asyncrat | hxxps://mega[.]nz/file/0G9HXIbA#it017-DThH2oLeGLIDxTkc_RlucIv1ttbYzkYnskyng

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07-08-2024 12:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/file/0G9HXIbA#it017-DThH2oLeGLIDxTkc_RlucIv1ttbYzkYnskyng

Score

10^/10

asyncrat def credential_access discovery persistence privilege_escalation pyinstaller rat spyware stealer

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

def

37.18.62.18:8060

Mutex

era2312swe12-1213rsgdkms23

Attributes

delay
1
install
true
install_file
CCXProcess.exe
install_folder
%Temp%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x0009000000023979-1473.dat	family_asyncrat

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Unlock.exe	Unlock.exe

Executes dropped EXE 5 IoCs

pid	Process
3412	Unlock.exe
828	Unlock.exe
2760	RuntimeBroker.exe
4032	x86.exe
4080	sysfile32.exe

Loads dropped DLL 57 IoCs

pid	Process
828	Unlock.exe
828	Unlock.exe
828	Unlock.exe
828	Unlock.exe
828	Unlock.exe
828	Unlock.exe
828	Unlock.exe
828	Unlock.exe
828	Unlock.exe
828	Unlock.exe
828	Unlock.exe
828	Unlock.exe
828	Unlock.exe
828	Unlock.exe
828	Unlock.exe
828	Unlock.exe
828	Unlock.exe
828	Unlock.exe
828	Unlock.exe
828	Unlock.exe
828	Unlock.exe
828	Unlock.exe
828	Unlock.exe
828	Unlock.exe
828	Unlock.exe
828	Unlock.exe
828	Unlock.exe
828	Unlock.exe
828	Unlock.exe
828	Unlock.exe
828	Unlock.exe
828	Unlock.exe
828	Unlock.exe
828	Unlock.exe
828	Unlock.exe
828	Unlock.exe
828	Unlock.exe
828	Unlock.exe
828	Unlock.exe
828	Unlock.exe
828	Unlock.exe
828	Unlock.exe
828	Unlock.exe
828	Unlock.exe
828	Unlock.exe
828	Unlock.exe
828	Unlock.exe
828	Unlock.exe
828	Unlock.exe
828	Unlock.exe
828	Unlock.exe
828	Unlock.exe
828	Unlock.exe
828	Unlock.exe
828	Unlock.exe
828	Unlock.exe
828	Unlock.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
75	discord.com
77	discord.com
65	raw.githubusercontent.com
66	raw.githubusercontent.com
70	raw.githubusercontent.com
74	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
71	api.ipify.org
72	api.ipify.org

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x0008000000023507-224.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
2464	cmd.exe
3548	netsh.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
4744	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133675075222914604"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2596	chrome.exe
2596	chrome.exe
2760	RuntimeBroker.exe
2760	RuntimeBroker.exe
2760	RuntimeBroker.exe
2760	RuntimeBroker.exe
2760	RuntimeBroker.exe
2760	RuntimeBroker.exe
2760	RuntimeBroker.exe
2760	RuntimeBroker.exe
2760	RuntimeBroker.exe
2760	RuntimeBroker.exe
2760	RuntimeBroker.exe
2760	RuntimeBroker.exe
2760	RuntimeBroker.exe
2760	RuntimeBroker.exe
2760	RuntimeBroker.exe
2760	RuntimeBroker.exe
2760	RuntimeBroker.exe
2760	RuntimeBroker.exe
2760	RuntimeBroker.exe
2760	RuntimeBroker.exe
2760	RuntimeBroker.exe
2760	RuntimeBroker.exe
2760	RuntimeBroker.exe
2760	RuntimeBroker.exe
2760	RuntimeBroker.exe
2760	RuntimeBroker.exe
2760	RuntimeBroker.exe
2760	RuntimeBroker.exe
2760	RuntimeBroker.exe
2760	RuntimeBroker.exe
2760	RuntimeBroker.exe
2760	RuntimeBroker.exe
2760	RuntimeBroker.exe
2760	RuntimeBroker.exe
2760	RuntimeBroker.exe
2760	RuntimeBroker.exe
2760	RuntimeBroker.exe
2760	RuntimeBroker.exe
2760	RuntimeBroker.exe
2760	RuntimeBroker.exe
2760	RuntimeBroker.exe
2760	RuntimeBroker.exe
2760	RuntimeBroker.exe
2760	RuntimeBroker.exe
2760	RuntimeBroker.exe
2760	RuntimeBroker.exe
2760	RuntimeBroker.exe
2760	RuntimeBroker.exe
2760	RuntimeBroker.exe
2760	RuntimeBroker.exe
2760	RuntimeBroker.exe
2760	RuntimeBroker.exe
2760	RuntimeBroker.exe
2760	RuntimeBroker.exe
2760	RuntimeBroker.exe
2760	RuntimeBroker.exe
2760	RuntimeBroker.exe
2760	RuntimeBroker.exe
2760	RuntimeBroker.exe
2760	RuntimeBroker.exe
2760	RuntimeBroker.exe
2760	RuntimeBroker.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
2596	chrome.exe
2596	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
3916	7zG.exe
2596	chrome.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe

Suspicious use of SendNotifyMessage 62 IoCs

pid	Process
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2760	RuntimeBroker.exe
2760	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2596 wrote to memory of 540	2596	chrome.exe	83
PID 2596 wrote to memory of 540	2596	chrome.exe	83
PID 2596 wrote to memory of 1656	2596	chrome.exe	84
PID 2596 wrote to memory of 1656	2596	chrome.exe	84
PID 2596 wrote to memory of 1656	2596	chrome.exe	84
PID 2596 wrote to memory of 1656	2596	chrome.exe	84
PID 2596 wrote to memory of 1656	2596	chrome.exe	84
PID 2596 wrote to memory of 1656	2596	chrome.exe	84
PID 2596 wrote to memory of 1656	2596	chrome.exe	84
PID 2596 wrote to memory of 1656	2596	chrome.exe	84
PID 2596 wrote to memory of 1656	2596	chrome.exe	84
PID 2596 wrote to memory of 1656	2596	chrome.exe	84
PID 2596 wrote to memory of 1656	2596	chrome.exe	84
PID 2596 wrote to memory of 1656	2596	chrome.exe	84
PID 2596 wrote to memory of 1656	2596	chrome.exe	84
PID 2596 wrote to memory of 1656	2596	chrome.exe	84
PID 2596 wrote to memory of 1656	2596	chrome.exe	84
PID 2596 wrote to memory of 1656	2596	chrome.exe	84
PID 2596 wrote to memory of 1656	2596	chrome.exe	84
PID 2596 wrote to memory of 1656	2596	chrome.exe	84
PID 2596 wrote to memory of 1656	2596	chrome.exe	84
PID 2596 wrote to memory of 1656	2596	chrome.exe	84
PID 2596 wrote to memory of 1656	2596	chrome.exe	84
PID 2596 wrote to memory of 1656	2596	chrome.exe	84
PID 2596 wrote to memory of 1656	2596	chrome.exe	84
PID 2596 wrote to memory of 1656	2596	chrome.exe	84
PID 2596 wrote to memory of 1656	2596	chrome.exe	84
PID 2596 wrote to memory of 1656	2596	chrome.exe	84
PID 2596 wrote to memory of 1656	2596	chrome.exe	84
PID 2596 wrote to memory of 1656	2596	chrome.exe	84
PID 2596 wrote to memory of 1656	2596	chrome.exe	84
PID 2596 wrote to memory of 1656	2596	chrome.exe	84
PID 2596 wrote to memory of 4392	2596	chrome.exe	85
PID 2596 wrote to memory of 4392	2596	chrome.exe	85
PID 2596 wrote to memory of 3936	2596	chrome.exe	86
PID 2596 wrote to memory of 3936	2596	chrome.exe	86
PID 2596 wrote to memory of 3936	2596	chrome.exe	86
PID 2596 wrote to memory of 3936	2596	chrome.exe	86
PID 2596 wrote to memory of 3936	2596	chrome.exe	86
PID 2596 wrote to memory of 3936	2596	chrome.exe	86
PID 2596 wrote to memory of 3936	2596	chrome.exe	86
PID 2596 wrote to memory of 3936	2596	chrome.exe	86
PID 2596 wrote to memory of 3936	2596	chrome.exe	86
PID 2596 wrote to memory of 3936	2596	chrome.exe	86
PID 2596 wrote to memory of 3936	2596	chrome.exe	86
PID 2596 wrote to memory of 3936	2596	chrome.exe	86
PID 2596 wrote to memory of 3936	2596	chrome.exe	86
PID 2596 wrote to memory of 3936	2596	chrome.exe	86
PID 2596 wrote to memory of 3936	2596	chrome.exe	86
PID 2596 wrote to memory of 3936	2596	chrome.exe	86
PID 2596 wrote to memory of 3936	2596	chrome.exe	86
PID 2596 wrote to memory of 3936	2596	chrome.exe	86
PID 2596 wrote to memory of 3936	2596	chrome.exe	86
PID 2596 wrote to memory of 3936	2596	chrome.exe	86
PID 2596 wrote to memory of 3936	2596	chrome.exe	86
PID 2596 wrote to memory of 3936	2596	chrome.exe	86
PID 2596 wrote to memory of 3936	2596	chrome.exe	86
PID 2596 wrote to memory of 3936	2596	chrome.exe	86
PID 2596 wrote to memory of 3936	2596	chrome.exe	86
PID 2596 wrote to memory of 3936	2596	chrome.exe	86
PID 2596 wrote to memory of 3936	2596	chrome.exe	86
PID 2596 wrote to memory of 3936	2596	chrome.exe	86
PID 2596 wrote to memory of 3936	2596	chrome.exe	86
PID 2596 wrote to memory of 3936	2596	chrome.exe	86

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://mega.nz/file/0G9HXIbA#it017-DThH2oLeGLIDxTkc_RlucIv1ttbYzkYnskyng
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffa1597cc40,0x7ffa1597cc4c,0x7ffa1597cc58
  2⤵
  PID:540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1908,i,17524991310837591784,7352966558809153187,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1904 /prefetch:2
  2⤵
  PID:1656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2140,i,17524991310837591784,7352966558809153187,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2160 /prefetch:3
  2⤵
  PID:4392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2272,i,17524991310837591784,7352966558809153187,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2440 /prefetch:8
  2⤵
  PID:3936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3124,i,17524991310837591784,7352966558809153187,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3144 /prefetch:1
  2⤵
  PID:968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3140,i,17524991310837591784,7352966558809153187,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3192 /prefetch:1
  2⤵
  PID:2892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4912,i,17524991310837591784,7352966558809153187,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4924 /prefetch:8
  2⤵
  PID:4744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=4584,i,17524991310837591784,7352966558809153187,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3864 /prefetch:8
  2⤵
  PID:1100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5108,i,17524991310837591784,7352966558809153187,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5232 /prefetch:8
  2⤵
  PID:4612

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1760

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3020

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x490 0x2ec
1⤵
PID:1092

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5104

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Unlock\" -spe -an -ai#7zMap17645:74:7zEvent3106
1⤵
- Suspicious use of FindShellTrayWindow
PID:3916

C:\Users\Admin\Downloads\Unlock\Unlock.exe
"C:\Users\Admin\Downloads\Unlock\Unlock.exe"
1⤵
- Executes dropped EXE
PID:3412
- C:\Users\Admin\Downloads\Unlock\Unlock.exe
  "C:\Users\Admin\Downloads\Unlock\Unlock.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  PID:828
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
    3⤵
    PID:1220
  - - C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
      C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:2760
    - - \??\c:\windows\system32\cmstp.exe
        
        "c:\windows\system32\cmstp.exe" /au C:\windows\temp\h22i3qnc.inf
        5⤵
        
        PID:4688
    - - C:\Users\Admin\AppData\Local\Temp\sysfile32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sysfile32.exe"
        5⤵
        Executes dropped EXE
        
        PID:4080
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
    3⤵
    PID:4064
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
      4⤵
      PID:3484
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:2464
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:3548

C:\Users\Admin\AppData\Local\Temp\x86.exe
C:\Users\Admin\AppData\Local\Temp\x86.exe
1⤵
- Executes dropped EXE
PID:4032

C:\Windows\system32\taskkill.exe
taskkill /IM cmstp.exe /F
1⤵
- Kills process with taskkill
PID:4744

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000022

Filesize
17KB

MD5
950eca48e414acbe2c3b5d046dcb8521

SHA1
1731f264e979f18cdf08c405c7b7d32789a6fb59

SHA256
c0bbe530abfce19e06697bc4358eb426e076ccdb9113e22df4a6f32085da67a2

SHA512
27e55525ade4d099a6881011f6e2e0d5d3a9ca7181f4f014dc231d40b3b1907d0d437b0c44d336c25dd7b73209cd773b8563675ac260c43c7752e2d2d694d4d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
3dd13a5c0bd166d1bff60023de4f78b6

SHA1
a628dd081f71b7978970752f37556830569cfdbe

SHA256
0873e99839e430c13b8ba4a763d4e3a02eee0681ce0cb94b9534a1bd25fd499d

SHA512
6ddd81726ff6632fa9a500b80c01af51562353dd7543071248f52142dfb058383fa0b91f213ac931fbf8cfabcf3b2fb42dfdb0790e54838f169f41f1e3a0f563

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\000\p\Paths\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\000\t\Paths\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
d42b0f14c405b0590570c24d530433c1

SHA1
3179bbd557114d206f69186d98397766712f4f0f

SHA256
3343a1a54174fc7af63b2029df8793beedac038c856e028c684a6e5c175c6a6a

SHA512
7d82b41a2e954c6d7127659a512926dddb2fa36f49502a4e3c1383d489f2e8565d6102def9d97d0ce1d24db728dea530220371b0af5f3eff09516240225be25c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
523B

MD5
8fe6743a264d8b7bb54e54e61c23bc46

SHA1
139fc2600a02dba1ef57bcc29e6e88b1ce832a99

SHA256
df4dc820b4311b7b382796980a8f4cda5e3207e7ff26d73a8c1b422f8053eb66

SHA512
a76dbab237bc0e783021a6ba670509ed5838dd9b83486e5c61e3835bc15c3947c3aa0f085bd906bafcbf696705fc8b87f285cc1ecd07a3e98fd29c7e805b78a8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
1b05833d59f2af006d4828abd3f02fa2

SHA1
625268d547cb960322a019638f587d15acc06e79

SHA256
f254d6004eab1d1ca47f6dd9d675cd3f834ce54f25d49515c9af1b39dff21f46

SHA512
b52848eacac569d91b6dc833e71bd19a277b51e78c2b00a0b401ac6f9327eb4895e19c1a285c6a9a3f6a4b303f9f983b92ce02e9d345a3b1ee33fff4d6cd87da

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3d088aeaa7d02a53d45f165439286866

SHA1
8539ff0b360c8fc3dfc0877cba04f2c0930501c2

SHA256
ae63fda4ef828394487888492bea02d8252b08b03602527a89a01360c49e2626

SHA512
a717fc6865314c7c846a6bfee4d52fd6e9712d5557dbf090ee571fcde937293e075ff4e4d8f70753684f9a7b9ed16526c476be8d78d2776f34a9b1886dc69827

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
9393cf6672f9b857e5b1618a75d53987

SHA1
f60bb88c0d0a4a2550707232d0965a7822864050

SHA256
e13a9f7570b97617c47f04a4bb9b0f9f9dcdd91f9b9d2a59fd3fc5d95f8f2338

SHA512
cb1485d7c607c71089d6a48125006835c12cfe71e908fdb5673da10943899dab98ce9454ddaa2028a9b11218ea7707ec37f4d8038eaf2c451a9c03888956b1e1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
efe9ab865bbee66f73a74c0d76a5ff05

SHA1
f90bdee4dc51979650c7ac4a7d36ffa95c5d0982

SHA256
bf38aae4e5c464b7fa1768e06e6dba25d190fdb8f0609b70e9858cd258578650

SHA512
4151511d9a19929963622994bde1a1d6aebf74e0154c1d521d1aa9584e2f87e4f26a9a6a170cbdfb9d11758b928c86c6cbdf4a4f0a046821a798e3c72c6da037

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
420381b9f58b5c4bd6e2e389e1306983

SHA1
eceb0da335d811fe58597e83ec85a6b4097debf2

SHA256
3836cb8d7c857154e4e1ca1bce80ae22e010955ff8812b334968da7933558429

SHA512
28a29e55ae5b685a77252dfc66d54206e9b0b381005ec6e5854d04f4a56d425019c457a62548bd9964becb2a562f4bdf31e4604e6b6dbb2bc9a25024626f0fb0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
a8acb436475915023e1dfe75dc0c77c3

SHA1
c9298b4fe50cea945154e4ea685f9f41d96cf981

SHA256
138c643f42e3beb5f37c8e52647b179a258fa26553d116e4055bcaa4a93a03a9

SHA512
fa1ef6262433702a2f574c8f124f815860f1ccc76e287c5bdfee3dff5693dc1db819576e8210602c380b985e204bce8285bbc0b7d0caa914aff41fbeaa6ca563

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
a1cf00fbbf3018c62ab7fdf4cf747b2f

SHA1
6d62308a3d9c13577fdc8d871e8fc9a819c6b128

SHA256
b477c7b94a86d2df96726ce67d92b770ecf61eb5c9030f6d7d88beba03122875

SHA512
1796d3e647a9c7fc9a09ee370535426f83538ab9bb39c4899686c7871417f025184db0c430fe6358fb725cad3b36b36dc3e54d45c184b782a4108931a14bb0d0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
0ef55133a2be5203f32c3d3b1082ee32

SHA1
88933be5c426e2f4e0a433fd4d90c91e3e577a69

SHA256
cd16b31a2733870b63591f700256d08a99fee2f1d534a4a6c40a0babb6b3e881

SHA512
3acd654972a852967abfbc87fb68f87a41a818560997594c0c475275bd79b8432984c9876731557a24d26150a9bea91055846999bd91ba019ba5be5b374e1511

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
6242f7ff822398a717f1518268f36eb9

SHA1
701ef122c6d23c913298f819fad93295cd20fe19

SHA256
95c53775c8f70220f8eda4957af2a13272ae4fb682183b3da5d7dd2fdb2be2ef

SHA512
380088fccaaf42ed79c00fe4dcdf25456c30a807b019d80500a997ad3162fabeb4fbbe6f7f292ae1554c7a0c89d14bd40349e07bbf7f2765b5bd2013745725f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34122\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34122\VCRUNTIME140_1.dll

Filesize
48KB

MD5
f8dfa78045620cf8a732e67d1b1eb53d

SHA1
ff9a604d8c99405bfdbbf4295825d3fcbc792704

SHA256
a113f192195f245f17389e6ecbed8005990bcb2476ddad33f7c4c6c86327afe5

SHA512
ba7f8b7ab0deb7a7113124c28092b543e216ca08d1cf158d9f40a326fb69f4a2511a41a59ea8482a10c9ec4ec8ac69b70dfe9ca65e525097d93b819d498da371

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34122\_asyncio.pyd

Filesize
69KB

MD5
477dba4d6e059ea3d61fad7b6a7da10e

SHA1
1f23549e60016eeed508a30479886331b22f7a8b

SHA256
5bebeb765ab9ef045bc5515166360d6f53890d3ad6fc360c20222d61841410b6

SHA512
8119362c2793a4c5da25a63ca68aa3b144db7e4c08c80cbe8c8e7e8a875f1bd0c30e497208ce20961ddb38d3363d164b6e1651d3e030ed7b8ee5f386faf809d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34122\_bz2.pyd

Filesize
83KB

MD5
5bebc32957922fe20e927d5c4637f100

SHA1
a94ea93ee3c3d154f4f90b5c2fe072cc273376b3

SHA256
3ed0e5058d370fb14aa5469d81f96c5685559c054917c7280dd4125f21d25f62

SHA512
afbe80a73ee9bd63d9ffa4628273019400a75f75454667440f43beb253091584bf9128cbb78ae7b659ce67a5faefdba726edb37987a4fe92f082d009d523d5d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34122\_cffi_backend.cp312-win_amd64.pyd

Filesize
178KB

MD5
0572b13646141d0b1a5718e35549577c

SHA1
eeb40363c1f456c1c612d3c7e4923210eae4cdf7

SHA256
d8a76d1e31bbd62a482dea9115fc1a109cb39af4cf6d1323409175f3c93113a7

SHA512
67c28432ca8b389acc26e47eb8c4977fddd4af9214819f89df07fecbc8ed750d5f35807a1b195508dd1d77e2a7a9d7265049dcfbfe7665a7fd1ba45da1e4e842

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34122\_ctypes.pyd

Filesize
122KB

MD5
fb454c5e74582a805bc5e9f3da8edc7b

SHA1
782c3fa39393112275120eaf62fc6579c36b5cf8

SHA256
74e0e8384f6c2503215f4cf64c92efe7257f1aec44f72d67ad37dc8ba2530bc1

SHA512
727ada80098f07849102c76b484e9a61fb0f7da328c0276d82c6ee08213682c89deeb8459139a3fbd7f561bffaca91650a429e1b3a1ff8f341cebdf0bfa9b65d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34122\_decimal.pyd

Filesize
251KB

MD5
492c0c36d8ed1b6ca2117869a09214da

SHA1
b741cae3e2c9954e726890292fa35034509ef0f6

SHA256
b8221d1c9e2c892dd6227a6042d1e49200cd5cb82adbd998e4a77f4ee0e9abf1

SHA512
b8f1c64ad94db0252d96082e73a8632412d1d73fb8095541ee423df6f00bc417a2b42c76f15d7e014e27baae0ef50311c3f768b1560db005a522373f442e4be0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34122\_hashlib.pyd

Filesize
64KB

MD5
da02cefd8151ecb83f697e3bd5280775

SHA1
1c5d0437eb7e87842fde55241a5f0ca7f0fc25e7

SHA256
fd77a5756a17ec0788989f73222b0e7334dd4494b8c8647b43fe554cf3cfb354

SHA512
a13bc5c481730f48808905f872d92cb8729cc52cfb4d5345153ce361e7d6586603a58b964a1ebfd77dd6222b074e5dcca176eaaefecc39f75496b1f8387a2283

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34122\_lzma.pyd

Filesize
156KB

MD5
195defe58a7549117e06a57029079702

SHA1
3795b02803ca37f399d8883d30c0aa38ad77b5f2

SHA256
7bf9ff61babebd90c499a8ed9b62141f947f90d87e0bbd41a12e99d20e06954a

SHA512
c47a9b1066dd9744c51ed80215bd9645aab6cc9d6a3f9df99f618e3dd784f6c7ce6f53eabe222cf134ee649250834193d5973e6e88f8a93151886537c62e2e2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34122\_multiprocessing.pyd

Filesize
34KB

MD5
2bd43e8973882e32c9325ef81898ae62

SHA1
1e47b0420a2a1c1d910897a96440f1aeef5fa383

SHA256
3c34031b464e7881d8f9d182f7387a86b883581fd020280ec56c1e3ec6f4cc2d

SHA512
9d51bbd25c836f4f5d1fb9b42853476e13576126b8b521851948bdf08d53b8d4b4f66d2c8071843b01aa5631abdf13dc53c708dba195656a30f262dce30a88ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34122\_overlapped.pyd

Filesize
54KB

MD5
7e4553ca5c269e102eb205585cc3f6b4

SHA1
73a60dbc7478877689c96c37107e66b574ba59c9

SHA256
d5f89859609371393d379b5ffd98e5b552078050e8b02a8e2900fa9b4ee8ff91

SHA512
65b72bc603e633596d359089c260ee3d8093727c4781bff1ec0b81c8244af68f69ff3141424c5de12355c668ae3366b4385a0db7455486c536a13529c47b54ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34122\_queue.pyd

Filesize
31KB

MD5
b7e5fbd7ef3eefff8f502290c0e2b259

SHA1
9decba47b1cdb0d511b58c3146d81644e56e3611

SHA256
dbdabb5fe0ccbc8b951a2c6ec033551836b072cab756aaa56b6f22730080d173

SHA512
b7568b9df191347d1a8d305bd8ddd27cbfa064121c785fa2e6afef89ec330b60cafc366be2b22409d15c9434f5e46e36c5cbfb10783523fdcac82c30360d36f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34122\_socket.pyd

Filesize
81KB

MD5
dd8ff2a3946b8e77264e3f0011d27704

SHA1
a2d84cfc4d6410b80eea4b25e8efc08498f78990

SHA256
b102522c23dac2332511eb3502466caf842d6bcd092fbc276b7b55e9cc01b085

SHA512
958224a974a3449bcfb97faab70c0a5b594fa130adc0c83b4e15bdd7aab366b58d94a4a9016cb662329ea47558645acd0e0cc6df54f12a81ac13a6ec0c895cd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34122\_sqlite3.pyd

Filesize
122KB

MD5
c3a41d98c86cdf7101f8671d6cebefda

SHA1
a06fce1ac0aab9f2fe6047642c90b1dd210fe837

SHA256
ee0e9b0a0af6a98d5e8ad5b9878688d2089f35978756196222b9d45f49168a9d

SHA512
c088372afcfe4d014821b728e106234e556e00e5a6605f616745b93f345f9da3d8b3f69af20e94dbadfd19d3aa9991eb3c7466db5648ea452356af462203706c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34122\_ssl.pyd

Filesize
174KB

MD5
c87c5890039c3bdb55a8bc189256315f

SHA1
84ef3c2678314b7f31246471b3300da65cb7e9de

SHA256
a5d361707f7a2a2d726b20770e8a6fc25d753be30bcbcbbb683ffee7959557c2

SHA512
e750dc36ae00249ed6da1c9d816f1bd7f8bc84ddea326c0cd0410dbcfb1a945aac8c130665bfacdccd1ee2b7ac097c6ff241bfc6cc39017c9d1cde205f460c44

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34122\_testcapi.pyd

Filesize
276KB

MD5
268a17005280ad1fa4d26f7664449bb8

SHA1
5dd255fc229f6e8483aba2339d815500724c4c9b

SHA256
3f8a1a53b772a8230b69087d56e4287cc6f6271dc173ccc680f34a6771a28b95

SHA512
7cce1a73c589452270a6f0c6793394ea1970360f23bd1254b3db3a04c21fc1db8d07d8b0eb751750cbfcb4e4feba309eb149bd701d7a57992454eb9cebee3ee7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34122\_testinternalcapi.pyd

Filesize
50KB

MD5
130759a21dc30cbc88c56b6e4c6f6ddf

SHA1
9f8b4990570a6f8d43b11ca766d91eb85faa229c

SHA256
6f928fe31da7f83d392572cca445b93dad91541735f90bd55b8e622e759feaf9

SHA512
a08cc2185d17b57dba7a01d0ee879ad1e515899a988574ec7cb433f2aaf9cf2962da75f9953d98b2605ff3b5eecca80989803916013066692ab76c954dcb7c43

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34122\_tkinter.pyd

Filesize
64KB

MD5
276791cca50a8b8a334d3f4f9ff520e2

SHA1
c0d73f309ef98038594c6338c81606a9947bd7f8

SHA256
a1c74836bad3d9b0aaec8dccd92e552b5ad583bfea7ef21cd40713a265d94f7e

SHA512
ef1ed2eacf86885531fc0963c84c1c99773d963d5a709030df6cfee5027604e1402a55b6fe26019a3ab922fd27895d0e2ef5572a50195372b1bfb1539eac0dd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34122\_uuid.pyd

Filesize
25KB

MD5
50521b577719195d7618a23b3103d8aa

SHA1
7020d2e107000eaf0eddde74bc3809df2c638e22

SHA256
acbf831004fb8b8d5340fe5debd9814c49bd282dd765c78faeb6bb5116288c78

SHA512
4ee950da8bbbd36932b488ec62fa046ac8fc35783a146edadbe063b8419a63d4dfb5bbd8c45e9e008fe708e6fc4a1fee1202fce92ffc95320547ba714fed95e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34122\_wmi.pyd

Filesize
36KB

MD5
8a9a59559c614fc2bcebb50073580c88

SHA1
4e4ced93f2cb5fe6a33c1484a705e10a31d88c4d

SHA256
752fb80edb51f45d3cc1c046f3b007802432b91aef400c985640d6b276a67c12

SHA512
9b17c81ff89a41307740371cb4c2f5b0cf662392296a7ab8e5a9eba75224b5d9c36a226dce92884591636c343b8238c19ef61c1fdf50cc5aa2da86b1959db413

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34122\base_library.zip

Filesize
1.3MB

MD5
68f96a1f0b49d240b392ebb7ea147939

SHA1
5d8aa0cccc0f744f17e546ef7120308016cb5438

SHA256
29556cc179d145e9f64d287f0455991bd62a8dc4304e20429f83a1a40959fd09

SHA512
b326d5feb4f9b3d76254240dc3b0d16cb60c0a47d75ab7a1742fe7bb0bdfafff00a9d24a4c84559f1b2b04d23fd4f53d3b8d654532cb7c57c60bb83041331d35

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34122\jaraco\text\Lorem ipsum.txt

Filesize
1KB

MD5
4ce7501f6608f6ce4011d627979e1ae4

SHA1
78363672264d9cd3f72d5c1d3665e1657b1a5071

SHA256
37fedcffbf73c4eb9f058f47677cb33203a436ff9390e4d38a8e01c9dad28e0b

SHA512
a4cdf92725e1d740758da4dd28df5d1131f70cef46946b173fe6956cc0341f019d7c4fecc3c9605f354e1308858721dada825b4c19f59c5ad1ce01ab84c46b24

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34122\libcrypto-3.dll

Filesize
5.0MB

MD5
e547cf6d296a88f5b1c352c116df7c0c

SHA1
cafa14e0367f7c13ad140fd556f10f320a039783

SHA256
05fe080eab7fc535c51e10c1bd76a2f3e6217f9c91a25034774588881c3f99de

SHA512
9f42edf04c7af350a00fa4fdf92b8e2e6f47ab9d2d41491985b20cd0adde4f694253399f6a88f4bdd765c4f49792f25fb01e84ec03fd5d0be8bb61773d77d74d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34122\libffi-8.dll

Filesize
38KB

MD5
0f8e4992ca92baaf54cc0b43aaccce21

SHA1
c7300975df267b1d6adcbac0ac93fd7b1ab49bd2

SHA256
eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a

SHA512
6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34122\libssl-3.dll

Filesize
768KB

MD5
19a2aba25456181d5fb572d88ac0e73e

SHA1
656ca8cdfc9c3a6379536e2027e93408851483db

SHA256
2e9fbcd8f7fdc13a5179533239811456554f2b3aa2fb10e1b17be0df81c79006

SHA512
df17dc8a882363a6c5a1b78ba3cf448437d1118ccc4a6275cc7681551b13c1a4e0f94e30ffb94c3530b688b62bff1c03e57c2c185a7df2bf3e5737a06e114337

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34122\pyexpat.pyd

Filesize
197KB

MD5
958231414cc697b3c59a491cc79404a7

SHA1
3dec86b90543ea439e145d7426a91a7aca1eaab6

SHA256
efd6099b1a6efdadd988d08dce0d8a34bd838106238250bccd201dc7dcd9387f

SHA512
fd29d0aab59485340b68dc4552b9e059ffb705d4a64ff9963e1ee8a69d9d96593848d07be70528d1beb02bbbbd69793ee3ea764e43b33879f5c304d8a912c3be

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34122\python3.dll

Filesize
66KB

MD5
a07661c5fad97379cf6d00332999d22c

SHA1
dca65816a049b3cce5c4354c3819fef54c6299b0

SHA256
5146005c36455e7ede4b8ecc0dc6f6fa8ea6b4a99fedbabc1994ae27dfab9d1b

SHA512
6ddeb9d89ccb4d2ec5d994d85a55e5e2cc7af745056dae030ab8d72ee7830f672003f4675b6040f123fc64c19e9b48cabd0da78101774dafacf74a88fbd74b4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34122\python312.dll

Filesize
6.6MB

MD5
d521654d889666a0bc753320f071ef60

SHA1
5fd9b90c5d0527e53c199f94bad540c1e0985db6

SHA256
21700f0bad5769a1b61ea408dc0a140ffd0a356a774c6eb0cc70e574b929d2e2

SHA512
7a726835423a36de80fb29ef65dfe7150bd1567cac6f3569e24d9fe091496c807556d0150456429a3d1a6fd2ed0b8ae3128ea3b8674c97f42ce7c897719d2cd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34122\select.pyd

Filesize
30KB

MD5
d0cc9fc9a0650ba00bd206720223493b

SHA1
295bc204e489572b74cc11801ed8590f808e1618

SHA256
411d6f538bdbaf60f1a1798fa8aa7ed3a4e8fcc99c9f9f10d21270d2f3742019

SHA512
d3ebcb91d1b8aa247d50c2c4b2ba1bf3102317c593cbf6c63883e8bf9d6e50c0a40f149654797abc5b4f17aee282ddd972a8cd9189bfcd5b9cec5ab9c341e20b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34122\sqlite3.dll

Filesize
1.5MB

MD5
e52f6b9bd5455d6f4874f12065a7bc39

SHA1
8a3cb731e9c57fd8066d6dad6b846a5f857d93c8

SHA256
7ef475d27f9634f6a75e88959e003318d7eb214333d25bdf9be1270fa0308c82

SHA512
764bfb9ead13361be7583448b78f239964532fd589e8a2ad83857192bf500f507260b049e1eb7522dedadc81ac3dfc76a90ddeb0440557844abed6206022da96

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34122\tcl86t.dll

Filesize
1.7MB

MD5
108d97000657e7b1b95626350784ed23

SHA1
3814e6e5356b26e6e538f2c1803418eb83941e30

SHA256
3d2769e69d611314d517fc9aad688a529670af94a7589f728107180ae105218f

SHA512
9475cd1c8fe2e769ed0e8469d1f19cdf808f930cccc3baf581888a705f195c9be02652168d9c1c25ba850502f94e7eb87687c2c75f0f699c38309bc92b9004a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34122\tk86t.dll

Filesize
1.5MB

MD5
4cdd92e60eb291053d2ad12bf0710749

SHA1
31424e8d35459ba43672f05abba1e37c23f74536

SHA256
b30576b60aee548838243601952a05b70a9fc937f5a607f6b1413cd5ed04d900

SHA512
80c3bb58817578708e14ba173bfbe8f62fb54efa22feb8ff08b9eefa4462b74062654f956f965c7caa8aa16295229b58ef9eea8d2c4c94652bde1e61038e6ffe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34122\unicodedata.pyd

Filesize
1.1MB

MD5
cc8142bedafdfaa50b26c6d07755c7a6

SHA1
0fcab5816eaf7b138f22c29c6d5b5f59551b39fe

SHA256
bc2cf23b7b7491edcf03103b78dbaf42afd84a60ea71e764af9a1ddd0fe84268

SHA512
c3b0c1dbe5bf159ab7706f314a75a856a08ebb889f53fe22ab3ec92b35b5e211edab3934df3da64ebea76f38eb9bfc9504db8d7546a36bc3cabe40c5599a9cbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34122\wheel-0.43.0.dist-info\INSTALLER

Filesize
4B

MD5
365c9bfeb7d89244f2ce01c1de44cb85

SHA1
d7a03141d5d6b1e88b6b59ef08b6681df212c599

SHA256
ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508

SHA512
d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34122\zlib1.dll

Filesize
143KB

MD5
fa87d95aa4f9348d3f3b75d62a23658d

SHA1
b8829e2ec83b1950ae013be60ed3e7616ce2ed80

SHA256
21feea753a6f991f01bcf9d30afada06eca3a105e97d5d81998ef359c4fc86a3

SHA512
cb965cfc905b7c588bd2009d4915973a004de658b6153de9fe2ae8b27c5612b56de14b95499ec050b70d16f89f0313cd81a3afa827a30c38aa206e44c11ef283

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xhoa3pko.3jc.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\sysfile32.exe

Filesize
52KB

MD5
0c2d61d64f4325ca752202e5bf792e9e

SHA1
e7655910a124dd10beb774a693f7caccf849b438

SHA256
d0dd06d26f09eed4755de33c63e29aeb8161cd9b0ca123af3474c5594df57ec1

SHA512
1205a69419c38605e9a84200b1cc7731a3e169fae265dfc324a9edaf98bbc06f110bdf63d08f6b97d312cd0ce1fffe9ef8649f116ac27eb8b659ad88519d9c46

Download Submit
C:\Users\Admin\Downloads\Unlock.rar

Filesize
26.4MB

MD5
8be73a76726f8e394014ba821bf453b9

SHA1
5b6cc54ccc09d611958ee05a06a751c8042b8724

SHA256
6cb0f044765c99f1c74e2f6d4e1548fe6d5a5a640404366f7288849746503239

SHA512
c92e0c6c8610ccc9657f99b9fd7d29ec6982b49de466a3175be46d5da3b34d64a0d2693724e2ec56a9c24237aca3077fa05638340c6e009d85dd8fc189bc19bc

Download Submit
C:\Users\Admin\Downloads\Unlock\Unlock.exe

Filesize
27.4MB

MD5
e6d4a680b24fa19e9dd7c1c7cf2caf01

SHA1
bd6061698b1bf477ccd35407a50464186010dfea

SHA256
be4b69bfc69797ab282a236ca5f2cb5c9dc443f77264e7264bb0b90d3d947b56

SHA512
729794607b5e080dfd37357741d507c0f2c9430bef6b08cb111e4dba2e020e756b95e726752cd8067f6201f6266e87da59b5efc4e768223e79c5590cd3c55f4e

Download Submit
memory/2760-1340-0x0000000000D90000-0x0000000000D98000-memory.dmp

Filesize
32KB

Download
memory/2760-1350-0x000000001BF70000-0x000000001BF92000-memory.dmp

Filesize
136KB

Download
memory/2760-1456-0x000000001B9F0000-0x000000001BA02000-memory.dmp

Filesize
72KB

Download
memory/4032-1458-0x00000000009F0000-0x00000000009F8000-memory.dmp

Filesize
32KB

Download
memory/4080-1479-0x0000000000850000-0x0000000000862000-memory.dmp

Filesize
72KB

Download
memory/5044-2513-0x000001E72E770000-0x000001E72E771000-memory.dmp

Filesize
4KB

Download
memory/5044-2514-0x000001E72E770000-0x000001E72E771000-memory.dmp

Filesize
4KB

Download
memory/5044-2515-0x000001E72E770000-0x000001E72E771000-memory.dmp

Filesize
4KB

Download
memory/5044-2525-0x000001E72E770000-0x000001E72E771000-memory.dmp

Filesize
4KB

Download
memory/5044-2524-0x000001E72E770000-0x000001E72E771000-memory.dmp

Filesize
4KB

Download
memory/5044-2523-0x000001E72E770000-0x000001E72E771000-memory.dmp

Filesize
4KB

Download
memory/5044-2522-0x000001E72E770000-0x000001E72E771000-memory.dmp

Filesize
4KB

Download
memory/5044-2521-0x000001E72E770000-0x000001E72E771000-memory.dmp

Filesize
4KB

Download
memory/5044-2520-0x000001E72E770000-0x000001E72E771000-memory.dmp

Filesize
4KB

Download
memory/5044-2519-0x000001E72E770000-0x000001E72E771000-memory.dmp

Filesize
4KB

Download