c120fc93ef0d8bbd082f5aa995c8338a656f8757de536d547ba4efb960870384

Analysis

max time kernel
131s
max time network
138s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
15/07/2024, 21:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

free-fp-shop-external.exe
Size

58.9MB
MD5

fe097b48d737ede523bb82abbde9cecf
SHA1

539cdf8b31830cbe7c44c5da082f09507b85ce51
SHA256

c120fc93ef0d8bbd082f5aa995c8338a656f8757de536d547ba4efb960870384
SHA512

ebefc6a4ad3abf2170ef01cbb47b065c1c8316be350a0ed6eddace9bee139e2cee85d86ea1615bbc559cb7b1acb0419a63c477d013e679da855fe9fffc458ef0
SSDEEP

786432:eW5927QqMoknvNpA+vIlo0FdGgCdb2eUc5w+KvIFVOjXESWqE5SezRBtcy2SFsEJ:nMQqMrlpA+Ql4JdtsvIFVO8qQZWy4E

Score

8^/10

execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
956	powershell.exe
2320	powershell.exe
2748	powershell.exe

Loads dropped DLL 57 IoCs

pid	Process
5036	free-fp-shop-external.exe
5036	free-fp-shop-external.exe
5036	free-fp-shop-external.exe
5036	free-fp-shop-external.exe
5036	free-fp-shop-external.exe
5036	free-fp-shop-external.exe
5036	free-fp-shop-external.exe
5036	free-fp-shop-external.exe
5036	free-fp-shop-external.exe
5036	free-fp-shop-external.exe
5036	free-fp-shop-external.exe
5036	free-fp-shop-external.exe
5036	free-fp-shop-external.exe
5036	free-fp-shop-external.exe
5036	free-fp-shop-external.exe
5036	free-fp-shop-external.exe
5036	free-fp-shop-external.exe
5036	free-fp-shop-external.exe
5036	free-fp-shop-external.exe
5036	free-fp-shop-external.exe
5036	free-fp-shop-external.exe
5036	free-fp-shop-external.exe
5036	free-fp-shop-external.exe
5036	free-fp-shop-external.exe
5036	free-fp-shop-external.exe
5036	free-fp-shop-external.exe
5036	free-fp-shop-external.exe
5036	free-fp-shop-external.exe
5036	free-fp-shop-external.exe
5036	free-fp-shop-external.exe
5036	free-fp-shop-external.exe
5036	free-fp-shop-external.exe
5036	free-fp-shop-external.exe
5036	free-fp-shop-external.exe
5036	free-fp-shop-external.exe
5036	free-fp-shop-external.exe
5036	free-fp-shop-external.exe
5036	free-fp-shop-external.exe
5036	free-fp-shop-external.exe
5036	free-fp-shop-external.exe
5036	free-fp-shop-external.exe
5036	free-fp-shop-external.exe
5036	free-fp-shop-external.exe
5036	free-fp-shop-external.exe
5036	free-fp-shop-external.exe
5036	free-fp-shop-external.exe
5036	free-fp-shop-external.exe
5036	free-fp-shop-external.exe
5036	free-fp-shop-external.exe
5036	free-fp-shop-external.exe
5036	free-fp-shop-external.exe
5036	free-fp-shop-external.exe
5036	free-fp-shop-external.exe
5036	free-fp-shop-external.exe
5036	free-fp-shop-external.exe
5036	free-fp-shop-external.exe
5036	free-fp-shop-external.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000700000001b02c-724.dat	upx
behavioral1/memory/5036-728-0x00007FF872770000-0x00007FF872E34000-memory.dmp	upx
behavioral1/files/0x000700000001ac2f-730.dat	upx
behavioral1/memory/5036-736-0x00007FF873880000-0x00007FF8738A5000-memory.dmp	upx
behavioral1/files/0x000700000001ac66-735.dat	upx
behavioral1/memory/5036-738-0x00007FF876880000-0x00007FF87688F000-memory.dmp	upx
behavioral1/files/0x000700000001ac2d-739.dat	upx
behavioral1/files/0x000700000001ac32-741.dat	upx
behavioral1/files/0x000700000001ac65-743.dat	upx
behavioral1/files/0x000700000001ac35-757.dat	upx
behavioral1/files/0x000700000001b02a-746.dat	upx
behavioral1/files/0x000700000001ac36-768.dat	upx
behavioral1/files/0x000700000001ac31-771.dat	upx
behavioral1/memory/5036-778-0x00007FF8726E0000-0x00007FF8726F4000-memory.dmp	upx
behavioral1/memory/5036-783-0x00007FF8726A0000-0x00007FF8726D3000-memory.dmp	upx
behavioral1/memory/5036-782-0x00007FF8725D0000-0x00007FF87269D000-memory.dmp	upx
behavioral1/memory/5036-781-0x00007FF8621A0000-0x00007FF8626C9000-memory.dmp	upx
behavioral1/files/0x000700000001ac67-780.dat	upx
behavioral1/files/0x000700000001ac38-779.dat	upx
behavioral1/memory/5036-777-0x00007FF872700000-0x00007FF87270D000-memory.dmp	upx
behavioral1/memory/5036-776-0x00007FF873810000-0x00007FF87381D000-memory.dmp	upx
behavioral1/memory/5036-775-0x00007FF872710000-0x00007FF872729000-memory.dmp	upx
behavioral1/memory/5036-774-0x00007FF872730000-0x00007FF872766000-memory.dmp	upx
behavioral1/memory/5036-773-0x00007FF875A30000-0x00007FF875A3F000-memory.dmp	upx
behavioral1/files/0x000700000001b02f-769.dat	upx
behavioral1/files/0x000700000001ac3a-765.dat	upx
behavioral1/memory/5036-764-0x00007FF873830000-0x00007FF87385D000-memory.dmp	upx
behavioral1/memory/5036-763-0x00007FF873860000-0x00007FF87387A000-memory.dmp	upx
behavioral1/files/0x000700000001ac37-759.dat	upx
behavioral1/files/0x000700000001ac34-756.dat	upx
behavioral1/files/0x000700000001ac33-755.dat	upx
behavioral1/files/0x000700000001ac30-753.dat	upx
behavioral1/files/0x000700000001ac2e-752.dat	upx
behavioral1/files/0x000700000001ac2c-751.dat	upx
behavioral1/files/0x000700000001b031-749.dat	upx
behavioral1/files/0x000700000001b030-748.dat	upx
behavioral1/memory/5036-787-0x00007FF872330000-0x00007FF872342000-memory.dmp	upx
behavioral1/memory/5036-786-0x00007FF872350000-0x00007FF872366000-memory.dmp	upx
behavioral1/memory/5036-789-0x00007FF870D50000-0x00007FF870E6B000-memory.dmp	upx
behavioral1/files/0x000700000001b038-790.dat	upx
behavioral1/files/0x000700000001ac41-796.dat	upx
behavioral1/files/0x000700000001ac40-794.dat	upx
behavioral1/memory/5036-792-0x00007FF8722A0000-0x00007FF872327000-memory.dmp	upx
behavioral1/memory/5036-799-0x00007FF872260000-0x00007FF872287000-memory.dmp	upx
behavioral1/memory/5036-798-0x00007FF872290000-0x00007FF87229B000-memory.dmp	upx
behavioral1/files/0x000700000001ac8a-801.dat	upx
behavioral1/memory/5036-809-0x00007FF873880000-0x00007FF8738A5000-memory.dmp	upx
behavioral1/memory/5036-808-0x00007FF870CD0000-0x00007FF870CF4000-memory.dmp	upx
behavioral1/memory/5036-807-0x00007FF86D1E0000-0x00007FF86D35F000-memory.dmp	upx
behavioral1/memory/5036-806-0x00007FF872230000-0x00007FF872248000-memory.dmp	upx
behavioral1/memory/5036-805-0x00007FF872770000-0x00007FF872E34000-memory.dmp	upx
behavioral1/files/0x000700000001abff-812.dat	upx
behavioral1/memory/5036-819-0x00007FF8701D0000-0x00007FF8701DC000-memory.dmp	upx
behavioral1/memory/5036-818-0x00007FF8701E0000-0x00007FF8701EB000-memory.dmp	upx
behavioral1/memory/5036-817-0x00007FF8701F0000-0x00007FF8701FC000-memory.dmp	upx
behavioral1/memory/5036-816-0x00007FF870200000-0x00007FF87020B000-memory.dmp	upx
behavioral1/memory/5036-815-0x00007FF870CA0000-0x00007FF870CAC000-memory.dmp	upx
behavioral1/memory/5036-814-0x00007FF870CB0000-0x00007FF870CBB000-memory.dmp	upx
behavioral1/memory/5036-813-0x00007FF870CC0000-0x00007FF870CCB000-memory.dmp	upx
behavioral1/files/0x000700000001ac04-811.dat	upx
behavioral1/memory/5036-833-0x00007FF86EA20000-0x00007FF86EA3C000-memory.dmp	upx
behavioral1/memory/5036-832-0x00007FF86EAD0000-0x00007FF86EADB000-memory.dmp	upx
behavioral1/memory/5036-834-0x00007FF861DB0000-0x00007FF862195000-memory.dmp	upx
behavioral1/memory/5036-831-0x00007FF86E2F0000-0x00007FF86E31E000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
8	discord.com
9	discord.com
14	discord.com
15	discord.com
3	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
12	ip-api.com

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\4183903823\2290032291.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\1601268389\715946058.pri	taskmgr.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4612	WMIC.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1988	PING.EXE

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
5036	free-fp-shop-external.exe
5036	free-fp-shop-external.exe
5036	free-fp-shop-external.exe
5036	free-fp-shop-external.exe
3376	powershell.exe
3376	powershell.exe
5036	free-fp-shop-external.exe
5036	free-fp-shop-external.exe
3376	powershell.exe
956	powershell.exe
956	powershell.exe
956	powershell.exe
2320	powershell.exe
2320	powershell.exe
2320	powershell.exe
2748	powershell.exe
2748	powershell.exe
2748	powershell.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5036	free-fp-shop-external.exe
Token: SeDebugPrivilege	3376	powershell.exe
Token: SeDebugPrivilege	956	powershell.exe
Token: SeIncreaseQuotaPrivilege	956	powershell.exe
Token: SeSecurityPrivilege	956	powershell.exe
Token: SeTakeOwnershipPrivilege	956	powershell.exe
Token: SeLoadDriverPrivilege	956	powershell.exe
Token: SeSystemProfilePrivilege	956	powershell.exe
Token: SeSystemtimePrivilege	956	powershell.exe
Token: SeProfSingleProcessPrivilege	956	powershell.exe
Token: SeIncBasePriorityPrivilege	956	powershell.exe
Token: SeCreatePagefilePrivilege	956	powershell.exe
Token: SeBackupPrivilege	956	powershell.exe
Token: SeRestorePrivilege	956	powershell.exe
Token: SeShutdownPrivilege	956	powershell.exe
Token: SeDebugPrivilege	956	powershell.exe
Token: SeSystemEnvironmentPrivilege	956	powershell.exe
Token: SeRemoteShutdownPrivilege	956	powershell.exe
Token: SeUndockPrivilege	956	powershell.exe
Token: SeManageVolumePrivilege	956	powershell.exe
Token: 33	956	powershell.exe
Token: 34	956	powershell.exe
Token: 35	956	powershell.exe
Token: 36	956	powershell.exe
Token: SeDebugPrivilege	2320	powershell.exe
Token: SeIncreaseQuotaPrivilege	2320	powershell.exe
Token: SeSecurityPrivilege	2320	powershell.exe
Token: SeTakeOwnershipPrivilege	2320	powershell.exe
Token: SeLoadDriverPrivilege	2320	powershell.exe
Token: SeSystemProfilePrivilege	2320	powershell.exe
Token: SeSystemtimePrivilege	2320	powershell.exe
Token: SeProfSingleProcessPrivilege	2320	powershell.exe
Token: SeIncBasePriorityPrivilege	2320	powershell.exe
Token: SeCreatePagefilePrivilege	2320	powershell.exe
Token: SeBackupPrivilege	2320	powershell.exe
Token: SeRestorePrivilege	2320	powershell.exe
Token: SeShutdownPrivilege	2320	powershell.exe
Token: SeDebugPrivilege	2320	powershell.exe
Token: SeSystemEnvironmentPrivilege	2320	powershell.exe
Token: SeRemoteShutdownPrivilege	2320	powershell.exe
Token: SeUndockPrivilege	2320	powershell.exe
Token: SeManageVolumePrivilege	2320	powershell.exe
Token: 33	2320	powershell.exe
Token: 34	2320	powershell.exe
Token: 35	2320	powershell.exe
Token: 36	2320	powershell.exe
Token: SeDebugPrivilege	2748	powershell.exe
Token: SeIncreaseQuotaPrivilege	2748	powershell.exe
Token: SeSecurityPrivilege	2748	powershell.exe
Token: SeTakeOwnershipPrivilege	2748	powershell.exe
Token: SeLoadDriverPrivilege	2748	powershell.exe
Token: SeSystemProfilePrivilege	2748	powershell.exe
Token: SeSystemtimePrivilege	2748	powershell.exe
Token: SeProfSingleProcessPrivilege	2748	powershell.exe
Token: SeIncBasePriorityPrivilege	2748	powershell.exe
Token: SeCreatePagefilePrivilege	2748	powershell.exe
Token: SeBackupPrivilege	2748	powershell.exe
Token: SeRestorePrivilege	2748	powershell.exe
Token: SeShutdownPrivilege	2748	powershell.exe
Token: SeDebugPrivilege	2748	powershell.exe
Token: SeSystemEnvironmentPrivilege	2748	powershell.exe
Token: SeRemoteShutdownPrivilege	2748	powershell.exe
Token: SeUndockPrivilege	2748	powershell.exe
Token: SeManageVolumePrivilege	2748	powershell.exe

Suspicious use of FindShellTrayWindow 38 IoCs

pid	Process
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe

Suspicious use of SendNotifyMessage 38 IoCs

pid	Process
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 1016 wrote to memory of 5036	1016	free-fp-shop-external.exe	73
PID 1016 wrote to memory of 5036	1016	free-fp-shop-external.exe	73
PID 5036 wrote to memory of 1420	5036	free-fp-shop-external.exe	75
PID 5036 wrote to memory of 1420	5036	free-fp-shop-external.exe	75
PID 5036 wrote to memory of 3832	5036	free-fp-shop-external.exe	77
PID 5036 wrote to memory of 3832	5036	free-fp-shop-external.exe	77
PID 1420 wrote to memory of 3376	1420	cmd.exe	79
PID 1420 wrote to memory of 3376	1420	cmd.exe	79
PID 5036 wrote to memory of 1108	5036	free-fp-shop-external.exe	80
PID 5036 wrote to memory of 1108	5036	free-fp-shop-external.exe	80
PID 1108 wrote to memory of 956	1108	cmd.exe	82
PID 1108 wrote to memory of 956	1108	cmd.exe	82
PID 1108 wrote to memory of 2320	1108	cmd.exe	84
PID 1108 wrote to memory of 2320	1108	cmd.exe	84
PID 1108 wrote to memory of 2748	1108	cmd.exe	85
PID 1108 wrote to memory of 2748	1108	cmd.exe	85
PID 5036 wrote to memory of 5000	5036	free-fp-shop-external.exe	87
PID 5036 wrote to memory of 5000	5036	free-fp-shop-external.exe	87
PID 5000 wrote to memory of 2496	5000	cmd.exe	89
PID 5000 wrote to memory of 2496	5000	cmd.exe	89
PID 5036 wrote to memory of 2328	5036	free-fp-shop-external.exe	90
PID 5036 wrote to memory of 2328	5036	free-fp-shop-external.exe	90
PID 5036 wrote to memory of 2932	5036	free-fp-shop-external.exe	92
PID 5036 wrote to memory of 2932	5036	free-fp-shop-external.exe	92
PID 2932 wrote to memory of 4612	2932	cmd.exe	94
PID 2932 wrote to memory of 4612	2932	cmd.exe	94
PID 5036 wrote to memory of 4756	5036	free-fp-shop-external.exe	95
PID 5036 wrote to memory of 4756	5036	free-fp-shop-external.exe	95
PID 4756 wrote to memory of 692	4756	cmd.exe	97
PID 4756 wrote to memory of 692	4756	cmd.exe	97
PID 5036 wrote to memory of 2488	5036	free-fp-shop-external.exe	98
PID 5036 wrote to memory of 2488	5036	free-fp-shop-external.exe	98
PID 2488 wrote to memory of 1396	2488	cmd.exe	100
PID 2488 wrote to memory of 1396	2488	cmd.exe	100
PID 5036 wrote to memory of 4144	5036	free-fp-shop-external.exe	101
PID 5036 wrote to memory of 4144	5036	free-fp-shop-external.exe	101
PID 4144 wrote to memory of 4132	4144	cmd.exe	103
PID 4144 wrote to memory of 4132	4144	cmd.exe	103
PID 5036 wrote to memory of 2064	5036	free-fp-shop-external.exe	104
PID 5036 wrote to memory of 2064	5036	free-fp-shop-external.exe	104
PID 2064 wrote to memory of 5092	2064	cmd.exe	106
PID 2064 wrote to memory of 5092	2064	cmd.exe	106
PID 5036 wrote to memory of 4224	5036	free-fp-shop-external.exe	107
PID 5036 wrote to memory of 4224	5036	free-fp-shop-external.exe	107
PID 4224 wrote to memory of 1988	4224	cmd.exe	109
PID 4224 wrote to memory of 1988	4224	cmd.exe	109

C:\Users\Admin\AppData\Local\Temp\free-fp-shop-external.exe
"C:\Users\Admin\AppData\Local\Temp\free-fp-shop-external.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1016
- C:\Users\Admin\AppData\Local\Temp\free-fp-shop-external.exe
  "C:\Users\Admin\AppData\Local\Temp\free-fp-shop-external.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5036
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1420
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3376
- - C:\Windows\SYSTEM32\netsh.exe
    netsh wlan show profiles
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:3832
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\AppData" & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\Local" & powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe','.py'""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1108
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\AppData"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:956
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\Local"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2320
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe','.py'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2748
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5000
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:2496
- - C:\Windows\System32\Wbem\wmic.exe
    wmic cpu get Name
    3⤵
    PID:2328
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2932
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:4612
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4756
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:692
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2488
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid
      4⤵
      PID:1396
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path softwarelicensingservice get OA3xOriginalProductKey"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4144
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path softwarelicensingservice get OA3xOriginalProductKey
      4⤵
      PID:4132
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2064
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      PID:5092
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\free-fp-shop-external.exe""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4224
  - - C:\Windows\system32\PING.EXE
      ping localhost -n 3
      4⤵
      Runs ping.exe
      PID:1988

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\J1qMJpqQhK\Common Files\Are.docx

Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\Users\Admin\AppData\Local\Temp\J1qMJpqQhK\Common Files\AssertRestore.rtf

Filesize
1.2MB

MD5
ef2f868476ff59a66b9ebb1d11552b4b

SHA1
d0631c8bdc13abf964eb233e4073bb2ddcb5c2f8

SHA256
0ba5df1f7daba24488ca30da4621aa8f2bf7b5c2d522aeff693c9a797e13b0e4

SHA512
4e78553767f97cbf417583400fa84a95d9c1ed517bb43692b452d74ef24ac5fdb5c3bebfbd764a07c2241ce65a6eaa00ddd9928dbdc77d2ef592b22ac626aa6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\J1qMJpqQhK\Common Files\BlockBackup.vstx

Filesize
826KB

MD5
24fc61bfeeeeb3af02ff6cf3470983fe

SHA1
0e3af3afd17a5fe871c4fe22aec0d96abf8bd86d

SHA256
55bf26755cdfa3cf3759d3987cb76d5cfb9cb0d93878ad9575c130bf7bb68ccd

SHA512
23dbf03880b72ffedac2353ebdc480d9fa0da36732b01af7d67c3cbc28c9c4c2fb8ac51be203235a985a06616a41b39b651544baf19791103cbb047098abe8ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\J1qMJpqQhK\Common Files\ClearOptimize.docx

Filesize
1000KB

MD5
df8d5ca42e7f24fd9cfc03e48e5c146f

SHA1
9f34a0d94596c1a8bdb2e85f25a87e8d52699f55

SHA256
8c22a94bb447ba568ba8d2b2582dba59916d77e61881da45012538fe1c3686f9

SHA512
75a24dc64aa54db514f6838164632f21ab9121dbf11f93b26af5adf49801e52122e8124dc6901d39c5590bc3c21428a1c8b47f6f026f4f47f41515661de64d97

Download Submit
C:\Users\Admin\AppData\Local\Temp\J1qMJpqQhK\Common Files\Files.docx

Filesize
11KB

MD5
4a8fbd593a733fc669169d614021185b

SHA1
166e66575715d4c52bcb471c09bdbc5a9bb2f615

SHA256
714cd32f8edacb3befbfc4b17db5b6eb05c2c8936e3bae14ea25a6050d88ae42

SHA512
6b2ebbbc34cd821fd9b3d7711d9cdadd8736412227e191883e5df19068f8118b7c80248eb61cc0a2f785a4153871a6003d79de934254b2c74c33b284c507a33b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10162\Cryptodome\Cipher\_raw_cbc.pyd

Filesize
10KB

MD5
d9f0780e8df9e0adb12d1c4c39d6c9be

SHA1
2335d8d81c1a65d4f537553d66b70d37bc9a55b6

SHA256
e91c6bba58cf9dd76cb573f787c76f1da4481f4cbcdf5da3899cce4d3754bbe7

SHA512
7785aadb25cffdb736ce5f9ae4ca2d97b634bc969a0b0cb14815afaff4398a529a5f86327102b8005ace30c0d196b2c221384a54d7db040c08f0a01de3621d42

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10162\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10162\_asyncio.pyd

Filesize
37KB

MD5
6880e3d5872fefa9810753e181cf3033

SHA1
e875467792bbe3c4117040f6cf935a7a60a21d55

SHA256
c7000207e8c406f3a18b006649248906963834ff901c7b8b9f627d534e31575b

SHA512
f501bfe8300b20a621d587d9a86e1228ab90da5f4cab8ed47a2822617ca5eeaf66691756228745ff24084ba481f6b3eedcddfc4a4869cd56334e8ca53a92148d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10162\_bz2.pyd

Filesize
48KB

MD5
ab542da47a7745a2f588ca78d41734e0

SHA1
d8f1601548510333e35199e3b6bb4eaf994ca9ae

SHA256
4aba601dd528a85dad5975daf6aa394002c8a38582e4abb05a89684f52130084

SHA512
d80228ae846c562e08b08b92796e871e546760cd8ed92cbbe526675947ea2a5524ff4a93210e820c9f646912db24ff112ed2a354fc018a53a5161934c7fbd0f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10162\_cffi_backend.cp312-win_amd64.pyd

Filesize
71KB

MD5
5225e3fc11136d4ad314367fa911a8b1

SHA1
c2cfb71d867e59f29d394131e0e6c8a2e71dee32

SHA256
08005b24e71411fc4acdb312a4558339595b1d12c6917f8d50c6166a9f122abe

SHA512
87bdeacaca87dc465de92fe8dda425560c5e6e149883113f4541f2d5ecc59f57523cde41ad48fa0081f820678182648afbf73839c249fe3f7d493dcf94e76248

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10162\_ctypes.pyd

Filesize
59KB

MD5
fc609234e81821c069d54a7c8d4a7e05

SHA1
9aef96aa0276feb2df28ce0abf4ec1f2f766d011

SHA256
506cdca8f4cc4754a78edac3be230a5ec7ca4a0d61ef08fe0accab4080b2c69e

SHA512
bea687c1a9ed32db6c99be1c8689ac9e498f0ffce74c0c66c6c7653d58b6ee90e50df66c8a48b49854d47142fa9a930047f4828651193f7a500ae7fbc1882d2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10162\_decimal.pyd

Filesize
107KB

MD5
e3245ba10c125de02593c0a67669ab17

SHA1
6b846b98ee8f663aa39d3c6c960df8bc84d82193

SHA256
306cc1df8631d632e9831d6a710c8776784c4655b107424290338c385e743026

SHA512
26c4d7280a93dc004b0a92689c43b9bcb6c0afa282d24581051fd18d0037499c2c77431636ca20a9225af002f254526cf66ff466b3b7fad0d73b8096ce1594fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10162\_lzma.pyd

Filesize
86KB

MD5
ed15089e3c0c1b2ab5b73354abf0087b

SHA1
f51ade203d249e27ebf9ae2159220fabdb8726c0

SHA256
02fe60ad99452d53294514e8c6b8d95d79cc013742e3a4cd74b36601fc3fb09b

SHA512
a9f869b2988057c37d14ee56495ecbf2ec688517203a7e2d1bc1488f4d37c6e3d3fb6fb439442c86679a9cebbbd5b2e7b11d42f64bdbce7212b6411cd27073ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10162\_multiprocessing.pyd

Filesize
27KB

MD5
a2de86f88aad5c050f86d258b1f05617

SHA1
11824bbb09e5ee9865cadcbbfda1e0664c6d98ff

SHA256
f10fc80b19740eceb7fdce89c30d6670c9af7ed600fa7f881d27b8b5a054495f

SHA512
3662a8e6afa6b385a3e2682a49b0ae57f0f2aefc029eaaf841a228ec76c0f79c4e963b6f22eb345f4cad72b35bd72576a79a282d9816cf9b37b762773c10a80b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10162\_overlapped.pyd

Filesize
33KB

MD5
d2b3134bae2e401e1753aac8b9ca577e

SHA1
3b4c4fe61c724a6bc4ee423ee7a1efb007a1f515

SHA256
2386cf6ceaef4c6aa13974f913d6b3e6cde3b48e2fbb73f5c63ae6fe4384836f

SHA512
215609827121d9da6fa0bc884bd388391c46a799c22d54762775d591d9ae5e6bbce70011bc5f5237b6e526b79416c00f5daa8fc6baf70450ce37ced17fafa1f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10162\_queue.pyd

Filesize
26KB

MD5
6cff25f6eb2872a07d52591cffe97ed7

SHA1
1e51fc338bcf4e868a827c8dd2d3573a60ec9a73

SHA256
b58694a5585645827ce1f0aa285e176e9328584917a36434132fd71c3f017d8d

SHA512
e847437f88dfd473272ed89f06fc9939c2e58e71f309275afa89599b4d79365459f763815660499be69b93b2440f3ed0dec88192d7d5b2be6ac2b79009a6442a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10162\_sqlite3.pyd

Filesize
57KB

MD5
435b49a7f84e7fbe0c6681932de37179

SHA1
a8a285579de10dacbfd053735c6f0ab930fe0fe2

SHA256
5321e5c26a9bcaebb58f11241121bd0d1e45f98dcfbb4d8457eae42f17b8328a

SHA512
13d7d7120a7a150d789b92964acbe6d2ea7ebb130d6cb1833456ea1cdd6654cdd1d8841165296b3f077935dbaec4a37ca7e45c395c0b72d9b6dc970dbb76136a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10162\_uuid.pyd

Filesize
25KB

MD5
50521b577719195d7618a23b3103d8aa

SHA1
7020d2e107000eaf0eddde74bc3809df2c638e22

SHA256
acbf831004fb8b8d5340fe5debd9814c49bd282dd765c78faeb6bb5116288c78

SHA512
4ee950da8bbbd36932b488ec62fa046ac8fc35783a146edadbe063b8419a63d4dfb5bbd8c45e9e008fe708e6fc4a1fee1202fce92ffc95320547ba714fed95e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10162\base_library.zip

Filesize
1.3MB

MD5
55df3c98d18ec80bc37a6682ba0abcbb

SHA1
e3bf60cfecfee2473d4e0b07057af3c27afa6567

SHA256
d8de678c0ac0cecb7be261bda75511c47e6a565f0c6260eacf240c7c5039753b

SHA512
26368c9187155ee83c450bfc792938a2908c473ba60330ce95bcc3f780390043879bbff3949bd4a25b38343eac3c5c9ba709267959109c9c99a229809c97f3bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10162\certifi\cacert.pem

Filesize
284KB

MD5
181ac9a809b1a8f1bc39c1c5c777cf2a

SHA1
9341e715cea2e6207329e7034365749fca1f37dc

SHA256
488ba960602bf07cc63f4ef7aec108692fec41820fc3328a8e3f3de038149aee

SHA512
e19a92b94aedcf1282b3ef561bd471ea19ed361334092c55d72425f9183ebd1d30a619e493841b6f75c629f26f28dc682960977941b486c59475f21cf86fff85

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10162\libcrypto-3.dll

Filesize
1.6MB

MD5
63eb76eccfe70cff3a3935c0f7e8ba0f

SHA1
a8dd05dce28b79047e18633aee5f7e68b2f89a36

SHA256
785c8dde9803f8e1b279895c4e598a57dc7b01e0b1a914764fcedef0d7928b4e

SHA512
8da31fa77ead8711c0c6ffedcef6314f29d02a95411c6aacec626e150f329a5b96e9fdeae8d1a5e24d1ca5384ae2f0939a5cc0d58eb8bdbc5f00e62736dcc322

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10162\libffi-8.dll

Filesize
29KB

MD5
be8ceb4f7cb0782322f0eb52bc217797

SHA1
280a7cc8d297697f7f818e4274a7edd3b53f1e4d

SHA256
7d08df2c496c32281bf9a010b62e8898b9743db8b95a7ebee12d746c2e95d676

SHA512
07318c71c3137114e0cfec7d8b4815fd6efa51ce70b377121f26dc469cefe041d5098e1c92af8ed0c53b21e9c845fddee4d6646d5bd8395a3f1370ba56a59571

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10162\luna.aes

Filesize
4.5MB

MD5
322391e83c91299dece0e3b24ab33e50

SHA1
bcde261232e26c7ba564533864e093c10f521dc2

SHA256
11303b6aa0d180d6cb1d5c4c17ad2ffe1956429c2c350e674dfd2ca5781424bb

SHA512
437014db2fe7de14d7c2498f03481c3a715f21304d9dfe997121c1ba5147d72c5381fc92cac9ff8d1821b0dd1e14c9fd82c15809e52248adced4b37f689137eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10162\psutil\_psutil_windows.pyd

Filesize
31KB

MD5
3adca2ff39adeb3567b73a4ca6d0253c

SHA1
ae35dde2348c8490f484d1afd0648380090e74fc

SHA256
92202b877579b74a87be769d58f9d1e8aced8a97336ad70e97d09685a10afeb3

SHA512
358d109b23cf99eb7396c450660f193e9e16f85f13737ecf29f4369b44f8356041a08443d157b325ccb5125a5f10410659761eda55f24fcc03a082ac8acdd345

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10162\pyexpat.pyd

Filesize
88KB

MD5
7291100352b163626455abf2252f2a96

SHA1
3c4d13bbf5fb69fe6f2af70f675ed2e437cea893

SHA256
01974148486d569e9f1ad62d36d4d54b5396b07c853bd50f358d5580fde331f4

SHA512
fc384703828bb7a38b51dcf1a131b49283808b5658395e1d1c5ee9a204f895da0c29b12a7b1fc9aa468babc5d6f03be638fecf519e41911bf015a481f95458bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10162\python3.DLL

Filesize
66KB

MD5
a07661c5fad97379cf6d00332999d22c

SHA1
dca65816a049b3cce5c4354c3819fef54c6299b0

SHA256
5146005c36455e7ede4b8ecc0dc6f6fa8ea6b4a99fedbabc1994ae27dfab9d1b

SHA512
6ddeb9d89ccb4d2ec5d994d85a55e5e2cc7af745056dae030ab8d72ee7830f672003f4675b6040f123fc64c19e9b48cabd0da78101774dafacf74a88fbd74b4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10162\python312.dll

Filesize
1.7MB

MD5
8f165bfadf970edafd59067ad45a3952

SHA1
16c1876f2233087156b49db35d4d935c6e17be6a

SHA256
22470af77229d53d9141823c12780db63c43703dd525940bc479730d2e43513d

SHA512
b3af95dc9a68e21e8eca98e451b935f72663c2552ebf26de299716f17193f238d55c292df953d641defcbcec3ea18eb37cd4b839800804efa8f40658427263ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10162\sqlite3.dll

Filesize
644KB

MD5
b26fa7619d82c7272b7279eb7aae801c

SHA1
fa6a3240a531615a0853306f3b3d66aed98a04d8

SHA256
74dc76a2a2d06d61f9f06bd3b0972bfb30ab57b0e5cb8c3011e79ce4a52924f0

SHA512
20b0d6cf3e07ca0d565f140c9f9c1e218406ed9bdaaf75433858acb250bfb71bb134a6479fdcf6d4d0e0252707b1fb14f9c9d3e4d6a40824c3fdc7a43dfad0ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10162\unicodedata.pyd

Filesize
295KB

MD5
97f08bbcf9903c768668b1cd1e30aada

SHA1
84e2dc5c3662bd39ac09b5f682a59104ffec16d2

SHA256
c5c2997c3b16eb8b89fe230582a579a753efc8317ffd95d9795ec2762aa54ed9

SHA512
076ca0017ae252d62d4a3bd7a42af95800e39a164bda990a0ca651aa2f0df2736c0dfdc086d8328a1834ae89f17716c5f76e798460a90263d1d8b6f2c233c686

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10162\zstandard\backend_c.cp312-win_amd64.pyd

Filesize
174KB

MD5
4dd9c42a89ddf77fef7aa34a71c5b480

SHA1
fc4c03ffcf81fb255b54c4f16f6ed90d5a1f37d4

SHA256
f76dc6f9ace0d356dbfdea443c3d43232342f48384f4afc7293b2ace813477e7

SHA512
02c04fa2fa1d8136730f2596740049664a4f9343fb56de195988d80151cb38e67e7fee1c140d2c5d7c439f19df377cc6e253f5178711f72b821eae3076b4e142

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jyoi2lv4.3qz.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI10162\Cryptodome\Cipher\_raw_ecb.pyd

Filesize
9KB

MD5
768559588eef33d33d9fa64ab5ed482b

SHA1
09be733f1deed8593c20afaf04042f8370e4e82f

SHA256
57d3efc53d8c4be726597a1f3068947b895b5b8aba47fd382c600d8e72125356

SHA512
3bf9cd35906e6e408089faea9ffcdf49cc164f58522764fe9e481d41b0e9c6ff14e13b0954d2c64bb942970bbf9d94d07fce0c0d5fdbd6ca045649675ecff0f2

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI10162\VCRUNTIME140_1.dll

Filesize
48KB

MD5
f8dfa78045620cf8a732e67d1b1eb53d

SHA1
ff9a604d8c99405bfdbbf4295825d3fcbc792704

SHA256
a113f192195f245f17389e6ecbed8005990bcb2476ddad33f7c4c6c86327afe5

SHA512
ba7f8b7ab0deb7a7113124c28092b543e216ca08d1cf158d9f40a326fb69f4a2511a41a59ea8482a10c9ec4ec8ac69b70dfe9ca65e525097d93b819d498da371

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI10162\_hashlib.pyd

Filesize
35KB

MD5
fa6ae459e8a2c3071bd373da5a4cfe18

SHA1
dbf6462e952efe70f4ad72c0c8688456833462d5

SHA256
20af24170652420bc06adbb2fc159ae9e61e71f2cad5370b423c9ce4c57ad5e1

SHA512
9846f7fcf86fd67b03080a6ec270e4c6ecb0fee7bd0019fddd976c26e062c5d41f35691384a2307ca80289010f73cecf7326d7f446971639698b2948c4f67c08

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI10162\_socket.pyd

Filesize
44KB

MD5
552d390e9c359bf460b87cfb9a24a48b

SHA1
d4920c3355b18087e9a392bea152cef90cc04a60

SHA256
f11b57f08a31e172cabae66830f9ef936e322a4df03ba5230d1621db4e7a24b6

SHA512
cfc59e43ab855f1c571db92c0df1258e88bc6db9d8569c2a5242b90d22f327503f4b4402f79f816f53f12a43f3d1ca84066231f0a3e719758340813f79528d8e

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI10162\_ssl.pyd

Filesize
66KB

MD5
318cfedf19856dbbc627e79ed9fd2b9c

SHA1
fb9b5565a033a8c6a4aee3f0a27de047714442d1

SHA256
efa7fef1f1456e19c44a787b62d047f5d73c6abb6a6d4201d125dc3d101fff09

SHA512
d5d616400fa33751bec6ce8786d4c29e6307f2042db0602907354734ff72387570201420290f5e99c375059ef7217159e254c44291b36f7f296574f506211e10

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI10162\_wmi.pyd

Filesize
28KB

MD5
54ba74f0c557b0c0463c08b5d2439379

SHA1
8aa3f3f50501962f4a64ead15b24b6a77b06c5c5

SHA256
53d4c23bc2ba89ee5050bae9b498eebbcde5a1906e51389742780f0c976b861f

SHA512
fa4b6ca32a635f3a17d1e50b2b0a0c9e184cc104c2632b1d57c2a14db30272e6985a5665c567f49a5d4a6f36bfe80db9b5c591856d1667c024631a7050efb5fe

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI10162\charset_normalizer\md.cp312-win_amd64.pyd

Filesize
9KB

MD5
e4fad9ff1b85862a6afaca2495d9f019

SHA1
0e47d7c5d4de3a1d7e3bb31bd47ea22cc4ddeac4

SHA256
e5d362766e9806e7e64709de7e0cff40e03123d821c3f30cac5bac1360e08c18

SHA512
706fb033fc2079b0aabe969bc51ccb6ffaaf1863daf0e4a83d6f13adc0fedab61cee2b63efb40f033aea22bf96886834d36f50af36e6e25b455e941c1676a30a

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI10162\charset_normalizer\md__mypyc.cp312-win_amd64.pyd

Filesize
39KB

MD5
5c643741418d74c743ca128ff3f50646

SHA1
0b499a3228865a985d86c1199d14614096efd8a0

SHA256
2d86563fdfdc39894a53a293810744915192f3b3f40a47526551e66cdb9cb35c

SHA512
45d02b854557d8f9c25ca8136fa6d3daed24275cc77b1c98038752daed4318bd081c889ff1f4fa8a28e734c9167f477350a8fa863f61729c30c76e7a91d61a97

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI10162\libssl-3.dll

Filesize
222KB

MD5
7e87c34b39f3a8c332df6e15fd83160b

SHA1
db712b55f23d8e946c2d91cbbeb7c9a78a92b484

SHA256
41448b8365b3a75cf33894844496eb03f84e5422b72b90bdcb9866051939c601

SHA512
eceda8b66736edf7f8e7e6d5a17e280342e989c5195525c697cc02dda80fd82d62c7fd4dc6c4825425bae69a820e1262b8d8cc00dbcd73868a26e16c14ac5559

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI10162\select.pyd

Filesize
25KB

MD5
3b214dfb6ec4ca67be55b3aa52922827

SHA1
f665ffeab25d2bab506b873be944280586eb50f6

SHA256
7507a92c4787e9e7936a0b4a8eeb0a3f24e5ee12ae58cd7988543581d99817ac

SHA512
de4e9b9d79b01d21aca74179c6a3e8fc6fe041f71cdd78910fd893cda90c2cfe7e54ade91064333f37ffc880d446879a64dd8bb790677039df56df1f80ec6b45

Download Submit
memory/3376-860-0x0000028B38860000-0x0000028B388D6000-memory.dmp

Filesize
472KB

Download
memory/3376-857-0x0000028B386B0000-0x0000028B386D2000-memory.dmp

Filesize
136KB

Download
memory/5036-825-0x00007FF86EB60000-0x00007FF86EB6C000-memory.dmp

Filesize
48KB

Download
memory/5036-1108-0x00007FF872230000-0x00007FF872248000-memory.dmp

Filesize
96KB

Download
memory/5036-786-0x00007FF872350000-0x00007FF872366000-memory.dmp

Filesize
88KB

Download
memory/5036-787-0x00007FF872330000-0x00007FF872342000-memory.dmp

Filesize
72KB

Download
memory/5036-763-0x00007FF873860000-0x00007FF87387A000-memory.dmp

Filesize
104KB

Download
memory/5036-792-0x00007FF8722A0000-0x00007FF872327000-memory.dmp

Filesize
540KB

Download
memory/5036-764-0x00007FF873830000-0x00007FF87385D000-memory.dmp

Filesize
180KB

Download
memory/5036-799-0x00007FF872260000-0x00007FF872287000-memory.dmp

Filesize
156KB

Download
memory/5036-798-0x00007FF872290000-0x00007FF87229B000-memory.dmp

Filesize
44KB

Download
memory/5036-773-0x00007FF875A30000-0x00007FF875A3F000-memory.dmp

Filesize
60KB

Download
memory/5036-809-0x00007FF873880000-0x00007FF8738A5000-memory.dmp

Filesize
148KB

Download
memory/5036-808-0x00007FF870CD0000-0x00007FF870CF4000-memory.dmp

Filesize
144KB

Download
memory/5036-807-0x00007FF86D1E0000-0x00007FF86D35F000-memory.dmp

Filesize
1.5MB

Download
memory/5036-806-0x00007FF872230000-0x00007FF872248000-memory.dmp

Filesize
96KB

Download
memory/5036-805-0x00007FF872770000-0x00007FF872E34000-memory.dmp

Filesize
6.8MB

Download
memory/5036-774-0x00007FF872730000-0x00007FF872766000-memory.dmp

Filesize
216KB

Download
memory/5036-819-0x00007FF8701D0000-0x00007FF8701DC000-memory.dmp

Filesize
48KB

Download
memory/5036-818-0x00007FF8701E0000-0x00007FF8701EB000-memory.dmp

Filesize
44KB

Download
memory/5036-817-0x00007FF8701F0000-0x00007FF8701FC000-memory.dmp

Filesize
48KB

Download
memory/5036-816-0x00007FF870200000-0x00007FF87020B000-memory.dmp

Filesize
44KB

Download
memory/5036-815-0x00007FF870CA0000-0x00007FF870CAC000-memory.dmp

Filesize
48KB

Download
memory/5036-814-0x00007FF870CB0000-0x00007FF870CBB000-memory.dmp

Filesize
44KB

Download
memory/5036-813-0x00007FF870CC0000-0x00007FF870CCB000-memory.dmp

Filesize
44KB

Download
memory/5036-775-0x00007FF872710000-0x00007FF872729000-memory.dmp

Filesize
100KB

Download
memory/5036-833-0x00007FF86EA20000-0x00007FF86EA3C000-memory.dmp

Filesize
112KB

Download
memory/5036-832-0x00007FF86EAD0000-0x00007FF86EADB000-memory.dmp

Filesize
44KB

Download
memory/5036-834-0x00007FF861DB0000-0x00007FF862195000-memory.dmp

Filesize
3.9MB

Download
memory/5036-831-0x00007FF86E2F0000-0x00007FF86E31E000-memory.dmp

Filesize
184KB

Download
memory/5036-830-0x00007FF86E420000-0x00007FF86E449000-memory.dmp

Filesize
164KB

Download
memory/5036-829-0x00007FF86EAE0000-0x00007FF86EAEC000-memory.dmp

Filesize
48KB

Download
memory/5036-828-0x00007FF86EAF0000-0x00007FF86EB02000-memory.dmp

Filesize
72KB

Download
memory/5036-827-0x00007FF86EB10000-0x00007FF86EB1D000-memory.dmp

Filesize
52KB

Download
memory/5036-826-0x00007FF86EB50000-0x00007FF86EB5C000-memory.dmp

Filesize
48KB

Download
memory/5036-776-0x00007FF873810000-0x00007FF87381D000-memory.dmp

Filesize
52KB

Download
memory/5036-824-0x00007FF8725D0000-0x00007FF87269D000-memory.dmp

Filesize
820KB

Download
memory/5036-823-0x00007FF870190000-0x00007FF87019B000-memory.dmp

Filesize
44KB

Download
memory/5036-822-0x00007FF8701B0000-0x00007FF8701BE000-memory.dmp

Filesize
56KB

Download
memory/5036-821-0x00007FF8701C0000-0x00007FF8701CC000-memory.dmp

Filesize
48KB

Download
memory/5036-820-0x00007FF8621A0000-0x00007FF8626C9000-memory.dmp

Filesize
5.2MB

Download
memory/5036-837-0x00007FF85FC80000-0x00007FF861DA6000-memory.dmp

Filesize
33.1MB

Download
memory/5036-842-0x00007FF86DA80000-0x00007FF86DA98000-memory.dmp

Filesize
96KB

Download
memory/5036-841-0x00007FF870180000-0x00007FF87018B000-memory.dmp

Filesize
44KB

Download
memory/5036-840-0x00007FF8701A0000-0x00007FF8701AC000-memory.dmp

Filesize
48KB

Download
memory/5036-843-0x00007FF86DA50000-0x00007FF86DA71000-memory.dmp

Filesize
132KB

Download
memory/5036-839-0x00007FF8726E0000-0x00007FF8726F4000-memory.dmp

Filesize
80KB

Download
memory/5036-838-0x00007FF875A30000-0x00007FF875A3F000-memory.dmp

Filesize
60KB

Download
memory/5036-777-0x00007FF872700000-0x00007FF87270D000-memory.dmp

Filesize
52KB

Download
memory/5036-781-0x00007FF8621A0000-0x00007FF8626C9000-memory.dmp

Filesize
5.2MB

Download
memory/5036-782-0x00007FF8725D0000-0x00007FF87269D000-memory.dmp

Filesize
820KB

Download
memory/5036-1057-0x00007FF870D50000-0x00007FF870E6B000-memory.dmp

Filesize
1.1MB

Download
memory/5036-783-0x00007FF8726A0000-0x00007FF8726D3000-memory.dmp

Filesize
204KB

Download
memory/5036-778-0x00007FF8726E0000-0x00007FF8726F4000-memory.dmp

Filesize
80KB

Download
memory/5036-738-0x00007FF876880000-0x00007FF87688F000-memory.dmp

Filesize
60KB

Download
memory/5036-736-0x00007FF873880000-0x00007FF8738A5000-memory.dmp

Filesize
148KB

Download
memory/5036-728-0x00007FF872770000-0x00007FF872E34000-memory.dmp

Filesize
6.8MB

Download
memory/5036-789-0x00007FF870D50000-0x00007FF870E6B000-memory.dmp

Filesize
1.1MB

Download
memory/5036-1110-0x00007FF86D1E0000-0x00007FF86D35F000-memory.dmp

Filesize
1.5MB

Download
memory/5036-1109-0x00007FF870CD0000-0x00007FF870CF4000-memory.dmp

Filesize
144KB

Download
memory/5036-1088-0x00007FF872770000-0x00007FF872E34000-memory.dmp

Filesize
6.8MB

Download
memory/5036-1100-0x00007FF8726A0000-0x00007FF8726D3000-memory.dmp

Filesize
204KB

Download
memory/5036-1089-0x00007FF873880000-0x00007FF8738A5000-memory.dmp

Filesize
148KB

Download
memory/5036-1140-0x00007FF872730000-0x00007FF872766000-memory.dmp

Filesize
216KB

Download
memory/5036-1144-0x00007FF8726E0000-0x00007FF8726F4000-memory.dmp

Filesize
80KB

Download
memory/5036-1163-0x00007FF86D1E0000-0x00007FF86D35F000-memory.dmp

Filesize
1.5MB

Download
memory/5036-1162-0x00007FF870180000-0x00007FF87018B000-memory.dmp

Filesize
44KB

Download
memory/5036-1161-0x00007FF8701A0000-0x00007FF8701AC000-memory.dmp

Filesize
48KB

Download
memory/5036-1160-0x00007FF870200000-0x00007FF87020B000-memory.dmp

Filesize
44KB

Download
memory/5036-1159-0x00007FF870CA0000-0x00007FF870CAC000-memory.dmp

Filesize
48KB

Download
memory/5036-1158-0x00007FF870CB0000-0x00007FF870CBB000-memory.dmp

Filesize
44KB

Download
memory/5036-1157-0x00007FF870CC0000-0x00007FF870CCB000-memory.dmp

Filesize
44KB

Download
memory/5036-1155-0x00007FF870CD0000-0x00007FF870CF4000-memory.dmp

Filesize
144KB

Download
memory/5036-1154-0x00007FF872230000-0x00007FF872248000-memory.dmp

Filesize
96KB

Download
memory/5036-1153-0x00007FF872260000-0x00007FF872287000-memory.dmp

Filesize
156KB

Download
memory/5036-1152-0x00007FF872290000-0x00007FF87229B000-memory.dmp

Filesize
44KB

Download
memory/5036-1178-0x00007FF86EA20000-0x00007FF86EA3C000-memory.dmp

Filesize
112KB

Download
memory/5036-1177-0x00007FF86EAD0000-0x00007FF86EADB000-memory.dmp

Filesize
44KB

Download
memory/5036-1176-0x00007FF86E2F0000-0x00007FF86E31E000-memory.dmp

Filesize
184KB

Download
memory/5036-1175-0x00007FF86E420000-0x00007FF86E449000-memory.dmp

Filesize
164KB

Download
memory/5036-1174-0x00007FF86EAE0000-0x00007FF86EAEC000-memory.dmp

Filesize
48KB

Download
memory/5036-1173-0x00007FF86EAF0000-0x00007FF86EB02000-memory.dmp

Filesize
72KB

Download
memory/5036-1172-0x00007FF86EB10000-0x00007FF86EB1D000-memory.dmp

Filesize
52KB

Download
memory/5036-1171-0x00007FF86EB50000-0x00007FF86EB5C000-memory.dmp

Filesize
48KB

Download
memory/5036-1170-0x00007FF86EB60000-0x00007FF86EB6C000-memory.dmp

Filesize
48KB

Download
memory/5036-1169-0x00007FF870190000-0x00007FF87019B000-memory.dmp

Filesize
44KB

Download
memory/5036-1168-0x00007FF8701D0000-0x00007FF8701DC000-memory.dmp

Filesize
48KB

Download
memory/5036-1167-0x00007FF8701B0000-0x00007FF8701BE000-memory.dmp

Filesize
56KB

Download
memory/5036-1166-0x00007FF8701E0000-0x00007FF8701EB000-memory.dmp

Filesize
44KB

Download
memory/5036-1165-0x00007FF8701F0000-0x00007FF8701FC000-memory.dmp

Filesize
48KB

Download
memory/5036-1164-0x00007FF8701C0000-0x00007FF8701CC000-memory.dmp

Filesize
48KB

Download
memory/5036-1151-0x00007FF8722A0000-0x00007FF872327000-memory.dmp

Filesize
540KB

Download
memory/5036-1150-0x00007FF870D50000-0x00007FF870E6B000-memory.dmp

Filesize
1.1MB

Download
memory/5036-1149-0x00007FF872330000-0x00007FF872342000-memory.dmp

Filesize
72KB

Download
memory/5036-1148-0x00007FF872350000-0x00007FF872366000-memory.dmp

Filesize
88KB

Download
memory/5036-1147-0x00007FF8725D0000-0x00007FF87269D000-memory.dmp

Filesize
820KB

Download
memory/5036-1145-0x00007FF8621A0000-0x00007FF8626C9000-memory.dmp

Filesize
5.2MB

Download
memory/5036-1143-0x00007FF872700000-0x00007FF87270D000-memory.dmp

Filesize
52KB

Download
memory/5036-1142-0x00007FF873810000-0x00007FF87381D000-memory.dmp

Filesize
52KB

Download
memory/5036-1141-0x00007FF872710000-0x00007FF872729000-memory.dmp

Filesize
100KB

Download
memory/5036-1134-0x00007FF872770000-0x00007FF872E34000-memory.dmp

Filesize
6.8MB

Download
memory/5036-1137-0x00007FF873860000-0x00007FF87387A000-memory.dmp

Filesize
104KB

Download
memory/5036-1136-0x00007FF876880000-0x00007FF87688F000-memory.dmp

Filesize
60KB

Download
memory/5036-1135-0x00007FF873880000-0x00007FF8738A5000-memory.dmp

Filesize
148KB

Download
memory/5036-1146-0x00007FF8726A0000-0x00007FF8726D3000-memory.dmp

Filesize
204KB

Download
memory/5036-1139-0x00007FF875A30000-0x00007FF875A3F000-memory.dmp

Filesize
60KB

Download
memory/5036-1138-0x00007FF873830000-0x00007FF87385D000-memory.dmp

Filesize
180KB

Download
memory/5036-1180-0x00007FF86DA80000-0x00007FF86DA98000-memory.dmp

Filesize
96KB

Download
memory/5036-1179-0x00007FF861DB0000-0x00007FF862195000-memory.dmp

Filesize
3.9MB

Download
memory/5036-1181-0x00007FF85FC80000-0x00007FF861DA6000-memory.dmp

Filesize
33.1MB

Download
memory/5036-1182-0x00007FF86DA50000-0x00007FF86DA71000-memory.dmp

Filesize
132KB

Download