chaos | b98ba4f48ad58a55a79732eea1f80838bc26dc0ab3ba0403d04a3c25df9c3d08

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
07-04-2024 01:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b98ba4f48ad58a55a79732eea1f80838bc26dc0ab3ba0403d04a3c25df9c3d08.exe
Size

2.3MB
MD5

8392650851d29f54e051d8a6499889a5
SHA1

d5814cff46164e3011bfce0d3bd7f6692ec63c64
SHA256

b98ba4f48ad58a55a79732eea1f80838bc26dc0ab3ba0403d04a3c25df9c3d08
SHA512

f518039b485bc675383c11b435f2b6eab2dd8d1ffac3e0aed29d972effedeb69aa039191b0986a05c275a9ccb2d65d0efc98a21db96c9cde2c54a8fa3f0f1cd8
SSDEEP

49152:4EWDvY84YWarHKnuQDuZu/RJJlB8xsDDckz8YKBg1i1IIMoq:OxkDumRJJlQuDcXMDJ

Score

10^/10

chaos xworm zgrat bootkit persistence pyinstaller ransomware rat trojan

Malware Config

Extracted

Family

xworm

Version

3.1

gamemodz.duckdns.org:4678

Attributes

Install_directory
%AppData%
install_file
USB.exe

Signatures

Chaos
Ransomware family first seen in June 2021.
ransomware chaos

Chaos Ransomware 2 IoCs

resource	yara_rule
behavioral2/files/0x000400000002303f-4913.dat	family_chaos
behavioral2/memory/3276-4920-0x00000000009D0000-0x00000000009EC000-memory.dmp	family_chaos

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/1348-4895-0x0000000000400000-0x0000000000418000-memory.dmp	family_xworm

Detect ZGRat V1 34 IoCs

resource	yara_rule
behavioral2/memory/3552-2-0x0000000006BB0000-0x0000000006DD6000-memory.dmp	family_zgrat_v1
behavioral2/memory/3552-5-0x0000000006BB0000-0x0000000006DCF000-memory.dmp	family_zgrat_v1
behavioral2/memory/3552-6-0x0000000006BB0000-0x0000000006DCF000-memory.dmp	family_zgrat_v1
behavioral2/memory/3552-8-0x0000000006BB0000-0x0000000006DCF000-memory.dmp	family_zgrat_v1
behavioral2/memory/3552-10-0x0000000006BB0000-0x0000000006DCF000-memory.dmp	family_zgrat_v1
behavioral2/memory/3552-12-0x0000000006BB0000-0x0000000006DCF000-memory.dmp	family_zgrat_v1
behavioral2/memory/3552-14-0x0000000006BB0000-0x0000000006DCF000-memory.dmp	family_zgrat_v1
behavioral2/memory/3552-16-0x0000000006BB0000-0x0000000006DCF000-memory.dmp	family_zgrat_v1
behavioral2/memory/3552-18-0x0000000006BB0000-0x0000000006DCF000-memory.dmp	family_zgrat_v1
behavioral2/memory/3552-20-0x0000000006BB0000-0x0000000006DCF000-memory.dmp	family_zgrat_v1
behavioral2/memory/3552-22-0x0000000006BB0000-0x0000000006DCF000-memory.dmp	family_zgrat_v1
behavioral2/memory/3552-24-0x0000000006BB0000-0x0000000006DCF000-memory.dmp	family_zgrat_v1
behavioral2/memory/3552-26-0x0000000006BB0000-0x0000000006DCF000-memory.dmp	family_zgrat_v1
behavioral2/memory/3552-28-0x0000000006BB0000-0x0000000006DCF000-memory.dmp	family_zgrat_v1
behavioral2/memory/3552-30-0x0000000006BB0000-0x0000000006DCF000-memory.dmp	family_zgrat_v1
behavioral2/memory/3552-32-0x0000000006BB0000-0x0000000006DCF000-memory.dmp	family_zgrat_v1
behavioral2/memory/3552-34-0x0000000006BB0000-0x0000000006DCF000-memory.dmp	family_zgrat_v1
behavioral2/memory/3552-36-0x0000000006BB0000-0x0000000006DCF000-memory.dmp	family_zgrat_v1
behavioral2/memory/3552-38-0x0000000006BB0000-0x0000000006DCF000-memory.dmp	family_zgrat_v1
behavioral2/memory/3552-40-0x0000000006BB0000-0x0000000006DCF000-memory.dmp	family_zgrat_v1
behavioral2/memory/3552-42-0x0000000006BB0000-0x0000000006DCF000-memory.dmp	family_zgrat_v1
behavioral2/memory/3552-46-0x0000000006BB0000-0x0000000006DCF000-memory.dmp	family_zgrat_v1
behavioral2/memory/3552-48-0x0000000006BB0000-0x0000000006DCF000-memory.dmp	family_zgrat_v1
behavioral2/memory/3552-44-0x0000000006BB0000-0x0000000006DCF000-memory.dmp	family_zgrat_v1
behavioral2/memory/3552-52-0x0000000006BB0000-0x0000000006DCF000-memory.dmp	family_zgrat_v1
behavioral2/memory/3552-54-0x0000000006BB0000-0x0000000006DCF000-memory.dmp	family_zgrat_v1
behavioral2/memory/3552-50-0x0000000006BB0000-0x0000000006DCF000-memory.dmp	family_zgrat_v1
behavioral2/memory/3552-56-0x0000000006BB0000-0x0000000006DCF000-memory.dmp	family_zgrat_v1
behavioral2/memory/3552-58-0x0000000006BB0000-0x0000000006DCF000-memory.dmp	family_zgrat_v1
behavioral2/memory/3552-60-0x0000000006BB0000-0x0000000006DCF000-memory.dmp	family_zgrat_v1
behavioral2/memory/3552-62-0x0000000006BB0000-0x0000000006DCF000-memory.dmp	family_zgrat_v1
behavioral2/memory/3552-66-0x0000000006BB0000-0x0000000006DCF000-memory.dmp	family_zgrat_v1
behavioral2/memory/3552-64-0x0000000006BB0000-0x0000000006DCF000-memory.dmp	family_zgrat_v1
behavioral2/memory/3552-68-0x0000000006BB0000-0x0000000006DCF000-memory.dmp	family_zgrat_v1

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Detects Windows executables referencing non-Windows User-Agents 1 IoCs

resource	yara_rule
behavioral2/memory/1348-4895-0x0000000000400000-0x0000000000418000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

Detects command variations typically used by ransomware 2 IoCs

resource	yara_rule
behavioral2/files/0x000400000002303f-4913.dat	INDICATOR_SUSPICIOUS_GENRansomware
behavioral2/memory/3276-4920-0x00000000009D0000-0x00000000009EC000-memory.dmp	INDICATOR_SUSPICIOUS_GENRansomware

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvtres.lnk	cvtres.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvtres.lnk	cvtres.exe

Executes dropped EXE 7 IoCs

pid	Process
3128	cvtres.exe
3276	qxtzoq.exe
2832	nndsza.exe
4264	gbzxkh.exe
3124	ewtras.exe
4552	cvtres.exe
3468	ewtras.exe

Loads dropped DLL 64 IoCs

pid	Process
3124	ewtras.exe
3124	ewtras.exe
3124	ewtras.exe
3468	ewtras.exe
3468	ewtras.exe
3468	ewtras.exe
3468	ewtras.exe
3468	ewtras.exe
3468	ewtras.exe
3468	ewtras.exe
3468	ewtras.exe
3468	ewtras.exe
3468	ewtras.exe
3468	ewtras.exe
3468	ewtras.exe
3468	ewtras.exe
3468	ewtras.exe
3468	ewtras.exe
3468	ewtras.exe
3468	ewtras.exe
3468	ewtras.exe
3468	ewtras.exe
3468	ewtras.exe
3468	ewtras.exe
3468	ewtras.exe
3468	ewtras.exe
3468	ewtras.exe
3468	ewtras.exe
3468	ewtras.exe
3468	ewtras.exe
3468	ewtras.exe
3468	ewtras.exe
3468	ewtras.exe
3468	ewtras.exe
3468	ewtras.exe
3468	ewtras.exe
3468	ewtras.exe
3468	ewtras.exe
3468	ewtras.exe
3468	ewtras.exe
3468	ewtras.exe
3468	ewtras.exe
3468	ewtras.exe
3468	ewtras.exe
3468	ewtras.exe
3468	ewtras.exe
3468	ewtras.exe
3468	ewtras.exe
3468	ewtras.exe
3468	ewtras.exe
3468	ewtras.exe
3468	ewtras.exe
3468	ewtras.exe
3468	ewtras.exe
3468	ewtras.exe
3468	ewtras.exe
3468	ewtras.exe
3468	ewtras.exe
3468	ewtras.exe
3468	ewtras.exe
3468	ewtras.exe
3468	ewtras.exe
3468	ewtras.exe
3468	ewtras.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cvtres = "C:\\Users\\Admin\\AppData\\Roaming\\cvtres.exe"	cvtres.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
32	ip-api.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	gbzxkh.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3552 set thread context of 1348	3552	b98ba4f48ad58a55a79732eea1f80838bc26dc0ab3ba0403d04a3c25df9c3d08.exe	92

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral2/files/0x0004000000000709-4943.dat	pyinstaller

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	ewtras.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	ewtras.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	ewtras.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	ewtras.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
404	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
3276	qxtzoq.exe
3276	qxtzoq.exe
3276	qxtzoq.exe
3276	qxtzoq.exe
3276	qxtzoq.exe
3276	qxtzoq.exe
3276	qxtzoq.exe
3276	qxtzoq.exe
3276	qxtzoq.exe
3276	qxtzoq.exe
3276	qxtzoq.exe
3276	qxtzoq.exe
3276	qxtzoq.exe
3276	qxtzoq.exe
3276	qxtzoq.exe
3276	qxtzoq.exe
3276	qxtzoq.exe
3276	qxtzoq.exe
3276	qxtzoq.exe
3276	qxtzoq.exe
3276	qxtzoq.exe
4852	powershell.exe
4852	powershell.exe
2756	msedge.exe
2756	msedge.exe
988	msedge.exe
988	msedge.exe
1632	identity_helper.exe
1632	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
988	msedge.exe
988	msedge.exe
988	msedge.exe
988	msedge.exe
988	msedge.exe
988	msedge.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	3552	b98ba4f48ad58a55a79732eea1f80838bc26dc0ab3ba0403d04a3c25df9c3d08.exe
Token: SeDebugPrivilege	3552	b98ba4f48ad58a55a79732eea1f80838bc26dc0ab3ba0403d04a3c25df9c3d08.exe
Token: SeDebugPrivilege	1348	cvtres.exe
Token: SeDebugPrivilege	1348	cvtres.exe
Token: SeDebugPrivilege	3276	qxtzoq.exe
Token: 33	3288	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3288	AUDIODG.EXE
Token: SeDebugPrivilege	3468	ewtras.exe
Token: SeDebugPrivilege	4852	powershell.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
988	msedge.exe
988	msedge.exe
988	msedge.exe
988	msedge.exe
988	msedge.exe
988	msedge.exe
988	msedge.exe
988	msedge.exe
988	msedge.exe
988	msedge.exe
988	msedge.exe
988	msedge.exe
988	msedge.exe
988	msedge.exe
988	msedge.exe
988	msedge.exe
988	msedge.exe
988	msedge.exe
988	msedge.exe
988	msedge.exe
988	msedge.exe
988	msedge.exe
988	msedge.exe
988	msedge.exe
988	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
988	msedge.exe
988	msedge.exe
988	msedge.exe
988	msedge.exe
988	msedge.exe
988	msedge.exe
988	msedge.exe
988	msedge.exe
988	msedge.exe
988	msedge.exe
988	msedge.exe
988	msedge.exe
988	msedge.exe
988	msedge.exe
988	msedge.exe
988	msedge.exe
988	msedge.exe
988	msedge.exe
988	msedge.exe
988	msedge.exe
988	msedge.exe
988	msedge.exe
988	msedge.exe
988	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3468	ewtras.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3552 wrote to memory of 1348	3552	b98ba4f48ad58a55a79732eea1f80838bc26dc0ab3ba0403d04a3c25df9c3d08.exe	92
PID 3552 wrote to memory of 1348	3552	b98ba4f48ad58a55a79732eea1f80838bc26dc0ab3ba0403d04a3c25df9c3d08.exe	92
PID 3552 wrote to memory of 1348	3552	b98ba4f48ad58a55a79732eea1f80838bc26dc0ab3ba0403d04a3c25df9c3d08.exe	92
PID 3552 wrote to memory of 1348	3552	b98ba4f48ad58a55a79732eea1f80838bc26dc0ab3ba0403d04a3c25df9c3d08.exe	92
PID 3552 wrote to memory of 1348	3552	b98ba4f48ad58a55a79732eea1f80838bc26dc0ab3ba0403d04a3c25df9c3d08.exe	92
PID 3552 wrote to memory of 1348	3552	b98ba4f48ad58a55a79732eea1f80838bc26dc0ab3ba0403d04a3c25df9c3d08.exe	92
PID 3552 wrote to memory of 1348	3552	b98ba4f48ad58a55a79732eea1f80838bc26dc0ab3ba0403d04a3c25df9c3d08.exe	92
PID 3552 wrote to memory of 1348	3552	b98ba4f48ad58a55a79732eea1f80838bc26dc0ab3ba0403d04a3c25df9c3d08.exe	92
PID 1348 wrote to memory of 404	1348	cvtres.exe	95
PID 1348 wrote to memory of 404	1348	cvtres.exe	95
PID 1348 wrote to memory of 404	1348	cvtres.exe	95
PID 1348 wrote to memory of 3276	1348	cvtres.exe	101
PID 1348 wrote to memory of 3276	1348	cvtres.exe	101
PID 1348 wrote to memory of 2832	1348	cvtres.exe	105
PID 1348 wrote to memory of 2832	1348	cvtres.exe	105
PID 1348 wrote to memory of 2832	1348	cvtres.exe	105
PID 1348 wrote to memory of 4264	1348	cvtres.exe	106
PID 1348 wrote to memory of 4264	1348	cvtres.exe	106
PID 1348 wrote to memory of 4264	1348	cvtres.exe	106
PID 1348 wrote to memory of 3124	1348	cvtres.exe	107
PID 1348 wrote to memory of 3124	1348	cvtres.exe	107
PID 3124 wrote to memory of 3468	3124	ewtras.exe	111
PID 3124 wrote to memory of 3468	3124	ewtras.exe	111
PID 3468 wrote to memory of 2104	3468	ewtras.exe	112
PID 3468 wrote to memory of 2104	3468	ewtras.exe	112
PID 3468 wrote to memory of 4156	3468	ewtras.exe	114
PID 3468 wrote to memory of 4156	3468	ewtras.exe	114
PID 4156 wrote to memory of 4852	4156	cmd.exe	116
PID 4156 wrote to memory of 4852	4156	cmd.exe	116
PID 1348 wrote to memory of 988	1348	cvtres.exe	117
PID 1348 wrote to memory of 988	1348	cvtres.exe	117
PID 988 wrote to memory of 4680	988	msedge.exe	118
PID 988 wrote to memory of 4680	988	msedge.exe	118
PID 988 wrote to memory of 4868	988	msedge.exe	119
PID 988 wrote to memory of 4868	988	msedge.exe	119
PID 988 wrote to memory of 4868	988	msedge.exe	119
PID 988 wrote to memory of 4868	988	msedge.exe	119
PID 988 wrote to memory of 4868	988	msedge.exe	119
PID 988 wrote to memory of 4868	988	msedge.exe	119
PID 988 wrote to memory of 4868	988	msedge.exe	119
PID 988 wrote to memory of 4868	988	msedge.exe	119
PID 988 wrote to memory of 4868	988	msedge.exe	119
PID 988 wrote to memory of 4868	988	msedge.exe	119
PID 988 wrote to memory of 4868	988	msedge.exe	119
PID 988 wrote to memory of 4868	988	msedge.exe	119
PID 988 wrote to memory of 4868	988	msedge.exe	119
PID 988 wrote to memory of 4868	988	msedge.exe	119
PID 988 wrote to memory of 4868	988	msedge.exe	119
PID 988 wrote to memory of 4868	988	msedge.exe	119
PID 988 wrote to memory of 4868	988	msedge.exe	119
PID 988 wrote to memory of 4868	988	msedge.exe	119
PID 988 wrote to memory of 4868	988	msedge.exe	119
PID 988 wrote to memory of 4868	988	msedge.exe	119
PID 988 wrote to memory of 4868	988	msedge.exe	119
PID 988 wrote to memory of 4868	988	msedge.exe	119
PID 988 wrote to memory of 4868	988	msedge.exe	119
PID 988 wrote to memory of 4868	988	msedge.exe	119
PID 988 wrote to memory of 4868	988	msedge.exe	119
PID 988 wrote to memory of 4868	988	msedge.exe	119
PID 988 wrote to memory of 4868	988	msedge.exe	119
PID 988 wrote to memory of 4868	988	msedge.exe	119
PID 988 wrote to memory of 4868	988	msedge.exe	119
PID 988 wrote to memory of 4868	988	msedge.exe	119
PID 988 wrote to memory of 4868	988	msedge.exe	119

C:\Users\Admin\AppData\Local\Temp\b98ba4f48ad58a55a79732eea1f80838bc26dc0ab3ba0403d04a3c25df9c3d08.exe
"C:\Users\Admin\AppData\Local\Temp\b98ba4f48ad58a55a79732eea1f80838bc26dc0ab3ba0403d04a3c25df9c3d08.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3552
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1348
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "cvtres" /tr "C:\Users\Admin\AppData\Roaming\cvtres.exe"
    3⤵
    - Creates scheduled task(s)
    PID:404
- - C:\Users\Admin\AppData\Local\Temp\qxtzoq.exe
    "C:\Users\Admin\AppData\Local\Temp\qxtzoq.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3276
- - C:\Users\Admin\AppData\Local\Temp\nndsza.exe
    "C:\Users\Admin\AppData\Local\Temp\nndsza.exe"
    3⤵
    - Executes dropped EXE
    PID:2832
- - C:\Users\Admin\AppData\Local\Temp\gbzxkh.exe
    "C:\Users\Admin\AppData\Local\Temp\gbzxkh.exe"
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    PID:4264
- - C:\Users\Admin\AppData\Local\Temp\ewtras.exe
    "C:\Users\Admin\AppData\Local\Temp\ewtras.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3124
  - - C:\Users\Admin\AppData\Local\Temp\ewtras.exe
      "C:\Users\Admin\AppData\Local\Temp\ewtras.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Checks SCSI registry key(s)
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3468
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        5⤵
        
        PID:2104
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell -NoProfile -ExecutionPolicy Bypass Start-Process ./assets/700.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4156
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -NoProfile -ExecutionPolicy Bypass Start-Process ./assets/700.exe
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4852
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://i.imgflip.com/1p7cdj.jpg
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:988
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffef2d246f8,0x7ffef2d24708,0x7ffef2d24718
      4⤵
      PID:4680
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2240,565776202167983669,8083365002445196375,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2260 /prefetch:2
      4⤵
      PID:4868
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2240,565776202167983669,8083365002445196375,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2312 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2756
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2240,565776202167983669,8083365002445196375,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2816 /prefetch:8
      4⤵
      PID:3720
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,565776202167983669,8083365002445196375,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
      4⤵
      PID:1812
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,565776202167983669,8083365002445196375,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
      4⤵
      PID:3628
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2240,565776202167983669,8083365002445196375,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5204 /prefetch:8
      4⤵
      PID:4620
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2240,565776202167983669,8083365002445196375,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5204 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1632
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,565776202167983669,8083365002445196375,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4796 /prefetch:1
      4⤵
      PID:2380
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,565776202167983669,8083365002445196375,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4912 /prefetch:1
      4⤵
      PID:3412
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,565776202167983669,8083365002445196375,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
      4⤵
      PID:4792
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,565776202167983669,8083365002445196375,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
      4⤵
      PID:2780

C:\Users\Admin\AppData\Roaming\cvtres.exe
C:\Users\Admin\AppData\Roaming\cvtres.exe
1⤵
- Executes dropped EXE
PID:3128

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x494 0x2f4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3288

C:\Users\Admin\AppData\Roaming\cvtres.exe
C:\Users\Admin\AppData\Roaming\cvtres.exe
1⤵
- Executes dropped EXE
PID:4552

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4312

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9f44d6f922f830d04d7463189045a5a3

SHA1
2e9ae7188ab8f88078e83ba7f42a11a2c421cb1c

SHA256
0ae5cf8b49bc34fafe9f86734c8121b631bad52a1424c1dd2caa05781032334a

SHA512
7c1825eaefcc7b97bae31eeff031899300b175222de14000283e296e9b44680c8b3885a4ed5d78fd8dfee93333cd7289347b95a62bf11f751c4ca47772cf987d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7740a919423ddc469647f8fdd981324d

SHA1
c1bc3f834507e4940a0b7594e34c4b83bbea7cda

SHA256
bdd4adaa418d40558ab033ac0005fd6c2312d5f1f7fdf8b0e186fe1d65d78221

SHA512
7ad98d5d089808d9a707d577e76e809a223d3007778a672734d0a607c2c3ac5f93bc72adb6e6c7f878a577d3a1e69a16d0cd871eb6f58b8d88e2ea25f77d87b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\29733f7b-ea4d-4d11-b124-8d8f183e5fc5.tmp

Filesize
6KB

MD5
a0a47f21c885eb9fde013a45e2d7e027

SHA1
e01affe4ff119de8f8dda3c6c1402632fb1a2527

SHA256
c98183af6e9f967b0b6c9cd821677ec82a0069c050769009d0f2b6d37cbd46ef

SHA512
2a6478eb09368b6aaac6798e4b1f244dfe25c8937db8d2bf56efb11a78fde58aef7dc0d80e24961df0899503f8b98adeb7df0a3c02078c4b2b99062e95ae3b9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0b389ddd4ba00fe0a7f8a60944e809dc

SHA1
e84ff696a3d43cf258a5d682fe14b23271f339e8

SHA256
6344ab13d979eeb660bfb32dc9e6d9db97bfc2a3456c8cdf975f2d95be172712

SHA512
64d3800497aa25f10230f164680fe2bd02f54897da46b335888227dc651e5d3e837d5b6285b2d4a22e954a2fc6da952d6550d28fc516bc5fa3346e5347585e8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
42362b71d2d10332f09ff363f320ce36

SHA1
86a1b5d7f4db60884280436101f04d4d38ce63b4

SHA256
31ea61089ee7a2520c7f2c40e02df66ae4b350e309437fe71327381167151530

SHA512
2dd2758dcd60c08d467a1ba90a4ffdb1f708aafc6fa0d1629b3121f0b4efe502613e76c0b58d38da134a2ba5554619d858db237ef1d98a859d1b7fca86024eeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31242\PIL\_imaging.cp311-win_amd64.pyd

Filesize
2.3MB

MD5
442b67aacded7ea702d53b9f601fcecb

SHA1
b0c644cbf7298c7f319b6bdb27eae2dcffdb66e4

SHA256
338db35f14174040ae3fa5b246b8dd6d0a8264cec1ae64ea87c9446bbdebf193

SHA512
645bd6fd0008b29a2e88d9a86120525496aa011d29a29e3518b35016d31f21fed62fb333efa92a1ec6d9ee5a6943624023b4a03931a6acbdd4ef8b13084bfb82

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31242\SDL2.dll

Filesize
2.4MB

MD5
1b4ba5bd06f14635d1de6d994b4be8fb

SHA1
6b35a9038311652e135f25a3f86eb0a3a60dc43f

SHA256
76f7d265a3efaba658cbf5cf5ff078a4ad46f25160f961575041d1ca34e932c3

SHA512
9e8c80c6e33884171462de9d76e4b9aeedfbbf23c310bc162ebbba81e9a0621988b39e6740fe72d7f2041630e964eb25870bd8dce8f517183a9ff711e157483d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31242\__splash\VCRUNTIME140.dll

Filesize
106KB

MD5
4585a96cc4eef6aafd5e27ea09147dc6

SHA1
489cfff1b19abbec98fda26ac8958005e88dd0cb

SHA256
a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736

SHA512
d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31242\__splash\tcl86t.dll

Filesize
1.8MB

MD5
ac6cd2fb2cd91780db186b8d6e447b7c

SHA1
b387b9b6ca5f0a2b70028ab2147789c4fe24ef7a

SHA256
a91781fe13548b89817462b00058a75fb0b607ec8ce99d265719ced573ade7b6

SHA512
45b24ca07a44d8d90e5efeded2697a37f000b39d305fe63a67292fdd237de3f8efd5e85b139b5702faa695f9f27f12f24ac497e005e2f3c24c141d7cd85305b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31242\__splash\tk86t.dll

Filesize
1.5MB

MD5
499fa3dea045af56ee5356c0ce7d6ce2

SHA1
0444b7d4ecd25491245824c17b84916ee5b39f74

SHA256
20139f4c327711baf18289584fa0c8112f7bb3ba55475bded21f3d107672ed94

SHA512
d776749effa241ba1415b28d2fcff1d64ed903569a8c4e56dfddd672a53b2f44119734b1959b72a9b3f4060bb2c67b7dea959cc2d4a8e9f781f17009c6840fc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31242\_asyncio.pyd

Filesize
63KB

MD5
61a5ae75f514b3ccbf1b939e06a5d451

SHA1
8154795e0f14415fb5802da65aafa91d7cbc57ec

SHA256
2b772076c2dba91fb4f61182b929485cc6c660baab4bce6e08aa18e414c69641

SHA512
bcd077d5d23fdab8427cc077b26626644b1b4b793c7f445e4f85094bd596c28319a854623b6e385f8e479b52726a9b843c4376bf288dc4f09edc30f332dbaf13

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31242\_bz2.pyd

Filesize
82KB

MD5
a62207fc33140de460444e191ae19b74

SHA1
9327d3d4f9d56f1846781bcb0a05719dea462d74

SHA256
ebcac51449f323ae3ae961a33843029c34b6a82138ccd9214cf99f98dd2148c2

SHA512
90f9db9ee225958cb3e872b79f2c70cb1fd2248ebaa8f3282afff9250285852156bf668f5cfec49a4591b416ce7ebaaac62d2d887152f5356512f2347e3762b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31242\_ctypes.pyd

Filesize
120KB

MD5
9b344f8d7ce5b57e397a475847cc5f66

SHA1
aff1ccc2608da022ecc8d0aba65d304fe74cdf71

SHA256
b1214d7b7efd9d4b0f465ec3463512a1cbc5f59686267030f072e6ce4b2a95cf

SHA512
2b0d9e1b550bf108fa842324ab26555f2a224aefff517fdb16df85693e05adaf0d77ebe49382848f1ec68dc9b5ae75027a62c33721e42a1566274d1a2b1baa41

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31242\_lzma.pyd

Filesize
155KB

MD5
0c7ea68ca88c07ae6b0a725497067891

SHA1
c2b61a3e230b30416bc283d1f3ea25678670eb74

SHA256
f74aaf0aa08cf90eb1eb23a474ccb7cb706b1ede7f911daf7ae68480765bdf11

SHA512
fd52f20496a12e6b20279646663d880b1354cffea10793506fe4560ed7da53e4efba900ae65c9996fbb3179c83844a9674051385e6e3c26fb2622917351846b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31242\_overlapped.pyd

Filesize
49KB

MD5
7db2b9d0fd06f7bd7e32b52bd626f1ce

SHA1
6756c6adf03d4887f8be371954ef9179b2df78cd

SHA256
24f9971debbd864e3ba615a89d2c5b0e818f9ab2be4081499bc877761992c814

SHA512
5b3f55c89056c0bf816c480ed7f8aad943a5ca07bd9b9948f0aa7163664d462c3c46d233ee11dd101ce46dc8a53b29e8341e227fe462e81d29e257a6897a5f3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31242\_queue.pyd

Filesize
31KB

MD5
06248702a6cd9d2dd20c0b1c6b02174d

SHA1
3f14d8af944fe0d35d17701033ff1501049e856f

SHA256
ac177cd84c12e03e3a68bca30290bc0b8f173eee518ef1fa6a9dce3a3e755a93

SHA512
5b22bbff56a8b48655332ebd77387d307f5c0a526626f3654267a34bc4863d8afaf08ff3946606f3cf00b660530389c37bdfac91843808dbebc7373040fec4c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31242\_socket.pyd

Filesize
77KB

MD5
26dd19a1f5285712068b9e41808e8fa0

SHA1
90c9a112dd34d45256b4f2ed38c1cbbc9f24dba5

SHA256
eaabf6b78840daeaf96b5bdbf06adf0e4e2994dfeee5c5e27fefd824dbda5220

SHA512
173e1eda05d297d7da2193e8566201f05428437adcac80aecefe80f82d46295b15ce10990b5c080325dc59a432a587eef84a15ec688a62b82493ad501a1e4520

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31242\_ssl.pyd

Filesize
157KB

MD5
ab0e4fbffb6977d0196c7d50bc76cf2d

SHA1
680e581c27d67cd1545c810dbb175c2a2a4ef714

SHA256
680ad2de8a6cff927822c1d7dd22112a3e8a824e82a7958ee409a7b9ce45ec70

SHA512
2bff84a8ec7a26dde8d1bb09792ead8636009c8ef3fa68300a75420197cd7b6c8eaaf8db6a5f97442723e5228afa62961f002948e0eeee8c957c6517547dffba

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31242\_tkinter.pyd

Filesize
62KB

MD5
6352db60d88705ce62b5665764529006

SHA1
e7a22fd590661e91dfe5cace1adff17d7a3de5ec

SHA256
4536d9092a366426aa01e1800d9d4de669928bbcb277f2363d54df44da096c31

SHA512
78b19668c82aef75dcdf98fd0b90677f3530cb7e80dc7cfec5640637fecb3e5d4fb38c21051fc305133882d26c6f8ecb03825227a3d66c5045b968bdc624bd2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31242\base_library.zip

Filesize
1.7MB

MD5
df673df8c5f4b100f5588b8cf1834b68

SHA1
dc82a6a581fc4ad98ef94046753a107f3079e2a8

SHA256
61f8ceeb90d4321ea6b9593627ee414acac0de654327e703c679aebc8c520c6f

SHA512
6836c4bc80a15b89401006d1b061a7ce7c1431b742dcc903bcf027713bf8886189f88e8937dd13bd2c5e21671063adb09939d1c1fcf2db755d8935abd846dc3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31242\libcrypto-1_1.dll

Filesize
3.3MB

MD5
9d7a0c99256c50afd5b0560ba2548930

SHA1
76bd9f13597a46f5283aa35c30b53c21976d0824

SHA256
9b7b4a0ad212095a8c2e35c71694d8a1764cd72a829e8e17c8afe3a55f147939

SHA512
cb39aa99b9d98c735fdacf1c5ed68a4d09d11f30262b91f6aa48c3f8520eff95e499400d0ce7e280ca7a90ff6d7141d2d893ef0b33a8803a1cadb28ba9a9e3e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31242\libffi-8.dll

Filesize
38KB

MD5
0f8e4992ca92baaf54cc0b43aaccce21

SHA1
c7300975df267b1d6adcbac0ac93fd7b1ab49bd2

SHA256
eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a

SHA512
6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31242\libssl-1_1.dll

Filesize
688KB

MD5
bec0f86f9da765e2a02c9237259a7898

SHA1
3caa604c3fff88e71f489977e4293a488fb5671c

SHA256
d74ce01319ae6f54483a19375524aa39d9f5fd91f06cf7df238ca25e043130fd

SHA512
ffbc4e5ffdb49704e7aa6d74533e5af76bbe5db297713d8e59bd296143fe5f145fbb616b343eed3c48eceaccccc2431630470d8975a4a17c37eafcc12edd19f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31242\pyexpat.pyd

Filesize
194KB

MD5
48e6930e3095f5a2dcf9baa67098acfb

SHA1
ddcd143f386e74e9820a3f838058c4caa7123a65

SHA256
c1ed7017ce55119df27563d470e7dc3fb29234a7f3cd5fc82d317b6fe559300b

SHA512
b50f42f6c7ddbd64bf0ff37f40b8036d253a235fb67693a7f1ed096f5c3b94c2bde67d0db63d84a8c710505a891b43f913e1b1044c42b0f5f333d0fe0386a62c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31242\pygame\base.cp311-win_amd64.pyd

Filesize
30KB

MD5
58e3a6e70958d266c40f0e34e4e3622b

SHA1
285304368a161da6d49fe77d04bcefa9f954532d

SHA256
e4a4e703d1bcbf8e5d5cf14f16cafdb21db937fb9c8b86fa2a3736ae23db70c9

SHA512
14e68bce1d751594ffaed6adce383f42468fe8917bae05809100558af679e5878a10e1bda4e5b644c894ef018ed1771ffe5bc6a3a03411ac3a70694db1f7b5d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31242\pygame\constants.cp311-win_amd64.pyd

Filesize
49KB

MD5
22269c2cf45d1b2c1e6e9c6d2dd3a4f2

SHA1
50b575334c6b7677ea44c2166308d46f4e5d1d6b

SHA256
6cc41ae1371e1aefb593a6a7f23969062fdd6335762879ef5b691e587eaaf22e

SHA512
ebf75db7f51ebf76f3755c85a75e2349341cca28aaf887123b331dadbce0b358d84a241d934ff730bbf478877d3885a87cacbcfbea8d19e30dc7b91791a1d201

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31242\python3.dll

Filesize
65KB

MD5
7442c154565f1956d409092ede9cc310

SHA1
c72f9c99ea56c8fb269b4d6b3507b67e80269c2d

SHA256
95086ac060ffe6933ac04a6aa289b1c7d321f14380315e24ba0d6c4adfa0842b

SHA512
2bf96828534bcdf71e48d1948b989011d8e3ba757c38cc17905a13d3021ea5deb57e2c68d79507a6acbb62be009cfc85b24d14543958dba1d3bc3e4ca7d4f844

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31242\python311.dll

Filesize
5.5MB

MD5
e2bd5ae53427f193b42d64b8e9bf1943

SHA1
7c317aad8e2b24c08d3b8b3fba16dd537411727f

SHA256
c4844b05e3a936b130adedb854d3c04d49ee54edb43e9d36f8c4ae94ccb78400

SHA512
ae23a6707e539c619fd5c5b4fc6e4734edc91f89ebe024d25ff2a70168da6105ac0bd47cf6bf3715af6411963caf0acbb4632464e1619ca6361abf53adfe7036

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31242\select.pyd

Filesize
29KB

MD5
756c95d4d9b7820b00a3099faf3f4f51

SHA1
893954a45c75fb45fe8048a804990ca33f7c072d

SHA256
13e4d9a734a453a3613e11b6a518430099ad7e3d874ea407d1f9625b7f60268a

SHA512
0f54f0262cf8d71f00bf5666eb15541c6ecc5246cd298efd3b7dd39cdd29553a8242d204c42cfb28c537c3d61580153200373c34a94769f102b3baa288f6c398

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31242\tcl\encoding\cp1252.enc

Filesize
1KB

MD5
e9117326c06fee02c478027cb625c7d8

SHA1
2ed4092d573289925a5b71625cf43cc82b901daf

SHA256
741859cf238c3a63bbb20ec6ed51e46451372bb221cfff438297d261d0561c2e

SHA512
d0a39bc41adc32f2f20b1a0ebad33bf48dfa6ed5cc1d8f92700cdd431db6c794c09d9f08bb5709b394acf54116c3a1e060e2abcc6b503e1501f8364d3eebcd52

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31242\tk\text.tcl

Filesize
34KB

MD5
7c2ac370de0b941ae13572152419c642

SHA1
7598cc20952fa590e32da063bf5c0f46b0e89b15

SHA256
4a42ad370e0cd93d4133b49788c0b0e1c7cd78383e88bacb51cb751e8bfda15e

SHA512
8325a33bfd99f0fce4f14ed5dc6e03302f6ffabce9d1abfefc24d16a09ab3439a4b753cbf06b28d8c95e4ddabfb9082c9b030619e8955a7e656bd6c61b9256c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31242\tk\ttk\cursors.tcl

Filesize
4KB

MD5
18ec3e60b8dd199697a41887be6ce8c2

SHA1
13ff8ce95289b802a5247b1fd9dea90d2875cb5d

SHA256
7a2ed9d78fabcafff16694f2f4a2e36ff5aa313f912d6e93484f3bcd0466ad91

SHA512
4848044442efe75bcf1f89d8450c8ecbd441f38a83949a3cd2a56d9000cacaa2ea440ca1b32c856ab79358ace9c7e3f70ddf0ec54aa93866223d8fef76930b19

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31242\tk\ttk\fonts.tcl

Filesize
5KB

MD5
80331fcbe4c049ff1a0d0b879cb208de

SHA1
4eb3efdfe3731bd1ae9fd52ce32b1359241f13cf

SHA256
b94c319e5a557a5665b1676d602b6495c0887c5bacf7fa5b776200112978bb7b

SHA512
a4bd2d91801c121a880225f1f3d0c4e30bf127190cf375f6f7a49eb4239a35c49c44f453d6d3610df0d6a7b3cb15f4e79bd9c129025cc496ceb856fcc4b6de87

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31242\tk\ttk\ttk.tcl

Filesize
4KB

MD5
af45b2c8b43596d1bdeca5233126bd14

SHA1
a99e75d299c4579e10fcdd59389b98c662281a26

SHA256
2c48343b1a47f472d1a6b9ee8d670ce7fb428db0db7244dc323ff4c7a8b4f64b

SHA512
c8a8d01c61774321778ab149f6ca8dda68db69133cb5ba7c91938e4fd564160ecdcec473222affb241304a9acc73a36b134b3a602fd3587c711f2adbb64afa80

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31242\tk\ttk\utils.tcl

Filesize
8KB

MD5
d98edc491da631510f124cd3934f535f

SHA1
33037a966067c9f5c9074ae5532ff3b51b4082d4

SHA256
d58610a34301bb6e61a60bec69a7cecf4c45c6a034a9fc123977174b586278be

SHA512
23faed8298e561f490997fe44ab61cd8ccb9f1f63d48bb4cf51fc9e591e463ff9297973622180d6a599cabb541c82b8fe33bf38a82c5d5905bbfa52ca0341399

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jnhx0w5n.u2r.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ewtras.exe

Filesize
31.8MB

MD5
1dd78e1d166b8996cebef2335a6a5ff4

SHA1
a5b9d55a7ce0ea5b870c000389f2de11eee10d3c

SHA256
016a3d5b64325ea0d7bb3561cfba8ba43ee937be69c8cd4f26ba8ee1e532d10f

SHA512
9d7bc3a7d493a2b7854caff5739b17faadff1e3330590c9ae089ac4354f31a08d6ed06dc5e2affed0baf3b1a2d04eafe23e67acef03b08be2f7ee7fabe7504f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbzxkh.exe

Filesize
1.3MB

MD5
94259b5ad79024a5b6f5388f18ec061f

SHA1
975251f1d30d9e0c41a88ff58eaa98283d0b2c01

SHA256
100b97224063dbaea25b4d53672b7e3fc81443aeef10151c47096ffb3c849334

SHA512
1b66ddb7fecf930680557ca2e036902b6ac60754fb5fecf5283ad66c45dadfe0a1f1a876ca4a8ced007008c03df0b1720011bf5be692c5cd8db2ce8f3c63ee82

Download Submit
C:\Users\Admin\AppData\Local\Temp\nndsza.exe

Filesize
55KB

MD5
d6e6e2fb2e45c7a2ca6585d86b39d2d0

SHA1
0f64d36122ea98d09b504041b5a511dc4a0b5275

SHA256
942f4aca0316e529d0b7c721b774f37738fb99d27fb4adc034d08cb31fd72924

SHA512
9493b05deed8e0bfdf590c60d7aa7894420b192fdfbd979d321aae9c9cc1d5104fa6125ae8139b12ba1e0c227727375fe046456733c20198f20508321d8adaa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\qxtzoq.exe

Filesize
84KB

MD5
7051dcbe9a0837a312b09a5ae3b42430

SHA1
3553ff8725a57929e438228bf141b695c13cecb4

SHA256
ce750c7054359e9e88556d48f7eea341374b74f494caed48251185b54c9ed644

SHA512
2e82160bff1fbdd6f6a9f0210dfaf831650fdefdf8e3bb70c3c2717122b107ef3610c5c5f55908843df7ba3bd3bbefc40b9d1dda07877083cbd2ab8b090a276c

Download Submit
C:\Users\Admin\AppData\Roaming\cvtres.exe

Filesize
45KB

MD5
70d838a7dc5b359c3f938a71fad77db0

SHA1
66b83eb16481c334719eed406bc58a3c2b910923

SHA256
e4dbdbf7888ea96f3f8aa5c4c7f2bcf6e57d724dd8194fe5f35b673c6ef724ea

SHA512
9c9a945db5b5e7ff8105bfe74578e6f00b5f707f7c3d8f1f1fb41553a6d0eab29cef026e77877a1ad6435fa7bc369141921442e1485f2b0894c6bbcbd7791034

Download Submit
memory/1348-4924-0x00000000052D0000-0x00000000052E0000-memory.dmp

Filesize
64KB

Download
memory/1348-4894-0x0000000074F20000-0x00000000756D0000-memory.dmp

Filesize
7.7MB

Download
memory/1348-4895-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1348-4896-0x0000000005040000-0x00000000050DC000-memory.dmp

Filesize
624KB

Download
memory/1348-4897-0x00000000050E0000-0x0000000005146000-memory.dmp

Filesize
408KB

Download
memory/1348-4898-0x00000000052D0000-0x00000000052E0000-memory.dmp

Filesize
64KB

Download
memory/1348-4921-0x0000000074F20000-0x00000000756D0000-memory.dmp

Filesize
7.7MB

Download
memory/3276-4920-0x00000000009D0000-0x00000000009EC000-memory.dmp

Filesize
112KB

Download
memory/3276-4923-0x00007FFEF1240000-0x00007FFEF1D01000-memory.dmp

Filesize
10.8MB

Download
memory/3276-4922-0x00007FFEF1240000-0x00007FFEF1D01000-memory.dmp

Filesize
10.8MB

Download
memory/3552-46-0x0000000006BB0000-0x0000000006DCF000-memory.dmp

Filesize
2.1MB

Download
memory/3552-34-0x0000000006BB0000-0x0000000006DCF000-memory.dmp

Filesize
2.1MB

Download
memory/3552-0-0x0000000000D50000-0x0000000000F9A000-memory.dmp

Filesize
2.3MB

Download
memory/3552-4893-0x0000000074F20000-0x00000000756D0000-memory.dmp

Filesize
7.7MB

Download
memory/3552-4890-0x00000000072B0000-0x0000000007304000-memory.dmp

Filesize
336KB

Download
memory/3552-4887-0x0000000006E30000-0x0000000006E31000-memory.dmp

Filesize
4KB

Download
memory/3552-4886-0x0000000005970000-0x0000000005980000-memory.dmp

Filesize
64KB

Download
memory/3552-2958-0x0000000074F20000-0x00000000756D0000-memory.dmp

Filesize
7.7MB

Download
memory/3552-68-0x0000000006BB0000-0x0000000006DCF000-memory.dmp

Filesize
2.1MB

Download
memory/3552-64-0x0000000006BB0000-0x0000000006DCF000-memory.dmp

Filesize
2.1MB

Download
memory/3552-66-0x0000000006BB0000-0x0000000006DCF000-memory.dmp

Filesize
2.1MB

Download
memory/3552-62-0x0000000006BB0000-0x0000000006DCF000-memory.dmp

Filesize
2.1MB

Download
memory/3552-60-0x0000000006BB0000-0x0000000006DCF000-memory.dmp

Filesize
2.1MB

Download
memory/3552-58-0x0000000006BB0000-0x0000000006DCF000-memory.dmp

Filesize
2.1MB

Download
memory/3552-56-0x0000000006BB0000-0x0000000006DCF000-memory.dmp

Filesize
2.1MB

Download
memory/3552-50-0x0000000006BB0000-0x0000000006DCF000-memory.dmp

Filesize
2.1MB

Download
memory/3552-54-0x0000000006BB0000-0x0000000006DCF000-memory.dmp

Filesize
2.1MB

Download
memory/3552-52-0x0000000006BB0000-0x0000000006DCF000-memory.dmp

Filesize
2.1MB

Download
memory/3552-44-0x0000000006BB0000-0x0000000006DCF000-memory.dmp

Filesize
2.1MB

Download
memory/3552-48-0x0000000006BB0000-0x0000000006DCF000-memory.dmp

Filesize
2.1MB

Download
memory/3552-4889-0x00000000070B0000-0x00000000070FC000-memory.dmp

Filesize
304KB

Download
memory/3552-42-0x0000000006BB0000-0x0000000006DCF000-memory.dmp

Filesize
2.1MB

Download
memory/3552-40-0x0000000006BB0000-0x0000000006DCF000-memory.dmp

Filesize
2.1MB

Download
memory/3552-38-0x0000000006BB0000-0x0000000006DCF000-memory.dmp

Filesize
2.1MB

Download
memory/3552-36-0x0000000006BB0000-0x0000000006DCF000-memory.dmp

Filesize
2.1MB

Download
memory/3552-4888-0x0000000007110000-0x0000000007172000-memory.dmp

Filesize
392KB

Download
memory/3552-32-0x0000000006BB0000-0x0000000006DCF000-memory.dmp

Filesize
2.1MB

Download
memory/3552-30-0x0000000006BB0000-0x0000000006DCF000-memory.dmp

Filesize
2.1MB

Download
memory/3552-28-0x0000000006BB0000-0x0000000006DCF000-memory.dmp

Filesize
2.1MB

Download
memory/3552-26-0x0000000006BB0000-0x0000000006DCF000-memory.dmp

Filesize
2.1MB

Download
memory/3552-24-0x0000000006BB0000-0x0000000006DCF000-memory.dmp

Filesize
2.1MB

Download
memory/3552-22-0x0000000006BB0000-0x0000000006DCF000-memory.dmp

Filesize
2.1MB

Download
memory/3552-20-0x0000000006BB0000-0x0000000006DCF000-memory.dmp

Filesize
2.1MB

Download
memory/3552-1-0x0000000074F20000-0x00000000756D0000-memory.dmp

Filesize
7.7MB

Download
memory/3552-2-0x0000000006BB0000-0x0000000006DD6000-memory.dmp

Filesize
2.1MB

Download
memory/3552-3-0x0000000007380000-0x0000000007924000-memory.dmp

Filesize
5.6MB

Download
memory/3552-18-0x0000000006BB0000-0x0000000006DCF000-memory.dmp

Filesize
2.1MB

Download
memory/3552-4-0x0000000006E70000-0x0000000006F02000-memory.dmp

Filesize
584KB

Download
memory/3552-16-0x0000000006BB0000-0x0000000006DCF000-memory.dmp

Filesize
2.1MB

Download
memory/3552-14-0x0000000006BB0000-0x0000000006DCF000-memory.dmp

Filesize
2.1MB

Download
memory/3552-12-0x0000000006BB0000-0x0000000006DCF000-memory.dmp

Filesize
2.1MB

Download
memory/3552-5-0x0000000006BB0000-0x0000000006DCF000-memory.dmp

Filesize
2.1MB

Download
memory/3552-10-0x0000000006BB0000-0x0000000006DCF000-memory.dmp

Filesize
2.1MB

Download
memory/3552-6-0x0000000006BB0000-0x0000000006DCF000-memory.dmp

Filesize
2.1MB

Download
memory/3552-8-0x0000000006BB0000-0x0000000006DCF000-memory.dmp

Filesize
2.1MB

Download
memory/4852-6067-0x00007FFEEFBC0000-0x00007FFEF0681000-memory.dmp

Filesize
10.8MB

Download
memory/4852-6064-0x00000198FB530000-0x00000198FB540000-memory.dmp

Filesize
64KB

Download
memory/4852-6052-0x00000198FB530000-0x00000198FB540000-memory.dmp

Filesize
64KB

Download
memory/4852-6063-0x00000198FB500000-0x00000198FB522000-memory.dmp

Filesize
136KB

Download
memory/4852-6058-0x00000198FB530000-0x00000198FB540000-memory.dmp

Filesize
64KB

Download
memory/4852-6051-0x00007FFEEFBC0000-0x00007FFEF0681000-memory.dmp

Filesize
10.8MB

Download