Malware Analysis Report

2024-09-09 18:02

Sample ID 240618-pxkrvsterb
Target boblox.exe
SHA256 a0135afc132a7f95cb5ebf4fe806806689338c50572ec36941b88b2dab5be2a7
Tags
persistence privilege_escalation spyware stealer upx
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

a0135afc132a7f95cb5ebf4fe806806689338c50572ec36941b88b2dab5be2a7

Threat Level: Shows suspicious behavior

The file boblox.exe was found to be: Shows suspicious behavior.

Malicious Activity Summary

persistence privilege_escalation spyware stealer upx

Loads dropped DLL

Reads user/profile data of web browsers

UPX packed file

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

Event Triggered Execution: Netsh Helper DLL

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Detects videocard installed

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-18 12:42

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-18 12:42

Reported

2024-06-18 12:45

Platform

win10v2004-20240508-en

Max time kernel

90s

Max time network

113s

Command Line

"C:\Users\Admin\AppData\Local\Temp\boblox.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\boblox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\boblox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\boblox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\boblox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\boblox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\boblox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\boblox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\boblox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\boblox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\boblox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\boblox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\boblox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\boblox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\boblox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\boblox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\boblox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\boblox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\boblox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\boblox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\boblox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\boblox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\boblox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\boblox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\boblox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\boblox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\boblox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\boblox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\boblox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\boblox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\boblox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\boblox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\boblox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\boblox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\boblox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\boblox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\boblox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\boblox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\boblox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\boblox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\boblox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\boblox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\boblox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\boblox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\boblox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\boblox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\boblox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\boblox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\boblox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\boblox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\boblox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\boblox.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\SYSTEM32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\SYSTEM32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\SYSTEM32\netsh.exe N/A

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\boblox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\boblox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\boblox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\boblox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\boblox.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\wmic.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\boblox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2040 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\boblox.exe C:\Users\Admin\AppData\Local\Temp\boblox.exe
PID 2040 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\boblox.exe C:\Users\Admin\AppData\Local\Temp\boblox.exe
PID 2044 wrote to memory of 3972 N/A C:\Users\Admin\AppData\Local\Temp\boblox.exe C:\Windows\SYSTEM32\netsh.exe
PID 2044 wrote to memory of 3972 N/A C:\Users\Admin\AppData\Local\Temp\boblox.exe C:\Windows\SYSTEM32\netsh.exe
PID 2044 wrote to memory of 1392 N/A C:\Users\Admin\AppData\Local\Temp\boblox.exe C:\Windows\system32\cmd.exe
PID 2044 wrote to memory of 1392 N/A C:\Users\Admin\AppData\Local\Temp\boblox.exe C:\Windows\system32\cmd.exe
PID 1392 wrote to memory of 1104 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1392 wrote to memory of 1104 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2044 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\boblox.exe C:\Windows\System32\Wbem\wmic.exe
PID 2044 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\boblox.exe C:\Windows\System32\Wbem\wmic.exe
PID 2044 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\boblox.exe C:\Windows\system32\cmd.exe
PID 2044 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\boblox.exe C:\Windows\system32\cmd.exe
PID 1612 wrote to memory of 4584 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1612 wrote to memory of 4584 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2044 wrote to memory of 408 N/A C:\Users\Admin\AppData\Local\Temp\boblox.exe C:\Windows\system32\cmd.exe
PID 2044 wrote to memory of 408 N/A C:\Users\Admin\AppData\Local\Temp\boblox.exe C:\Windows\system32\cmd.exe
PID 408 wrote to memory of 4572 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 408 wrote to memory of 4572 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2044 wrote to memory of 4292 N/A C:\Users\Admin\AppData\Local\Temp\boblox.exe C:\Windows\system32\cmd.exe
PID 2044 wrote to memory of 4292 N/A C:\Users\Admin\AppData\Local\Temp\boblox.exe C:\Windows\system32\cmd.exe
PID 4292 wrote to memory of 1804 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\wbem\WMIC.exe
PID 4292 wrote to memory of 1804 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\wbem\WMIC.exe
PID 2044 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\boblox.exe C:\Windows\system32\cmd.exe
PID 2044 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\boblox.exe C:\Windows\system32\cmd.exe
PID 3948 wrote to memory of 3284 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3948 wrote to memory of 3284 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2044 wrote to memory of 3160 N/A C:\Users\Admin\AppData\Local\Temp\boblox.exe C:\Windows\system32\cmd.exe
PID 2044 wrote to memory of 3160 N/A C:\Users\Admin\AppData\Local\Temp\boblox.exe C:\Windows\system32\cmd.exe
PID 3160 wrote to memory of 4288 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3160 wrote to memory of 4288 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe

Processes

C:\Users\Admin\AppData\Local\Temp\boblox.exe

"C:\Users\Admin\AppData\Local\Temp\boblox.exe"

C:\Users\Admin\AppData\Local\Temp\boblox.exe

"C:\Users\Admin\AppData\Local\Temp\boblox.exe"

C:\Windows\SYSTEM32\netsh.exe

netsh wlan show profiles

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic os get Caption"

C:\Windows\System32\Wbem\WMIC.exe

wmic os get Caption

C:\Windows\System32\Wbem\wmic.exe

wmic cpu get Name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"

C:\Windows\System32\Wbem\WMIC.exe

wmic computersystem get totalphysicalmemory

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid"

C:\Windows\System32\wbem\WMIC.exe

C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic path softwarelicensingservice get OA3xOriginalProductKey"

C:\Windows\System32\Wbem\WMIC.exe

wmic path softwarelicensingservice get OA3xOriginalProductKey

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"

C:\Windows\System32\Wbem\WMIC.exe

WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 gstatic.com udp
GB 172.217.16.227:443 gstatic.com tcp
US 8.8.8.8:53 227.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 discord.com udp
US 162.159.128.233:443 discord.com tcp
US 8.8.8.8:53 233.128.159.162.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 162.159.128.233:443 discord.com tcp
US 162.159.128.233:443 discord.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI20402\python312.dll

MD5 8f165bfadf970edafd59067ad45a3952
SHA1 16c1876f2233087156b49db35d4d935c6e17be6a
SHA256 22470af77229d53d9141823c12780db63c43703dd525940bc479730d2e43513d
SHA512 b3af95dc9a68e21e8eca98e451b935f72663c2552ebf26de299716f17193f238d55c292df953d641defcbcec3ea18eb37cd4b839800804efa8f40658427263ae

C:\Users\Admin\AppData\Local\Temp\_MEI20402\VCRUNTIME140.dll

MD5 be8dbe2dc77ebe7f88f910c61aec691a
SHA1 a19f08bb2b1c1de5bb61daf9f2304531321e0e40
SHA256 4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83
SHA512 0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

memory/2044-714-0x00007FFF90DE0000-0x00007FFF914A4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI20402\python3.DLL

MD5 a07661c5fad97379cf6d00332999d22c
SHA1 dca65816a049b3cce5c4354c3819fef54c6299b0
SHA256 5146005c36455e7ede4b8ecc0dc6f6fa8ea6b4a99fedbabc1994ae27dfab9d1b
SHA512 6ddeb9d89ccb4d2ec5d994d85a55e5e2cc7af745056dae030ab8d72ee7830f672003f4675b6040f123fc64c19e9b48cabd0da78101774dafacf74a88fbd74b4d

C:\Users\Admin\AppData\Local\Temp\_MEI20402\base_library.zip

MD5 43935f81d0c08e8ab1dfe88d65af86d8
SHA1 abb6eae98264ee4209b81996c956a010ecf9159b
SHA256 c611943f0aeb3292d049437cb03500cc2f8d12f23faf55e644bca82f43679bc0
SHA512 06a9dcd310aa538664b08f817ec1c6cfa3f748810d76559c46878ea90796804904d41ac79535c7f63114df34c0e5de6d0452bb30df54b77118d925f21cfa1955

C:\Users\Admin\AppData\Local\Temp\_MEI20402\_ctypes.pyd

MD5 fc609234e81821c069d54a7c8d4a7e05
SHA1 9aef96aa0276feb2df28ce0abf4ec1f2f766d011
SHA256 506cdca8f4cc4754a78edac3be230a5ec7ca4a0d61ef08fe0accab4080b2c69e
SHA512 bea687c1a9ed32db6c99be1c8689ac9e498f0ffce74c0c66c6c7653d58b6ee90e50df66c8a48b49854d47142fa9a930047f4828651193f7a500ae7fbc1882d2e

C:\Users\Admin\AppData\Local\Temp\_MEI20402\libffi-8.dll

MD5 be8ceb4f7cb0782322f0eb52bc217797
SHA1 280a7cc8d297697f7f818e4274a7edd3b53f1e4d
SHA256 7d08df2c496c32281bf9a010b62e8898b9743db8b95a7ebee12d746c2e95d676
SHA512 07318c71c3137114e0cfec7d8b4815fd6efa51ce70b377121f26dc469cefe041d5098e1c92af8ed0c53b21e9c845fddee4d6646d5bd8395a3f1370ba56a59571

memory/2044-724-0x00007FFFA2050000-0x00007FFFA205F000-memory.dmp

memory/2044-723-0x00007FFFA10A0000-0x00007FFFA10C5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI20402\_bz2.pyd

MD5 ab542da47a7745a2f588ca78d41734e0
SHA1 d8f1601548510333e35199e3b6bb4eaf994ca9ae
SHA256 4aba601dd528a85dad5975daf6aa394002c8a38582e4abb05a89684f52130084
SHA512 d80228ae846c562e08b08b92796e871e546760cd8ed92cbbe526675947ea2a5524ff4a93210e820c9f646912db24ff112ed2a354fc018a53a5161934c7fbd0f0

C:\Users\Admin\AppData\Local\Temp\_MEI20402\_lzma.pyd

MD5 ed15089e3c0c1b2ab5b73354abf0087b
SHA1 f51ade203d249e27ebf9ae2159220fabdb8726c0
SHA256 02fe60ad99452d53294514e8c6b8d95d79cc013742e3a4cd74b36601fc3fb09b
SHA512 a9f869b2988057c37d14ee56495ecbf2ec688517203a7e2d1bc1488f4d37c6e3d3fb6fb439442c86679a9cebbbd5b2e7b11d42f64bdbce7212b6411cd27073ac

C:\Users\Admin\AppData\Local\Temp\_MEI20402\_wmi.pyd

MD5 54ba74f0c557b0c0463c08b5d2439379
SHA1 8aa3f3f50501962f4a64ead15b24b6a77b06c5c5
SHA256 53d4c23bc2ba89ee5050bae9b498eebbcde5a1906e51389742780f0c976b861f
SHA512 fa4b6ca32a635f3a17d1e50b2b0a0c9e184cc104c2632b1d57c2a14db30272e6985a5665c567f49a5d4a6f36bfe80db9b5c591856d1667c024631a7050efb5fe

C:\Users\Admin\AppData\Local\Temp\_MEI20402\_uuid.pyd

MD5 50521b577719195d7618a23b3103d8aa
SHA1 7020d2e107000eaf0eddde74bc3809df2c638e22
SHA256 acbf831004fb8b8d5340fe5debd9814c49bd282dd765c78faeb6bb5116288c78
SHA512 4ee950da8bbbd36932b488ec62fa046ac8fc35783a146edadbe063b8419a63d4dfb5bbd8c45e9e008fe708e6fc4a1fee1202fce92ffc95320547ba714fed95e1

C:\Users\Admin\AppData\Local\Temp\_MEI20402\_ssl.pyd

MD5 318cfedf19856dbbc627e79ed9fd2b9c
SHA1 fb9b5565a033a8c6a4aee3f0a27de047714442d1
SHA256 efa7fef1f1456e19c44a787b62d047f5d73c6abb6a6d4201d125dc3d101fff09
SHA512 d5d616400fa33751bec6ce8786d4c29e6307f2042db0602907354734ff72387570201420290f5e99c375059ef7217159e254c44291b36f7f296574f506211e10

C:\Users\Admin\AppData\Local\Temp\_MEI20402\_sqlite3.pyd

MD5 435b49a7f84e7fbe0c6681932de37179
SHA1 a8a285579de10dacbfd053735c6f0ab930fe0fe2
SHA256 5321e5c26a9bcaebb58f11241121bd0d1e45f98dcfbb4d8457eae42f17b8328a
SHA512 13d7d7120a7a150d789b92964acbe6d2ea7ebb130d6cb1833456ea1cdd6654cdd1d8841165296b3f077935dbaec4a37ca7e45c395c0b72d9b6dc970dbb76136a

C:\Users\Admin\AppData\Local\Temp\_MEI20402\_socket.pyd

MD5 552d390e9c359bf460b87cfb9a24a48b
SHA1 d4920c3355b18087e9a392bea152cef90cc04a60
SHA256 f11b57f08a31e172cabae66830f9ef936e322a4df03ba5230d1621db4e7a24b6
SHA512 cfc59e43ab855f1c571db92c0df1258e88bc6db9d8569c2a5242b90d22f327503f4b4402f79f816f53f12a43f3d1ca84066231f0a3e719758340813f79528d8e

C:\Users\Admin\AppData\Local\Temp\_MEI20402\_queue.pyd

MD5 6cff25f6eb2872a07d52591cffe97ed7
SHA1 1e51fc338bcf4e868a827c8dd2d3573a60ec9a73
SHA256 b58694a5585645827ce1f0aa285e176e9328584917a36434132fd71c3f017d8d
SHA512 e847437f88dfd473272ed89f06fc9939c2e58e71f309275afa89599b4d79365459f763815660499be69b93b2440f3ed0dec88192d7d5b2be6ac2b79009a6442a

C:\Users\Admin\AppData\Local\Temp\_MEI20402\_overlapped.pyd

MD5 d2b3134bae2e401e1753aac8b9ca577e
SHA1 3b4c4fe61c724a6bc4ee423ee7a1efb007a1f515
SHA256 2386cf6ceaef4c6aa13974f913d6b3e6cde3b48e2fbb73f5c63ae6fe4384836f
SHA512 215609827121d9da6fa0bc884bd388391c46a799c22d54762775d591d9ae5e6bbce70011bc5f5237b6e526b79416c00f5daa8fc6baf70450ce37ced17fafa1f6

C:\Users\Admin\AppData\Local\Temp\_MEI20402\_multiprocessing.pyd

MD5 a2de86f88aad5c050f86d258b1f05617
SHA1 11824bbb09e5ee9865cadcbbfda1e0664c6d98ff
SHA256 f10fc80b19740eceb7fdce89c30d6670c9af7ed600fa7f881d27b8b5a054495f
SHA512 3662a8e6afa6b385a3e2682a49b0ae57f0f2aefc029eaaf841a228ec76c0f79c4e963b6f22eb345f4cad72b35bd72576a79a282d9816cf9b37b762773c10a80b

C:\Users\Admin\AppData\Local\Temp\_MEI20402\_hashlib.pyd

MD5 fa6ae459e8a2c3071bd373da5a4cfe18
SHA1 dbf6462e952efe70f4ad72c0c8688456833462d5
SHA256 20af24170652420bc06adbb2fc159ae9e61e71f2cad5370b423c9ce4c57ad5e1
SHA512 9846f7fcf86fd67b03080a6ec270e4c6ecb0fee7bd0019fddd976c26e062c5d41f35691384a2307ca80289010f73cecf7326d7f446971639698b2948c4f67c08

C:\Users\Admin\AppData\Local\Temp\_MEI20402\_decimal.pyd

MD5 e3245ba10c125de02593c0a67669ab17
SHA1 6b846b98ee8f663aa39d3c6c960df8bc84d82193
SHA256 306cc1df8631d632e9831d6a710c8776784c4655b107424290338c385e743026
SHA512 26c4d7280a93dc004b0a92689c43b9bcb6c0afa282d24581051fd18d0037499c2c77431636ca20a9225af002f254526cf66ff466b3b7fad0d73b8096ce1594fc

C:\Users\Admin\AppData\Local\Temp\_MEI20402\_cffi_backend.cp312-win_amd64.pyd

MD5 5225e3fc11136d4ad314367fa911a8b1
SHA1 c2cfb71d867e59f29d394131e0e6c8a2e71dee32
SHA256 08005b24e71411fc4acdb312a4558339595b1d12c6917f8d50c6166a9f122abe
SHA512 87bdeacaca87dc465de92fe8dda425560c5e6e149883113f4541f2d5ecc59f57523cde41ad48fa0081f820678182648afbf73839c249fe3f7d493dcf94e76248

C:\Users\Admin\AppData\Local\Temp\_MEI20402\VCRUNTIME140_1.dll

MD5 f8dfa78045620cf8a732e67d1b1eb53d
SHA1 ff9a604d8c99405bfdbbf4295825d3fcbc792704
SHA256 a113f192195f245f17389e6ecbed8005990bcb2476ddad33f7c4c6c86327afe5
SHA512 ba7f8b7ab0deb7a7113124c28092b543e216ca08d1cf158d9f40a326fb69f4a2511a41a59ea8482a10c9ec4ec8ac69b70dfe9ca65e525097d93b819d498da371

C:\Users\Admin\AppData\Local\Temp\_MEI20402\pyexpat.pyd

MD5 7291100352b163626455abf2252f2a96
SHA1 3c4d13bbf5fb69fe6f2af70f675ed2e437cea893
SHA256 01974148486d569e9f1ad62d36d4d54b5396b07c853bd50f358d5580fde331f4
SHA512 fc384703828bb7a38b51dcf1a131b49283808b5658395e1d1c5ee9a204f895da0c29b12a7b1fc9aa468babc5d6f03be638fecf519e41911bf015a481f95458bc

C:\Users\Admin\AppData\Local\Temp\_MEI20402\select.pyd

MD5 3b214dfb6ec4ca67be55b3aa52922827
SHA1 f665ffeab25d2bab506b873be944280586eb50f6
SHA256 7507a92c4787e9e7936a0b4a8eeb0a3f24e5ee12ae58cd7988543581d99817ac
SHA512 de4e9b9d79b01d21aca74179c6a3e8fc6fe041f71cdd78910fd893cda90c2cfe7e54ade91064333f37ffc880d446879a64dd8bb790677039df56df1f80ec6b45

memory/2044-759-0x00007FFFA0E80000-0x00007FFFA0E8D000-memory.dmp

memory/2044-758-0x00007FFFA0C70000-0x00007FFFA0C89000-memory.dmp

memory/2044-755-0x00007FFFA0E90000-0x00007FFFA0EC6000-memory.dmp

memory/2044-754-0x00007FFFA16A0000-0x00007FFFA16AF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI20402\libcrypto-3.dll

MD5 63eb76eccfe70cff3a3935c0f7e8ba0f
SHA1 a8dd05dce28b79047e18633aee5f7e68b2f89a36
SHA256 785c8dde9803f8e1b279895c4e598a57dc7b01e0b1a914764fcedef0d7928b4e
SHA512 8da31fa77ead8711c0c6ffedcef6314f29d02a95411c6aacec626e150f329a5b96e9fdeae8d1a5e24d1ca5384ae2f0939a5cc0d58eb8bdbc5f00e62736dcc322

memory/2044-763-0x00007FFFA0C60000-0x00007FFFA0C6D000-memory.dmp

memory/2044-765-0x00007FFF908B0000-0x00007FFF90DD9000-memory.dmp

memory/2044-764-0x00007FFFA0C40000-0x00007FFFA0C54000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI20402\_asyncio.pyd

MD5 6880e3d5872fefa9810753e181cf3033
SHA1 e875467792bbe3c4117040f6cf935a7a60a21d55
SHA256 c7000207e8c406f3a18b006649248906963834ff901c7b8b9f627d534e31575b
SHA512 f501bfe8300b20a621d587d9a86e1228ab90da5f4cab8ed47a2822617ca5eeaf66691756228745ff24084ba481f6b3eedcddfc4a4869cd56334e8ca53a92148d

C:\Users\Admin\AppData\Local\Temp\_MEI20402\unicodedata.pyd

MD5 97f08bbcf9903c768668b1cd1e30aada
SHA1 84e2dc5c3662bd39ac09b5f682a59104ffec16d2
SHA256 c5c2997c3b16eb8b89fe230582a579a753efc8317ffd95d9795ec2762aa54ed9
SHA512 076ca0017ae252d62d4a3bd7a42af95800e39a164bda990a0ca651aa2f0df2736c0dfdc086d8328a1834ae89f17716c5f76e798460a90263d1d8b6f2c233c686

C:\Users\Admin\AppData\Local\Temp\_MEI20402\sqlite3.dll

MD5 b26fa7619d82c7272b7279eb7aae801c
SHA1 fa6a3240a531615a0853306f3b3d66aed98a04d8
SHA256 74dc76a2a2d06d61f9f06bd3b0972bfb30ab57b0e5cb8c3011e79ce4a52924f0
SHA512 20b0d6cf3e07ca0d565f140c9f9c1e218406ed9bdaaf75433858acb250bfb71bb134a6479fdcf6d4d0e0252707b1fb14f9c9d3e4d6a40824c3fdc7a43dfad0ee

C:\Users\Admin\AppData\Local\Temp\_MEI20402\luna.aes

MD5 317423404233dd16512405b7b18c4baf
SHA1 884ad410710e2d49eb5cb75c0282c45da0645396
SHA256 9f47ea291c38cc6aa357a18f4b8120a5f88fb028150fe2e3edd5843662393962
SHA512 a36c16f3a65052de9c15ccfd480fa429ec8a431d801062bdf95bdb5525965aacc82307e6023bce55093c1dfc7a24e884d096ea3343def2e42fa61cb38c7a6b85

C:\Users\Admin\AppData\Local\Temp\_MEI20402\libssl-3.dll

MD5 7e87c34b39f3a8c332df6e15fd83160b
SHA1 db712b55f23d8e946c2d91cbbeb7c9a78a92b484
SHA256 41448b8365b3a75cf33894844496eb03f84e5422b72b90bdcb9866051939c601
SHA512 eceda8b66736edf7f8e7e6d5a17e280342e989c5195525c697cc02dda80fd82d62c7fd4dc6c4825425bae69a820e1262b8d8cc00dbcd73868a26e16c14ac5559

memory/2044-728-0x00007FFFA0F00000-0x00007FFFA0F1A000-memory.dmp

memory/2044-730-0x00007FFFA0ED0000-0x00007FFFA0EFD000-memory.dmp

memory/2044-768-0x00007FFFA0C00000-0x00007FFFA0C33000-memory.dmp

memory/2044-769-0x00007FFF907E0000-0x00007FFF908AD000-memory.dmp

memory/2044-771-0x00007FFFA0BD0000-0x00007FFFA0BE6000-memory.dmp

memory/2044-774-0x00007FFF92D50000-0x00007FFF92D62000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI20402\zstandard\backend_c.cp312-win_amd64.pyd

MD5 4dd9c42a89ddf77fef7aa34a71c5b480
SHA1 fc4c03ffcf81fb255b54c4f16f6ed90d5a1f37d4
SHA256 f76dc6f9ace0d356dbfdea443c3d43232342f48384f4afc7293b2ace813477e7
SHA512 02c04fa2fa1d8136730f2596740049664a4f9343fb56de195988d80151cb38e67e7fee1c140d2c5d7c439f19df377cc6e253f5178711f72b821eae3076b4e142

C:\Users\Admin\AppData\Local\Temp\_MEI20402\charset_normalizer\md.cp312-win_amd64.pyd

MD5 e4fad9ff1b85862a6afaca2495d9f019
SHA1 0e47d7c5d4de3a1d7e3bb31bd47ea22cc4ddeac4
SHA256 e5d362766e9806e7e64709de7e0cff40e03123d821c3f30cac5bac1360e08c18
SHA512 706fb033fc2079b0aabe969bc51ccb6ffaaf1863daf0e4a83d6f13adc0fedab61cee2b63efb40f033aea22bf96886834d36f50af36e6e25b455e941c1676a30a

memory/2044-781-0x00007FFF90DE0000-0x00007FFF914A4000-memory.dmp

memory/2044-786-0x00007FFFA10A0000-0x00007FFFA10C5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI20402\certifi\cacert.pem

MD5 2a6bef11d1f4672f86d3321b38f81220
SHA1 b4146c66e7e24312882d33b16b2ee140cb764b0e
SHA256 1605d0d39c5e25d67e7838da6a17dcf2e8c6cfa79030e8fb0318e35f5495493c
SHA512 500dfff929d803b0121796e8c1a30bdfcb149318a4a4de460451e093e4cbd568cd12ab20d0294e0bfa7efbd001de968cca4c61072218441d4fa7fd9edf7236d9

memory/2044-785-0x00007FFF92D20000-0x00007FFF92D47000-memory.dmp

memory/2044-784-0x00007FFF90630000-0x00007FFF9074B000-memory.dmp

memory/2044-783-0x00007FFFA0B50000-0x00007FFFA0B5B000-memory.dmp

memory/2044-782-0x00007FFF90750000-0x00007FFF907D7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI20402\charset_normalizer\md__mypyc.cp312-win_amd64.pyd

MD5 5c643741418d74c743ca128ff3f50646
SHA1 0b499a3228865a985d86c1199d14614096efd8a0
SHA256 2d86563fdfdc39894a53a293810744915192f3b3f40a47526551e66cdb9cb35c
SHA512 45d02b854557d8f9c25ca8136fa6d3daed24275cc77b1c98038752daed4318bd081c889ff1f4fa8a28e734c9167f477350a8fa863f61729c30c76e7a91d61a97

C:\Users\Admin\AppData\Local\Temp\_MEI20402\psutil\_psutil_windows.pyd

MD5 8a8e3fdcafb2d8f07b54028edafb5b09
SHA1 9eccb4d95d1e700109e3c786713b523958b14c25
SHA256 a1a297c62345f33d3bdb7db4e4b23b3aad75057440d1218d34291b57b1538423
SHA512 a32dc4e508e0b844fa7fd1efade9af999b3bd9116bc93657d6718608b8cdee3e3b1b753ea52549d2f36a831f7bf0edd661f57693d1fa5b1b84bc0d894fcff258

memory/2044-791-0x00007FFF92920000-0x00007FFF92938000-memory.dmp

memory/2044-795-0x00007FFF901B0000-0x00007FFF9032F000-memory.dmp

memory/2044-794-0x00007FFF919B0000-0x00007FFF919D4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI20402\Cryptodome\Cipher\_raw_cbc.pyd

MD5 d9f0780e8df9e0adb12d1c4c39d6c9be
SHA1 2335d8d81c1a65d4f537553d66b70d37bc9a55b6
SHA256 e91c6bba58cf9dd76cb573f787c76f1da4481f4cbcdf5da3899cce4d3754bbe7
SHA512 7785aadb25cffdb736ce5f9ae4ca2d97b634bc969a0b0cb14815afaff4398a529a5f86327102b8005ace30c0d196b2c221384a54d7db040c08f0a01de3621d42

C:\Users\Admin\AppData\Local\Temp\_MEI20402\Cryptodome\Cipher\_raw_ecb.pyd

MD5 768559588eef33d33d9fa64ab5ed482b
SHA1 09be733f1deed8593c20afaf04042f8370e4e82f
SHA256 57d3efc53d8c4be726597a1f3068947b895b5b8aba47fd382c600d8e72125356
SHA512 3bf9cd35906e6e408089faea9ffcdf49cc164f58522764fe9e481d41b0e9c6ff14e13b0954d2c64bb942970bbf9d94d07fce0c0d5fdbd6ca045649675ecff0f2

memory/2044-807-0x00007FFF919A0000-0x00007FFF919AC000-memory.dmp

memory/2044-806-0x00007FFF92900000-0x00007FFF9290B000-memory.dmp

memory/2044-805-0x00007FFFA0E80000-0x00007FFFA0E8D000-memory.dmp

memory/2044-804-0x00007FFF92910000-0x00007FFF9291C000-memory.dmp

memory/2044-824-0x00007FFF90600000-0x00007FFF9060C000-memory.dmp

memory/2044-823-0x00007FFF90610000-0x00007FFF9061E000-memory.dmp

memory/2044-822-0x00007FFFA0C40000-0x00007FFFA0C54000-memory.dmp

memory/2044-821-0x00007FFF90620000-0x00007FFF9062C000-memory.dmp

memory/2044-820-0x00007FFF8FF10000-0x00007FFF90155000-memory.dmp

memory/2044-819-0x00007FFF90160000-0x00007FFF9017C000-memory.dmp

memory/2044-818-0x00007FFF90540000-0x00007FFF9054B000-memory.dmp

memory/2044-817-0x00007FFF90180000-0x00007FFF901AE000-memory.dmp

memory/2044-816-0x00007FFF90550000-0x00007FFF90579000-memory.dmp

memory/2044-815-0x00007FFF90580000-0x00007FFF9058C000-memory.dmp

memory/2044-814-0x00007FFF90590000-0x00007FFF905A2000-memory.dmp

memory/2044-813-0x00007FFF905B0000-0x00007FFF905BD000-memory.dmp

memory/2044-812-0x00007FFF905C0000-0x00007FFF905CC000-memory.dmp

memory/2044-811-0x00007FFF905D0000-0x00007FFF905DC000-memory.dmp

memory/2044-810-0x00007FFF905E0000-0x00007FFF905EB000-memory.dmp

memory/2044-809-0x00007FFF905F0000-0x00007FFF905FB000-memory.dmp

memory/2044-808-0x00007FFF908B0000-0x00007FFF90DD9000-memory.dmp

memory/2044-803-0x00007FFF97E30000-0x00007FFF97E3B000-memory.dmp

memory/2044-802-0x00007FFF9A6C0000-0x00007FFF9A6CC000-memory.dmp

memory/2044-801-0x00007FFF9FE20000-0x00007FFF9FE2B000-memory.dmp

memory/2044-800-0x00007FFF9FEA0000-0x00007FFF9FEAB000-memory.dmp

memory/2044-799-0x00007FFFA16A0000-0x00007FFFA16AF000-memory.dmp

memory/2044-862-0x00007FFF907E0000-0x00007FFF908AD000-memory.dmp

memory/2044-863-0x00007FFFA0BD0000-0x00007FFFA0BE6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MK2d7fwA0d\Common Files\BackupUndo.bin

MD5 41ea0340b802f291a8fce5d3d2f5c39c
SHA1 4832c12c5c704549c456f91d97643394919581f3
SHA256 a93d24ff5cb7a562fcd79eb4d1bdc9eab9e08bdc75ea0a358528a500f56be96e
SHA512 db24130ca9b4bde8200d858aaa343c8b7e3c602ca1ad521bafd1931eaab16e99fc8d17c2073a0765264329790d1e0ff9daf12020c5b3877a92ceccc9eb482afe

C:\Users\Admin\AppData\Local\Temp\MK2d7fwA0d\Common Files\Are.docx

MD5 a33e5b189842c5867f46566bdbf7a095
SHA1 e1c06359f6a76da90d19e8fd95e79c832edb3196
SHA256 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
SHA512 f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

C:\Users\Admin\AppData\Local\Temp\MK2d7fwA0d\Common Files\ExportBackup.dotx

MD5 1a0139ca62b7a4ea410ffb0b44c47cc1
SHA1 d0bef29febe4ec1bc2fe58192810678452fad960
SHA256 08915258e6fe2b336e94e16ef0de45ddfe25a9b558642b91c1550672556007f9
SHA512 97b0b9df218afdc801ae87e4b646e3d33525f8539b3206eebe04ba81126cf94e64d2079fd6a340bada7773c2fab86d1e7fb8ce9724077b92a15e7c13620173e2

C:\Users\Admin\AppData\Local\Temp\MK2d7fwA0d\Common Files\Files.docx

MD5 4a8fbd593a733fc669169d614021185b
SHA1 166e66575715d4c52bcb471c09bdbc5a9bb2f615
SHA256 714cd32f8edacb3befbfc4b17db5b6eb05c2c8936e3bae14ea25a6050d88ae42
SHA512 6b2ebbbc34cd821fd9b3d7711d9cdadd8736412227e191883e5df19068f8118b7c80248eb61cc0a2f785a4153871a6003d79de934254b2c74c33b284c507a33b

C:\Users\Admin\AppData\Local\Temp\MK2d7fwA0d\Common Files\BackupUnlock.DVR-MS

MD5 aeb504c1a9be5743cf819d9de57c9109
SHA1 6e3039c6cd4f3b501f3bc50fff70950e98ba21d3
SHA256 9c3d0b8d3626aac519ffc8b7e0abcc94e3b7027f8b8a1dd622952852b41fb901
SHA512 e899adb9e0393bddf9185e43602398ce1e781c6ca7513e517be28b65e45ba2d760fba2312c11deb4fbf4c2fd20578e7fb3b1c58318e66af3042fb453e91afeb9

C:\Users\Admin\AppData\Local\Temp\MK2d7fwA0d\Browser\history.txt

MD5 5638715e9aaa8d3f45999ec395e18e77
SHA1 4e3dc4a1123edddf06d92575a033b42a662fe4ad
SHA256 4db7f6559c454d34d9c2d557524603c3f52649c2d69b26b6e8384a3d179aeae6
SHA512 78c96efab1d941e34d3137eae32cef041e2db5b0ebbf883e6a2effa79a323f66e00cfb7c45eb3398b3cbd0469a2be513c3ff63e5622261857eefc1685f77f76b

C:\Users\Admin\AppData\Local\Temp\MK2d7fwA0d\Browser\cc's.txt

MD5 5aa796b6950a92a226cc5c98ed1c47e8
SHA1 6706a4082fc2c141272122f1ca424a446506c44d
SHA256 c4c83da3a904a4e7114f9bd46790db502cdd04800e684accb991cd1a08ee151c
SHA512 976f403257671e8f652bf988f4047202e1a0fd368fdb2bab2e79ece1c20c7eb775c4b3a8853c223d4f750f4192cd09455ff024918276dc1dd1442fa3b36623ad

C:\Users\Admin\AppData\Local\Temp\MK2d7fwA0d\Common Files\FindSet.csv

MD5 3bfde5e15494ef4a56e6040b0af506f2
SHA1 3cd175913003211e04282144121e0eea06124588
SHA256 77939cbc28fc01ccddffb3b1ddd9a87ed025aa3b8a03b96d5d65a7f0d4a77216
SHA512 245bacb1f4c50d206e6e0908629a56bc214334de2290c01c2050b5afefc62a7784caae105051f94d0e046c3d5364cdc482a92137e14588fb04337019c73b7f5d

C:\Users\Admin\AppData\Local\Temp\MK2d7fwA0d\Common Files\LockMount.rtf

MD5 38eb2dda29f3671ebd127309164a61f6
SHA1 18a6bb6f2425046eb785cca3a0479fdda5d8ec00
SHA256 495f41764759024318ea8823e2ed127e4a400d17157795fc639f9227a79d97c1
SHA512 ea51bfa2288786eab9804ab405508eea9da2131b52b678b010a77763d430cc30349a9c2c5e64fd7d81bc36bf7ae5468978700911a1c4b837eeec66485ccfce81

C:\Users\Admin\AppData\Local\Temp\MK2d7fwA0d\Common Files\WaitWrite.xls

MD5 0a06b1ad7adc6461eaacb2a7f663995b
SHA1 de11d1133d7f3186189a3e7f18391d04db9bca32
SHA256 30cbe6752ca3a24337604238e53c49ac8d7da9d038ad1c4b13829ce264208684
SHA512 4dcde8b7a54887770f0d43df8cae686f2ff9dc86535a11556a36fbcac943786f52b0fe98078fc083bb1e8d437498b4f2feffebdbfe46c15772227c4f4333eaf5

memory/2044-924-0x00007FFF92920000-0x00007FFF92938000-memory.dmp

memory/2044-936-0x00007FFF92D20000-0x00007FFF92D47000-memory.dmp

memory/2044-935-0x00007FFF90630000-0x00007FFF9074B000-memory.dmp

memory/2044-926-0x00007FFF901B0000-0x00007FFF9032F000-memory.dmp

memory/2044-925-0x00007FFF919B0000-0x00007FFF919D4000-memory.dmp

memory/2044-916-0x00007FFFA0C00000-0x00007FFFA0C33000-memory.dmp

memory/2044-905-0x00007FFFA10A0000-0x00007FFFA10C5000-memory.dmp

memory/2044-904-0x00007FFF90DE0000-0x00007FFF914A4000-memory.dmp

memory/2044-943-0x00007FFFA63E0000-0x00007FFFA63EF000-memory.dmp

memory/2044-996-0x00007FFF90630000-0x00007FFF9074B000-memory.dmp

memory/2044-1005-0x00007FFF9FEA0000-0x00007FFF9FEAB000-memory.dmp

memory/2044-1017-0x00007FFF8FF10000-0x00007FFF90155000-memory.dmp

memory/2044-1016-0x00007FFF90160000-0x00007FFF9017C000-memory.dmp

memory/2044-1015-0x00007FFF90540000-0x00007FFF9054B000-memory.dmp

memory/2044-1014-0x00007FFF90180000-0x00007FFF901AE000-memory.dmp

memory/2044-1013-0x00007FFF90550000-0x00007FFF90579000-memory.dmp

memory/2044-1012-0x00007FFF90580000-0x00007FFF9058C000-memory.dmp

memory/2044-1011-0x00007FFF90590000-0x00007FFF905A2000-memory.dmp

memory/2044-1010-0x00007FFF905B0000-0x00007FFF905BD000-memory.dmp

memory/2044-1009-0x00007FFF905C0000-0x00007FFF905CC000-memory.dmp

memory/2044-1008-0x00007FFF905D0000-0x00007FFF905DC000-memory.dmp

memory/2044-1007-0x00007FFF905E0000-0x00007FFF905EB000-memory.dmp

memory/2044-1006-0x00007FFF905F0000-0x00007FFF905FB000-memory.dmp

memory/2044-1004-0x00007FFF90600000-0x00007FFF9060C000-memory.dmp

memory/2044-1003-0x00007FFF97E30000-0x00007FFF97E3B000-memory.dmp

memory/2044-1002-0x00007FFF9A6C0000-0x00007FFF9A6CC000-memory.dmp

memory/2044-1001-0x00007FFF9FE20000-0x00007FFF9FE2B000-memory.dmp

memory/2044-1000-0x00007FFF919A0000-0x00007FFF919AC000-memory.dmp

memory/2044-999-0x00007FFF901B0000-0x00007FFF9032F000-memory.dmp

memory/2044-998-0x00007FFF919B0000-0x00007FFF919D4000-memory.dmp

memory/2044-997-0x00007FFF92920000-0x00007FFF92938000-memory.dmp

memory/2044-995-0x00007FFFA0B50000-0x00007FFFA0B5B000-memory.dmp

memory/2044-994-0x00007FFF90750000-0x00007FFF907D7000-memory.dmp

memory/2044-993-0x00007FFF92D50000-0x00007FFF92D62000-memory.dmp

memory/2044-992-0x00007FFFA0BD0000-0x00007FFFA0BE6000-memory.dmp

memory/2044-991-0x00007FFF907E0000-0x00007FFF908AD000-memory.dmp

memory/2044-990-0x00007FFFA0C00000-0x00007FFFA0C33000-memory.dmp

memory/2044-989-0x00007FFF90610000-0x00007FFF9061E000-memory.dmp

memory/2044-988-0x00007FFFA0C40000-0x00007FFFA0C54000-memory.dmp

memory/2044-987-0x00007FFFA0C60000-0x00007FFFA0C6D000-memory.dmp

memory/2044-986-0x00007FFFA0E80000-0x00007FFFA0E8D000-memory.dmp

memory/2044-985-0x00007FFFA0C70000-0x00007FFFA0C89000-memory.dmp

memory/2044-984-0x00007FFFA0E90000-0x00007FFFA0EC6000-memory.dmp

memory/2044-983-0x00007FFF92910000-0x00007FFF9291C000-memory.dmp

memory/2044-982-0x00007FFFA0ED0000-0x00007FFFA0EFD000-memory.dmp

memory/2044-981-0x00007FFFA0F00000-0x00007FFFA0F1A000-memory.dmp

memory/2044-980-0x00007FFFA2050000-0x00007FFFA205F000-memory.dmp

memory/2044-979-0x00007FFFA10A0000-0x00007FFFA10C5000-memory.dmp

memory/2044-978-0x00007FFF90620000-0x00007FFF9062C000-memory.dmp

memory/2044-975-0x00007FFF92900000-0x00007FFF9290B000-memory.dmp

memory/2044-965-0x00007FFF92D20000-0x00007FFF92D47000-memory.dmp

memory/2044-958-0x00007FFF908B0000-0x00007FFF90DD9000-memory.dmp

memory/2044-952-0x00007FFFA16A0000-0x00007FFFA16AF000-memory.dmp

memory/2044-947-0x00007FFF90DE0000-0x00007FFF914A4000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-18 12:42

Reported

2024-06-18 12:45

Platform

win7-20240508-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\boblox.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\boblox.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\boblox.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\boblox.exe

"C:\Users\Admin\AppData\Local\Temp\boblox.exe"

C:\Users\Admin\AppData\Local\Temp\boblox.exe

"C:\Users\Admin\AppData\Local\Temp\boblox.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\_MEI15962\python312.dll

MD5 8f165bfadf970edafd59067ad45a3952
SHA1 16c1876f2233087156b49db35d4d935c6e17be6a
SHA256 22470af77229d53d9141823c12780db63c43703dd525940bc479730d2e43513d
SHA512 b3af95dc9a68e21e8eca98e451b935f72663c2552ebf26de299716f17193f238d55c292df953d641defcbcec3ea18eb37cd4b839800804efa8f40658427263ae

memory/1776-712-0x000007FEF5BF0000-0x000007FEF62B4000-memory.dmp

memory/1776-713-0x000007FEF5BF0000-0x000007FEF62B4000-memory.dmp