Analysis Overview
SHA256
34d8469a325db034742a082299caef8a82f2e0e18e6988fdaf15efea34f9ef6f
Threat Level: Known bad
The file Towers (Paid).exe was found to be: Known bad.
Malicious Activity Summary
Modifies visibility of hidden/system files in Explorer
Executes dropped EXE
Loads dropped DLL
Looks up external IP address via web service
Adds Run key to start application
Drops file in System32 directory
Drops file in Windows directory
Enumerates physical storage devices
Detects Pyinstaller
Unsigned PE
Suspicious use of SendNotifyMessage
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: LoadsDriver
Suspicious behavior: GetForegroundWindowSpam
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
| Reported | 2024-06-19 00:26 |
Signatures
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
| Submitted | 2024-06-19 00:26 |
| Reported | 2024-06-19 00:29 |
| Platform | win7-20240419-en |
| Max time kernel | 150s |
| Max time network | 119s |
Command Line
Signatures
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\resources\themes\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\resources\svchost.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\users\admin\appdata\local\temp\towers (paid).exe | N/A |
| N/A | N/A | C:\Windows\Resources\Themes\icsys.icn.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\svchost.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\users\admin\appdata\local\temp\towers (paid).exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Towers (Paid).exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Towers (Paid).exe | N/A |
| N/A | N/A | C:\Windows\Resources\Themes\icsys.icn.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\svchost.exe | N/A |
| N/A | N/A | \??\c:\users\admin\appdata\local\temp\towers (paid).exe | N/A |
| N/A | N/A | \??\c:\users\admin\appdata\local\temp\towers (paid).exe | N/A |
| N/A | N/A | \??\c:\users\admin\appdata\local\temp\towers (paid).exe | N/A |
| N/A | N/A | \??\c:\users\admin\appdata\local\temp\towers (paid).exe | N/A |
| N/A | N/A | \??\c:\users\admin\appdata\local\temp\towers (paid).exe | N/A |
| N/A | N/A | \??\c:\users\admin\appdata\local\temp\towers (paid).exe | N/A |
| N/A | N/A | \??\c:\users\admin\appdata\local\temp\towers (paid).exe | N/A |
| N/A | N/A | \??\c:\users\admin\appdata\local\temp\towers (paid).exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | \??\c:\windows\resources\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | \??\c:\windows\resources\themes\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | \??\c:\windows\resources\themes\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | \??\c:\windows\resources\svchost.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\explorer.exe | \??\c:\windows\resources\themes\explorer.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\explorer.exe | \??\c:\windows\resources\svchost.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Resources\Themes\icsys.icn.exe | C:\Users\Admin\AppData\Local\Temp\Towers (Paid).exe | N/A |
| File opened for modification | \??\c:\windows\resources\themes\explorer.exe | C:\Windows\Resources\Themes\icsys.icn.exe | N/A |
| File opened for modification | \??\c:\windows\resources\spoolsv.exe | \??\c:\windows\resources\themes\explorer.exe | N/A |
| File opened for modification | \??\c:\windows\resources\svchost.exe | \??\c:\windows\resources\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Resources\tjud.exe | \??\c:\windows\resources\themes\explorer.exe | N/A |
| File opened for modification | C:\Windows\Resources\Themes\icsys.icn | \??\c:\windows\resources\svchost.exe | N/A |
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\svchost.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Towers (Paid).exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Towers (Paid).exe | N/A |
| N/A | N/A | C:\Windows\Resources\Themes\icsys.icn.exe | N/A |
| N/A | N/A | C:\Windows\Resources\Themes\icsys.icn.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\svchost.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\svchost.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\spoolsv.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\Towers (Paid).exe | "C:\Users\Admin\AppData\Local\Temp\Towers (Paid).exe" |
| \??\c:\users\admin\appdata\local\temp\towers (paid).exe | "c:\users\admin\appdata\local\temp\towers (paid).exe " |
| C:\Windows\Resources\Themes\icsys.icn.exe | C:\Windows\Resources\Themes\icsys.icn.exe |
| \??\c:\windows\resources\themes\explorer.exe | c:\windows\resources\themes\explorer.exe |
| \??\c:\windows\resources\spoolsv.exe | c:\windows\resources\spoolsv.exe SE |
| \??\c:\windows\resources\svchost.exe | c:\windows\resources\svchost.exe |
| \??\c:\windows\resources\spoolsv.exe | c:\windows\resources\spoolsv.exe PR |
| C:\Windows\Explorer.exe | C:\Windows\Explorer.exe |
| C:\Windows\SysWOW64\schtasks.exe | schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 00:29 /f |
| \??\c:\users\admin\appdata\local\temp\towers (paid).exe | "c:\users\admin\appdata\local\temp\towers (paid).exe " |
| C:\Windows\SysWOW64\schtasks.exe | schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 00:30 /f |
| C:\Windows\explorer.exe | "C:\Windows\explorer.exe" |
| C:\Windows\SysWOW64\schtasks.exe | schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 00:31 /f |
Network
Files
\Users\Admin\AppData\Local\Temp\towers (paid).exe
\Windows\Resources\Themes\icsys.icn.exe
C:\Windows\Resources\Themes\explorer.exe
\Windows\Resources\spoolsv.exe
C:\Windows\Resources\svchost.exe
C:\Users\Admin\AppData\Local\Temp\_MEI5482\ucrtbase.dll
C:\Users\Admin\AppData\Local\Temp\_MEI5482\api-ms-win-core-localization-l1-2-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI5482\api-ms-win-core-processthreads-l1-1-1.dll
C:\Users\Admin\AppData\Local\Temp\_MEI5482\api-ms-win-core-file-l1-2-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI5482\api-ms-win-core-timezone-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI5482\api-ms-win-core-file-l2-1-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI5482\python310.dll
Analysis: behavioral2
Detonation Overview
| Submitted | 2024-06-19 00:26 |
| Reported | 2024-06-19 00:29 |
| Platform | win10v2004-20240508-en |
| Max time kernel | 150s |
| Max time network | 141s |
Command Line
Signatures
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\resources\themes\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\resources\svchost.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\users\admin\appdata\local\temp\towers (paid).exe | N/A |
| N/A | N/A | C:\Windows\Resources\Themes\icsys.icn.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\svchost.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\users\admin\appdata\local\temp\towers (paid).exe | N/A |
Loads dropped DLL
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | \??\c:\windows\resources\themes\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | \??\c:\windows\resources\themes\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | \??\c:\windows\resources\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | \??\c:\windows\resources\svchost.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\explorer.exe | \??\c:\windows\resources\themes\explorer.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\explorer.exe | \??\c:\windows\resources\svchost.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Resources\tjud.exe | \??\c:\windows\resources\themes\explorer.exe | N/A |
| File opened for modification | C:\Windows\Resources\Themes\icsys.icn.exe | C:\Users\Admin\AppData\Local\Temp\Towers (Paid).exe | N/A |
| File opened for modification | \??\c:\windows\resources\themes\explorer.exe | C:\Windows\Resources\Themes\icsys.icn.exe | N/A |
| File opened for modification | \??\c:\windows\resources\spoolsv.exe | \??\c:\windows\resources\themes\explorer.exe | N/A |
| File opened for modification | \??\c:\windows\resources\svchost.exe | \??\c:\windows\resources\spoolsv.exe | N/A |
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\svchost.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | \??\c:\users\admin\appdata\local\temp\towers (paid).exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Towers (Paid).exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Towers (Paid).exe | N/A |
| N/A | N/A | C:\Windows\Resources\Themes\icsys.icn.exe | N/A |
| N/A | N/A | C:\Windows\Resources\Themes\icsys.icn.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\svchost.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\svchost.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\spoolsv.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\Towers (Paid).exe | "C:\Users\Admin\AppData\Local\Temp\Towers (Paid).exe" |
| \??\c:\users\admin\appdata\local\temp\towers (paid).exe | "c:\users\admin\appdata\local\temp\towers (paid).exe " |
| C:\Windows\Resources\Themes\icsys.icn.exe | C:\Windows\Resources\Themes\icsys.icn.exe |
| \??\c:\windows\resources\themes\explorer.exe | c:\windows\resources\themes\explorer.exe |
| \??\c:\windows\resources\spoolsv.exe | c:\windows\resources\spoolsv.exe SE |
| \??\c:\windows\resources\svchost.exe | c:\windows\resources\svchost.exe |
| \??\c:\windows\resources\spoolsv.exe | c:\windows\resources\spoolsv.exe PR |
| \??\c:\users\admin\appdata\local\temp\towers (paid).exe | "c:\users\admin\appdata\local\temp\towers (paid).exe " |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c "ver" |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c |
| C:\Windows\System32\Wbem\wmic.exe | wmic csproduct get uuid |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c cls |
| C:\Windows\system32\taskmgr.exe | "C:\Windows\system32\taskmgr.exe" /7 |
| C:\Windows\System32\rundll32.exe | C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault445c50e9hee2ch4633h9df6h11f161a5a6d0 |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffc3bba46f8,0x7ffc3bba4708,0x7ffc3bba4718 |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1788,15889987451400041709,18049542054072408275,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2000 /prefetch:2 |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1788,15889987451400041709,18049542054072408275,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:3 |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1788,15889987451400041709,18049542054072408275,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2932 /prefetch:8 |
| C:\Windows\System32\CompPkgSrv.exe | C:\Windows\System32\CompPkgSrv.exe -Embedding |
| C:\Windows\System32\CompPkgSrv.exe | C:\Windows\System32\CompPkgSrv.exe -Embedding |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 8.8.8.8:53 | cxcs.microsoft.net | udp |
Files
C:\Users\Admin\AppData\Local\Temp\towers (paid).exe
C:\Windows\Resources\Themes\icsys.icn.exe
C:\Windows\Resources\Themes\explorer.exe
C:\Windows\Resources\spoolsv.exe
C:\Windows\Resources\svchost.exe
C:\Users\Admin\AppData\Local\Temp\_MEI32042\ucrtbase.dll
C:\Users\Admin\AppData\Local\Temp\_MEI32042\python310.dll
C:\Users\Admin\AppData\Local\Temp\_MEI32042\VCRUNTIME140.dll
C:\Users\Admin\AppData\Local\Temp\_MEI32042\python3.dll
C:\Users\Admin\AppData\Local\Temp\_MEI32042\libffi-7.dll
C:\Users\Admin\AppData\Local\Temp\_MEI32042\_lzma.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI32042\pyexpat.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI32042\_queue.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI32042\libssl-1_1.dll
C:\Users\Admin\AppData\Local\Temp\_MEI32042\_hashlib.pyd
| MD5 | 49ce7a28e1c0eb65a9a583a6ba44fa3b |
| SHA1 | dcfbee380e7d6c88128a807f381a831b6a752f10 |
| SHA256 | 1be5cfd06a782b2ae8e4629d9d035cbc487074e8f63b9773c85e317be29c0430 |
| SHA512 | cf1f96d6d61ecb2997bb541e9eda7082ef4a445d3dd411ce6fd71b0dfe672f4dfaddf36ae0fb7d5f6d1345fbd90c19961a8f35328332cdaa232f322c0bf9a1f9 |
C:\Users\Admin\AppData\Local\Temp\_MEI32042\cryptography\hazmat\bindings\_openssl.pyd
| MD5 | c13cd7eaa142967f046b9d946c13f440 |
| SHA1 | c93f916166e336a22c2468ad7d4bdfad3587eb30 |
| SHA256 | ef97e76d44a88f7c6b3fff9bee09ef265e709694d3662730edf38670442f69e7 |
| SHA512 | 82222fb79ae6a3a1f774aed6bcb08f28ec01d6f0461318b94b7b9288ec1d87d40bd2f09f9b168c88471710db9993def9a9456b9dcbf46ada5a71b7c53613754b |
C:\Users\Admin\AppData\Local\Temp\_MEI32042\_cffi_backend.cp310-win_amd64.pyd
| MD5 | 6f1b90884343f717c5dc14f94ef5acea |
| SHA1 | cca1a4dcf7a32bf698e75d58c5f130fb3572e423 |
| SHA256 | 2093e7e4f5359b38f0819bdef8314fda332a1427f22e09afc416e1edd5910fe1 |
| SHA512 | e2c673b75162d3432bab497bad3f5f15a9571910d25f1dffb655755c74457ac78e5311bd5b38d29a91aec4d3ef883ae5c062b9a3255b5800145eb997863a7d73 |
C:\Users\Admin\AppData\Local\Temp\_MEI32042\unicodedata.pyd
| MD5 | 102bbbb1f33ce7c007aac08fe0a1a97e |
| SHA1 | 9a8601bea3e7d4c2fa6394611611cda4fc76e219 |
| SHA256 | 2cf6c5dea30bb0584991b2065c052c22d258b6e15384447dcea193fdcac5f758 |
| SHA512 | a07731f314e73f7a9ea73576a89ccb8a0e55e53f9b5b82f53121b97b1814d905b17a2da9bd2eda9f9354fc3f15e3dea7a613d7c9bc98c36bba653743b24dfc32 |
C:\Users\Admin\AppData\Local\Temp\_MEI32042\MSVCP140.dll
| MD5 | bf78c15068d6671693dfcdfa5770d705 |
| SHA1 | 4418c03c3161706a4349dfe3f97278e7a5d8962a |
| SHA256 | a88b8c1c8f27bf90fe960e0e8bd56984ad48167071af92d96ec1051f89f827fb |
| SHA512 | 5b6b0ab4e82cc979eaa619d387c6995198fd19aa0c455bef44bd37a765685575d57448b3b4accd70d3bd20a6cd408b1f518eda0f6dae5aa106f225bee8291372 |
C:\Users\Admin\AppData\Local\Temp\_MEI32042\VCRUNTIME140_1.dll
| MD5 | fcda37abd3d9e9d8170cd1cd15bf9d3f |
| SHA1 | b23ff3e9aa2287b9c1249a008c0ae06dc8b6fdf2 |
| SHA256 | 0579d460ea1f7e8a815fa55a8821a5ff489c8097f051765e9beaf25d8d0f27d6 |
| SHA512 | de8be61499aaa1504dde8c19666844550c2ea7ef774ecbe26900834b252887da31d4cf4fb51338b16b6a4416de733e519ebf8c375eb03eb425232a6349da2257 |
C:\Users\Admin\AppData\Local\Temp\_MEI32042\_brotli.cp310-win_amd64.pyd
| MD5 | 6d44fd95c62c6415999ebc01af40574b |
| SHA1 | a5aee5e107d883d1490257c9702913c12b49b22a |
| SHA256 | 58bacb135729a70102356c2d110651f1735bf40a602858941e13bdeabfacab4a |
| SHA512 | 59b6c07079f979ad4a27ec394eab3fdd2d2d15d106544246fe38f4eb1c9e12672f11d4a8efb5a2a508690ce2677edfac85eb793e2f6a5f8781b258c421119ff3 |
C:\Users\Admin\AppData\Local\Temp\_MEI32042\libcrypto-1_1.dll
| MD5 | ab01c808bed8164133e5279595437d3d |
| SHA1 | 0f512756a8db22576ec2e20cf0cafec7786fb12b |
| SHA256 | 9c0a0a11629cced6a064932e95a0158ee936739d75a56338702fed97cb0bad55 |
| SHA512 | 4043cda02f6950abdc47413cfd8a0ba5c462f16bcd4f339f9f5a690823f4d0916478cab5cae81a3d5b03a8a196e17a716b06afee3f92dec3102e3bbc674774f2 |
C:\Users\Admin\AppData\Local\Temp\_MEI32042\_ssl.pyd
| MD5 | 35f66ad429cd636bcad858238c596828 |
| SHA1 | ad4534a266f77a9cdce7b97818531ce20364cb65 |
| SHA256 | 58b772b53bfe898513c0eb264ae4fa47ed3d8f256bc8f70202356d20f9ecb6dc |
| SHA512 | 1cca8e6c3a21a8b05cc7518bd62c4e3f57937910f2a310e00f13f60f6a94728ef2004a2f4a3d133755139c3a45b252e6db76987b6b78bc8269a21ad5890356ad |
C:\Users\Admin\AppData\Local\Temp\_MEI32042\select.pyd
| MD5 | adc412384b7e1254d11e62e451def8e9 |
| SHA1 | 04e6dff4a65234406b9bc9d9f2dcfe8e30481829 |
| SHA256 | 68b80009ab656ffe811d680585fac3d4f9c1b45f29d48c67ea2b3580ec4d86a1 |
| SHA512 | f250f1236882668b2686bd42e1c334c60da7abec3a208ebebdee84a74d7c4c6b1bc79eed7241bc7012e4ef70a6651a32aa00e32a83f402475b479633581e0b07 |
C:\Users\Admin\AppData\Local\Temp\_MEI32042\_socket.pyd
| MD5 | e137df498c120d6ac64ea1281bcab600 |
| SHA1 | b515e09868e9023d43991a05c113b2b662183cfe |
| SHA256 | 8046bf64e463d5aa38d13525891156131cf997c2e6cdf47527bc352f00f5c90a |
| SHA512 | cc2772d282b81873aa7c5cba5939d232cceb6be0908b211edb18c25a17cbdb5072f102c0d6b7bc9b6b2f1f787b56ab1bc9be731bb9e98885c17e26a09c2beb90 |
C:\Users\Admin\AppData\Local\Temp\_MEI32042\pywin32_system32\pythoncom310.dll
| MD5 | e3b435bc314f27638f5a729e3f3bb257 |
| SHA1 | fd400fc8951ea9812864455aef4b91b42ba4e145 |
| SHA256 | 568982769735d04d7cc4bdd5c7b2b85ec0880230b36267ce14114639307b7bca |
| SHA512 | c94baffbec5cadf98e97e84ba2561269ee6ad60a47cc8661f7c544a5179f9e260fbec1c41548379587b3807670b0face9e640e1d6bca621e78ef93e0bb43efcc |
C:\Users\Admin\AppData\Local\Temp\_MEI32042\win32api.pyd
| MD5 | 931c91f4f25841115e284b08954c2ad9 |
| SHA1 | 973ea53c89fee686930396eb58d9ff5464b4c892 |
| SHA256 | 7ab0d714e44093649551623b93cc2aea4b30915adcb114bc1b75c548c3135b59 |
| SHA512 | 4a048a7a0949d853ac7568eb4ad4bba8d7165ec4191ce8bc67b0954080364278908001dbce0f4d39a84a1c2295f12d22a7311893f6b2e985c3ad96bd421aa3b8 |
C:\Users\Admin\AppData\Local\Temp\_MEI32042\_bz2.pyd
| MD5 | a4b636201605067b676cc43784ae5570 |
| SHA1 | e9f49d0fc75f25743d04ce23c496eb5f89e72a9a |
| SHA256 | f178e29921c04fb68cc08b1e5d1181e5df8ce1de38a968778e27990f4a69973c |
| SHA512 | 02096bc36c7a9ecfa1712fe738b5ef8b78c6964e0e363136166657c153727b870a6a44c1e1ec9b81289d1aa0af9c85f1a37b95b667103edc2d3916280b6a9488 |
C:\Users\Admin\AppData\Local\Temp\_MEI32042\pywin32_system32\pywintypes310.dll
| MD5 | a44f3026baf0b288d7538c7277ddaf41 |
| SHA1 | c23fbdd6a1b0dc69753a00108dce99d7ec7f5ee3 |
| SHA256 | 2984df073a029acf46bcaed4aa868c509c5129555ed70cac0fe2235abdba6e6d |
| SHA512 | 9699a2629f9f8c74a7d078ae10c9ffe5f30b29c4a2c92d3fcd2096dc2edceb71c59fd84e9448bb0c2fb970e2f4ade8b3c233ebf673c47d83ae40d12a2317ca98 |
C:\Users\Admin\AppData\Local\Temp\_MEI32042\_ctypes.pyd
| MD5 | 87596db63925dbfe4d5f0f36394d7ab0 |
| SHA1 | ad1dd48bbc078fe0a2354c28cb33f92a7e64907e |
| SHA256 | 92d7954d9099762d81c1ae2836c11b6ba58c1883fde8eeefe387cc93f2f6afb4 |
| SHA512 | e6d63e6fe1c3bd79f1e39cb09b6f56589f0ee80fd4f4638002fe026752bfa65457982adbef13150fa2f36e68771262d9378971023e07a75d710026ed37e83d7b |
memory/4232-158-0x0000000000400000-0x000000000041F000-memory.dmp
memory/2416-157-0x0000000000400000-0x000000000041F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI32042\base_library.zip
| MD5 | 7dcd85d0a47b83595a7a3e619d6ced9c |
| SHA1 | d5aa0d0df85ff5e6e1aecb9bcfa6912c87912f4b |
| SHA256 | 3102319bc708e22941ba9c55ce38c3a2c26de0138fd63aa64b06c7f0b0120515 |
| SHA512 | e9a8f8483feb4a987f92a6e10a5c256fa8800a44ccd78b93ed7295c130566ba0356c2be139aac3c5ef7861d6378848454700882760b655153b8b81d90b9fb22c |
memory/2124-205-0x000002363C720000-0x000002363C721000-memory.dmp
memory/2124-207-0x000002363C720000-0x000002363C721000-memory.dmp
memory/2124-206-0x000002363C720000-0x000002363C721000-memory.dmp
memory/2124-217-0x000002363C720000-0x000002363C721000-memory.dmp
memory/2124-216-0x000002363C720000-0x000002363C721000-memory.dmp
memory/2124-215-0x000002363C720000-0x000002363C721000-memory.dmp
memory/2124-214-0x000002363C720000-0x000002363C721000-memory.dmp
memory/2124-213-0x000002363C720000-0x000002363C721000-memory.dmp
memory/2124-212-0x000002363C720000-0x000002363C721000-memory.dmp
memory/2124-211-0x000002363C720000-0x000002363C721000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 612a6c4247ef652299b376221c984213 |
| SHA1 | d306f3b16bde39708aa862aee372345feb559750 |
| SHA256 | 9d8e24c91cff338e56b518a533cb2e49a2803356bbf6e04892fb168a7ce2844a |
| SHA512 | 34a14d63abb1e3fe0f9927a94393043d458fe0624843e108d290266f554018e6379cba924cb5388735abdd6c5f1e2e318478a673f3f9b762815a758866d10973 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | aa8e358c8654092fac1e8f16f33f5999 |
| SHA1 | 2d4db5629c4acfaa6d9baa45b6375a16d51bed2a |
| SHA256 | 9b05e0d0fd5d5956a4fe5f4a42a0d06eb88ffe71c3d053a8d7ff054c4b2d7e00 |
| SHA512 | 718d834916a8956a23fa8b4147069efaaa54369ac850ce83bb6cd367b3493f2d5a3e5effa55c3a041357014f37e286471f94e9d761480e0561e406b495403f38 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | a518022663485de76e66bb9dd5917bc5 |
| SHA1 | 90285e58fb8f03f4a4a03ba50bdf7334ed674116 |
| SHA256 | 57106f7139521093d5a6e8335d858c77b3f4bc55583698bd92381d1664271f23 |
| SHA512 | e8dbb60ef4950038b7919ed31c66ad70be66894216fe27344a3d03ea9d1a03fd930aa5c0313f5a3b882e6924fa6cdb00ba11c564d8fa236b95c28da0d96fdff3 |