Malware Analysis Report

2024-11-13 15:06

Sample ID 231202-yfap1afe3z
Target RUNCECE.exe
SHA256 da2ecdafa3fbcc59f30fed701e9c3529432bcc479fc18ffe575310601d8e4576
Tags
pyinstaller pysilon upx persistence
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral6, behavioral7, behavioral8, behavioral9, behavioral10, behavioral5, behavioral11, behavioral12, behavioral1, behavioral2, behavioral3, behavioral4 (each with Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

score
10/10

SHA256

da2ecdafa3fbcc59f30fed701e9c3529432bcc479fc18ffe575310601d8e4576

Threat Level: Known bad

The file RUNCECE.exe was found to be: Known bad.

Malicious Activity Summary

pyinstaller pysilon upx persistence

Pysilon family

Detect Pysilon

Enumerates VirtualBox DLL files

Loads dropped DLL

Executes dropped EXE

UPX packed file

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Enumerates physical storage devices

Unsigned PE

Detects Pyinstaller

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Kills process with taskkill

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-02 19:43

Signatures

Detect Pysilon

Description Indicator Process Target
N/A N/A N/A N/A

Pysilon family

pysilon

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral6

Detonation Overview

Submitted

2023-12-02 19:43

Reported

2023-12-02 20:14

Platform

win10v2004-20231127-en

Max time kernel

1342s

Max time network

1132s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\get_cookies.pyc

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\get_cookies.pyc

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 198.1.85.104.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 218.240.110.104.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 7.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2023-12-02 19:43

Reported

2023-12-02 20:14

Platform

win7-20231023-en

Max time kernel

1799s

Max time network

1563s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\misc.pyc

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\pyc_auto_file C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\.pyc C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\.pyc\ = "pyc_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\pyc_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\pyc_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\pyc_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\pyc_auto_file\ C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\misc.pyc

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\misc.pyc

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\misc.pyc"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 cab30b32f34d90163d95c684b6cc6a35
SHA1 1093cae73298e6646f88eb70ecc8dda8b0d58ccd
SHA256 2d6f46bf884b1d755e1b7f9527235c51a0829348bd122d3658cc3cf123b020bb
SHA512 562fec7b85f325d1358c12d6554301e07ce2b5b5743b9440e035029889e0f46ffd05b66b4421423d93537251fd33941772479d51166b4e2d2d6b38cd66093700

Analysis: behavioral8

Detonation Overview

Submitted

2023-12-02 19:43

Reported

2023-12-02 20:14

Platform

win10v2004-20231130-en

Max time kernel

1780s

Max time network

1734s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\misc.pyc

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3936660601-1848837011-2142350499-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3936660601-1848837011-2142350499-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\misc.pyc

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2023-12-02 19:43

Reported

2023-12-02 20:14

Platform

win7-20231201-en

Max time kernel

1560s

Max time network

1562s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\passwords_grabber.pyc

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1514849007-2165033493-4114354048-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1514849007-2165033493-4114354048-1000_CLASSES\pyc_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1514849007-2165033493-4114354048-1000_CLASSES\pyc_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1514849007-2165033493-4114354048-1000_CLASSES\pyc_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1514849007-2165033493-4114354048-1000_CLASSES\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1514849007-2165033493-4114354048-1000_CLASSES\pyc_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1514849007-2165033493-4114354048-1000_CLASSES\pyc_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1514849007-2165033493-4114354048-1000_CLASSES\.pyc C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1514849007-2165033493-4114354048-1000_CLASSES\.pyc\ = "pyc_auto_file" C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\passwords_grabber.pyc

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\passwords_grabber.pyc

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\passwords_grabber.pyc"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 32ceb3d8a2d649dbec137c30fda08d4a
SHA1 fe4e90a1ac964e6e1506ca6892de72aeee5b2eb1
SHA256 35682eb79a67868a4807a1b7f5d35cb2bed6997b477db165715c9d9aaee8b1e5
SHA512 f9cb4da7b18bac1af0c0239141a54bd89d438bd82c2fc27119f87eb8e7ce0b6b4fc4320dfb2934fc0509ed1d664647fef894da40198afda9874cbf20f3cf7e1b

Analysis: behavioral10

Detonation Overview

Submitted

2023-12-02 19:43

Reported

2023-12-02 20:14

Platform

win10v2004-20231130-en

Max time kernel

1747s

Max time network

1756s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\passwords_grabber.pyc

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\passwords_grabber.pyc

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2023-12-02 19:43

Reported

2023-12-02 20:14

Platform

win7-20231020-en

Max time kernel

1563s

Max time network

1566s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\get_cookies.pyc

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000_CLASSES\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000_CLASSES\pyc_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000_CLASSES\pyc_auto_file\ C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000_CLASSES\.pyc\ = "pyc_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000_CLASSES\pyc_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000_CLASSES\pyc_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000_CLASSES\.pyc C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000_CLASSES\pyc_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\get_cookies.pyc

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\get_cookies.pyc

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\get_cookies.pyc"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 1c8773df6b2ffc567255cb3ed82ae622
SHA1 ca4cd4ecc04aac2a2976ad0d2413d7a2f0e4b11e
SHA256 3848da2bb6aa7ea29edbab2a434d9e4e4d98c4858f5e53ce6b6448192c74d47e
SHA512 81ca82a2927e12631bbb26ab0abcdc7060f7ef15c5485a5a0dce4f55fb09742e4d96dafe033b5a2680daa99d71c7f4975a3009aaaf31bee5211a3d14aaa465d2

Analysis: behavioral11

Detonation Overview

Submitted

2023-12-02 19:43

Reported

2023-12-02 20:14

Platform

win7-20231129-en

Max time kernel

1799s

Max time network

1563s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\source_prepared.pyc

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\pyc_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\pyc_auto_file\ C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\.pyc\ = "pyc_auto_file" C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\.pyc C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\pyc_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\pyc_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\pyc_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\source_prepared.pyc

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\source_prepared.pyc

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\source_prepared.pyc"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 b5d8f3b9307dc81c08833c5f98c0e0c9
SHA1 2cf3c90a5c24af5086d53d22f972d27f7961b8fb
SHA256 9de492bd559c12b874a399e1cf1fff071ee34d677016a81fc82dadfa87591184
SHA512 e4bd92fd2eb81f7fb8d49d730278b8a712bd4dd2173484c82be963f5635c8f4937ed32dc0f187952b1dc9f21e567fe91a639c511b0bc276b69452f0a42110f43

Analysis: behavioral12

Detonation Overview

Submitted

2023-12-02 19:43

Reported

2023-12-02 20:14

Platform

win10v2004-20231201-en

Max time kernel

1780s

Max time network

1781s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\source_prepared.pyc

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2192493100-457715857-1189582111-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2192493100-457715857-1189582111-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\source_prepared.pyc

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-02 19:43

Reported

2023-12-02 20:14

Platform

win7-20231020-en

Max time kernel

1566s

Max time network

1571s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RUNCECE.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RUNCECE.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\RUNCECE.exe

"C:\Users\Admin\AppData\Local\Temp\RUNCECE.exe"

C:\Users\Admin\AppData\Local\Temp\RUNCECE.exe

"C:\Users\Admin\AppData\Local\Temp\RUNCECE.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\_MEI28802\python311.dll

MD5 5f6fd64ec2d7d73ae49c34dd12cedb23
SHA1 c6e0385a868f3153a6e8879527749db52dce4125
SHA256 ff9f102264d1944fbfae2ba70e7a71435f51a3e8c677fd970b621c4c9ea71967
SHA512 c4be2d042c6e4d22e46eacfd550f61b8f55814bfe41d216a4df48382247df70bc63151068513855aa78f9b3d2f10ba6a824312948324c92de6dd0f6af414e8ab

\Users\Admin\AppData\Local\Temp\_MEI28802\python311.dll

MD5 5f6fd64ec2d7d73ae49c34dd12cedb23
SHA1 c6e0385a868f3153a6e8879527749db52dce4125
SHA256 ff9f102264d1944fbfae2ba70e7a71435f51a3e8c677fd970b621c4c9ea71967
SHA512 c4be2d042c6e4d22e46eacfd550f61b8f55814bfe41d216a4df48382247df70bc63151068513855aa78f9b3d2f10ba6a824312948324c92de6dd0f6af414e8ab

memory/2660-149-0x000007FEF5B10000-0x000007FEF60F9000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-02 19:43

Reported

2023-12-02 20:14

Platform

win10v2004-20231130-en

Max time kernel

1741s

Max time network

1640s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RUNCECE.exe"

Signatures

Enumerates VirtualBox DLL files

Description Indicator Process Target
File opened (read-only) C:\windows\system32\vboxmrxnp.dll C:\Users\Admin\Runtime Broker\Runtime Broker.exe N/A
File opened (read-only) C:\windows\system32\vboxhook.dll C:\Users\Admin\AppData\Local\Temp\RUNCECE.exe N/A
File opened (read-only) C:\windows\system32\vboxmrxnp.dll C:\Users\Admin\AppData\Local\Temp\RUNCECE.exe N/A
File opened (read-only) C:\windows\system32\vboxhook.dll C:\Users\Admin\Runtime Broker\Runtime Broker.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Runtime Broker\Runtime Broker.exe N/A
N/A N/A C:\Users\Admin\Runtime Broker\Runtime Broker.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RUNCECE.exe N/A (64 identical rows)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (64 identical rows)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Runtime Broker = "C:\\Users\\Admin\\Runtime Broker\\Runtime Broker.exe" C:\Users\Admin\AppData\Local\Temp\RUNCECE.exe N/A

Legitimate hosting services abused for malware hosting/C2

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RUNCECE.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Runtime Broker\Runtime Broker.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4732 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Local\Temp\RUNCECE.exe C:\Users\Admin\AppData\Local\Temp\RUNCECE.exe
PID 4732 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Local\Temp\RUNCECE.exe C:\Users\Admin\AppData\Local\Temp\RUNCECE.exe
PID 3588 wrote to memory of 4960 N/A C:\Users\Admin\AppData\Local\Temp\RUNCECE.exe C:\Windows\system32\cmd.exe
PID 3588 wrote to memory of 4960 N/A C:\Users\Admin\AppData\Local\Temp\RUNCECE.exe C:\Windows\system32\cmd.exe
PID 3588 wrote to memory of 3784 N/A C:\Users\Admin\AppData\Local\Temp\RUNCECE.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3588 wrote to memory of 3784 N/A C:\Users\Admin\AppData\Local\Temp\RUNCECE.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3588 wrote to memory of 5028 N/A C:\Users\Admin\AppData\Local\Temp\RUNCECE.exe C:\Windows\system32\cmd.exe
PID 3588 wrote to memory of 5028 N/A C:\Users\Admin\AppData\Local\Temp\RUNCECE.exe C:\Windows\system32\cmd.exe
PID 5028 wrote to memory of 4824 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\Runtime Broker\Runtime Broker.exe
PID 5028 wrote to memory of 4824 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\Runtime Broker\Runtime Broker.exe
PID 5028 wrote to memory of 2540 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 5028 wrote to memory of 2540 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4824 wrote to memory of 3924 N/A C:\Users\Admin\Runtime Broker\Runtime Broker.exe C:\Users\Admin\Runtime Broker\Runtime Broker.exe
PID 4824 wrote to memory of 3924 N/A C:\Users\Admin\Runtime Broker\Runtime Broker.exe C:\Users\Admin\Runtime Broker\Runtime Broker.exe
PID 3924 wrote to memory of 4180 N/A C:\Users\Admin\Runtime Broker\Runtime Broker.exe C:\Windows\system32\cmd.exe
PID 3924 wrote to memory of 4180 N/A C:\Users\Admin\Runtime Broker\Runtime Broker.exe C:\Windows\system32\cmd.exe
PID 3924 wrote to memory of 4368 N/A C:\Users\Admin\Runtime Broker\Runtime Broker.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3924 wrote to memory of 4368 N/A C:\Users\Admin\Runtime Broker\Runtime Broker.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\RUNCECE.exe

"C:\Users\Admin\AppData\Local\Temp\RUNCECE.exe"

C:\Users\Admin\AppData\Local\Temp\RUNCECE.exe

"C:\Users\Admin\AppData\Local\Temp\RUNCECE.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "ver"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Add-MpPreference -ExclusionPath \"C:\Users\Admin\Runtime Broker\""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Runtime Broker\activate.bat""

C:\Users\Admin\Runtime Broker\Runtime Broker.exe

"Runtime Broker.exe"

C:\Windows\system32\taskkill.exe

taskkill /f /im "RUNCECE.exe"

C:\Users\Admin\Runtime Broker\Runtime Broker.exe

"Runtime Broker.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "ver"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Add-MpPreference -ExclusionPath \"C:\Users\Admin\Runtime Broker\""

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 discord.com udp
N/A 127.0.0.1:55131 tcp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI47322\python311.dll

MD5 5f6fd64ec2d7d73ae49c34dd12cedb23
SHA1 c6e0385a868f3153a6e8879527749db52dce4125
SHA256 ff9f102264d1944fbfae2ba70e7a71435f51a3e8c677fd970b621c4c9ea71967
SHA512 c4be2d042c6e4d22e46eacfd550f61b8f55814bfe41d216a4df48382247df70bc63151068513855aa78f9b3d2f10ba6a824312948324c92de6dd0f6af414e8ab

C:\Users\Admin\AppData\Local\Temp\_MEI47322\VCRUNTIME140.dll

MD5 49c96cecda5c6c660a107d378fdfc3d4
SHA1 00149b7a66723e3f0310f139489fe172f818ca8e
SHA256 69320f278d90efaaeb67e2a1b55e5b0543883125834c812c8d9c39676e0494fc
SHA512 e09e072f3095379b0c921d41d6e64f4f1cd78400594a2317cfb5e5dca03dedb5a8239ed89905c9e967d1acb376b0585a35addf6648422c7ddb472ce38b1ba60d

memory/3588-151-0x00007FFCE5DC0000-0x00007FFCE63A9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI47322\base_library.zip

MD5 32ede00817b1d74ce945dcd1e8505ad0
SHA1 51b5390db339feeed89bffca925896aff49c63fb
SHA256 4a73d461851b484d213684f0aadf59d537cba6fe7e75497e609d54c9f2ba5d4a
SHA512 a0e070b2ee1347e85f37e9fd589bc8484f206fa9c8f4020de147b815d2041293551e3a14a09a6eb4050cfa1f74843525377e1a99bbdcfb867b61ebddb89f21f7

C:\Users\Admin\AppData\Local\Temp\_MEI47322\_ctypes.pyd

MD5 00f75daaa7f8a897f2a330e00fad78ac
SHA1 44aec43e5f8f1282989b14c4e3bd238c45d6e334
SHA256 9ffadcb2c40ae6b67ab611acc09e050bbe544672cf05e8402a7aa3936326de1f
SHA512 f222f0ebf16a5c6d16aa2fba933034e692e26e81fea4d8b008259aff4102fe8acf3807f3b016c24002daa15bb8778d7fef20f4ae1206d5a6e226f7336d4da5d4

C:\Users\Admin\AppData\Local\Temp\_MEI47322\python3.DLL

MD5 0e105f62fdd1ff4157560fe38512220b
SHA1 99bd69a94b3dc99fe2c0f7bbbcd05aa0bc8cd45c
SHA256 803ba8242b409080df166320c05a4402aab6dd30e31c4389871f4b68ca1ad423
SHA512 59c0f749ed9c59efdbcd04265b4985b1175fdd825e5a307745531ed2537397e739bc9290fdc3936cfd04f566e28bb76b878f124248b8344cf74f641c6b1101de

C:\Users\Admin\AppData\Local\Temp\_MEI47322\python3.dll

MD5 0e105f62fdd1ff4157560fe38512220b
SHA1 99bd69a94b3dc99fe2c0f7bbbcd05aa0bc8cd45c
SHA256 803ba8242b409080df166320c05a4402aab6dd30e31c4389871f4b68ca1ad423
SHA512 59c0f749ed9c59efdbcd04265b4985b1175fdd825e5a307745531ed2537397e739bc9290fdc3936cfd04f566e28bb76b878f124248b8344cf74f641c6b1101de

C:\Users\Admin\AppData\Local\Temp\_MEI47322\libffi-8.dll

MD5 08b000c3d990bc018fcb91a1e175e06e
SHA1 bd0ce09bb3414d11c91316113c2becfff0862d0d
SHA256 135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece
SHA512 8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

C:\Users\Admin\AppData\Local\Temp\_MEI47322\_bz2.pyd

MD5 c413931b63def8c71374d7826fbf3ab4
SHA1 8b93087be080734db3399dc415cc5c875de857e2
SHA256 17bfa656cabf7ef75741003497a1c315b10237805ff171d44625a04c16532293
SHA512 7dc45e7e5ed35cc182de11a1b08c066918920a6879ff8e37b6bfbdd7d40bffa39ea4aca778aa8afb99c81a365c51187db046bceb938ce9ace0596f1cf746474f

C:\Users\Admin\AppData\Local\Temp\_MEI47322\_lzma.pyd

MD5 542eab18252d569c8abef7c58d303547
SHA1 05eff580466553f4687ae43acba8db3757c08151
SHA256 d2a7111feeaacac8b3a71727482565c46141cc7a5a3d837d8349166bea5054c9
SHA512 b7897b82f1aa9d5aa895c3de810dab1aa335fdf7223e4ff29b32340ad350d9be6b145f95a71c7bc7c88c8df77c3f04853ae4d6f0d5a289721fc1468ecba3f958

memory/3588-163-0x00007FFCF8C10000-0x00007FFCF8C33000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI47322\_hashlib.pyd

MD5 b227bf5d9fec25e2b36d416ccd943ca3
SHA1 4fae06f24a1b61e6594747ec934cbf06e7ec3773
SHA256 d42c3550e58b9aa34d58f709dc65dc4ee6eea83b651740822e10b0aa051df1d7
SHA512 c6d7c5a966c229c4c7042ef60015e3333dab86f83c230c97b8b1042231fdb2a581285a5a08c33ad0864c6bd82f5a3298964ab317736af8a43e7caa7669298c3e

C:\Users\Admin\AppData\Local\Temp\_MEI47322\libcrypto-3.dll

MD5 78ebd9cb6709d939e4e0f2a6bbb80da9
SHA1 ea5d7307e781bc1fa0a2d098472e6ea639d87b73
SHA256 6a8c458e3d96f8dd3bf6d3cacc035e38edf7f127eee5563b51f8c8790ced0b3e
SHA512 b752769b3de4b78905b0326b5270091642ac89ff204e9e4d78670791a1fa211a54d777aeef59776c21f854c263add163adaef6a81b166190518cfaaf4e2e4122

C:\Users\Admin\AppData\Local\Temp\_MEI47322\_uuid.pyd

MD5 4faa479423c54d5be2a103b46ecb4d04
SHA1 011f6cdbd3badaa5c969595985a9ad18547dd7ec
SHA256 c2ad3c1b4333bc388b6a22049c89008505c434b1b85bff0823b19ef0cf48065a
SHA512 92d35824c30667af606bba883bf6e275f2a8b5cbfea2e84a77e256d122b91b3ee7e84d9f4e2a4946e903a11293af9648a45e8cfbe247cbdc3bcdea92eb5349c6

C:\Users\Admin\AppData\Local\Temp\_MEI47322\_ssl.pyd

MD5 f9cc7385b4617df1ddf030f594f37323
SHA1 ebceec12e43bee669f586919a928a1fd93e23a97
SHA256 b093aa2e84a30790abeee82cf32a7c2209978d862451f1e0b0786c4d22833cb6
SHA512 3f362c8a7542212d455f1f187e24f63c6190e564ade0f24561e7e20375a1f15eb36bd8dce9fdaafdab1d6b348a1c6f7cddb9016e4f3535b49136550bc23454fb

memory/3588-187-0x00007FFCF8C00000-0x00007FFCF8C0F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI47322\_sqlite3.pyd

MD5 1a8fdc36f7138edcc84ee506c5ec9b92
SHA1 e5e2da357fe50a0927300e05c26a75267429db28
SHA256 8e4b9da9c95915e864c89856e2d7671cd888028578a623e761aeac2feca04882
SHA512 462a8f995afc4cf0e041515f0f68600dfd0b0b1402be7945d60e2157ffd4e476cf2ae9cdc8df9595f0fe876994182e3e43773785f79b20c6df08c8a8c47fffa0

memory/3588-188-0x00007FFCF8BE0000-0x00007FFCF8BF9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI47322\_socket.pyd

MD5 1a34253aa7c77f9534561dc66ac5cf49
SHA1 fcd5e952f8038a16da6c3092183188d997e32fb9
SHA256 dc03d32f681634e682b02e9a60fdfce420db9f26754aefb9a58654a064dc0f9f
SHA512 ff9eeb4ede4b4dd75c67fab30d0dec462b8af9ca6adc1dcae58f0d169c55a98d85bb610b157f17077b8854ec15af4dfab2f0d47fa9bc463e5b2449979a50293a

C:\Users\Admin\AppData\Local\Temp\_MEI47322\select.pyd

MD5 45d5a749e3cd3c2de26a855b582373f6
SHA1 90bb8ac4495f239c07ec2090b935628a320b31fc
SHA256 2d15c2f311528440aa29934920fb0b015eaf8cbe3b3c9ad08a282a2d6ba68876
SHA512 c7a641d475a26712652a84b8423155ca347e0ec0155bd257c200225a64752453e4763b8885d8fb043b30e92ae023a501fff04777ba5cfe54da9a68071f25fbea

C:\Users\Admin\AppData\Local\Temp\_MEI47322\libssl-3.dll

MD5 bf4a722ae2eae985bacc9d2117d90a6f
SHA1 3e29de32176d695d49c6b227ffd19b54abb521ef
SHA256 827fdb184fdcde9223d09274be780fe4fe8518c15c8fc217748ad5fd5ea0f147
SHA512 dd83b95967582152c7b5581121e6b69a07073e7a76fe87975742bb0fd7ecef7494ec940dba914364034cc4e3f623be98cc887677b65c208f14a2a9fc7497ca73

memory/3588-193-0x00007FFCF8B50000-0x00007FFCF8B64000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI47322\charset_normalizer\md__mypyc.cp311-win_amd64.pyd

MD5 1c52efd6568c7d95b83b885632ec7798
SHA1 cae9e800292cb7f328105495dd53fc20749741f8
SHA256 2b2cad68bec8979fd577d692013a7981fdbc80a5a6e8f517c2467fdcee5d8939
SHA512 35e619f996e823f59455b531f1872d7658b299c41e14d91cd13dcef20072971a437884fde4424fd9a10b67a39ea40f48df416ed8b0633aea00022b31709541f2

C:\Users\Admin\AppData\Local\Temp\_MEI47322\charset_normalizer\md.cp311-win_amd64.pyd

MD5 32062fd1796553acac7aa3d62ce4c4a5
SHA1 0c5e7deb9c11eeaf4799f1a677880fbaf930079c
SHA256 4910c386c02ae6b2848d5728e7376c5881c56962d29067005e1e2ad518bc07ae
SHA512 18c3b894af9102df8ed15f78e1d3a51db1f07465d814380a0220f0c0571b52292b065aed819004f13aeb343f677ac5bfd5a5a35d6f74e48381228724241f7758

C:\Users\Admin\AppData\Local\Temp\_MEI47322\unicodedata.pyd

MD5 8c42fcc013a1820f82667188e77be22d
SHA1 fba7e4e0f86619aaf2868cedd72149e56a5a87d4
SHA256 0e00b0e896457ecdc6ef85a8989888ccfbf05ebd8d8a1c493946a2f224b880c2
SHA512 3a028443747d04d05fdd3982bb18c52d1afee2915a90275264bf5db201bd4612090914c7568f870f0af7dfee850c554b3fec9d387334d53d03da6426601942b4

memory/3588-197-0x00007FFCF8B10000-0x00007FFCF8B1D000-memory.dmp

memory/3588-202-0x00007FFCF8AD0000-0x00007FFCF8B03000-memory.dmp

memory/3588-206-0x00007FFCF7050000-0x00007FFCF7076000-memory.dmp

memory/3588-218-0x00007FFCF59A0000-0x00007FFCF59AC000-memory.dmp

memory/3588-224-0x00007FFCF5980000-0x00007FFCF598C000-memory.dmp

memory/3588-226-0x00007FFCF5500000-0x00007FFCF550C000-memory.dmp

memory/3588-223-0x00007FFCF5990000-0x00007FFCF599B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI47322\Crypto\Hash\_SHA1.pyd

MD5 cd25891df326ee9d7e0895ebd0b68f5e
SHA1 e99f1b6fb140273168fdaa0f895a227f3d0f23f9
SHA256 5a0d0f2aa16046f2f72e773ff9b2aecf5ecac3941f790dec73d38ce470a9c565
SHA512 e259f24c441a2f0006768a5de3241f52368bdecd4c84de39654d6c67cd72643e2ddaa3bd380bf3c21f9f0cd84bb6c108670aa16bfae2c3cb29d5e53354f399da

C:\Users\Admin\AppData\Local\Temp\_MEI47322\Crypto\Hash\_BLAKE2s.pyd

MD5 bebf6aa1041bb611dfdc4b0659f51231
SHA1 7915d6bc787b4849c541d58cb42e3317a1b675a5
SHA256 78d827f7821fffd37a23a14a400eaa880acf5665bfddcc5110c2f7880f0f755e
SHA512 5b3d4a0a10c47b0e8d71c974764d2abb2c0f9f7580493abed6f00c61945b4fc772cd447ca8003e55feb2ceb316d8daa8ee77a712f3105cdd236bdfb2271b4bbb

C:\Users\Admin\AppData\Local\Temp\_MEI47322\Crypto\Util\_strxor.pyd

MD5 b4df0b72cd56c56d1710c75f75b10ed5
SHA1 2a659620aa24a191297cf3c16dc2e40f179df32f
SHA256 c0c8b217ad1d48e327a6574169b064cde58f43cb7c1483dbfd79c1fc3b0d06d4
SHA512 2364dac62ff651f205f32dfa23cc6d59c92feac5ff31490d99f22401d4a0c8a3ef188967848b90750b8c228936622ee6e11995970f7fd31b158a39ca0a1133d8

C:\Users\Admin\AppData\Local\Temp\_MEI47322\Crypto\Cipher\_raw_ecb.pyd

MD5 7c57420aaf4db71c584b175f7937a6f6
SHA1 68ba922c9991c5e2c0ecefa0f474dda3cc02950d
SHA256 39f3408b235d286cf8ec33cb5f9bc194dd643ae7ce59b5d83fa17d79ccd37d57
SHA512 680e55ab64fd91a1d5612efb937bd6f28d644e048e7d00505945a0664ec0178b0667ccc78da626621d88e0bd4d0a2280b1aba43a984d76e103c4fb38281fb414

C:\Users\Admin\AppData\Local\Temp\_MEI47322\Crypto\Cipher\_raw_ctr.pyd

MD5 ed45b538dd662c1ab91b7914b0239f3c
SHA1 e36e96010ef7bfacabd1aebbaa7cf6208932df91
SHA256 6d1401d2d1903cfd4437f4bf2485c4e43b4355947ffdd7ed1e53c706e37c00cb
SHA512 45055f73a9795720ca9c54c4ded6c0c8461883b9fb03a7aa2198c01a1870255dbd5a4d254bf60a0b69612f47e59c53c195b42eb513650490e0c53613032bcd29

C:\Users\Admin\AppData\Local\Temp\_MEI47322\Crypto\Cipher\_raw_ofb.pyd

MD5 574e8f9b5edee613993691842f8743f8
SHA1 f86009b26acd822ec573bbb3ee88e3c84b8431b9
SHA256 cb4fd9faa143a998766530ebe62b6cb0ecbb6bdfc95fb765261754c457df2984
SHA512 5daa110157f694646e0dacbf6a546381023b478d2e52f9e18ca94195647305c30e6bafe42a9425f90aa30f04b193b11609766b3552fbe4a49005a66e8378556a

C:\Users\Admin\AppData\Local\Temp\_MEI47322\Crypto\Cipher\_raw_cfb.pyd

MD5 8e1f017bc6219dd2bd265d04d32eeb62
SHA1 11a7858d2af2eb3235db5d79b04ba8f04efbe1b2
SHA256 e1e0337dec5512859ff5e0d3df094ea74b730270672d723c4385dec12c3c8adb
SHA512 2de71f8e06b7b7ce9077bd6f9942b5a5dd6d9ddb5cbe6487ccb45fdd946857c4ef264124a5f7e04fcd1b20a658b386e40eef7aa3ecfedabb871671e98e02428d

memory/3588-210-0x00007FFCF59B0000-0x00007FFCF59E8000-memory.dmp

memory/3588-225-0x00007FFCF5540000-0x00007FFCF554C000-memory.dmp

memory/3588-227-0x00007FFCF8BB0000-0x00007FFCF8BDD000-memory.dmp

memory/3588-230-0x00007FFCF7080000-0x00007FFCF708B000-memory.dmp

memory/3588-231-0x00007FFCF1C10000-0x00007FFCF1D2C000-memory.dmp

memory/3588-229-0x00007FFCF7090000-0x00007FFCF709D000-memory.dmp

memory/3588-228-0x00007FFCF8B20000-0x00007FFCF8B39000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI47322\Crypto\Cipher\_raw_cbc.pyd

MD5 ae7420ab8355ca21afb592109aa12b9b
SHA1 ef54263672ab9fdc35ddd1ea013b0845ec709658
SHA256 f4704d6c4aba9bb2b57440645635154ca377ace3fbad63de26bae59dfd003935
SHA512 3b381949b523add43fef8ed8987985e70f666d3238057a0aadd79fba206d75d58c7b5ca8aee0ae059a2cf0df4cd80a95c221d3281974b3290e647a2f1469a458

memory/3588-204-0x00007FFCF5600000-0x00007FFCF56CD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI47322\_cffi_backend.cp311-win_amd64.pyd

MD5 1518035a65a45c274f1557ff5655e2d7
SHA1 2676d452113c68aa316cba9a03565ec146088c3f
SHA256 9ca400d84a52ae61c5613403ba379d69c271e8e9e9c3f253f93434c9336bc6e8
SHA512 b5932a2eadd2981a3bbc0918643a9936c9aaafc606d833d5ef2758061e05a3148826060ed52a2d121fabfd719ad9736b3402683640a4c4846b6aaaa457366b66

C:\Users\Admin\AppData\Local\Temp\_MEI47322\_queue.pyd

MD5 347d6a8c2d48003301032546c140c145
SHA1 1a3eb60ad4f3da882a3fd1e4248662f21bd34193
SHA256 e71803913b57c49f4ce3416ec15dc8a9e5c14f8675209624e76cd71b0319b192
SHA512 b1fdb46b80bb4a39513685781d563a7d55377e43e071901930a13c3e852d0042a5302cd238ddf6ea4d35ceee5a613c96996bffad2da3862673a0d27e60ff2c06

memory/3588-194-0x00007FFCF1D30000-0x00007FFCF2250000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI47322\_overlapped.pyd

MD5 ce4626159bf66ab04f0279bb2a9f4fad
SHA1 18d93c34132aee2bed9ad5928010d3f4f33bb477
SHA256 7b92710eaf825571d3f3b0443b7c5d0e7231df8f3cbb3ba69d90eedbc151edf0
SHA512 365ba4250eb58498c8c7f3398461c777f91e6ae9408213b373a0306d7c29b10515460160f15a37d6d311378e433cb4733d5107dfc0d4ecef5c5ed34da26bcd5b

C:\Users\Admin\AppData\Local\Temp\_MEI47322\_multiprocessing.pyd

MD5 e3e3f86cc4c41edbaa5d30769d743d09
SHA1 c8df3eaf3e30b6cfb9891a5fbd595a03f831cfc7
SHA256 0d8203dba58573e4bf1ff3c3e89c331085ce25df11f2860d8d59203dd8b3faf8
SHA512 eedff332f82e1635d4d1f091061389612476612daf4cd9c1dcdbcb76a4cde45c84879bfa6b3b505b6bb4ce6030102999d6830573095fa1dc637fbdb8b02e37a4

C:\Users\Admin\AppData\Local\Temp\_MEI47322\_decimal.pyd

MD5 e3fb8bf23d857b1eb860923ccc47baa5
SHA1 46e9d5f746c047e1b2fefaaf8d3ec0f2c56c42f0
SHA256 7da13df1f416d3ffd32843c895948e460af4dc02cf05c521909555061ed108e3
SHA512 7b0a1fc00c14575b8f415fadc2078bebd157830887dc5b0c4414c8edfaf9fc4a65f58e5cceced11252ade4e627bf17979db397f4f0def9a908efb2eb68cd645c

C:\Users\Admin\AppData\Local\Temp\_MEI47322\_asyncio.pyd

MD5 d776dbe9c3b432e7be82f61e491c598a
SHA1 f4b562ebdf18e60ae06d971cccc6108f3b2bc23d
SHA256 c3b2836defd08c6a5fac8bd375a7a7d4671d902af31011d60c463ac1100f3418
SHA512 c68070d2d33665ebb550df0eb4b512c86432fc79fec803bb4a6be8bc487a8b81fa5bdada6894c38944b7ac39603c965fda0e1b467edb1e2918c1bbf29faf0378

C:\Users\Admin\AppData\Local\Temp\_MEI47322\VCRUNTIME140_1.dll

MD5 cf0a1c4776ffe23ada5e570fc36e39fe
SHA1 2050fadecc11550ad9bde0b542bcf87e19d37f1a
SHA256 6fd366a691ed68430bcd0a3de3d8d19a0cb2102952bfc140bbef4354ed082c47
SHA512 d95cd98d22ca048d0fc5bca551c9db13d6fa705f6af120bbbb621cf2b30284bfdc7320d0a819bb26dab1e0a46253cc311a370bed4ef72ecb60c69791ed720168

C:\Users\Admin\AppData\Local\Temp\_MEI47322\sqlite3.dll

MD5 dbc64142944210671cca9d449dab62e6
SHA1 a2a2098b04b1205ba221244be43b88d90688334c
SHA256 6e6b6f7df961c119692f6c1810fbfb7d40219ea4e5b2a98c413424cf02dce16c
SHA512 3bff546482b87190bb2a499204ab691532aa6f4b4463ab5c462574fc3583f9fc023c1147d84d76663e47292c2ffc1ed1cb11bdb03190e13b6aa432a1cef85c4b

C:\Users\Admin\AppData\Local\Temp\_MEI47322\pyexpat.pyd

MD5 07c481d3ecdc06b1c5fd15c503490298
SHA1 656c79384d418de31b84c7b68b30a7e37251a475
SHA256 40672a3fc0931133fd74802ec34edc4a91fccf432d8fc1b63e693f64912f8284
SHA512 c7ed37aa552e72106d590206d77836f9e32f2285bc767e55579b17dd97d6e48a5201fb53fff4641a9a84c261343e8b00ec3899c16ccf50c707af858f4bf4e501

C:\Users\Admin\AppData\Local\Temp\_MEI47322\libopus-0.x64.dll

MD5 17bed62f3389d532d3dfc59071bbd214
SHA1 2b0894cc48dd3756f0ff6602bf8c1e24cb8b6642
SHA256 4fd26640721088ac31fdac941db6fa3c094ca17bd97d240992969aefae19ff91
SHA512 976c5e0dd50487eb5f88c195633805cccbf34566496065eaf8f3ecbbea0300653097bfbbf628dbb2c238a4d552460187794bcebcb8d41452a3f873f0244fc6a4

C:\Users\Admin\AppData\Local\Temp\_MEI47322\crypto_clipper.json

MD5 28ace1f269a7b6ddc508fe2ef995eb89
SHA1 fc25b159929682bff11e6d3b413acba80300418a
SHA256 8011959661b3c6efee432bdc16b358de1c371aaccdbec068c9e65004262f988e
SHA512 4c1172eead25d9c6037729ad372975d545153213dba99e7308308f1f1c6594bb1322b6c1332e44bd3677458160211046762a5dbf72564e4c7d36f7371177dcd2

memory/3588-232-0x00007FFCF7000000-0x00007FFCF700B000-memory.dmp

memory/3588-233-0x00007FFCF5AF0000-0x00007FFCF5AFB000-memory.dmp

memory/3588-239-0x00007FFCF54D0000-0x00007FFCF54DC000-memory.dmp

memory/3588-240-0x00007FFCF54C0000-0x00007FFCF54CC000-memory.dmp

memory/3588-238-0x00007FFCF54F0000-0x00007FFCF54FB000-memory.dmp

memory/3588-241-0x00007FFCF5490000-0x00007FFCF54A2000-memory.dmp

memory/3588-237-0x00007FFCF5510000-0x00007FFCF551C000-memory.dmp

memory/3588-236-0x00007FFCF5520000-0x00007FFCF552E000-memory.dmp

memory/3588-235-0x00007FFCF5530000-0x00007FFCF553D000-memory.dmp

memory/3588-234-0x00007FFCF5760000-0x00007FFCF576B000-memory.dmp

memory/3588-242-0x00007FFCF4BC0000-0x00007FFCF4BD2000-memory.dmp

memory/3588-243-0x00007FFCF4B80000-0x00007FFCF4B9B000-memory.dmp

memory/3588-245-0x00007FFCF54B0000-0x00007FFCF54BD000-memory.dmp

memory/3588-244-0x00007FFCF54E0000-0x00007FFCF54EB000-memory.dmp

memory/3588-246-0x00007FFCF4C00000-0x00007FFCF4C0C000-memory.dmp

memory/3588-247-0x00007FFCF4BE0000-0x00007FFCF4BF5000-memory.dmp

memory/3588-248-0x00007FFCF4BA0000-0x00007FFCF4BB4000-memory.dmp

memory/3588-249-0x00007FFCF1BB0000-0x00007FFCF1BC2000-memory.dmp

memory/3588-250-0x00007FFCF1B90000-0x00007FFCF1BA5000-memory.dmp

memory/3588-252-0x00007FFCF4B30000-0x00007FFCF4B3E000-memory.dmp

memory/3588-251-0x00007FFCF1AC0000-0x00007FFCF1AFF000-memory.dmp

memory/3588-253-0x00007FFCF1AA0000-0x00007FFCF1ABC000-memory.dmp

memory/3588-254-0x00007FFCF19E0000-0x00007FFCF1A0E000-memory.dmp

memory/3588-255-0x00007FFCF1A40000-0x00007FFCF1A9D000-memory.dmp

memory/3588-256-0x00007FFCF1A10000-0x00007FFCF1A39000-memory.dmp

memory/3588-257-0x00007FFCF19B0000-0x00007FFCF19D3000-memory.dmp

memory/3588-258-0x00007FFCE5C40000-0x00007FFCE5DB7000-memory.dmp

memory/3588-259-0x00007FFCEBBB0000-0x00007FFCEBBC8000-memory.dmp

memory/3588-261-0x00007FFCF1670000-0x00007FFCF167B000-memory.dmp

memory/3588-260-0x00007FFCF4910000-0x00007FFCF491B000-memory.dmp

memory/3588-262-0x00007FFCE5DC0000-0x00007FFCE63A9000-memory.dmp

memory/3588-263-0x00007FFCEBB90000-0x00007FFCEBB9C000-memory.dmp

memory/3588-265-0x00007FFCEBB70000-0x00007FFCEBB7C000-memory.dmp

memory/3588-264-0x00007FFCEBB80000-0x00007FFCEBB8B000-memory.dmp

memory/3588-266-0x00007FFCEBB60000-0x00007FFCEBB6D000-memory.dmp

memory/3588-267-0x00007FFCE6670000-0x00007FFCE667C000-memory.dmp

memory/3588-268-0x00007FFCE6650000-0x00007FFCE665B000-memory.dmp

memory/3588-269-0x00007FFCE6640000-0x00007FFCE664B000-memory.dmp

memory/3588-270-0x00007FFCE6630000-0x00007FFCE663C000-memory.dmp

memory/3588-273-0x00007FFCE5C30000-0x00007FFCE5C3C000-memory.dmp

memory/3588-274-0x00007FFCF8C10000-0x00007FFCF8C33000-memory.dmp

memory/3588-272-0x00007FFCE65F0000-0x00007FFCE6602000-memory.dmp

memory/3588-271-0x00007FFCE6610000-0x00007FFCE661D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ia3fkic0.xcl.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3588-310-0x00007FFCE5DC0000-0x00007FFCE63A9000-memory.dmp

memory/3588-312-0x00007FFCF8C00000-0x00007FFCF8C0F000-memory.dmp

memory/3588-313-0x00007FFCF8BE0000-0x00007FFCF8BF9000-memory.dmp

memory/3588-311-0x00007FFCF8C10000-0x00007FFCF8C33000-memory.dmp

memory/3588-314-0x00007FFCF8BB0000-0x00007FFCF8BDD000-memory.dmp

memory/3588-315-0x00007FFCF8B50000-0x00007FFCF8B64000-memory.dmp

memory/3588-317-0x00007FFCF1D30000-0x00007FFCF2250000-memory.dmp

memory/3588-331-0x00007FFCF8B10000-0x00007FFCF8B1D000-memory.dmp

memory/3588-361-0x00007FFCF8AD0000-0x00007FFCF8B03000-memory.dmp

memory/3588-318-0x00007FFCF8B20000-0x00007FFCF8B39000-memory.dmp

memory/3588-370-0x00007FFCF5600000-0x00007FFCF56CD000-memory.dmp

memory/3588-408-0x00007FFCF7090000-0x00007FFCF709D000-memory.dmp

memory/3588-429-0x00007FFCF7080000-0x00007FFCF708B000-memory.dmp

memory/3588-430-0x00007FFCF7050000-0x00007FFCF7076000-memory.dmp

memory/3588-432-0x00007FFCF1C10000-0x00007FFCF1D2C000-memory.dmp

memory/3588-461-0x00007FFCF4BE0000-0x00007FFCF4BF5000-memory.dmp

memory/3588-443-0x00007FFCF59B0000-0x00007FFCF59E8000-memory.dmp

memory/3588-472-0x00007FFCF4BC0000-0x00007FFCF4BD2000-memory.dmp

memory/3588-476-0x00007FFCF4BA0000-0x00007FFCF4BB4000-memory.dmp

memory/3588-477-0x00007FFCF4B80000-0x00007FFCF4B9B000-memory.dmp

memory/3588-478-0x00007FFCF1BB0000-0x00007FFCF1BC2000-memory.dmp

memory/3588-479-0x00007FFCF1B90000-0x00007FFCF1BA5000-memory.dmp

memory/3588-481-0x00007FFCF4B30000-0x00007FFCF4B3E000-memory.dmp

memory/3588-480-0x00007FFCF1AC0000-0x00007FFCF1AFF000-memory.dmp

memory/3588-484-0x00007FFCF1AA0000-0x00007FFCF1ABC000-memory.dmp

memory/3588-487-0x00007FFCF1A10000-0x00007FFCF1A39000-memory.dmp

memory/3588-485-0x00007FFCF1A40000-0x00007FFCF1A9D000-memory.dmp

memory/3588-493-0x00007FFCE5C40000-0x00007FFCE5DB7000-memory.dmp

memory/3588-495-0x00007FFCEBBB0000-0x00007FFCEBBC8000-memory.dmp

memory/3588-497-0x00007FFCE5BF0000-0x00007FFCE5C26000-memory.dmp

memory/3588-499-0x00007FFCE5B30000-0x00007FFCE5BEC000-memory.dmp

memory/3588-501-0x00007FFCE5B00000-0x00007FFCE5B2B000-memory.dmp

memory/3588-503-0x00007FFCE5870000-0x00007FFCE5AF3000-memory.dmp

memory/3924-591-0x00007FFCE5280000-0x00007FFCE5869000-memory.dmp

memory/3924-592-0x00007FFCF54C0000-0x00007FFCF54E3000-memory.dmp

memory/3924-597-0x00007FFCE4D60000-0x00007FFCE5280000-memory.dmp

memory/3924-600-0x00007FFCE6630000-0x00007FFCE6663000-memory.dmp

memory/3924-601-0x00007FFCE4C90000-0x00007FFCE4D5D000-memory.dmp

memory/3924-602-0x00007FFCF5760000-0x00007FFCF576D000-memory.dmp
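
The Files listing above mixes the PyInstaller runtime (python311.dll, VCRUNTIME140.dll, the stdlib .pyd modules) with the sample's own payload, and the sandbox records the same dropped file or the same dumped address range more than once. The script below is an added example, not part of the sandbox report: it parses the plain-text layout used on this page, collapses the repeats, and flags anything a stock PyInstaller-bundled CPython 3.11 would not unpack into _MEIxxxxx. The allowlist and the ABI-tag / package-directory heuristic are assumptions made for this example, and the input is a constructed excerpt of the entries above with the SHA1/SHA512 lines trimmed.

```python
import re
from collections import namedtuple

# Line shapes used in the Files listing above; SHA1/SHA512 lines are accepted but optional.
PATH_RE = re.compile(r"^[A-Za-z]:\\.+$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
MEM_RE = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
MEI_RE = re.compile(r"_MEI\d+\\(.+)$")

# Assumed allowlist for this example: what a plain PyInstaller one-file bundle of
# CPython 3.11 unpacks into _MEIxxxxx on Windows. Narrow on purpose; tune it per build.
STOCK_RUNTIME = {"python311.dll", "python3.dll", "base_library.zip", "VCRUNTIME140.dll",
                 "VCRUNTIME140_1.dll", "libffi-8.dll", "libcrypto-3.dll", "libssl-3.dll",
                 "sqlite3.dll", "select.pyd", "unicodedata.pyd", "pyexpat.pyd"}

Dropped = namedtuple("Dropped", "path md5 sha256")
Region = namedtuple("Region", "pid start end")   # absolute addresses from the dump name

def rel_path(item):
    """Path relative to the _MEIxxxxx extraction directory."""
    m = MEI_RE.search(item.path)
    return m.group(1) if m else item.path

def parse_report(text):
    """Parse the listing; repeated file entries and repeated dump ranges collapse to one."""
    files, regions, path, hashes = [], [], None, {}

    def flush():
        nonlocal path, hashes
        if path and "MD5" in hashes and "SHA256" in hashes:
            item = Dropped(path, hashes["MD5"], hashes["SHA256"])
            if item not in files:
                files.append(item)
        path, hashes = None, {}

    for line in (raw.strip() for raw in text.splitlines()):
        if m := MEM_RE.match(line):
            flush()
            region = Region(int(m.group(1)), int(m.group(2), 16), int(m.group(3), 16))
            if region not in regions:
                regions.append(region)
        elif m := HASH_RE.match(line):
            hashes[m.group(1)] = m.group(2).lower()
        elif PATH_RE.match(line):
            flush()
            path = line
    flush()
    return files, regions

def is_stock_runtime(item):
    """Heuristic: CPython's own extension modules sit flat in _MEI under plain names
    (_ssl.pyd); third-party wheels carry an ABI tag (cp311-win_amd64) or live in a
    package directory (Crypto\\, charset_normalizer\\). Payload and config files fail both."""
    rel = rel_path(item)
    if "\\" in rel or "cp311-win_amd64" in rel:
        return False
    return rel in STOCK_RUNTIME or (rel.startswith("_") and rel.endswith(".pyd"))

def triage(text):
    """Relative names outside the stock runtime, in first-seen order, for a closer look."""
    files, _ = parse_report(text)
    return [rel_path(f) for f in files if not is_stock_runtime(f)]

# Constructed excerpt of the listing above (SHA1/SHA512 lines trimmed). The second
# VCRUNTIME140.dll entry and the second dump of the E5DC0000 range are the repeats
# the parser is expected to collapse.
SAMPLE = r"""
C:\Users\Admin\AppData\Local\Temp\_MEI47322\VCRUNTIME140.dll
MD5 49c96cecda5c6c660a107d378fdfc3d4
SHA256 69320f278d90efaaeb67e2a1b55e5b0543883125834c812c8d9c39676e0494fc
memory/3588-151-0x00007FFCE5DC0000-0x00007FFCE63A9000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI47322\VCRUNTIME140.dll
MD5 49c96cecda5c6c660a107d378fdfc3d4
SHA256 69320f278d90efaaeb67e2a1b55e5b0543883125834c812c8d9c39676e0494fc
C:\Users\Admin\AppData\Local\Temp\_MEI47322\_ssl.pyd
MD5 f9cc7385b4617df1ddf030f594f37323
SHA256 b093aa2e84a30790abeee82cf32a7c2209978d862451f1e0b0786c4d22833cb6
C:\Users\Admin\AppData\Local\Temp\_MEI47322\Crypto\Cipher\_raw_cbc.pyd
MD5 ae7420ab8355ca21afb592109aa12b9b
SHA256 f4704d6c4aba9bb2b57440645635154ca377ace3fbad63de26bae59dfd003935
C:\Users\Admin\AppData\Local\Temp\_MEI47322\_cffi_backend.cp311-win_amd64.pyd
MD5 1518035a65a45c274f1557ff5655e2d7
SHA256 9ca400d84a52ae61c5613403ba379d69c271e8e9e9c3f253f93434c9336bc6e8
C:\Users\Admin\AppData\Local\Temp\_MEI47322\libopus-0.x64.dll
MD5 17bed62f3389d532d3dfc59071bbd214
SHA256 4fd26640721088ac31fdac941db6fa3c094ca17bd97d240992969aefae19ff91
C:\Users\Admin\AppData\Local\Temp\_MEI47322\crypto_clipper.json
MD5 28ace1f269a7b6ddc508fe2ef995eb89
SHA256 8011959661b3c6efee432bdc16b358de1c371aaccdbec068c9e65004262f988e
memory/3588-262-0x00007FFCE5DC0000-0x00007FFCE63A9000-memory.dmp
memory/3588-163-0x00007FFCF8C10000-0x00007FFCF8C33000-memory.dmp
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
    for r in parse_report(SAMPLE)[1]:
        print(f"pid {r.pid} 0x{r.start:016X}-0x{r.end:016X} {r.end - r.start} bytes")
```

Run over the full listing, the allowlist leaves the runtime noise behind and surfaces the pieces worth pulling from the _MEI47322 directory for further analysis: crypto_clipper.json, libopus-0.x64.dll, the modules under Crypto\ (pycryptodome's import name), charset_normalizer\ and _cffi_backend. The collapsed dump ranges also make the repeated 0x5E9000-byte mapping at 0x00007FFCE5DC0000 (dump indices 151, 262 and 310) stand out as one region captured three times rather than three separate regions.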

Analysis: behavioral3

Detonation Overview

Submitted

2023-12-02 19:43

Reported

2023-12-02 20:14

Platform

win7-20231025-en

Max time kernel

1561s

Max time network

1564s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\discord_token_grabber.pyc

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\pyc_auto_file C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\.pyc C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\pyc_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\pyc_auto_file\ C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\.pyc\ = "pyc_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\pyc_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\pyc_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\discord_token_grabber.pyc

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\discord_token_grabber.pyc

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\discord_token_grabber.pyc"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 cf63d7c4dd69526c761ac6829167334e
SHA1 566537c3b5ef0929c77f4f16766dd744b6ddf524
SHA256 0b899d1903a637805cbeea2b277ad1dd6b7812268e8dc2bda3ec2ed2d01650fa
SHA512 ff5c8f570eb4e718dbfc113d6cd02aaf4eddfcf9273e7e337b03a62db18a15cdb45e6fb75654776ff72fe004d447bb2cd1fa456637b6bb98d45d5a7614951a63

Analysis: behavioral4

Detonation Overview

Submitted

2023-12-02 19:43

Reported

2023-12-02 20:14

Platform

win10v2004-20231127-en

Max time kernel

1369s

Max time network

1157s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\discord_token_grabber.pyc

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\discord_token_grabber.pyc

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 152.78.101.95.in-addr.arpa udp
US 8.8.8.8:53 198.1.85.104.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 218.240.110.104.in-addr.arpa udp
US 8.8.8.8:53 1.208.79.178.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 193.78.101.95.in-addr.arpa udp
US 8.8.8.8:53 7.173.189.20.in-addr.arpa udp

Files

N/A
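
In behavioral3 and behavioral4 the harness handed discord_token_grabber.pyc to cmd /c. Neither image has a Python interpreter registered for .pyc, so the shell fell back to its Open With handling: the pyc_auto_file keys, the rundll32 shell32.dll,OpenAs_RunDLL call and the AcroRd32.exe / OpenWith.exe launches recorded above are the shell's file-association machinery, not behaviour of the sample, and the bytecode never ran (the only network activity is the batch of reverse lookups in behavioral4). The script below is an added example, not code from the report or from the PySilon project, showing the static first step taken instead: read the 16-byte PEP 552 header to learn which CPython release wrote the file, then unmarshal it under a matching interpreter and walk the code object to list the names and string constants it references without executing it. The magic table covers a handful of releases, and the .pyc it inspects is constructed here from a short snippet, not the dropped file.

```python
import importlib.util
import marshal
import struct

# Release magic values (low 16 bits of the header) for the CPython versions most
# often met in PyInstaller-bundled samples; anything else reports as unknown.
MAGIC_TO_VERSION = {3413: "3.8", 3425: "3.9", 3439: "3.10", 3495: "3.11",
                    3531: "3.12", 3571: "3.13"}

def parse_pyc_header(data):
    """Decode the 16-byte header: magic, flags word, then either mtime + source size
    (timestamp-based) or a 64-bit source hash (flag bit 0 set)."""
    if len(data) < 16 or data[2:4] != b"\r\n":
        raise ValueError("not a .pyc header")
    magic, flags = struct.unpack("<H2xI", data[:8])
    info = {"magic": magic, "version": MAGIC_TO_VERSION.get(magic, "unknown"),
            "hash_based": bool(flags & 1), "check_source": bool(flags & 2)}
    if info["hash_based"]:
        info["source_hash"] = data[8:16].hex()
    else:
        info["mtime"], info["source_size"] = struct.unpack("<II", data[8:16])
    return info

def extract_strings(data):
    """Unmarshal the code object and walk it (no execution) to list the names it
    touches and its string constants. marshal is only stable for the interpreter
    that wrote the file, so refuse a magic that differs from the running one."""
    if data[:4] != importlib.util.MAGIC_NUMBER:
        raise ValueError("magic differs from this interpreter; rerun under a matching Python")
    names, strings = set(), set()

    def walk(code):
        names.update(code.co_names)
        for const in code.co_consts:
            if isinstance(const, str):
                strings.add(const)
            elif hasattr(const, "co_code"):   # nested function / class / comprehension bodies
                walk(const)

    walk(marshal.loads(data[16:]))
    return sorted(names), sorted(strings)

def build_sample_pyc(source, mtime=0):
    """Constructed stand-in for the dropped file: a timestamp-based .pyc written by the
    running interpreter, so that extract_strings() can be exercised offline."""
    code = compile(source, "<sample>", "exec")
    header = importlib.util.MAGIC_NUMBER + struct.pack("<III", 0, mtime, len(source.encode()))
    return header + marshal.dumps(code)

# Constructed snippet standing in for a token grabber's top level; not the real payload.
SAMPLE_SOURCE = (
    "import os\n"
    "TOKEN_DIR = os.path.join('AppData', 'Roaming', 'discord', 'Local Storage', 'leveldb')\n"
    "def grab():\n    return [f for f in os.listdir(TOKEN_DIR) if f.endswith('.ldb')]\n"
)
# Header bytes exactly as a CPython 3.11 build writes them (constructed mtime and size).
SAMPLE_311_HEADER = b"\xa7\r\r\n" + struct.pack("<III", 0, 1701542400, 4096)

if __name__ == "__main__":
    print(parse_pyc_header(SAMPLE_311_HEADER))
    blob = build_sample_pyc(SAMPLE_SOURCE)
    print(parse_pyc_header(blob))
    print(extract_strings(blob))
```

The header check comes first because the bundled runtime above is python311.dll; a .pyc carrying the 3.11 magic (0x0DA7) should be unmarshalled under a 3.11 interpreter and nothing else. marshal.loads does not execute the code object, but its parser is not hardened against malformed input, so do this inside the analysis VM, never on a workstation.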