Malware Analysis Report

2024-11-13 15:20

Sample ID 240729-yyr21ayanl
Target Celery.exe
SHA256 395532c65dc8a2ecf47db85df7d362ba6170d39bbb98e2f844a3d3be25d32e7b
Tags
evasion execution persistence upx discovery pyinstaller pysilon
score
10/10

Analysis Overview

score
10/10

SHA256

395532c65dc8a2ecf47db85df7d362ba6170d39bbb98e2f844a3d3be25d32e7b

Threat Level: Known bad

The file Celery.exe was found to be: Known bad.

Malicious Activity Summary

evasion execution persistence upx discovery pyinstaller pysilon

Detect Pysilon

Pysilon family

Enumerates VirtualBox DLL files

Command and Scripting Interpreter: PowerShell

Sets file to hidden

UPX packed file

Executes dropped EXE

Loads dropped DLL

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Enumerates physical storage devices

Unsigned PE

Detects Pyinstaller

System Location Discovery: System Language Discovery

Modifies registry class

Suspicious use of WriteProcessMemory

Views/modifies file attributes

Suspicious use of SetWindowsHookEx

Kills process with taskkill

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-29 20:12

Signatures

Detect Pysilon

Description Indicator Process Target
N/A N/A N/A N/A

Pysilon family

pysilon

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-29 20:11

Reported

2024-07-29 20:14

Platform

win10v2004-20240709-en

Max time kernel

92s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Celery.exe"

Signatures

Enumerates VirtualBox DLL files

Description Indicator Process Target
File opened (read-only) C:\windows\system32\vboxhook.dll C:\Users\Admin\AppData\Local\Temp\Celery.exe N/A
File opened (read-only) C:\windows\system32\vboxmrxnp.dll C:\Users\Admin\AppData\Local\Temp\Celery.exe N/A
File opened (read-only) C:\windows\system32\vboxhook.dll C:\Users\Admin\something\Something.exe N/A
File opened (read-only) C:\windows\system32\vboxmrxnp.dll C:\Users\Admin\something\Something.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Sets file to hidden

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\something\Something.exe N/A
N/A N/A C:\Users\Admin\something\Something.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Celery.exe N/A
(row repeated 64 times)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
(row repeated 64 times)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\registry = "C:\\Users\\Admin\\something\\Something.exe" C:\Users\Admin\AppData\Local\Temp\Celery.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
(row repeated 6 times)

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Celery.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\something\Something.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\something\Something.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1028 wrote to memory of 3156 N/A C:\Users\Admin\AppData\Local\Temp\Celery.exe C:\Users\Admin\AppData\Local\Temp\Celery.exe
PID 1028 wrote to memory of 3156 N/A C:\Users\Admin\AppData\Local\Temp\Celery.exe C:\Users\Admin\AppData\Local\Temp\Celery.exe
PID 3156 wrote to memory of 812 N/A C:\Users\Admin\AppData\Local\Temp\Celery.exe C:\Windows\system32\cmd.exe
PID 3156 wrote to memory of 812 N/A C:\Users\Admin\AppData\Local\Temp\Celery.exe C:\Windows\system32\cmd.exe
PID 3156 wrote to memory of 4740 N/A C:\Users\Admin\AppData\Local\Temp\Celery.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3156 wrote to memory of 4740 N/A C:\Users\Admin\AppData\Local\Temp\Celery.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3156 wrote to memory of 3248 N/A C:\Users\Admin\AppData\Local\Temp\Celery.exe C:\Windows\system32\cmd.exe
PID 3156 wrote to memory of 3248 N/A C:\Users\Admin\AppData\Local\Temp\Celery.exe C:\Windows\system32\cmd.exe
PID 3248 wrote to memory of 456 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 3248 wrote to memory of 456 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 3248 wrote to memory of 6556 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\something\Something.exe
PID 3248 wrote to memory of 6556 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\something\Something.exe
PID 3248 wrote to memory of 6604 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 3248 wrote to memory of 6604 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 6556 wrote to memory of 1068 N/A C:\Users\Admin\something\Something.exe C:\Users\Admin\something\Something.exe
PID 6556 wrote to memory of 1068 N/A C:\Users\Admin\something\Something.exe C:\Users\Admin\something\Something.exe
PID 1068 wrote to memory of 6048 N/A C:\Users\Admin\something\Something.exe C:\Windows\system32\cmd.exe
PID 1068 wrote to memory of 6048 N/A C:\Users\Admin\something\Something.exe C:\Windows\system32\cmd.exe
PID 1068 wrote to memory of 5684 N/A C:\Users\Admin\something\Something.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1068 wrote to memory of 5684 N/A C:\Users\Admin\something\Something.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Celery.exe

"C:\Users\Admin\AppData\Local\Temp\Celery.exe"

C:\Users\Admin\AppData\Local\Temp\Celery.exe

"C:\Users\Admin\AppData\Local\Temp\Celery.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "ver"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Add-MpPreference -ExclusionPath \"C:\Users\Admin\something\""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\something\activate.bat

C:\Windows\system32\attrib.exe

attrib +s +h .

C:\Users\Admin\something\Something.exe

"Something.exe"

C:\Windows\system32\taskkill.exe

taskkill /f /im "Celery.exe"

C:\Users\Admin\something\Something.exe

"Something.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "ver"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Add-MpPreference -ExclusionPath \"C:\Users\Admin\something\""

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
N/A 127.0.0.1:65361 tcp
US 8.8.8.8:53 discord.com udp
US 162.159.135.232:443 discord.com tcp
US 162.159.128.233:443 discord.com tcp
US 162.159.136.232:443 discord.com tcp
US 162.159.137.232:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp
US 8.8.8.8:53 233.128.159.162.in-addr.arpa udp
US 8.8.8.8:53 232.135.159.162.in-addr.arpa udp
US 8.8.8.8:53 232.137.159.162.in-addr.arpa udp
US 8.8.8.8:53 232.136.159.162.in-addr.arpa udp
US 8.8.8.8:53 232.138.159.162.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI10282\ucrtbase.dll

C:\Users\Admin\AppData\Local\Temp\_MEI10282\python311.dll

C:\Users\Admin\AppData\Local\Temp\_MEI10282\VCRUNTIME140.dll

memory/3156-1206-0x00007FFB65F20000-0x00007FFB66512000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI10282\base_library.zip

C:\Users\Admin\AppData\Local\Temp\_MEI10282\_ctypes.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI10282\python3.DLL

memory/3156-1214-0x00007FFB76B10000-0x00007FFB76B34000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI10282\libffi-8.dll

memory/3156-1216-0x00007FFB7B990000-0x00007FFB7B99F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI10282\_bz2.pyd

memory/3156-1222-0x00007FFB76530000-0x00007FFB7655D000-memory.dmp

memory/3156-1221-0x00007FFB76AF0000-0x00007FFB76B09000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI10282\_lzma.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI10282\libogg-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI10282\libmodplug-1.dll

C:\Users\Admin\AppData\Local\Temp\_MEI10282\libjpeg-9.dll

C:\Users\Admin\AppData\Local\Temp\_MEI10282\libcrypto-3.dll

C:\Users\Admin\AppData\Local\Temp\_MEI10282\freetype.dll

C:\Users\Admin\AppData\Local\Temp\_MEI10282\api-ms-win-crt-utility-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI10282\api-ms-win-crt-time-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI10282\api-ms-win-crt-string-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI10282\api-ms-win-crt-stdio-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI10282\api-ms-win-crt-runtime-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI10282\api-ms-win-crt-process-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI10282\api-ms-win-crt-private-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI10282\api-ms-win-crt-multibyte-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI10282\api-ms-win-crt-math-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI10282\api-ms-win-crt-locale-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI10282\api-ms-win-crt-heap-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI10282\api-ms-win-crt-filesystem-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI10282\api-ms-win-crt-environment-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI10282\api-ms-win-crt-convert-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI10282\api-ms-win-crt-conio-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI10282\api-ms-win-core-util-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI10282\api-ms-win-core-timezone-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI10282\api-ms-win-core-sysinfo-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI10282\api-ms-win-core-synch-l1-2-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI10282\api-ms-win-core-synch-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI10282\api-ms-win-core-string-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI10282\api-ms-win-core-rtlsupport-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI10282\api-ms-win-core-profile-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI10282\api-ms-win-core-processthreads-l1-1-1.dll

C:\Users\Admin\AppData\Local\Temp\_MEI10282\api-ms-win-core-processthreads-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI10282\api-ms-win-core-processenvironment-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI10282\api-ms-win-core-namedpipe-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI10282\api-ms-win-core-memory-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI10282\api-ms-win-core-localization-l1-2-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI10282\api-ms-win-core-libraryloader-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI10282\api-ms-win-core-interlocked-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI10282\api-ms-win-core-heap-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI10282\api-ms-win-core-handle-l1-1-0.dll

MD5 6c9b134a31005c3bc248f47cbf53c06b
SHA1 2e9b855898296d5a4bf9589eb2d8cd5f578712a2
SHA256 fc6c47e72647ba07184c09a856f61732bbf79a35582390c642a4a11d3e5670de
SHA512 c4794513faaa7caa80e721409c3b9f845c6c66b7583ff123ae2243709ae31943d9d6669f025da825ad63a9f1a1a734e53059855b43470aa2501b983f7ad9860c

C:\Users\Admin\AppData\Local\Temp\_MEI10282\api-ms-win-core-file-l2-1-0.dll

MD5 50abf0a7ee67f00f247bada185a7661c
SHA1 0cddac9ac4db3bf10a11d4b79085ef9cb3fb84a1
SHA256 f957a4c261506484b53534a9be8931c02ec1a349b3f431a858f8215cecfec3f7
SHA512 c2694bb5d103baff1264926a04d2f0fe156b8815a23c3748412a81cc307b71a9236a0e974b5549321014065e393d10228a0f0004df9ba677f03b5d244a64b528

C:\Users\Admin\AppData\Local\Temp\_MEI10282\api-ms-win-core-file-l1-2-0.dll

MD5 e2a03fb652b3f3f2a39d305e0fc991f9
SHA1 49292471fb6b2a08a3b5ea4d55c7ba63d7c22df4
SHA256 6d6aa0c0de2e39580807b2996070033fdbae5b41c4fa9520a102479731ba1e29
SHA512 b2f4336c29a9b8b59d206b11ef39208f95abde83efee90fb12ae9cb9cd84b983d431eebfd2b9550bd2ad47ba0332b0e57f86699aa2198d0f94e615adcc3ea9bc

C:\Users\Admin\AppData\Local\Temp\_MEI10282\api-ms-win-core-file-l1-1-0.dll

MD5 29bd7b49ef00c21a09ff3bd807160efe
SHA1 2a6585cbfbda22d834cae974d40a2949eb26be8e
SHA256 25409af2cc0a23641aab1d9d41539079dae80436d3ac7cb078f39c5925ecd7d4
SHA512 c012769374b2f6fae8c0a16990cadb428be611ef7088083c5d431745a32343134f01e1e702fef4b0fe53db39b6edecf3bab64176def71c44a34e947ff839bc7b

C:\Users\Admin\AppData\Local\Temp\_MEI10282\api-ms-win-core-fibers-l1-1-0.dll

MD5 2b4520a1781259d4a52d896988e09092
SHA1 3982816f3befa4a9d713a72e713f0a8d68cb9033
SHA256 e2c2593c80cdc864a29bf5a66bc2beaf701282983029ae2c25bf460d6b1e026f
SHA512 04e97a70879304fcac364f9ab9e0040337cb5cb3db05c6736a88020125f6122f0b7664689b0600f0562e1238db739770f529915219a0f94db137b21b5805a396

C:\Users\Admin\AppData\Local\Temp\_MEI10282\api-ms-win-core-errorhandling-l1-1-0.dll

MD5 c0039617182882f29150859df82615cd
SHA1 2fffbe36cd3f105e8cb76078b597efccfc020e31
SHA256 1c80f74b1f1f29af2fbae535b1daa7b730cbad65eb64a67786c95f743c2ef639
SHA512 13ed0bd6eed1e9242aa0e2ed820be525f0c8b46907d19ba1bb40b70c50e4049bac82d27ae9acf58cb5744e3d8c9ccd0940b721f4ff9224c7cbc8d6e6920610cb

C:\Users\Admin\AppData\Local\Temp\_MEI10282\api-ms-win-core-debug-l1-1-0.dll

MD5 0f423cd96994e6a8d81f8339855d8fdf
SHA1 2a71d847e26e03a046e32c7e96f7a95c2d78aba5
SHA256 ff23b3466e2c47a6ed8287f34bb2ad535b859495a3a21d83b4dae13a871e1660
SHA512 99bd77ada2f2a3044987492528e8755ef15268177baca6b91c83a0e0ba5f5ed02c718572b9029b80fb7938d3e6441c1fe99f034e3583a59320c23d1150e4b436

C:\Users\Admin\AppData\Local\Temp\_MEI10282\api-ms-win-core-datetime-l1-1-0.dll

MD5 55825bcfe90f8f2eb4cc1af0c6380e87
SHA1 504678568f30e7dca567d4efd4da64d2d284dcfe
SHA256 c318c6f25b36f462a04b1abf933f0a4c620abaefca76a48c6cc66676d64c6f1f
SHA512 49b1b523b0a8783f460b4ebb5a65ff23dd26df6d685bb3f5d1c867c4bcbf41d5fc23d10c75caa1d71d268210025dec4b6e97bb837fb8e0287e7650bca054607a

C:\Users\Admin\AppData\Local\Temp\_MEI10282\api-ms-win-core-console-l1-1-0.dll

MD5 4fbdc7cca50eb348b8bd98287bec0971
SHA1 33e51fe9c413315c4803dba6d7722543caaf72e4
SHA256 dffe0f14db34090348a9b3f14c45b4839d5cf5c7065f9153aac04bc19e089f43
SHA512 8127e4677e7b2554c9cc9548afa23ca7e716a0ccd41dd430bbc2f2431d9e2e0d22b2f89c43d473fadbfca31b36804070062e21024c5889dfbd35e02a7114c211

memory/3156-1270-0x00007FFB659F0000-0x00007FFB65F19000-memory.dmp

memory/3156-1269-0x00007FFB76AD0000-0x00007FFB76AE4000-memory.dmp

memory/3156-1273-0x00007FFB764D0000-0x00007FFB76503000-memory.dmp

memory/3156-1272-0x00007FFB7B980000-0x00007FFB7B98D000-memory.dmp

memory/3156-1271-0x00007FFB76510000-0x00007FFB76529000-memory.dmp

memory/3156-1274-0x00007FFB76100000-0x00007FFB761CD000-memory.dmp

memory/3156-1275-0x00007FFB78260000-0x00007FFB7826D000-memory.dmp

memory/3156-1276-0x00007FFB78200000-0x00007FFB7820B000-memory.dmp

memory/3156-1277-0x00007FFB760D0000-0x00007FFB760F6000-memory.dmp

memory/3156-1278-0x00007FFB65F20000-0x00007FFB66512000-memory.dmp

memory/3156-1279-0x00007FFB668D0000-0x00007FFB669EC000-memory.dmp

memory/3156-1281-0x00007FFB706A0000-0x00007FFB706D8000-memory.dmp

memory/3156-1280-0x00007FFB76B10000-0x00007FFB76B34000-memory.dmp

memory/3156-1290-0x00007FFB73680000-0x00007FFB7368B000-memory.dmp

memory/3156-1289-0x00007FFB73760000-0x00007FFB7376C000-memory.dmp

memory/3156-1288-0x00007FFB73820000-0x00007FFB7382E000-memory.dmp

memory/3156-1287-0x00007FFB73830000-0x00007FFB7383C000-memory.dmp

memory/3156-1286-0x00007FFB75CE0000-0x00007FFB75CEC000-memory.dmp

memory/3156-1285-0x00007FFB75CF0000-0x00007FFB75CFB000-memory.dmp

memory/3156-1284-0x00007FFB76000000-0x00007FFB7600C000-memory.dmp

memory/3156-1283-0x00007FFB76010000-0x00007FFB7601B000-memory.dmp

memory/3156-1282-0x00007FFB659F0000-0x00007FFB65F19000-memory.dmp

memory/3156-1297-0x00007FFB719A0000-0x00007FFB719AB000-memory.dmp

memory/3156-1299-0x00007FFB6FEA0000-0x00007FFB6FEB2000-memory.dmp

memory/3156-1303-0x00007FFB76AD0000-0x00007FFB76AE4000-memory.dmp

memory/3156-1302-0x00007FFB6FE90000-0x00007FFB6FE9C000-memory.dmp

memory/3156-1301-0x00007FFB6FE50000-0x00007FFB6FE62000-memory.dmp

memory/3156-1300-0x00007FFB6FE70000-0x00007FFB6FE85000-memory.dmp

memory/3156-1298-0x00007FFB76530000-0x00007FFB7655D000-memory.dmp

memory/3156-1296-0x00007FFB76840000-0x00007FFB7684C000-memory.dmp

memory/3156-1295-0x00007FFB76C20000-0x00007FFB76C2B000-memory.dmp

memory/3156-1294-0x00007FFB76F30000-0x00007FFB76F3B000-memory.dmp

memory/3156-1293-0x00007FFB6FEC0000-0x00007FFB6FECD000-memory.dmp

memory/3156-1292-0x00007FFB704E0000-0x00007FFB704EC000-memory.dmp

memory/3156-1291-0x00007FFB71990000-0x00007FFB7199C000-memory.dmp

memory/3156-1306-0x00007FFB6FE30000-0x00007FFB6FE44000-memory.dmp

memory/3156-1308-0x00007FFB6E5D0000-0x00007FFB6E5F2000-memory.dmp

memory/3156-1307-0x00007FFB76100000-0x00007FFB761CD000-memory.dmp

memory/3156-1305-0x00007FFB764D0000-0x00007FFB76503000-memory.dmp

memory/3156-1304-0x00007FFB76510000-0x00007FFB76529000-memory.dmp

memory/3156-1311-0x00007FFB657B0000-0x00007FFB657FD000-memory.dmp

memory/3156-1310-0x00007FFB6D280000-0x00007FFB6D299000-memory.dmp

memory/3156-1309-0x00007FFB6E590000-0x00007FFB6E5A7000-memory.dmp

memory/3156-1312-0x00007FFB67CD0000-0x00007FFB67CE1000-memory.dmp

memory/3156-1313-0x00007FFB67CB0000-0x00007FFB67CCE000-memory.dmp

memory/3156-1315-0x00007FFB65750000-0x00007FFB657AD000-memory.dmp

memory/3156-1314-0x00007FFB760D0000-0x00007FFB760F6000-memory.dmp

memory/3156-1316-0x00007FFB67B60000-0x00007FFB67B89000-memory.dmp

memory/3156-1318-0x00007FFB668A0000-0x00007FFB668C3000-memory.dmp

memory/3156-1317-0x00007FFB67B30000-0x00007FFB67B5E000-memory.dmp

memory/3156-1319-0x00007FFB706A0000-0x00007FFB706D8000-memory.dmp

memory/3156-1320-0x00007FFB65870000-0x00007FFB659EE000-memory.dmp

memory/3156-1321-0x00007FFB66880000-0x00007FFB66898000-memory.dmp

memory/3156-1323-0x00007FFB6CBD0000-0x00007FFB6CBDB000-memory.dmp

memory/3156-1322-0x00007FFB6E5B0000-0x00007FFB6E5BB000-memory.dmp

memory/3156-1332-0x00007FFB66830000-0x00007FFB6683C000-memory.dmp

memory/3156-1331-0x00007FFB657B0000-0x00007FFB657FD000-memory.dmp

memory/3156-1330-0x00007FFB6E590000-0x00007FFB6E5A7000-memory.dmp

memory/3156-1329-0x00007FFB66840000-0x00007FFB6684C000-memory.dmp

memory/3156-1328-0x00007FFB6E5D0000-0x00007FFB6E5F2000-memory.dmp

memory/3156-1327-0x00007FFB66850000-0x00007FFB6685B000-memory.dmp

memory/3156-1326-0x00007FFB66860000-0x00007FFB6686C000-memory.dmp

memory/3156-1325-0x00007FFB66870000-0x00007FFB6687B000-memory.dmp

memory/3156-1324-0x00007FFB67B20000-0x00007FFB67B2C000-memory.dmp

memory/3156-1339-0x00007FFB65830000-0x00007FFB6583D000-memory.dmp

memory/3156-1338-0x00007FFB65840000-0x00007FFB6584C000-memory.dmp

memory/3156-1337-0x00007FFB65850000-0x00007FFB6585C000-memory.dmp

memory/3156-1336-0x00007FFB65860000-0x00007FFB6586B000-memory.dmp

memory/3156-1335-0x00007FFB66800000-0x00007FFB6680B000-memory.dmp

memory/3156-1343-0x00007FFB65870000-0x00007FFB659EE000-memory.dmp

memory/3156-1342-0x00007FFB65800000-0x00007FFB6580C000-memory.dmp

memory/3156-1341-0x00007FFB65810000-0x00007FFB65822000-memory.dmp

memory/3156-1340-0x00007FFB668A0000-0x00007FFB668C3000-memory.dmp

memory/3156-1334-0x00007FFB66810000-0x00007FFB6681C000-memory.dmp

memory/3156-1333-0x00007FFB66820000-0x00007FFB6682E000-memory.dmp

memory/3156-1344-0x00007FFB656C0000-0x00007FFB656F6000-memory.dmp

memory/3156-1345-0x00007FFB65600000-0x00007FFB656BC000-memory.dmp

memory/3156-1346-0x00007FFB655D0000-0x00007FFB655FB000-memory.dmp

memory/3156-1347-0x00007FFB652F0000-0x00007FFB655CF000-memory.dmp

memory/3156-1348-0x00007FFB631F0000-0x00007FFB652E3000-memory.dmp

memory/3156-1350-0x00007FFB631A0000-0x00007FFB631C1000-memory.dmp

memory/3156-1349-0x00007FFB631D0000-0x00007FFB631E7000-memory.dmp

memory/3156-1351-0x00007FFB63170000-0x00007FFB63192000-memory.dmp

memory/3156-1352-0x00007FFB630D0000-0x00007FFB6316C000-memory.dmp

memory/3156-1354-0x00007FFB630A0000-0x00007FFB630D0000-memory.dmp

memory/3156-1355-0x00007FFB63010000-0x00007FFB63057000-memory.dmp

memory/3156-1353-0x00007FFB63060000-0x00007FFB63093000-memory.dmp

memory/3156-1359-0x00007FFB62F90000-0x00007FFB62FA3000-memory.dmp

memory/3156-1358-0x00007FFB62FB0000-0x00007FFB62FCD000-memory.dmp

memory/3156-1357-0x00007FFB62FD0000-0x00007FFB62FE9000-memory.dmp

memory/3156-1356-0x00007FFB62FF0000-0x00007FFB6300A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ymyyknev.kw3.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3156-1443-0x00007FFB76AD0000-0x00007FFB76AE4000-memory.dmp

memory/3156-1442-0x00007FFB76530000-0x00007FFB7655D000-memory.dmp

memory/3156-1441-0x00007FFB76AF0000-0x00007FFB76B09000-memory.dmp

memory/3156-1440-0x00007FFB7B990000-0x00007FFB7B99F000-memory.dmp

memory/3156-1439-0x00007FFB76B10000-0x00007FFB76B34000-memory.dmp

memory/3156-1452-0x00007FFB668D0000-0x00007FFB669EC000-memory.dmp

memory/3156-1447-0x00007FFB764D0000-0x00007FFB76503000-memory.dmp

memory/3156-1446-0x00007FFB7B980000-0x00007FFB7B98D000-memory.dmp

memory/3156-1445-0x00007FFB76510000-0x00007FFB76529000-memory.dmp

memory/3156-1438-0x00007FFB65F20000-0x00007FFB66512000-memory.dmp

memory/3156-1461-0x00007FFB67CD0000-0x00007FFB67CE1000-memory.dmp

memory/3156-1460-0x00007FFB657B0000-0x00007FFB657FD000-memory.dmp

memory/3156-1459-0x00007FFB6D280000-0x00007FFB6D299000-memory.dmp

memory/3156-1458-0x00007FFB6E590000-0x00007FFB6E5A7000-memory.dmp

memory/3156-1457-0x00007FFB6E5D0000-0x00007FFB6E5F2000-memory.dmp

memory/3156-1456-0x00007FFB6FE30000-0x00007FFB6FE44000-memory.dmp

memory/3156-1455-0x00007FFB6FE50000-0x00007FFB6FE62000-memory.dmp

memory/3156-1454-0x00007FFB6FE70000-0x00007FFB6FE85000-memory.dmp

memory/3156-1453-0x00007FFB706A0000-0x00007FFB706D8000-memory.dmp

memory/3156-1451-0x00007FFB760D0000-0x00007FFB760F6000-memory.dmp

memory/3156-1450-0x00007FFB78200000-0x00007FFB7820B000-memory.dmp

memory/3156-1449-0x00007FFB78260000-0x00007FFB7826D000-memory.dmp

memory/3156-1448-0x00007FFB76100000-0x00007FFB761CD000-memory.dmp

memory/3156-1444-0x00007FFB659F0000-0x00007FFB65F19000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI65562\cryptography-43.0.0.dist-info\INSTALLER

MD5 365c9bfeb7d89244f2ce01c1de44cb85
SHA1 d7a03141d5d6b1e88b6b59ef08b6681df212c599
SHA256 ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508
SHA512 d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

memory/1068-3850-0x00007FFB76590000-0x00007FFB765C8000-memory.dmp

memory/1068-3874-0x00007FFB6E5B0000-0x00007FFB6E5FD000-memory.dmp

memory/1068-3869-0x00007FFB76140000-0x00007FFB76152000-memory.dmp

memory/1068-3868-0x00007FFB76160000-0x00007FFB76175000-memory.dmp

memory/1068-3841-0x00007FFB659F0000-0x00007FFB65F19000-memory.dmp

memory/1068-3835-0x00007FFB65F20000-0x00007FFB66512000-memory.dmp

memory/1068-3846-0x00007FFB78200000-0x00007FFB7820D000-memory.dmp

memory/1068-3844-0x00007FFB766D0000-0x00007FFB76703000-memory.dmp

memory/1068-3836-0x00007FFB76780000-0x00007FFB767A4000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-07-29 20:11

Reported

2024-07-29 20:16

Platform

win7-20240704-en

Max time kernel

104s

Max time network

19s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\discord_token_grabber.pyc

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\pyc_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\pyc_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\pyc_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\pyc_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\.pyc C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\.pyc\ = "pyc_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\pyc_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\discord_token_grabber.pyc

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\discord_token_grabber.pyc

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\discord_token_grabber.pyc"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 abb1e29bcc93d59f195c401b9f17b414
SHA1 df1f305aaa3899b3e170fe88eea52d83a9da3e4f
SHA256 f0cf14e14cc2d03dae37f73e1b7f786868579c1716b84b96d508fddf975e6d5b
SHA512 405124d2f4cc3b51f10daa99518dff72f19bf66291698d9b3c51f1a4d6d5527d6b192e9c025eed3336b57dc6b69cb32c7e1bbf7f9f9d61115a1ce0a370fc9f7a

Analysis: behavioral4

Detonation Overview

Submitted

2024-07-29 20:11

Reported

2024-07-29 20:14

Platform

win10v2004-20240709-en

Max time kernel

37s

Max time network

41s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\discord_token_grabber.pyc

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\discord_token_grabber.pyc

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-07-29 20:11

Reported

2024-07-29 20:16

Platform

win10v2004-20240709-en

Max time kernel

149s

Max time network

151s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\get_cookies.pyc

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\get_cookies.pyc

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-07-29 20:11

Reported

2024-07-29 20:15

Platform

win7-20240729-en

Max time kernel

102s

Max time network

17s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\get_cookies.pyc

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\pyc_auto_file\ C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\.pyc\ = "pyc_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\pyc_auto_file C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\.pyc C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\pyc_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\pyc_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\pyc_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\get_cookies.pyc

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\get_cookies.pyc

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\get_cookies.pyc"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 60c1e56c372ddb298fd9bff8c2fd1a14
SHA1 c127d0e787704c588690d0f1f387353cff33f97f
SHA256 5315e9c98f7ccf3cc38005fb8535fcffb145eb09415d8ed165d2ef7b9d660f37
SHA512 fb8373bc1d0d2af8d1086f699111956f5cbe8a980c4910f37a654e8949a5fa63cbd6d0d0cc529b3366607d0b02279058a370b428469516f0d9326b153be6ebc7

Analysis: behavioral7

Detonation Overview

Submitted

2024-07-29 20:11

Reported

2024-07-29 20:15

Platform

win7-20240729-en

Max time kernel

120s

Max time network

122s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\misc.pyc

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\pyc_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\.pyc\ = "pyc_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\pyc_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\pyc_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\pyc_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\pyc_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\.pyc C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\misc.pyc

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\misc.pyc

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\misc.pyc"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 fca07cc184c1757bdb6d5648e32ff79c
SHA1 7bc0cfea2b9722c00313e5f259b5ee89ea2abd92
SHA256 abe02e47d92d3ad96dd399a8251d8554263c664501a20f3c05933ba20c55cb8b
SHA512 52bf74576fedee038d51d8cd56ab513262f626c460c72586ba362073a036ff6972a449966f60559214e7012998a133b86ec1e29cb0ae841e571932f01f9c8cc0

Analysis: behavioral8

Detonation Overview

Submitted

2024-07-29 20:11

Reported

2024-07-29 20:16

Platform

win10v2004-20240729-en

Max time kernel

1s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\misc.pyc

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-735441492-2964205366-2526932795-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-735441492-2964205366-2526932795-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\misc.pyc

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

N/A

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-07-29 20:11

Reported

2024-07-29 20:16

Platform

win7-20240729-en

Max time kernel

117s

Max time network

119s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\passwords_grabber.pyc

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\.pyc\ = "pyc_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\pyc_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\pyc_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\pyc_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\.pyc C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\pyc_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\pyc_auto_file C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\passwords_grabber.pyc

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\passwords_grabber.pyc

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\passwords_grabber.pyc"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 eefcbfed062b61c9b43bf42e24ce75a6
SHA1 1dadde0dd96f8615e577e824c7ef32d725a7b87a
SHA256 7afcc300737ca2906712ab65795a947ebe118e2e9878311481d8ef9218e8946b
SHA512 4f419dfb63c4d8a7d144e4c7c456a09b4184e93b2514769c32dd5c5ea0d031dc6e844f38ac0c369d5a19f4b5403fa8be80716e44f44a91606ac8b4a11544d8d5

Analysis: behavioral10

Detonation Overview

Submitted

2024-07-29 20:11

Reported

2024-07-29 20:13

Platform

win10v2004-20240709-en

Max time kernel

16s

Max time network

17s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\passwords_grabber.pyc

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\passwords_grabber.pyc

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-07-29 20:11

Reported

2024-07-29 20:16

Platform

win7-20240729-en

Max time kernel

102s

Max time network

18s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\source_prepared.pyc

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\pyc_auto_file\ C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\pyc_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\pyc_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\pyc_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\pyc_auto_file C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\.pyc C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\.pyc\ = "pyc_auto_file" C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\source_prepared.pyc

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\source_prepared.pyc

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\source_prepared.pyc"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 3a7f8ef03b3eaa4f7585abbb001d6d0a
SHA1 5c336af1dbf21f9e04c3e41454bba65e2746e44f
SHA256 c040219ad1a1c290937d3a5a8946104ce6ac76b0cb11c941a85831d00c79a6ac
SHA512 43655cdaffdb633955f93e9a1d1cae1b2c9a3e8581e0a5d3411a1d5e3e33211a9ffc385e5d0a6ec5a3f006e62847c01690133273a6730b6a1827cab10bba491b

Analysis: behavioral12

Detonation Overview

Submitted

2024-07-29 20:11

Reported

2024-07-29 20:16

Platform

win10v2004-20240709-en

Max time kernel

138s

Max time network

110s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\source_prepared.pyc

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\source_prepared.pyc

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-29 20:11

Reported

2024-07-29 20:13

Platform

win7-20240704-en

Max time kernel

13s

Max time network

18s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Celery.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Celery.exe

"C:\Users\Admin\AppData\Local\Temp\Celery.exe"

C:\Users\Admin\AppData\Local\Temp\Celery.exe

"C:\Users\Admin\AppData\Local\Temp\Celery.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\_MEI26802\ucrtbase.dll

MD5 3b337c2d41069b0a1e43e30f891c3813
SHA1 ebee2827b5cb153cbbb51c9718da1549fa80fc5c
SHA256 c04daeba7e7c4b711d33993ab4c51a2e087f98f4211aea0dcb3a216656ba0ab7
SHA512 fdb3012a71221447b35757ed2bdca6ed1f8833b2f81d03aabebd2cd7780a33a9c3d816535d03c5c3edd5aaf11d91156842b380e2a63135e3c7f87193ad211499

C:\Users\Admin\AppData\Local\Temp\_MEI26802\api-ms-win-core-localization-l1-2-0.dll

MD5 3e4e4b68179d85d2ef56d63cb6b4caa2
SHA1 5e75a9e9805ea454d9fb646b4cacff936357cbba
SHA256 897b716684eed10bd4214c9f518bbbbb8b5f76152a3f91355112873b0677d05c
SHA512 81e85262c3db997a021d4e73f80251783b9ec8fe022f4dce846e824252abd01fdc5f1f1084d6aad0b9cbbe30e08142a0d648816b856dc7068b2ce412399cef8b

C:\Users\Admin\AppData\Local\Temp\_MEI26802\api-ms-win-core-processthreads-l1-1-1.dll

MD5 3d73a0d2988f2d91e8bf09f1df449bf0
SHA1 6ccd48cd3dc1c23700c3b8f4a3b9dfdf8c08ff08
SHA256 521340b666bd5e74b395d56b7886a795b95dea9997a2eb6ff198c16745b55f18
SHA512 22713e21375dd0c87881862c74bf1945265ef81e4f91bf6a7b1cc3727a923e113c8dc2b12bc538f2f0fe8c3224ce6b776284b42be075831478d2d1fc251fb32e

C:\Users\Admin\AppData\Local\Temp\_MEI26802\api-ms-win-core-file-l1-2-0.dll

MD5 e2a03fb652b3f3f2a39d305e0fc991f9
SHA1 49292471fb6b2a08a3b5ea4d55c7ba63d7c22df4
SHA256 6d6aa0c0de2e39580807b2996070033fdbae5b41c4fa9520a102479731ba1e29
SHA512 b2f4336c29a9b8b59d206b11ef39208f95abde83efee90fb12ae9cb9cd84b983d431eebfd2b9550bd2ad47ba0332b0e57f86699aa2198d0f94e615adcc3ea9bc

C:\Users\Admin\AppData\Local\Temp\_MEI26802\api-ms-win-core-timezone-l1-1-0.dll

MD5 3f319e5743e66e32488529d75ec15981
SHA1 33f2ce75ede1df246703871331e7c4934790c639
SHA256 44704de5e39e481928088e5e3eab77498b1215ffb1ac10edb0568c0b29896232
SHA512 c8ac4fec1cd02851420480c379077af41f6cbb31fbeb66af114a7bef856b4e548aecc34ab816f0f7e3675ae3e0b35d789068e095241bc4e5fdcdbf6e55f1ded2

C:\Users\Admin\AppData\Local\Temp\_MEI26802\api-ms-win-core-file-l2-1-0.dll

MD5 50abf0a7ee67f00f247bada185a7661c
SHA1 0cddac9ac4db3bf10a11d4b79085ef9cb3fb84a1
SHA256 f957a4c261506484b53534a9be8931c02ec1a349b3f431a858f8215cecfec3f7
SHA512 c2694bb5d103baff1264926a04d2f0fe156b8815a23c3748412a81cc307b71a9236a0e974b5549321014065e393d10228a0f0004df9ba677f03b5d244a64b528

C:\Users\Admin\AppData\Local\Temp\_MEI26802\python311.dll

MD5 548809b87186356c7ac6421562015915
SHA1 8fa683eed7f916302c2eb1a548c12118bea414fa
SHA256 6c65da37cf6464507ad9d187a34f5b5d61544b83d831547642d17c01852599a1
SHA512 c0b63bf9908e23457cf6c2551219c7951bc1a164f3a585cde750b244fa628753ee43fde35f2aa76223fd9f90cf5ea582241ab510f7373a247eae0b26817198fc

memory/1624-1214-0x000007FEF53D0000-0x000007FEF59C2000-memory.dmp