Analysis

  • max time kernel
    1680s
  • max time network
    1685s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19-06-2024 14:20

General

  • Target

    https://cdn.discordapp.com/attachments/1239648177007624202/1242214561080410272/DiscordGiftCodeBruteForcer.exe?ex=6673ea36&is=667298b6&hm=d55c63c88970cfcfd5a735244186b2092697930472b18d830c8f4baa0adfa9d3&

Score
8/10

Malware Config

Signatures

  • Downloads MZ/PE file
  • Executes dropped EXE 8 IoCs
  • Loads dropped DLL 52 IoCs
  • Detects Pyinstaller 1 IoCs
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • NTFS ADS 1 IoCs
  • Opens file in notepad (likely ransom note) 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of FindShellTrayWindow 37 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/1239648177007624202/1242214561080410272/DiscordGiftCodeBruteForcer.exe?ex=6673ea36&is=667298b6&hm=d55c63c88970cfcfd5a735244186b2092697930472b18d830c8f4baa0adfa9d3&
    1⤵
    • Enumerates system info in registry
    • NTFS ADS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1012
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffbf60746f8,0x7ffbf6074708,0x7ffbf6074718
      2⤵
      PID:2116
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,653485151118221077,1373149800118466476,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
      2⤵
      PID:760
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,653485151118221077,1373149800118466476,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:4112
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2072,653485151118221077,1373149800118466476,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2948 /prefetch:8
      2⤵
      PID:5064
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,653485151118221077,1373149800118466476,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
      2⤵
      PID:2008
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,653485151118221077,1373149800118466476,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
      2⤵
      PID:1260
    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,653485151118221077,1373149800118466476,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5396 /prefetch:8
      2⤵
      PID:1484
    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,653485151118221077,1373149800118466476,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5396 /prefetch:8
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:3944
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,653485151118221077,1373149800118466476,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:1
      2⤵
      PID:3696
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,653485151118221077,1373149800118466476,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1
      2⤵
      PID:3156
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2072,653485151118221077,1373149800118466476,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3364 /prefetch:8
      2⤵
      PID:4968
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,653485151118221077,1373149800118466476,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1
      2⤵
      PID:4344
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2072,653485151118221077,1373149800118466476,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6124 /prefetch:8
      2⤵
      PID:1612
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,653485151118221077,1373149800118466476,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:1
      2⤵
      PID:3476
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,653485151118221077,1373149800118466476,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6224 /prefetch:1
      2⤵
      PID:4880
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2072,653485151118221077,1373149800118466476,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4760 /prefetch:8
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:4364
    • C:\Users\Admin\Downloads\DiscordGiftCodeBruteForcer.exe
      "C:\Users\Admin\Downloads\DiscordGiftCodeBruteForcer.exe"
      2⤵
      • Executes dropped EXE
      PID:5024
      • C:\Users\Admin\Downloads\DiscordGiftCodeBruteForcer.exe
        "C:\Users\Admin\Downloads\DiscordGiftCodeBruteForcer.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of AdjustPrivilegeToken
        PID:5324
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c pause
          4⤵
          PID:5464
    • C:\Users\Admin\Downloads\DiscordGiftCodeBruteForcer.exe
      "C:\Users\Admin\Downloads\DiscordGiftCodeBruteForcer.exe"
      2⤵
      • Executes dropped EXE
      PID:5656
      • C:\Users\Admin\Downloads\DiscordGiftCodeBruteForcer.exe
        "C:\Users\Admin\Downloads\DiscordGiftCodeBruteForcer.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of AdjustPrivilegeToken
        PID:5812
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c pause
          4⤵
          PID:5908
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,653485151118221077,1373149800118466476,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1748 /prefetch:2
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:6068
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,653485151118221077,1373149800118466476,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4724 /prefetch:1
      2⤵
      PID:5584
    • C:\Users\Admin\Downloads\DiscordGiftCodeBruteForcer.exe
      "C:\Users\Admin\Downloads\DiscordGiftCodeBruteForcer.exe"
      2⤵
      • Executes dropped EXE
      PID:5772
      • C:\Users\Admin\Downloads\DiscordGiftCodeBruteForcer.exe
        "C:\Users\Admin\Downloads\DiscordGiftCodeBruteForcer.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of AdjustPrivilegeToken
        PID:5700
    • C:\Users\Admin\Downloads\DiscordGiftCodeBruteForcer.exe
      "C:\Users\Admin\Downloads\DiscordGiftCodeBruteForcer.exe"
      2⤵
      • Executes dropped EXE
      PID:640
      • C:\Users\Admin\Downloads\DiscordGiftCodeBruteForcer.exe
        "C:\Users\Admin\Downloads\DiscordGiftCodeBruteForcer.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of AdjustPrivilegeToken
        PID:2772
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:2772
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:3228
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:5432
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k SDRSVC
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4456
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\proxies.txt
    1⤵
    • Opens file in notepad (likely ransom note)
    PID:5864
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\hits.txt
    1⤵
    • Opens file in notepad (likely ransom note)
    PID:1744

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\139be4aa-8477-402e-8b16-cc8975559901.tmp
    Filesize: 11KB
    MD5: 32ad7669f64df152349e05fc84414cbc
    SHA1: f6f8057ca66abd2ea23b282d8bd6b25328152810
    SHA256: 306aade45b64b6f6480a960b9b18dcd6da2388431ffc6b00d59d5351d10d04df
    SHA512: d06b02428b66bca3449db232a789f95d55ff970819f3d42860b0afcd911221c8f5304e94fbd9381a2408e6f4bcbde74e73f138d084e101b3cea2555f2396f4e8

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
    Filesize: 152B
    MD5: db9081c34e133c32d02f593df88f047a
    SHA1: a0da007c14fd0591091924edc44bee90456700c6
    SHA256: c9cd202ebb55fe8dd3e5563948bab458e947d7ba33bc0f38c6b37ce5d0bd7c3e
    SHA512: 12f9809958b024571891fae646208a76f3823ae333716a5cec303e15c38281db042b7acf95bc6523b6328ac9c8644794d39a0e03d9db196f156a6ee1fb4f2744

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
    Filesize: 152B
    MD5: 3a09f853479af373691d131247040276
    SHA1: 1b6f098e04da87e9cf2d3284943ec2144f36ac04
    SHA256: a358de2c0eba30c70a56022c44a3775aa99ffa819cd7f42f7c45ac358b5e739f
    SHA512: 341cf0f363621ee02525cd398ae0d462319c6a80e05fd25d9aca44234c42a3071b51991d4cf102ac9d89561a1567cbe76dfeaad786a304bec33821ca77080016

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
    Filesize: 186B
    MD5: 094ab275342c45551894b7940ae9ad0d
    SHA1: 2e7ce26fe2eb9be641ae929d0c9cc0dfa26c018e
    SHA256: ef1739b833a1048ee1bd55dcbac5b1397396faca1ad771f4d6c2fe58899495a3
    SHA512: 19d0c688dc1121569247111e45de732b2ab86c71aecdde34b157cfd1b25c53473ed3ade49a97f8cb2ddc4711be78fa26c9330887094e031e9a71bb5c29080b0d

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize: 6KB
    MD5: d0b7db5fe61ee106820eca8d0f6a2b11
    SHA1: 925a4943fd69e0f828fd2e0497e5ac6166d6ac39
    SHA256: f5c69bd686db1f681cf153b3df95a820d8a5cfe29508537ba7fe6a6b75df8042
    SHA512: c953b9a714fdb1d392d3440699fa60f274b2deaeb32520f04db2b9f147e934e3d5bbf2c5758f034778bd152d208c835fa78757f2662874a41d8eece5cb889c6d

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize: 6KB
    MD5: 28a8e9abaca2a3b29ededabfad6267b3
    SHA1: 510ee7e30b51b32f345bee03dcd85e4b806fafe4
    SHA256: 1b15959a8f1c84c928d8ba262af5a738ba1c4250573d7ac9c1ddc369279744a8
    SHA512: bee4760118b483e09cfa9d0acf0f2fc19016af2aca8c60b4d3cdf59b4c60c3b184c2ca632e5021b742f6589e4c3d4f2aaba0572fad2b4a978b9ecc82a546d83b

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
    Filesize: 16B
    MD5: 6752a1d65b201c13b62ea44016eb221f
    SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
    SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
    SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
    Filesize: 11KB
    MD5: 7e44a97d1e4d061cc91d3a5e14917d32
    SHA1: 63d1af472dd64302685abf744e324fd336f92a1b
    SHA256: cfb9837f5a6336fc78a83079176338a29b758f322598beb067c0dc5a4b0bb3de
    SHA512: eb96805d186f3bd47b47451929bd2f3728bfe49ce43ef9617cbd20903c53058cb0f0b87b398e394bdddf7a83d5ffc137c9504f35417e4c340b53f601ff6e94fd

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
    Filesize: 12KB
    MD5: a0d6f2d0c7949487619ead737e11b0ad
    SHA1: 59daa32611af3d234082e30a9e1bda50dfd44b4b
    SHA256: 7cbeb327ee267c994672b280dfed0868680177e49f8f29a1b6f26f061abfc856
    SHA512: 316205a4c011e9f6265698397bab0d8b80754d5bf2291611beb2f9b7ccea76b307e85890596371c1e635618581666c0c9ef8fef41a1b695a64cdd85d42d5ad73

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
    Filesize: 11KB
    MD5: 4698c5cbd02778ad9af9896ce3c7c33e
    SHA1: 2449a68bf739eba59b55082cfe1955ba75d7483a
    SHA256: 8b9b5a2adba8ed29fc16cbd826ed38d3ea709a1700a6c11e56aa67c477a15126
    SHA512: d4e81cf3351e3d2fd7efef3a793078c8900bb0e9ff10803d669918b5848194675b4fc18fa47cc9c3ebb778605029855b876624d2621edf3592f43190b30db8c1

  • C:\Users\Admin\AppData\Local\Temp\_MEI50242\DiscordGiftCodeBruteForcer.exe.manifest
    Filesize: 1KB
    MD5: b4f99cb5db04feee991937c3d0561de2
    SHA1: 55e5e7982a4f3a4596a132001bee409e5f42a4b2
    SHA256: 0ce2b4dec822694d469c40d331829083ab1f9203e09db329cda2de7c01a68469
    SHA512: b80e5b317ff54269d61eb43dd45e645f1271f49f58b9347e32edc5f0905f5eba84818fdb3648127b5e650f46e5b97fd287cc11337a2b0d7dde5feeab4fc0748c

  • C:\Users\Admin\AppData\Local\Temp\_MEI50242\VCRUNTIME140.dll
    Filesize: 85KB
    MD5: edf9d5c18111d82cf10ec99f6afa6b47
    SHA1: d247f5b9d4d3061e3d421e0e623595aa40d9493c
    SHA256: d89c7b863fc1ac3a179d45d5fe1b9fd35fb6fbd45171ca68d0d68ab1c1ad04fb
    SHA512: bf017aa8275c5b6d064984a606c5d40852aa70047759468395fe520f7f68b5452befc3145efaa7c51f8ec3bf71d9e32dbd5633637f040d58ff9a4b6953bf1cbf

  • C:\Users\Admin\AppData\Local\Temp\_MEI50242\_bz2.pyd
    Filesize: 92KB
    MD5: 6e22d22c5edb0327d58a62a16d2633e8
    SHA1: 8564b7bed2e1b4f256dd96d26e7415d778285c54
    SHA256: 319b0a8417f2d95a96b23ef6746ac02865059072214a1b3b9e3ef8c4096e38b7
    SHA512: 1efbf211c3af3e6a2eab9e1799f82138d1dc6518044a49fbf9e296bab92c4c4b69948d8834e7c68422bf4982abcda8fddb2de9cdc50bb66b90e0a58a1bc2519e

  • C:\Users\Admin\AppData\Local\Temp\_MEI50242\_cffi_backend.cp36-win_amd64.pyd
    Filesize: 167KB
    MD5: 67906bd5a2a22579d94e60d671b978ac
    SHA1: 03d8833f41d5d6ab5c7846ce04cbf93eff17e751
    SHA256: 7c6c476147e5c48645aab10afd4474a153b37d9ca243f456f84e9ef215b490c0
    SHA512: 47242101219573a0470bac9fa35765be89ffedfe4ba0fc3cbe13ee6fcc231e6a92c7ab7204ec82fe9ac25e9325b361bbe4df9a0f58ce6d0b2641ffe3684f774e

  • C:\Users\Admin\AppData\Local\Temp\_MEI50242\_ctypes.pyd
    Filesize: 128KB
    MD5: f5d2650f9226d17671ca10c453b0fb9b
    SHA1: e47e33a740e65ac29e7f779128967fe25be19869
    SHA256: 9e79b96f69cd2fb0da753359699431e922d6f3d68a073b7e86b7d57dce221617
    SHA512: d90c6ff9cda0a9e25c8512ac62db044e63730591de334f14422b7ec543882675bcc51092992f44304c55fd5a7433d75426fb21845ee061b7053f7bfc3317a073

  • C:\Users\Admin\AppData\Local\Temp\_MEI50242\_hashlib.pyd
    Filesize: 1.6MB
    MD5: 571f6da010e273428c3b20cd98e4f3f2
    SHA1: 8b7df1c7f150c44a32c38c9497d9b0d86576d17d
    SHA256: b3937480942b42b591453826fe5600e4af08a60c56e5c960ee91c05e3c10a770
    SHA512: c4b30709a4ada16df89f4b4e6504b38f7d8de1da6bd64f4728bdc4627f447eca311e82c1fe826c39001fe799259975ac2e41b05847681cc37a2346d78080e88e

  • C:\Users\Admin\AppData\Local\Temp\_MEI50242\_lzma.pyd
    Filesize: 248KB
    MD5: 083b382d8f5b11ba384965349787a661
    SHA1: b1f16395d9eadb0921530edee7dcf279ff6db3a2
    SHA256: 792c63be95ffa45d699403399ff0bbae87fbf1699103978cf7f2e93e9f91784a
    SHA512: 2df67d680fa529c85636d164b0a401fb3ae0afbec8a263c6db71f68050aea033d2a4ca1cb1f3eb003b06497a9b4d6de8f9400c4cd3bec6308718b4db8e5a1fad

  • C:\Users\Admin\AppData\Local\Temp\_MEI50242\_socket.pyd
    Filesize: 72KB
    MD5: 066722e8118f2b864b92826eea77d6c9
    SHA1: f9da490850ff04882863ca20f745e7f1f8e3ba39
    SHA256: 573854cd21c2514c138a167aec4d4334c6e1658c37ca779d8b907f596f127c24
    SHA512: 3719644b243cdfd4fe568e1d1f6494a2db8de963da2075e47d86102e4ecc180256e030bc39abe5ba120990d6b04151655200d7d21cb42ccf891e7f72a2f8d9c0

  • C:\Users\Admin\AppData\Local\Temp\_MEI50242\_ssl.pyd
    Filesize: 2.0MB
    MD5: 1f20676f86cafd39263fb36e77175833
    SHA1: 757dad47b44b270d51f32f619f0362a7e5fe3b51
    SHA256: 7f7b7f4ed7eefd2cd2db15a5c36042bcb95f76af8c29d834d49d36b12a4beb60
    SHA512: e30373c5924e9c8ec8f418bf871251fbdc34cabcf7a33aa0b5f721f7923f4144e0febf9a9b3c83684f2899dd7fe7dae077bfc44bf96db53d083845d2ca20d970

                                        • C:\Users\Admin\AppData\Local\Temp\_MEI50242\base_library.zip

                                          Filesize

                                          752KB

                                          MD5

                                          45c2980781a10d22d5212d9a942311a0

                                          SHA1

                                          7d4121369cf859ea4394ebefea4a888fc8264b27

                                          SHA256

                                          bf61051bb15c99f8bedb99b107a870e7caf0848452868a633e8b3812dc1ad390

                                          SHA512

                                          808e35766f605439eaa1944dbbafddcbe707b93cc824b480c2719b3aff52bb2abd445b10f944a79641cc847bc6182a3d9188d2c18c9feb898979924b60375fe4

                                        • C:\Users\Admin\AppData\Local\Temp\_MEI50242\cryptography\hazmat\bindings\_constant_time.cp36-win_amd64.pyd

                                          Filesize

                                          12KB

                                          MD5

                                          eaaebf3d22e1dd483d6e8b7009f0fb13

                                          SHA1

                                          b4c1ed0bdd683e03849312822c626489ca0d3ccc

                                          SHA256

                                          97f9f16a2b799288c51a698620ebd39a5a4d65509bc3a12784f80763623c822b

                                          SHA512

                                          247dd56112cc5789a5a391d037b81c128adec27618d53902a040efdc68869fccf31440ba0b7e69b0c305e82880fd630aae2c895dc0afe5425e48ac51972bea46

                                        • C:\Users\Admin\AppData\Local\Temp\_MEI50242\cryptography\hazmat\bindings\_openssl.cp36-win_amd64.pyd

                                          Filesize

                                          2.9MB

                                          MD5

                                          6ed5a5101b7e4c0ec64786f1506915c7

                                          SHA1

                                          c9df61f2d46d8cb4be237c5092fc6cdfe950853d

                                          SHA256

                                          1e89f6a6925e97a91cf3c1b3e4721cc1289fe145824ade042acfce94e5f3f1ec

                                          SHA512

                                          6f9deeb2639da24272a9218ba6b4ced6f8dd8234b5fa68c1eec34225e7f3138239fa1406af3bc97dd5b8470aa0d45b569fcf1a352a4ffa291254d5b0b1213a75

                                        • C:\Users\Admin\AppData\Local\Temp\_MEI50242\python36.dll

                                          Filesize

                                          3.4MB

                                          MD5

                                          5ad92cd8ea4f899ad63d2cb442099737

                                          SHA1

                                          7889e4ff08389053e3d434742df023ebd2767cf1

                                          SHA256

                                          5d76cd4d993b02c8cb8bba34d03ad9be1698e26b3cdb51a4c13a637558b4a68c

                                          SHA512

                                          aa90b57c066a6b15276b7a1842a168d7ce471b08c71756a1a9fafba3e1c2ecfd007d8ce996ac611e2822ee614029a975ff5ad3126b9fad2ce321fbced563dbbb

                                        • C:\Users\Admin\AppData\Local\Temp\_MEI50242\select.pyd

                                          Filesize

                                          26KB

                                          MD5

                                          b35525165a7d2d4340a583de73719571

                                          SHA1

                                          b5ae07d461e91ccbc2ecbd3ce74c90f6d3757f3c

                                          SHA256

                                          f407806704d6fac51554d581e078344b089013e7c2fa3dbf4440246a498a82c3

                                          SHA512

                                          40af07025de6f3569c2466c3d146e14443e3f00f1c21ac302e8f685b6b73abdaad0d1178a8d867230e3635337136e0f7b2bdb04fa50224b21aceccb5e1bb0a2f

                                        • C:\Users\Admin\AppData\Local\Temp\_MEI50242\unicodedata.pyd

                                          Filesize

                                          885KB

                                          MD5

                                          3a6da8ace7fe6c708b58fffce1d4e93c

                                          SHA1

                                          7ddb16a5988485d5e8eca20f1890827895937a83

                                          SHA256

                                          1c421c15e69508d1036ce5a670360b988cea16abc4f2a8e069ba877fa917aef7

                                          SHA512

                                          da163f5daf9e0faea1ca0c428a8f902afde341ce5793c83cc0a10086170b21b3385fc570c0fabf2c0dec7cb929b7b465872c9db33f149a75cf4ab80bde69dba3

                                        • C:\Users\Admin\Downloads\Unconfirmed 488287.crdownload

                                          Filesize

                                          7.9MB

                                          MD5

                                          1dd5d71552b8ec78b9056be86119e9c4

                                          SHA1

                                          b54998ef726b9840eb71227f68896ef52a3d1a09

                                          SHA256

                                          d44023ff21143bdb829f1098fba8371d2b41098b7a0277f7103e4f77540f9c34

                                          SHA512

                                          3b996fbf0412e2792ddf6d37e39078351e9451529e37f7cc9be1a0d9c53c6435557cb0a5255ebea592ffe604bdb30ffc108aa2e1e90b9452043d3921f67a4a23

                                        • \??\pipe\LOCAL\crashpad_1012_NRGKKAXKUVVNCQCW

                                          MD5

                                          d41d8cd98f00b204e9800998ecf8427e

                                          SHA1

                                          da39a3ee5e6b4b0d3255bfef95601890afd80709

                                          SHA256

                                          e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                                          SHA512

                                          cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e