Malware Analysis Report

2025-05-05 21:25

Sample ID 240522-af74haed75
Target 654cfafd3808676689b0fb8963a773ff_JaffaCakes118
SHA256 82a25fd9ecb71be4fffa75947429614b57f6f9fe3f67eb603a80df263b2569a0
Tags pyinstaller spyware stealer
Score 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 7/10

SHA256 82a25fd9ecb71be4fffa75947429614b57f6f9fe3f67eb603a80df263b2569a0

Threat Level: Shows suspicious behavior

The file 654cfafd3808676689b0fb8963a773ff_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

pyinstaller spyware stealer

Checks computer location settings

Reads user/profile data of web browsers

Loads dropped DLL

Executes dropped EXE

Looks up external IP address via web service

AutoIT Executable

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates physical storage devices

Unsigned PE

Detects Pyinstaller

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-22 00:10

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-22 00:10

Reported

2024-05-22 00:12

Platform

win7-20240508-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\654cfafd3808676689b0fb8963a773ff_JaffaCakes118.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\654cfafd3808676689b0fb8963a773ff_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\654cfafd3808676689b0fb8963a773ff_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\654cfafd3808676689b0fb8963a773ff_JaffaCakes118.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AdobeCCUninst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AdobeCCUninst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AdobeCCUninst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AdobeCCUninst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AdobeCCUninst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AdobeCCUninst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AdobeCCUninst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AdobeCCUninst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AdobeCCUninst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AdobeCCUninst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AdobeCCUninst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AdobeCCUninst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AdobeCCUninst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AdobeCCUninst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AdobeCCUninst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AdobeCCUninst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AdobeCCUninst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AdobeCCUninst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AdobeCCUninst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AdobeCCUninst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AdobeCCUninst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AdobeCCUninst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AdobeCCUninst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AdobeCCUninst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AdobeCCUninst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AdobeCCUninst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AdobeCCUninst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AdobeCCUninst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AdobeCCUninst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AdobeCCUninst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AdobeCCUninst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AdobeCCUninst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AdobeCCUninst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AdobeCCUninst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AdobeCCUninst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AdobeCCUninst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AdobeCCUninst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AdobeCCUninst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AdobeCCUninst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AdobeCCUninst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AdobeCCUninst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AdobeCCUninst.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\AdobeCCUninst.exe N/A

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\AutoClicker.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2128 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\654cfafd3808676689b0fb8963a773ff_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\AdobeCCUninst.exe
PID 2128 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\654cfafd3808676689b0fb8963a773ff_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\AdobeCCUninst.exe
PID 2128 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\654cfafd3808676689b0fb8963a773ff_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\AdobeCCUninst.exe
PID 2128 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\654cfafd3808676689b0fb8963a773ff_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\AdobeCCUninst.exe
PID 2128 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\654cfafd3808676689b0fb8963a773ff_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\AutoClicker.exe
PID 2128 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\654cfafd3808676689b0fb8963a773ff_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\AutoClicker.exe
PID 2128 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\654cfafd3808676689b0fb8963a773ff_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\AutoClicker.exe
PID 2128 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\654cfafd3808676689b0fb8963a773ff_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\AutoClicker.exe
PID 1688 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\AdobeCCUninst.exe C:\Users\Admin\AppData\Local\Temp\AdobeCCUninst.exe
PID 1688 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\AdobeCCUninst.exe C:\Users\Admin\AppData\Local\Temp\AdobeCCUninst.exe
PID 1688 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\AdobeCCUninst.exe C:\Users\Admin\AppData\Local\Temp\AdobeCCUninst.exe

Processes

C:\Users\Admin\AppData\Local\Temp\654cfafd3808676689b0fb8963a773ff_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\654cfafd3808676689b0fb8963a773ff_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\AdobeCCUninst.exe

"C:\Users\Admin\AppData\Local\Temp\AdobeCCUninst.exe"

C:\Users\Admin\AppData\Local\Temp\AutoClicker.exe

"C:\Users\Admin\AppData\Local\Temp\AutoClicker.exe"

C:\Users\Admin\AppData\Local\Temp\AdobeCCUninst.exe

"C:\Users\Admin\AppData\Local\Temp\AdobeCCUninst.exe"

Network

N/A

Files

memory/2128-0-0x0000000074481000-0x0000000074482000-memory.dmp

memory/2128-1-0x0000000074480000-0x0000000074A2B000-memory.dmp

memory/2128-2-0x0000000074480000-0x0000000074A2B000-memory.dmp

\Users\Admin\AppData\Local\Temp\AdobeCCUninst.exe

MD5 b0b0353c7d1de6481df28d29e30a8d21
SHA1 ebfc530903dd6df4a902474f29fd4e44f1dbceba
SHA256 21bd665d09977589113f6ee3873c9884f74dfa64d5ae754dd35c3123aeae16cd
SHA512 4bf7265f133327bb02361e92f2efcbe84f3517fd56def8a02bb1d93825e34be2f5fb05e2a5aea0e3d9aff37a1718de4aa778770ca12cad21c2d1a1cf18f82246

C:\Users\Admin\AppData\Local\Temp\AutoClicker.exe

MD5 9cf7d8c91f0c95bb3a2f9f5a48da2ac5
SHA1 c42588e692880b4cd0b6ab08d69590204e93bc24
SHA256 be5980c81f9225e93c0d8f47685f4d0ab07e088be0f1e2099158f374ec271f99
SHA512 425446ead1d8bd8b76183d6cde55f7f007e27cafc9e209bdc92c2d843e6da34916355b9fbea18f4117e37133b30186a4d0153883ba29b3dd29fbe1f812e67d55

memory/2128-19-0x0000000074480000-0x0000000074A2B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI16882\python38.dll

MD5 1f2688b97f9827f1de7dfedb4ad2348c
SHA1 a9650970d38e30835336426f704579e87fcfc892
SHA256 169eeb1bdf99ed93ca26453d5ca49339e5ae092662cd94cde09fbb10046f83fc
SHA512 27e56b2d73226e36b0c473d8eb646813997cbdf955397d0b61fcae37ed1f2c3715e589f9a07d909a967009ed2c664d14007ccf37d83a7df7ce2a0fefca615503

C:\Users\Admin\AppData\Local\Temp\_MEI16882\angst.exe.manifest

MD5 5c19e50a10cd7ab76df4516b10b3f392
SHA1 51147c310cb01dfcb86b981433283d15abb8917f
SHA256 34e699fa6b2df70ea87614723b14af30a80c091deb0f6b2400a853241e55e11d
SHA512 56af8dd0cfcfdf153e218a0bcea4d2852bfb6405bfa9edd3065a68e7278ede42205a81cdd8c3e82220cf7bed5583865ffc36d5b54b8cb3639aa35e8a2a20d62a

\Users\Admin\AppData\Local\Temp\_MEI16882\VCRUNTIME140.dll

MD5 18571d6663b7d9ac95f2821c203e471f
SHA1 3c186018df04e875d6b9f83521028a21f145e3be
SHA256 0b040a314c19ff88f38fd9c89dca2d493113a6109adb8525733c3f6627da888f
SHA512 c8cbca1072b8cb04f9d82135c91ff6d7a539cb7a488671cecb6b5e2f11a4807f47ad9af5a87ebee44984ab71d7c44fc87850f9d04fd2c5019ec1b6a1b483ca21

C:\Users\Admin\AppData\Local\Temp\_MEI16882\base_library.zip

MD5 bc59d0993c320b3cd7f7dc2a8021cf9a
SHA1 2c64beaeb8f167d8f1ba80cde7aa83f3cc689a05
SHA256 175e5ecd65e165a1a4ee0f2625918b8ddf52744cc0094c82efbc22a53ec200af
SHA512 c9f0f62e895c2ff9f2efaee609c1c56ebbfbadc4f38c298927841558edc9c80ee1a3bdc111e8bcfc6a5bf6b8ae2db94441315356d216281bd1d3f1950cfa7534

\Users\Admin\AppData\Local\Temp\_MEI16882\_ctypes.pyd

MD5 8adb1345c717e575e6614e163eb62328
SHA1 f1ee3fff6e06dc4f22a5eb38c09c54580880e0a3
SHA256 65edc348db42347570578b979151b787ceebfc98e0372c28116cc229494a78a8
SHA512 0f11673854327fd2fcd12838f54c080edc4d40e4bcb50c413fe3f823056d189636dc661ea79207163f966719bf0815e1ffa75e2fb676df4e56ed6321f1ff6cae

C:\Users\Admin\AppData\Local\Temp\_MEI16882\libffi-7.dll

MD5 eef7981412be8ea459064d3090f4b3aa
SHA1 c60da4830ce27afc234b3c3014c583f7f0a5a925
SHA256 f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081
SHA512 dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

C:\Users\Admin\AppData\Local\Temp\_MEI16882\_socket.pyd

MD5 1d53841bb21acdcc8742828c3aded891
SHA1 cdf15d4815820571684c1f720d0cba24129e79c8
SHA256 ab13258c6da2c26c4dca7239ff4360ca9166ea8f53bb8cc08d2c7476cab7d61b
SHA512 0266bcbcd7ca5f6c9df8dbeea00e1275932dacc38e5dd83a47bfbb87f7ca6778458a6671d8b84a63ae9216a65975da656ba487ac28d41140122f46d0174fa9f9

\Users\Admin\AppData\Local\Temp\_MEI16882\_lzma.pyd

MD5 60e215bb78fb9a40352980f4de818814
SHA1 ff750858c3352081514e2ae0d200f3b8c3d40096
SHA256 c4d00582dee45841747b07b91a3e46e55af79e6518ec9f0ce59b989c0acd2806
SHA512 398a441de98963873417da6352413d080620faf2ae4b99425d7c9eaf96d5f2fdf1358e21f16870bdff514452115266a58ee3c6783611f037957bfa4bcec34230

\Users\Admin\AppData\Local\Temp\_MEI16882\_bz2.pyd

MD5 fc0d862a854993e0e51c00dee3eec777
SHA1 20203332c6f7bd51f6a5acbbc9f677c930d0669d
SHA256 e5de23dbac7ece02566e79b3d1923a8eeae628925c7fb4b98a443cad94a06863
SHA512 b3c2ade15cc196e687e83dd8d21ce88b83c8137a83cfc20bc8f2c8f3ab72643ef7ca08e1dc23de0695f508ba0080871956303ac30f92ab865f3e4249d4d65c2f

\Users\Admin\AppData\Local\Temp\_MEI16882\select.pyd

MD5 a2ab334e18222738dcb05bf820725938
SHA1 2f75455a471f95ac814b8e4560a023034480b7b5
SHA256 7ba95624370216795ea4a087c326422cfcbccc42b5ada21f4d85c532c71afad7
SHA512 72e891d1c7e5ea44a569283b5c8bd8c310f2ee3d3cc9c25c6a7d7d77a62cb301c822c833b0792c3163cf0b0d6272da2f667e6bc74b07ed7946082433f77d9679

C:\Users\Admin\AppData\Local\Temp\_MEI16882\pyexpat.pyd

MD5 11a886189eb726d5786926cc09f9e116
SHA1 d94295368a1285681fb03bac0553eb1495d43805
SHA256 dc38bdbe10cfaa99799e0c87aa8444fc062d445b87686d6593ffca46cc938031
SHA512 405c56487a91ad1209029ca6ea125642076251f0a8c069eef0e30ce484381db7bf24d2f5cd74b83d1c8c1358f92f35fa6ed7b75601ace611cf36bb2331588684

C:\Users\Admin\AppData\Local\Temp\_MEI16882\win32api.pyd

MD5 62c6c784ded5ac6296f7ad9770b86cfc
SHA1 ee7d9e60ec42e8548c26681f5122ade0b103134c
SHA256 25b36692d216af99f1526dc473ba34caf19b403fe15a19269c72e683aed8ed88
SHA512 d200a874581a0d4ee2943ff012dbc43e4f5d91ea01c6a61c73a065d8708a8198d4e38e91b9a9a73276cd44d8394dda83a76b14b275502911f5dfaa113e11018c

C:\Users\Admin\AppData\Local\Temp\_MEI16882\pywintypes38.dll

MD5 9d95a3e8f0ff313d13b5057b34ed2380
SHA1 0a9407bda668ee9fa597fa03210b299a98b87ae9
SHA256 b2d639f897aa376f7cbac7c1989cd176486a7aa0d0b2fa3d3ade410f5430978f
SHA512 10019a6790c9152be88c0eb75f38b650070325a91fe930aeca6f4e4740ea30774f0c475e084bf833b16e4f9a0332d8ae6c981c661f0b0641997f0fdccd9b7ca2

C:\Users\Admin\AppData\Local\Temp\_MEI16882\pythoncom38.dll

MD5 a4dfd0918c4f6335a14cc00cdd3978dc
SHA1 85ade339728c852906d53dba9a10820ecee1d7ce
SHA256 452edd825eac1b2eb77685fe4cbdf3244ca058c6c90d07d042a3b6be6f9215dc
SHA512 d9167da605d9282dd87d36228a9a9eddb15dd646e1e3793f0b7fbd5c62aed1c2e5bd2261e5be7dec7c9a34f50823bcf95a0bc9fed77e0ab39d4265a1905a6e1d

C:\Users\Admin\AppData\Local\Temp\_MEI16882\libcrypto-1_1.dll

MD5 cc4cbf715966cdcad95a1e6c95592b3d
SHA1 d5873fea9c084bcc753d1c93b2d0716257bea7c3
SHA256 594303e2ce6a4a02439054c84592791bf4ab0b7c12e9bbdb4b040e27251521f1
SHA512 3b5af9fbbc915d172648c2b0b513b5d2151f940ccf54c23148cd303e6660395f180981b148202bef76f5209acc53b8953b1cb067546f90389a6aa300c1fbe477

\Users\Admin\AppData\Local\Temp\_MEI16882\_ssl.pyd

MD5 84dea8d0acce4a707b094a3627b62eab
SHA1 d45dda99466ab08cc922e828729d0840ae2ddc18
SHA256 dcf6b3ff84b55c3859d0f176c4ce6904c0d7d4643a657b817c6322933dbf82f6
SHA512 fdaa7eb10f8bf7b42a5c9691f600eff48190041a8b28a5dab977170db717fff58dd0f64b02ca30d274552ff30ee02a6577f1465792cf6760366c2588bf373108

C:\Users\Admin\AppData\Local\Temp\_MEI16882\libssl-1_1.dll

MD5 bc778f33480148efa5d62b2ec85aaa7d
SHA1 b1ec87cbd8bc4398c6ebb26549961c8aab53d855
SHA256 9d4cf1c03629f92662fc8d7e3f1094a7fc93cb41634994464b853df8036af843
SHA512 80c1dd9d0179e6cc5f33eb62d05576a350af78b5170bfdf2ecda16f1d8c3c2d0e991a5534a113361ae62079fb165fff2344efd1b43031f1a7bfda696552ee173

C:\Users\Admin\AppData\Local\Temp\_MEI16882\_pytransform.dll

MD5 ef0bc18d982cd691563c63eccbce295c
SHA1 5abe5eb0d0a575710b6bab64576eed86030bce58
SHA256 f0c0458fc473253afcd810ee7a5c96db6431d002fb7220a1210714076a7560df
SHA512 87d0564473837d0a4818b04beaa7c869319f1ad19b0eff3282ad69173ca600254948bdc21f83b0c3f7c9e26159990a400a68b9903034aa749263df95c8e3ce93

\Users\Admin\AppData\Local\Temp\_MEI16882\_hashlib.pyd

MD5 5fa7c9d5e6068718c6010bbeb18fbeb3
SHA1 93e8875d6d0f943b4226e25452c2c7d63d22b790
SHA256 2e98f91087f56dfdffbbdd951cd55cd7ea771cec93d59cadb86b964ed8708155
SHA512 3104aa8b785740dc6a5261c27b2bdc6e14b2f37862fa0fba151b1bc1bfc0e5fb5b6934b95488fa47c5af3fc2b2283f333ff6517b6f8cf0437c52cf171da58bf5

\Users\Admin\AppData\Local\Temp\_MEI16882\_queue.pyd

MD5 1fc2c6b80936efc502bfc30fc24caa56
SHA1 4e5b26ff3b225906c2b9e39e0f06126cfc43a257
SHA256 9c47a3b84012837c60b7feced86ed0a4f12910a85fd259a4483a48cd940e3514
SHA512 d07655d78aca969ccc0d7cedf9e337c7b20082d80be1d90d69c42be933fbab1c828316d2eb5461ded2ff35e52762e249fc0c2bccbc2b8436488fb6a270d3d9ee

memory/2456-1118-0x000007FEF0000000-0x000007FEF0001000-memory.dmp

memory/2456-1117-0x0000000003250000-0x0000000003251000-memory.dmp

memory/2456-1115-0x0000000003250000-0x0000000003251000-memory.dmp

memory/2456-1113-0x0000000003250000-0x0000000003251000-memory.dmp

memory/2456-1111-0x0000000003250000-0x0000000003251000-memory.dmp

memory/2456-1109-0x0000000003250000-0x0000000003251000-memory.dmp

memory/2456-1107-0x0000000003250000-0x0000000003251000-memory.dmp

memory/2456-1105-0x0000000003250000-0x0000000003251000-memory.dmp

memory/2456-1097-0x0000000003250000-0x0000000003251000-memory.dmp

memory/2456-1095-0x0000000003250000-0x0000000003251000-memory.dmp

memory/2456-1093-0x0000000003250000-0x0000000003251000-memory.dmp

memory/2456-1091-0x0000000003250000-0x0000000003251000-memory.dmp

memory/2456-1089-0x0000000003250000-0x0000000003251000-memory.dmp

memory/2456-1087-0x0000000003250000-0x0000000003251000-memory.dmp

memory/2456-1085-0x0000000003250000-0x0000000003251000-memory.dmp

memory/2456-1077-0x0000000003250000-0x0000000003251000-memory.dmp

memory/2456-1075-0x0000000003250000-0x0000000003251000-memory.dmp

memory/2456-1073-0x0000000003250000-0x0000000003251000-memory.dmp

memory/2456-1071-0x0000000003250000-0x0000000003251000-memory.dmp

memory/2456-1069-0x0000000003250000-0x0000000003251000-memory.dmp

memory/2456-1067-0x0000000003250000-0x0000000003251000-memory.dmp

memory/2456-1065-0x0000000003250000-0x0000000003251000-memory.dmp

memory/2456-1063-0x0000000003250000-0x0000000003251000-memory.dmp

memory/2456-1061-0x0000000003250000-0x0000000003251000-memory.dmp

memory/2456-1059-0x0000000003250000-0x0000000003251000-memory.dmp

memory/2456-1058-0x0000000003240000-0x0000000003241000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI16882\unicodedata.pyd

MD5 549c9eeda8546cd32d0713c723abd12a
SHA1 f84b2c529cff58b888cc99f566fcd2eba6ff2b8e
SHA256 5d5e733397ef7c4946cf26c84b07312cb12eaf339374613d4381e694ef38169b
SHA512 9432daf045bac3e322b1797f49afe50f76faf8b7d8db063a1d56578016c813881af3324e2529032a8644a04b58ccc9d2c363bf92b56115f06b9eefebfab08180

C:\Users\Admin\AppData\Local\Temp\_MEI16882\certifi\cacert.pem

MD5 c760591283d5a4a987ad646b35de3717
SHA1 5d10cbd25ac1c7ced5bfb3d6f185fa150f6ea134
SHA256 1a14f6e1fd11efff72e1863f8645f090eec1b616614460c210c3b7e3c13d4b5e
SHA512 c192ae381008eaf180782e6e40cd51834e0233e98942bd071768308e179f58f3530e6e883f245a2630c86923dbeb68b624c5ec2167040d749813fedc37a6d1e6

C:\Users\Admin\AppData\Local\Temp\_MEI16882\Crypto\Cipher\_raw_ofb.cp38-win_amd64.pyd

MD5 b537c5216bd68311d50b10d62d02b9bb
SHA1 eb613bdabc18ee0f43afa4a13e684d0f8bc57817
SHA256 2b4fefd3688f5e92b1c3ef745d3463d44d9c071b9e2e190a7179191cd3b1e3a5
SHA512 1a3a8e9454646d7ac87f0acc34092da9c3873e4912ea8cb7c335d58a1bf7336d370dda9da13fdc6148ebfe93e3b75ceebc0684a5ee7b4ae24e8e2b5d053afe38

\Users\Admin\AppData\Local\Temp\_MEI16882\Crypto\Cipher\_raw_cfb.cp38-win_amd64.pyd

MD5 6f1d3ed33d7dfeae5642406d76ff2084
SHA1 014cfee7d754564928ed2df2fef933aeda915918
SHA256 f5918822781473d44f69030a9b32bcaeffa8671f1328c48085c9671f140d1273
SHA512 e55f57ef9411979ab164d5c3faca609856ddaa273ee817225ba77a12ddad02da464378ca0cbd98ddec708aeac96845ab8c718d35edc88b0ab06bb14ed53647ca

\Users\Admin\AppData\Local\Temp\_MEI16882\Crypto\Cipher\_raw_cbc.cp38-win_amd64.pyd

MD5 03c703a8f4c2a1443cccc8316af8940c
SHA1 046d8c846d9393e472064aa1250826994a785577
SHA256 ca09e03d93f3a330a467afd7fb998ad81dfd75fa7a1c2e202d6898f229c269d4
SHA512 a65bf31452e984de1f951a3bca97c9dc27ac113e5fd4e0d29fa2b67e6c1b24d48ba6513d1e2ceaa7617e92305171e9675379a0e97980a3ceec209c49cd687329

\Users\Admin\AppData\Local\Temp\_MEI16882\Crypto\Cipher\_raw_ecb.cp38-win_amd64.pyd

MD5 d4535f5b8683cd4b523d1f97232d3772
SHA1 1a6ce4eeb5acd1762f629478db14dfe8e361967f
SHA256 a8bd1b23f25393b26570a23f3083227dca1e2a6c4422581ff3e46cea3c4ac4ad
SHA512 447c9b1772f4a4f91961268e1b87c3576415f5257197db16336a3be8601dcfc8cd01dd1bb0676403633c58b8593aa9f558bbd53ccd994f5702df38c265358730

\Users\Admin\AppData\Local\Temp\_MEI16882\win32crypt.pyd

MD5 ae58c89929b50d7a2c3fb93ff34a57b4
SHA1 164ba95be9075b97637ab54481d4117b28667de0
SHA256 e1f1fa417ff19efe3b0bed5b49a0e9f60728569b252817d79c9fb66b03e7305d
SHA512 090082d3419f6234fc63499e76da090afec107b7d367083f84079d9b1850ce324697357c836f02d7046695f67492f44000f71c1b32598d56eed839d015d790e6

\Users\Admin\AppData\Local\Temp\_MEI16882\sqlite3.dll

MD5 a2dbd94878af1bb29f8725a834696a60
SHA1 01c40f2949604183fb8c76fd5e7803009a83ce4d
SHA256 6af14006a4d732fc0c4bd44317457fca8c37d12ffcaf845790d3f57da75451fb
SHA512 6aad1e43e272b178127334c48925f69422ca9a4e6e4636e4c5a522a3b3690e0a715c1a3c400ec6962b6eeaac0ff2612208595d72747de3e286745eca90ee9953

\Users\Admin\AppData\Local\Temp\_MEI16882\_sqlite3.pyd

MD5 a3a0cb078aa4fc5d5a081be54745a4c9
SHA1 42b1873c4633f9a0288ce4ee44c50234c0f03e22
SHA256 e0ed20d5ae660a18bf60e907ba7f21013e04305aa67aa3b8b5a1cee9bd4dcd27
SHA512 ac6628bf3908c053362b8c840a7934d704413ae673702052b06d23d71995702d1c562e36a6bde3ad0170eb71a77f43d702ad71f74bc21a3d770f05b95be16f4e

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-22 00:10

Reported

2024-05-22 00:12

Platform

win10v2004-20240508-en

Max time kernel

142s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\654cfafd3808676689b0fb8963a773ff_JaffaCakes118.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\654cfafd3808676689b0fb8963a773ff_JaffaCakes118.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\AdobeCCUninst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AdobeCCUninst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AdobeCCUninst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AdobeCCUninst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AdobeCCUninst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AdobeCCUninst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AdobeCCUninst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AdobeCCUninst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AdobeCCUninst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AdobeCCUninst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AdobeCCUninst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AdobeCCUninst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AdobeCCUninst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AdobeCCUninst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AdobeCCUninst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AdobeCCUninst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AdobeCCUninst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AdobeCCUninst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AdobeCCUninst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AdobeCCUninst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AdobeCCUninst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AdobeCCUninst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AdobeCCUninst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AdobeCCUninst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AdobeCCUninst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AdobeCCUninst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AdobeCCUninst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AdobeCCUninst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AdobeCCUninst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AdobeCCUninst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AdobeCCUninst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AdobeCCUninst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AdobeCCUninst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AdobeCCUninst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AdobeCCUninst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AdobeCCUninst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AdobeCCUninst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AdobeCCUninst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AdobeCCUninst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AdobeCCUninst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AdobeCCUninst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AdobeCCUninst.exe N/A

Reads user/profile data of web browsers

spyware stealer

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\AdobeCCUninst.exe N/A

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\AutoClicker.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4200 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\654cfafd3808676689b0fb8963a773ff_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\AdobeCCUninst.exe
PID 4200 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\654cfafd3808676689b0fb8963a773ff_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\AdobeCCUninst.exe
PID 4200 wrote to memory of 4528 N/A C:\Users\Admin\AppData\Local\Temp\654cfafd3808676689b0fb8963a773ff_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\AutoClicker.exe
PID 4200 wrote to memory of 4528 N/A C:\Users\Admin\AppData\Local\Temp\654cfafd3808676689b0fb8963a773ff_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\AutoClicker.exe
PID 4200 wrote to memory of 4528 N/A C:\Users\Admin\AppData\Local\Temp\654cfafd3808676689b0fb8963a773ff_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\AutoClicker.exe
PID 2064 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\AdobeCCUninst.exe C:\Users\Admin\AppData\Local\Temp\AdobeCCUninst.exe
PID 2064 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\AdobeCCUninst.exe C:\Users\Admin\AppData\Local\Temp\AdobeCCUninst.exe
PID 2604 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\AdobeCCUninst.exe C:\Windows\system32\cmd.exe
PID 2604 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\AdobeCCUninst.exe C:\Windows\system32\cmd.exe
PID 1180 wrote to memory of 4752 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1180 wrote to memory of 4752 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe

Processes

C:\Users\Admin\AppData\Local\Temp\654cfafd3808676689b0fb8963a773ff_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\654cfafd3808676689b0fb8963a773ff_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\AdobeCCUninst.exe

"C:\Users\Admin\AppData\Local\Temp\AdobeCCUninst.exe"

C:\Users\Admin\AppData\Local\Temp\AutoClicker.exe

"C:\Users\Admin\AppData\Local\Temp\AutoClicker.exe"

C:\Users\Admin\AppData\Local\Temp\AdobeCCUninst.exe

"C:\Users\Admin\AppData\Local\Temp\AdobeCCUninst.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic path softwarelicensingservice get OA3xOriginalProductKey"

C:\Windows\System32\Wbem\WMIC.exe

wmic path softwarelicensingservice get OA3xOriginalProductKey

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 api.ipify.org udp
US 104.26.13.205:443 api.ipify.org tcp
US 8.8.8.8:53 discordapp.com udp
US 162.159.134.233:443 discordapp.com tcp
US 162.159.134.233:443 discordapp.com tcp
US 8.8.8.8:53 205.13.26.104.in-addr.arpa udp
US 8.8.8.8:53 233.134.159.162.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 36.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp

Files

memory/4200-0-0x0000000074862000-0x0000000074863000-memory.dmp

memory/4200-1-0x0000000074860000-0x0000000074E11000-memory.dmp

memory/4200-2-0x0000000074860000-0x0000000074E11000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AdobeCCUninst.exe

MD5 b0b0353c7d1de6481df28d29e30a8d21
SHA1 ebfc530903dd6df4a902474f29fd4e44f1dbceba
SHA256 21bd665d09977589113f6ee3873c9884f74dfa64d5ae754dd35c3123aeae16cd
SHA512 4bf7265f133327bb02361e92f2efcbe84f3517fd56def8a02bb1d93825e34be2f5fb05e2a5aea0e3d9aff37a1718de4aa778770ca12cad21c2d1a1cf18f82246

C:\Users\Admin\AppData\Local\Temp\AutoClicker.exe

MD5 9cf7d8c91f0c95bb3a2f9f5a48da2ac5
SHA1 c42588e692880b4cd0b6ab08d69590204e93bc24
SHA256 be5980c81f9225e93c0d8f47685f4d0ab07e088be0f1e2099158f374ec271f99
SHA512 425446ead1d8bd8b76183d6cde55f7f007e27cafc9e209bdc92c2d843e6da34916355b9fbea18f4117e37133b30186a4d0153883ba29b3dd29fbe1f812e67d55

memory/4200-22-0x0000000074860000-0x0000000074E11000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI20642\angst.exe.manifest

MD5 5c19e50a10cd7ab76df4516b10b3f392
SHA1 51147c310cb01dfcb86b981433283d15abb8917f
SHA256 34e699fa6b2df70ea87614723b14af30a80c091deb0f6b2400a853241e55e11d
SHA512 56af8dd0cfcfdf153e218a0bcea4d2852bfb6405bfa9edd3065a68e7278ede42205a81cdd8c3e82220cf7bed5583865ffc36d5b54b8cb3639aa35e8a2a20d62a

C:\Users\Admin\AppData\Local\Temp\_MEI20642\python38.dll

MD5 1f2688b97f9827f1de7dfedb4ad2348c
SHA1 a9650970d38e30835336426f704579e87fcfc892
SHA256 169eeb1bdf99ed93ca26453d5ca49339e5ae092662cd94cde09fbb10046f83fc
SHA512 27e56b2d73226e36b0c473d8eb646813997cbdf955397d0b61fcae37ed1f2c3715e589f9a07d909a967009ed2c664d14007ccf37d83a7df7ce2a0fefca615503

C:\Users\Admin\AppData\Local\Temp\_MEI20642\VCRUNTIME140.dll

MD5 18571d6663b7d9ac95f2821c203e471f
SHA1 3c186018df04e875d6b9f83521028a21f145e3be
SHA256 0b040a314c19ff88f38fd9c89dca2d493113a6109adb8525733c3f6627da888f
SHA512 c8cbca1072b8cb04f9d82135c91ff6d7a539cb7a488671cecb6b5e2f11a4807f47ad9af5a87ebee44984ab71d7c44fc87850f9d04fd2c5019ec1b6a1b483ca21

C:\Users\Admin\AppData\Local\Temp\_MEI20642\base_library.zip

MD5 bc59d0993c320b3cd7f7dc2a8021cf9a
SHA1 2c64beaeb8f167d8f1ba80cde7aa83f3cc689a05
SHA256 175e5ecd65e165a1a4ee0f2625918b8ddf52744cc0094c82efbc22a53ec200af
SHA512 c9f0f62e895c2ff9f2efaee609c1c56ebbfbadc4f38c298927841558edc9c80ee1a3bdc111e8bcfc6a5bf6b8ae2db94441315356d216281bd1d3f1950cfa7534

C:\Users\Admin\AppData\Local\Temp\_MEI20642\_ctypes.pyd

MD5 8adb1345c717e575e6614e163eb62328
SHA1 f1ee3fff6e06dc4f22a5eb38c09c54580880e0a3
SHA256 65edc348db42347570578b979151b787ceebfc98e0372c28116cc229494a78a8
SHA512 0f11673854327fd2fcd12838f54c080edc4d40e4bcb50c413fe3f823056d189636dc661ea79207163f966719bf0815e1ffa75e2fb676df4e56ed6321f1ff6cae

C:\Users\Admin\AppData\Local\Temp\_MEI20642\libffi-7.dll

MD5 eef7981412be8ea459064d3090f4b3aa
SHA1 c60da4830ce27afc234b3c3014c583f7f0a5a925
SHA256 f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081
SHA512 dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

C:\Users\Admin\AppData\Local\Temp\_MEI20642\_socket.pyd

MD5 1d53841bb21acdcc8742828c3aded891
SHA1 cdf15d4815820571684c1f720d0cba24129e79c8
SHA256 ab13258c6da2c26c4dca7239ff4360ca9166ea8f53bb8cc08d2c7476cab7d61b
SHA512 0266bcbcd7ca5f6c9df8dbeea00e1275932dacc38e5dd83a47bfbb87f7ca6778458a6671d8b84a63ae9216a65975da656ba487ac28d41140122f46d0174fa9f9

C:\Users\Admin\AppData\Local\Temp\_MEI20642\select.pyd

MD5 a2ab334e18222738dcb05bf820725938
SHA1 2f75455a471f95ac814b8e4560a023034480b7b5
SHA256 7ba95624370216795ea4a087c326422cfcbccc42b5ada21f4d85c532c71afad7
SHA512 72e891d1c7e5ea44a569283b5c8bd8c310f2ee3d3cc9c25c6a7d7d77a62cb301c822c833b0792c3163cf0b0d6272da2f667e6bc74b07ed7946082433f77d9679

C:\Users\Admin\AppData\Local\Temp\_MEI20642\_bz2.pyd

MD5 fc0d862a854993e0e51c00dee3eec777
SHA1 20203332c6f7bd51f6a5acbbc9f677c930d0669d
SHA256 e5de23dbac7ece02566e79b3d1923a8eeae628925c7fb4b98a443cad94a06863
SHA512 b3c2ade15cc196e687e83dd8d21ce88b83c8137a83cfc20bc8f2c8f3ab72643ef7ca08e1dc23de0695f508ba0080871956303ac30f92ab865f3e4249d4d65c2f

C:\Users\Admin\AppData\Local\Temp\_MEI20642\_lzma.pyd

MD5 60e215bb78fb9a40352980f4de818814
SHA1 ff750858c3352081514e2ae0d200f3b8c3d40096
SHA256 c4d00582dee45841747b07b91a3e46e55af79e6518ec9f0ce59b989c0acd2806
SHA512 398a441de98963873417da6352413d080620faf2ae4b99425d7c9eaf96d5f2fdf1358e21f16870bdff514452115266a58ee3c6783611f037957bfa4bcec34230

C:\Users\Admin\AppData\Local\Temp\_MEI20642\pyexpat.pyd

MD5 11a886189eb726d5786926cc09f9e116
SHA1 d94295368a1285681fb03bac0553eb1495d43805
SHA256 dc38bdbe10cfaa99799e0c87aa8444fc062d445b87686d6593ffca46cc938031
SHA512 405c56487a91ad1209029ca6ea125642076251f0a8c069eef0e30ce484381db7bf24d2f5cd74b83d1c8c1358f92f35fa6ed7b75601ace611cf36bb2331588684

C:\Users\Admin\AppData\Local\Temp\_MEI20642\win32api.pyd

MD5 62c6c784ded5ac6296f7ad9770b86cfc
SHA1 ee7d9e60ec42e8548c26681f5122ade0b103134c
SHA256 25b36692d216af99f1526dc473ba34caf19b403fe15a19269c72e683aed8ed88
SHA512 d200a874581a0d4ee2943ff012dbc43e4f5d91ea01c6a61c73a065d8708a8198d4e38e91b9a9a73276cd44d8394dda83a76b14b275502911f5dfaa113e11018c

C:\Users\Admin\AppData\Local\Temp\_MEI20642\pywintypes38.dll

MD5 9d95a3e8f0ff313d13b5057b34ed2380
SHA1 0a9407bda668ee9fa597fa03210b299a98b87ae9
SHA256 b2d639f897aa376f7cbac7c1989cd176486a7aa0d0b2fa3d3ade410f5430978f
SHA512 10019a6790c9152be88c0eb75f38b650070325a91fe930aeca6f4e4740ea30774f0c475e084bf833b16e4f9a0332d8ae6c981c661f0b0641997f0fdccd9b7ca2

C:\Users\Admin\AppData\Local\Temp\_MEI20642\pythoncom38.dll

MD5 a4dfd0918c4f6335a14cc00cdd3978dc
SHA1 85ade339728c852906d53dba9a10820ecee1d7ce
SHA256 452edd825eac1b2eb77685fe4cbdf3244ca058c6c90d07d042a3b6be6f9215dc
SHA512 d9167da605d9282dd87d36228a9a9eddb15dd646e1e3793f0b7fbd5c62aed1c2e5bd2261e5be7dec7c9a34f50823bcf95a0bc9fed77e0ab39d4265a1905a6e1d

C:\Users\Admin\AppData\Local\Temp\_MEI20642\_ssl.pyd

MD5 84dea8d0acce4a707b094a3627b62eab
SHA1 d45dda99466ab08cc922e828729d0840ae2ddc18
SHA256 dcf6b3ff84b55c3859d0f176c4ce6904c0d7d4643a657b817c6322933dbf82f6
SHA512 fdaa7eb10f8bf7b42a5c9691f600eff48190041a8b28a5dab977170db717fff58dd0f64b02ca30d274552ff30ee02a6577f1465792cf6760366c2588bf373108

C:\Users\Admin\AppData\Local\Temp\_MEI20642\libssl-1_1.dll

MD5 bc778f33480148efa5d62b2ec85aaa7d
SHA1 b1ec87cbd8bc4398c6ebb26549961c8aab53d855
SHA256 9d4cf1c03629f92662fc8d7e3f1094a7fc93cb41634994464b853df8036af843
SHA512 80c1dd9d0179e6cc5f33eb62d05576a350af78b5170bfdf2ecda16f1d8c3c2d0e991a5534a113361ae62079fb165fff2344efd1b43031f1a7bfda696552ee173

C:\Users\Admin\AppData\Local\Temp\_MEI20642\libcrypto-1_1.dll

MD5 cc4cbf715966cdcad95a1e6c95592b3d
SHA1 d5873fea9c084bcc753d1c93b2d0716257bea7c3
SHA256 594303e2ce6a4a02439054c84592791bf4ab0b7c12e9bbdb4b040e27251521f1
SHA512 3b5af9fbbc915d172648c2b0b513b5d2151f940ccf54c23148cd303e6660395f180981b148202bef76f5209acc53b8953b1cb067546f90389a6aa300c1fbe477

C:\Users\Admin\AppData\Local\Temp\_MEI20642\_pytransform.dll

MD5 ef0bc18d982cd691563c63eccbce295c
SHA1 5abe5eb0d0a575710b6bab64576eed86030bce58
SHA256 f0c0458fc473253afcd810ee7a5c96db6431d002fb7220a1210714076a7560df
SHA512 87d0564473837d0a4818b04beaa7c869319f1ad19b0eff3282ad69173ca600254948bdc21f83b0c3f7c9e26159990a400a68b9903034aa749263df95c8e3ce93

memory/2604-1121-0x00007FFEE0000000-0x00007FFEE0001000-memory.dmp

memory/2604-1120-0x000001CEF8FF0000-0x000001CEF8FF1000-memory.dmp

memory/2604-1118-0x000001CEF8FF0000-0x000001CEF8FF1000-memory.dmp

memory/2604-1116-0x000001CEF8FF0000-0x000001CEF8FF1000-memory.dmp

memory/2604-1114-0x000001CEF8FF0000-0x000001CEF8FF1000-memory.dmp

memory/2604-1112-0x000001CEF8FF0000-0x000001CEF8FF1000-memory.dmp

memory/2604-1110-0x000001CEF8FF0000-0x000001CEF8FF1000-memory.dmp

memory/2604-1108-0x000001CEF8FF0000-0x000001CEF8FF1000-memory.dmp

memory/2604-1100-0x000001CEF8FF0000-0x000001CEF8FF1000-memory.dmp

memory/2604-1098-0x000001CEF8FF0000-0x000001CEF8FF1000-memory.dmp

memory/2604-1096-0x000001CEF8FF0000-0x000001CEF8FF1000-memory.dmp

memory/2604-1094-0x000001CEF8FF0000-0x000001CEF8FF1000-memory.dmp

memory/2604-1092-0x000001CEF8FF0000-0x000001CEF8FF1000-memory.dmp

memory/2604-1090-0x000001CEF8FF0000-0x000001CEF8FF1000-memory.dmp

memory/2604-1088-0x000001CEF8FF0000-0x000001CEF8FF1000-memory.dmp

memory/2604-1080-0x000001CEF8FF0000-0x000001CEF8FF1000-memory.dmp

memory/2604-1078-0x000001CEF8FF0000-0x000001CEF8FF1000-memory.dmp

memory/2604-1076-0x000001CEF8FF0000-0x000001CEF8FF1000-memory.dmp

memory/2604-1074-0x000001CEF8FF0000-0x000001CEF8FF1000-memory.dmp

memory/2604-1072-0x000001CEF8FF0000-0x000001CEF8FF1000-memory.dmp

memory/2604-1070-0x000001CEF8FF0000-0x000001CEF8FF1000-memory.dmp

memory/2604-1068-0x000001CEF8FF0000-0x000001CEF8FF1000-memory.dmp

memory/2604-1066-0x000001CEF8FF0000-0x000001CEF8FF1000-memory.dmp

memory/2604-1064-0x000001CEF8FF0000-0x000001CEF8FF1000-memory.dmp

memory/2604-1062-0x000001CEF8FF0000-0x000001CEF8FF1000-memory.dmp

memory/2604-1061-0x000001CEF8FE0000-0x000001CEF8FE1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI20642\_queue.pyd

MD5 1fc2c6b80936efc502bfc30fc24caa56
SHA1 4e5b26ff3b225906c2b9e39e0f06126cfc43a257
SHA256 9c47a3b84012837c60b7feced86ed0a4f12910a85fd259a4483a48cd940e3514
SHA512 d07655d78aca969ccc0d7cedf9e337c7b20082d80be1d90d69c42be933fbab1c828316d2eb5461ded2ff35e52762e249fc0c2bccbc2b8436488fb6a270d3d9ee

C:\Users\Admin\AppData\Local\Temp\_MEI20642\_hashlib.pyd

MD5 5fa7c9d5e6068718c6010bbeb18fbeb3
SHA1 93e8875d6d0f943b4226e25452c2c7d63d22b790
SHA256 2e98f91087f56dfdffbbdd951cd55cd7ea771cec93d59cadb86b964ed8708155
SHA512 3104aa8b785740dc6a5261c27b2bdc6e14b2f37862fa0fba151b1bc1bfc0e5fb5b6934b95488fa47c5af3fc2b2283f333ff6517b6f8cf0437c52cf171da58bf5

C:\Users\Admin\AppData\Local\Temp\_MEI20642\unicodedata.pyd

MD5 549c9eeda8546cd32d0713c723abd12a
SHA1 f84b2c529cff58b888cc99f566fcd2eba6ff2b8e
SHA256 5d5e733397ef7c4946cf26c84b07312cb12eaf339374613d4381e694ef38169b
SHA512 9432daf045bac3e322b1797f49afe50f76faf8b7d8db063a1d56578016c813881af3324e2529032a8644a04b58ccc9d2c363bf92b56115f06b9eefebfab08180

C:\Users\Admin\AppData\Local\Temp\_MEI20642\certifi\cacert.pem

MD5 c760591283d5a4a987ad646b35de3717
SHA1 5d10cbd25ac1c7ced5bfb3d6f185fa150f6ea134
SHA256 1a14f6e1fd11efff72e1863f8645f090eec1b616614460c210c3b7e3c13d4b5e
SHA512 c192ae381008eaf180782e6e40cd51834e0233e98942bd071768308e179f58f3530e6e883f245a2630c86923dbeb68b624c5ec2167040d749813fedc37a6d1e6

C:\Users\Admin\AppData\Local\Temp\_MEI20642\sqlite3.dll

MD5 a2dbd94878af1bb29f8725a834696a60
SHA1 01c40f2949604183fb8c76fd5e7803009a83ce4d
SHA256 6af14006a4d732fc0c4bd44317457fca8c37d12ffcaf845790d3f57da75451fb
SHA512 6aad1e43e272b178127334c48925f69422ca9a4e6e4636e4c5a522a3b3690e0a715c1a3c400ec6962b6eeaac0ff2612208595d72747de3e286745eca90ee9953

C:\Users\Admin\AppData\Local\Temp\_MEI20642\win32crypt.pyd

MD5 ae58c89929b50d7a2c3fb93ff34a57b4
SHA1 164ba95be9075b97637ab54481d4117b28667de0
SHA256 e1f1fa417ff19efe3b0bed5b49a0e9f60728569b252817d79c9fb66b03e7305d
SHA512 090082d3419f6234fc63499e76da090afec107b7d367083f84079d9b1850ce324697357c836f02d7046695f67492f44000f71c1b32598d56eed839d015d790e6

C:\Users\Admin\AppData\Local\Temp\_MEI20642\Crypto\Util\_strxor.cp38-win_amd64.pyd

MD5 c718722a0c7e48a91b492b604ca15125
SHA1 6fa5b7da8366bfd7ae575452d389d01bfa25e6b4
SHA256 248962dbfabfd47f79df23f22754e6644404ccd10f152420a639de12215a615f
SHA512 953aa4827746ad544e799976724f657a56337407bebcc0c721b926caa74fae6bfc42acbd194c4220f3e0e4edc5e325674be3f0773859f9ed40ad943a359058dd

C:\Users\Admin\AppData\Local\Temp\_MEI20642\Crypto\Cipher\_raw_ctr.cp38-win_amd64.pyd

MD5 c04554cf7f89e2d360ebcc39f85a2970
SHA1 42ac403bd2a854d7f6ac60a299594a9c4a793f35
SHA256 264ed03313efc36ef0794e3c716319e0aa4774c3d0a26c522dcfa7be1f46349f
SHA512 668928abb8510d36dcc2e9ff7cd10353c3cbc10af199ca4c909770921fdcbe4aeedc5dfb106c91cf480c86a2ab78e2da6278d859aae93cb72bc50de432411ed9

C:\Users\Admin\AppData\Local\Temp\_MEI20642\Crypto\Cipher\_raw_ofb.cp38-win_amd64.pyd

MD5 b537c5216bd68311d50b10d62d02b9bb
SHA1 eb613bdabc18ee0f43afa4a13e684d0f8bc57817
SHA256 2b4fefd3688f5e92b1c3ef745d3463d44d9c071b9e2e190a7179191cd3b1e3a5
SHA512 1a3a8e9454646d7ac87f0acc34092da9c3873e4912ea8cb7c335d58a1bf7336d370dda9da13fdc6148ebfe93e3b75ceebc0684a5ee7b4ae24e8e2b5d053afe38

C:\Users\Admin\AppData\Local\Temp\_MEI20642\Crypto\Cipher\_raw_cfb.cp38-win_amd64.pyd

MD5 6f1d3ed33d7dfeae5642406d76ff2084
SHA1 014cfee7d754564928ed2df2fef933aeda915918
SHA256 f5918822781473d44f69030a9b32bcaeffa8671f1328c48085c9671f140d1273
SHA512 e55f57ef9411979ab164d5c3faca609856ddaa273ee817225ba77a12ddad02da464378ca0cbd98ddec708aeac96845ab8c718d35edc88b0ab06bb14ed53647ca

C:\Users\Admin\AppData\Local\Temp\_MEI20642\Crypto\Cipher\_raw_cbc.cp38-win_amd64.pyd

MD5 03c703a8f4c2a1443cccc8316af8940c
SHA1 046d8c846d9393e472064aa1250826994a785577
SHA256 ca09e03d93f3a330a467afd7fb998ad81dfd75fa7a1c2e202d6898f229c269d4
SHA512 a65bf31452e984de1f951a3bca97c9dc27ac113e5fd4e0d29fa2b67e6c1b24d48ba6513d1e2ceaa7617e92305171e9675379a0e97980a3ceec209c49cd687329

C:\Users\Admin\AppData\Local\Temp\_MEI20642\Crypto\Cipher\_raw_ecb.cp38-win_amd64.pyd

MD5 d4535f5b8683cd4b523d1f97232d3772
SHA1 1a6ce4eeb5acd1762f629478db14dfe8e361967f
SHA256 a8bd1b23f25393b26570a23f3083227dca1e2a6c4422581ff3e46cea3c4ac4ad
SHA512 447c9b1772f4a4f91961268e1b87c3576415f5257197db16336a3be8601dcfc8cd01dd1bb0676403633c58b8593aa9f558bbd53ccd994f5702df38c265358730

C:\Users\Admin\AppData\Local\Temp\_MEI20642\_sqlite3.pyd

MD5 a3a0cb078aa4fc5d5a081be54745a4c9
SHA1 42b1873c4633f9a0288ce4ee44c50234c0f03e22
SHA256 e0ed20d5ae660a18bf60e907ba7f21013e04305aa67aa3b8b5a1cee9bd4dcd27
SHA512 ac6628bf3908c053362b8c840a7934d704413ae673702052b06d23d71995702d1c562e36a6bde3ad0170eb71a77f43d702ad71f74bc21a3d770f05b95be16f4e

C:\Users\Admin\AppData\Local\sqlite_file

MD5 8f5942354d3809f865f9767eddf51314
SHA1 20be11c0d42fc0cef53931ea9152b55082d1a11e
SHA256 776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea
SHA512 fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218

memory/2604-1162-0x0000000070A00000-0x0000000070ACF000-memory.dmp