Malware Analysis Report

2024-11-13 15:24

Sample ID: 240619-bfrl7a1ane
Target: GANG-Nuker.zip
SHA256: 502b2bfc63c501480abe0209a1ad8889fba1903571d92da7b57990e2eee8b672
Tags: pyinstaller
Score: 8/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral9, behavioral1, behavioral2, behavioral3, behavioral5, behavioral6, behavioral4, behavioral7, behavioral8, behavioral10, behavioral11 (each with Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 8/10

SHA256: 502b2bfc63c501480abe0209a1ad8889fba1903571d92da7b57990e2eee8b672

Threat Level: Likely malicious

The file GANG-Nuker.zip was found to be: Likely malicious.

Malicious Activity Summary

pyinstaller

Downloads MZ/PE file

Loads dropped DLL

Legitimate hosting services abused for malware hosting/C2

Drops file in Windows directory

Detects Pyinstaller

Unsigned PE

Enumerates physical storage devices

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Enumerates system info in registry

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-19 01:06

Signatures

Detects Pyinstaller (tag: pyinstaller)

| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |

Unsigned PE

| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
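How a static "Detects Pyinstaller" hit is established, as an added example (this is the editor's code, not Triage's detector, and it has not been run against GANG.exe): a PyInstaller one-file executable carries a CArchive appended after the PE image, and the archive ends in an 88-byte cookie that begins with the magic bytes MEI\x0c\x0b\x0a\x0b\x0e. Parsing the cookie yields the archive geometry, the Python version and the Python DLL the bundle was frozen against, which is what an analyst wants before unpacking the bundle. The bundle returned by make_sample_bundle() is constructed for this example and is not data from the sample.

```python
"""Locate and parse the PyInstaller CArchive cookie behind a static "Detects Pyinstaller" hit.

Editor-added example for this report. It is not Triage's detector, has not been run against
GANG.exe, and make_sample_bundle() builds a constructed stand-in rather than data from the sample.
Cookie layout (PyInstaller 2.1 and later): 8-byte magic, big-endian uint32 archive length,
uint32 TOC offset, uint32 TOC length, int32 Python version, 64-byte NUL-padded Python library
name; 88 bytes in total, placed at the very end of the archive.
"""
import struct
import sys
from typing import Optional

PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
COOKIE_FORMAT = "!8sIIii64s"                  # magic, archive_len, toc_off, toc_len, pyver, libname
COOKIE_SIZE = struct.calcsize(COOKIE_FORMAT)  # 88


def _python_version(pyver: int) -> str:
    # Older bootloaders encode 3.7 as 37; since Python 3.10 the field is major*100 + minor (e.g. 311).
    if pyver >= 100:
        return f"{pyver // 100}.{pyver % 100}"
    return f"{pyver // 10}.{pyver % 10}"


def find_pyinstaller_cookie(data: bytes) -> Optional[dict]:
    """Return the parsed cookie if `data` contains a PyInstaller archive, else None.

    In a one-file EXE the archive is appended after the PE image and the cookie is its last
    88 bytes, so the last occurrence of the magic is the one that matters.
    """
    pos = data.rfind(PYINSTALLER_MAGIC)
    if pos < 0 or len(data) - pos < COOKIE_SIZE:
        return None                       # no magic, or too close to EOF to hold a full cookie
    _, archive_len, toc_off, toc_len, pyver, libname = struct.unpack_from(COOKIE_FORMAT, data, pos)
    archive_start = pos + COOKIE_SIZE - archive_len   # the length field counts the cookie itself
    if archive_start < 0 or toc_off + toc_len > archive_len - COOKIE_SIZE:
        return None                       # geometry does not fit: a stray match, not a bundle
    return {
        "cookie_offset": pos,
        "archive_start": archive_start,
        "archive_length": archive_len,
        "toc_offset": archive_start + toc_off,
        "toc_length": toc_len,
        "python_version": _python_version(pyver),
        "python_lib": libname.rstrip(b"\x00").decode("ascii", "replace"),
    }


def make_sample_bundle() -> bytes:
    """Constructed stand-in for a one-file EXE: placeholder PE stub, entry data, TOC, cookie.

    Not derived from the sample; the stub is not a real PE image.
    """
    pe_stub = b"MZ" + b"\x90" * 254              # placeholder for the bootloader PE image
    entries = b"\x00" * 64                       # stands in for the compressed archive entries
    toc = b"TOC-ENTRIES-PLACEHOLDER"             # stands in for the table of contents (23 bytes)
    archive_len = len(entries) + len(toc) + COOKIE_SIZE
    cookie = struct.pack(COOKIE_FORMAT, PYINSTALLER_MAGIC, archive_len, len(entries), len(toc),
                         311, b"python311.dll".ljust(64, b"\x00"))
    return pe_stub + entries + toc + cookie


if __name__ == "__main__":
    # Usage: python pyinstaller_cookie.py <file>   (without an argument it runs on the constructed sample)
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else make_sample_bundle()
    info = find_pyinstaller_cookie(blob)
    print("not a PyInstaller bundle" if info is None else info)
```

The geometry checks matter: the magic string can appear inside an unrelated file (a tool that mentions PyInstaller, an archive of archives), and only a cookie whose archive length and TOC fit inside the buffer is evidence of a real bundle. A hit on GANG.exe would be the signal to extract the archive and recover the frozen .pyc files for source-level review.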

Analysis: behavioral9

Detonation Overview

Submitted: 2024-06-19 01:05
Reported: 2024-06-19 01:09
Platform: win11-20240611-en
Max time kernel: 150s
Max time network: 150s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\GANG-Nuker\utilities\Settings\common.py

Signatures

Enumerates physical storage devices

Modifies registry class

| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |

Suspicious use of SetWindowsHookEx

| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |

Processes

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\GANG-Nuker\utilities\Settings\common.py

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding

This run invoked one of the Python source files shipped inside the archive directly through cmd /c, which only works when a .py file association exists. None did in the sandbox, so Windows raised the OpenWith.exe "How do you want to open this file?" prompt instead. No interpreter process appears, the two signatures above are attributed to OpenWith.exe and cmd.exe rather than to the sample, and nothing from common.py executed in this detonation.

Network

| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-19 01:05
Reported: 2024-06-19 01:09
Platform: win11-20240611-en
Max time kernel: 145s
Max time network: 154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\GANG-Nuker\GANG.exe"

Signatures

Downloads MZ/PE file

No rows are recorded for this signature; the download itself is visible under Processes (curl.exe fetching chromedriver.exe) and under Network (github.com, raw.githubusercontent.com).

Loads dropped DLL

| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GANG-Nuker\GANG.exe | N/A |

51 identical rows, all attributed to GANG.exe with no indicator recorded, so the DLL names cannot be recovered from this report. The volume is consistent with a PyInstaller one-file bundle unpacking its Python runtime and extension modules into a temporary directory and loading them from there.

Legitimate hosting services abused for malware hosting/C2

| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |

The curl command under Processes requests github.com/TT-Tutorials/addons/raw/main/chromedriver.exe; GitHub answers /raw/ paths with a redirect to raw.githubusercontent.com, which curl follows because of -L, hence this indicator.

Drops file in Windows directory

| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Panther\UnattendGC\setuperr.log | C:\Windows\System32\oobe\UserOOBEBroker.exe | N/A |
| File opened for modification | C:\Windows\Panther\UnattendGC\diagerr.xml | C:\Windows\System32\oobe\UserOOBEBroker.exe | N/A |
| File opened for modification | C:\Windows\Panther\UnattendGC\diagwrn.xml | C:\Windows\System32\oobe\UserOOBEBroker.exe | N/A |
| File opened for modification | C:\Windows\Panther\UnattendGC\setupact.log | C:\Windows\System32\oobe\UserOOBEBroker.exe | N/A |

All four are Windows setup log updates by UserOOBEBroker.exe, a Windows component; the report records no write to the Windows directory by GANG.exe or its children.

Enumerates system info in registry

| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |

These BIOS queries come from msedge.exe, not from the sample.

Suspicious use of FindShellTrayWindow

| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |

25 identical rows, all attributed to msedge.exe.

Suspicious use of WriteProcessMemory

Every write below was reported twice in the original table; the duplicates are collapsed.

| Description | Indicator | Process | Target |
| PID 3424 wrote to memory of 2660 | N/A | C:\Users\Admin\AppData\Local\Temp\GANG-Nuker\GANG.exe | C:\Users\Admin\AppData\Local\Temp\GANG-Nuker\GANG.exe |
| PID 2660 wrote to memory of 4924, 392, 4972, 1896, 2344, 2220, 2268, 4584, 2656, 1488, 3240, 2132, 1780, 3704, 1108, 412, 4648, 2380, 2648, 3300, 420, 1504, 3880, 1816, 3516, 4928, 4600, 4604, 2304 and 1624 (30 writes, one per target PID) | N/A | C:\Users\Admin\AppData\Local\Temp\GANG-Nuker\GANG.exe | C:\Windows\system32\cmd.exe |
| PID 1896 wrote to memory of 3172 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\mode.com |

Each write goes from a process into one it has just started: the one-file bootloader (3424) into the copy of GANG.exe it re-launches (2660), 2660 into the cmd.exe children listed under Processes, and cmd.exe 1896 into the mode.com it runs. That is the memory write a parent performs while creating a child, not injection into a process the sample did not create; read this signature as corroboration of the process tree rather than as evidence of code injection.

Processes

C:\Users\Admin\AppData\Local\Temp\GANG-Nuker\GANG.exe
"C:\Users\Admin\AppData\Local\Temp\GANG-Nuker\GANG.exe"
(2 instances: PyInstaller's one-file bootloader unpacks the bundle and then re-launches itself as a child to run the frozen Python program)

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c title PRESS ENTER

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mode 120, 30

C:\Windows\system32\mode.com
mode 120, 30

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
(46 consecutive instances)

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mode 120,30

C:\Windows\system32\mode.com
mode 120,30

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c if not exist "./chromedriver.exe" echo [+] Downloading Drivers:

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c if not exist "./chromedriver.exe" curl -#fkLo "./chromedriver.exe" "https://github.com/TT-Tutorials/addons/raw/main/chromedriver.exe"

C:\Windows\system32\curl.exe
curl -#fkLo "./chromedriver.exe" "https://github.com/TT-Tutorials/addons/raw/main/chromedriver.exe"

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
(3 consecutive instances)

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc54fe3cb8,0x7ffc54fe3cc8,0x7ffc54fe3cd8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1876,12364492183423589033,10675651932024915173,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1888 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1876,12364492183423589033,10675651932024915173,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1876,12364492183423589033,10675651932024915173,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2536 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,12364492183423589033,10675651932024915173,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,12364492183423589033,10675651932024915173,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
(2 instances)

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,12364492183423589033,10675651932024915173,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4032 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,12364492183423589033,10675651932024915173,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4896 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1876,12364492183423589033,10675651932024915173,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5192 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1876,12364492183423589033,10675651932024915173,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1804 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,12364492183423589033,10675651932024915173,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,12364492183423589033,10675651932024915173,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,12364492183423589033,10675651932024915173,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5736 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,12364492183423589033,10675651932024915173,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4932 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,12364492183423589033,10675651932024915173,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1876,12364492183423589033,10675651932024915173,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5720 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,12364492183423589033,10675651932024915173,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5932 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,12364492183423589033,10675651932024915173,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5904 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,12364492183423589033,10675651932024915173,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6460 /prefetch:1

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding

The ver, title, mode and cls children are console cosmetics from a text-mode program and carry no risk by themselves. The operative step is the curl.exe line: -# draws a progress bar, -f fails silently on HTTP errors, -k disables TLS certificate verification, -L follows redirects and -o writes the response body to ./chromedriver.exe in the current directory. The binary is therefore pulled from a third-party GitHub repository (TT-Tutorials/addons) over a connection whose server identity is not checked, and only when no chromedriver.exe already exists next to the tool. This is the activity behind the "Downloads MZ/PE file" and "Legitimate hosting services abused" signatures; no chromedriver.exe process appears within the 145 s run. The msedge.exe tree that follows is a full Edge session (--profile-directory=Default) with its usual helper processes, and the remaining entries (svchost NPSMSvc, CompPkgSrv.exe, UserOOBEBroker.exe, FileCoAuth.exe) are Windows and OneDrive components.
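Detection logic for the pattern above, as an added example (the editor's code, not Triage's signature logic): the lines that matter in a process list like this one are the ones where a built-in downloader writes a file to disk, and curl's bundled short flags (-#fkLo) have to be expanded character by character to see that -k is present and that -o names an executable. The sample command lines are copied from the process list above; the helper names, the code-hosting domain list and the severity labels are this example's own assumptions.

```python
"""Flag command lines in which curl writes a download to disk, and grade what was fetched.

Editor-added example for this report, not Triage's signature logic. The sample command lines
are copied from the behavioral1 process list above; helper names, the hosting-domain list and
the severity labels are this example's own assumptions.
"""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

EXECUTABLE_SUFFIXES = (".exe", ".dll", ".scr", ".com", ".msi", ".bat", ".cmd", ".ps1")
# Public code-hosting domains that double as payload hosts (this example's own list).
CODE_HOSTING_DOMAINS = {"github.com", "raw.githubusercontent.com", "objects.githubusercontent.com"}
# cmd.exe-style tokeniser: a double-quoted string is one token, anything else splits on whitespace.
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')
LONG_TO_SHORT = {"--output": "-o", "--insecure": "-k", "--remote-name": "-O"}  # long spellings handled


@dataclass
class Finding:
    url: str
    output_path: str
    tls_verification_disabled: bool   # -k / --insecure seen

    @property
    def host(self) -> str:
        return (urlparse(self.url).hostname or "").lower()

    @property
    def writes_executable(self) -> bool:
        return self.output_path.lower().endswith(EXECUTABLE_SUFFIXES)

    @property
    def hosted_on_code_platform(self) -> bool:
        return self.host in CODE_HOSTING_DOMAINS

    @property
    def severity(self) -> str:
        # Example's own scale: with -k an on-path attacker can swap the binary and curl will not notice.
        if self.writes_executable and self.tls_verification_disabled:
            return "high"
        return "medium" if self.writes_executable else "low"


def parse_curl(tokens: List[str], start: int) -> Optional[Finding]:
    """Walk curl's arguments after the program name; bundles such as -#fkLo are expanded per character."""
    url = output = None
    insecure = remote_name = False
    i = start
    while i < len(tokens):
        tok = LONG_TO_SHORT.get(tokens[i], tokens[i])
        if tok.lower().startswith(("http://", "https://", "ftp://")):
            url = tok
        elif tok.startswith("-") and not tok.startswith("--") and len(tok) > 1:
            # k and O are flags; o takes the rest of the token (-ofile) or, if last, the next token.
            for j, ch in enumerate(tok[1:], start=1):
                if ch == "k":
                    insecure = True
                elif ch == "O":
                    remote_name = True
                elif ch == "o":
                    rest = tok[j + 1:]
                    if rest:
                        output = rest
                    elif i + 1 < len(tokens):
                        output = tokens[i + 1]
                        i += 1
                    break
        i += 1
    if url is None:
        return None
    if output is None and remote_name:
        output = url.rsplit("/", 1)[-1]          # -O names the file after the URL's last segment
    if output is None:
        return None                              # body goes to stdout; nothing lands on disk
    return Finding(url, output, insecure)


def scan_command_lines(command_lines: List[str]) -> List[Finding]:
    """Return one Finding per command line that runs curl with an on-disk output."""
    findings: List[Finding] = []
    for command in command_lines:
        tokens = [quoted or bare for quoted, bare in TOKEN_RE.findall(command) if quoted or bare]
        for idx, tok in enumerate(tokens):
            if re.split(r"[\\/]", tok)[-1].lower() in ("curl", "curl.exe"):
                finding = parse_curl(tokens, idx + 1)
                if finding is not None:
                    findings.append(finding)
                break
    return findings


# Constructed input: command lines copied from the behavioral1 process list above.
SAMPLE_COMMAND_LINES = [
    r'C:\Windows\system32\cmd.exe /c "ver"',
    r'C:\Windows\system32\cmd.exe /c cls',
    r'C:\Windows\system32\cmd.exe /c if not exist "./chromedriver.exe" echo [+] Downloading Drivers:',
    r'C:\Windows\system32\cmd.exe /c if not exist "./chromedriver.exe" curl -#fkLo "./chromedriver.exe" '
    r'"https://github.com/TT-Tutorials/addons/raw/main/chromedriver.exe"',
    r'curl -#fkLo "./chromedriver.exe" "https://github.com/TT-Tutorials/addons/raw/main/chromedriver.exe"',
]
```

Run on the sample list it produces two findings, one for the cmd.exe /c wrapper and one for the curl.exe child, both graded "high" because an .exe is written with certificate checks disabled from github.com. The wrapper and the child describe the same download, so a real pipeline would deduplicate on URL and output path; keeping both here shows that the detector does not depend on which process in the chain is logged.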

Network

Repeated identical rows are collapsed; Count gives the number of occurrences in the original list.

| Country | Destination | Domain | Proto | Count |
| US | 8.8.8.8:53 | github.com | udp | 1 |
| GB | 20.26.156.215:443 | github.com | tcp | 2 |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp | 1 |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp | 1 |
| N/A | 127.0.0.1:51916 | N/A | tcp | 1 |
| N/A | 127.0.0.1:51919 | N/A | tcp | 1 |
| N/A | 127.0.0.1:51924 | N/A | tcp | 1 |
| US | 8.8.8.8:53 | 100.58.20.217.in-addr.arpa | udp | 1 |
| N/A | 224.0.0.251:5353 | N/A | udp | 1 |
| BE | 88.221.83.187:443 | www.bing.com | tcp | 1 |
| GB | 128.116.119.4:80 | metrics.roblox.com | tcp | 2 |
| GB | 128.116.119.4:443 | metrics.roblox.com | tcp | 1 |
| US | 8.8.8.8:53 | js.rbxcdn.com | udp | 1 |
| BE | 23.14.90.82:443 | css.rbxcdn.com | tcp | 7 |
| BE | 23.14.90.81:443 | apis.rbxcdn.com | tcp | 1 |
| NL | 2.18.121.28:443 | js.rbxcdn.com | tcp | 6 |
| GB | 128.116.119.4:443 | locale.roblox.com | udp | 4 |
| FR | 128.116.122.3:443 | roblox.com | tcp | 1 |
| FR | 18.155.129.16:443 | roblox-api.arkoselabs.com | tcp | 1 |
| GB | 128.116.119.4:443 | locale.roblox.com | tcp | 2 |
| US | 8.8.8.8:53 | 28.121.18.2.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 3.122.116.128.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 16.129.155.18.in-addr.arpa | udp | 1 |
| BE | 23.14.90.88:443 | apis.rbxcdn.com | tcp | 1 |
| BE | 23.14.90.89:443 | images.rbxcdn.com | tcp | 6 |
| US | 13.107.246.64:443 | devtools.azureedge.net | tcp | 1 |
| N/A | 127.0.0.1:9229 | N/A | tcp | 2 |
| GB | 88.221.135.27:443 | N/A | tcp | 1 |
| US | 104.208.16.90:443 | browser.pipe.aria.microsoft.com | tcp | 1 |
| BE | 2.17.107.105:443 | r.bing.com | tcp | 6 |

The GitHub connections correspond to the curl request: github.com:443 for the original URL and raw.githubusercontent.com:443 for the redirect target that actually serves chromedriver.exe. The Bing and browser.pipe.aria.microsoft.com connections are Edge's own, and the roblox.com, rbxcdn.com and roblox-api.arkoselabs.com connections show the Edge session reaching Roblox's site (Arkose Labs supplies Roblox's CAPTCHA challenge), which fits a tool that downloads chromedriver to automate a browser against Roblox. The loopback connections and the mDNS query to 224.0.0.251:5353 carry no external indicator. The in-addr.arpa lookups are the sandbox's reverse resolution of the contacted addresses, not sample activity.
BE 2.17.107.105:443 r.bing.com tcp
BE 2.17.107.105:443 r.bing.com tcp
BE 2.17.107.105:443 r.bing.com tcp
BE 2.17.107.105:443 r.bing.com tcp
BE 2.17.107.105:443 r.bing.com tcp
BE 2.17.107.105:443 r.bing.com tcp
BE 2.17.107.105:443 r.bing.com tcp
US 13.107.246.254:443 t-ring-s.msedge.net tcp
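The table above mixes the sample's own connections with traffic the Windows 11/Edge image generates by itself (bing.com, msedge.net, browser.pipe.aria.microsoft.com) and with the reverse (in-addr.arpa) lookups the sandbox issues for addresses it has seen. The Python below is an added example, not part of this report or of the sandbox that produced it: it parses rows in the table's own layout and buckets them so that only the connections the image cannot explain on its own are left for review. The baseline suffix list is an assumption that should be rebuilt from a clean run of your own image, and the sample rows are a constructed excerpt of the table.

```python
"""Triage a sandbox report's flattened network table.

Rows have the shape "<country> <ip>:<port> [<domain>] <proto>"; the domain
column is absent when the sandbox could not attribute the flow to a name.
"""
import ipaddress
from collections import defaultdict

# Constructed excerpt of the table above, in the page's own row format.
SAMPLE_ROWS = """\
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
N/A 127.0.0.1:51916 tcp
N/A 224.0.0.251:5353 udp
BE 88.221.83.187:443 www.bing.com tcp
GB 128.116.119.4:80 metrics.roblox.com tcp
BE 2.17.107.105:443 r.bing.com tcp
BE 2.17.107.105:443 r.bing.com tcp
US 13.107.246.254:443 t-ring-s.msedge.net tcp
GB 88.221.135.27:443 tcp
"""

# Assumption: names the detonation image (Windows 11 + Edge) contacts on its own.
# Build this from a clean run of your own image, not from this report.
BASELINE_SUFFIXES = ("bing.com", "msedge.net", "microsoft.com", "azureedge.net", "msn.com")


def parse_row(line):
    """Split one table row into fields; 'domain' is None when the column is missing."""
    parts = line.split()
    if len(parts) == 4:
        country, dest, domain, proto = parts
    elif len(parts) == 3:
        country, dest, proto = parts
        domain = None
    else:
        raise ValueError(f"unexpected row: {line!r}")
    ip, _, port = dest.rpartition(":")
    return {"country": country, "ip": ip, "port": int(port), "domain": domain, "proto": proto}


def is_local(ip):
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or addr.is_multicast or addr.is_private or addr.is_link_local


def is_baseline(domain):
    return any(domain == s or domain.endswith("." + s) for s in BASELINE_SUFFIXES)


def triage(table_text):
    """Bucket unique (domain, ip, port, proto) tuples; a reviewer reads only 'review'."""
    buckets = defaultdict(set)
    for line in table_text.splitlines():
        if not line.strip():
            continue
        r = parse_row(line)
        key = (r["domain"], r["ip"], r["port"], r["proto"])
        if is_local(r["ip"]):
            buckets["local"].add(key)        # loopback / mDNS, no external peer
        elif r["domain"] and r["domain"].endswith(".in-addr.arpa"):
            buckets["ptr"].add(key)          # sandbox reverse lookups of IPs it observed
        elif r["domain"] is None:
            buckets["unresolved"].add(key)   # bare IP, resolve or pivot on it separately
        elif is_baseline(r["domain"]):
            buckets["baseline"].add(key)     # image background traffic
        else:
            buckets["review"].add(key)
    return {name: sorted(keys, key=str) for name, keys in buckets.items()}


def review_domains(table_text):
    """Distinct names left after the noise buckets are removed."""
    return sorted({key[0] for key in triage(table_text).get("review", [])})


if __name__ == "__main__":
    for name, keys in triage(SAMPLE_ROWS).items():
        print(f"{name}: {len(keys)}")
    print("review:", review_domains(SAMPLE_ROWS))
```

Run over the full table, the rows left in review are the github.com and raw.githubusercontent.com fetches and the roblox.com, rbxcdn.com and arkoselabs.com traffic; the loopback ports, the mDNS row and the 8.8.8.8 PTR queries drop out. Treat the buckets as a reading aid, not a verdict: the script only says which flows the image cannot explain by itself.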

Files

C:\Users\Admin\AppData\Local\Temp\_MEI34242\pytz\zoneinfo\Africa\Djibouti

MD5 86dcc322e421bc8bdd14925e9d61cd6c
SHA1 289d1fb5a419107bc1d23a84a9e06ad3f9ee8403
SHA256 c89b2e253a8926a6cecf7eff34e4bfcdb7fe24daff22d84718c30deec0ea4968
SHA512 d32771be8629fb3186723c8971f06c3803d31389438b29bf6baa958b3f9db9a38971019583ba272c7a8f5eb4a633dfc467bfcb6f76faa8e290bad4fd7366bb2b

C:\Users\Admin\AppData\Local\Temp\_MEI34242\pytz\zoneinfo\Africa\Conakry

MD5 09a9397080948b96d97819d636775e33
SHA1 5cc9b028b5bd2222200e20091a18868ea62c4f18
SHA256 d2efac4e5f23d88c95d72c1db42807170f52f43dd98a205af5a92a91b9f2d997
SHA512 2eccf2515599ed261e96da3fbcfbab0b6a2dfc86a1d87e3814091709f0bfe2f600c3044c8555ed027978a8ae9045666ee639a8c249f48d665d8e5c60f0597799

C:\Users\Admin\AppData\Local\Temp\_MEI34242\pytz\zoneinfo\Africa\Kigali

MD5 b77fb20b4917d76b65c3450a7117023c
SHA1 b99f3115100292d9884a22ed9aef9a9c43b31ccd
SHA256 93f19e9551d58868ae5820752d2c93a486124c364463dc9c9489d0458f8bc682
SHA512 a088c2a4c7d72717257c3125c7c2aca28463d68306ea452afaad75b8a0f9e5730a8d9c430d14668809717a672dc63c4816762acb046b339da662da421a6d65df

C:\Users\Admin\AppData\Local\Temp\_MEI34242\pytz\zoneinfo\Africa\Lagos

MD5 8244c4cc8508425b6612fa24df71e603
SHA1 30ba925b4670235915dddfa1dd824dd9d7295eac
SHA256 cffeb0282ccbd7fba0e493ff8677a1e5a6dd5197885042e437f95a773f844846
SHA512 560c7581dcb2c800eae779005e41406beaf15d24efc763304e3111b9bb6074fe0ba59c48b5a2c5511245551b94418bbc35934d9bd46313fcc6e383323056668c

C:\Users\Admin\AppData\Local\Temp\_MEI34242\pytz\zoneinfo\America\Curacao

MD5 adf95d436701b9774205f9315ec6e4a4
SHA1 fcf8be5296496a5dd3a7a97ed331b0bb5c861450
SHA256 8491e557ff801a8306516b8ca5946ff5f2e6821af31477eb47d7d191cc5a6497
SHA512 f8fceff3c346224d693315af1ab12433eb046415200abaa6cdd65fd0ad40673fdddf67b83563d351e4aa520565881a4226fb37d578d3ba88a135e596ebb9b348

C:\Users\Admin\AppData\Local\Temp\_MEI34242\pytz\zoneinfo\Etc\Greenwich

MD5 9cd2aef183c064f630dfcf6018551374
SHA1 2a8483df5c2809f1dfe0c595102c474874338379
SHA256 6d9f378883c079f86c0387a5547a92c449869d806e07de10084ab04f0249018d
SHA512 dafa0cb9d0a8e0ff75a19be499751ad85372aafa856ff06dd68ecf2b1c5578bb98a040becaecf0aed2c3e4ff7372ff200fe7614334756d19fe79dd61c01d4e92

C:\Users\Admin\AppData\Local\Temp\_MEI34242\pytz\zoneinfo\Europe\London

MD5 a40006ee580ef0a4b6a7b925fee2e11f
SHA1 1beba7108ea93c7111dabc9d7f4e4bfdea383992
SHA256 c85495070dca42687df6a1c3ee780a27cbcb82f1844750ea6f642833a44d29b4
SHA512 316ecacc34136294ce11dcb6d0f292570ad0515f799fd59fbff5e7121799860b1347d802b6439a291f029573a3715e043009e2c1d5275f38957be9e04f92e62e

C:\Users\Admin\AppData\Local\Temp\_MEI34242\pytz\zoneinfo\Europe\Oslo

MD5 7db6c3e5031eaf69e6d1e5583ab2e870
SHA1 918341ad71f9d3acd28997326e42d5b00fba41e0
SHA256 5ee475f71a0fc1a32faeb849f8c39c6e7aa66d6d41ec742b97b3a7436b3b0701
SHA512 688eaa6d3001192addaa49d4e15f57aa59f3dd9dc511c063aa2687f36ffd28ffef01d937547926be6477bba8352a8006e8295ee77690be935f76d977c3ea12fe

C:\Users\Admin\AppData\Local\Temp\_MEI34242\pytz\zoneinfo\Europe\Skopje

MD5 6213fc0a706f93af6ff6a831fecbc095
SHA1 961a2223fd1573ab344930109fbd905336175c5f
SHA256 3a95adb06156044fd2fa662841c0268c2b5af47c1b19000d9d299563d387093a
SHA512 8149de3fd09f8e0f5a388f546ffe8823bdcda662d3e285b5cebc92738f0c6548ccb6ed2a5d086fd738cb3edc8e9e1f81c5e2e48edb0571e7ea7f131675b99327

C:\Users\Admin\AppData\Local\Temp\_MEI34242\pytz\zoneinfo\PRC

MD5 09dd479d2f22832ce98c27c4db7ab97c
SHA1 79360e38e040eaa15b6e880296c1d1531f537b6f
SHA256 64ffc2e43a94435a043c040d1d3af7e92d031adc78e7737af1861baa4eeef3e6
SHA512 f88ae25f3f04c7d5d5f98aafecc03cc7e4e56f1cd4c8deba6afd043f0fb7fe67b4d50e4df5493e77c6b34ba183e019442e736a13f784ba8c2847c06fd74ff200

C:\Users\Admin\AppData\Local\Temp\_MEI34242\pytz\zoneinfo\Pacific\Wallis

MD5 ed097511ad5bd6a55ab50bdb4f8e2e84
SHA1 cb335dbaaa6de98cf1f54d4a9e665c21e2cd4088
SHA256 bd3e94c56eca786a6d761f34163f404804c698bc7c59a8badf494c2f89b083cd
SHA512 d67cfc7b067b2c51db96e3cbeafa1367606907a5a59271a66643fe049fe81c34cbbaa5647147c4958ec28c9a926e44e632b0e20d54703c1569cf4a593e12c087

C:\Users\Admin\AppData\Local\Temp\_MEI34242\pytz\zoneinfo\Pacific\Yap

MD5 4f050684532a74c1021f00ed1705305c
SHA1 65f9954328a5fda173ff0ce420428d024a7d32c3
SHA256 7a2fd78e68910cb87e454f78bafcfd0822084451f5af45fb58bfac07ee8317ad
SHA512 fdd735b45927456db652e261705c610fe2b346eca9ce1b97878883559474212247ce342a6b922da19646204181966f39662d375ce0d6a23a65766eb954c80801

C:\Users\Admin\AppData\Local\Temp\_MEI34242\pytz\zoneinfo\UCT

MD5 38bb24ba4d742dd6f50c1cba29cd966a
SHA1 d0b8991654116e9395714102c41d858c1454b3bd
SHA256 8b85846791ab2c8a5463c83a5be3c043e2570d7448434d41398969ed47e3e6f2
SHA512 194867d0cf66c2de4969dbfeb58c775964ecb2132acdc1b000b5ef0998cefde4a2979ffc04ec8b7dcb430e43326a79d9cedb28ecea184345aa7d742eaf9234ac

C:\Users\Admin\AppData\Local\Temp\_MEI34242\python310.dll

MD5 342ba224fe440b585db4e9d2fc9f86cd
SHA1 bfa3d380231166f7c2603ca89a984a5cad9752ab
SHA256 cdb8158dcf4f10517bd73e1334fc354fd98180d4455f29e3df2b0aa699fa2432
SHA512 daa990ff3770a39b778f672f2596ab4050bff9b16bb2222e5712327df82d18f39ac5100e3b592a5db9e88302e6e94c06881fbf61431e7670ff287f7f222254c1

C:\Users\Admin\AppData\Local\Temp\_MEI34242\base_library.zip

MD5 fd42ecbf9802fe6b598b16c9b5df86e1
SHA1 0fbdb97e5352b36d462dc7b480b88b3d3bc618db
SHA256 9f17d7fe304a31ef17edd42b56852336aaa9fa1ac00cfc3baeb404b4df1f4c68
SHA512 2bbc8b3793190f350cd9bf55a6ded05c990a3776a74ebec1ac49dfb9f04e77276622cd92f8ad1471f3fd204962521828a30ddff7b6fecbd56050ab8a586e4dd8

C:\Users\Admin\AppData\Local\Temp\_MEI34242\VCRUNTIME140.dll

MD5 f12681a472b9dd04a812e16096514974
SHA1 6fd102eb3e0b0e6eef08118d71f28702d1a9067c
SHA256 d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8
SHA512 7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

C:\Users\Admin\AppData\Local\Temp\_MEI34242\_ctypes.pyd

MD5 9872a3aeee09cf796a1190b610cf0a54
SHA1 9d9eaba3946f4ea8b26e952586c01b9bd8395693
SHA256 147b080ceb8dfd6df865570addba3864659adef4b85a20b750f3ca6735c4bf1b
SHA512 b49503e5db34c0a6f5dbf9aee215c55f4c5d82cb0906e37a78252d13d9c3ce9673ebda026be3b801d6c1d1d4a070ad2a9fab5c9051c9586651ad363a0b469c3f

C:\Users\Admin\AppData\Local\Temp\_MEI34242\python3.DLL

MD5 4d9aacd447860f04a8f29472860a8362
SHA1 b0e8f5640c7b01c5eb3671d725c450bad9d4ca62
SHA256 82fc45243160de816b82c1c0412437bd677f0d1e53088416555a6e9e889734e9
SHA512 98726cb9a1d1ca0e60b7433090bbdd55411893551280883a120ca733e49d07be4012ee6ed43148a33d16635d726cd4a1214f4371b059d31ccd685aa2af7db2dd

C:\Users\Admin\AppData\Local\Temp\_MEI34242\libffi-7.dll

MD5 eef7981412be8ea459064d3090f4b3aa
SHA1 c60da4830ce27afc234b3c3014c583f7f0a5a925
SHA256 f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081
SHA512 dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

C:\Users\Admin\AppData\Local\Temp\_MEI34242\_socket.pyd

MD5 f73b9863071fb3088c08605f76b8e909
SHA1 e74bc96f45e1e0c283a93dc1a07e497cf724ff55
SHA256 8efdbacf67c223f47b608e57222cf80dd12cee163945847f6cfa9ea6c26ada36
SHA512 cc414add8e017c805d3d822b94781ef6a1c4260f959cb3c9825eabe35522af7c9f47796e4eea4b77d176c29030141dd92fd8119a7ed6b60248144e55b9da1c5c

C:\Users\Admin\AppData\Local\Temp\_MEI34242\select.pyd

MD5 fcacfa9c2694118ccc3cd6956949ce15
SHA1 e01aa8957f39133a4c77bbb03d1c3af5a5d9649b
SHA256 2bfa63b823c54d6b3c55dc17e446129fc02ca930d247abadbc7680f0f71d03a6
SHA512 57ca335b941059d5fe65e2cecf95bd59c02515d1f15da212cc845c77f673cc749ee77eb4381787a4b357cec8a722c37c991789d6ee872d5130b32d78c10468d3

C:\Users\Admin\AppData\Local\Temp\_MEI34242\pywin32_system32\pywintypes310.dll

MD5 bd1ee0e25a364323faa252eee25081b5
SHA1 7dea28e7588142d395f6b8d61c8b46104ff9f090
SHA256 55969e688ad11361b22a5cfee339645f243c3505d2963f0917ac05c91c2d6814
SHA512 d9456b7b45151614c6587cee54d17261a849e7950049c78f2948d93a9c7446b682e553e2d8d094c91926dd9cbaa2499b1687a9128aec38b969e95e43657c7a54

C:\Users\Admin\AppData\Local\Temp\_MEI34242\_bz2.pyd

MD5 183f1289e094220fbb2841918798598f
SHA1 e85072e38ab8ed17c13dd4c65dcf20ef8182672b
SHA256 164f1bf42630b589b50c8f0c6e55aaa8d817e439a00882be036fff3cbe8e6ded
SHA512 a0a5536709b0701c10b91ab1c670de80163689bd95168ea5dc5ebc11b20d84da4c639495779d0317659d6b1ce037daf34764f78759b3f0d785e33b52fa94ffad

C:\Users\Admin\AppData\Local\Temp\_MEI34242\_lzma.pyd

MD5 fd4c7582bee16436bb3f790e1273eb22
SHA1 6d6850b03c5238fff6b53cb85f94eff965fa8992
SHA256 8aa5cd82d775ea718d3ddd270f0b28985d8711ef937447ee2168318200f0eb80
SHA512 c508bea6e1eed5b71b3e78d0817c6fce27152f6bc539fea94c7923183339c1559655b74808ef0403dbc458e037342de97c3b01e06e7b7f56ce152267f8db8a80

C:\Users\Admin\AppData\Local\Temp\_MEI34242\pyexpat.pyd

MD5 3a283295d506a8c86ab643ce2c743223
SHA1 e45de5dea739cc089da1d9449d8f8a9bfd0aadde
SHA256 1f8c0a490e6d0b9c16a58abb01398b4642fba73797b714df5a5418051248422b
SHA512 c56b853cd856b7d7a5da5444f41aedfc5a9fef9865194006a0073f90f162d50b22eeb953d1f8aa2a5395188636451016f9332126fc9d2399800da4ab7d80c6fc

C:\Users\Admin\AppData\Local\Temp\_MEI34242\_queue.pyd

MD5 1ac1d8599977b0731665ba01e946f481
SHA1 a90181902acd3262920f1e7f11d030cd086d57c7
SHA256 c6d4f9c54efe7536bba4f9a2a4e7da46c5af74771ea2fa881287c61db9676986
SHA512 473b7fba46339eaad4c1680491c2d533f005fc5ddef2104f3d3600145c0368a79757068b9b78017cf9700c7167f23b77beb84ee522472234c32d0c5287dd80d1

C:\Users\Admin\AppData\Local\Temp\_MEI34242\libcrypto-1_1.dll

MD5 6f4b8eb45a965372156086201207c81f
SHA1 8278f9539463f0a45009287f0516098cb7a15406
SHA256 976ce72efd0a8aeeb6e21ad441aa9138434314ea07f777432205947cdb149541
SHA512 2c5c54842aba9c82fb9e7594ae9e264ac3cbdc2cc1cd22263e9d77479b93636799d0f28235ac79937070e40b04a097c3ea3b7e0cd4376a95ed8ca90245b7891f

C:\Users\Admin\AppData\Local\Temp\_MEI34242\_ssl.pyd

MD5 955b117ae363945352c6ba5a18163736
SHA1 0b85d366b38120157e65f5a19551c42569b1a6f5
SHA256 09fdf00110acfa4c3239de64d7955a625195625745559432a13e97c9d0e01368
SHA512 02f3e1a25f92b2b86e3883bb6ae2f1bfbffd6695bcb56e301bc157d38f205565e58b598f382220778da0ccf3e90f7ee9fd1e44e64cb387a7a5c00df00aafe57b

C:\Users\Admin\AppData\Local\Temp\_MEI34242\libssl-1_1.dll

MD5 8769adafca3a6fc6ef26f01fd31afa84
SHA1 38baef74bdd2e941ccd321f91bfd49dacc6a3cb6
SHA256 2aebb73530d21a2273692a5a3d57235b770daf1c35f60c74e01754a5dac05071
SHA512 fac22f1a2ffbfb4789bdeed476c8daf42547d40efe3e11b41fadbc4445bb7ca77675a31b5337df55fdeb4d2739e0fb2cbcac2feabfd4cd48201f8ae50a9bd90b

C:\Users\Admin\AppData\Local\Temp\_MEI34242\VCRUNTIME140_1.dll

MD5 75e78e4bf561031d39f86143753400ff
SHA1 324c2a99e39f8992459495182677e91656a05206
SHA256 1758085a61527b427c4380f0c976d29a8bee889f2ac480c356a3f166433bf70e
SHA512 ce4daf46bce44a89d21308c63e2de8b757a23be2630360209c4a25eb13f1f66a04fbb0a124761a33bbf34496f2f2a02b8df159b4b62f1b6241e1dbfb0e5d9756

C:\Users\Admin\AppData\Local\Temp\_MEI34242\msvcp140.dll

MD5 9ff712c25312821b8aec84c4f8782a34
SHA1 1a7a250d92a59c3af72a9573cffec2fcfa525f33
SHA256 517cd3aac2177a357cca6032f07ad7360ee8ca212a02dd6e1301bf6cfade2094
SHA512 5a65da337e64ea42bcc461b411ae622ce4dec1036638b1e5de4757b366875d7f13c1290f2ee345f358994f648c5941db35aa5d2313f547605508fd2bcc047e33

C:\Users\Admin\AppData\Local\Temp\_MEI34242\_brotli.cp310-win_amd64.pyd

MD5 6d44fd95c62c6415999ebc01af40574b
SHA1 a5aee5e107d883d1490257c9702913c12b49b22a
SHA256 58bacb135729a70102356c2d110651f1735bf40a602858941e13bdeabfacab4a
SHA512 59b6c07079f979ad4a27ec394eab3fdd2d2d15d106544246fe38f4eb1c9e12672f11d4a8efb5a2a508690ce2677edfac85eb793e2f6a5f8781b258c421119ff3

C:\Users\Admin\AppData\Local\Temp\_MEI34242\_hashlib.pyd

MD5 f883652e056ff4882e1bc900d382edab
SHA1 34f5d93eea4defe48135bf7000cce8cfa9e53eeb
SHA256 583f6d20998e45ff94400efaeecc4e17204449a0cc7ba68a20d1e8d13617f27b
SHA512 4df74da9feea4e06149b22d08d249b7207c7b7ab0d44a8a9ddaa7810718b28ee56c0ee8429154c28525b6f9379357293b8dece10491c32fb72d1c8c82dbde89d

C:\Users\Admin\AppData\Local\Temp\_MEI34242\unicodedata.pyd

MD5 1218db005c9c809ab151e3fc15f4c41e
SHA1 e53cd5c9a4e39ed30e871aea0aef67294cbf4130
SHA256 a84f488f2ae2a74268da36bd8c3fe7b6e8d2b9b89a3c99f5173a827a8ddca2f4
SHA512 28c9c031b881b6c585e5fdda006f8c7c257c55ad15651dda6412e26f52d0e6acfaa58547da7e04b5a52c0f9962e94e5d7e48679733e0495b335cb6a37851758f

C:\Users\Admin\AppData\Local\Temp\_MEI34242\_elementtree.pyd

MD5 8b889978e9cf98745fa561fceab0bddc
SHA1 5c10ebf6fe9ab131e0c0a2bbd0b38ef3ada839d5
SHA256 a775ac6121472cef0505629f99fe17e46334fd453def61162d3deba679e58baf
SHA512 afe3cc75b0c861b961dc7127780d0df0794c7af93c1716a9ce6ad828a0b7e7106240bfad0a02bc81b9663bc0f05c1e97183d1b326cd3ba446a44ab0696b2c6cd

C:\Users\Admin\AppData\Local\Temp\_MEI34242\lxml\etree.cp310-win_amd64.pyd

MD5 da566fba4cc4371446fbd2a210b14d91
SHA1 f6b1718cad1249182c495b540adf5f1cfa2418aa
SHA256 5be41a4d5d0b2991408a4e987703c8c666b7f1d50797f0149dbfba02dc2e43c6
SHA512 b661133fba0509d70f625e9dddb908732d3a326411f68b20c7cafd86d33093d312a95eee750b57693cb349781d2dd4176be76ee4d715920d3d6d292ae51779f7

C:\Users\Admin\AppData\Local\Temp\_MEI34242\lxml\_elementpath.cp310-win_amd64.pyd

MD5 3c211c05c085c100fc3fae1e7d983abc
SHA1 fdf9ffac4af54541eedbe46b9f733b513be03157
SHA256 13ce41b1370dfa90be90691b1fcbab186172d90573a6aaf73e4068d9a17b95bf
SHA512 2e196fb09e6608e9e81e224a0c2ff903870170fb31ed67e76805ba1badf288dcb85aeacf5241016df1e9c9682fed5ead7cb42586735b912653219c2540ac814e

C:\Users\Admin\AppData\Local\Temp\_MEI34242\_asyncio.pyd

MD5 b988a4de700d7016b472534990fb91c7
SHA1 d53a24f4bc5cc26a1ff04292e0935b0e2aefad61
SHA256 91d9bf73b360ba801ba595e90dbff182ef9c682331e2d39d210999a63d4bde54
SHA512 bea0c0caf2d8b58aa8d066f9e475938a94320e027656d48114e988c96955d7eaad73442290fdc0ff4034484cda53a8a2a38075b667305750af3eb4ecb4c83904

C:\Users\Admin\AppData\Local\Temp\_MEI34242\_overlapped.pyd

MD5 f6d69dac927d18c3596f490bbb642b8e
SHA1 c40db435db3e1aeb2c3cb03635f74a92be54657d
SHA256 b4c2156119bee84c5d153415d9fe802825a7179877b8943dc00c38a5c985eb7d
SHA512 30ec35604d957ba5961590a91b88f6cb209a1d09ad43c5f24195617ff9002fd6a3f359676e4844c5793348ea9be9611d759a4fc92e8b46752e357398f8fb09e4

C:\Users\Admin\AppData\Local\Temp\_MEI34242\_tkinter.pyd

MD5 dea4e7b79d307cda01a7cc983bce35ce
SHA1 b2497b7b209bf63e868538a37e9a398e8ba13d7c
SHA256 072ca785120b78644549e6da6ab742003d81f098831c9f969a51dbe50e5213d3
SHA512 f625ae5bbad6a8c29c2959d2096fbf322816a51dbe0809cc471d35fd93e9cd97259709890766a1e1109f90a029ec6ef3d521d705b09b78025822927f66307908

C:\Users\Admin\AppData\Local\Temp\_MEI34242\tk86t.dll

MD5 4b6270a72579b38c1cc83f240fb08360
SHA1 1a161a014f57fe8aa2fadaab7bc4f9faaac368de
SHA256 cd2f60075064dfc2e65c88b239a970cb4bd07cb3eec7cc26fb1bf978d4356b08
SHA512 0c81434d8c205892bba8a4c93ff8fc011fb8cfb72cfec172cf69093651b86fd9837050bd0636315840290b28af83e557f2205a03e5c344239356874fce0c72b9

C:\Users\Admin\AppData\Local\Temp\_MEI34242\tcl86t.dll

MD5 75909678c6a79ca2ca780a1ceb00232e
SHA1 39ddbeb1c288335abe910a5011d7034345425f7d
SHA256 fbfd065f861ec0a90dd513bc209c56bbc23c54d2839964a0ec2df95848af7860
SHA512 91689413826d3b2e13fc7f579a71b676547bc4c06d2bb100b4168def12ab09b65359d1612b31a15d21cb55147bbab4934e6711351a0440c1533fb94fe53313bf

C:\Users\Admin\AppData\Local\Temp\_MEI34242\tcl\encoding\cp1252.enc

MD5 e9117326c06fee02c478027cb625c7d8
SHA1 2ed4092d573289925a5b71625cf43cc82b901daf
SHA256 741859cf238c3a63bbb20ec6ed51e46451372bb221cfff438297d261d0561c2e
SHA512 d0a39bc41adc32f2f20b1a0ebad33bf48dfa6ed5cc1d8f92700cdd431db6c794c09d9f08bb5709b394acf54116c3a1e060e2abcc6b503e1501f8364d3eebcd52

C:\Users\Admin\AppData\Local\Temp\_MEI34242\PIL\_imaging.cp310-win_amd64.pyd

MD5 6f9f5e464f798717f3269ddc1a8f7134
SHA1 f54f230966e957fb4fd5804b377821fcc4495fe4
SHA256 3c53bbc597b1ee75d172353cc0eca706665d0666472fb62c8d1937f8a1508ba8
SHA512 c000c43fe11d4174389ad2f2661e881fbf84d710c0b7fe9595a88a726b86fe1f855fe810ef29ff246d4a97213740da0b09e27abd844388b57ebe0e554e9917ab

C:\Users\Admin\AppData\Local\Temp\_MEI34242\numpy\core\_multiarray_umath.cp310-win_amd64.pyd

MD5 022e1786b4fed90c93d635b4fafcc4c4
SHA1 4d2b2358c622867fe8ebc18128c397199d0a1764
SHA256 818ddab49cfc16ae34e57a524f408f5e45040cb08cbec184d7f9de70e99c3bc5
SHA512 aca462d5cb891e1628988f2e84c104b66817d6c1d7ef99748314be1665eac36ae46a7e71c3765646907fd203179aa4cb35db3f79bf364543f60856bd3f5c8d31

C:\Users\Admin\AppData\Local\Temp\_MEI34242\libopenblas.FB5AE2TYXYH2IJRDKGDGQ3XBKLKTF43H.gfortran-win_amd64.dll

MD5 0f103ac8dcd431d1506021cf89c97cfb
SHA1 15ea221479493782fbb3ef222fc6d906defb54fd
SHA256 ae22eb4ba9fa95ae3c05395e5449e192191253b3f17639393463f887c4e5105b
SHA512 c52d42eebb30d8217b052791bcca6295c2386e65a6a33431a43eac67d44027dce30ad2037bae06598d0be85d971444e4270aba32456146a3a24a14a782e5f99b

memory/2660-2169-0x0000000070200000-0x0000000072088000-memory.dmp

memory/2660-2170-0x000002CFD68D0000-0x000002CFDAC98000-memory.dmp

memory/2660-2175-0x000002CFD68D0000-0x000002CFDAC98000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 5c4605aed5013f25a162a5054965829c
SHA1 4cec67cbc5ec1139df172dbc7a51fe38943360cf
SHA256 5c16c584cda1f348a7030e9cab6e9db9e8e47a283dd19879f8bb6d75e170827f
SHA512 bf2a5602fde0de143f9df334249fef2e36af7abeda389376a20d7613e9ccad59f2ca0447576ac1ed60ecf6ab1526c37e68c4614d79ae15c53e1774d325b4036f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 3066a8b5ee69aa68f709bdfbb468b242
SHA1 a591d71a96bf512bd2cfe17233f368e48790a401
SHA256 76f6f3fcef4b1d989542e7c742ff73810c24158ac4e086cbd54f13b430cc4434
SHA512 ad4d30c7be9466a797943230cb9f2ca98f76bf0f907728a0fa5526de1ed23cd5cf81b130ee402f7b3bb5de1e303b049d2867d98cf2039b5d8cb177d7a410b257

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 1cf59575f2a2dafa3eb7c132693dfa91
SHA1 e44ff225519e191bcbac7181a9f0ab81cce39577
SHA256 bbfa853bb2e845e3926014324dd6821ea0cbf0bcba3e967731434ad37dc3b31a
SHA512 486e1437bfa145d2ac038ca0d044533b0c80b40b44f3bf947c797a39134ecbe715ae0400d21f55273ed1bcffdff9b6ddc40f8025fd27018c6eef9ec2642eab49

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 8a5d2bc05271b3ccf46e9b261b78831b
SHA1 e8fad97228e9f9f1cc72a288f14367287c0024c5
SHA256 a35ba2ee4f8c9d719cad3121302edf6422df27aaee3cfbe085c3493234f56af7
SHA512 a9ce63ecd55b75ca55922607306ac1d372db3134eed2c078fc066ec117493b5bf27cc514fc46460ce4c222edddc49185cd01bcd34162d7742a5267b3990ee70f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 c775a405b9886ac3e687ecfd59620d90
SHA1 8faf59cc7337a53caa0cb83d15159e2a6c6228d8
SHA256 83bab6e8ce31f509d4e5852e9c46e247f7490287d59a872b51478793222e5f66
SHA512 8fd8b6db0a344e47ef61842dc5fb49a30a9431128c60af912fbf45f66441ad2a1e9bdd9cf354cb0727ca7fe5b701aecee5c3a25e432d71de8dede3bb5f9d4d25

memory/2660-2259-0x000002CFD68D0000-0x000002CFDAC98000-memory.dmp

memory/2660-2273-0x0000000070200000-0x0000000072088000-memory.dmp

memory/2660-2274-0x000002CFD68D0000-0x000002CFDAC98000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 fe2b452182da738b2c2a3c6157fca1ae
SHA1 14795c21ecc2b884122318d8f64c0a6cf6d8f7a3
SHA256 e03607736613c620117533da91b11876af4e7680b2bdd06d89656eaa08e796bc
SHA512 9a812f22145c2a314cdc4f7c081dc764eb3aaef24d938ad561f378aa6601f1a840e542084c35c5b74b95b6b5f8d17295834a892be9df8d28fa2a99dd1492367b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 62ef1dd804d5dc59edac8efc8760e08f
SHA1 64a4ca793992ec35f69982d39630821366c68b4c
SHA256 e93697eed962aeaf7628ef6545dd71c50ff5a0b04606ec5c4018f477727b094a
SHA512 eed295036d1e1c2e2d67d6403e1209a8455eb90097adebfdc98cf91a1f9cff1696b23b4779802c665c4c168af5253db917fd1634be6c0bd3028bb2afbbd40fa6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 0c9ef8ea61f62edbbdb92f19c4eca063
SHA1 5be939a4aa8beea7f8e98cea833861af4e4afd1e
SHA256 6079eb71fea36e1ae1cb6057b3efe8ed0886cf14baf9e32ef570a89eff973ff7
SHA512 75723bb5b6376f4baa9be44e7f48f7c1ee4452c85f469eab09b5395940426e5e73ca37db4518b2542e34b4a51b6e9a098f97a72fe892103e389af42573ef74f1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe594973.TMP

MD5 ed41eb952870e5fc06cbec9dac0c87d8
SHA1 3a0b99afd482e16d18a677851c9b5a96478b6d27
SHA256 cdfbfc685c8ca5b583754ff3f7452ee77dc49dbf034c294167e9d1a7f7647e5b
SHA512 5f6f3aea610a99eca227f1f530f0e81585872667d760effcf65db9b54950850b3b93fa625804ee1f37e05721d6dd6f1e8728c9be9e25322dba8c1b5700ab3760

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 8c470aff72ce3da8c9e2626bf3e4ff8d
SHA1 c71de5a05a542957d4cbf70910e6e3238aefb62b
SHA256 f88391ed1f7d9a2e195fcfc5aa30ac646992182da231b7e9c85a7ad925028d0b
SHA512 ed6111ceeba74b2cf60e58e06411fa9a16e68ae3710c4cf268abdef36dc1f83291eb08f9357ee5446de2d53ceeabe41c2750aca9b33b6175efd39df092739be5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 2be1bd071d27048c4b8ddc0893c75621
SHA1 be0db10a4fea719f22fd67168204f3c70283c5fa
SHA256 94445f54e7fdca0c1e0dc67f9b5fb7e0938eb750c589c80909546673314bcacd
SHA512 3c39f6452a687109eaee151de381d0eb26645ddb6e4f941ef6ded2e46ebc90918659ce26fa39b8509fa334189efda8a572a3456b27ff356a01db0823efe40f42

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 adfcf10cb4e41ddfa188e9c61fa968ed
SHA1 ff57e0fe131a7cdc7ab0d190d1f7bb456a654917
SHA256 fead66f8ed676507aff3042c06dda6c73ef2307db9e7200a805d716e2aae19ea
SHA512 73436d5eaba33b471067e0ca69a391a6f38d16ded272c024773bf592d7121e649d18ec8afa44b47f589736533c1036cd960ee2d280eb87b5c3165c63cd60d87c
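Almost everything in the Files list above is either the content of the PyInstaller onefile extraction directory _MEI34242 (a stock CPython 3.10 runtime with its .pyd extensions, the VC++ runtime DLLs, OpenSSL 1.1, Tcl/Tk, pytz zone files, PIL, numpy and lxml) or Edge profile writes, plus the memory/... dump entries, which carry no hashes. Hashing the runtime files as indicators would match every PyInstaller build that ships the same interpreter. The Python below is an added example, not code from the report or its sandbox: it parses records in the list's own layout, validates digest lengths, and separates runtime files, browser-profile writes and memory dumps from anything else that was dropped. The classification rules are my assumptions, and the sample records are a constructed excerpt of the list above.

```python
"""Parse a sandbox report's Files list and separate PyInstaller runtime
files and browser-profile writes from anything else the sample dropped."""
import re
from collections import defaultdict

# Constructed excerpt of the Files list above, in the page's own layout:
# a path line, a blank line, then MD5/SHA1/SHA256/SHA512 lines.
# Memory dump entries have no hash lines.
SAMPLE_FILES = r"""
C:\Users\Admin\AppData\Local\Temp\_MEI34242\python310.dll

MD5 342ba224fe440b585db4e9d2fc9f86cd
SHA1 bfa3d380231166f7c2603ca89a984a5cad9752ab
SHA256 cdb8158dcf4f10517bd73e1334fc354fd98180d4455f29e3df2b0aa699fa2432
SHA512 daa990ff3770a39b778f672f2596ab4050bff9b16bb2222e5712327df82d18f39ac5100e3b592a5db9e88302e6e94c06881fbf61431e7670ff287f7f222254c1

C:\Users\Admin\AppData\Local\Temp\_MEI34242\pytz\zoneinfo\Europe\London

MD5 a40006ee580ef0a4b6a7b925fee2e11f
SHA1 1beba7108ea93c7111dabc9d7f4e4bfdea383992
SHA256 c85495070dca42687df6a1c3ee780a27cbcb82f1844750ea6f642833a44d29b4
SHA512 316ecacc34136294ce11dcb6d0f292570ad0515f799fd59fbff5e7121799860b1347d802b6439a291f029573a3715e043009e2c1d5275f38957be9e04f92e62e

memory/2660-2169-0x0000000070200000-0x0000000072088000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 1cf59575f2a2dafa3eb7c132693dfa91
SHA1 e44ff225519e191bcbac7181a9f0ab81cce39577
SHA256 bbfa853bb2e845e3926014324dd6821ea0cbf0bcba3e967731434ad37dc3b31a
SHA512 486e1437bfa145d2ac038ca0d044533b0c80b40b44f3bf947c797a39134ecbe715ae0400d21f55273ed1bcffdff9b6ddc40f8025fd27018c6eef9ec2642eab49

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 c775a405b9886ac3e687ecfd59620d90
SHA1 8faf59cc7337a53caa0cb83d15159e2a6c6228d8
SHA256 83bab6e8ce31f509d4e5852e9c46e247f7490287d59a872b51478793222e5f66
SHA512 8fd8b6db0a344e47ef61842dc5fb49a30a9431128c60af912fbf45f66441ad2a1e9bdd9cf354cb0727ca7fe5b701aecee5c3a25e432d71de8dede3bb5f9d4d25
"""

HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
MEI_DIR = re.compile(r"\\_MEI\d+\\")            # PyInstaller onefile extraction directory
EDGE_PROFILE = "\\Microsoft\\Edge\\User Data\\"  # browser profile, rewritten by Edge itself


def parse_files(text):
    """Return [{'path': ..., 'hashes': {algo: digest}}]; a digest of the wrong length raises."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HASH_LINE.match(line)
        if m:
            algo, digest = m.groups()
            if len(digest) != HASH_LEN[algo]:
                raise ValueError(f"{algo} digest has wrong length for {records[-1]['path']}")
            records[-1]["hashes"][algo] = digest
        else:
            records.append({"path": line, "hashes": {}})
    return records


def classify(path):
    """Assumed rules: runtime and profile noise versus anything else dropped."""
    if path.startswith("memory/"):
        return "memory_dump"
    if MEI_DIR.search(path):
        return "pyinstaller_runtime"
    if EDGE_PROFILE in path:
        return "browser_profile"
    return "dropped"


def bucket(records):
    out = defaultdict(list)
    for r in records:
        out[classify(r["path"])].append(r)
    return dict(out)


def writes_per_path(records):
    """A path listed several times with different SHA256s was rewritten during the run."""
    seen = defaultdict(set)
    for r in records:
        if "SHA256" in r["hashes"]:
            seen[r["path"]].add(r["hashes"]["SHA256"])
    return {path: len(digests) for path, digests in seen.items()}


if __name__ == "__main__":
    recs = parse_files(SAMPLE_FILES)
    for name, items in bucket(recs).items():
        print(f"{name}: {len(items)}")
    print(writes_per_path(recs))
```

The runtime-bucket hashes are worth checking against a trusted CPython 3.10 and PyInstaller distribution rather than publishing as indicators: a mismatch there (a tampered python310.dll, say) would be a finding, a match is just the interpreter. For this excerpt the dropped bucket is empty, which matches the list above: the onefile bootloader unpacked the runtime, and the archive's own Python code is read from inside the executable rather than written to disk, so it does not appear here.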

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-19 01:05

Reported

2024-06-19 01:09

Platform

win11-20240508-en

Max time kernel

141s

Max time network

161s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\GANG-Nuker\utilities\Plugins\Account_Nuker.py

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\GANG-Nuker\utilities\Plugins\Account_Nuker.py

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-19 01:05

Reported

2024-06-19 01:09

Platform

win11-20240508-en

Max time kernel

142s

Max time network

153s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\GANG-Nuker\utilities\Plugins\Auto_Login.py

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\GANG-Nuker\utilities\Plugins\Auto_Login.py

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-19 01:05

Reported

2024-06-19 01:09

Platform

win11-20240508-en

Max time kernel

127s

Max time network

140s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\GANG-Nuker\utilities\Plugins\QR_Grabber.py

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\GANG-Nuker\utilities\Plugins\QR_Grabber.py

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-19 01:05

Reported

2024-06-19 01:09

Platform

win11-20240508-en

Max time kernel

87s

Max time network

97s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\GANG-Nuker\utilities\Plugins\Server_Lookup.py

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\GANG-Nuker\utilities\Plugins\Server_Lookup.py

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-19 01:05

Reported

2024-06-19 01:09

Platform

win11-20240508-en

Max time kernel

86s

Max time network

99s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\GANG-Nuker\utilities\Plugins\DM_Deleter.py

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\GANG-Nuker\utilities\Plugins\DM_Deleter.py

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
IE 52.111.236.22:443 tcp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-19 01:05

Reported

2024-06-19 01:09

Platform

win11-20240611-en

Max time kernel

89s

Max time network

98s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\GANG-Nuker\utilities\Plugins\Token_Info.py

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2198854727-3842442895-2838824242-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2198854727-3842442895-2838824242-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\GANG-Nuker\utilities\Plugins\Token_Info.py

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-06-19 01:05

Reported

2024-06-19 01:09

Platform

win11-20240508-en

Max time kernel

114s

Max time network

137s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\GANG-Nuker\utilities\Plugins\ignore\ignore.py

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\GANG-Nuker\utilities\Plugins\ignore\ignore.py

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 52.111.229.48:443 tcp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-06-19 01:05

Reported

2024-06-19 01:09

Platform

win11-20240508-en

Max time kernel

143s

Max time network

151s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\GANG-Nuker\utilities\Settings\libarys.py

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\GANG-Nuker\utilities\Settings\libarys.py

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 52.111.229.19:443 tcp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-06-19 01:05

Reported

2024-06-19 01:09

Platform

win11-20240508-en

Max time kernel

86s

Max time network

93s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\GANG-Nuker\utilities\Settings\update.py

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\GANG-Nuker\utilities\Settings\update.py

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Files

N/A
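Every detonation from behavioral2 through behavioral11 above has the same shape: cmd /c on a .py path, then OpenWith.exe -Embedding, no interpreter process, no files, and at most a PTR lookup or one bare 443 connection with no domain. OpenWith.exe is the Windows "How do you want to open this file?" dialog; it appears because the image has no handler registered for .py, so the plugin scripts were never executed, and these runs say nothing about what Account_Nuker.py, Auto_Login.py, QR_Grabber.py and the rest actually do. The Python below is an added example, not part of the report: it reads process command lines in the layout of the Processes lists above and flags such a run as inconclusive. The extension list, the regexes and the counter-example with python.exe are my assumptions.

```python
"""Flag sandbox runs where 'cmd /c <script>' fell through to OpenWith.exe,
meaning nothing on the image handled the extension and the script never ran."""
import re

# Constructed excerpt of one Processes list above: one command line per process.
SAMPLE_RUN = [
    r"cmd /c C:\Users\Admin\AppData\Local\Temp\GANG-Nuker\utilities\Plugins\Account_Nuker.py",
    r"C:\Windows\system32\OpenWith.exe -Embedding",
]

# Constructed counter-example (not from the report): the same launch on an
# image where an interpreter is registered for .py.
SAMPLE_RUN_WITH_PYTHON = [
    r"cmd /c C:\Users\Admin\AppData\Local\Temp\GANG-Nuker\utilities\Plugins\Account_Nuker.py",
    r"C:\Python310\python.exe C:\Users\Admin\AppData\Local\Temp\GANG-Nuker\utilities\Plugins\Account_Nuker.py",
]

# Assumption: extensions that only run through a registered handler, never by cmd itself.
SCRIPT_EXTS = (".py", ".pyw", ".pyc")
CMD_C = re.compile(r'^(?:"?[^"\s]*\\)?cmd(?:\.exe)?"?\s+/c\s+"?(?P<target>[^"]+?)"?\s*$', re.IGNORECASE)
INTERPRETER = re.compile(r"(?:^|\\)(?:python|pythonw|py)(?:\d[\d.]*)?\.exe\b", re.IGNORECASE)
OPENWITH = re.compile(r"(?:^|\\)openwith\.exe\b", re.IGNORECASE)


def script_target(cmdline):
    """Path handed to 'cmd /c' when it is a script that needs a handler, else None."""
    m = CMD_C.match(cmdline.strip())
    if not m:
        return None
    target = m.group("target").strip()
    return target if target.lower().endswith(SCRIPT_EXTS) else None


def assess_run(cmdlines):
    """Decide whether the launched scripts actually ran, from the process list alone."""
    scripts = [t for t in (script_target(c) for c in cmdlines) if t]
    saw_openwith = any(OPENWITH.search(c) for c in cmdlines)
    saw_interpreter = any(INTERPRETER.search(c) for c in cmdlines)
    if not scripts:
        verdict = "no_script_launch"
    elif saw_interpreter:
        verdict = "executed"
    elif saw_openwith:
        verdict = "inconclusive_no_handler"   # Open With dialog shown, script never ran
    else:
        verdict = "unknown"
    return {"scripts": scripts, "verdict": verdict}


if __name__ == "__main__":
    print(assess_run(SAMPLE_RUN)["verdict"])
    print(assess_run(SAMPLE_RUN_WITH_PYTHON)["verdict"])
```

On an analysis VM the same question is answered at a cmd prompt with assoc .py, which prints .py=Python.File when an interpreter is registered and "File association not found for extension .py" otherwise. To get a meaningful result for these plugins, detonate them on an image with CPython installed, or launch them through a wrapper command that names the interpreter explicitly.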