Malware Analysis Report

2024-09-23 01:12

Sample ID 240515-1k3bxsdg64
Target https://github.com/xaim919/Discord-Image-Grabber
Tags
stormkitty pyinstaller stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

Threat Level: Known bad

The file https://github.com/xaim919/Discord-Image-Grabber was found to be: Known bad.

Malicious Activity Summary

stormkitty pyinstaller stealer

StormKitty

Contains code to disable Windows Defender

StormKitty payload

Executes dropped EXE

Checks computer location settings

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

Detects Pyinstaller

Enumerates physical storage devices

Runs net.exe

Suspicious use of SendNotifyMessage

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of AdjustPrivilegeToken

Enumerates system info in registry

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

Kills process with taskkill

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-05-15 21:43

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-15 21:43

Reported

2024-05-15 21:44

Platform

win10v2004-20240426-en

Max time kernel

24s

Max time network

29s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/xaim919/Discord-Image-Grabber

Signatures

Contains code to disable Windows Defender

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zO435A0AE7\image grabber.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zO435A0AE7\image grabber.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A checkip.dyndns.org N/A N/A

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Runs net.exe

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3316 wrote to memory of 4396 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3316 wrote to memory of 4396 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3316 wrote to memory of 4996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3316 wrote to memory of 4996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3316 wrote to memory of 4996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3316 wrote to memory of 4996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3316 wrote to memory of 4996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3316 wrote to memory of 4996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3316 wrote to memory of 4996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3316 wrote to memory of 4996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3316 wrote to memory of 4996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3316 wrote to memory of 4996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3316 wrote to memory of 4996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3316 wrote to memory of 4996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3316 wrote to memory of 4996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3316 wrote to memory of 4996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3316 wrote to memory of 4996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3316 wrote to memory of 4996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3316 wrote to memory of 4996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3316 wrote to memory of 4996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3316 wrote to memory of 4996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3316 wrote to memory of 4996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3316 wrote to memory of 4996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3316 wrote to memory of 4996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3316 wrote to memory of 4996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3316 wrote to memory of 4996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3316 wrote to memory of 4996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3316 wrote to memory of 4996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3316 wrote to memory of 4996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3316 wrote to memory of 4996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3316 wrote to memory of 4996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3316 wrote to memory of 4996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3316 wrote to memory of 4996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3316 wrote to memory of 4996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3316 wrote to memory of 4996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3316 wrote to memory of 4996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3316 wrote to memory of 4996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3316 wrote to memory of 4996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3316 wrote to memory of 4996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3316 wrote to memory of 4996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3316 wrote to memory of 4996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3316 wrote to memory of 4996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3316 wrote to memory of 2684 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3316 wrote to memory of 2684 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3316 wrote to memory of 2840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3316 wrote to memory of 2840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3316 wrote to memory of 2840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3316 wrote to memory of 2840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3316 wrote to memory of 2840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3316 wrote to memory of 2840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3316 wrote to memory of 2840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3316 wrote to memory of 2840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3316 wrote to memory of 2840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3316 wrote to memory of 2840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3316 wrote to memory of 2840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3316 wrote to memory of 2840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3316 wrote to memory of 2840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3316 wrote to memory of 2840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3316 wrote to memory of 2840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3316 wrote to memory of 2840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3316 wrote to memory of 2840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3316 wrote to memory of 2840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3316 wrote to memory of 2840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3316 wrote to memory of 2840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/xaim919/Discord-Image-Grabber

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd150d46f8,0x7ffd150d4708,0x7ffd150d4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,2010494825662509829,515495958537892098,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,2010494825662509829,515495958537892098,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2348 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,2010494825662509829,515495958537892098,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2812 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2010494825662509829,515495958537892098,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2010494825662509829,515495958537892098,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,2010494825662509829,515495958537892098,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5692 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,2010494825662509829,515495958537892098,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5692 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2010494825662509829,515495958537892098,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2010494825662509829,515495958537892098,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5588 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2100,2010494825662509829,515495958537892098,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3296 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2010494825662509829,515495958537892098,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3468 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2100,2010494825662509829,515495958537892098,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6080 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2010494825662509829,515495958537892098,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5740 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2010494825662509829,515495958537892098,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4936 /prefetch:1

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Image Grabber.rar"

C:\Users\Admin\AppData\Local\Temp\7zO435A0AE7\image grabber.exe

"C:\Users\Admin\AppData\Local\Temp\7zO435A0AE7\image grabber.exe"

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\GRABBER.EXE

"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\GRABBER.EXE"

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\IMAGE LOGGER.EXE

"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\IMAGE LOGGER.EXE"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\LOL.BAT" "

C:\Windows\SysWOW64\net.exe

net stop"WinDefend"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop"WinDefend"

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\IMAGE LOGGER.EXE

"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\IMAGE LOGGER.EXE"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /t /im "MSASCui.exe"

C:\Windows\SysWOW64\reg.exe

reg add "hklm\Software\Microsoft\Windows\CurrentVersion\Run" /v "rundll32_awspeGfa_w32" /t "REG_SZ" /d "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\LOL.BAT" /f

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7zO435A0AE7\XD.vbs"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c title xyz

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 avatars.githubusercontent.com udp
US 8.8.8.8:53 github.githubassets.com udp
US 185.199.108.133:443 avatars.githubusercontent.com tcp
US 185.199.108.154:443 github.githubassets.com tcp
US 185.199.108.154:443 github.githubassets.com tcp
US 185.199.108.154:443 github.githubassets.com tcp
US 185.199.108.154:443 github.githubassets.com tcp
US 185.199.108.154:443 github.githubassets.com tcp
US 185.199.108.154:443 github.githubassets.com tcp
US 8.8.8.8:53 github-cloud.s3.amazonaws.com udp
US 8.8.8.8:53 user-images.githubusercontent.com udp
US 8.8.8.8:53 154.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 collector.github.com udp
US 140.82.113.21:443 collector.github.com tcp
US 140.82.113.21:443 collector.github.com tcp
US 185.199.108.154:443 github.githubassets.com tcp
US 8.8.8.8:53 api.github.com udp
GB 20.26.156.210:443 api.github.com tcp
US 8.8.8.8:53 21.113.82.140.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 210.156.26.20.in-addr.arpa udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.160:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 160.61.62.23.in-addr.arpa udp
NL 23.62.61.160:443 www.bing.com tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 checkip.dyndns.org udp
US 158.101.44.242:80 checkip.dyndns.org tcp
US 8.8.8.8:53 242.44.101.158.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 ea98e583ad99df195d29aa066204ab56
SHA1 f89398664af0179641aa0138b337097b617cb2db
SHA256 a7abb51435909fa2d75c6f2ff5c69a93d4a0ab276ed579e7d8733b2a63ffbee6
SHA512 e109be3466e653e5d310b3e402e1626298b09205d223722a82344dd78504f3c33e1e24e8402a02f38cd2c9c50d96a303ce4846bea5a583423937ab018cd5782f

\??\pipe\LOCAL\crashpad_3316_AXIZVPQEETKWFNQE

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 4f7152bc5a1a715ef481e37d1c791959
SHA1 c8a1ed674c62ae4f45519f90a8cc5a81eff3a6d7
SHA256 704dd4f98d8ca34ec421f23ba1891b178c23c14b3301e4655efc5c02d356c2bc
SHA512 2e6b02ca35d76a655a17a5f3e9dbd8d7517c7dae24f0095c7350eb9e7bdf9e1256a7009aa8878f96c89d1ea4fe5323a41f72b8c551806dda62880d7ff231ff5c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 de894e2c194c190cde05203cc884af54
SHA1 c010487ef14673f784a7aa2c2004eaf53e9a54e4
SHA256 1af8cf4ac1eaf495f29b8590b6549cc65a650154ddb40c74a9cd4754663278bc
SHA512 c04d2b08b56a1433fb09db6473f397604ab31c127100cbde561c100bf7f2c22248c4003ad89445d281d8f01ce2b59386e8d850c56b576d810c3940c50a88f977

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 064297ca2a92eac3b3daa6665c4e06c5
SHA1 08046db349bc8fb3d477d792f48d102dd4b030a0
SHA256 e173b01cb135261f6acbec486ece3fe3b5a6c27fa7112fb6a72861cc4f1ec7e8
SHA512 932b3da99b4e733929ae989d2a3b187ea140bfa5198455d3e3c2286c574dac276e36d6ed6b67af5352e3cd2df44aa44b397e314a4393a5f2b13676791d851816

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 3592b848a07aa09c93e512537da6d97f
SHA1 dcee467698f6ee12af22a08bd7d54a43d7a8e700
SHA256 14e09932d98e403a33c8388acee820717a7d3279eb34fe699cd90546bb92a746
SHA512 3807f8de1a0e3f552df0906a2df4cbb4fbf9dd93866c100bee86e9eefab4ce061af90c98757a294be64b412f97f01b8b5d9333906549e3835c50a6175d4e03f2

C:\Users\Admin\Downloads\Unconfirmed 173105.crdownload

MD5 44de91e271048fb81154f20559a9cb9f
SHA1 c3971f1cc73c2e9bb3003f1b55cd4155bb294fa1
SHA256 d52870d8ffaadba5beb9d658781564e5e9c9a27e67606a13e3b8581008bd5693
SHA512 254d77d478cf30c19bdaeaa826fdee73eed21ce2e22b462d9161c17d41f7d90f18ada2795a2a26957457a6088645bc9a1ecb1bb23d3a3d93b9a3aeeda08e0fbe

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 c511c66805130138430cec793453ca61
SHA1 f371722513b1d4794c09e371364c06b91c68166e
SHA256 900a83e97509823ad4ce1a1eede8b715d8a3e19102641b636d3ffa5514c98296
SHA512 1f2d46dad324197bbe339129bcd9f9be6ab21faf0b2de3bb6763fdbae780dc7853dc2864d935aba958b4e38fc8d8304aba11a0bb5fab2a4c89682b1afa326de7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 aedd3e681deab4782bdcee89dd478622
SHA1 a9edc43a991aac75201ae0f9e771e6bc2bd5a7ad
SHA256 c958572f0c580f3b1bdcd1b38e34d678080949e2490003f32a5f91e4e8710385
SHA512 a471b416c2ddf6d2ff686c6ae1860bbd187c98b6c053d695d8486bcc7bbc75272c173cb037b205318fbc1c1d06cb7db8b9f84a5a6575626864c648aa81b6bf07

C:\Users\Admin\AppData\Local\Temp\7zO435A0AE7\image grabber.exe

MD5 450af056aabbcc2aa7df5a33b40423c1
SHA1 5384300bb46b349a22b8de845f3e1bb81b21127e
SHA256 b3da645311707200427f2ddadf01908d6841759b670f8288b7d3e5bd556e65be
SHA512 5da75c4146abb15465ae0c39094fa0464ab46ae9097f4acafb48aeb15a42727931aa58a5d0b15e5e31665fe92087877fd082f35c7ef832e7ff99bebd179b7ed9

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\GRABBER.EXE

MD5 d8a776348b63fd6d8df4a8c6e94c60d7
SHA1 3bb173d4097bec73a58558aa954e322704c90363
SHA256 88dea99636204335f5dbb9c70965d68ad99faa56af18dd618b97358c8bfd8aca
SHA512 d15149b06a35c2ed930397f249d0bf33b53b477d75024925a2cbe6ffa3e2913d5a3a34ecb452d8505a3adf8a4dad5d8de5fd40e62b197cb2bf25e4c81bb776a5

memory/5644-249-0x0000000000A80000-0x0000000000AA8000-memory.dmp

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\IMAGE LOGGER.EXE

MD5 2f16688544cef3e2f408351bf83482e8
SHA1 8d6056e029876c7cbee46e2c36ca6042c9ff07ff
SHA256 7275073b3139f2f512533a6ef060497ca57be41e807c906c9e5724d4cdc90101
SHA512 13da72cf923f22891dcb752da8fe7b504f4cd9dfebd97bc1a1ed16303d73d03eab9536c83e108a6cdba4b1f98ba9d36e5e5e189018e8b549f257e94e5e96d5d4

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\LOL.BAT

MD5 63a8d4832194895037e912648b21dd7e
SHA1 4f7c6dc63b3189387e11e0e83461f72f73ec8efb
SHA256 2019bcc66d0c119fde0cf62200d1285d7752e91a39bbb2f29ecacc4864860ea3
SHA512 9206b55dfcb5fffe59766a0c2ad3c82086dbfcd56dd757f1c09dbd03e8caf8f1beddb1c89d64c5b3771c67724817ce129d8d761cac9f3c42d8c243d84982ded8

C:\Users\Admin\AppData\Local\Temp\_MEI57042\ucrtbase.dll

MD5 61eb0ad4c285b60732353a0cb5c9b2ab
SHA1 21a1bea01f6ca7e9828a522c696853706d0a457b
SHA256 10521fe73fe05f2ba95d40757d9f676f2091e2ed578da9d5cdef352f986f3bcd
SHA512 44cd871f48b5193abb3b9664dbea8cdad19e72c47b6967c685cf1cc803bc9abb48a8a93009c972ef4936e7f78e3c92110828790aa0a9d26b80e6a523bbcd830d

C:\Users\Admin\AppData\Local\Temp\_MEI57042\python310.dll

MD5 c6c37b848273e2509a7b25abe8bf2410
SHA1 b27cfbd31336da1e9b1f90e8f649a27154411d03
SHA256 b7a7f3707beab109b66de3e340e3022dd83c3a18f444feb9e982c29cf23c29b8
SHA512 222ad791304963a4b8c1c6055e02c0c4c47fce2bb404bd4f89c022ff9706e29ca6fa36c72350fbf296c8a0e3e48e3756f969c003dd1eb056cd026efe0b7eba40

C:\Users\Admin\AppData\Local\Temp\_MEI57042\VCRUNTIME140.dll

MD5 a87575e7cf8967e481241f13940ee4f7
SHA1 879098b8a353a39e16c79e6479195d43ce98629e
SHA256 ded5adaa94341e6c62aea03845762591666381dca30eb7c17261dd154121b83e
SHA512 e112f267ae4c9a592d0dd2a19b50187eb13e25f23ded74c2e6ccde458bcdaee99f4e3e0a00baf0e3362167ae7b7fe4f96ecbcd265cc584c1c3a4d1ac316e92f0

C:\Users\Admin\AppData\Local\Temp\_MEI57042\base_library.zip

MD5 b84ef290351f6094577edd80643bda7d
SHA1 545caae3c268580486933df445aef3b941266557
SHA256 41c75c5c680d01197d5b731c448158172cae9d6eceb08f0b2e4135b8e8a14339
SHA512 37bf1a0c6a8c3c925a8d7c3a144bfe295bba4873c2751b5a948f34fa6bb0cf8c31084ff23d10f9b602ee31ace264a9f144000fd5efd34a8e9a84aa06ce3cbde8

C:\Users\Admin\AppData\Local\Temp\_MEI57042\libffi-7.dll

MD5 eef7981412be8ea459064d3090f4b3aa
SHA1 c60da4830ce27afc234b3c3014c583f7f0a5a925
SHA256 f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081
SHA512 dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 5093b0d83a649bfa246b287f6da051df
SHA1 f628ccc895611aabdecfa6bfc31e2aeadd0c89e9
SHA256 6c342e2e5554311114183c4778870217ad0a8dd065f4690e166b794c9971d26c
SHA512 4e5196981bc446602745775bc05e0ac325c5abd7f011b8cc50468bf462a066789cd83c2f8c74ebbb39eab3a8fbce610bc98440fc3c7ca8a67aa6b829896440a8

C:\Users\Admin\AppData\Local\Temp\_MEI57042\_ctypes.pyd

MD5 41a9708af86ae3ebc358e182f67b0fb2
SHA1 accab901e2746f7da03fab8301f81a737b6cc180
SHA256 0bd4ed11f2fb097f235b62eb26a00c0cb16815bbf90ab29f191af823a9fed8cf
SHA512 835f9aa33fdfbb096c31f8ac9a50db9fac35918fc78bce03dae55ea917f738a41f01aee4234a5a91ffa5bdbbd8e529399205592eb0cae3224552c35c098b7843

C:\Users\Admin\AppData\Local\Temp\_MEI57042\python3.dll

MD5 c38e9571f33898eb9f3da53dc29b512f
SHA1 5be348c829b6dfa008d0dd239414ad388e5d7ace
SHA256 70596aea8c5ca8f3bf88e46a0606522413b50208ec9fcc6b706f7a064cf83b79
SHA512 1704be273e3485013282c269fc974558683204639fccfb46e6eb640c64a0769a21572a07ee62fe1d5eb1eed4d1419f2293d6e4fd8193caafe128c6d66bd48f6e

C:\Users\Admin\AppData\Local\Temp\_MEI57042\_socket.pyd

MD5 79c2ff05157ef4ba0a940d1c427c404e
SHA1 17da75d598deaa480cdd43e282398e860763297b
SHA256 f3e0e2f3e70ab142e7ce1a4d551c5623a3317fb398d359e3bd8e26d21847f707
SHA512 f91fc9c65818e74ddc08bbe1ccea49f5f60d6979bc27e1cdb2ef40c2c8a957bd3be7aea5036394abab52d51895290d245fd5c9f84cc3cc554597ae6f85c149e1

C:\Users\Admin\AppData\Local\Temp\_MEI57042\select.pyd

MD5 431464c4813ed60fbf15a8bf77b0e0ce
SHA1 9825f6a8898e38c7a7ddc6f0d4b017449fb54794
SHA256 1f56df23a36132f1e5be4484582c73081516bee67c25ef79beee01180c04c7f0
SHA512 53175384699a7bb3b93467065992753b73d8f3a09e95e301a1a0386c6a1224fa9ed8fa42c99c1ffbcfa6377b6129e3db96e23750e7f23b4130af77d14ac504a0

C:\Users\Admin\AppData\Local\Temp\_MEI57042\_ssl.pyd

MD5 1ed0ef72a40268e300a611ba4ab20dfd
SHA1 4d04d5911a6ed422308ea11d7b15821af8f62585
SHA256 5860fe208122219a4071cc369d5001edc3b08c13bd96156abd1375e35401acd0
SHA512 f72ea051ed50a09561414fc41d837c03ce44be9d8e4c39f59133dd8a092c9f13fc942c58dc8517edc149caa3bf7d94fa6bdbe88cabc8cb3c6a02428676572f3e

C:\Users\Admin\AppData\Local\Temp\_MEI57042\libssl-1_1.dll

MD5 86556da811797c5e168135360acac6f2
SHA1 42d868fc25c490db60030ef77fba768374e7fe03
SHA256 a594fc6fa4851b3095279f6dc668272ee975e7e03b850da4945f49578abe48cb
SHA512 4ba4d6bfff563a3f9c139393da05321db160f5ae8340e17b82f46bcaf30cbcc828b2fc4a4f86080e4826f0048355118ef21a533def5e4c9d2496b98951344690

C:\Users\Admin\AppData\Local\Temp\_MEI57042\libcrypto-1_1.dll

MD5 63c756d74c729d6d24da2b8ef596a391
SHA1 7610bb1cbf7a7fdb2246be55d8601af5f1e28a00
SHA256 17d0f4c13c213d261427ee186545b13ef0c67a99fe7ad12cd4d7c9ec83034ac8
SHA512 d9cf045bb1b6379dd44f49405cb34acf8570aed88b684d0ab83af571d43a0d8df46d43460d3229098bd767dd6e0ef1d8d48bc90b9040a43b5469cef7177416a2

C:\Users\Admin\AppData\Local\Temp\_MEI57042\_brotli.cp310-win_amd64.pyd

MD5 6d44fd95c62c6415999ebc01af40574b
SHA1 a5aee5e107d883d1490257c9702913c12b49b22a
SHA256 58bacb135729a70102356c2d110651f1735bf40a602858941e13bdeabfacab4a
SHA512 59b6c07079f979ad4a27ec394eab3fdd2d2d15d106544246fe38f4eb1c9e12672f11d4a8efb5a2a508690ce2677edfac85eb793e2f6a5f8781b258c421119ff3

C:\Users\Admin\AppData\Local\Temp\_MEI57042\MSVCP140.dll

MD5 db0ab2886b8cb6d21d0f2a88073a6f59
SHA1 609a7778a6114a47ae8af0c0fa1e42a9cbf0e3b2
SHA256 5fddf4a5c13c79e180656a58f5dfd5058b03eb9ca2125c23a9c8ef86980472c4
SHA512 2918da5404dc95130ad061336ebdb105dff30dc157327aba7b3f67438f6fd5f13bb8663ae52c15ef367efeea91b55718a45b814d3f309e0fe417dc53ec4aa116

C:\Users\Admin\AppData\Local\Temp\_MEI57042\_hashlib.pyd

MD5 f63da7f9a4e64148255e9d3885e7a008
SHA1 756dc192e7b2932df147c48f05ec5e38e9aa06e6
SHA256 fa0bb4bf93a6739ce5ade6a7a69272bbc1227d09c7afc1c027d6cea41141bcc6
SHA512 23d06def20c3668613392a02832777b27ad5353e1dc246316043b606890445d195a1066fca65300a5d429319aa2ae2505f9fa3a5ab0f97aba2717b64aaa07e8d

C:\Users\Admin\AppData\Local\Temp\_MEI57042\_queue.pyd

MD5 e6bb918cc02cd270bad449875577427c
SHA1 5b22420ae4170858a6a2aa04a54adc26b9a8051c
SHA256 2d8b41dad8a8506870e6f2e2a5856c6c6c68a219f18bd88ad79c63cfa1366b1f
SHA512 b19353e0df213525c466d5cb80f362ab1a22eaf9940f742b59df1c2842e49594db87a5119289dca616fdfa3e808c7ceb26906e0ff8723afc80af768496faca9c

C:\Users\Admin\AppData\Local\Temp\_MEI57042\_bz2.pyd

MD5 bcf0d58a4c415072dae95db0c5cc7db3
SHA1 8ce298b7729c3771391a0decd82ab4ae8028c057
SHA256 d7faf016ef85fdbb6636f74fc17afc245530b1676ec56fc2cc756fe41cd7bf5a
SHA512 c54d76e50f49249c4e80fc6ce03a5fdec0a79d2ff0880c2fc57d43227a1388869e8f7c3f133ef8760441964da0bf3fc23ef8d3c3e72ce1659d40e8912cb3e9bc

C:\Users\Admin\AppData\Local\Temp\_MEI57042\VCRUNTIME140_1.dll

MD5 37c372da4b1adb96dc995ecb7e68e465
SHA1 6c1b6cb92ff76c40c77f86ea9a917a5f854397e2
SHA256 1554b5802968fdb2705a67cbb61585e9560b9e429d043a5aa742ef3c9bbfb6bf
SHA512 926f081b1678c15dc649d7e53bfbe98e4983c9ad6ccdf11c9383ca1d85f2a7353d5c52bebf867d6e155ff897f4702fc4da36a8f4cf76b00cb842152935e319a6

C:\Users\Admin\AppData\Local\Temp\7zO435A0AE7\XD.vbs

MD5 dae152349afc5a157065d6a73d7e445a
SHA1 2272104fe03c370f5d402e52d139d2279642a37f
SHA256 6b9be9c2ab8a64643726e7dddbb52d5ac9f3e63973957a7fcf9a4980c2f2e49e
SHA512 ee37a60e265205bdea21322bc3dd08a4f5f02b24a6a9a5942d8d754f6768b1d191168834998e35fe40ac8985ee3812e665f549fb276da7b536cb9f0d28dd3b5d

C:\Users\Admin\AppData\Local\Temp\_MEI57042\_lzma.pyd

MD5 ba3797d77b4b1f3b089a73c39277b343
SHA1 364a052731cfe40994c6fef4c51519f7546cd0b1
SHA256 f904b02720b6498634fc045e3cc2a21c04505c6be81626fe99bdb7c12cc26dc6
SHA512 5688ae25405ae8c5491898c678402c7a62ec966a8ec77891d9fd397805a5cfcf02d7ae8e2aa27377d65e6ce05b34a7ffdedf3942a091741af0d5bce41628bf7d

C:\Users\Admin\AppData\Local\Temp\_MEI57042\unicodedata.pyd

MD5 d1182ba27939104010b6313c466d49ff
SHA1 7870134f41ba5333294c927dbd77d3f740ac87e7
SHA256 1ac171f51cc87f268617b4a635b2331d5991d987d32bb206dd4e38033449c052
SHA512 ef26a2c8b0094792e10ceabbf4d11724a9368d96f888240581a15d7a551754c1484f6b2ed1b963a73b686495c7952d9cb940021028d4f230b0b47d0794607d0f

C:\Users\Admin\AppData\Local\Temp\_MEI57042\lxml\etree.cp310-win_amd64.pyd

MD5 ed5715ffcbc5fc22e10955b6230e48aa
SHA1 14ed152f82e31904117129502f59bd91f5a80ef2
SHA256 f4042d9433e8ced903fddfa0446878851835a27c1c67182416db7a90d8e6c96c
SHA512 75d2f645f6069aa1bb23386d061d76d6eb92c4cd24140c52c49bdde6d73bea4f6b9ff8605059705ec276244941011232840cc77fa78d914c656c4fdef7f2c74a