hxxps://cdn[.]discordapp[.]com/attachments/1193221857156006078/1199739073842131035/Deef_64[.]zip

max time kernel
126s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
19/02/2024, 13:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1193221857156006078/1199739073842131035/Deef_64.zip

Score

7^/10

spyware stealer

Malware Config

Signatures

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Deef_64.exe	Deef_64.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Deef_64.exe	Deef_64.exe

Executes dropped EXE 1 IoCs

pid	Process
2256	Deef_64.exe

Loads dropped DLL 43 IoCs

pid	Process
2256	Deef_64.exe
2256	Deef_64.exe
2256	Deef_64.exe
2256	Deef_64.exe
2256	Deef_64.exe
2256	Deef_64.exe
2256	Deef_64.exe
2256	Deef_64.exe
2256	Deef_64.exe
2256	Deef_64.exe
2256	Deef_64.exe
2256	Deef_64.exe
2256	Deef_64.exe
2256	Deef_64.exe
2256	Deef_64.exe
2256	Deef_64.exe
2256	Deef_64.exe
2256	Deef_64.exe
2256	Deef_64.exe
2256	Deef_64.exe
2256	Deef_64.exe
2256	Deef_64.exe
2256	Deef_64.exe
2256	Deef_64.exe
2256	Deef_64.exe
2256	Deef_64.exe
2256	Deef_64.exe
2256	Deef_64.exe
2256	Deef_64.exe
2256	Deef_64.exe
2256	Deef_64.exe
2256	Deef_64.exe
2256	Deef_64.exe
2256	Deef_64.exe
2256	Deef_64.exe
2256	Deef_64.exe
2256	Deef_64.exe
2256	Deef_64.exe
2256	Deef_64.exe
2256	Deef_64.exe
2256	Deef_64.exe
2256	Deef_64.exe
2256	Deef_64.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
63	raw.githubusercontent.com
64	raw.githubusercontent.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
75	api.ipify.org
76	api.ipify.org

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
5052	WMIC.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings	OpenWith.exe

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

pid	Process
2352	NOTEPAD.EXE
1076	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
3968	msedge.exe
3968	msedge.exe
1360	msedge.exe
1360	msedge.exe
956	identity_helper.exe
956	identity_helper.exe
3680	msedge.exe
3680	msedge.exe
2256	Deef_64.exe
2256	Deef_64.exe
2256	Deef_64.exe
2256	Deef_64.exe
2256	Deef_64.exe
2256	Deef_64.exe
2256	Deef_64.exe
2256	Deef_64.exe
4528	powershell.exe
4528	powershell.exe
244	powershell.exe
244	powershell.exe
4672	powershell.exe
4672	powershell.exe
4972	powershell.exe
4972	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3956	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	3040	7zG.exe
Token: 35	3040	7zG.exe
Token: SeSecurityPrivilege	3040	7zG.exe
Token: SeSecurityPrivilege	3040	7zG.exe
Token: SeDebugPrivilege	2256	Deef_64.exe
Token: SeDebugPrivilege	4528	powershell.exe
Token: SeDebugPrivilege	244	powershell.exe
Token: SeDebugPrivilege	4672	powershell.exe
Token: SeDebugPrivilege	4972	powershell.exe
Token: SeIncreaseQuotaPrivilege	1460	WMIC.exe
Token: SeSecurityPrivilege	1460	WMIC.exe
Token: SeTakeOwnershipPrivilege	1460	WMIC.exe
Token: SeLoadDriverPrivilege	1460	WMIC.exe
Token: SeSystemProfilePrivilege	1460	WMIC.exe
Token: SeSystemtimePrivilege	1460	WMIC.exe
Token: SeProfSingleProcessPrivilege	1460	WMIC.exe
Token: SeIncBasePriorityPrivilege	1460	WMIC.exe
Token: SeCreatePagefilePrivilege	1460	WMIC.exe
Token: SeBackupPrivilege	1460	WMIC.exe
Token: SeRestorePrivilege	1460	WMIC.exe
Token: SeShutdownPrivilege	1460	WMIC.exe
Token: SeDebugPrivilege	1460	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1460	WMIC.exe
Token: SeRemoteShutdownPrivilege	1460	WMIC.exe
Token: SeUndockPrivilege	1460	WMIC.exe
Token: SeManageVolumePrivilege	1460	WMIC.exe
Token: 33	1460	WMIC.exe
Token: 34	1460	WMIC.exe
Token: 35	1460	WMIC.exe
Token: 36	1460	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1460	WMIC.exe
Token: SeSecurityPrivilege	1460	WMIC.exe
Token: SeTakeOwnershipPrivilege	1460	WMIC.exe
Token: SeLoadDriverPrivilege	1460	WMIC.exe
Token: SeSystemProfilePrivilege	1460	WMIC.exe
Token: SeSystemtimePrivilege	1460	WMIC.exe
Token: SeProfSingleProcessPrivilege	1460	WMIC.exe
Token: SeIncBasePriorityPrivilege	1460	WMIC.exe
Token: SeCreatePagefilePrivilege	1460	WMIC.exe
Token: SeBackupPrivilege	1460	WMIC.exe
Token: SeRestorePrivilege	1460	WMIC.exe
Token: SeShutdownPrivilege	1460	WMIC.exe
Token: SeDebugPrivilege	1460	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1460	WMIC.exe
Token: SeRemoteShutdownPrivilege	1460	WMIC.exe
Token: SeUndockPrivilege	1460	WMIC.exe
Token: SeManageVolumePrivilege	1460	WMIC.exe
Token: 33	1460	WMIC.exe
Token: 34	1460	WMIC.exe
Token: 35	1460	WMIC.exe
Token: 36	1460	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3536	wmic.exe
Token: SeSecurityPrivilege	3536	wmic.exe
Token: SeTakeOwnershipPrivilege	3536	wmic.exe
Token: SeLoadDriverPrivilege	3536	wmic.exe
Token: SeSystemProfilePrivilege	3536	wmic.exe
Token: SeSystemtimePrivilege	3536	wmic.exe
Token: SeProfSingleProcessPrivilege	3536	wmic.exe
Token: SeIncBasePriorityPrivilege	3536	wmic.exe
Token: SeCreatePagefilePrivilege	3536	wmic.exe
Token: SeBackupPrivilege	3536	wmic.exe
Token: SeRestorePrivilege	3536	wmic.exe
Token: SeShutdownPrivilege	3536	wmic.exe
Token: SeDebugPrivilege	3536	wmic.exe

Suspicious use of FindShellTrayWindow 44 IoCs

pid	Process
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
3040	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
3956	OpenWith.exe
3956	OpenWith.exe
3956	OpenWith.exe
3956	OpenWith.exe
3956	OpenWith.exe
3956	OpenWith.exe
3956	OpenWith.exe
3956	OpenWith.exe
3956	OpenWith.exe
3956	OpenWith.exe
3956	OpenWith.exe
3956	OpenWith.exe
3956	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1360 wrote to memory of 4112	1360	msedge.exe	68
PID 1360 wrote to memory of 4112	1360	msedge.exe	68
PID 1360 wrote to memory of 3716	1360	msedge.exe	87
PID 1360 wrote to memory of 3716	1360	msedge.exe	87
PID 1360 wrote to memory of 3716	1360	msedge.exe	87
PID 1360 wrote to memory of 3716	1360	msedge.exe	87
PID 1360 wrote to memory of 3716	1360	msedge.exe	87
PID 1360 wrote to memory of 3716	1360	msedge.exe	87
PID 1360 wrote to memory of 3716	1360	msedge.exe	87
PID 1360 wrote to memory of 3716	1360	msedge.exe	87
PID 1360 wrote to memory of 3716	1360	msedge.exe	87
PID 1360 wrote to memory of 3716	1360	msedge.exe	87
PID 1360 wrote to memory of 3716	1360	msedge.exe	87
PID 1360 wrote to memory of 3716	1360	msedge.exe	87
PID 1360 wrote to memory of 3716	1360	msedge.exe	87
PID 1360 wrote to memory of 3716	1360	msedge.exe	87
PID 1360 wrote to memory of 3716	1360	msedge.exe	87
PID 1360 wrote to memory of 3716	1360	msedge.exe	87
PID 1360 wrote to memory of 3716	1360	msedge.exe	87
PID 1360 wrote to memory of 3716	1360	msedge.exe	87
PID 1360 wrote to memory of 3716	1360	msedge.exe	87
PID 1360 wrote to memory of 3716	1360	msedge.exe	87
PID 1360 wrote to memory of 3716	1360	msedge.exe	87
PID 1360 wrote to memory of 3716	1360	msedge.exe	87
PID 1360 wrote to memory of 3716	1360	msedge.exe	87
PID 1360 wrote to memory of 3716	1360	msedge.exe	87
PID 1360 wrote to memory of 3716	1360	msedge.exe	87
PID 1360 wrote to memory of 3716	1360	msedge.exe	87
PID 1360 wrote to memory of 3716	1360	msedge.exe	87
PID 1360 wrote to memory of 3716	1360	msedge.exe	87
PID 1360 wrote to memory of 3716	1360	msedge.exe	87
PID 1360 wrote to memory of 3716	1360	msedge.exe	87
PID 1360 wrote to memory of 3716	1360	msedge.exe	87
PID 1360 wrote to memory of 3716	1360	msedge.exe	87
PID 1360 wrote to memory of 3716	1360	msedge.exe	87
PID 1360 wrote to memory of 3716	1360	msedge.exe	87
PID 1360 wrote to memory of 3716	1360	msedge.exe	87
PID 1360 wrote to memory of 3716	1360	msedge.exe	87
PID 1360 wrote to memory of 3716	1360	msedge.exe	87
PID 1360 wrote to memory of 3716	1360	msedge.exe	87
PID 1360 wrote to memory of 3716	1360	msedge.exe	87
PID 1360 wrote to memory of 3716	1360	msedge.exe	87
PID 1360 wrote to memory of 3968	1360	msedge.exe	85
PID 1360 wrote to memory of 3968	1360	msedge.exe	85
PID 1360 wrote to memory of 2280	1360	msedge.exe	86
PID 1360 wrote to memory of 2280	1360	msedge.exe	86
PID 1360 wrote to memory of 2280	1360	msedge.exe	86
PID 1360 wrote to memory of 2280	1360	msedge.exe	86
PID 1360 wrote to memory of 2280	1360	msedge.exe	86
PID 1360 wrote to memory of 2280	1360	msedge.exe	86
PID 1360 wrote to memory of 2280	1360	msedge.exe	86
PID 1360 wrote to memory of 2280	1360	msedge.exe	86
PID 1360 wrote to memory of 2280	1360	msedge.exe	86
PID 1360 wrote to memory of 2280	1360	msedge.exe	86
PID 1360 wrote to memory of 2280	1360	msedge.exe	86
PID 1360 wrote to memory of 2280	1360	msedge.exe	86
PID 1360 wrote to memory of 2280	1360	msedge.exe	86
PID 1360 wrote to memory of 2280	1360	msedge.exe	86
PID 1360 wrote to memory of 2280	1360	msedge.exe	86
PID 1360 wrote to memory of 2280	1360	msedge.exe	86
PID 1360 wrote to memory of 2280	1360	msedge.exe	86
PID 1360 wrote to memory of 2280	1360	msedge.exe	86
PID 1360 wrote to memory of 2280	1360	msedge.exe	86
PID 1360 wrote to memory of 2280	1360	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/1193221857156006078/1199739073842131035/Deef_64.zip
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbee9746f8,0x7ffbee974708,0x7ffbee974718
  2⤵
  PID:4112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,13011533814525517554,905120888008090095,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2336 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,13011533814525517554,905120888008090095,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2700 /prefetch:8
  2⤵
  PID:2280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,13011533814525517554,905120888008090095,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
  2⤵
  PID:3716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,13011533814525517554,905120888008090095,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
  2⤵
  PID:3912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,13011533814525517554,905120888008090095,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
  2⤵
  PID:4576
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,13011533814525517554,905120888008090095,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5292 /prefetch:8
  2⤵
  PID:4536
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,13011533814525517554,905120888008090095,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5292 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,13011533814525517554,905120888008090095,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5656 /prefetch:1
  2⤵
  PID:1096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2132,13011533814525517554,905120888008090095,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5720 /prefetch:8
  2⤵
  PID:1248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2132,13011533814525517554,905120888008090095,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5856 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,13011533814525517554,905120888008090095,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1
  2⤵
  PID:1980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,13011533814525517554,905120888008090095,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4816 /prefetch:1
  2⤵
  PID:4992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,13011533814525517554,905120888008090095,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3080 /prefetch:1
  2⤵
  PID:5068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,13011533814525517554,905120888008090095,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5420 /prefetch:1
  2⤵
  PID:1576

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4968

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1340

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3948

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Deef_64\" -ad -an -ai#7zMap32235:76:7zEvent15797
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3040

C:\Users\Admin\Downloads\Deef_64\Deef_64\Deef_64.exe
"C:\Users\Admin\Downloads\Deef_64\Deef_64\Deef_64.exe"
1⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2256
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
  2⤵
  PID:4796
- - C:\Windows\system32\netsh.exe
    netsh wlan show profiles
    3⤵
    PID:1584
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\AppData" & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\Local" & powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe'" "
  2⤵
  PID:1964
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4528
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\AppData"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:244
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\Local"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4672
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe'"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4972
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "wmic os get Caption"
  2⤵
  PID:2388
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic os get Caption
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1460
- C:\Windows\System32\Wbem\wmic.exe
  wmic cpu get Name
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3536
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
  2⤵
  PID:2972
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:5052
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
  2⤵
  PID:3224
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic computersystem get totalphysicalmemory
    3⤵
    PID:4440
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
  2⤵
  PID:4668
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
    3⤵
    PID:1572

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Deef_64\Deef_64\options.ini
1⤵
- Opens file in notepad (likely ransom note)
PID:1076

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3956
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Deef_64\Deef_64\python311.dll
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:2352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5e77545b7e1c504b2f5ce7c5cc2ce1fe

SHA1
d81a6af13cf31fa410b85471e4509124ebeaff7e

SHA256
cbb617cd6cde793f367df016b200d35ce3c521ab901bbcb52928576bb180bc11

SHA512
cbc65c61334a8b18ece79acdb30a4af80aa9448c3edc3902b00eb48fd5038bf6013d1f3f6436c1bcb637e78c485ae8e352839ca3c9ddf7e45b3b82d23b0e6e37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\0488aee2-cb46-4e0e-a18d-636e1ef95d0f.tmp

Filesize
5KB

MD5
d906643334639e014d420756fd574ee7

SHA1
ce28a87fe83e1e12d7bfb0f988c07f30365d6531

SHA256
34f0da27527000ae21d3037c54beab2d4471cf74fe95e218a03954817040d7cf

SHA512
59844cff0ed9a5e595d0c667c074a8a44c15d0b84c2a5313a614805be1e8a75e4d8b61eb80116d07d34d96c75e7a65ba5c0813cd801256de7b4ed4efbbf0754d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
131e2648aca1f10b4c738666bd8afde8

SHA1
d7e5c105b03488537a9e24269deb48c6046c0e34

SHA256
5c5af594e42ee4c021f4b9ac7249e4eee73a4fcd7bdfdd5b26d9ebcfb433480a

SHA512
80e9fd046f09027eaa3a4f675ce65f831de4e5fbad9100ece6198f5a53fe13c024b1b21f04b90d5d20c5d8376284850e0d869ba4f510d199fb244e8bc9d9dd00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ff2192d6f78db1d609df198adeb31ddd

SHA1
7aeea52ab13f9e7fe9989943ba70f5f1b43461c1

SHA256
22074dd6378422ded8bd42e43dbf6a80af4f365902fc63b280b49683f7215fd3

SHA512
8376eac16c49ded4fc90d03b74da9354f20346e55b48de239352560d5ee02c090b8feb288c636a9598f7d94010795ac3adc4dd8fd687fdbe324778cfdb1abaca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
6db2d2ceb22a030bd1caa72b32cfbf98

SHA1
fe50f35e60f88624a28b93b8a76be1377957618b

SHA256
7b22b0b16088ab7f7d6f938d7cfe9ae807856662ce3a63e7de6c8107186853e4

SHA512
d5a67a394003f559c98e1a1e9e31c2d473d04cc075b08bb0aab115ce42744da536895df2cec73fa54fc36f38d38e4906680cfacfbf4698ee925f1609fbb07912

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
9a3d5d46c23ac7603438ea4676d3f486

SHA1
0705629ed418b3512ecbac087a730be7338b3e88

SHA256
6197643554e45888e6ac65b9e8d63d2a6a1a30a1b000a0e7dfe8df493f446192

SHA512
64b7fb35914ed531e2f548a2dc236262780e28fee3d89436d05fac6605080bd7fcaf1fe9cde0d075d655d5913520a531a6e773f3a79b1523ab660e6b6d65060c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
1420b506ad8b8bd42378fdb279ea8939

SHA1
396d3cf6f9aa9c19fdf327b1cfe214753218f77a

SHA256
2888e45680e28f96f8ddfe181de39af1688112b52643c4129d5d3e40b7de6d9e

SHA512
59f0f723d212eadb53f3d25f932d4a54f8499a5c4d1320f8d5ca822df0747858cc8fd755f4dacc766e2f5d5b67695d1bd4f8d71b48860062b0899ad613ad55d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\YDLuDirve3\Browser\cc's.txt

Filesize
91B

MD5
5aa796b6950a92a226cc5c98ed1c47e8

SHA1
6706a4082fc2c141272122f1ca424a446506c44d

SHA256
c4c83da3a904a4e7114f9bd46790db502cdd04800e684accb991cd1a08ee151c

SHA512
976f403257671e8f652bf988f4047202e1a0fd368fdb2bab2e79ece1c20c7eb775c4b3a8853c223d4f750f4192cd09455ff024918276dc1dd1442fa3b36623ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\YDLuDirve3\Browser\history.txt

Filesize
23B

MD5
5638715e9aaa8d3f45999ec395e18e77

SHA1
4e3dc4a1123edddf06d92575a033b42a662fe4ad

SHA256
4db7f6559c454d34d9c2d557524603c3f52649c2d69b26b6e8384a3d179aeae6

SHA512
78c96efab1d941e34d3137eae32cef041e2db5b0ebbf883e6a2effa79a323f66e00cfb7c45eb3398b3cbd0469a2be513c3ff63e5622261857eefc1685f77f76b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0bs2vcte.f4h.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\Deef_64.zip

Filesize
23.6MB

MD5
e06bacd44647f6478825efe3faa5951d

SHA1
225bf940146292e3772f3263df0b0eff7eae5917

SHA256
8480e2eb3b2f9984d3cd40a78feecc89f467c9b0363a12e5d67d7a603c9f6d22

SHA512
c017236d82332064ad187cab1b529fee20e72595694c9ef774cf0f97e4b3d690e6481f432c458a75c009d850304db819e994c076ce5fed9cfa19c37c91594fce

Download Submit
C:\Users\Admin\Downloads\Deef_64\Deef_64\Deef_64.exe

Filesize
20KB

MD5
1f383a8e29a79c11cf0a106de54b5f23

SHA1
eb96942cbf8f6c3abf2fb680203a1b861250ccb7

SHA256
574443fa2fa574da69b61699a7ffcfbce2df1b9ff1370c59a9327635b5a160ed

SHA512
e50dd212e4f5943e89d8ede141f05fb98e76463d8489c672f7b20c35ecd668b83603ddaac03d571ac9514979f766516c806ec66b463ceeb683a8722f50b81888

Download Submit
C:\Users\Admin\Downloads\Deef_64\Deef_64\lib\_bz2.pyd

Filesize
82KB

MD5
4438affaaa0ca1df5b9b1cdaa0115ec1

SHA1
4eda79eaf3de614d5f744aa9eea5bfcf66e2d386

SHA256
ec91e2b4baca31b992d016b84b70f110ce2b1b2dfd54f5e5bef6270ed7d13b85

SHA512
6992107ac4d2108e477bc81af667b8b8e5439231e7e9f4b15ce4bce1aeea811bc0f1aaa438be3b0e38597760cb504367512809ee1937c4b538a86724ae543ba6

Download Submit
C:\Users\Admin\Downloads\Deef_64\Deef_64\lib\_ctypes.pyd

Filesize
120KB

MD5
6114277c6fc040f68d25ca90e25924cd

SHA1
028179c77cb3ba29cd8494049421eaa4900ccd0e

SHA256
f07fe92ce85f7786f96a4d59c6ee5c05fe1db63a1889ba40a67e37069639b656

SHA512
76e8ebefb9ba4ea8dcab8fce50629946af4f2b3f2f43163f75483cfb0a97968478c8aaef1d6a37be85bfc4c91a859deda6da21d3e753daefe084a203d839353d

Download Submit
C:\Users\Admin\Downloads\Deef_64\Deef_64\lib\_lzma.pyd

Filesize
155KB

MD5
737119a80303ef4eccaa998d500e7640

SHA1
328c67c6c4d297ac13da725bf24467d8b5e982e3

SHA256
7158c1290ac29169160b3ec94d9c8bcde4012d67a555f325d44b418c54e2cc28

SHA512
1c9920e0841a65b01a0b339c5f5254d1039ef9a16fe0c2484a7e2a9048727f2cc081817aa771b0c574fb8d1a5a49dc39798a3c5e5b5e64392e9c168e1827be7c

Download Submit
C:\Users\Admin\Downloads\Deef_64\Deef_64\lib\_socket.pyd

Filesize
77KB

MD5
64a6c475f59e5c57b3f4dd935f429f09

SHA1
ca2e0719dc32f22163ae0e7b53b2caadb0b9d023

SHA256
d03fa645cde89b4b01f4a2577139fbb7e1392cb91dc26213b3b76419110d8e49

SHA512
cf9e03b7b34cc095fe05c465f9d794319aaa0428fe30ab4ddce14ba78e835edf228d11ec016fd31dfe9f09d84b6f73482fb8e0f574d1fd08943c1ec9e0584973

Download Submit
C:\Users\Admin\Downloads\Deef_64\Deef_64\lib\_sqlite3.pyd

Filesize
117KB

MD5
a7df575bf69570944b004dfe150e8caf

SHA1
2fd19be98a07347d59afd78c167601479aac94bb

SHA256
b1223420e475348c0bfb90fae33fc44ce35d988270294158ec366893df221a4b

SHA512
18c381a4ded8d33271cbf0bea75af1c86c6d34cc436f68fb9342951c071c10d84cf9f96a0509c53e5886d47fed5bca113a7f7863f6873583daa7bb6af1aa9afa

Download Submit
C:\Users\Admin\Downloads\Deef_64\Deef_64\lib\collections\__init__.pyc

Filesize
76KB

MD5
3dc45187369b7c579651192d0170bce1

SHA1
71079a41e806cd24b9437e93295736012f290511

SHA256
9586dc042018df9441cd32eb74472a2b9b7c65c13f01b39acba11ab4d0598b65

SHA512
4227dae85456250ddfd92d802995c043e1df4ff1c55c9f45f37bd58116556e1894f9fe72a2854d1a29fd6a696505263f006ed48da082dfaedd4abb9bcf43df61

Download Submit
C:\Users\Admin\Downloads\Deef_64\Deef_64\lib\collections\abc.pyc

Filesize
333B

MD5
21e0f3cc6322fb0004b8f0d9af9cd1b8

SHA1
acc7d743dbe6fa86fcec247751e912268d98cdb9

SHA256
4759595c54e6eedeae731f9a1f2be8a4a8b9aae6c76bc797f23d2efdd8ec144c

SHA512
15634b4dd1ee13af566cb9ebef85ca83d055560703d49a5362b9082a8d5c2addcf898de17ddb2189ef9e6ffe644274b85b8e81ac32e2dcefe03dfee3a5ad5c29

Download Submit
C:\Users\Admin\Downloads\Deef_64\Deef_64\lib\concurrent\__init__.pyc

Filesize
190B

MD5
a15009780d1ac86b6c284f27031c2d76

SHA1
31a336cb531da4e395dd46b3595bea64a37eda98

SHA256
25d6d1380cfa4a3e791df75686b9faea5577adba7682121b92a3c86e0a79e153

SHA512
967a1111a8f90793dd8865b92a2327daaf2cfbe5780d3d3dbaa89cfb6e011036e765f241ee35e2ec2c4c7a06577c6d02098fbc2e3140e2d0e2b3c7ee2dd6e348

Download Submit
C:\Users\Admin\Downloads\Deef_64\Deef_64\lib\concurrent\futures\__init__.pyc

Filesize
1KB

MD5
26e85fd88575ecc829ca18ad6d10d3bc

SHA1
b518b3c37dbf7c5fa20dde02d647b93ad965a55e

SHA256
a8013167e53d7d65973d80eafc50eaebb52cdb363e5fdc48f7f5fc972541b0fd

SHA512
97caa61ab15b14c7fb3ee9205190fa47e13e47e4813ad1add6e71cbcc18c4dd03f0aa7a1de8dadbdc29f90baecbf6a2febdc7ae65d58a91a900d6a3d10c1ad9a

Download Submit
C:\Users\Admin\Downloads\Deef_64\Deef_64\lib\concurrent\futures\_base.pyc

Filesize
36KB

MD5
c6dfb5e448ed62a3996eb32887e658f2

SHA1
8a951410294fb6d9a32a00ba1ea74d774a87c145

SHA256
790a37a35984f72312a2c68ff5ab876867bff3f70881ea63937fb28b7e6a731a

SHA512
7f3c444677864ec3a0009655a09bc69ba0728f628ab83918eb79c7f1e17c0c35ffa971551d3b49cb53b64932ba0aeda12fb16947fdf25a7f5a45fdebdcef76c4

Download Submit
C:\Users\Admin\Downloads\Deef_64\Deef_64\lib\ctypes\__init__.pyc

Filesize
26KB

MD5
5f487f8836ee2740bea263e604acb6b2

SHA1
1ed46f9d41cea2b53f0652f57e233c58502e730e

SHA256
9e18899eebd532ebb76688fcbd5eeff41e94e6984b61ee6c116914d1fe6e235a

SHA512
bfdc44836793e26aaa7b3d6e1b27b0b9862ba6ff3f1e9e3cb1eeff0d78e76a8d30a46a6ff21090272ff1fd0a500ed635d2f8ec2dbcfd48c1131a72962799a172

Download Submit
C:\Users\Admin\Downloads\Deef_64\Deef_64\lib\ctypes\_endian.pyc

Filesize
3KB

MD5
d45068b012921c180877c1ed49f3427b

SHA1
33e67a07fffa98245a7ca8b6ead11d2031514544

SHA256
01e6403efca461c3362870cff44b100880cde7fcd37188d8fde77519baac0617

SHA512
b0403208800937119449a6b734f1f046a5a9f3faa0b0630b505486e37fac82b8363ee9d9f2c389e781a740260e4ac851bd765688077eaa7ba34498676d1ceff7

Download Submit
C:\Users\Admin\Downloads\Deef_64\Deef_64\lib\encodings\__init__.pyc

Filesize
6KB

MD5
7b97837db32f7e0eab6cb68c5230da6c

SHA1
31baf8b1be95def2423ad73b9c57c280875a71c7

SHA256
0164e42461201fe43d5d1681e0de63ee374c1f4d2c0491ea458960456760d85d

SHA512
8cb6d95dac7c4a2924f77e6d5e8c254e6abb986a06bc9054a03c2d8a8d7a45815a4e3a7afba60ef334abe549377db93a6dc9d57fae16412dba41af59c6f0cda3

Download Submit
C:\Users\Admin\Downloads\Deef_64\Deef_64\lib\encodings\aliases.pyc

Filesize
12KB

MD5
2aa93081a06fd5069a2a87a7995651f3

SHA1
129ef6b58407233da8430dd0f0d32006a0881055

SHA256
bab963cd2722b4056e2f718b978fc5f517d3ad0887435a76613408e022394e24

SHA512
c529642de1a632d7f2524d16f1d8e22d9745ebea2e110f9c4f1c8c893ffd88db70e605ee776d4c532bdfceec8d8208353e8b81330cc23d9e2936d5824becdf9c

Download Submit
C:\Users\Admin\Downloads\Deef_64\Deef_64\lib\encodings\cp1252.pyc

Filesize
3KB

MD5
4b509de3b15deee0f1c4800e67781e4d

SHA1
94e5ab3efed142a6306982e026df26580b655ea2

SHA256
f5ac323c27ceb9835b6e36a83574ff9dbe4f1b385439f85d09d3438c3cce3c20

SHA512
50044e3beb90288afb4b7f19231c3d3c3694733152ce90f9c88e458c9431e0d99a02b16e17891931524bbb63ceeb29f43979164135dae63b5a4d6d91c8a9d8f3

Download Submit
C:\Users\Admin\Downloads\Deef_64\Deef_64\lib\encodings\utf_8.pyc

Filesize
2KB

MD5
c80c809b4a58833f0ce1fcd20faa92fb

SHA1
e439b21a68b3f60c9bc51a7b5865701adb50d26c

SHA256
b5f575cf705841b6f293b00c4e058685cc4d198b0bf227aaef8e58d895268dfe

SHA512
e0bf4d3af28b508d75430421019b5bb038df21774b1133c9ec8853cfec46f18cd982b70ed5887f6f95ea68d0e5453bc6f6d19b3b7bc064792e0ed39c834fba9d

Download Submit
C:\Users\Admin\Downloads\Deef_64\Deef_64\lib\importlib\__init__.pyc

Filesize
6KB

MD5
e7a5bd6f4860e44cd888e08acc408349

SHA1
e614cf721c043e5e1a998c51d2d879c3bc66d15f

SHA256
b4208943f9c4f4716802af1fbe4f4484dd5d1be93667cabf37a93a80f116e477

SHA512
ab84cfee143343b2f8897e76b495ae4a53c5efd28c33ea2468c7f676a41fcc9b7c855bbf4436b9afc84b8a374d1a26f2a7b97cdd8ccd68728116337f994dda47

Download Submit
C:\Users\Admin\Downloads\Deef_64\Deef_64\lib\json\__init__.pyc

Filesize
13KB

MD5
2a23eb07faa92c57b08121bb837afa03

SHA1
630d88e05033ca8ec641e75dd4ddda620034b0a9

SHA256
bbbe6ece9bc282388ff18ac8cca323f381d4cf6c61328b5fa428655cc96c320a

SHA512
97566c678def949889029b139239806d6368e88f2bf60579ea83090192ba1418ed1947eb54279c26bfc84c45db4459603387b594a77bb333b769a18fb7c99111

Download Submit
C:\Users\Admin\Downloads\Deef_64\Deef_64\lib\json\decoder.pyc

Filesize
14KB

MD5
e59e4b1c77ee9e2e7eb64e029061b216

SHA1
0c088a67a4e911337a796790d9c8470956f008e5

SHA256
ec66745644dee36402246def6c46a69a3578ae198bc3c830a551b87a34f6e754

SHA512
5e1188a48f8bf1ee9f3ea6314c5450389cd0e16d5e7c92bab5f8c0542d5184ab22861d6e00597ccd3ef4f4a67a414ba8eb7a8f4ecc210d464d34010baf5a60ab

Download Submit
C:\Users\Admin\Downloads\Deef_64\Deef_64\lib\json\encoder.pyc

Filesize
16KB

MD5
a138f00fc30720ceab3cef5f6896e16e

SHA1
ddba7f22e5459c18b55e893615b8dfadd9bf7dd0

SHA256
a8c612807bf104edb977de4ffc21264ec27eadc3f62f1278968cbe9b4c7052d2

SHA512
cee7ecf72153fede13f33eaa900547900571313495257fae6e1fa9b0e399946a9d0b5c993e347d779c34899225805e8248a9b23d0c71380c4ef052eaa0127bb9

Download Submit
C:\Users\Admin\Downloads\Deef_64\Deef_64\lib\json\scanner.pyc

Filesize
3KB

MD5
cb3b181161471ccd87907c25d6821b9d

SHA1
5ac629acf815fdb63f491e4f7593dc45876e1127

SHA256
f636498aa1a7bc5964867e84eb9e0f297ddd82197aaa137d7fdcbd6146231854

SHA512
df4af3ae663bbabaa6f86c5b5052bfeb3e12c7e6c0dfbe373f0c20862f5b71bfd49dbc9249aa8ba69bc31009145cdd6a758ecadc9ea5c27fc7ddcd88706d36ef

Download Submit
C:\Users\Admin\Downloads\Deef_64\Deef_64\lib\libffi-8.dll

Filesize
38KB

MD5
0f8e4992ca92baaf54cc0b43aaccce21

SHA1
c7300975df267b1d6adcbac0ac93fd7b1ab49bd2

SHA256
eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a

SHA512
6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

Download Submit
C:\Users\Admin\Downloads\Deef_64\Deef_64\lib\library.zip

Filesize
4.6MB

MD5
90f682c398c71939b118ef637c3cc0f7

SHA1
393b73e043651bb89ae0ce75e874be2feb59780a

SHA256
84f9192b211de6fb504e9e154851ff39134b0fbf14df9dabfab6be494637b0ef

SHA512
b49529808c82dcb5493ea6e4c54e6db17d44466fda6ed80226d46a4e9be98d54477d525f100f5d93d035d511a1057d30b805422560cae7411627794b9073639f

Download Submit
C:\Users\Admin\Downloads\Deef_64\Deef_64\lib\logging\__init__.pyc

Filesize
96KB

MD5
2cc304292c2b2acfe9dd1120d78ed601

SHA1
f6159e147035da096d2220e161e1ae14c8b36c1d

SHA256
1198238b95a6a089f723e4214e8d6506a2759eda466f1d3a317cd5a5078e62c7

SHA512
3ec4f2847603e9c8de5a0a65e0f8bd68b253ed768dc7efd4226f5b40631d8639674f285c813c1f23c7f4f82ff633a47bf6590dc2e5345f4c894e1cde5ebe1229

Download Submit
C:\Users\Admin\Downloads\Deef_64\Deef_64\lib\multiprocessing\__init__.pyc

Filesize
1KB

MD5
2fec945ce474f92ee0081f5537d0bb40

SHA1
d54598b25ff30ad48cb33acf3959bdb185c9c36d

SHA256
d1f8a84e791aca1856c4be9c4ebc7cf553ceac008bff45a8341ba3441a18f66e

SHA512
8cbed4a3705484896d0d63464b07bf7a416c31fa93ee7dd8c6eb7c7fd569da389c791831fa0cfca9f67b9d4743f3423502e28b5f84d0dd7657eee80767526713

Download Submit
C:\Users\Admin\Downloads\Deef_64\Deef_64\lib\multiprocessing\context.pyc

Filesize
19KB

MD5
3ca7b191daa1898fce5c4dc054f44310

SHA1
7ee669c08b43f2a641ab3fab7ee1df6c098a2a11

SHA256
84cc7f5361e6aedda7060edbf458857608a6bc73ecc8b33f8c5fdb18b2797644

SHA512
4c42bd5b69df3ffced4fe964435814e711789c90ae7cfdeda82bb802190ff6152173fce50c68c2a400cf71e545c908fcc639b3c0755afb243e4a91bf4e89ddb9

Download Submit
C:\Users\Admin\Downloads\Deef_64\Deef_64\lib\multiprocessing\process.pyc

Filesize
18KB

MD5
673128cdfc42edbc3095b65167f7940f

SHA1
4ea8ed2fcaf926803a9d118ca1276c551b22e6f5

SHA256
cfec41e68f93854ca67740d713d6a4c090492f08c72f3a3c1ead3e95576191ff

SHA512
67b7fa417b90351e5697806302bcfe18df0f175a669364506b6f7de2893534a6d445a2a20a4fc8a7feff78a2cc55e8f427f1d0e862c79f166392a21d9b318779

Download Submit
C:\Users\Admin\Downloads\Deef_64\Deef_64\lib\multiprocessing\reduction.pyc

Filesize
14KB

MD5
4fc39b06a27e86ea9830ee07b1213d9c

SHA1
115495e8ba105b8cf232f5319cd469e82fada23e

SHA256
c20339195bfce6ec304ac29abbccc216207e25108fbd9ab376fe096ddacb2a29

SHA512
0beb1f5ca17660bf06b285655ef76acbef538cad04f6462cb6257ed4849d3b3bd2f2724ce348e4a4de3a12328db03106ea536d9bfeb4c8b18f34b8b32171e033

Download Submit
C:\Users\Admin\Downloads\Deef_64\Deef_64\lib\re\__init__.pyc

Filesize
18KB

MD5
15c28eb54d4f344bdfec2d508c9ce247

SHA1
5ea70dddc6a0c727fb0c32b42a3b44e0c659ba74

SHA256
6aca202006852c09e459facd5bca0279e26d51cec7705c42cfa578896b797beb

SHA512
e7895aafa3ff5b5ec0ec09a02a2530549089b2c4a55c41d0960866ea3d4c6e9b16fb8e70e29cbca99b741b8470b1f9b7efaf0746f5f65b8a2f0f7134f352891c

Download Submit
C:\Users\Admin\Downloads\Deef_64\Deef_64\lib\re\_casefix.pyc

Filesize
1KB

MD5
80cf205ed0d1da73146d30f69f5eb1a6

SHA1
8f00ef5a2f67a9883511850cd259b843a2976921

SHA256
110d79a70c03cc37f1ca9f395ce128f7a6bac8a81eed6d510a4884b2ad588cdd

SHA512
5c4534da057fd8c7f9ec1bb5011b6dbcd9483b6e3bf42d2c20c48b81edefcb525d1a08152290064f2789a2c6da1e7fc4edafbc2205ec39adac295e676378ec3c

Download Submit
C:\Users\Admin\Downloads\Deef_64\Deef_64\lib\re\_compiler.pyc

Filesize
31KB

MD5
d6db76debece3c869978435558f8b0f2

SHA1
ea075ba5c1e793c18eb383066159a60c8f3ea5d4

SHA256
d0a16bfec81d04ef66c30943e72ded8f13cc1b58959e547c817d2292a5b674a3

SHA512
7daed4f193943b8ea486f7946f8c36253fcc81dd4808f84bc5cccf41a76619236d99005d6ec84edc4fba829b7bfb77016dbd3b3e6d8987a1ce3f6860849e0cef

Download Submit
C:\Users\Admin\Downloads\Deef_64\Deef_64\lib\re\_constants.pyc

Filesize
5KB

MD5
cdbe5dfec40530658910f3617a38ce7e

SHA1
583b73c39631c6eb4f0faddcae5f8c8ed585c36c

SHA256
79554a08456bf324eb41a2db9019a64a3e150742d62a1131da46ff318cbfa538

SHA512
cf6e844ed10653b5cce4c3750c72bf4c19e6bfb43dc3ae26761ea2aa38bf04936c8f2fdd7b97a551e929cc34895ec7b60919ea2abfebb7378a70eaa771ec2dc1

Download Submit
C:\Users\Admin\Downloads\Deef_64\Deef_64\lib\re\_parser.pyc

Filesize
48KB

MD5
5b37fc26578fdc59c53b12e3855aa918

SHA1
e9f1cd15cd643fe4aa459c8eb5b49fbccb72a656

SHA256
4c696d90e5887d946fcf4723015723aa18574c096975fce49bff1e33cdf71f2a

SHA512
f9c51e68cf3b5dc3e653f97e033de8eca3f689f59ab14e87696f0c65ee624efa2ed170c43e13aedc80335bfba932e96c09e2e024cfe2a3c891f54913b2dbc149

Download Submit
C:\Users\Admin\Downloads\Deef_64\Deef_64\lib\select.pyd

Filesize
29KB

MD5
653bdccb7af2aa9ccf50cb050fd3be64

SHA1
afe0a85425ae911694c250ab4cb1f6c3d3f2cc69

SHA256
e24a3e7885df9a18c29ba058c49c3adcf59e4b58107847b98eca365b6d94f279

SHA512
07e841fda7a2295380bfa05db7a4699f18c6e639da91d8ee2d126d4f96e4cddaedbd490deb4d2a2e8e5877edfff877693f67a9dc487e29742943e062d7be6277

Download Submit
C:\Users\Admin\Downloads\Deef_64\Deef_64\lib\sqlite3.dll

Filesize
1.4MB

MD5
b49b8fde59ee4e8178c4d02404d06ee7

SHA1
1816fc83155d01351e191d583c68e722928cce40

SHA256
1afd7f650596ad97fcf358b0e077121111641c38ca9d53132bab4c9588cf262f

SHA512
a033ce87c2e503b386fb92aa79a7ec14d6c96e4a35d0cb76d4989bacd16f44c4ed5ac4e13057f05f9d199a3fd8545b9a25296515ec456f29c464d949ff34942a

Download Submit
C:\Users\Admin\Downloads\Deef_64\Deef_64\lib\sqlite3\__init__.pyc

Filesize
1KB

MD5
090011f73722a63c55eb94ed4a0563a9

SHA1
f155fee3ebc643a5d6ff5fadcd67b5c2d1b7825b

SHA256
d2fd6bedbfa721c778d2abb276c0f1f55a62e2e7bc62673645d564beac7a356c

SHA512
058bd1373a61f8eb6fa0c2c32493a765bded8f074bb16eaba7b34479d994c0fd6f8f03701737007bdf666ee4e50ef596b9cf559389c2437e3d4d4e3bd2243111

Download Submit
C:\Users\Admin\Downloads\Deef_64\Deef_64\lib\sqlite3\dbapi2.pyc

Filesize
4KB

MD5
acd17feb122060cceed6e3d49e1aecd6

SHA1
352bec96e241513af5773ec74598e34de4501806

SHA256
aedbeae7311dda9e1fd7bdc91c784f40957bb543a608be363a8f7282d4015ffa

SHA512
349f2ef4fafada9debd0430d32ee9bc17b8aaba5a2e17dc1507b121b254bf38437ec96495a10e7bcc5baacb1d290242f747d32d2b7f058b293c8c8151cb6b8d5

Download Submit
C:\Users\Admin\Downloads\Deef_64\Deef_64\lib\test\cjkencodings\shift_jis-utf8.txt

Filesize
1KB

MD5
cc34bcc252d8014250b2fbc0a7880ead

SHA1
89a79425e089c311137adcdcf0a11dfa9d8a4e58

SHA256
a6bbfb8ecb911d13581f7713391f8c0ceea1edd41537fdb300bbb4d62dd72e9b

SHA512
c6fb4a793870993a9f1310ce59697397e5334dbb92031ab49a3ecc33c55e84737e626e815754c5ddbe7835b15d3817bf07d2b4c80ea5fd956792b4db96c18c2f

Download Submit
C:\Users\Admin\Downloads\Deef_64\Deef_64\lib\test\test_importlib\namespacedata01\binary.file

Filesize
4B

MD5
37b59afd592725f9305e484a5d7f5168

SHA1
a02a05b025b928c039cf1ae7e8ee04e7c190c0db

SHA256
054edec1d0211f624fed0cbca9d4f9400b0e491c43742af2c5b0abebf0c990d8

SHA512
4ec54b09e2b209ddb9a678522bb451740c513f488cb27a0883630718571745141920036aebdb78c0b4cd783a4a6eecc937a40c6104e427512d709a634b412f60

Download Submit
C:\Users\Admin\Downloads\Deef_64\Deef_64\python3.dll

Filesize
65KB

MD5
0e105f62fdd1ff4157560fe38512220b

SHA1
99bd69a94b3dc99fe2c0f7bbbcd05aa0bc8cd45c

SHA256
803ba8242b409080df166320c05a4402aab6dd30e31c4389871f4b68ca1ad423

SHA512
59c0f749ed9c59efdbcd04265b4985b1175fdd825e5a307745531ed2537397e739bc9290fdc3936cfd04f566e28bb76b878f124248b8344cf74f641c6b1101de

Download Submit
C:\Users\Admin\Downloads\Deef_64\Deef_64\python311.dll

Filesize
5.5MB

MD5
58e01abc9c9b5c885635180ed104fe95

SHA1
1c2f7216b125539d63bd111a7aba615c69deb8ba

SHA256
de1b95d2e951fc048c84684bc7df4346138910544ee335b61fc8e65f360c3837

SHA512
cd32c77191309d99aeed47699501b357b35669123f0dd70ed97c3791a009d1855ab27162db24a4bd9e719b68ee3b0539ee6db88e71abb9a2d4d629f87bc2c081

Download Submit
memory/244-5678-0x0000024AF82E0000-0x0000024AF82F0000-memory.dmp

Filesize
64KB

Download
memory/244-5680-0x00007FFBDFB50000-0x00007FFBE0611000-memory.dmp

Filesize
10.8MB

Download
memory/244-5667-0x00007FFBDFB50000-0x00007FFBE0611000-memory.dmp

Filesize
10.8MB

Download
memory/244-5668-0x0000024AF82E0000-0x0000024AF82F0000-memory.dmp

Filesize
64KB

Download
memory/4528-5663-0x0000028100180000-0x0000028100190000-memory.dmp

Filesize
64KB

Download
memory/4528-5666-0x00007FFBDFB50000-0x00007FFBE0611000-memory.dmp

Filesize
10.8MB

Download
memory/4528-5662-0x00007FFBDFB50000-0x00007FFBE0611000-memory.dmp

Filesize
10.8MB

Download
memory/4528-5652-0x000002817FEB0000-0x000002817FED2000-memory.dmp

Filesize
136KB

Download
memory/4672-5681-0x00007FFBDFB50000-0x00007FFBE0611000-memory.dmp

Filesize
10.8MB

Download
memory/4672-5682-0x00000214ECBB0000-0x00000214ECBC0000-memory.dmp

Filesize
64KB

Download
memory/4672-5683-0x00000214ECBB0000-0x00000214ECBC0000-memory.dmp

Filesize
64KB

Download
memory/4672-5694-0x00007FFBDFB50000-0x00007FFBE0611000-memory.dmp

Filesize
10.8MB

Download
memory/4972-5695-0x00007FFBDFB50000-0x00007FFBE0611000-memory.dmp

Filesize
10.8MB

Download
memory/4972-5696-0x000001A8F3630000-0x000001A8F3640000-memory.dmp

Filesize
64KB

Download
memory/4972-5706-0x000001A8F3630000-0x000001A8F3640000-memory.dmp

Filesize
64KB

Download
memory/4972-5708-0x00007FFBDFB50000-0x00007FFBE0611000-memory.dmp

Filesize
10.8MB

Download