d4b24da8b1f940345d0d5

SHA512
816ada61c1fd941d10e6bb4350baa77f520e2476058249b269802be826bab294a9c18edc5d590f5ed6f8dafed502ab7ffb29db2f44292cb5bedf2f5fa609f49c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12202\tk86t.dll

Filesize
1.4MB

MD5
fdc8a5d96f9576bd70aa1cadc2f21748

SHA1
bae145525a18ce7e5bc69c5f43c6044de7b6e004

SHA256
1a6d0871be2fa7153de22be008a20a5257b721657e6d4b24da8b1f940345d0d5

SHA512
816ada61c1fd941d10e6bb4350baa77f520e2476058249b269802be826bab294a9c18edc5d590f5ed6f8dafed502ab7ffb29db2f44292cb5bedf2f5fa609f49c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12202\ucrtbase.dll

Filesize
971KB

MD5
1eb17f650462eea820f4cd727d2d3ab1

SHA1
688f59160589ffa293502bffcd5c0e62e1993903

SHA256
24968e69daf49f58e812ada3e4cb24a66d6fb9ef14fc211538dd992b08ed1c3b

SHA512
4b2fd6f202d2c697d10e0a2751ec05128071c7a3f1296c9f41fdbf07b334d8eb48dad674d91150966e0ea925c8e2aeceff904bb3d055989de2e1f94dd7d4bf18

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12202\ucrtbase.dll

Filesize
971KB

MD5
1eb17f650462eea820f4cd727d2d3ab1

SHA1
688f59160589ffa293502bffcd5c0e62e1993903

SHA256
24968e69daf49f58e812ada3e4cb24a66d6fb9ef14fc211538dd992b08ed1c3b

SHA512
4b2fd6f202d2c697d10e0a2751ec05128071c7a3f1296c9f41fdbf07b334d8eb48dad674d91150966e0ea925c8e2aeceff904bb3d055989de2e1f94dd7d4bf18

Download Submit
C:\Users\Admin\Downloads\25af3ae9f4ebe5413b0ca1080b69b0ca.exe

Filesize
11.3MB

MD5
25af3ae9f4ebe5413b0ca1080b69b0ca

SHA1
c34e2a2d8ba0aaea3913227de0cbf87cad4ebd1b

SHA256
2d95507aa1ea5d2a6313bc5c201cf76e6aae4c207aa0fafe8f1fcb03e94102ec

SHA512
b7194be16c8d4db0fc8305165c6d0e0aa6684b36c58855d9fab11e0d59d8bf004475df9932588cabebeff7d4f9a71dfa6bd8e985cfde1e318eb34e6880960ff2

Download Submit
C:\Users\Admin\Downloads\25af3ae9f4ebe5413b0ca1080b69b0ca.exe

Filesize
11.3MB

MD5
25af3ae9f4ebe5413b0ca1080b69b0ca

SHA1
c34e2a2d8ba0aaea3913227de0cbf87cad4ebd1b

SHA256
2d95507aa1ea5d2a6313bc5c201cf76e6aae4c207aa0fafe8f1fcb03e94102ec

SHA512
b7194be16c8d4db0fc8305165c6d0e0aa6684b36c58855d9fab11e0d59d8bf004475df9932588cabebeff7d4f9a71dfa6bd8e985cfde1e318eb34e6880960ff2

Download Submit
C:\Users\Admin\Downloads\25af3ae9f4ebe5413b0ca1080b69b0ca.exe

Filesize
11.3MB

MD5
25af3ae9f4ebe5413b0ca1080b69b0ca

SHA1
c34e2a2d8ba0aaea3913227de0cbf87cad4ebd1b

SHA256
2d95507aa1ea5d2a6313bc5c201cf76e6aae4c207aa0fafe8f1fcb03e94102ec

SHA512
b7194be16c8d4db0fc8305165c6d0e0aa6684b36c58855d9fab11e0d59d8bf004475df9932588cabebeff7d4f9a71dfa6bd8e985cfde1e318eb34e6880960ff2

Download Submit
C:\Users\Admin\Downloads\samples_pcap.zip

Filesize
20.5MB

MD5
a37a8feea4cf91fe2223efd28a48e1aa

SHA1
87b970c0012f7dfb630819ba3302dc87db360ffd

SHA256
273ffc020f3bae8049be32d6b73371f35147f84ef19dfdad91217cdca3632d23

SHA512
b402fee4ba98899312351bd4e6e2d1b6fccf5670f1ac702c5c707fa04e8c6734fda7f0ced26285557584cf2b0863b14746baa747738a5d7db042f64999571532

Download Submit
C:\Users\Admin\Downloads\samples_pcap.zip.crdownload

Filesize
20.5MB

MD5
a37a8feea4cf91fe2223efd28a48e1aa

SHA1
87b970c0012f7dfb630819ba3302dc87db360ffd

SHA256
273ffc020f3bae8049be32d6b73371f35147f84ef19dfdad91217cdca3632d23

SHA512
b402fee4ba98899312351bd4e6e2d1b6fccf5670f1ac702c5c707fa04e8c6734fda7f0ced26285557584cf2b0863b14746baa747738a5d7db042f64999571532

Download Submit
C:\Users\Admin\Pictures\README.txt

Filesize
690B

MD5
1bdcdadff52738118b8756668b9d2c19

SHA1
d3ae0b6f436658897ebde5936905958baa345fd2

SHA256
ae7212ed43727581a3cd2b6a505a494063e325d347704a405acbfea27ee4a0f8

SHA512
a53b1fd0a67aa17fc70a0ae5dfb1fb3692db4fe70c83f60cbdca2d398730130b1517462ea1ce59239dab3f76b699a3ad45941310423cddc3badddc726e0246ac

Download Submit
\??\pipe\crashpad_4704_FPRHHOHEXCCHWCMW

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit