Malware Analysis Report

2024-11-30 12:44

Sample ID 240822-kt9vcsxgrg
Target RegService.exe
SHA256 c9216da9eaf8c561d6002f9de38cf1a261c84896f2091ae19c3a4209d7c3956e
Tags
pyinstaller pysilon upx evasion execution persistence discovery
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c9216da9eaf8c561d6002f9de38cf1a261c84896f2091ae19c3a4209d7c3956e

Threat Level: Known bad

The file RegService.exe was found to be: Known bad.

Malicious Activity Summary

pyinstaller pysilon upx evasion execution persistence discovery

Pysilon family

Detect Pysilon

Enumerates VirtualBox DLL files

Command and Scripting Interpreter: PowerShell

Sets file to hidden

UPX packed file

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Unsigned PE

Enumerates physical storage devices

Detects Pyinstaller

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Views/modifies file attributes

Suspicious use of WriteProcessMemory

Kills process with taskkill

Suspicious use of SetWindowsHookEx

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-22 08:54

Signatures

Detect Pysilon

Description Indicator Process Target
N/A N/A N/A N/A

Pysilon family

pysilon

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-08-22 08:54

Reported

2024-08-22 08:58

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

150s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\discord_token_grabber.pyc

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\discord_token_grabber.pyc

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-22 08:54

Reported

2024-08-22 08:58

Platform

win7-20240729-en

Max time kernel

120s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RegService.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\RegService.exe

"C:\Users\Admin\AppData\Local\Temp\RegService.exe"

C:\Users\Admin\AppData\Local\Temp\RegService.exe

"C:\Users\Admin\AppData\Local\Temp\RegService.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\_MEI21242\setuptools\_vendor\importlib_metadata-8.0.0.dist-info\INSTALLER

MD5 365c9bfeb7d89244f2ce01c1de44cb85
SHA1 d7a03141d5d6b1e88b6b59ef08b6681df212c599
SHA256 ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508
SHA512 d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

C:\Users\Admin\AppData\Local\Temp\_MEI21242\setuptools\_vendor\jaraco.text-3.12.1.dist-info\LICENSE

MD5 141643e11c48898150daa83802dbc65f
SHA1 0445ed0f69910eeaee036f09a39a13c6e1f37e12
SHA256 86da0f01aeae46348a3c3d465195dc1ceccde79f79e87769a64b8da04b2a4741
SHA512 ef62311602b466397baf0b23caca66114f8838f9e78e1b067787ceb709d09e0530e85a47bbcd4c5a0905b74fdb30df0cc640910c6cc2e67886e5b18794a3583f

C:\Users\Admin\AppData\Local\Temp\_MEI21242\setuptools\_vendor\jaraco.text-3.12.1.dist-info\WHEEL

MD5 43136dde7dd276932f6197bb6d676ef4
SHA1 6b13c105452c519ea0b65ac1a975bd5e19c50122
SHA256 189eedfe4581172c1b6a02b97a8f48a14c0b5baa3239e4ca990fbd8871553714
SHA512 e7712ba7d36deb083ebcc3b641ad3e7d19fb071ee64ae3a35ad6a50ee882b20cd2e60ca1319199df12584fe311a6266ec74f96a3fb67e59f90c7b5909668aee1

C:\Users\Admin\AppData\Local\Temp\_MEI21242\ucrtbase.dll

MD5 988755316d0f77fc510923c2f7cd6917
SHA1 ccd23c30c38062c87bf730ab6933f928ee981419
SHA256 1854cd0f850da28835416e3b69ed6dae465df95f8d84e77adbbc001f6dbd9d78
SHA512 8c52210a919d9f2856f38bd6a59bbc039506650a7e30f5d100a5aa5008641707122ff79f6f88c268c9abc9f02ba2792eed6aad6a5c65891a9ce7d6d5f12c3b0a

C:\Users\Admin\AppData\Local\Temp\_MEI21242\api-ms-win-core-file-l1-2-0.dll

MD5 ac28edb5ad8eaa70ecbc64baf3e70bd4
SHA1 1a594e6cdc25a6e6be7904093f47f582e9c1fe4d
SHA256 fbd5e958f6efb4d78fd61ee9ee4b4d1b6f43c1210301668f654a880c65a1be86
SHA512 a25b812b9fa965af5f7de5552e2c2f4788a076af003ac0d94c3b2bc42dd9ab7e69af2438ce349b46a3387bf2bfcf27cec270d90ca6a44c9690861331c9e431e1

C:\Users\Admin\AppData\Local\Temp\_MEI21242\api-ms-win-core-localization-l1-2-0.dll

MD5 fd59ee6be2136782225dcd86f8177239
SHA1 494d20e04f69676c150944e24e4fa714a3f781ca
SHA256 1fd044fdbc424779b01b79d477ee79dfbb508a04e86c62e1c8fc4f6d22f6a16a
SHA512 2250d54c3b9e6aeb2f5406e1428536564357a48ceab51596b33ff0843086fb420ad886af61725b25a58e2f50a4c17ddee10696d6041db9b60891eff8e495775c

C:\Users\Admin\AppData\Local\Temp\_MEI21242\api-ms-win-core-processthreads-l1-1-1.dll

MD5 8ff0692d32f2fcb0b417220b98f30364
SHA1 5eeb1d781d44e4885284c8b535f051efca64aef8
SHA256 53cea73c248a49389bc2da01acac1d8e8022a7e034bcd522306e43a937200897
SHA512 f73249f70953c537da02b890308cb18a9c6676401975bf13aeb61b1db9dfa042e908c52ee266b404948a568b23b0cfb37ecd4b80379c398c15f56ce7a82cf7a5

C:\Users\Admin\AppData\Local\Temp\_MEI21242\api-ms-win-core-timezone-l1-1-0.dll

MD5 863ed806b4f16be984b4f1e279a1f99b
SHA1 b9a919216ef90064ac66b12ccde6b3bf1f334ee8
SHA256 171ca9df2b9ecfa545748af724c1c56ab396b299503a14c4da2197b0e5a44401
SHA512 fb8f195d9a1885c16aa2cc6eff38e627ea127b18978016d6046dc0120a19ab40cc4fe4b799c06f133b02f7cd6a634ae1665f05f9be5fcae609229dfaae0ce478

C:\Users\Admin\AppData\Local\Temp\_MEI21242\api-ms-win-core-file-l2-1-0.dll

MD5 b5832f1e3a18d94cd855c3d8c632b30d
SHA1 6315b40487078bbafb478786c42c3946647e8ef3
SHA256 9f096475d4ba1533f564dd4a1db5dfeb620248fe14518042094b922539dc13e3
SHA512 f3016ded97591e25a6d4c70d89251a331402455ab589604e55c486fec37ee8e96bd1be2d4e4e59ba102dad696b3e1f754b699f9ebe8ae462e8b958ed2d431a5b

C:\Users\Admin\AppData\Local\Temp\_MEI21242\python312.dll

MD5 36e9be7e881d1dc29295bf7599490241
SHA1 5b6746aedac80f0e6f16fc88136bcdcbd64b3c65
SHA256 ebef43e92267a17f44876c702c914aafa46b997b63223ff46b12149fd2a2616e
SHA512 090d4e9092b7fe00180164b6f84b4bd1d1a1e12dc8fea042eaa0e75cc08bb9994c91c3853bedec390208db4ef2e3447cd9be20d7dc20c14e6deb52a141d554cf

memory/2400-1413-0x000007FEF6380000-0x000007FEF6A45000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-22 08:54

Reported

2024-08-22 08:58

Platform

win10v2004-20240802-en

Max time kernel

144s

Max time network

111s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RegService.exe"

Signatures

Enumerates VirtualBox DLL files

Description Indicator Process Target
File opened (read-only) C:\windows\system32\vboxhook.dll C:\Users\Admin\AppData\Local\Temp\RegService.exe N/A
File opened (read-only) C:\windows\system32\vboxmrxnp.dll C:\Users\Admin\AppData\Local\Temp\RegService.exe N/A
File opened (read-only) C:\windows\system32\vboxhook.dll C:\Users\Admin\.exe N/A
File opened (read-only) C:\windows\system32\vboxmrxnp.dll C:\Users\Admin\.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Sets file to hidden

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\.exe N/A
N/A N/A C:\Users\Admin\.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RegService.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RegService.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RegService.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RegService.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RegService.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RegService.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RegService.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RegService.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RegService.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RegService.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RegService.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RegService.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RegService.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RegService.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RegService.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RegService.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RegService.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RegService.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RegService.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RegService.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RegService.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RegService.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RegService.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RegService.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RegService.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RegService.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RegService.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RegService.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RegService.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RegService.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RegService.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RegService.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RegService.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RegService.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RegService.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RegService.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RegService.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RegService.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RegService.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RegService.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RegService.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RegService.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RegService.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RegService.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RegService.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RegService.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RegService.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RegService.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RegService.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RegService.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RegService.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RegService.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RegService.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RegService.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RegService.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RegService.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RegService.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RegService.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RegService.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RegService.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RegService.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RegService.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RegService.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RegService.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\\\.exe" C:\Users\Admin\AppData\Local\Temp\RegService.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RegService.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4888 wrote to memory of 3280 N/A C:\Users\Admin\AppData\Local\Temp\RegService.exe C:\Users\Admin\AppData\Local\Temp\RegService.exe
PID 4888 wrote to memory of 3280 N/A C:\Users\Admin\AppData\Local\Temp\RegService.exe C:\Users\Admin\AppData\Local\Temp\RegService.exe
PID 3280 wrote to memory of 664 N/A C:\Users\Admin\AppData\Local\Temp\RegService.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3280 wrote to memory of 664 N/A C:\Users\Admin\AppData\Local\Temp\RegService.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3280 wrote to memory of 4564 N/A C:\Users\Admin\AppData\Local\Temp\RegService.exe C:\Windows\system32\cmd.exe
PID 3280 wrote to memory of 4564 N/A C:\Users\Admin\AppData\Local\Temp\RegService.exe C:\Windows\system32\cmd.exe
PID 4564 wrote to memory of 4428 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 4564 wrote to memory of 4428 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 4564 wrote to memory of 2712 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\.exe
PID 4564 wrote to memory of 2712 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\.exe
PID 4564 wrote to memory of 748 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4564 wrote to memory of 748 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2712 wrote to memory of 6448 N/A C:\Users\Admin\.exe C:\Users\Admin\.exe
PID 2712 wrote to memory of 6448 N/A C:\Users\Admin\.exe C:\Users\Admin\.exe
PID 6448 wrote to memory of 6536 N/A C:\Users\Admin\.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 6448 wrote to memory of 6536 N/A C:\Users\Admin\.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\RegService.exe

"C:\Users\Admin\AppData\Local\Temp\RegService.exe"

C:\Users\Admin\AppData\Local\Temp\RegService.exe

"C:\Users\Admin\AppData\Local\Temp\RegService.exe"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x490 0x4c4

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Add-MpPreference -ExclusionPath \"C:\Users\Admin\\\""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\\activate.bat

C:\Windows\system32\attrib.exe

attrib +s +h .

C:\Users\Admin\.exe

".exe"

C:\Windows\system32\taskkill.exe

taskkill /f /im "RegService.exe"

C:\Users\Admin\.exe

".exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Add-MpPreference -ExclusionPath \"C:\Users\Admin\\\""

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 discord.com udp
US 162.159.136.232:443 discord.com tcp
US 162.159.137.232:443 discord.com tcp
US 162.159.128.233:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp
N/A 127.0.0.1:64749 tcp
US 162.159.135.232:443 discord.com tcp
US 8.8.8.8:53 232.137.159.162.in-addr.arpa udp
US 8.8.8.8:53 232.136.159.162.in-addr.arpa udp
US 8.8.8.8:53 232.138.159.162.in-addr.arpa udp
US 8.8.8.8:53 233.128.159.162.in-addr.arpa udp
US 8.8.8.8:53 232.135.159.162.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI48882\setuptools\_vendor\importlib_metadata-8.0.0.dist-info\INSTALLER

MD5 365c9bfeb7d89244f2ce01c1de44cb85
SHA1 d7a03141d5d6b1e88b6b59ef08b6681df212c599
SHA256 ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508
SHA512 d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

C:\Users\Admin\AppData\Local\Temp\_MEI48882\setuptools\_vendor\jaraco.text-3.12.1.dist-info\WHEEL

MD5 43136dde7dd276932f6197bb6d676ef4
SHA1 6b13c105452c519ea0b65ac1a975bd5e19c50122
SHA256 189eedfe4581172c1b6a02b97a8f48a14c0b5baa3239e4ca990fbd8871553714
SHA512 e7712ba7d36deb083ebcc3b641ad3e7d19fb071ee64ae3a35ad6a50ee882b20cd2e60ca1319199df12584fe311a6266ec74f96a3fb67e59f90c7b5909668aee1

C:\Users\Admin\AppData\Local\Temp\_MEI48882\setuptools\_vendor\jaraco.text-3.12.1.dist-info\LICENSE

MD5 141643e11c48898150daa83802dbc65f
SHA1 0445ed0f69910eeaee036f09a39a13c6e1f37e12
SHA256 86da0f01aeae46348a3c3d465195dc1ceccde79f79e87769a64b8da04b2a4741
SHA512 ef62311602b466397baf0b23caca66114f8838f9e78e1b067787ceb709d09e0530e85a47bbcd4c5a0905b74fdb30df0cc640910c6cc2e67886e5b18794a3583f

C:\Users\Admin\AppData\Local\Temp\_MEI48882\ucrtbase.dll

MD5 988755316d0f77fc510923c2f7cd6917
SHA1 ccd23c30c38062c87bf730ab6933f928ee981419
SHA256 1854cd0f850da28835416e3b69ed6dae465df95f8d84e77adbbc001f6dbd9d78
SHA512 8c52210a919d9f2856f38bd6a59bbc039506650a7e30f5d100a5aa5008641707122ff79f6f88c268c9abc9f02ba2792eed6aad6a5c65891a9ce7d6d5f12c3b0a

C:\Users\Admin\AppData\Local\Temp\_MEI48882\python312.dll

MD5 36e9be7e881d1dc29295bf7599490241
SHA1 5b6746aedac80f0e6f16fc88136bcdcbd64b3c65
SHA256 ebef43e92267a17f44876c702c914aafa46b997b63223ff46b12149fd2a2616e
SHA512 090d4e9092b7fe00180164b6f84b4bd1d1a1e12dc8fea042eaa0e75cc08bb9994c91c3853bedec390208db4ef2e3447cd9be20d7dc20c14e6deb52a141d554cf

C:\Users\Admin\AppData\Local\Temp\_MEI48882\VCRUNTIME140.dll

MD5 be8dbe2dc77ebe7f88f910c61aec691a
SHA1 a19f08bb2b1c1de5bb61daf9f2304531321e0e40
SHA256 4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83
SHA512 0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

memory/3280-1405-0x00007FF965200000-0x00007FF9658C5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI48882\python3.DLL

MD5 8dbe9bbf7118f4862e02cd2aaf43f1ab
SHA1 935bc8c5cea4502d0facf0c49c5f2b9c138608ed
SHA256 29f173e0147390a99f541ba0c0231fdd7dfbca84d0e2e561ef352bf1ec72f5db
SHA512 938f8387dcc356012ac4a952d371664700b110f7111fcc24f5df7d79791ae95bad0dbaf77d2d6c86c820bfd48a6bdbe8858b7e7ae1a77df88e596556c7135ed4

C:\Users\Admin\AppData\Local\Temp\_MEI48882\libffi-8.dll

MD5 013a0b2653aa0eb6075419217a1ed6bd
SHA1 1b58ff8e160b29a43397499801cf8ab0344371e7
SHA256 e9d8eb01bb9b02ce3859ba4527938a71b4668f98897d46f29e94b27014036523
SHA512 0bd13fa1d55133ee2a96387e0756f48133987bacd99d1f58bab3be7bffdf868092060c17ab792dcfbb4680f984f40d3f7cc24abdd657b756496aa8884b8f6099

C:\Users\Admin\AppData\Local\Temp\_MEI48882\_bz2.pyd

MD5 075ae3a74a32bb5386c3524a19e3927e
SHA1 8d832da3344e5958358c24d4d31e51f6a8ddfd24
SHA256 d581bf9f92031f73ae75e21328597906db970714430e6dc44ce525cf04d5e77a
SHA512 455cbe95a369562e56bf76e2c287c52cc5327872151b1797ba3636196dc9231c6d73557d28ee1e3cf2d1c233edb61587cae41498f5d1d8b9cc9c0fdecfff3f1b

C:\Users\Admin\AppData\Local\Temp\_MEI48882\_lzma.pyd

MD5 385a812072bc56d47823360908c2e5ca
SHA1 e8f758dfbd6ed8a82d614343116d9e9c164ce021
SHA256 4943f6912c4ddd1f6d11fa6ea7f619bf852569efe013558105e7a26518d466fd
SHA512 adc6ebda1eb2a51d5bb109c0019150827a3606399f450c250309fce50ae81a820a5a813657e8f4fa6eb7ccc7cb2a5f332aa23db6f12baec156ffc3dd1a32879d

C:\Users\Admin\AppData\Local\Temp\_MEI48882\libcrypto-3.dll

MD5 8fed6a2bbb718bb44240a84662c79b53
SHA1 2cd169a573922b3a0e35d0f9f252b55638a16bca
SHA256 f8de79a5dd7eeb4b2a053315ab4c719cd48fe90b0533949f94b6a291e6bc70fd
SHA512 87787593e6a7d0556a4d05f07a276ffdbef551802eb2e4b07104362cb5af0b32bffd911fd9237799e10e0c8685e9e7a7345c3bce2ad966843c269b4c9bd83e03

memory/3280-1468-0x00007FF9747F0000-0x00007FF974804000-memory.dmp

memory/3280-1467-0x00007FF974810000-0x00007FF97483D000-memory.dmp

memory/3280-1469-0x00007FF964CD0000-0x00007FF9651F9000-memory.dmp

memory/3280-1471-0x00007FF9754A0000-0x00007FF9754AD000-memory.dmp

memory/3280-1470-0x00007FF9747D0000-0x00007FF9747E9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI48882\libopus-0.dll

MD5 3fb9d9e8daa2326aad43a5fc5ddab689
SHA1 55523c665414233863356d14452146a760747165
SHA256 fd8de9169ccf53c5968eec0c90e9ff3a66fb451a5bf063868f3e82007106b491
SHA512 f263ea6e0fab84a65fe3a9b6c0fe860919eee828c84b888a5aa52dea540434248d1e810a883a2aff273cd9f22c607db966dd8776e965be6d2cfe1b50a1af1f57

memory/3280-1472-0x00007FF9702F0000-0x00007FF970323000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI48882\libogg-0.dll

MD5 0d65168162287df89af79bb9be79f65b
SHA1 3e5af700b8c3e1a558105284ecd21b73b765a6dc
SHA256 2ec2322aec756b795c2e614dab467ef02c3d67d527ad117f905b3ab0968ccf24
SHA512 69af81fd2293c31f456b3c78588bb6a372fe4a449244d74bfe5bfaa3134a0709a685725fa05055cfd261c51a96df4b7ebd8b9e143f0e9312c374e54392f8a2c2

memory/3280-1476-0x00007FF975040000-0x00007FF975065000-memory.dmp

memory/3280-1475-0x00007FF975310000-0x00007FF97531D000-memory.dmp

memory/3280-1474-0x00007FF964C00000-0x00007FF964CCD000-memory.dmp

memory/3280-1479-0x00007FF9751A0000-0x00007FF9751AB000-memory.dmp

memory/3280-1478-0x00007FF964AE0000-0x00007FF964BFA000-memory.dmp

memory/3280-1477-0x00007FF973130000-0x00007FF973157000-memory.dmp

memory/3280-1473-0x00007FF965200000-0x00007FF9658C5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI48882\libmodplug-1.dll

MD5 2bb2e7fa60884113f23dcb4fd266c4a6
SHA1 36bbd1e8f7ee1747c7007a3c297d429500183d73
SHA256 9319bf867ed6007f3c61da139c2ab8b74a4cb68bf56265a101e79396941f6d3b
SHA512 1ddd4b9b9238c1744e0a1fe403f136a1def8df94814b405e7b01dd871b3f22a2afe819a26e08752142f127c3efe4ebae8bfd1bd63563d5eb98b4644426f576b2

C:\Users\Admin\AppData\Local\Temp\_MEI48882\libjpeg-9.dll

MD5 c22b781bb21bffbea478b76ad6ed1a28
SHA1 66cc6495ba5e531b0fe22731875250c720262db1
SHA256 1eed2385030348c84bbdb75d41d64891be910c27fab8d20fc9e85485fcb569dd
SHA512 9b42cad4a715680a27cd79f466fd2913649b80657ff042528cba2946631387ed9fb027014d215e1baf05839509ca5915d533b91aa958ae0525dea6e2a869b9e4

C:\Users\Admin\AppData\Local\Temp\_MEI48882\freetype.dll

MD5 04a9825dc286549ee3fa29e2b06ca944
SHA1 5bed779bf591752bb7aa9428189ec7f3c1137461
SHA256 50249f68b4faf85e7cd8d1220b7626a86bc507af9ae400d08c8e365f9ab97cde
SHA512 0e937e4de6cbc9d40035b94c289c2798c77c44fc1dc7097201f9fab97c7ff9e56113c06c51693f09908283eda92945b36de67351f893d4e3162e67c078cff4ec

C:\Users\Admin\AppData\Local\Temp\_MEI48882\api-ms-win-crt-utility-l1-1-0.dll

MD5 0f9c1208db419b09d30c4f7cb13805be
SHA1 bd54564d3d679480ad4be7e68ed9e3b228e167b9
SHA256 a614bcb61d620cec8a2f919037f55531f8648f6a2e4b711fa6635213593cf441
SHA512 4084cec138f3afd583ad565523937c018667e6cafc4ac47867b3e9b4f3ed6d22c8df6f465a984b182cc4b9ee779ee3f83d5d9e54090e1d14400d934e70654290

C:\Users\Admin\AppData\Local\Temp\_MEI48882\api-ms-win-crt-time-l1-1-0.dll

MD5 97b8fb791946d8937c3c44fd656080e4
SHA1 c21a787f736455cf5917b490b79818c927937da2
SHA256 e75df3e5edcee75d24323182c45cd4fbe76437e60f7fa33f15b8d7ad4698116e
SHA512 399c3744f604096eaeda1753ea1efd6fcc664768e2f09b42593860d5b34ce863e44b726db414a8c16fc94bd1ec177ed60a0ede72db405314a7ba1b3d02247855

C:\Users\Admin\AppData\Local\Temp\_MEI48882\api-ms-win-crt-string-l1-1-0.dll

MD5 a61502fa78ff8d7a24d9361129ae07c3
SHA1 5512da3cf6590e1537da51c3b72aea66476cdd07
SHA256 7c70b4c871b0a5ad05c7003f3a8359f8644cb208551db472ed09a59629080b2e
SHA512 ac0a4ed9e0239e3dcfb406b96acef3a2ec2fd3eb222be6f0a178c5a89fe22b55b7c22fc5cc06d5ed9e28b6c8b580a674fcc59a8987cc3c600e5b7ead19650c44

C:\Users\Admin\AppData\Local\Temp\_MEI48882\api-ms-win-crt-stdio-l1-1-0.dll

MD5 3031d77d1b8d238b41d3e196a5bf8671
SHA1 aaae7b68895b3abba3f8415bfb4506ea39c952cf
SHA256 fd81e42596789765052bae850bee4d17d711d0241ebe05f83c1f022f397e5dcf
SHA512 f9b61572b3d04d7aa5fd703f0e39df3784de1fe5926cf2c0f6a158be8eb0c330b950871a2ec20e3cea9919e958fcbc93465aebd98fbcd35eb5f790f0a5f290fa

C:\Users\Admin\AppData\Local\Temp\_MEI48882\api-ms-win-crt-runtime-l1-1-0.dll

MD5 ced121dc1b464f420444a1d0ba79eca0
SHA1 c1336130fc9cab6eaee49980853467cbb9ed867f
SHA256 f3fb05146adad6ab5501980557116baeecd3486fd34bbd737761891093ed94f8
SHA512 3d238c586ca1ddb2dbe6dbdffed6b6b3eed103d04f2015d37f000372cc0f17f944db4d71cb7228e498c1463a0cea97de071cb5a7c8e66a52a8e5a548d23b8daf

C:\Users\Admin\AppData\Local\Temp\_MEI48882\api-ms-win-crt-process-l1-1-0.dll

MD5 7114446ebc88ecb377c6001b3af10ed6
SHA1 7c25a4979146acb427ea3a8c5a708e1068c62124
SHA256 d8fa75707faa36c6096700f919ff838e81de6070b7a7e9225ae3755e5d728f2e
SHA512 3ae5bffdd1cfc400d399c99960552f3e31c10fd0f2c0a010231990bb844f5eb114a720ae3c5d24a5f670f2bfcebfbc7bd0431caac923ad70fdbbae3b94f3a933

C:\Users\Admin\AppData\Local\Temp\_MEI48882\api-ms-win-crt-private-l1-1-0.dll

MD5 c82aa01e723a26708090264dfb9dcb9e
SHA1 26b5f67e746dbcf8028a2ece6da5509bc02f2e6a
SHA256 91070fe0dd87cbbb555861b04a56a8d696d09d5e1b2cbba6798b8349ae29c24d
SHA512 5c7dfb49620f2e71b318e6989db75b7c76e585d88edf7376ad4f7dac4d90cc6151e51778962fc68f7066102e0ccc04ec4604ba0b170748e9c22ac0d7d43d754c

C:\Users\Admin\AppData\Local\Temp\_MEI48882\api-ms-win-crt-math-l1-1-0.dll

MD5 d0c2ee5f3fb39ec424ebda1f64b762f6
SHA1 5fabe4443de811e7fce11d467e5c1ff720ae8f56
SHA256 5ab428c62ab90056eb4d8e2fdf816851e78f69ee7fcfd198672c7948153be529
SHA512 745a0e24ef74011d8ad5df5853bea8c2826ca081c2a3cee1ba74561238436dccc0ec4051ac09575d3645d4a18439e777a1a9b1e4aaa6603f92fdbf1b9d17a024

C:\Users\Admin\AppData\Local\Temp\_MEI48882\api-ms-win-crt-locale-l1-1-0.dll

MD5 ba60c991c516d853f41b7fb481a39eab
SHA1 7578bebde38fbd4c5288003ce853a58d86fa4925
SHA256 91e314de4017473445b51c0ced5b73c1ecfbed3705cf1d00eaa943962531dbca
SHA512 0addee8938fa3bd3f65711c5a504ee1383f3db8d23764ff73c56205e976e243aa1a354fba4078196f4b2ff13a760aa1f893daaa70a5e3979fe0c3dcf771cc9d1

C:\Users\Admin\AppData\Local\Temp\_MEI48882\api-ms-win-crt-heap-l1-1-0.dll

MD5 02a69ea376f962127a049c6acbc53354
SHA1 1044f4d1368182a77a086a2aad7c91c822648537
SHA256 6dc3a055feacc23fa519f79c6b7b7184ec0fe498adfc05f02c0afb9afe34bd93
SHA512 fd4c809540c59a7031848a6ea3f14f10133f6d57770c8eee0012da7e3cc0b0f646ae4238cb9c0836bd6837130d7b11b0e3a64711e1f919caed4145ca0fe6f38f

C:\Users\Admin\AppData\Local\Temp\_MEI48882\api-ms-win-crt-filesystem-l1-1-0.dll

MD5 b4f47d3687c6b9020670eb3d599f23e8
SHA1 163752317c8016d21c4cf544fec133831b9665a5
SHA256 a923525c86d4345a5324a76e5a5f6e8e2c634e3b012c8cb78e87945bf966deea
SHA512 d15815dd2ce4c9d9bf38ff0e930a54473dcfc8158ecb45cd29c700f62a1aac6b7e8126defa856b6541a1dcaa4c1f2fba4a92baa9efa89d8463c520f19928adf8

C:\Users\Admin\AppData\Local\Temp\_MEI48882\api-ms-win-crt-environment-l1-1-0.dll

MD5 33fc9f137f8fc2bc99e5d085388f3e58
SHA1 564287f41e5fa576c26baad8fcf285a3a5edf7cd
SHA256 527100daa26b386c064c2e99e84f2b99d87aecb66823475687727cf9df809221
SHA512 a601f2d7f4d4c2eb9a0f32824880220e5fe33ee2abdcfe4c11793a8fb4ab2374f43c3787a0bffcb79d6bb7941b182e7cdc47a319bdbc695cd0c260ba94ec3806

C:\Users\Admin\AppData\Local\Temp\_MEI48882\api-ms-win-crt-convert-l1-1-0.dll

MD5 661fe6801836492501a1b1ede1e90cab
SHA1 85782d99b4473b746a1d1449c23edec7d06ec310
SHA256 d01129b17ef28f4e674cfa4dcda0f82078bbbc140cad9a8ab31b384fc105628f
SHA512 61d4c9c6acaea6c38c86d2d0683f1eee9156a64c280dfac92127fcbd9e135d40779c205ca8473fb53f8a2f4f91f75d38d11556571dc2c48c8fb71c168bc4454a

C:\Users\Admin\AppData\Local\Temp\_MEI48882\api-ms-win-crt-conio-l1-1-0.dll

MD5 0fba25ed6b6f8b676d2d6ad02554103c
SHA1 da6e0106eb4cce4fa2d17eb12da90bef5685fd5f
SHA256 43a91c96153ceb11a56dbaf3d9eb6464cba904da6952bd10649d2503fc6d484e
SHA512 6d8e3059ff42a44392fdae0fe6218cf77184493fd889ef7ad9aeeb05b67df6da084fb5c61776afc17d347bc6e1cdab35990bb5ebed4da0cb625050a93bd1f708

C:\Users\Admin\AppData\Local\Temp\_MEI48882\api-ms-win-core-util-l1-1-0.dll

MD5 26484ca59ac50eef4a5b9886173cb389
SHA1 111e11b27c2df193d8aa3707aae45a9b78930e04
SHA256 56dbccf349622daee692a2a6feb846f7018d4d049ea4e972d5cd61a34e3b87b3
SHA512 4d1c7e179aea6bd8e258cc6720bdd8fb45f7ad0814dbd61b960f46d379146de35d8e28217b70d577de4189f778b89907f8075e2e480a2bc6530b00696dc479db

C:\Users\Admin\AppData\Local\Temp\_MEI48882\api-ms-win-core-timezone-l1-1-0.dll

MD5 863ed806b4f16be984b4f1e279a1f99b
SHA1 b9a919216ef90064ac66b12ccde6b3bf1f334ee8
SHA256 171ca9df2b9ecfa545748af724c1c56ab396b299503a14c4da2197b0e5a44401
SHA512 fb8f195d9a1885c16aa2cc6eff38e627ea127b18978016d6046dc0120a19ab40cc4fe4b799c06f133b02f7cd6a634ae1665f05f9be5fcae609229dfaae0ce478

C:\Users\Admin\AppData\Local\Temp\_MEI48882\api-ms-win-core-sysinfo-l1-1-0.dll

MD5 10b937bfe0a4b9759af343dbb9070596
SHA1 d9305a0015dbb8bdd28cf5898d943b4e2ed2f9f6
SHA256 4d499a6cb6f5bc31ac5d1ad25dd3283f888907c17aa6846da16d3761777986a6
SHA512 f5b0bf4418a64bec22316d16dc5f535caba9e4ede6790b555115af9089db647e7c36fbfeadb23d0aa9222059dadb4235bbec6029e99625d66d6e3a7da1aa6276

C:\Users\Admin\AppData\Local\Temp\_MEI48882\api-ms-win-core-synch-l1-2-0.dll

MD5 5a9f2ce42bb237a8d25d2b8d3e905bd4
SHA1 f2eb1be1b6bbf48f09e3220cbcac85ce4c1a371c
SHA256 ef94c2a19bd9a30a7e099572402737c1b6bfcb60f3074d3dcda85de0ce6fb674
SHA512 2f986a8629f9b59e9d9a380aa65d42f2c9241c02a4050721add0cca3a4e16ea8b0b1ce1f81fa1c521c2f7810b9aa4642f37f5173d6ca53fc176ab3e91b5c5c29

C:\Users\Admin\AppData\Local\Temp\_MEI48882\api-ms-win-core-synch-l1-1-0.dll

MD5 b84fb9322caa36fdf409f18e8304a5bf
SHA1 876721afbef99f771fe6db783f950602b8e9abea
SHA256 28e499c8ff5146fadb3799f88ba2cabc42d3a3fed0d2de43e6d194eb0a5e93a6
SHA512 4b65930cc152b9fd7acc5a3156487a2bf3a5d2d6731fa48189c47f65784797d224094fe56f8bd48a02aef3d1207d81ac09d747c251c6de2a93efb9afd7cfafb9

C:\Users\Admin\AppData\Local\Temp\_MEI48882\api-ms-win-core-string-l1-1-0.dll

MD5 a7e6fd9da0b366256e39dc7a227af909
SHA1 068e54604e0cd8cc9e0149f9cf139cd8d6b6665f
SHA256 b1a9c3e26fc2dd6d701d624969a29a16e04681c057999b4773d9fd4f4d3bbbe7
SHA512 cdc7ed374cc4f109d84270981888ff9eafc21325ff85db9439a103f4a4d49e8f64d53f8b5d7ca2f983dd607fe765d80b3dfe321c2d22216924dbd3c8aa468720

C:\Users\Admin\AppData\Local\Temp\_MEI48882\api-ms-win-core-rtlsupport-l1-1-0.dll

MD5 3493376565524418af30afc7a97b0561
SHA1 abcfdcad703e05cbae97d004119b966920e04a5f
SHA256 8ed0ffbd5462ed7fa2a82efaa5f5de4cb3849699b6cf1be93ce5fe746ef7c58e
SHA512 01254e63ad3ae9194f74a6a992f8e236afc934b04e8568fcab4b6460f179d40641b1483c0a12463f004bd0b16909bcc2381a8996c96e151cae4ce2f287f00eaa

C:\Users\Admin\AppData\Local\Temp\_MEI48882\api-ms-win-core-profile-l1-1-0.dll

MD5 59a815641390eeff6badaee84e8de7d0
SHA1 ca63e4696de7f5e913f942f1fd0b807959a8c972
SHA256 97f18741abb1d6d215503234b603755dec3d0e8d4c5f08060dababe7660a420d
SHA512 b91cedabc790aed85b9a1eed4241add1f73b1f890c1bb48efec750be7b59d44ca03d62cf1a011f23cdbf66bf80ef26ac01b7d8ef9e7ead3fa45306620aa1a056

C:\Users\Admin\AppData\Local\Temp\_MEI48882\api-ms-win-core-processthreads-l1-1-1.dll

MD5 8ff0692d32f2fcb0b417220b98f30364
SHA1 5eeb1d781d44e4885284c8b535f051efca64aef8
SHA256 53cea73c248a49389bc2da01acac1d8e8022a7e034bcd522306e43a937200897
SHA512 f73249f70953c537da02b890308cb18a9c6676401975bf13aeb61b1db9dfa042e908c52ee266b404948a568b23b0cfb37ecd4b80379c398c15f56ce7a82cf7a5

C:\Users\Admin\AppData\Local\Temp\_MEI48882\api-ms-win-core-processthreads-l1-1-0.dll

MD5 f3d59040c56520a117d3e7f0d4df50b0
SHA1 cde5fbc4cc283338bbc98b4c87ec21874369d98f
SHA256 6c2268cfc9b365e9683ed1f7b704d4fdc60938be8fcd2074ec3e1c35112b5785
SHA512 aba461363630ac9a429af794c9c43ad2ce23bafebb4902b5d40d370205fbe91dbf22a97aa4d355202d2d3c74721d3e6d547d84ac740ea24a1bdcbb8ee6a2c5b8

C:\Users\Admin\AppData\Local\Temp\_MEI48882\api-ms-win-core-processenvironment-l1-1-0.dll

MD5 83dd9755271b3e32e9ccc44602b170c5
SHA1 a7c3cd5b6c0cce5d85e666cb181d6a0247521cb6
SHA256 9b6f3d134547f882f476173a857a865dd9373c9befcfac0c324f1be673a2c9b2
SHA512 f41e644feebe5b41320f0272b2106e62d9f835f710e4035bbe15bcc997dfc6d503a5a946ba1f2437e3c149c095f7fade7a7929393a1821290a27c6859c70150c

C:\Users\Admin\AppData\Local\Temp\_MEI48882\api-ms-win-core-namedpipe-l1-1-0.dll

MD5 ff505a3c725c068f0177d27e3def4707
SHA1 72e5942aaebf0e942d71d7f2231fcc2243ac165d
SHA256 5b93dc92eee5dcc91aaa2a479cfd989c41a8ffaeb29e92959a730e7a632dce1b
SHA512 072d6e1d843af90e19d356773317df491a06b952673ed34c7731242796ad647716e2c7544a4ca0ee37a1c7e738462973201d57f20fc57705db8b8e8061badd26

C:\Users\Admin\AppData\Local\Temp\_MEI48882\api-ms-win-core-memory-l1-1-0.dll

MD5 671bc514f0373f5775448215da9ecc19
SHA1 8a1ce5f0c482ff9b7adc9da0c4e7c5876df3dc57
SHA256 effb3bc6746e41e4139779aface86afc4e14454b95fc4a999dfdd07b03122a0f
SHA512 dad926d9046a73f46be7d52bc5df61ea7178f42ff18fcf57064d78d0f94bca4e7641cc467606891f69985b860e80ec028475ecefd17f3765763b51df256822fc

C:\Users\Admin\AppData\Local\Temp\_MEI48882\api-ms-win-core-localization-l1-2-0.dll

MD5 fd59ee6be2136782225dcd86f8177239
SHA1 494d20e04f69676c150944e24e4fa714a3f781ca
SHA256 1fd044fdbc424779b01b79d477ee79dfbb508a04e86c62e1c8fc4f6d22f6a16a
SHA512 2250d54c3b9e6aeb2f5406e1428536564357a48ceab51596b33ff0843086fb420ad886af61725b25a58e2f50a4c17ddee10696d6041db9b60891eff8e495775c

C:\Users\Admin\AppData\Local\Temp\_MEI48882\api-ms-win-core-libraryloader-l1-1-0.dll

MD5 cfb04fb6e6f578655b08a6d50054e4a5
SHA1 e9336808b24ebe24eff535f2a158ff65a693441d
SHA256 fb09d45296d3175e7cfcf5b0c284fe3bb3bfd5dea6e90c5c52c4f4c3aa1b0dc7
SHA512 1b9d752494f82075dc959b121dd0641418b5902a597c4427d792ffaea32f254cd7b5ee04f53cfaf20c36b5f0904242d6c0f2b67273ebac465aaa745d8daa470d

C:\Users\Admin\AppData\Local\Temp\_MEI48882\api-ms-win-core-interlocked-l1-1-0.dll

MD5 a68eddda85e1c77ee3c316d05e215db0
SHA1 eef3809b52bdf0a8a42aa60040d1d0ec34b1c2aa
SHA256 d8e6d80a4fa4d0c3da6c179c551ce65f9e872db5625ae58b8bd69802c09c5d7b
SHA512 24c27a2894ac3ce764f0cb3225e80bf5f7637d3446b25a636917b4332814b9e7af9bdc8706ec6f8088529214367310a61df4bc2df4738ac06fec1f4e4a04e5d8

C:\Users\Admin\AppData\Local\Temp\_MEI48882\api-ms-win-core-heap-l1-1-0.dll

MD5 8d01d04941918b5d5ddaa4a9d4b1a8c6
SHA1 27b1c293b58cd6af9a951127612857018da482a6
SHA256 2c93dddf2fc65c99565d104a1078d663ebe590ecb74a47bc2ecf1b2e658574ac
SHA512 1d902a947c79e9d7157a32ca0a8ac6da25ee7726ac996f17e060ec6fdf5aee6d717e9e6ea3b0f4539dc3aea632e484082303537e17248a26f7ff1b1db9e4e796

C:\Users\Admin\AppData\Local\Temp\_MEI48882\api-ms-win-core-handle-l1-1-0.dll

MD5 3486de24e09bc08b324c1c3e9e03b35c
SHA1 85743f027ace6e7da355c420ab162ad4a88c20b1
SHA256 1e7a0823130ca36e2f061ed8c40554ceb5faa906e10b6c042628e8ee6c776b4a
SHA512 053ed4bc2867fbed924b8ff47fba2cf4c302c9f95fedad8dca450b26509c0f6bfdc33e0d19b1afa3cd09e8c218228d0e3475df0200180acbbe97ee6a72482d2f

C:\Users\Admin\AppData\Local\Temp\_MEI48882\api-ms-win-core-file-l2-1-0.dll

MD5 b5832f1e3a18d94cd855c3d8c632b30d
SHA1 6315b40487078bbafb478786c42c3946647e8ef3
SHA256 9f096475d4ba1533f564dd4a1db5dfeb620248fe14518042094b922539dc13e3
SHA512 f3016ded97591e25a6d4c70d89251a331402455ab589604e55c486fec37ee8e96bd1be2d4e4e59ba102dad696b3e1f754b699f9ebe8ae462e8b958ed2d431a5b

C:\Users\Admin\AppData\Local\Temp\_MEI48882\api-ms-win-core-file-l1-2-0.dll

MD5 ac28edb5ad8eaa70ecbc64baf3e70bd4
SHA1 1a594e6cdc25a6e6be7904093f47f582e9c1fe4d
SHA256 fbd5e958f6efb4d78fd61ee9ee4b4d1b6f43c1210301668f654a880c65a1be86
SHA512 a25b812b9fa965af5f7de5552e2c2f4788a076af003ac0d94c3b2bc42dd9ab7e69af2438ce349b46a3387bf2bfcf27cec270d90ca6a44c9690861331c9e431e1

C:\Users\Admin\AppData\Local\Temp\_MEI48882\api-ms-win-core-file-l1-1-0.dll

MD5 3370535abeb8dc8ef37c2c5146d048f7
SHA1 b7a4d43b7948e93ded5b9a4a714ea69efd51cb26
SHA256 df372db5e119520d56f73c1733bdf7f6134c7209e375c7ba6a4c80f37565b35b
SHA512 75eb9a907af3b873787165589dd3505bf634c52e0826feb44f88019a6be385e4086d40f27330387497bda8f4917045833cd0859c8114f275f2416acfb8942608

C:\Users\Admin\AppData\Local\Temp\_MEI48882\api-ms-win-core-fibers-l1-1-0.dll

MD5 2c2939389d78665ec3a34b1cfed44a8d
SHA1 c86a82c007be025baf8d02b15dc1d9277a1c49a5
SHA256 d4f607fbf213e9e036269574a904ab8868bba26fd42e4fb2c60a425f03934bdc
SHA512 698b6a4c036a1d812f82140fed33cb9039c8774aa75b0b63ec8122084b2fc5d24b99876c82b0207d2e8ee79c7ac5ac11029347fb1beec55282e72d528e179163

C:\Users\Admin\AppData\Local\Temp\_MEI48882\api-ms-win-core-errorhandling-l1-1-0.dll

MD5 8c717ad4c92fc26b40ec6830fd9289c7
SHA1 c5ed74b59bcdca1e26639c245900444b894aa06d
SHA256 c119a34d7ac08eccb645a85415b4abfa5a8fb05afe20838eb6ffb558f01657fd
SHA512 b734de4228232b423595bf87bf3b26a5297c6829a1ac976064dea30289e6bd646ff15d6daf40b6885480c9a58e80de31b429f2d233f6294b603e91f72e99e130

C:\Users\Admin\AppData\Local\Temp\_MEI48882\api-ms-win-core-debug-l1-1-0.dll

MD5 6e84207402f5cd66e00abb1689ded080
SHA1 72559bedd082049c79f2b9fa59b7875a0ddd4551
SHA256 301a110ed905f10243437c5bc2a92cdf7c8609c19cb8baff92c99d8645c8d6f0
SHA512 58cc81404b88e133524d7c62b51f1c0ff9cfbf600e01b912e181529f03af74300a5fec98f85a7303e1dc6ce1ddba519b01b296db8a94a234884ca493567bcf0b

C:\Users\Admin\AppData\Local\Temp\_MEI48882\api-ms-win-core-datetime-l1-1-0.dll

MD5 5e43b4314980eb7f19506613d4523e63
SHA1 fc2788632181476092a5cb4aa63ef57e4106703a
SHA256 daaacd2fdf366e2c36b42398e850412c8be3093e5b7a8f608684a656d27e4d6e
SHA512 acc730e49b6f59d0e76fdff10d16d89c46ec6a7002af6dfd15407af40813e92e585074bb4bcc71c2b8d7ea44c3e7abaeac7b8a877609de0fdb72324417d7cfea

C:\Users\Admin\AppData\Local\Temp\_MEI48882\api-ms-win-core-console-l1-1-0.dll

MD5 815bd17033aa15f6937eff710101c784
SHA1 651f373b703cf3e02e77e26119a2a925ded509f0
SHA256 8f0188d00d062f3d650cb811607a64eb7a3b923397da473f38883d942f4f5184
SHA512 b836e6a83a21d32c2c61c98aae05490da2f77b8459c334e3959a02ec31639fb9ac190b53f08e2fa01a953e8c65038ed148f9fd4ea71b6369f7ef466c6ccfac54

memory/3280-1419-0x00007FF974840000-0x00007FF97485A000-memory.dmp

memory/3280-1416-0x00007FF97B360000-0x00007FF97B36F000-memory.dmp

memory/3280-1413-0x00007FF975040000-0x00007FF975065000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI48882\_ctypes.pyd

MD5 1a546aaa7d44f48daef4750a679fe22f
SHA1 0aaa6657b15c79b3713229e61aec5d0e16e5b404
SHA256 b1ed56b8aab1dc0e4021bb08b53ac82fa9bf0c56f171287c55241617dd90bc5b
SHA512 338b6210bbde57ac6bbd032f8d65b90fe43d1509c74d138766a50490ee0ff93b5c94ec29fb8b8575f602304a342aa195dfff7b9bc22bb20e78545521ce0cd2e9

C:\Users\Admin\AppData\Local\Temp\_MEI48882\base_library.zip

MD5 763d1a751c5d47212fbf0caea63f46f5
SHA1 845eaa1046a47b5cf376b3dbefcf7497af25f180
SHA256 378a4b40f4fa4a8229c93e0afee819085251af03402ccefa3b469651e50e60b7
SHA512 bb356dd610e6035f4002671440ce96624addf9a89fd952a6419647a528a551a6ccd0eca0ee2eeb080d9aad683b5afc9415c721fa62c3bcddcb7f1923f59d9c45

memory/3280-1483-0x00007FF970C60000-0x00007FF970C6C000-memory.dmp

memory/3280-1484-0x00007FF9747F0000-0x00007FF974804000-memory.dmp

memory/3280-1500-0x00007FF966170000-0x00007FF966186000-memory.dmp

memory/3280-1499-0x00007FF96D620000-0x00007FF96D62C000-memory.dmp

memory/3280-1498-0x00007FF96D630000-0x00007FF96D63C000-memory.dmp

memory/3280-1497-0x00007FF96BCA0000-0x00007FF96BCAC000-memory.dmp

memory/3280-1496-0x00007FF96BCB0000-0x00007FF96BCC2000-memory.dmp

memory/3280-1495-0x00007FF96BCD0000-0x00007FF96BCDD000-memory.dmp

memory/3280-1494-0x00007FF96BCE0000-0x00007FF96BCEC000-memory.dmp

memory/3280-1493-0x00007FF96BCF0000-0x00007FF96BCFC000-memory.dmp

memory/3280-1492-0x00007FF96C340000-0x00007FF96C34B000-memory.dmp

memory/3280-1491-0x00007FF96C350000-0x00007FF96C35B000-memory.dmp

memory/3280-1490-0x00007FF96C360000-0x00007FF96C36C000-memory.dmp

memory/3280-1489-0x00007FF96D610000-0x00007FF96D61E000-memory.dmp

memory/3280-1488-0x00007FF96E3C0000-0x00007FF96E3CB000-memory.dmp

memory/3280-1487-0x00007FF96E580000-0x00007FF96E58C000-memory.dmp

memory/3280-1502-0x00007FF964AC0000-0x00007FF964AD4000-memory.dmp

memory/3280-1501-0x00007FF966150000-0x00007FF966162000-memory.dmp

memory/3280-1486-0x00007FF96E590000-0x00007FF96E59B000-memory.dmp

memory/3280-1504-0x00007FF964A90000-0x00007FF964AB2000-memory.dmp

memory/3280-1503-0x00007FF9702F0000-0x00007FF970323000-memory.dmp

memory/3280-1485-0x00007FF964CD0000-0x00007FF9651F9000-memory.dmp

memory/3280-1482-0x00007FF970C70000-0x00007FF970C7B000-memory.dmp

memory/3280-1481-0x00007FF970C80000-0x00007FF970C8B000-memory.dmp

memory/3280-1480-0x00007FF9747C0000-0x00007FF9747CF000-memory.dmp

memory/3280-1505-0x00007FF964C00000-0x00007FF964CCD000-memory.dmp

memory/3280-1506-0x00007FF964AE0000-0x00007FF964BFA000-memory.dmp

memory/3280-1509-0x00007FF9644A0000-0x00007FF9644B9000-memory.dmp

memory/3280-1508-0x00007FF973130000-0x00007FF973157000-memory.dmp

memory/3280-1507-0x00007FF9644C0000-0x00007FF9644D7000-memory.dmp

memory/3280-1510-0x00007FF964450000-0x00007FF96449D000-memory.dmp

memory/3280-1512-0x00007FF964430000-0x00007FF964441000-memory.dmp

memory/3280-1511-0x00007FF9747C0000-0x00007FF9747CF000-memory.dmp

memory/3280-1513-0x00007FF964410000-0x00007FF96442E000-memory.dmp

memory/3280-1514-0x00007FF9643B0000-0x00007FF96440D000-memory.dmp

memory/3280-1515-0x00007FF966170000-0x00007FF966186000-memory.dmp

memory/3280-1516-0x00007FF964370000-0x00007FF9643A8000-memory.dmp

memory/3280-1517-0x00007FF964340000-0x00007FF964369000-memory.dmp

memory/3280-1518-0x00007FF964310000-0x00007FF96433E000-memory.dmp

memory/3280-1520-0x00007FF9642E0000-0x00007FF964304000-memory.dmp

memory/3280-1519-0x00007FF964A90000-0x00007FF964AB2000-memory.dmp

memory/3280-1522-0x00007FF964160000-0x00007FF9642DF000-memory.dmp

memory/3280-1521-0x00007FF9644C0000-0x00007FF9644D7000-memory.dmp

memory/3280-1523-0x00007FF964030000-0x00007FF964048000-memory.dmp

memory/3280-1524-0x00007FF964450000-0x00007FF96449D000-memory.dmp

memory/3280-1545-0x00007FF963F20000-0x00007FF963F32000-memory.dmp

memory/3280-1544-0x00007FF964310000-0x00007FF96433E000-memory.dmp

memory/3280-1543-0x00007FF963F10000-0x00007FF963F1C000-memory.dmp

memory/3280-1542-0x00007FF964160000-0x00007FF9642DF000-memory.dmp

memory/3280-1541-0x00007FF963F40000-0x00007FF963F4D000-memory.dmp

memory/3280-1540-0x00007FF964340000-0x00007FF964369000-memory.dmp

memory/3280-1539-0x00007FF963F50000-0x00007FF963F5C000-memory.dmp

memory/3280-1538-0x00007FF963F60000-0x00007FF963F6C000-memory.dmp

memory/3280-1537-0x00007FF963F70000-0x00007FF963F7B000-memory.dmp

memory/3280-1536-0x00007FF9643B0000-0x00007FF96440D000-memory.dmp

memory/3280-1535-0x00007FF963F80000-0x00007FF963F8B000-memory.dmp

memory/3280-1534-0x00007FF963F90000-0x00007FF963F9C000-memory.dmp

memory/3280-1533-0x00007FF963FA0000-0x00007FF963FAE000-memory.dmp

memory/3280-1532-0x00007FF963FF0000-0x00007FF963FFB000-memory.dmp

memory/3280-1531-0x00007FF963FB0000-0x00007FF963FBC000-memory.dmp

memory/3280-1530-0x00007FF963FC0000-0x00007FF963FCC000-memory.dmp

memory/3280-1529-0x00007FF963FD0000-0x00007FF963FDB000-memory.dmp

memory/3280-1528-0x00007FF963FE0000-0x00007FF963FEC000-memory.dmp

memory/3280-1527-0x00007FF964000000-0x00007FF96400C000-memory.dmp

memory/3280-1526-0x00007FF964010000-0x00007FF96401B000-memory.dmp

memory/3280-1525-0x00007FF964020000-0x00007FF96402B000-memory.dmp

memory/3280-1547-0x00007FF963ED0000-0x00007FF963F06000-memory.dmp

memory/3280-1546-0x00007FF9642E0000-0x00007FF964304000-memory.dmp

memory/3280-1548-0x00007FF963BF0000-0x00007FF963ED0000-memory.dmp

memory/3280-1549-0x00007FF961AF0000-0x00007FF963BE3000-memory.dmp

memory/3280-1551-0x00007FF961AA0000-0x00007FF961AC1000-memory.dmp

memory/3280-1550-0x00007FF961AD0000-0x00007FF961AE7000-memory.dmp

memory/3280-1552-0x00007FF961A70000-0x00007FF961A92000-memory.dmp

memory/3280-1553-0x00007FF9619D0000-0x00007FF961A69000-memory.dmp

memory/3280-1556-0x00007FF961910000-0x00007FF961951000-memory.dmp

memory/3280-1555-0x00007FF961960000-0x00007FF961991000-memory.dmp

memory/3280-1554-0x00007FF9619A0000-0x00007FF9619D0000-memory.dmp

memory/3280-1558-0x00007FF9618B0000-0x00007FF9618CC000-memory.dmp

memory/3280-1557-0x00007FF961AF0000-0x00007FF963BE3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vjskrbib.kcb.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3280-1623-0x00007FF964AC0000-0x00007FF964AD4000-memory.dmp

memory/3280-1607-0x00007FF96E590000-0x00007FF96E59B000-memory.dmp

memory/3280-1628-0x00007FF964430000-0x00007FF964441000-memory.dmp

memory/3280-1627-0x00007FF964450000-0x00007FF96449D000-memory.dmp

memory/3280-1626-0x00007FF9644A0000-0x00007FF9644B9000-memory.dmp

memory/3280-1625-0x00007FF9644C0000-0x00007FF9644D7000-memory.dmp

memory/3280-1624-0x00007FF964A90000-0x00007FF964AB2000-memory.dmp

memory/3280-1622-0x00007FF966150000-0x00007FF966162000-memory.dmp

memory/3280-1621-0x00007FF966170000-0x00007FF966186000-memory.dmp

memory/3280-1620-0x00007FF96BCA0000-0x00007FF96BCAC000-memory.dmp

memory/3280-1619-0x00007FF96BCB0000-0x00007FF96BCC2000-memory.dmp

memory/3280-1618-0x00007FF96BCD0000-0x00007FF96BCDD000-memory.dmp

memory/3280-1617-0x00007FF96BCE0000-0x00007FF96BCEC000-memory.dmp

memory/3280-1616-0x00007FF96BCF0000-0x00007FF96BCFC000-memory.dmp

memory/3280-1615-0x00007FF96C340000-0x00007FF96C34B000-memory.dmp

memory/3280-1614-0x00007FF96C350000-0x00007FF96C35B000-memory.dmp

memory/3280-1613-0x00007FF96C360000-0x00007FF96C36C000-memory.dmp

memory/3280-1612-0x00007FF96D610000-0x00007FF96D61E000-memory.dmp

memory/3280-1611-0x00007FF96D620000-0x00007FF96D62C000-memory.dmp

memory/3280-1610-0x00007FF96D630000-0x00007FF96D63C000-memory.dmp

memory/3280-1609-0x00007FF96E3C0000-0x00007FF96E3CB000-memory.dmp

memory/3280-1608-0x00007FF96E580000-0x00007FF96E58C000-memory.dmp

memory/3280-1605-0x00007FF970C70000-0x00007FF970C7B000-memory.dmp

memory/3280-1606-0x00007FF970C60000-0x00007FF970C6C000-memory.dmp

memory/3280-1604-0x00007FF970C80000-0x00007FF970C8B000-memory.dmp

memory/3280-1603-0x00007FF9747C0000-0x00007FF9747CF000-memory.dmp

memory/3280-1602-0x00007FF964AE0000-0x00007FF964BFA000-memory.dmp

memory/3280-1601-0x00007FF973130000-0x00007FF973157000-memory.dmp

memory/3280-1594-0x00007FF964CD0000-0x00007FF9651F9000-memory.dmp

memory/3280-1588-0x00007FF965200000-0x00007FF9658C5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI27122\setuptools\_vendor\importlib_resources-6.4.0.dist-info\LICENSE

MD5 3b83ef96387f14655fc854ddc3c6bd57
SHA1 2b8b815229aa8a61e483fb4ba0588b8b6c491890
SHA256 cfc7749b96f63bd31c3c42b5c471bf756814053e847c10f3eb003417bc523d30
SHA512 98f6b79b778f7b0a15415bd750c3a8a097d650511cb4ec8115188e115c47053fe700f578895c097051c9bc3dfb6197c2b13a15de203273e1a3218884f86e90e8

C:\Users\Admin\AppData\Local\Temp\_MEI27122\setuptools\_vendor\jaraco.functools-4.0.1.dist-info\top_level.txt

MD5 0ba8d736b7b4ab182687318b0497e61e
SHA1 311ba5ffd098689179f299ef20768ee1a29f586d
SHA256 d099cddcb7d71f82c845f5cbf9014e18227341664edc42f1e11d5dfe5a2ea103
SHA512 7cccbb4afa2fade40d529482301beae152e0c71ee3cc41736eb19e35cfc5ee3b91ef958cf5ca6b7330333b8494feb6682fd833d5aa16bf4a8f1f721fd859832c

C:\Users\Admin\AppData\Local\Temp\_MEI27122\setuptools\_vendor\packaging-24.1.dist-info\WHEEL

MD5 24019423ea7c0c2df41c8272a3791e7b
SHA1 aae9ecfb44813b68ca525ba7fa0d988615399c86
SHA256 1196c6921ec87b83e865f450f08d19b8ff5592537f4ef719e83484e546abe33e
SHA512 09ab8e4daa9193cfdee6cf98ccae9db0601f3dcd4944d07bf3ae6fa5bcb9dc0dcafd369de9a650a38d1b46c758db0721eba884446a8a5ad82bb745fd5db5f9b1

memory/6448-4274-0x00007FF965320000-0x00007FF9659E5000-memory.dmp

memory/6448-4296-0x00007FF974990000-0x00007FF97499C000-memory.dmp

memory/6448-4295-0x00007FF9749A0000-0x00007FF9749AB000-memory.dmp

memory/6448-4294-0x00007FF9749B0000-0x00007FF9749BC000-memory.dmp

memory/6448-4293-0x00007FF9749C0000-0x00007FF9749CB000-memory.dmp

memory/6448-4292-0x00007FF9749D0000-0x00007FF9749DC000-memory.dmp

memory/6448-4291-0x00007FF9749E0000-0x00007FF9749EB000-memory.dmp

memory/6448-4290-0x00007FF9749F0000-0x00007FF9749FB000-memory.dmp

memory/6448-4289-0x00007FF974A10000-0x00007FF974A1F000-memory.dmp

memory/6448-4288-0x00007FF964CD0000-0x00007FF964DEA000-memory.dmp

memory/6448-4287-0x00007FF974A20000-0x00007FF974A47000-memory.dmp

memory/6448-4286-0x00007FF975040000-0x00007FF97504B000-memory.dmp

memory/6448-4285-0x00007FF9751A0000-0x00007FF9751AD000-memory.dmp

memory/6448-4284-0x00007FF974A50000-0x00007FF974B1D000-memory.dmp

memory/6448-4283-0x00007FF974B20000-0x00007FF974B53000-memory.dmp

memory/6448-4282-0x00007FF9754A0000-0x00007FF9754AD000-memory.dmp

memory/6448-4281-0x00007FF974CD0000-0x00007FF974CE9000-memory.dmp

memory/6448-4280-0x00007FF964DF0000-0x00007FF965319000-memory.dmp

memory/6448-4279-0x00007FF974CF0000-0x00007FF974D04000-memory.dmp

memory/6448-4278-0x00007FF974D10000-0x00007FF974D3D000-memory.dmp

memory/6448-4277-0x00007FF974D40000-0x00007FF974D5A000-memory.dmp

memory/6448-4276-0x00007FF97B360000-0x00007FF97B36F000-memory.dmp

memory/6448-4275-0x00007FF974D60000-0x00007FF974D85000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-08-22 08:54

Reported

2024-08-22 08:58

Platform

win7-20240705-en

Max time kernel

102s

Max time network

17s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\discord_token_grabber.pyc

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\pyc_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\.pyc C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\pyc_auto_file C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\pyc_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\pyc_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\.pyc\ = "pyc_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\pyc_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\discord_token_grabber.pyc

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\discord_token_grabber.pyc

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\discord_token_grabber.pyc"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 3277e61df8e95ddd1c6b1e97d2fd4f44
SHA1 153f63687d492bac18e414ffba7509d9e1120228
SHA256 df7699d45a3c809a33dfaecc10a8f4fccbfbf373c729f5c1ab98f08073ec71b5
SHA512 82888ff63af800a7a538a56cb617b95624fb6d39aaa072dd4cfdb171ce207f46818de692fee0d07865ad6acc9358a968752e9b3e7485407eb0c2d43f05de604e