Analysis Overview
SHA256
cd7e762aa31fecae08ef0b371abb7c38f2f4778faf60a688c11ade2a606080c3
Threat Level: Likely malicious
The file d14d.dll.exe was found to be: Likely malicious.
Malicious Activity Summary
Command and Scripting Interpreter: PowerShell
Loads dropped DLL
Drops startup file
Unsecured Credentials: Credentials In Files
Reads user/profile data of web browsers
Looks up external IP address via web service
Legitimate hosting services abused for malware hosting/C2
Accesses cryptocurrency files/wallets, possible credential harvesting
UPX packed file
Hide Artifacts: Hidden Files and Directories
System Network Configuration Discovery: Internet Connection Discovery
Browser Information Discovery
Event Triggered Execution: Netsh Helper DLL
System Network Configuration Discovery: Wi-Fi Discovery
Suspicious use of WriteProcessMemory
Runs ping.exe
Detects videocard installed
Suspicious behavior: EnumeratesProcesses
Views/modifies file attributes
Suspicious use of SendNotifyMessage
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
Checks SCSI registry key(s)
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-14 16:33
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-14 16:33
Reported
2024-10-14 16:36
Platform
win7-20241010-en
Max time kernel
120s
Max time network
127s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d14d.dll.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2188 wrote to memory of 2912 | N/A | C:\Users\Admin\AppData\Local\Temp\d14d.dll.exe | C:\Users\Admin\AppData\Local\Temp\d14d.dll.exe |
| PID 2188 wrote to memory of 2912 | N/A | C:\Users\Admin\AppData\Local\Temp\d14d.dll.exe | C:\Users\Admin\AppData\Local\Temp\d14d.dll.exe |
| PID 2188 wrote to memory of 2912 | N/A | C:\Users\Admin\AppData\Local\Temp\d14d.dll.exe | C:\Users\Admin\AppData\Local\Temp\d14d.dll.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\d14d.dll.exe
"C:\Users\Admin\AppData\Local\Temp\d14d.dll.exe"
C:\Users\Admin\AppData\Local\Temp\d14d.dll.exe
"C:\Users\Admin\AppData\Local\Temp\d14d.dll.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\_MEI21882\setuptools\_vendor\backports.tarfile-1.2.0.dist-info\INSTALLER
| MD5 | 365c9bfeb7d89244f2ce01c1de44cb85 |
| SHA1 | d7a03141d5d6b1e88b6b59ef08b6681df212c599 |
| SHA256 | ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508 |
| SHA512 | d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1 |
C:\Users\Admin\AppData\Local\Temp\_MEI21882\setuptools\_vendor\jaraco.functools-4.0.1.dist-info\LICENSE
| MD5 | 141643e11c48898150daa83802dbc65f |
| SHA1 | 0445ed0f69910eeaee036f09a39a13c6e1f37e12 |
| SHA256 | 86da0f01aeae46348a3c3d465195dc1ceccde79f79e87769a64b8da04b2a4741 |
| SHA512 | ef62311602b466397baf0b23caca66114f8838f9e78e1b067787ceb709d09e0530e85a47bbcd4c5a0905b74fdb30df0cc640910c6cc2e67886e5b18794a3583f |
C:\Users\Admin\AppData\Local\Temp\_MEI21882\setuptools\_vendor\jaraco.text-3.12.1.dist-info\WHEEL
| MD5 | 43136dde7dd276932f6197bb6d676ef4 |
| SHA1 | 6b13c105452c519ea0b65ac1a975bd5e19c50122 |
| SHA256 | 189eedfe4581172c1b6a02b97a8f48a14c0b5baa3239e4ca990fbd8871553714 |
| SHA512 | e7712ba7d36deb083ebcc3b641ad3e7d19fb071ee64ae3a35ad6a50ee882b20cd2e60ca1319199df12584fe311a6266ec74f96a3fb67e59f90c7b5909668aee1 |
C:\Users\Admin\AppData\Local\Temp\_MEI21882\python312.dll
| MD5 | ca67f0baf3cc3b7dbb545cda57ba3d81 |
| SHA1 | 5b4e36aef877307af8a8f78f3054d068d1a9ce89 |
| SHA256 | f804ed205e82003da6021ee6d2270733ca00992816e7e89ba13617c96dd0fba3 |
| SHA512 | a9f07dd02714c3efba436326425d443969018ace7ebd7cc33c39d43e3d45480a4fcd4c46c09ad132b4f273888f13e9f598de257130429fcb2519c000e4fab6f7 |
memory/2912-825-0x000007FEF60F0000-0x000007FEF67B5000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-14 16:33
Reported
2024-10-14 16:36
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ .scr | C:\Users\Admin\AppData\Local\Temp\d14d.dll.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ .scr | C:\Users\Admin\AppData\Local\Temp\d14d.dll.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ .scr | C:\Windows\system32\attrib.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Accesses cryptocurrency files/wallets, possible credential harvesting
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Hide Artifacts: Hidden Files and Directories
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Browser Information Discovery
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\SYSTEM32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\SYSTEM32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\SYSTEM32\netsh.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
System Network Configuration Discovery: Wi-Fi Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\netsh.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
Detects videocard installed
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d14d.dll.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\d14d.dll.exe
"C:\Users\Admin\AppData\Local\Temp\d14d.dll.exe"
C:\Users\Admin\AppData\Local\Temp\d14d.dll.exe
"C:\Users\Admin\AppData\Local\Temp\d14d.dll.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c attrib +h +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ .scr"
C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ .scr"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\AppData" & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\Local" & powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe','.py'""
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\AppData"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\Local"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe','.py'"
C:\Windows\SYSTEM32\netsh.exe
netsh wlan show profiles
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic os get Caption"
C:\Windows\System32\Wbem\WMIC.exe
wmic os get Caption
C:\Windows\System32\Wbem\wmic.exe
wmic cpu get Name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get totalphysicalmemory
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid"
C:\Windows\System32\wbem\WMIC.exe
C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path softwarelicensingservice get OA3xOriginalProductKey"
C:\Windows\System32\Wbem\WMIC.exe
wmic path softwarelicensingservice get OA3xOriginalProductKey
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\d14d.dll.exe""
C:\Windows\system32\PING.EXE
ping localhost -n 3
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| GB | 142.250.179.227:443 | gstatic.com | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 8.8.8.8:53 | 227.179.250.142.in-addr.arpa | udp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.111.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.128.233:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 233.128.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 162.159.128.233:443 | discord.com | tcp |
| US | 162.159.128.233:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.17.178.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\_MEI22042\setuptools\_vendor\backports.tarfile-1.2.0.dist-info\INSTALLER
| MD5 | 365c9bfeb7d89244f2ce01c1de44cb85 |
| SHA1 | d7a03141d5d6b1e88b6b59ef08b6681df212c599 |
| SHA256 | ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508 |
| SHA512 | d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1 |
C:\Users\Admin\AppData\Local\Temp\_MEI22042\setuptools\_vendor\jaraco.functools-4.0.1.dist-info\LICENSE
| MD5 | 141643e11c48898150daa83802dbc65f |
| SHA1 | 0445ed0f69910eeaee036f09a39a13c6e1f37e12 |
| SHA256 | 86da0f01aeae46348a3c3d465195dc1ceccde79f79e87769a64b8da04b2a4741 |
| SHA512 | ef62311602b466397baf0b23caca66114f8838f9e78e1b067787ceb709d09e0530e85a47bbcd4c5a0905b74fdb30df0cc640910c6cc2e67886e5b18794a3583f |
C:\Users\Admin\AppData\Local\Temp\_MEI22042\setuptools\_vendor\jaraco.text-3.12.1.dist-info\WHEEL
| MD5 | 43136dde7dd276932f6197bb6d676ef4 |
| SHA1 | 6b13c105452c519ea0b65ac1a975bd5e19c50122 |
| SHA256 | 189eedfe4581172c1b6a02b97a8f48a14c0b5baa3239e4ca990fbd8871553714 |
| SHA512 | e7712ba7d36deb083ebcc3b641ad3e7d19fb071ee64ae3a35ad6a50ee882b20cd2e60ca1319199df12584fe311a6266ec74f96a3fb67e59f90c7b5909668aee1 |
C:\Users\Admin\AppData\Local\Temp\_MEI22042\python312.dll
| MD5 | ca67f0baf3cc3b7dbb545cda57ba3d81 |
| SHA1 | 5b4e36aef877307af8a8f78f3054d068d1a9ce89 |
| SHA256 | f804ed205e82003da6021ee6d2270733ca00992816e7e89ba13617c96dd0fba3 |
| SHA512 | a9f07dd02714c3efba436326425d443969018ace7ebd7cc33c39d43e3d45480a4fcd4c46c09ad132b4f273888f13e9f598de257130429fcb2519c000e4fab6f7 |
C:\Users\Admin\AppData\Local\Temp\_MEI22042\VCRUNTIME140.dll
| MD5 | be8dbe2dc77ebe7f88f910c61aec691a |
| SHA1 | a19f08bb2b1c1de5bb61daf9f2304531321e0e40 |
| SHA256 | 4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83 |
| SHA512 | 0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655 |
memory/4896-827-0x00007FF8CE140000-0x00007FF8CE805000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI22042\base_library.zip
| MD5 | 763d1a751c5d47212fbf0caea63f46f5 |
| SHA1 | 845eaa1046a47b5cf376b3dbefcf7497af25f180 |
| SHA256 | 378a4b40f4fa4a8229c93e0afee819085251af03402ccefa3b469651e50e60b7 |
| SHA512 | bb356dd610e6035f4002671440ce96624addf9a89fd952a6419647a528a551a6ccd0eca0ee2eeb080d9aad683b5afc9415c721fa62c3bcddcb7f1923f59d9c45 |
C:\Users\Admin\AppData\Local\Temp\_MEI22042\python3.dll
| MD5 | 8dbe9bbf7118f4862e02cd2aaf43f1ab |
| SHA1 | 935bc8c5cea4502d0facf0c49c5f2b9c138608ed |
| SHA256 | 29f173e0147390a99f541ba0c0231fdd7dfbca84d0e2e561ef352bf1ec72f5db |
| SHA512 | 938f8387dcc356012ac4a952d371664700b110f7111fcc24f5df7d79791ae95bad0dbaf77d2d6c86c820bfd48a6bdbe8858b7e7ae1a77df88e596556c7135ed4 |
C:\Users\Admin\AppData\Local\Temp\_MEI22042\libffi-8.dll
| MD5 | be8ceb4f7cb0782322f0eb52bc217797 |
| SHA1 | 280a7cc8d297697f7f818e4274a7edd3b53f1e4d |
| SHA256 | 7d08df2c496c32281bf9a010b62e8898b9743db8b95a7ebee12d746c2e95d676 |
| SHA512 | 07318c71c3137114e0cfec7d8b4815fd6efa51ce70b377121f26dc469cefe041d5098e1c92af8ed0c53b21e9c845fddee4d6646d5bd8395a3f1370ba56a59571 |
memory/4896-837-0x00007FF8E5560000-0x00007FF8E556F000-memory.dmp
memory/4896-835-0x00007FF8DD480000-0x00007FF8DD4A5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI22042\_ctypes.pyd
| MD5 | 78f5225e986641eaebfe2bef27865603 |
| SHA1 | 118ac80fdf764f5bfbaad2d803420087b854817d |
| SHA256 | ae55ad9ad1f4cbc398cd0c87556f1f263505cde025c7c7f2c43ce4ae818eb183 |
| SHA512 | 70e18ea660120d60d6bfa17883c2aced276aa858c5da4dca1e1d56203891d996da4f349596c911cb16497db81b42af4ad85e473c3e80f8932557d967c9dad0e4 |
C:\Users\Admin\AppData\Local\Temp\_MEI22042\_bz2.pyd
| MD5 | 9da23eb807a43a954d40048b53a98e6f |
| SHA1 | e639bd9a27409fc72f36b4ec3383eeecdacb9dc5 |
| SHA256 | 02d0d3c0163f69a7e6713742ab98e73321c5298976089fe9a03b6d91d3293ebb |
| SHA512 | c8d164c8d4722dcd04f13aa11307fddd655e73fd03b15c8056b34252bce925ca679b48032313b8587369500d03574213da20e513c3b4c155099a84de9ac0bba8 |
memory/4896-841-0x00007FF8E3690000-0x00007FF8E36AA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI22042\_lzma.pyd
| MD5 | 24a598b2caa17caee2e24d2bb97b445d |
| SHA1 | 262f07406e170284fea0c1e41093bfe1c4a25eab |
| SHA256 | af4ae25b17c7cf23d06e1f37fdefe903a840073266d4314e410a4acec2af6270 |
| SHA512 | 7bdf0a599c488436c118523a67ab154a37ffc5aab0ecec95c463bd068d1121b197c0ebb91dc7db3cf2a3db913abaffd0a60aedb373c0e670c63cd8d85f716f3a |
memory/4896-843-0x00007FF8DD450000-0x00007FF8DD47D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI22042\VCRUNTIME140_1.dll
| MD5 | f8dfa78045620cf8a732e67d1b1eb53d |
| SHA1 | ff9a604d8c99405bfdbbf4295825d3fcbc792704 |
| SHA256 | a113f192195f245f17389e6ecbed8005990bcb2476ddad33f7c4c6c86327afe5 |
| SHA512 | ba7f8b7ab0deb7a7113124c28092b543e216ca08d1cf158d9f40a326fb69f4a2511a41a59ea8482a10c9ec4ec8ac69b70dfe9ca65e525097d93b819d498da371 |
C:\Users\Admin\AppData\Local\Temp\_MEI22042\unicodedata.pyd
| MD5 | 3d5cb46d212da9843d199f6989b37cd5 |
| SHA1 | ce5e427d49ea1adba9c941140f3502c969b6819e |
| SHA256 | 50a55bc145b1f43e5125ef0b09e508946221d02d5fea1b7550a43d8c8c41c970 |
| SHA512 | c52014c96578db4c7f97878a13ca8c2a4574cc6671689bb554382ad0e593eb87fac55961c7c11ef82b04627fb851ac44848bac9ec91fca0afaa965e4f1f24aa5 |
C:\Users\Admin\AppData\Local\Temp\_MEI22042\sqlite3.dll
| MD5 | 132614956f138f3594d1053e3fac4779 |
| SHA1 | 95115f866a87db308ff00af0273e04e31a3fdaae |
| SHA256 | 2a4ae8ca681fa6f8de3b6dbcc3d32652ea3ab3ee7e2be80b7aff822a382ca8ff |
| SHA512 | 5b12b51c78bd72f410e2f53c086322557591d9d66b6d473264fa731763ec2317470009c13cbb9d0985c9006c7f62c4eed14c263295bd7ef11db0bc492c2ca5a0 |
C:\Users\Admin\AppData\Local\Temp\_MEI22042\select.pyd
| MD5 | 6c123b56f3a37c129eff6fc816868b25 |
| SHA1 | ac6b6e3bdc53870ba044a38b9ae9a067b70e7641 |
| SHA256 | 99687f9b1648ac684dfb7937c75e3e50dc16704abd4c4c19601c40ec6971c5ee |
| SHA512 | b840871278a6cc32d5ab0cc6d9c129da0ba2d08b93c3c6c000e3989fe1ab8b09ed82ca547a1057690f52f22e44b203f424e2ccd9655be82a1094547a94ddc3c2 |
C:\Users\Admin\AppData\Local\Temp\_MEI22042\pyexpat.pyd
| MD5 | cfcb1a1159cc2aadba3c62ac44dc2363 |
| SHA1 | e19df1a6c3dfa545c6b2c20355b24584933d7f9f |
| SHA256 | 279aac95d765000d7b3b09b75e66a311a03833a0e28361683cf41161f37e3331 |
| SHA512 | f7f42bc3eb6a2db706f784e2b772c3ce5d0f87b4b3ff6bda6d2f934aecce0174d52623aad0a082dd1efc0f70c990a07fa9768ac96d42ddb52ea5be594198b447 |
C:\Users\Admin\AppData\Local\Temp\_MEI22042\luna.aes
| MD5 | 2afc407a00afb15da0dce63704c2dda0 |
| SHA1 | ab02b385dc0098a6f29639e1e94f119823249408 |
| SHA256 | 1d0184dfacc1233d846ac305e6794e047ec44fbe0e4bb7730f4f588813953994 |
| SHA512 | 015171299d372fd974f14f0c53681e72b1c2e655dcd2a75bce47b1dde11449baa3da33b46d1344b58973235ed1de59e8deff8b6947e813db3270d6b1db72d674 |
C:\Users\Admin\AppData\Local\Temp\_MEI22042\libssl-3.dll
| MD5 | 7e87c34b39f3a8c332df6e15fd83160b |
| SHA1 | db712b55f23d8e946c2d91cbbeb7c9a78a92b484 |
| SHA256 | 41448b8365b3a75cf33894844496eb03f84e5422b72b90bdcb9866051939c601 |
| SHA512 | eceda8b66736edf7f8e7e6d5a17e280342e989c5195525c697cc02dda80fd82d62c7fd4dc6c4825425bae69a820e1262b8d8cc00dbcd73868a26e16c14ac5559 |
C:\Users\Admin\AppData\Local\Temp\_MEI22042\libcrypto-3.dll
| MD5 | 63eb76eccfe70cff3a3935c0f7e8ba0f |
| SHA1 | a8dd05dce28b79047e18633aee5f7e68b2f89a36 |
| SHA256 | 785c8dde9803f8e1b279895c4e598a57dc7b01e0b1a914764fcedef0d7928b4e |
| SHA512 | 8da31fa77ead8711c0c6ffedcef6314f29d02a95411c6aacec626e150f329a5b96e9fdeae8d1a5e24d1ca5384ae2f0939a5cc0d58eb8bdbc5f00e62736dcc322 |
C:\Users\Admin\AppData\Local\Temp\_MEI22042\_wmi.pyd
| MD5 | 9ba21832765a278dfc220426e9c6a2e3 |
| SHA1 | b82716b165f3094b70e41a01b4785ca1b1e2c2de |
| SHA256 | aa23361fc26c1b91fcc458156eeca0ee869c6f9eca30182ceb2b83c810cfaab4 |
| SHA512 | a9232b7593c29543091c0f7d1043cc1b39ff0b7c324362fe860d3ee0674ca069c93a85d0a8c2bb6133904318f67e448c1fd99e491f0ddda57d8d9f984ed106a3 |
C:\Users\Admin\AppData\Local\Temp\_MEI22042\_uuid.pyd
| MD5 | 8f5402bb6aac9c4ff9b4ce5ac3f0f147 |
| SHA1 | 87207e916d0b01047b311d78649763d6e001c773 |
| SHA256 | 793e44c75e7d746af2bb5176e46c454225f07cb27b1747f1b83d1748d81ad9ac |
| SHA512 | 65fdef32aeba850aa818a8c8bf794100725a9831b5242350e6c04d0bca075762e1b650f19c437a17b150e9fca6ad344ec4141a041fa12b5a91652361053c7e81 |
C:\Users\Admin\AppData\Local\Temp\_MEI22042\_ssl.pyd
| MD5 | e5353f0aa2c35efd5b4a1a0805a6978c |
| SHA1 | d92f1066fe79dc1a1afe7ca3c0b9e803aced7e9f |
| SHA256 | 908a3938b962132f3f4429badad0e26a8b138de192a060ca1c1067e2b2ce128a |
| SHA512 | 11c632e69c982a77053fefb22e764dfdb30f6d10abe6c88e2512aa7daf26a0ef59dcc109d262cdb58875f2fba46312027b6e180dc7f0fa24ddc02b78a55c0c28 |
C:\Users\Admin\AppData\Local\Temp\_MEI22042\_sqlite3.pyd
| MD5 | 4381c00145ed565ed992f415aa4e33da |
| SHA1 | 378be370c2290e9d6a9dee406f989c211cf0efe2 |
| SHA256 | d81d61074ed8a476af01a46eefb32a908eb8ab34f7cf7d4f53dcfd8274a163be |
| SHA512 | 57b527e0a2f55c45e1aaee147adb67933b6f6acd5f8eebe6efe97fc5f8c23f20a1303972b45076565d0bff880b751fc039a85673ee88a77a17f969e17ec0a3a7 |
C:\Users\Admin\AppData\Local\Temp\_MEI22042\_socket.pyd
| MD5 | 886d68f020a8a2232fbcb8ab431ff9f8 |
| SHA1 | 65db84d574e9e38281475cb6d86acb94c74ce5b9 |
| SHA256 | 199c490b67f4364a78c6ba7df595e13e483e110345d067bf57b3826d3bf06715 |
| SHA512 | bb33bb67ee0204817282373f72a2666aa32e8e47a717e443247bd493853f804949bb59ae3b4a213fcad306d1ced123cd1377e05df3e353400120928597ed34da |
C:\Users\Admin\AppData\Local\Temp\_MEI22042\_queue.pyd
| MD5 | 52e8135f08c61f94b536d1a1c787bf23 |
| SHA1 | 6ea0d2bd42d3293273b27ea5fb64abef3361ba3f |
| SHA256 | fdcd6416bcbaddc8d0e3b029d2c5f621956066cb95c5fa06c948e7eec25152b8 |
| SHA512 | 06e75181a0831d1493ecc28a02f2f52fd30c1b53a4053e94a974b577ace6cdc912f1cb7223059cdacecf5fabfff1f2fff2955b1ba8f54ce5b15b7a6eec77c452 |
C:\Users\Admin\AppData\Local\Temp\_MEI22042\_overlapped.pyd
| MD5 | ab8d1617e9c0c43c1683a567498c1441 |
| SHA1 | 69ee6500c1bb30b437693283075165dec0861433 |
| SHA256 | 7779b8fc61da810db720956b3d49c0d1c8cd4e05cc662f767fc8f0088cf923d4 |
| SHA512 | f1f79c4499b135c56eef659b82fc46e3869519c1adf0704c0e5fab34f593c741549c236c0c62610f4c9ee2ea10e9acbccb39474a518b66f41c84b3466c133b01 |
C:\Users\Admin\AppData\Local\Temp\_MEI22042\_multiprocessing.pyd
| MD5 | 3cba83d3acab104d0237ca3fd0fda954 |
| SHA1 | 6fd08494729a6f3bef6b908365268bdac1e170f1 |
| SHA256 | a50471d9a065b2e4f0fa61fb88c2dcaa04b7f104fae9ea4bc981d0f6fe39e5fc |
| SHA512 | 09105f6e6ad13d8d89ef81f9d8c6273c0c540d29227d653d3e3a86d210030b1737f3779839088bc3ea1e08aaf2de70cf55d5288f34b7441bfbd8999a33b6e2d9 |
C:\Users\Admin\AppData\Local\Temp\_MEI22042\_hashlib.pyd
| MD5 | 121f21e4c072b1307ec96e26dbb54f48 |
| SHA1 | fd7ffeb22377db68bd6abce8ea526afa14faad0f |
| SHA256 | 8dac9aa352bfcb960501682d412a9eeebea5d1cdde3771ba9b70a0ae2e08e883 |
| SHA512 | bec606d0b9c4cabc263a4eda3b8cd403e2486a4e3369fe99117386c4d1969248c54d762b465ab5bdf87fdcc7a08bf90aa873064c65063db8cd4dc437e7e1e6c5 |
C:\Users\Admin\AppData\Local\Temp\_MEI22042\_decimal.pyd
| MD5 | c67548fec576c79aa4c7d829ebbcb8fd |
| SHA1 | 3c1dd3daf407257ded9717dadcf017fdd8a2c07c |
| SHA256 | 31c2c5200f59969c7078a5a913067dfcdf326cb0d43754e38893239774286fab |
| SHA512 | 696d76f6baf739aa2a0d1d057df6d3f8cba1008c0528c8060bb3808a775393bf5e61578154e0d1bd0f3162195b108fbe51daf005d29d368447b5c8fe844a338b |
C:\Users\Admin\AppData\Local\Temp\_MEI22042\_cffi_backend.cp312-win_amd64.pyd
| MD5 | 27004b1f01511fd6743ee5535de8f570 |
| SHA1 | b97baa60d6c335670b8a923fa7e6411c8e602e55 |
| SHA256 | d2d3e9d9e5855a003e3d8c7502a9814191cf2b77b99ba67777ac170440dfdccf |
| SHA512 | bdcd7a9b9bea5a16186d1a4e097253008d5ecd37a8d8652ec21b034abafbc7e5ff9ca838c5c4cb5618d87b1aceda09e920878c403abafafa867e2d679d4d98d4 |
C:\Users\Admin\AppData\Local\Temp\_MEI22042\_asyncio.pyd
| MD5 | d9f56d51d32bcbade2d954a9427337dc |
| SHA1 | d0e5cee77d5038193580335e3271bb5f1fb6bfc4 |
| SHA256 | 1b6c23b6f235ad58e4062b1dc4ce2c36f031f1469bf9e60c11e07603ca4656e3 |
| SHA512 | fc18968a319c11b2d9f20a376b93cc74503139506b1c9f9ee3dd226edc1ba753cad85c20368e162c14d26cf2f75f70ae7e82b2b9881088235f5eaca66e8dad66 |
memory/4896-865-0x00007FF8E1000000-0x00007FF8E1019000-memory.dmp
memory/4896-867-0x00007FF8E2AE0000-0x00007FF8E2AED000-memory.dmp
memory/4896-870-0x00007FF8E27D0000-0x00007FF8E27DF000-memory.dmp
memory/4896-872-0x00007FF8DD410000-0x00007FF8DD446000-memory.dmp
memory/4896-874-0x00007FF8E0CE0000-0x00007FF8E0CED000-memory.dmp
memory/4896-878-0x00007FF8DD3C0000-0x00007FF8DD3D4000-memory.dmp
memory/4896-880-0x00007FF8DD480000-0x00007FF8DD4A5000-memory.dmp
memory/4896-879-0x00007FF8CD820000-0x00007FF8CDD49000-memory.dmp
memory/4896-877-0x00007FF8CE140000-0x00007FF8CE805000-memory.dmp
memory/4896-882-0x00007FF8DC940000-0x00007FF8DC973000-memory.dmp
memory/4896-884-0x00007FF8CD3E0000-0x00007FF8CD4AD000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI22042\setuptools\_vendor\jaraco\text\Lorem ipsum.txt
| MD5 | 4ce7501f6608f6ce4011d627979e1ae4 |
| SHA1 | 78363672264d9cd3f72d5c1d3665e1657b1a5071 |
| SHA256 | 37fedcffbf73c4eb9f058f47677cb33203a436ff9390e4d38a8e01c9dad28e0b |
| SHA512 | a4cdf92725e1d740758da4dd28df5d1131f70cef46946b173fe6956cc0341f019d7c4fecc3c9605f354e1308858721dada825b4c19f59c5ad1ce01ab84c46b24 |
C:\Users\Admin\AppData\Local\Temp\_MEI22042\zstandard\backend_c.cp312-win_amd64.pyd
| MD5 | 2f12da584a362bad45c6b9b3ddd2445c |
| SHA1 | 86adc05435a9a7dc0b0c676456b15f64d7df6f44 |
| SHA256 | da95d86762fb4ea6a479990e1b91591ccad7d0f88072a7805052cd71168db115 |
| SHA512 | 6113292936ea39c45764c240e04a92479403ef6c64aa959922e94f990f8d405299793acbdeb8a4c924d81857e12b3d83e7c8c93c261e8101f4eee44ab77dc92e |
C:\Users\Admin\AppData\Local\Temp\_MEI22042\charset_normalizer\md.cp312-win_amd64.pyd
| MD5 | e7bc35f372642dd06c9d21a1db3ea4fc |
| SHA1 | e5ea4bf23ee6e21925ea0c19562b9ea586b06e9e |
| SHA256 | d28c01169a704d1ba33c7c650775b206af3d07abcd4168235bc2416d193985c1 |
| SHA512 | 3d294427b21ac6a4ecaa2a95d8cee097d2c7e74b4c0c85c03700c05ecc794df32a988af8d9a725afddca98b1f4eba3ed2b7f3155847330aefbc09214832d8e30 |
memory/4896-894-0x00007FF8DDC10000-0x00007FF8DDC1B000-memory.dmp
memory/4896-895-0x00007FF8DBC90000-0x00007FF8DBCB7000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI22042\charset_normalizer\md__mypyc.cp312-win_amd64.pyd
| MD5 | 044aa54c359f57f827647c7eee04d267 |
| SHA1 | 88b6e44d3c40173a06e9e3378494e0eb9b06d8e0 |
| SHA256 | f03556de88030fa893711275b4daeff39f1f14c30b1967ea3a9b140cc8632bb5 |
| SHA512 | d22cad7389020f0ed895ffcfa6cc17f3a6cb7f73ffebb5636df7b64d6ab3caf7c503e7d407f47f4250fd5981156789b2f7235eb49830b1d86a268ef2c53ed441 |
memory/4896-898-0x00007FF8CD070000-0x00007FF8CD18A000-memory.dmp
memory/4896-897-0x00007FF8E27D0000-0x00007FF8E27DF000-memory.dmp
memory/4896-889-0x00007FF8CD350000-0x00007FF8CD3D7000-memory.dmp
memory/4896-888-0x00007FF8DD450000-0x00007FF8DD47D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI22042\certifi\cacert.pem
| MD5 | 50ea156b773e8803f6c1fe712f746cba |
| SHA1 | 2c68212e96605210eddf740291862bdf59398aef |
| SHA256 | 94edeb66e91774fcae93a05650914e29096259a5c7e871a1f65d461ab5201b47 |
| SHA512 | 01ed2e7177a99e6cb3fbef815321b6fa036ad14a3f93499f2cb5b0dae5b713fd2e6955aa05f6bda11d80e9e0275040005e5b7d616959b28efc62abb43a3238f0 |
C:\Users\Admin\AppData\Local\Temp\_MEI22042\psutil\_psutil_windows.pyd
| MD5 | 3adca2ff39adeb3567b73a4ca6d0253c |
| SHA1 | ae35dde2348c8490f484d1afd0648380090e74fc |
| SHA256 | 92202b877579b74a87be769d58f9d1e8aced8a97336ad70e97d09685a10afeb3 |
| SHA512 | 358d109b23cf99eb7396c450660f193e9e16f85f13737ecf29f4369b44f8356041a08443d157b325ccb5125a5f10410659761eda55f24fcc03a082ac8acdd345 |
memory/4896-903-0x00007FF8DD410000-0x00007FF8DD446000-memory.dmp
memory/4896-906-0x00007FF8D9A70000-0x00007FF8D9A94000-memory.dmp
memory/4896-905-0x00007FF8DA2A0000-0x00007FF8DA2B8000-memory.dmp
memory/4896-909-0x00007FF8CD520000-0x00007FF8CD69F000-memory.dmp
memory/4896-908-0x00007FF8DD3C0000-0x00007FF8DD3D4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI22042\Cryptodome\Cipher\_raw_cbc.pyd
| MD5 | e116f8c6a7376154e6610a6b9bbd7d87 |
| SHA1 | 482465fd942b06a3149149b0a16b9ebadcd19065 |
| SHA256 | 6a44880996aeba9b04acf3383e9a5acc93682fe66644a9e2bc3ea5defc08e09b |
| SHA512 | eb5297b05c18f1dabb3426928d8431a7113390398c5d135c0da1e21b8f9cde3b0a3925deceacb68ab488e85aceca31660b49ebd8e67c991891cc93bb235ff7d5 |
C:\Users\Admin\AppData\Local\Temp\_MEI22042\Cryptodome\Cipher\_raw_ecb.pyd
| MD5 | 5ca4837fc45cd28f290b54bd2e0a67f5 |
| SHA1 | 8aaee26a61a0945ddaffdbf9fd2a87272eeb8822 |
| SHA256 | 77ece4effae2152c6b2e70945ce0779b95b5ca8ecd29b3a6e857b95461399534 |
| SHA512 | d6f0d2b572cc770d8c452d4d2df575c3b988dc6490a506c5602ab4599e88502e1555f5c1af33582295380c9e56d46ff9ccde9a5dba61776958173ece4c1c64c6 |
memory/4896-923-0x00007FF8D4A50000-0x00007FF8D4A5C000-memory.dmp
memory/4896-922-0x00007FF8CD3E0000-0x00007FF8CD4AD000-memory.dmp
memory/4896-924-0x00007FF8DBC90000-0x00007FF8DBCB7000-memory.dmp
memory/4896-926-0x00007FF8D4A30000-0x00007FF8D4A3E000-memory.dmp
memory/4896-931-0x00007FF8D4A00000-0x00007FF8D4A0B000-memory.dmp
memory/4896-930-0x00007FF8D9A70000-0x00007FF8D9A94000-memory.dmp
memory/4896-934-0x00007FF8D4510000-0x00007FF8D451B000-memory.dmp
memory/4896-936-0x00007FF8D16C0000-0x00007FF8D16D2000-memory.dmp
memory/4896-938-0x00007FF8CDDE0000-0x00007FF8CDE0A000-memory.dmp
memory/4896-939-0x00007FF8CDDB0000-0x00007FF8CDDDF000-memory.dmp
memory/4896-937-0x00007FF8D16B0000-0x00007FF8D16BC000-memory.dmp
memory/4896-941-0x00007FF8CDD90000-0x00007FF8CDDAC000-memory.dmp
memory/4896-940-0x00007FF8CF230000-0x00007FF8CF23B000-memory.dmp
memory/4896-935-0x00007FF8D16E0000-0x00007FF8D16ED000-memory.dmp
memory/4896-933-0x00007FF8D49F0000-0x00007FF8D49FC000-memory.dmp
memory/4896-932-0x00007FF8CD520000-0x00007FF8CD69F000-memory.dmp
memory/4896-929-0x00007FF8D4A10000-0x00007FF8D4A1B000-memory.dmp
memory/4896-928-0x00007FF8D4A20000-0x00007FF8D4A2C000-memory.dmp
memory/4896-927-0x00007FF8CD070000-0x00007FF8CD18A000-memory.dmp
memory/4896-925-0x00007FF8D4A40000-0x00007FF8D4A4D000-memory.dmp
memory/4896-921-0x00007FF8D4A60000-0x00007FF8D4A6B000-memory.dmp
memory/4896-920-0x00007FF8DC940000-0x00007FF8DC973000-memory.dmp
memory/4896-919-0x00007FF8DCE80000-0x00007FF8DCE8B000-memory.dmp
memory/4896-918-0x00007FF8D6C10000-0x00007FF8D6C1C000-memory.dmp
memory/4896-917-0x00007FF8D9A60000-0x00007FF8D9A6B000-memory.dmp
memory/4896-916-0x00007FF8DC670000-0x00007FF8DC67C000-memory.dmp
memory/4896-915-0x00007FF8DD4F0000-0x00007FF8DD4FB000-memory.dmp
memory/4896-914-0x00007FF8CD820000-0x00007FF8CDD49000-memory.dmp
memory/4896-942-0x00007FF8CCC40000-0x00007FF8CD065000-memory.dmp
memory/4896-943-0x00007FF8CB7F0000-0x00007FF8CCB97000-memory.dmp
memory/4896-944-0x00007FF8CDD60000-0x00007FF8CDD82000-memory.dmp
memory/4896-945-0x00007FF8CB5A0000-0x00007FF8CB7E9000-memory.dmp
memory/4896-951-0x00007FF8CDDE0000-0x00007FF8CDE0A000-memory.dmp
memory/4544-950-0x00007FF8CA9B3000-0x00007FF8CA9B5000-memory.dmp
memory/4544-952-0x000001FB30F00000-0x000001FB30F22000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sxoxdcca.smc.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4544-962-0x00007FF8CA9B0000-0x00007FF8CB471000-memory.dmp
memory/4544-963-0x00007FF8CA9B0000-0x00007FF8CB471000-memory.dmp
memory/4544-966-0x00007FF8CA9B0000-0x00007FF8CB471000-memory.dmp
memory/4896-1033-0x00007FF8CCC40000-0x00007FF8CD065000-memory.dmp
memory/4896-1034-0x00007FF8CB7F0000-0x00007FF8CCB97000-memory.dmp
memory/4896-1047-0x00007FF8DC940000-0x00007FF8DC973000-memory.dmp
memory/4896-1068-0x00007FF8CB5A0000-0x00007FF8CB7E9000-memory.dmp
memory/4896-1053-0x00007FF8DA2A0000-0x00007FF8DA2B8000-memory.dmp
memory/4896-1042-0x00007FF8E27D0000-0x00007FF8E27DF000-memory.dmp
memory/4896-1035-0x00007FF8CE140000-0x00007FF8CE805000-memory.dmp
memory/4896-1036-0x00007FF8DD480000-0x00007FF8DD4A5000-memory.dmp
memory/4896-1055-0x00007FF8CD520000-0x00007FF8CD69F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tfhjaJeNoL\Common Files\ApproveMerge.docx
| MD5 | 0d1b70fbbce81a2ade65547137b6ad78 |
| SHA1 | d6f26f9f6368705d3455303f112744fda4c343a6 |
| SHA256 | 332a288cdbaeceaf1dea244e7b671f7af0bd2d9705a5c1068954596700233342 |
| SHA512 | 36c2eac78d52305c475a69c6d13d60ad2f903e6d9903d207d0998cac141ac70d7d762d9488bd44231e8076f601f3393fa8ad9e2f98aed08c2a8e98152da87abe |
C:\Users\Admin\AppData\Local\Temp\tfhjaJeNoL\Browser\history.txt
| MD5 | 5638715e9aaa8d3f45999ec395e18e77 |
| SHA1 | 4e3dc4a1123edddf06d92575a033b42a662fe4ad |
| SHA256 | 4db7f6559c454d34d9c2d557524603c3f52649c2d69b26b6e8384a3d179aeae6 |
| SHA512 | 78c96efab1d941e34d3137eae32cef041e2db5b0ebbf883e6a2effa79a323f66e00cfb7c45eb3398b3cbd0469a2be513c3ff63e5622261857eefc1685f77f76b |
C:\Users\Admin\AppData\Local\Temp\tfhjaJeNoL\Browser\cc's.txt
| MD5 | 5aa796b6950a92a226cc5c98ed1c47e8 |
| SHA1 | 6706a4082fc2c141272122f1ca424a446506c44d |
| SHA256 | c4c83da3a904a4e7114f9bd46790db502cdd04800e684accb991cd1a08ee151c |
| SHA512 | 976f403257671e8f652bf988f4047202e1a0fd368fdb2bab2e79ece1c20c7eb775c4b3a8853c223d4f750f4192cd09455ff024918276dc1dd1442fa3b36623ad |
C:\Users\Admin\AppData\Local\Temp\tfhjaJeNoL\Common Files\BlockSync.doc
| MD5 | 0101b384f108fba68391c0ac47c2cfb9 |
| SHA1 | cfdcb355c8721d3d393db577b8d72fc1667e1b3b |
| SHA256 | 2d92d1f439a66a196fcb4e8449860be112b4e3bd7faa4354f8f496f952b33f26 |
| SHA512 | e81b1e4c5c1d728a952e1f30767713feaae52c5598d53b35213bdebc3621fca7fa1ed8e702ba8e09f408b4b540a485d42525b2a55502f664b886a7f0b4120f8f |
C:\Users\Admin\AppData\Local\Temp\tfhjaJeNoL\Common Files\ClearExpand.docx
| MD5 | fcae6349674f69477df3ffd5ffd6b009 |
| SHA1 | b721f807c2e4aee61a070ed1a541d1ce9b0fc3ad |
| SHA256 | 598bbd1722a787d5634f0966f93b92f1b83542960a1070233c8cb4792c85446b |
| SHA512 | fa22bd67ee40aba4f93e90f8c817957ae47fa5cafbf67a945cb7e5184662e6ba5f5ec2b8e1d603d6d97e4b37e4ab0f0e6fd94ec14711ad12befc5482ebc29222 |
C:\Users\Admin\AppData\Local\Temp\tfhjaJeNoL\Common Files\ExportComplete.ods
| MD5 | 8d03e4761cbd1f770e47f1b5367ab57b |
| SHA1 | 5de8598866dda93857cf9ace42296b418c19e22f |
| SHA256 | 804e6d6c79f6eb9620088b9d9e78276721968b27781361af44bede027af28172 |
| SHA512 | 6bb2ceaf3686ece362629fc04b9716adc240ca8069b6afe91ee31ee24af22bbc4c8f03db69cd277ccd353860ecd1b26b48e1d98e5c84182634f004dc3cbcd825 |
C:\Users\Admin\AppData\Local\Temp\tfhjaJeNoL\Common Files\CloseBackup.docx
| MD5 | f0d8427be1c1e3889c23cf4cf5e7a680 |
| SHA1 | cc289eab3842fc43dfbc44f9e7d61167adfd8e26 |
| SHA256 | 5698effb4be73bfdf577002270fbc310f0556e03ded41ed1a9b5f3a98d61fd80 |
| SHA512 | 10831e504e8a1b7ff851db20a3581a5839d505da8fa236988f56f948a9cfee282038a972480036d246e1699b8fcfc33f0604ef4abf915211190d2385b90a369c |
C:\Users\Admin\AppData\Local\Temp\tfhjaJeNoL\Common Files\PingSelect.docx
| MD5 | ae3f084d4b1c4c19d3a157b0ad1b39a9 |
| SHA1 | 40bfe50198646865c35ef959fd036843191b997a |
| SHA256 | b65c925e983d94efaa972496811726ed4f8a9caad2dd1612b32b0d7646db3f45 |
| SHA512 | 5f333111209e1764d685b7c4578fb47ba24b72113fcf8ad17c756abb998d66a634923117fc9dc9b1f38dcf597bb318f515d858cd07613327df676fc496f560af |
C:\Users\Admin\AppData\Local\Temp\tfhjaJeNoL\Common Files\GroupOpen.docx
| MD5 | e78d50b284757c9835bd21abef3a3cc2 |
| SHA1 | 8e91e302b31cd940950a87c36d539df311def416 |
| SHA256 | 5a0c3b8390d1abc7f3edc5deabb011069062a6f47898f7618940510238950eda |
| SHA512 | 36c72cebcf073c5975e11ca8e19ae912736a60c0e44831c0828e6fa8505a508579b3fe40f48d1a2fd733fcefe3d7de6e0ec567e08839dde3c8bb1b38006680e4 |
C:\Users\Admin\AppData\Local\Temp\tfhjaJeNoL\Common Files\TraceUnprotect.docx
| MD5 | feb5e864f456ea0d3f050d365a685f06 |
| SHA1 | 5d0d6e13bb6c88c53d6f2efab6dec085cbdf73b0 |
| SHA256 | d024af9341abda2d45c701ede1bf4f7c6128474f988d103426d5ba299298e54b |
| SHA512 | 9776ab840654ee671537827cf4d97e5be171e7765227b4eb71c98eaa572574e232c3eebfb47a5990f7ed9c7b3fb331fb47e85deb9e5849d87b5919c0e8a71d35 |
memory/4896-1109-0x00007FF8CE140000-0x00007FF8CE805000-memory.dmp
memory/4896-1148-0x00007FF8DD010000-0x00007FF8DD01F000-memory.dmp
memory/4896-1196-0x00007FF8DD3C0000-0x00007FF8DD3D4000-memory.dmp
memory/4896-1202-0x00007FF8DBC90000-0x00007FF8DBCB7000-memory.dmp
memory/4896-1205-0x00007FF8D4A10000-0x00007FF8D4A1B000-memory.dmp
memory/4896-1210-0x00007FF8D6C10000-0x00007FF8D6C1C000-memory.dmp
memory/4896-1209-0x00007FF8D9A60000-0x00007FF8D9A6B000-memory.dmp
memory/4896-1208-0x00007FF8DC670000-0x00007FF8DC67C000-memory.dmp
memory/4896-1207-0x00007FF8DD4F0000-0x00007FF8DD4FB000-memory.dmp
memory/4896-1206-0x00007FF8CD520000-0x00007FF8CD69F000-memory.dmp
memory/4896-1204-0x00007FF8D9A70000-0x00007FF8D9A94000-memory.dmp
memory/4896-1203-0x00007FF8CD070000-0x00007FF8CD18A000-memory.dmp
memory/4896-1201-0x00007FF8DDC10000-0x00007FF8DDC1B000-memory.dmp
memory/4896-1200-0x00007FF8CD350000-0x00007FF8CD3D7000-memory.dmp
memory/4896-1199-0x00007FF8D4A50000-0x00007FF8D4A5C000-memory.dmp
memory/4896-1198-0x00007FF8D4A60000-0x00007FF8D4A6B000-memory.dmp
memory/4896-1197-0x00007FF8CE140000-0x00007FF8CE805000-memory.dmp
memory/4896-1195-0x00007FF8E0CE0000-0x00007FF8E0CED000-memory.dmp
memory/4896-1194-0x00007FF8DD410000-0x00007FF8DD446000-memory.dmp
memory/4896-1193-0x00007FF8E27D0000-0x00007FF8E27DF000-memory.dmp
memory/4896-1192-0x00007FF8E2AE0000-0x00007FF8E2AED000-memory.dmp
memory/4896-1191-0x00007FF8E1000000-0x00007FF8E1019000-memory.dmp
memory/4896-1190-0x00007FF8DD450000-0x00007FF8DD47D000-memory.dmp
memory/4896-1189-0x00007FF8E3690000-0x00007FF8E36AA000-memory.dmp
memory/4896-1188-0x00007FF8E5560000-0x00007FF8E556F000-memory.dmp
memory/4896-1187-0x00007FF8DD480000-0x00007FF8DD4A5000-memory.dmp
memory/4896-1186-0x00007FF8DCE80000-0x00007FF8DCE8B000-memory.dmp
memory/4896-1211-0x00007FF8CD820000-0x00007FF8CDD49000-memory.dmp
memory/4896-1212-0x00007FF8DC940000-0x00007FF8DC973000-memory.dmp