Malware Analysis Report

2024-09-22 06:44

Sample ID: 240620-dzx97a1ann
Target: 78c12e107561655fed35af72ed4c7400.bin
SHA256: 6c793eaf5b5b700aeed6cad66aa3bff7499bf8b1815cf09d5a39e2403da5dbfd
Tags: asyncrat default discovery rat upx spyware stealer persistence privilege_escalation pyinstaller
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 6c793eaf5b5b700aeed6cad66aa3bff7499bf8b1815cf09d5a39e2403da5dbfd

Threat Level: Known bad

The file 78c12e107561655fed35af72ed4c7400.bin was found to be: Known bad.

Malicious Activity Summary

Async RAT payload

AsyncRat

Asyncrat family

UPX packed file

Executes dropped EXE

Reads user/profile data of web browsers

Loads dropped DLL

Checks computer location settings

Looks up external IP address via web service

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Unsigned PE

Event Triggered Execution: Netsh Helper DLL

Enumerates physical storage devices

Detects Pyinstaller

Checks processor information in registry

Runs ping.exe

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Scheduled Task/Job: Scheduled Task

Delays execution with timeout.exe

Suspicious use of AdjustPrivilegeToken

Kills process with taskkill

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported: 2024-06-20 03:27

Signatures

Async RAT payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Asyncrat family

asyncrat

Detects Pyinstaller

pyinstaller
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (×3)

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-20 03:27
Reported: 2024-06-20 03:30
Platform: win7-20231129-en
Max time kernel: 147s
Max time network: 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\win7\runtime.exe"

Signatures

AsyncRat

rat asyncrat

Async RAT payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\win.exe | N/A

Checks installed software on the system

discovery

Delays execution with timeout.exe

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\timeout.exe | N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\win7\runtime.exe | N/A (×2)
N/A | N/A | C:\Users\Admin\AppData\Roaming\win.exe | N/A (×33)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\win7\runtime.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\win.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\win.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2012 wrote to memory of 760 | N/A | C:\Users\Admin\AppData\Local\Temp\win7\runtime.exe | C:\Windows\System32\cmd.exe (×3)
PID 2012 wrote to memory of 2564 | N/A | C:\Users\Admin\AppData\Local\Temp\win7\runtime.exe | C:\Windows\system32\cmd.exe (×3)
PID 2564 wrote to memory of 2620 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\timeout.exe (×3)
PID 760 wrote to memory of 2608 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\schtasks.exe (×3)
PID 2564 wrote to memory of 2684 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Roaming\win.exe (×3)

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\win7\runtime.exe

"C:\Users\Admin\AppData\Local\Temp\win7\runtime.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "win" /tr '"C:\Users\Admin\AppData\Roaming\win.exe"' & exit

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp1B4E.tmp.bat""

C:\Windows\system32\timeout.exe

timeout 3

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "win" /tr '"C:\Users\Admin\AppData\Roaming\win.exe"'

C:\Users\Admin\AppData\Roaming\win.exe

"C:\Users\Admin\AppData\Roaming\win.exe"

Network

Country | Destination | Domain | Proto
US | 72.5.43.15:4449 | | tcp (×32)
US | 8.8.8.8:53 | www.microsoft.com | udp

Files

memory/2012-0-0x000007FEF5163000-0x000007FEF5164000-memory.dmp

memory/2012-1-0x0000000001390000-0x00000000013A8000-memory.dmp

memory/2012-3-0x000007FEF5160000-0x000007FEF5B4C000-memory.dmp

memory/2012-12-0x000007FEF5160000-0x000007FEF5B4C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp1B4E.tmp.bat

memory/2012-14-0x000007FEF5160000-0x000007FEF5B4C000-memory.dmp

C:\Users\Admin\AppData\Roaming\win.exe

memory/2684-18-0x0000000001270000-0x0000000001288000-memory.dmp

C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\Local\Temp\Tar41F5.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-20 03:27
Reported: 2024-06-20 03:30
Platform: win10v2004-20240611-en
Max time kernel: 138s
Max time network: 146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\win7\runtime.exe"

Signatures

AsyncRat

rat asyncrat

Async RAT payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\win7\runtime.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\win.exe | N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\timeout.exe | N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\win7\runtime.exe | N/A (×21)
N/A | N/A | C:\Users\Admin\AppData\Roaming\win.exe | N/A (×3)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\win7\runtime.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\win.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\win.exe | N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\win7\runtime.exe

"C:\Users\Admin\AppData\Local\Temp\win7\runtime.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "win" /tr '"C:\Users\Admin\AppData\Roaming\win.exe"' & exit

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp5748.tmp.bat""

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "win" /tr '"C:\Users\Admin\AppData\Roaming\win.exe"'

C:\Windows\system32\timeout.exe

timeout 3

C:\Users\Admin\AppData\Roaming\win.exe

"C:\Users\Admin\AppData\Roaming\win.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 13.107.21.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
NL | 23.62.61.97:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp
US | 72.5.43.15:4449 | | tcp
US | 8.8.8.8:53 | 15.43.5.72.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp (×4)
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp

Files

memory/3268-0-0x00007FFF9AD93000-0x00007FFF9AD95000-memory.dmp

memory/3268-1-0x0000000000DE0000-0x0000000000DF8000-memory.dmp

memory/3268-3-0x00007FFF9AD90000-0x00007FFF9B851000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp5748.tmp.bat

C:\Users\Admin\AppData\Roaming\win.exe

C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf

memory/3268-15-0x00007FFF9AD90000-0x00007FFF9B851000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted: 2024-06-20 03:27
Reported: 2024-06-20 03:30
Platform: win7-20240221-en
Max time kernel: 122s
Max time network: 124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\win7\win5.exe"

Signatures

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\win7\win5.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\win7\win5.exe

"C:\Users\Admin\AppData\Local\Temp\win7\win5.exe"

C:\Users\Admin\AppData\Local\Temp\win7\win5.exe

"C:\Users\Admin\AppData\Local\Temp\win7\win5.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\_MEI21282\python310.dll

memory/2472-87-0x000007FEF59B0000-0x000007FEF5E16000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted: 2024-06-20 03:27
Reported: 2024-06-20 03:30
Platform: win10v2004-20240508-en
Max time kernel: 51s
Max time network: 62s

Command Line

"C:\Users\Admin\AppData\Local\Temp\win7\win5.exe"

Signatures

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\win7\win5.exe | N/A (×51)

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (×64)

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\PING.EXE | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A (×2)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\win7\win5.exe | N/A
(The following 21 rows appear three times, once per WMIC.exe instance.)
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A
Token: 33 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A
Token: 34 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A
Token: 35 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A
Token: 36 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4888 wrote to memory of 4652 | N/A | C:\Users\Admin\AppData\Local\Temp\win7\win5.exe | C:\Users\Admin\AppData\Local\Temp\win7\win5.exe (×2)
PID 4652 wrote to memory of 1072 | N/A | C:\Users\Admin\AppData\Local\Temp\win7\win5.exe | C:\Windows\system32\cmd.exe (×2)
PID 1072 wrote to memory of 3452 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\wbem\WMIC.exe (×2)
PID 4652 wrote to memory of 2072 | N/A | C:\Users\Admin\AppData\Local\Temp\win7\win5.exe | C:\Windows\system32\cmd.exe (×2)
PID 2072 wrote to memory of 3752 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\wbem\WMIC.exe (×2)
PID 4652 wrote to memory of 1208 | N/A | C:\Users\Admin\AppData\Local\Temp\win7\win5.exe | C:\Windows\system32\cmd.exe (×2)
PID 1208 wrote to memory of 4516 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\wbem\WMIC.exe (×2)
PID 4652 wrote to memory of 2880 | N/A | C:\Users\Admin\AppData\Local\Temp\win7\win5.exe | C:\Windows\system32\cmd.exe (×2)
PID 2880 wrote to memory of 4092 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (×2)
PID 4652 wrote to memory of 3612 | N/A | C:\Users\Admin\AppData\Local\Temp\win7\win5.exe | C:\Windows\system32\cmd.exe (×2)
PID 3612 wrote to memory of 4500 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE (×2)

Processes

C:\Users\Admin\AppData\Local\Temp\win7\win5.exe

"C:\Users\Admin\AppData\Local\Temp\win7\win5.exe"

C:\Users\Admin\AppData\Local\Temp\win7\win5.exe

"C:\Users\Admin\AppData\Local\Temp\win7\win5.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"

C:\Windows\System32\wbem\WMIC.exe

C:\Windows\System32\wbem\WMIC.exe csproduct get uuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"

C:\Windows\System32\wbem\WMIC.exe

C:\Windows\System32\wbem\WMIC.exe csproduct get uuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"

C:\Windows\System32\wbem\WMIC.exe

C:\Windows\System32\wbem\WMIC.exe csproduct get uuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /F "C:\Users\Admin\AppData\Local\Temp\win7\win5.exe""

C:\Windows\system32\PING.EXE

ping localhost -n 3

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | www.cloudflare.com | udp
US | 8.8.8.8:53 | api.telegram.org | udp (×2)
N/A | 127.0.0.1:61090 | | tcp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI48882\python310.dll

C:\Users\Admin\AppData\Local\Temp\_MEI48882\VCRUNTIME140.dll

C:\Users\Admin\AppData\Local\Temp\_MEI48882\base_library.zip

C:\Users\Admin\AppData\Local\Temp\_MEI48882\_ctypes.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI48882\python3.DLL

C:\Users\Admin\AppData\Local\Temp\_MEI48882\libffi-7.dll

C:\Users\Admin\AppData\Local\Temp\_MEI48882\_bz2.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI48882\_lzma.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI48882\_socket.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI48882\select.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI48882\pyexpat.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI48882\_queue.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI48882\pywin32_system32\pywintypes310.dll

C:\Users\Admin\AppData\Local\Temp\_MEI48882\VCRUNTIME140_1.dll

C:\Users\Admin\AppData\Local\Temp\_MEI48882\pywin32_system32\pythoncom310.dll

C:\Users\Admin\AppData\Local\Temp\_MEI48882\win32\win32api.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI48882\_uuid.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI48882\psutil\_psutil_windows.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI48882\_ssl.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI48882\libssl-1_1.dll

C:\Users\Admin\AppData\Local\Temp\_MEI48882\libcrypto-1_1.dll

C:\Users\Admin\AppData\Local\Temp\_MEI48882\zstandard\backend_c.cp310-win_amd64.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI48882\_hashlib.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI48882\charset_normalizer\md.cp310-win_amd64.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI48882\charset_normalizer\md__mypyc.cp310-win_amd64.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI48882\unicodedata.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI48882\_sqlite3.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI48882\Crypto\Cipher\_raw_ecb.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI48882\Crypto\Cipher\_raw_cbc.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI48882\Crypto\Cipher\_raw_ofb.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI48882\Crypto\Cipher\_raw_cfb.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI48882\sqlite3.dll

C:\Users\Admin\AppData\Local\Temp\win7\downloads_db

C:\Users\Admin\AppData\Local\Temp\1zMabqQMTE.tmp

C:\Users\Admin\AppData\Local\Temp\AhZ7eksXaS.tmp

C:\Users\Admin\AppData\Local\Temp\n89wI8ljJQ\extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\LOG

C:\Users\Admin\AppData\Local\Temp\n89wI8ljJQ\extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\CURRENT

C:\Users\Admin\AppData\Local\Temp\n89wI8ljJQ\extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\000003.log

C:\Users\Admin\AppData\Local\Temp\n89wI8ljJQ\extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\MANIFEST-000001

C:\Users\Admin\AppData\Local\Temp\n89wI8ljJQ\common(0)\AddStop.zip

C:\Users\Admin\AppData\Local\Temp\n89wI8ljJQ\common(0)\BackupFind.jpg

C:\Users\Admin\AppData\Local\Temp\n89wI8ljJQ\common(0)\CompareClose.csv

C:\Users\Admin\AppData\Local\Temp\n89wI8ljJQ\common(0)\GrantMove.docx

C:\Users\Admin\AppData\Local\Temp\n89wI8ljJQ\common(0)\ProtectConnect.jpeg

C:\Users\Admin\AppData\Local\Temp\n89wI8ljJQ\common(0)\My Wallpaper.jpg

C:\Users\Admin\AppData\Local\Temp\n89wI8ljJQ\common(0)\These.docx

C:\Users\Admin\AppData\Local\Temp\n89wI8ljJQ\common(0)\Recently.docx

C:\Users\Admin\AppData\Local\Temp\n89wI8ljJQ\common(0)\Opened.docx

C:\Users\Admin\AppData\Local\Temp\n89wI8ljJQ\common(0)\GroupDisable.docx

C:\Users\Admin\AppData\Local\Temp\n89wI8ljJQ\common(0)\Files.docx

C:\Users\Admin\AppData\Local\Temp\n89wI8ljJQ\common(0)\ConvertFromInstall.txt

C:\Users\Admin\AppData\Local\Temp\n89wI8ljJQ\common(0)\ConfirmWait.docx

C:\Users\Admin\AppData\Local\Temp\n89wI8ljJQ\common(0)\Are.docx

C:\Users\Admin\AppData\Local\Temp\n89wI8ljJQ\common(0)\ResumeStop.png

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_b4sqvzkh.2hd.ps1

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-20 03:27

Reported

2024-06-20 03:30

Platform

win7-20240220-en

Max time kernel

120s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\win7\win6.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\win7\win6.exe

"C:\Users\Admin\AppData\Local\Temp\win7\win6.exe"

C:\Users\Admin\AppData\Local\Temp\onefile_1636_133633276543926000\main.exe

"C:\Users\Admin\AppData\Local\Temp\win7\win6.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\onefile_1636_133633276543926000\main.exe

\Users\Admin\AppData\Local\Temp\onefile_1636_133633276543926000\python310.dll

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-20 03:27

Reported

2024-06-20 03:30

Platform

win10v2004-20240611-en

Max time kernel

145s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\win7\win6.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4012_133633276554565758\main.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4012_133633276554565758\main.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4012_133633276554565758\main.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4012_133633276554565758\main.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A

Note: all three events are netsh.exe itself reading its registered helper DLL list when it ran "netsh wlan show profiles" (see Processes). The report records no value written under this key and no DLL dropped for it, so what is evidenced here is Wi-Fi profile discovery, not an observed helper-DLL persistence install.

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\onefile_4012_133633276554565758\main.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\onefile_4012_133633276554565758\main.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Note: the WMIC.exe rows are the privileges wmic enables in its own token at startup, whatever query it is given, so they reflect the tool rather than the sample; the seven SeDebugPrivilege rows are taskkill /f opening browser processes to terminate them. Tokens 33 to 36 are privilege identifiers the sandbox did not resolve to names.

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4012 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\win7\win6.exe C:\Users\Admin\AppData\Local\Temp\onefile_4012_133633276554565758\main.exe
PID 4012 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\win7\win6.exe C:\Users\Admin\AppData\Local\Temp\onefile_4012_133633276554565758\main.exe
PID 3688 wrote to memory of 3496 N/A C:\Users\Admin\AppData\Local\Temp\onefile_4012_133633276554565758\main.exe C:\Users\Admin\AppData\Local\Temp\onefile_4012_133633276554565758\main.exe
PID 3688 wrote to memory of 3496 N/A C:\Users\Admin\AppData\Local\Temp\onefile_4012_133633276554565758\main.exe C:\Users\Admin\AppData\Local\Temp\onefile_4012_133633276554565758\main.exe
PID 3688 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\onefile_4012_133633276554565758\main.exe C:\Users\Admin\AppData\Local\Temp\onefile_4012_133633276554565758\main.exe
PID 3688 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\onefile_4012_133633276554565758\main.exe C:\Users\Admin\AppData\Local\Temp\onefile_4012_133633276554565758\main.exe
PID 3688 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\onefile_4012_133633276554565758\main.exe C:\Users\Admin\AppData\Local\Temp\onefile_4012_133633276554565758\main.exe
PID 3688 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\onefile_4012_133633276554565758\main.exe C:\Users\Admin\AppData\Local\Temp\onefile_4012_133633276554565758\main.exe
PID 3688 wrote to memory of 3240 N/A C:\Users\Admin\AppData\Local\Temp\onefile_4012_133633276554565758\main.exe C:\Users\Admin\AppData\Local\Temp\onefile_4012_133633276554565758\main.exe
PID 3688 wrote to memory of 3240 N/A C:\Users\Admin\AppData\Local\Temp\onefile_4012_133633276554565758\main.exe C:\Users\Admin\AppData\Local\Temp\onefile_4012_133633276554565758\main.exe
PID 3688 wrote to memory of 4536 N/A C:\Users\Admin\AppData\Local\Temp\onefile_4012_133633276554565758\main.exe C:\Users\Admin\AppData\Local\Temp\onefile_4012_133633276554565758\main.exe
PID 3688 wrote to memory of 4536 N/A C:\Users\Admin\AppData\Local\Temp\onefile_4012_133633276554565758\main.exe C:\Users\Admin\AppData\Local\Temp\onefile_4012_133633276554565758\main.exe
PID 1628 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\onefile_4012_133633276554565758\main.exe C:\Windows\system32\cmd.exe
PID 1628 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\onefile_4012_133633276554565758\main.exe C:\Windows\system32\cmd.exe
PID 3496 wrote to memory of 4028 N/A C:\Users\Admin\AppData\Local\Temp\onefile_4012_133633276554565758\main.exe C:\Windows\system32\cmd.exe
PID 3496 wrote to memory of 4028 N/A C:\Users\Admin\AppData\Local\Temp\onefile_4012_133633276554565758\main.exe C:\Windows\system32\cmd.exe
PID 3240 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\onefile_4012_133633276554565758\main.exe C:\Windows\system32\cmd.exe
PID 3240 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\onefile_4012_133633276554565758\main.exe C:\Windows\system32\cmd.exe
PID 2540 wrote to memory of 5032 N/A C:\Users\Admin\AppData\Local\Temp\onefile_4012_133633276554565758\main.exe C:\Windows\system32\cmd.exe
PID 2540 wrote to memory of 5032 N/A C:\Users\Admin\AppData\Local\Temp\onefile_4012_133633276554565758\main.exe C:\Windows\system32\cmd.exe
PID 4536 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\onefile_4012_133633276554565758\main.exe C:\Windows\system32\cmd.exe
PID 4536 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\onefile_4012_133633276554565758\main.exe C:\Windows\system32\cmd.exe
PID 4028 wrote to memory of 2208 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4028 wrote to memory of 2208 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 772 wrote to memory of 1896 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 772 wrote to memory of 1896 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 3004 wrote to memory of 4020 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 3004 wrote to memory of 4020 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 5032 wrote to memory of 848 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 5032 wrote to memory of 848 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4452 wrote to memory of 4052 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4452 wrote to memory of 4052 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2540 wrote to memory of 3352 N/A C:\Users\Admin\AppData\Local\Temp\onefile_4012_133633276554565758\main.exe C:\Windows\system32\cmd.exe
PID 2540 wrote to memory of 3352 N/A C:\Users\Admin\AppData\Local\Temp\onefile_4012_133633276554565758\main.exe C:\Windows\system32\cmd.exe
PID 3496 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\onefile_4012_133633276554565758\main.exe C:\Windows\system32\cmd.exe
PID 3496 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\onefile_4012_133633276554565758\main.exe C:\Windows\system32\cmd.exe
PID 4536 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Local\Temp\onefile_4012_133633276554565758\main.exe C:\Windows\system32\cmd.exe
PID 4536 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Local\Temp\onefile_4012_133633276554565758\main.exe C:\Windows\system32\cmd.exe
PID 3352 wrote to memory of 892 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 3352 wrote to memory of 892 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1132 wrote to memory of 64 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tree.com
PID 1132 wrote to memory of 64 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tree.com
PID 2300 wrote to memory of 4752 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2300 wrote to memory of 4752 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4536 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Local\Temp\onefile_4012_133633276554565758\main.exe C:\Windows\system32\cmd.exe
PID 4536 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Local\Temp\onefile_4012_133633276554565758\main.exe C:\Windows\system32\cmd.exe
PID 1628 wrote to memory of 4320 N/A C:\Users\Admin\AppData\Local\Temp\onefile_4012_133633276554565758\main.exe C:\Windows\system32\cmd.exe
PID 1628 wrote to memory of 4320 N/A C:\Users\Admin\AppData\Local\Temp\onefile_4012_133633276554565758\main.exe C:\Windows\system32\cmd.exe
PID 1560 wrote to memory of 1356 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tree.com
PID 1560 wrote to memory of 1356 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tree.com
PID 4536 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\onefile_4012_133633276554565758\main.exe C:\Windows\system32\cmd.exe
PID 4536 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\onefile_4012_133633276554565758\main.exe C:\Windows\system32\cmd.exe
PID 1628 wrote to memory of 4988 N/A C:\Users\Admin\AppData\Local\Temp\onefile_4012_133633276554565758\main.exe C:\Windows\system32\cmd.exe
PID 1628 wrote to memory of 4988 N/A C:\Users\Admin\AppData\Local\Temp\onefile_4012_133633276554565758\main.exe C:\Windows\system32\cmd.exe
PID 1628 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Temp\onefile_4012_133633276554565758\main.exe C:\Windows\system32\cmd.exe
PID 1628 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Temp\onefile_4012_133633276554565758\main.exe C:\Windows\system32\cmd.exe
PID 4516 wrote to memory of 4820 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tree.com
PID 4516 wrote to memory of 4820 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tree.com
PID 4536 wrote to memory of 4164 N/A C:\Users\Admin\AppData\Local\Temp\onefile_4012_133633276554565758\main.exe C:\Windows\system32\cmd.exe
PID 4536 wrote to memory of 4164 N/A C:\Users\Admin\AppData\Local\Temp\onefile_4012_133633276554565758\main.exe C:\Windows\system32\cmd.exe
PID 1600 wrote to memory of 2920 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1600 wrote to memory of 2920 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4164 wrote to memory of 2372 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tree.com
PID 4164 wrote to memory of 2372 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tree.com
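
The table above lists every WriteProcessMemory event flat, and each one twice, which hides the shape of the execution: one loader, one Python parent, five multiprocessing workers, and a fan of cmd.exe children under them. The following added example (not part of the report; the input is the table's rows copied once each) rebuilds that process tree from the rows and answers the questions an analyst asks of it: what is the root, what did each worker spawn, and which leaf binaries actually ran.

```python
import re
from collections import defaultdict

# Constructed input: the WriteProcessMemory rows from the table above, one copy
# of each (the sandbox records every write twice).
RECORDS = r"""
PID 4012 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\win7\win6.exe C:\Users\Admin\AppData\Local\Temp\onefile_4012_133633276554565758\main.exe
PID 3688 wrote to memory of 3496 N/A C:\Users\Admin\AppData\Local\Temp\onefile_4012_133633276554565758\main.exe C:\Users\Admin\AppData\Local\Temp\onefile_4012_133633276554565758\main.exe
PID 3688 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\onefile_4012_133633276554565758\main.exe C:\Users\Admin\AppData\Local\Temp\onefile_4012_133633276554565758\main.exe
PID 3688 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\onefile_4012_133633276554565758\main.exe C:\Users\Admin\AppData\Local\Temp\onefile_4012_133633276554565758\main.exe
PID 3688 wrote to memory of 3240 N/A C:\Users\Admin\AppData\Local\Temp\onefile_4012_133633276554565758\main.exe C:\Users\Admin\AppData\Local\Temp\onefile_4012_133633276554565758\main.exe
PID 3688 wrote to memory of 4536 N/A C:\Users\Admin\AppData\Local\Temp\onefile_4012_133633276554565758\main.exe C:\Users\Admin\AppData\Local\Temp\onefile_4012_133633276554565758\main.exe
PID 1628 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\onefile_4012_133633276554565758\main.exe C:\Windows\system32\cmd.exe
PID 3496 wrote to memory of 4028 N/A C:\Users\Admin\AppData\Local\Temp\onefile_4012_133633276554565758\main.exe C:\Windows\system32\cmd.exe
PID 3240 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\onefile_4012_133633276554565758\main.exe C:\Windows\system32\cmd.exe
PID 2540 wrote to memory of 5032 N/A C:\Users\Admin\AppData\Local\Temp\onefile_4012_133633276554565758\main.exe C:\Windows\system32\cmd.exe
PID 4536 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\onefile_4012_133633276554565758\main.exe C:\Windows\system32\cmd.exe
PID 4028 wrote to memory of 2208 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 772 wrote to memory of 1896 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 3004 wrote to memory of 4020 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 5032 wrote to memory of 848 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4452 wrote to memory of 4052 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2540 wrote to memory of 3352 N/A C:\Users\Admin\AppData\Local\Temp\onefile_4012_133633276554565758\main.exe C:\Windows\system32\cmd.exe
PID 3496 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\onefile_4012_133633276554565758\main.exe C:\Windows\system32\cmd.exe
PID 4536 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Local\Temp\onefile_4012_133633276554565758\main.exe C:\Windows\system32\cmd.exe
PID 3352 wrote to memory of 892 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1132 wrote to memory of 64 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tree.com
PID 2300 wrote to memory of 4752 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4536 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Local\Temp\onefile_4012_133633276554565758\main.exe C:\Windows\system32\cmd.exe
PID 1628 wrote to memory of 4320 N/A C:\Users\Admin\AppData\Local\Temp\onefile_4012_133633276554565758\main.exe C:\Windows\system32\cmd.exe
PID 1560 wrote to memory of 1356 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tree.com
PID 4536 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\onefile_4012_133633276554565758\main.exe C:\Windows\system32\cmd.exe
PID 1628 wrote to memory of 4988 N/A C:\Users\Admin\AppData\Local\Temp\onefile_4012_133633276554565758\main.exe C:\Windows\system32\cmd.exe
PID 1628 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Temp\onefile_4012_133633276554565758\main.exe C:\Windows\system32\cmd.exe
PID 4516 wrote to memory of 4820 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tree.com
PID 4536 wrote to memory of 4164 N/A C:\Users\Admin\AppData\Local\Temp\onefile_4012_133633276554565758\main.exe C:\Windows\system32\cmd.exe
PID 1600 wrote to memory of 2920 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4164 wrote to memory of 2372 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tree.com
"""

# Row layout: "PID <writer> wrote to memory of <target> <indicator> <writer image> <target image>"
ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) \S+ (\S+) (\S+)$")


def parse_records(text):
    """Map each PID to its image basename and each writer PID to its targets, in order."""
    names, children = {}, defaultdict(list)
    for line in text.strip().splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # anything that is not a WriteProcessMemory row
        ppid, cpid = int(m[1]), int(m[2])
        names.setdefault(ppid, m[3].rsplit("\\", 1)[-1])
        names.setdefault(cpid, m[4].rsplit("\\", 1)[-1])
        if cpid not in children[ppid]:
            children[ppid].append(cpid)
    return names, dict(children)


def roots(names, children):
    """PIDs that are never a write target: the top of the tree."""
    targets = {c for kids in children.values() for c in kids}
    return sorted(p for p in names if p not in targets)


def render(names, children):
    """Indented text tree, one line per process."""
    out = []

    def walk(pid, depth):
        out.append(f"{'    ' * depth}{names[pid]} ({pid})")
        for c in children.get(pid, []):
            walk(c, depth + 1)

    for r in roots(names, children):
        walk(r, 0)
    return out


def lineage(names, children, pid):
    """Image names from the root down to `pid`."""
    parent = {c: p for p, kids in children.items() for c in kids}
    chain = [pid]
    while chain[-1] in parent:
        chain.append(parent[chain[-1]])
    return [names[p] for p in reversed(chain)]


def leaves_by_image(names, children):
    """Count leaf processes by image: the binaries the stealer actually executed."""
    counts = defaultdict(int)
    for pid, name in names.items():
        if pid not in children:
            counts[name] += 1
    return dict(counts)


if __name__ == "__main__":
    names, children = parse_records(RECORDS)
    print("\n".join(render(names, children)))
    print(leaves_by_image(names, children))
```

The two cmd.exe leaves (4320 and 4988) line up with the cmd /c "ver" entries in the Processes section: ver is a cmd builtin, so no child process appears. That pairing is an inference from the process list, not something the table states.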

Processes

C:\Users\Admin\AppData\Local\Temp\win7\win6.exe

"C:\Users\Admin\AppData\Local\Temp\win7\win6.exe"

C:\Users\Admin\AppData\Local\Temp\onefile_4012_133633276554565758\main.exe

"C:\Users\Admin\AppData\Local\Temp\win7\win6.exe"

C:\Users\Admin\AppData\Local\Temp\onefile_4012_133633276554565758\main.exe

"C:\Users\Admin\AppData\Local\Temp\onefile_4012_133633276554565758\main.exe" "--multiprocessing-fork" "parent_pid=3688" "pipe_handle=720"

C:\Users\Admin\AppData\Local\Temp\onefile_4012_133633276554565758\main.exe

"C:\Users\Admin\AppData\Local\Temp\onefile_4012_133633276554565758\main.exe" "--multiprocessing-fork" "parent_pid=3688" "pipe_handle=728"

C:\Users\Admin\AppData\Local\Temp\onefile_4012_133633276554565758\main.exe

"C:\Users\Admin\AppData\Local\Temp\onefile_4012_133633276554565758\main.exe" "--multiprocessing-fork" "parent_pid=3688" "pipe_handle=456"

C:\Users\Admin\AppData\Local\Temp\onefile_4012_133633276554565758\main.exe

"C:\Users\Admin\AppData\Local\Temp\onefile_4012_133633276554565758\main.exe" "--multiprocessing-fork" "parent_pid=3688" "pipe_handle=552"

C:\Users\Admin\AppData\Local\Temp\onefile_4012_133633276554565758\main.exe

"C:\Users\Admin\AppData\Local\Temp\onefile_4012_133633276554565758\main.exe" "--multiprocessing-fork" "parent_pid=3688" "pipe_handle=580"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /f /im chrome.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /f /im opera.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /f /im opera.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /f /im msedge.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /f /im brave.exe"

C:\Windows\system32\taskkill.exe

taskkill /f /im opera.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im msedge.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im brave.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im opera.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im chrome.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /f /im vivaldi.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /f /im browser.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\taskkill.exe

taskkill /f /im vivaldi.exe

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\taskkill.exe

taskkill /f /im browser.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "ver"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "ver"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\root\SecurityCenter2 Path AntivirusProduct Get displayName"

C:\Windows\System32\Wbem\WMIC.exe

WMIC /Node:localhost /Namespace:\root\SecurityCenter2 Path AntivirusProduct Get displayName

C:\Users\Admin\AppData\Local\Temp\onefile_4012_133633276554565758\main.exe

"C:\Users\Admin\AppData\Local\Temp\onefile_4012_133633276554565758\main.exe" "--multiprocessing-fork" "parent_pid=3688" "pipe_handle=568"

C:\Users\Admin\AppData\Local\Temp\onefile_4012_133633276554565758\main.exe

"C:\Users\Admin\AppData\Local\Temp\onefile_4012_133633276554565758\main.exe" "--multiprocessing-fork" "parent_pid=3688" "pipe_handle=824"

C:\Users\Admin\AppData\Local\Temp\onefile_4012_133633276554565758\main.exe

"C:\Users\Admin\AppData\Local\Temp\onefile_4012_133633276554565758\main.exe" "--multiprocessing-fork" "parent_pid=3688" "pipe_handle=924"

C:\Users\Admin\AppData\Local\Temp\onefile_4012_133633276554565758\main.exe

"C:\Users\Admin\AppData\Local\Temp\onefile_4012_133633276554565758\main.exe" "--multiprocessing-fork" "parent_pid=3688" "pipe_handle=948"

C:\Users\Admin\AppData\Local\Temp\onefile_4012_133633276554565758\main.exe

"C:\Users\Admin\AppData\Local\Temp\onefile_4012_133633276554565758\main.exe" "--multiprocessing-fork" "parent_pid=3688" "pipe_handle=972"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /F "C:\Users\Admin\AppData\Local\Temp\onefile_4012_133633276554565758\main.exe""

C:\Windows\system32\PING.EXE

ping localhost -n 3
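
The command lines above are the whole stealer workflow in clear text: force-kill every Chromium-based browser so its SQLite credential and cookie stores are no longer locked, enumerate the filesystem with tree, collect the OS version, saved Wi-Fi profiles and the registered antivirus product, then self-delete the unpacked main.exe after a three-ping delay. The "--multiprocessing-fork" "parent_pid=3688" "pipe_handle=..." arguments are Python's multiprocessing spawn convention on Windows, and the onefile_<pid>_<timestamp> extraction directory is the pattern Nuitka's onefile mode uses rather than PyInstaller's _MEI directory, so the pyinstaller tag is worth re-checking against the static analysis. The following added example (not part of the report) turns these observations into command-line triage rules; the input is the distinct command lines copied from the list above, the rule names and ATT&CK mappings are the editor's.

```python
import re

# Constructed input: one copy of each distinct command line from the Processes section.
COMMAND_LINES = r"""
"C:\Users\Admin\AppData\Local\Temp\win7\win6.exe"
"C:\Users\Admin\AppData\Local\Temp\onefile_4012_133633276554565758\main.exe" "--multiprocessing-fork" "parent_pid=3688" "pipe_handle=720"
"C:\Users\Admin\AppData\Local\Temp\onefile_4012_133633276554565758\main.exe" "--multiprocessing-fork" "parent_pid=3688" "pipe_handle=728"
C:\Windows\system32\cmd.exe /c "taskkill /f /im chrome.exe"
C:\Windows\system32\cmd.exe /c "taskkill /f /im opera.exe"
C:\Windows\system32\cmd.exe /c "taskkill /f /im msedge.exe"
C:\Windows\system32\cmd.exe /c "taskkill /f /im brave.exe"
C:\Windows\system32\cmd.exe /c "taskkill /f /im vivaldi.exe"
C:\Windows\system32\cmd.exe /c "taskkill /f /im browser.exe"
taskkill /f /im chrome.exe
C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /F "C:\Users\Admin\AppData\Local\Temp\onefile_4012_133633276554565758\main.exe""
C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\root\SecurityCenter2 Path AntivirusProduct Get displayName"
C:\Windows\system32\cmd.exe /c "ver"
C:\Windows\system32\cmd.exe /c "tree /A /F"
"""

# Browser images the sample targets (the set seen in this report; extend for other families).
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "vivaldi.exe", "browser.exe"}

# (rule name, ATT&CK mapping / meaning, regex over the full command line)
RULES = [
    ("process_kill", "releases browser database locks before credential theft",
     re.compile(r'taskkill\s+/f\s+/im\s+([^\s"]+)', re.I)),
    ("fs_enum", "T1083 File and Directory Discovery",
     re.compile(r"\btree\s+/A\s+/F\b", re.I)),
    ("os_version", "T1082 System Information Discovery",
     re.compile(r'cmd\.exe\s+/c\s+"ver"', re.I)),
    ("wifi_profiles", "T1016 System Network Configuration Discovery",
     re.compile(r"netsh\s+wlan\s+show\s+profiles", re.I)),
    ("av_discovery", "T1518.001 Security Software Discovery",
     re.compile(r"wmic\b.*securitycenter2.*antivirusproduct", re.I)),
    ("self_delete", "T1070.004 Indicator Removal: File Deletion (ping-delayed)",
     re.compile(r'ping\s+\S+\s+-n\s+(\d+).*?&&\s*del\s+/F\s+"([^"]+)"', re.I)),
    ("py_worker", "Python multiprocessing spawn (context, not a technique)",
     re.compile(r"--multiprocessing-fork.*?parent_pid=(\d+)", re.I)),
]


def triage(text):
    """Run every rule over every command line; `detail` holds the regex captures."""
    findings = []
    for line in text.strip().splitlines():
        cmd = line.strip()
        for rule, meaning, rx in RULES:
            m = rx.search(cmd)
            if m:
                findings.append({"rule": rule, "meaning": meaning,
                                 "detail": m.groups(), "cmdline": cmd})
    return findings


def killed_browsers(findings):
    """Browser images the sample force-killed (deduplicated across cmd wrapper and child)."""
    killed = {f["detail"][0].lower() for f in findings if f["rule"] == "process_kill"}
    return sorted(killed & BROWSERS)


def rules_hit(findings):
    return sorted({f["rule"] for f in findings})


def verdict(findings):
    """Stealer pattern: browsers killed, at least one discovery step, and self-deletion."""
    hit = set(rules_hit(findings))
    discovery = {"fs_enum", "os_version", "wifi_profiles", "av_discovery"}
    return bool(killed_browsers(findings)) and "self_delete" in hit and bool(hit & discovery)


if __name__ == "__main__":
    f = triage(COMMAND_LINES)
    for x in f:
        print(f"{x['rule']:14} {x['detail']}  <- {x['cmdline'][:70]}")
    print("browsers killed:", killed_browsers(f), "| stealer pattern:", verdict(f))
```

Fed with process-creation telemetry instead of this constructed list, the same rules work as a hunting query; the self-delete rule in particular (ping to localhost followed by del /F of the process's own image) is rare in legitimate software and a good stand-alone alert.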

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.186.192:443 ipinfo.io tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 192.186.117.34.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 gstatic.com udp
GB 172.217.16.227:443 gstatic.com tcp
N/A 127.0.0.1:61397 tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 227.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
NL 149.154.167.220:443 api.telegram.org tcp
N/A 127.0.0.1:61403 tcp
N/A 127.0.0.1:61410 tcp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
GB 172.217.16.227:443 gstatic.com tcp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
N/A 127.0.0.1:61417 tcp
N/A 127.0.0.1:61421 tcp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
N/A 127.0.0.1:61434 tcp
NL 149.154.167.220:443 api.telegram.org tcp
GB 172.217.16.227:443 gstatic.com tcp
N/A 127.0.0.1:61440 tcp
NL 149.154.167.220:443 api.telegram.org tcp
N/A 127.0.0.1:61444 tcp
NL 149.154.167.220:443 api.telegram.org tcp
N/A 127.0.0.1:61453 tcp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 97.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
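
The network table mixes four kinds of rows: DNS queries to 8.8.8.8, the sandbox's own reverse (in-addr.arpa) lookups of every address it saw, loopback connections from the multiprocessing pipes, and the sample's real destinations. Only two of those destinations belong to the sample: ipinfo.io (the external IP lookup flagged in the signatures) and api.telegram.org, which a stealer with no other C2 uses to post the collected archive through a bot token. The following added example (not part of the report) parses the table and reduces it to a blockable IOC list; the input is a subset of the rows above, and the classification of bing.com and gstatic.com as sandbox background traffic is the editor's assumption, not something the report states.

```python
import re

# Constructed input: a subset of the rows from the Network table above.
NETWORK_ROWS = """
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.186.192:443 ipinfo.io tcp
US 8.8.8.8:53 gstatic.com udp
GB 172.217.16.227:443 gstatic.com tcp
N/A 127.0.0.1:61397 tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
NL 149.154.167.220:443 api.telegram.org tcp
N/A 127.0.0.1:61403 tcp
NL 149.154.167.220:443 api.telegram.org tcp
GB 172.217.16.227:443 gstatic.com tcp
NL 149.154.167.220:443 api.telegram.org tcp
"""

# Assumption (analyst judgement, not from the report): Microsoft/Google traffic
# the Windows sandbox image generates on its own.
BACKGROUND_SUFFIXES = ("bing.com", "gstatic.com")

# Roles for the destinations attributable to the sample.
ROLES = {
    "ipinfo.io": "external IP / geolocation lookup",
    "api.telegram.org": "Telegram Bot API, consistent with exfiltration",
}


def parse_network(text):
    """Rows are 'Country Destination Domain Proto'; loopback rows carry no domain."""
    rows = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            (country, dest, proto), domain = parts, ""
        else:
            continue
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def ptr_to_ip(name):
    """'220.167.154.149.in-addr.arpa' -> '149.154.167.220'; None for a forward name."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa", name)
    return ".".join(reversed(m.groups())) if m else None


def reverse_lookups(rows):
    """Addresses the sandbox reverse-resolved (its own bookkeeping, not sample traffic)."""
    ips = set()
    for r in rows:
        ip = ptr_to_ip(r["domain"])
        if ip:
            ips.add(ip)
    return ips


def is_background(domain):
    return any(domain == s or domain.endswith("." + s) for s in BACKGROUND_SUFFIXES)


def external_connections(rows):
    """Non-loopback TCP connections grouped by domain: addresses, count, role."""
    out = {}
    for r in rows:
        if r["proto"] != "tcp" or r["ip"].startswith("127."):
            continue
        e = out.setdefault(r["domain"], {"ips": set(), "count": 0,
                                         "background": is_background(r["domain"]),
                                         "role": ROLES.get(r["domain"], "unknown")})
        e["ips"].add(r["ip"])
        e["count"] += 1
    for e in out.values():
        e["ips"] = sorted(e["ips"])
    return out


def iocs(rows):
    """One line per destination worth blocking or hunting, background noise removed."""
    return [f"{d} {','.join(e['ips'])} x{e['count']} [{e['role']}]"
            for d, e in sorted(external_connections(rows).items()) if not e["background"]]


if __name__ == "__main__":
    rows = parse_network(NETWORK_ROWS)
    print("\n".join(iocs(rows)))
    print("reverse-resolved by sandbox:", sorted(reverse_lookups(rows)))
```

Blocking api.telegram.org outright is rarely acceptable on a general-purpose network, so the practical detection is the combination: a process that is not a messaging client resolving ipinfo.io and then posting to api.telegram.org over TLS shortly after browser processes were killed.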

Files

C:\Users\Admin\AppData\Local\Temp\onefile_4012_133633276554565758\main.exe

MD5 677a4308b447726c114cabae725f8cb0
SHA1 440ac32a073a81a5afd1c695fb55b6df5f8813d2
SHA256 9be96084ae3f0f51038b6061a33f74acc16aaf02f3f6061f9170295f4b11900d
SHA512 a4826acecb86d38de53330ee623d396f73a018039e45849e4b37c8a9f44c60c1de65fdde0dc215e42f5fde1bd624bef640e94b98dd4ea7f12e200c39f4677618

C:\Users\Admin\AppData\Local\Temp\onefile_4012_133633276554565758\python310.dll

MD5 63a1fa9259a35eaeac04174cecb90048
SHA1 0dc0c91bcd6f69b80dcdd7e4020365dd7853885a
SHA256 14b06796f288bc6599e458fb23a944ab0c843e9868058f02a91d4606533505ed
SHA512 896caa053f48b1e4102e0f41a7d13d932a746eea69a894ae564ef5a84ef50890514deca6496e915aae40a500955220dbc1b1016fe0b8bcdde0ad81b2917dea8b

C:\Users\Admin\AppData\Local\Temp\onefile_4012_133633276554565758\vcruntime140.dll

MD5 f34eb034aa4a9735218686590cba2e8b
SHA1 2bc20acdcb201676b77a66fa7ec6b53fa2644713
SHA256 9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1
SHA512 d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_ssl.pyd

MD5 7910fb2af40e81bee211182cffec0a06
SHA1 251482ed44840b3c75426dd8e3280059d2ca06c6
SHA256 d2a7999e234e33828888ad455baa6ab101d90323579abc1095b8c42f0f723b6f
SHA512 bfe6506feb27a592fe9cf1db7d567d0d07f148ef1a2c969f1e4f7f29740c6bb8ccf946131e65fe5aa8ede371686c272b0860bd4c0c223195aaa1a44f59301b27

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libcrypto-1_1.dll

MD5 9d7a0c99256c50afd5b0560ba2548930
SHA1 76bd9f13597a46f5283aa35c30b53c21976d0824
SHA256 9b7b4a0ad212095a8c2e35c71694d8a1764cd72a829e8e17c8afe3a55f147939
SHA512 cb39aa99b9d98c735fdacf1c5ed68a4d09d11f30262b91f6aa48c3f8520eff95e499400d0ce7e280ca7a90ff6d7141d2d893ef0b33a8803a1cadb28ba9a9e3e2

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libssl-1_1.dll

MD5 bec0f86f9da765e2a02c9237259a7898
SHA1 3caa604c3fff88e71f489977e4293a488fb5671c
SHA256 d74ce01319ae6f54483a19375524aa39d9f5fd91f06cf7df238ca25e043130fd
SHA512 ffbc4e5ffdb49704e7aa6d74533e5af76bbe5db297713d8e59bd296143fe5f145fbb616b343eed3c48eceaccccc2431630470d8975a4a17c37eafcc12edd19f4

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_socket.pyd

MD5 819166054fec07efcd1062f13c2147ee
SHA1 93868ebcd6e013fda9cd96d8065a1d70a66a2a26
SHA256 e6deb751039cd5424a139708475ce83f9c042d43e650765a716cb4a924b07e4f
SHA512 da3a440c94cb99b8af7d2bc8f8f0631ae9c112bd04badf200edbf7ea0c48d012843b4a9fb9f1e6d3a9674fd3d4eb6f0fa78fd1121fad1f01f3b981028538b666

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\select.pyd

MD5 a653f35d05d2f6debc5d34daddd3dfa1
SHA1 1a2ceec28ea44388f412420425665c3781af2435
SHA256 db85f2f94d4994283e1055057372594538ae11020389d966e45607413851d9e9
SHA512 5aede99c3be25b1a962261b183ae7a7fb92cb0cb866065dc9cd7bb5ff6f41cc8813d2cc9de54670a27b3ad07a33b833eaa95a5b46dad7763ca97dfa0c1ce54c9

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_hashlib.pyd

MD5 d4674750c732f0db4c4dd6a83a9124fe
SHA1 fd8d76817abc847bb8359a7c268acada9d26bfd5
SHA256 caa4d2f8795e9a55e128409cc016e2cc5c694cb026d7058fc561e4dd131ed1c9
SHA512 97d57cfb80dd9dd822f2f30f836e13a52f771ee8485bc0fd29236882970f6bfbdfaac3f2e333bba5c25c20255e8c0f5ad82d8bc8a6b6e2f7a07ea94a9149c81e

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_bz2.pyd

MD5 86d1b2a9070cd7d52124126a357ff067
SHA1 18e30446fe51ced706f62c3544a8c8fdc08de503
SHA256 62173a8fadd4bf4dd71ab89ea718754aa31620244372f0c5bbbae102e641a60e
SHA512 7db4b7e0c518a02ae901f4b24e3860122acc67e38e73f98f993fe99eb20bb3aa539db1ed40e63d6021861b54f34a5f5a364907ffd7da182adea68bbdd5c2b535

C:\Users\Admin\AppData\Local\Temp\onefile_4012_133633276554565758\_lzma.pyd

MD5 7447efd8d71e8a1929be0fac722b42dc
SHA1 6080c1b84c2dcbf03dcc2d95306615ff5fce49a6
SHA256 60793c8592193cfbd00fd3e5263be4315d650ba4f9e4fda9c45a10642fd998be
SHA512 c6295d45ed6c4f7534c1a38d47ddc55fea8b9f62bbdc0743e4d22e8ad0484984f8ab077b73e683d0a92d11bf6588a1ae395456cfa57da94bb2a6c4a1b07984de

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\zstandard\backend_c.pyd

MD5 4652c4087b148d08adefedf55719308b
SHA1 30e06026fea94e5777c529b479470809025ffbe2
SHA256 003f439c27a532d6f3443706ccefac6be4152bebc1aa8bdf1c4adfc095d33795
SHA512 d4972c51ffbce63d2888ddfead2f616166b6f21a0c186ccf97a41c447c1fac6e848f464e4acde05bea5b24c73c5a03b834731f8807a54ee46ca8619b1d0c465d

C:\Users\Admin\AppData\Local\Temp\onefile_4012_133633276554565758\_queue.pyd

MD5 d8c1b81bbc125b6ad1f48a172181336e
SHA1 3ff1d8dcec04ce16e97e12263b9233fbf982340c
SHA256 925f05255f4aae0997dc4ec94d900fd15950fd840685d5b8aa755427c7422b14
SHA512 ccc9f0d3aca66729832f26be12f8e7021834bbee1f4a45da9451b1aa5c2e63126c0031d223af57cf71fad2c85860782a56d78d8339b35720194df139076e0772

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\charset_normalizer\md.pyd

MD5 f0027550d46509b0514cf2bf0cc162bc
SHA1 5b5a9fd863a216b2444ccbd51b1f451d6eca8179
SHA256 77300a458bb8dc0d4ff4d8bddb3289e90cb079418dbed3e20d2c9a445f39746e
SHA512 bb09b814dbe3e4361abbafec4768208c98a7f455ef311b653d61b0b6098197bdac43e74e2e3868e486819f147b8f7c442c76e5181cc5a7eb13b6e2c2e07bf9b7

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\charset_normalizer\md__mypyc.pyd

MD5 e9454a224d11e1bd68c7069b7f5f61a7
SHA1 793098653d93652415f8bace81434f6f4490cf1a
SHA256 711f292ace44576f5de4f592adebd9d21faf569357c289425251d8dce4fa84cc
SHA512 17d993a0c4b56219e8c224eb2bdea92d9cc4bd3809b0f9fa4cf0ddfdc5eab4371441d488ea851abf2f88c691d57a268d5cdcaa9d11d4dd091bc130638fe36460

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\unicodedata.pyd

MD5 81d62ad36cbddb4e57a91018f3c0816e
SHA1 fe4a4fc35df240b50db22b35824e4826059a807b
SHA256 1fb2d66c056f69e8bbdd8c6c910e72697874dae680264f8fb4b4df19af98aa2e
SHA512 7d15d741378e671591356dfaad4e1e03d3f5456cbdf87579b61d02a4a52ab9b6ecbffad3274cede8c876ea19eaeb8ba4372ad5986744d430a29f50b9caffb75d

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_asyncio.pyd

MD5 33d0b6de555ddbbbd5ca229bfa91c329
SHA1 03034826675ac93267ce0bf0eaec9c8499e3fe17
SHA256 a9a99a2b847e46c0efce7fcfefd27f4bce58baf9207277c17bffd09ef4d274e5
SHA512 dbbd1ddfa445e22a0170a628387fcf3cb95e6f8b09465d76595555c4a67da4274974ba7b348c4c81fe71c68d735c13aacb8063d3a964a8a0556fb000d68686b7

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_overlapped.pyd

MD5 fdf8663b99959031780583cce98e10f5
SHA1 6c0bafc48646841a91625d74d6b7d1d53656944d
SHA256 2ebbb0583259528a5178dd37439a64affcb1ab28cf323c6dc36a8c30362aa992
SHA512 a5371d6f6055b92ac119a3e3b52b21e2d17604e5a5ac241c008ec60d1db70b3ce4507d82a3c7ce580ed2eb7d83bb718f4edc2943d10cb1d377fa006f4d0026b6

C:\Users\Admin\AppData\Local\Temp\onefile_4012_133633276554565758\_uuid.pyd

MD5 b68c98113c8e7e83af56ba98ff3ac84a
SHA1 448938564559570b269e05e745d9c52ecda37154
SHA256 990586f2a2ba00d48b59bdd03d3c223b8e9fb7d7fab6d414bac2833eb1241ca2
SHA512 33c69199cba8e58e235b96684346e748a17cc7f03fc068cfa8a7ec7b5f9f6fa90d90b5cdb43285abf8b4108e71098d4e87fb0d06b28e2132357964b3eea3a4f8

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_ctypes.pyd

MD5 1635a0c5a72df5ae64072cbb0065aebe
SHA1 c975865208b3369e71e3464bbcc87b65718b2b1f
SHA256 1ea3dd3df393fa9b27bf6595be4ac859064cd8ef9908a12378a6021bba1cb177
SHA512 6e34346ea8a0aacc29ccd480035da66e280830a7f3d220fd2f12d4cfa3e1c03955d58c0b95c2674aea698a36a1b674325d3588483505874c2ce018135320ff99

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libffi-7.dll

MD5 eef7981412be8ea459064d3090f4b3aa
SHA1 c60da4830ce27afc234b3c3014c583f7f0a5a925
SHA256 f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081
SHA512 dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_sqlite3.pyd

MD5 5279d497eee4cf269d7b4059c72b14c2
SHA1 aff2f5de807ae03e599979a1a5c605fc4bad986e
SHA256 b298a44af162be7107fd187f04b63fb3827f1374594e22910ec38829da7a12dc
SHA512 20726fc5b46a6d07a3e58cdf1bed821db57ce2d9f5bee8cfd59fce779c8d5c4b517d3eb70cd2a0505e48e465d628a674d18030a909f5b73188d07cc80dcda925

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\sqlite3.dll

MD5 914925249a488bd62d16455d156bd30d
SHA1 7e66ba53f3512f81c9014d322fcb7dd895f62c55
SHA256 fbd8832b5bc7e5c9adcf7320c051a67ee1c33fd198105283058533d132785ab4
SHA512 21a468929b15b76b313b32be65cfc50cad8f03c3b2e9bf11ca3b02c88a0482b7bc15646ce40df7fb42fbc96bd12362a54cffe0563c4ddc3fc78622622c699186

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\win32crypt.pyd

MD5 acc2c2a7dd9ba8603ac192d886ff2ace
SHA1 eae213d0b86a7730161d8cc9568d91663948c638
SHA256 4805c4903e098f0ae3c3cbebd02b44df4d73ab19013784f49a223f501da3c853
SHA512 23b97707843d206833e7d4f0dfcad79a597de0867bab629026dd26bff9f1c640bb4cd1bc6bce7abe48353feac8c367e93ea7b15425d6ff8b1aea07a716f5e491

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\VCRUNTIME140_1.dll

MD5 135359d350f72ad4bf716b764d39e749
SHA1 2e59d9bbcce356f0fece56c9c4917a5cacec63d7
SHA256 34048abaa070ecc13b318cea31425f4ca3edd133d350318ac65259e6058c8b32
SHA512 cf23513d63ab2192c78cae98bd3fea67d933212b630be111fa7e03be3e92af38e247eb2d3804437fd0fda70fdc87916cd24cf1d3911e9f3bfb2cc4ab72b459ba

C:\Users\Admin\AppData\Local\Temp\onefile_4012_133633276554565758\pywintypes310.dll

MD5 ceb06a956b276cea73098d145fa64712
SHA1 6f0ba21f0325acc7cf6bf9f099d9a86470a786bf
SHA256 c8ec6429d243aef1f78969863be23d59273fa6303760a173ab36ab71d5676005
SHA512 05bab4a293e4c7efa85fa2491c32f299afd46fdb079dcb7ee2cc4c31024e01286daaf4aead5082fc1fd0d4169b2d1be589d1670fcf875b06c6f15f634e0c6f34

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\Crypto\Cipher\_raw_ecb.pyd

MD5 821aaa9a74b4ccb1f75bd38b13b76566
SHA1 907c8ee16f3a0c6e44df120460a7c675eb36f1dd
SHA256 614b4f9a02d0191c3994205ac2c58571c0af9b71853be47fcf3cb3f9bc1d7f54
SHA512 9d2ef8f1a2d3a7374ff0cdb38d4a93b06d1db4219bae06d57a075ee3dff5f7d6f890084dd51a972ac7572008f73fde7f5152ce5844d1a19569e5a9a439c4532b

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\Crypto\Cipher\_raw_cbc.pyd

MD5 ff2c1c4a7ae46c12eb3963f508dad30f
SHA1 4d759c143f78a4fe1576238587230acdf68d9c8c
SHA256 73cf4155df136db24c2240e8db0c76bedcbb721e910558512d6008adaf7eed50
SHA512 453ef9eed028ae172d4b76b25279ad56f59291be19eb918de40db703ec31cddf60dce2e40003dfd1ea20ec37e03df9ef049f0a004486cc23db8c5a6b6a860e7b

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\Crypto\Cipher\_raw_cfb.pyd

MD5 fe489576d8950611c13e6cd1d682bc3d
SHA1 2411d99230ef47d9e2e10e97bdea9c08a74f19af
SHA256 bb79a502eca26d3418b49a47050fb4015fdb24bee97ce56cdd070d0fceb96ccd
SHA512 0f605a1331624d3e99cfdc04b60948308e834aa784c5b7169986eefbce4791faa148325c1f1a09624c1a1340e0e8cf82647780ffe7b3e201fdc2b60bcfd05e09

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\Crypto\Cipher\_raw_ofb.pyd

MD5 619fb21dbeaf66bf7d1b61f6eb94b8c5
SHA1 7dd87080b4ed0cba070bb039d1bdeb0a07769047
SHA256 a2afe994f8f2e847951e40485299e88718235fbefb17fccca7ace54cc6444c46
SHA512 ee3dbd00d6529fcfcd623227973ea248ac93f9095430b9dc4e3257b6dc002b614d7ce4f3daab3e02ef675502afdbe28862c14e30632e3c715c434440615c4dd4

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\Crypto\Cipher\_raw_ctr.pyd

MD5 a33ac93007ab673cb2780074d30f03bd
SHA1 b79fcf833634e6802a92359d38fbdcf6d49d42b0
SHA256 4452cf380a07919b87f39bc60768bcc4187b6910b24869dbd066f2149e04de47
SHA512 5d8bdca2432cdc5a76a3115af938cc76cf1f376b070a7fd1bcbf58a7848d4f56604c5c14036012027c33cc45f71d5430b5abbfbb2d4adaf5c115ddbd1603ab86

memory/3240-138-0x00007FF66FE60000-0x00007FF670B0A000-memory.dmp

memory/1628-136-0x00007FF66FE60000-0x00007FF670B0A000-memory.dmp

memory/3496-135-0x00007FF66FE60000-0x00007FF670B0A000-memory.dmp

memory/2540-137-0x00007FF66FE60000-0x00007FF670B0A000-memory.dmp

memory/4536-139-0x00007FF66FE60000-0x00007FF670B0A000-memory.dmp

memory/4072-151-0x00007FF66FE60000-0x00007FF670B0A000-memory.dmp

memory/1908-154-0x00007FF66FE60000-0x00007FF670B0A000-memory.dmp

memory/2176-153-0x00007FF66FE60000-0x00007FF670B0A000-memory.dmp

memory/1096-152-0x00007FF66FE60000-0x00007FF670B0A000-memory.dmp

memory/2312-150-0x00007FF66FE60000-0x00007FF670B0A000-memory.dmp

memory/4012-155-0x00007FF673D10000-0x00007FF6745A2000-memory.dmp

memory/3688-156-0x00007FF66FE60000-0x00007FF670B0A000-memory.dmp

memory/3688-160-0x00007FF66FE60000-0x00007FF670B0A000-memory.dmp

memory/3688-163-0x00007FF66FE60000-0x00007FF670B0A000-memory.dmp

memory/3688-168-0x00007FF66FE60000-0x00007FF670B0A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\archive1.zip

MD5 6a2126b41b89eae22c7c70ff09cdbd28
SHA1 03ddab8c1b3ec3f311f8a7b7cff5f2af73a8f1dc
SHA256 023fb57d195364113e23db52daba33913807197ca8e60f54752ace7b8a34ff7a
SHA512 59f63d9700df62663f3730efb1d27f1af8138780dce1082192c46295c0702687cede30d7a9987c688b9c91431fbdb0f624182d536a15a1fdfab6b0c6ba26ca57

memory/3688-171-0x00007FF66FE60000-0x00007FF670B0A000-memory.dmp

memory/3688-174-0x00007FF66FE60000-0x00007FF670B0A000-memory.dmp

memory/3688-175-0x00007FF66FE60000-0x00007FF670B0A000-memory.dmp

memory/4012-181-0x00007FF673D10000-0x00007FF6745A2000-memory.dmp