Malware Analysis Report

2025-01-22 20:39

Sample ID: 241019-y32f8sydrr
Target: decc924c5d9724166e627622abfe52636a28c89253307aa88966c70b77a3e1a6
SHA256: decc924c5d9724166e627622abfe52636a28c89253307aa88966c70b77a3e1a6
Tags: discovery evasion execution persistence privilege_escalation ransomware spyware stealer pyinstaller
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: decc924c5d9724166e627622abfe52636a28c89253307aa88966c70b77a3e1a6

Threat Level: Known bad

The file decc924c5d9724166e627622abfe52636a28c89253307aa88966c70b77a3e1a6 was found to be: Known bad.

Malicious Activity Summary

discovery evasion execution persistence privilege_escalation ransomware spyware stealer pyinstaller

Disables service(s)

Renames multiple (182) files with added filename extension

Modifies Windows Firewall

Drops file in Drivers directory

Stops running service(s)

Reads user/profile data of web browsers

Loads dropped DLL

Drops startup file

Command and Scripting Interpreter: PowerShell

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

Launches sc.exe

Detects Pyinstaller

Unsigned PE

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

System Location Discovery: System Language Discovery

Opens file in notepad (likely ransom note)

Kills process with taskkill

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

System policy modification

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-10-19 20:19

Signatures

Detects Pyinstaller

pyinstaller
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |

Unsigned PE

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |

Analysis: behavioral2

Detonation Overview

Submitted: 2024-10-19 20:19
Reported: 2024-10-19 20:22
Platform: win10v2004-20241007-en
Max time kernel: 149s
Max time network: 127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\decc924c5d9724166e627622abfe52636a28c89253307aa88966c70b77a3e1a6.exe"

Signatures

Disables service(s)

evasion execution

Renames multiple (182) files with added filename extension

ransomware

Drops file in Drivers directory

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\decc924c5d9724166e627622abfe52636a28c89253307aa88966c70b77a3e1a6.exe | N/A |

Modifies Windows Firewall

evasion
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |

Stops running service(s)

evasion execution

Drops startup file

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyScript.lnk | C:\Users\Admin\AppData\Local\Temp\decc924c5d9724166e627622abfe52636a28c89253307aa88966c70b77a3e1a6.exe | N/A |

Loads dropped DLL

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\decc924c5d9724166e627622abfe52636a28c89253307aa88966c70b77a3e1a6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\decc924c5d9724166e627622abfe52636a28c89253307aa88966c70b77a3e1a6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\decc924c5d9724166e627622abfe52636a28c89253307aa88966c70b77a3e1a6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\decc924c5d9724166e627622abfe52636a28c89253307aa88966c70b77a3e1a6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\decc924c5d9724166e627622abfe52636a28c89253307aa88966c70b77a3e1a6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\decc924c5d9724166e627622abfe52636a28c89253307aa88966c70b77a3e1a6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\decc924c5d9724166e627622abfe52636a28c89253307aa88966c70b77a3e1a6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\decc924c5d9724166e627622abfe52636a28c89253307aa88966c70b77a3e1a6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\decc924c5d9724166e627622abfe52636a28c89253307aa88966c70b77a3e1a6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\decc924c5d9724166e627622abfe52636a28c89253307aa88966c70b77a3e1a6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\decc924c5d9724166e627622abfe52636a28c89253307aa88966c70b77a3e1a6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\decc924c5d9724166e627622abfe52636a28c89253307aa88966c70b77a3e1a6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\decc924c5d9724166e627622abfe52636a28c89253307aa88966c70b77a3e1a6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\decc924c5d9724166e627622abfe52636a28c89253307aa88966c70b77a3e1a6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\decc924c5d9724166e627622abfe52636a28c89253307aa88966c70b77a3e1a6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\decc924c5d9724166e627622abfe52636a28c89253307aa88966c70b77a3e1a6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\decc924c5d9724166e627622abfe52636a28c89253307aa88966c70b77a3e1a6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\decc924c5d9724166e627622abfe52636a28c89253307aa88966c70b77a3e1a6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\decc924c5d9724166e627622abfe52636a28c89253307aa88966c70b77a3e1a6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\decc924c5d9724166e627622abfe52636a28c89253307aa88966c70b77a3e1a6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\decc924c5d9724166e627622abfe52636a28c89253307aa88966c70b77a3e1a6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\decc924c5d9724166e627622abfe52636a28c89253307aa88966c70b77a3e1a6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\decc924c5d9724166e627622abfe52636a28c89253307aa88966c70b77a3e1a6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\decc924c5d9724166e627622abfe52636a28c89253307aa88966c70b77a3e1a6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\decc924c5d9724166e627622abfe52636a28c89253307aa88966c70b77a3e1a6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\decc924c5d9724166e627622abfe52636a28c89253307aa88966c70b77a3e1a6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\decc924c5d9724166e627622abfe52636a28c89253307aa88966c70b77a3e1a6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\decc924c5d9724166e627622abfe52636a28c89253307aa88966c70b77a3e1a6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\decc924c5d9724166e627622abfe52636a28c89253307aa88966c70b77a3e1a6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\decc924c5d9724166e627622abfe52636a28c89253307aa88966c70b77a3e1a6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\decc924c5d9724166e627622abfe52636a28c89253307aa88966c70b77a3e1a6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\decc924c5d9724166e627622abfe52636a28c89253307aa88966c70b77a3e1a6.exe | N/A |

Reads user/profile data of web browsers

spyware stealer

Command and Scripting Interpreter: PowerShell

execution
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |

Legitimate hosting services abused for malware hosting/C2

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |

Looks up external IP address via web service

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |

Launches sc.exe

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |

System Location Discovery: System Language Discovery

discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\decc924c5d9724166e627622abfe52636a28c89253307aa88966c70b77a3e1a6.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\decc924c5d9724166e627622abfe52636a28c89253307aa88966c70b77a3e1a6.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\notepad.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |

Kills process with taskkill

evasion
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |

Opens file in notepad (likely ransom note)

ransomware
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\notepad.exe | N/A |

Suspicious behavior: EnumeratesProcesses

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |

Suspicious use of AdjustPrivilegeToken

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\decc924c5d9724166e627622abfe52636a28c89253307aa88966c70b77a3e1a6.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1396 wrote to memory of 5004 | N/A | C:\Users\Admin\AppData\Local\Temp\decc924c5d9724166e627622abfe52636a28c89253307aa88966c70b77a3e1a6.exe | C:\Users\Admin\AppData\Local\Temp\decc924c5d9724166e627622abfe52636a28c89253307aa88966c70b77a3e1a6.exe |
| PID 1396 wrote to memory of 5004 | N/A | C:\Users\Admin\AppData\Local\Temp\decc924c5d9724166e627622abfe52636a28c89253307aa88966c70b77a3e1a6.exe | C:\Users\Admin\AppData\Local\Temp\decc924c5d9724166e627622abfe52636a28c89253307aa88966c70b77a3e1a6.exe |
| PID 1396 wrote to memory of 5004 | N/A | C:\Users\Admin\AppData\Local\Temp\decc924c5d9724166e627622abfe52636a28c89253307aa88966c70b77a3e1a6.exe | C:\Users\Admin\AppData\Local\Temp\decc924c5d9724166e627622abfe52636a28c89253307aa88966c70b77a3e1a6.exe |
| PID 5004 wrote to memory of 832 | N/A | C:\Users\Admin\AppData\Local\Temp\decc924c5d9724166e627622abfe52636a28c89253307aa88966c70b77a3e1a6.exe | C:\Windows\SysWOW64\taskkill.exe |
| PID 5004 wrote to memory of 832 | N/A | C:\Users\Admin\AppData\Local\Temp\decc924c5d9724166e627622abfe52636a28c89253307aa88966c70b77a3e1a6.exe | C:\Windows\SysWOW64\taskkill.exe |
| PID 5004 wrote to memory of 832 | N/A | C:\Users\Admin\AppData\Local\Temp\decc924c5d9724166e627622abfe52636a28c89253307aa88966c70b77a3e1a6.exe | C:\Windows\SysWOW64\taskkill.exe |
| PID 5004 wrote to memory of 3428 | N/A | C:\Users\Admin\AppData\Local\Temp\decc924c5d9724166e627622abfe52636a28c89253307aa88966c70b77a3e1a6.exe | C:\Windows\SysWOW64\taskkill.exe |
| PID 5004 wrote to memory of 3428 | N/A | C:\Users\Admin\AppData\Local\Temp\decc924c5d9724166e627622abfe52636a28c89253307aa88966c70b77a3e1a6.exe | C:\Windows\SysWOW64\taskkill.exe |
| PID 5004 wrote to memory of 3428 | N/A | C:\Users\Admin\AppData\Local\Temp\decc924c5d9724166e627622abfe52636a28c89253307aa88966c70b77a3e1a6.exe | C:\Windows\SysWOW64\taskkill.exe |
| PID 5004 wrote to memory of 4564 | N/A | C:\Users\Admin\AppData\Local\Temp\decc924c5d9724166e627622abfe52636a28c89253307aa88966c70b77a3e1a6.exe | C:\Windows\SysWOW64\taskkill.exe |
| PID 5004 wrote to memory of 4564 | N/A | C:\Users\Admin\AppData\Local\Temp\decc924c5d9724166e627622abfe52636a28c89253307aa88966c70b77a3e1a6.exe | C:\Windows\SysWOW64\taskkill.exe |
| PID 5004 wrote to memory of 4564 | N/A | C:\Users\Admin\AppData\Local\Temp\decc924c5d9724166e627622abfe52636a28c89253307aa88966c70b77a3e1a6.exe | C:\Windows\SysWOW64\taskkill.exe |
| PID 5004 wrote to memory of 1496 | N/A | C:\Users\Admin\AppData\Local\Temp\decc924c5d9724166e627622abfe52636a28c89253307aa88966c70b77a3e1a6.exe | C:\Windows\SysWOW64\taskkill.exe |
| PID 5004 wrote to memory of 1496 | N/A | C:\Users\Admin\AppData\Local\Temp\decc924c5d9724166e627622abfe52636a28c89253307aa88966c70b77a3e1a6.exe | C:\Windows\SysWOW64\taskkill.exe |
| PID 5004 wrote to memory of 1496 | N/A | C:\Users\Admin\AppData\Local\Temp\decc924c5d9724166e627622abfe52636a28c89253307aa88966c70b77a3e1a6.exe | C:\Windows\SysWOW64\taskkill.exe |
| PID 5004 wrote to memory of 1084 | N/A | C:\Users\Admin\AppData\Local\Temp\decc924c5d9724166e627622abfe52636a28c89253307aa88966c70b77a3e1a6.exe | C:\Windows\SysWOW64\notepad.exe |
| PID 5004 wrote to memory of 1084 | N/A | C:\Users\Admin\AppData\Local\Temp\decc924c5d9724166e627622abfe52636a28c89253307aa88966c70b77a3e1a6.exe | C:\Windows\SysWOW64\notepad.exe |
| PID 5004 wrote to memory of 1084 | N/A | C:\Users\Admin\AppData\Local\Temp\decc924c5d9724166e627622abfe52636a28c89253307aa88966c70b77a3e1a6.exe | C:\Windows\SysWOW64\notepad.exe |
| PID 5004 wrote to memory of 1612 | N/A | C:\Users\Admin\AppData\Local\Temp\decc924c5d9724166e627622abfe52636a28c89253307aa88966c70b77a3e1a6.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 5004 wrote to memory of 1612 | N/A | C:\Users\Admin\AppData\Local\Temp\decc924c5d9724166e627622abfe52636a28c89253307aa88966c70b77a3e1a6.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 5004 wrote to memory of 1612 | N/A | C:\Users\Admin\AppData\Local\Temp\decc924c5d9724166e627622abfe52636a28c89253307aa88966c70b77a3e1a6.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 5004 wrote to memory of 2524 | N/A | C:\Users\Admin\AppData\Local\Temp\decc924c5d9724166e627622abfe52636a28c89253307aa88966c70b77a3e1a6.exe | C:\Windows\SysWOW64\sc.exe |
| PID 5004 wrote to memory of 2524 | N/A | C:\Users\Admin\AppData\Local\Temp\decc924c5d9724166e627622abfe52636a28c89253307aa88966c70b77a3e1a6.exe | C:\Windows\SysWOW64\sc.exe |
| PID 5004 wrote to memory of 2524 | N/A | C:\Users\Admin\AppData\Local\Temp\decc924c5d9724166e627622abfe52636a28c89253307aa88966c70b77a3e1a6.exe | C:\Windows\SysWOW64\sc.exe |
| PID 5004 wrote to memory of 2760 | N/A | C:\Users\Admin\AppData\Local\Temp\decc924c5d9724166e627622abfe52636a28c89253307aa88966c70b77a3e1a6.exe | C:\Windows\SysWOW64\sc.exe |
| PID 5004 wrote to memory of 2760 | N/A | C:\Users\Admin\AppData\Local\Temp\decc924c5d9724166e627622abfe52636a28c89253307aa88966c70b77a3e1a6.exe | C:\Windows\SysWOW64\sc.exe |
| PID 5004 wrote to memory of 2760 | N/A | C:\Users\Admin\AppData\Local\Temp\decc924c5d9724166e627622abfe52636a28c89253307aa88966c70b77a3e1a6.exe | C:\Windows\SysWOW64\sc.exe |
| PID 5004 wrote to memory of 4904 | N/A | C:\Users\Admin\AppData\Local\Temp\decc924c5d9724166e627622abfe52636a28c89253307aa88966c70b77a3e1a6.exe | C:\Windows\SysWOW64\netsh.exe |
| PID 5004 wrote to memory of 4904 | N/A | C:\Users\Admin\AppData\Local\Temp\decc924c5d9724166e627622abfe52636a28c89253307aa88966c70b77a3e1a6.exe | C:\Windows\SysWOW64\netsh.exe |
| PID 5004 wrote to memory of 4904 | N/A | C:\Users\Admin\AppData\Local\Temp\decc924c5d9724166e627622abfe52636a28c89253307aa88966c70b77a3e1a6.exe | C:\Windows\SysWOW64\netsh.exe |
| PID 5004 wrote to memory of 1676 | N/A | C:\Users\Admin\AppData\Local\Temp\decc924c5d9724166e627622abfe52636a28c89253307aa88966c70b77a3e1a6.exe | C:\Windows\SysWOW64\sc.exe |
| PID 5004 wrote to memory of 1676 | N/A | C:\Users\Admin\AppData\Local\Temp\decc924c5d9724166e627622abfe52636a28c89253307aa88966c70b77a3e1a6.exe | C:\Windows\SysWOW64\sc.exe |
| PID 5004 wrote to memory of 1676 | N/A | C:\Users\Admin\AppData\Local\Temp\decc924c5d9724166e627622abfe52636a28c89253307aa88966c70b77a3e1a6.exe | C:\Windows\SysWOW64\sc.exe |

System policy modification

evasion
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableResetOption = "1" | C:\Users\Admin\AppData\Local\Temp\decc924c5d9724166e627622abfe52636a28c89253307aa88966c70b77a3e1a6.exe | N/A |

Processes

| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\decc924c5d9724166e627622abfe52636a28c89253307aa88966c70b77a3e1a6.exe | "C:\Users\Admin\AppData\Local\Temp\decc924c5d9724166e627622abfe52636a28c89253307aa88966c70b77a3e1a6.exe" |
| C:\Users\Admin\AppData\Local\Temp\decc924c5d9724166e627622abfe52636a28c89253307aa88966c70b77a3e1a6.exe | "C:\Users\Admin\AppData\Local\Temp\decc924c5d9724166e627622abfe52636a28c89253307aa88966c70b77a3e1a6.exe" |
| C:\Windows\SysWOW64\taskkill.exe | taskkill /F /IM chrome.exe |
| C:\Windows\SysWOW64\taskkill.exe | taskkill /F /IM msedge.exe |
| C:\Windows\SysWOW64\taskkill.exe | taskkill /F /IM firefox.exe |
| C:\Windows\SysWOW64\taskkill.exe | taskkill /F /IM brave.exe |
| C:\Windows\SysWOW64\notepad.exe | notepad.exe C:\Temp\ransom_message.txt |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true |
| C:\Windows\SysWOW64\sc.exe | sc config wuauserv start= disabled |
| C:\Windows\SysWOW64\sc.exe | sc stop wuauserv |
| C:\Windows\SysWOW64\netsh.exe | netsh advfirewall set allprofiles state off |
| C:\Windows\SysWOW64\sc.exe | sc config wscsvc start= disabled |

Network

| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 232.136.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.59.117.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 45.19.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |

Files

C:\Users\Admin\AppData\Local\Temp\_MEI13962\wheel-0.43.0.dist-info\INSTALLER

MD5 365c9bfeb7d89244f2ce01c1de44cb85
SHA1 d7a03141d5d6b1e88b6b59ef08b6681df212c599
SHA256 ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508
SHA512 d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

C:\Users\Admin\AppData\Local\Temp\_MEI13962\python39.dll

MD5 2a9c5db70c6906571f2ca3a07521baa2
SHA1 765fa27bbee6a02b20b14b2b78c92a880e6627e5
SHA256 c69ce89b0487d86a63b64951207781f8051282afde67b20d3b8374c1a067f611
SHA512 fa4a677eaae2d258ac4f083a4e7009d985523b964ada93f53dc399a88c14970c7be2d2f39a7b38a922b58d134df2ede954554dcd00a4895e4273161867acac53

C:\Users\Admin\AppData\Local\Temp\_MEI13962\_bz2.pyd

MD5 387725bc6de235719ae355dfaa81e67c
SHA1 428b74b0bf8acd04eb20dc5a016352042c812c7a
SHA256 a9de8848c95518434cb5c2a9cb9d648cba140021e49f2e5212becf13a329b5d0
SHA512 bed2d6902f2ddd7dc7c2043c210ce682df75616ca63d163b756559dc7d33e926733f96d5407dc856061fba711ce41de9b01bb7b9db3940fa359c32c40d9f8233

C:\Users\Admin\AppData\Local\Temp\_MEI13962\_lzma.pyd

MD5 f6b74ac19fb0601a4e612a8dc0c916e3
SHA1 d4a77386caf7f70e66d5ec4543c8d9de0e4bc39f
SHA256 ce2ea2c96afd8c0cf97fc55130f835b6625a0772d86b259ea82bbc0b3def75e6
SHA512 0b60c51f76eb6872000d92bbec7fdabf687f5096fd12f1456cf26ad6033c22b998aee94842fda800288bef94790608204f97a7ed034544a1377cbf9722c6a826

C:\Users\Admin\AppData\Local\Temp\_MEI13962\_socket.pyd

MD5 a9450642d8832893998bd213d98d509b
SHA1 3ef416ffaa438a2809cdffddd1b2717461ead7d4
SHA256 5407750d69d74318ec66bd1464558c07c06c6aa9edbc0641cd2dd7533378772b
SHA512 93027a694800d2d92ba773e8232ee016946ee9b36ba211537619df0508e9f50660b9a292d29dd4e90c2406b29bd3b1f8e4eb2226945b7163b2bd3227d4482323

C:\Users\Admin\AppData\Local\Temp\_MEI13962\select.pyd

MD5 1559cf3605d62c03d6ff2440ea3e175f
SHA1 26faec2bafd8523d1705021d06c56947b58cda1c
SHA256 b8da64fa424e5fb2bc8de93d2c0dcb55076cd9345452d3c624b3fcbbbe15644b
SHA512 1891a356ae98a09a7476697b6e7dd0de6b940043910a9aa414e17a523118d76dd0c55ea786d9bd2a77d792bdf95a75b272352eb813d928c429a707a78c09f05c

C:\Users\Admin\AppData\Local\Temp\_MEI13962\pywin32_system32\pythoncom39.dll

MD5 266bf47153d9ae3f8fccec73352469c0
SHA1 eaec57989150d326371a178bad5ca67f61c8d15f
SHA256 427eb21b7100e453d19f6c9a557beeba7f06097d0d33da78cdb2f970b2f16a96
SHA512 f110f827c7dac1a1cdcded7ddef804e4ff06768fdbe74e2da1aa7200a63ba9f53040b89094242b6635df37dcdc50768954601d04f9659bf0452833e5b2176d86

C:\Users\Admin\AppData\Local\Temp\_MEI13962\win32\win32api.pyd

MD5 9bd844254690f978884d24a4f2163184
SHA1 f41c8756f38becd7712bd7f5a4b956d1c682b2b1
SHA256 d18aac0acc64a5bb670d3dc4d82033a84d1411e0d32ed0c7f1819760f7b25425
SHA512 1453d6d233c8390edfcd4e4ccbdcb1c34a153555d0f8cc00d75c98e8e51791213c068227dc545ab7bc8046e3a5fa9df6ca83900ea50b042824286a683826450b

C:\Users\Admin\AppData\Local\Temp\_MEI13962\psutil\_psutil_windows.pyd

MD5 876371b620e310c22df0f7cb1cb28bf3
SHA1 86058ee41d3146610683829a9965fd82d000cf84
SHA256 5ce763af03f2d20859415f1af5f0bc489087e396a196caf0bacef36ceecf529a
SHA512 69b51090bfee360b3af027b4e98c6ac5b4454dbcc189d47f6b9c08938c5a54ee100c8988886fe3505fc809415e23a901937e5f678f73f775ecfc69e9950ce8bc

C:\Users\Admin\AppData\Local\Temp\_MEI13962\tcl86t.dll

MD5 30195aa599dd12ac2567de0815ade5e6
SHA1 aa2597d43c64554156ae7cdb362c284ec19668a7
SHA256 e79443e9413ba9a4442ca7db8ee91a920e61ac2fb55be10a6ab9a9c81f646dbb
SHA512 2373b31d15b39ba950c5dea4505c3eaa2952363d3a9bd7ae84e5ea38245320be8f862dba9e9ad32f6b5a1436b353b3fb07e684b7695724a01b30f5ac7ba56e99

C:\Users\Admin\AppData\Local\Temp\_MEI13962\_ssl.pyd

MD5 620f8f46eed249f7a7881656ad22062d
SHA1 709c772808ff2e894cdf1066c28287e92fc643c5
SHA256 dbceda1c97bfc8f6a0d1d17df6a2d7e1d44c59718cd652e0a5975052b218c590
SHA512 2bc2674603db7e29005b84b5de9cefa98737ebbdab5f5a034856c26099872e6886c8b6a41f2cdb2bb52a84ae1a15ae21b6394e1fe6820ba4fe0c7d88f3b1511a

C:\Users\Admin\AppData\Local\Temp\_MEI13962\libcrypto-1_1.dll

MD5 aad424a6a0ae6d6e7d4c50a1d96a17fc
SHA1 4336017ae32a48315afe1b10ff14d6159c7923bc
SHA256 3a2dba6098e77e36a9d20c647349a478cb0149020f909665d209f548dfa71377
SHA512 aa4b74b7971cb774e4ae847a226cae9d125fadc7cde4f997b7564dff4d71b590dcbc06a7103451b72b2afe3517ab46d3be099c3620c3d591ccbd1839f0e8f94a

C:\Users\Admin\AppData\Local\Temp\_MEI13962\_hashlib.pyd

MD5 fdfa235f58a04d19e1ce923ca0d8ae19
SHA1 4a1178ba7e9a56f8c68dc3391a169222c67237e9
SHA256 7ad484e99ea33e4eea2cbf09203fb9dbd0c2c325b96e6cf2ffd146156c93bf7a
SHA512 0fe187e1019c159c0ee90fbc8eea20e40a28ff05223321d04784e577b60a2c0a3a476fabc71bd81dd08e7a127bb6cb03edf5d604bfdda38516fb2c90148dd118

C:\Users\Admin\AppData\Local\Temp\_MEI13962\charset_normalizer\md__mypyc.cp39-win32.pyd

MD5 fc9ba355e60e727d1e3c78233c692c20
SHA1 05fa45db849cb4873df6717150c566f3642b7d8b
SHA256 52d473bee2cec8c7b207c74421c34faacf04e624c4db139e1c4ad02ea5fb915e
SHA512 6f665ea87a9fe6b62876040650dc537feb9b09ded4d8ece02fb6c26b68f89db1df21d3e1f28a923b4e36c9737ede1e7ade8e0cfc6b6fb550d3da4d091e33c504

C:\Users\Admin\AppData\Local\Temp\_MEI13962\certifi\cacert.pem

MD5 181ac9a809b1a8f1bc39c1c5c777cf2a
SHA1 9341e715cea2e6207329e7034365749fca1f37dc
SHA256 488ba960602bf07cc63f4ef7aec108692fec41820fc3328a8e3f3de038149aee
SHA512 e19a92b94aedcf1282b3ef561bd471ea19ed361334092c55d72425f9183ebd1d30a619e493841b6f75c629f26f28dc682960977941b486c59475f21cf86fff85

C:\Users\Admin\AppData\Local\Temp\_MEI13962\numpy\_core\_multiarray_umath.cp39-win32.pyd

MD5 587c67944f197c2aa28247aad9072084
SHA1 b63e3b063e73b3c4246cb6c88076dc69eac3f135
SHA256 d81fa1f11567159422f45c6dbf3d20cf79f7c58235686de11781c6605e8052f3
SHA512 26b81b2e88cde60cfb2af4757bb33599c4ae9811e6c5f8e84b74a0d886d30143184efbb325d1b369d9da215b23229ef12f9ec6c80e6cb7e6dfc89d20b5ad6e1b

C:\Users\Admin\AppData\Local\Temp\_MEI13962\MSVCP140.dll

MD5 c766ca0482dfe588576074b9ed467e38
SHA1 5ac975ccce81399218ab0dd27a3effc5b702005e
SHA256 85aa8c8ab4cbf1ff9ae5c7bde1bf6da2e18a570e36e2d870b88536b8658c5ba8
SHA512 ee36bc949d627b06f11725117d568f9cf1a4d345a939d9b4c46040e96c84159fa741637ef3d73ed2d01df988de59a573c3574308731402eb52bae2329d7bddac

C:\Users\Admin\AppData\Local\Temp\_MEI13962\charset_normalizer\md.cp39-win32.pyd

MD5 f84cc2e3ec261ebdb7ef28c58208c3ef
SHA1 de084eb05c747b393e4100abae3cb10fef81373f
SHA256 dab2ea82d0b35fd18e9f5369dab9ba24d72f3befb65408e001eecac7b68d1948
SHA512 d90fe6abe254d629f3413c6001084ab635b4f9c15e6e8a4d62080436f9e9b9336de3649ad12536994c5be909330dde865196e71546469b9cdcf3373f99f039c8

C:\Users\Admin\AppData\Local\Temp\_MEI13962\unicodedata.pyd

MD5 bd51c8fbb9bfc437e19cb19042bfeae8
SHA1 8e537acb5a5f421ae4290681ed7d295ac8e86ca2
SHA256 1ccf9fa395e963daf8aba5a2acd68c5b13ee04b6b689a601652bcf04e7f25f8a
SHA512 6dd7041ee42dc2f67eef5efb0eb519dfc79cb19293693d9fb6e60e4cff374e3f955f7e09c8d9526fb5e1a3014875bd09a712d397a7068ac0900c6f8b754d8e6d

C:\Users\Admin\AppData\Local\Temp\_MEI13962\_queue.pyd

MD5 9cddd43f5b53ab8993e46b24b68d8424
SHA1 7327ed8baf41f86d122137c511656f98d99ff990
SHA256 fa262ab8fb1caf23abf125e1b9d69c78727be3d8274e13ebe83e71f1058406d3
SHA512 9661968a986af5495bb3632e0a658885933ed733d64785627597456a5cef9521359a078f64af78464675698aff8f4b3cf844a56a8adbe4d69d4abe8fba3ca542

C:\Users\Admin\AppData\Local\Temp\_MEI13962\libssl-1_1.dll

MD5 697766aba55f44bbd896cbd091a72b55
SHA1 d36492be46ea63ce784e4c1b0103ba21214a76fb
SHA256 44a228b3646eb3575abd5cbcb079e018de11ca6b838a29e4391893de69e0cf4b
SHA512 206957347540f1356d805bf4a2d062927e190481aadc105c3012e69623149850a846503fca30fc38298f74d7f8f69761fddd0aa7f5e31fedb1fa5e5c9de56e9d

C:\Users\Admin\AppData\Local\Temp\_MEI13962\tcl\encoding\cp1252.enc

MD5 5900f51fd8b5ff75e65594eb7dd50533
SHA1 2e21300e0bc8a847d0423671b08d3c65761ee172
SHA256 14df3ae30e81e7620be6bbb7a9e42083af1ae04d94cf1203565f8a3c0542ace0
SHA512 ea0455ff4cd5c0d4afb5e79b671565c2aede2857d534e1371f0c10c299c74cb4ad113d56025f58b8ae9e88e2862f0864a4836fed236f5730360b2223fde479dc

C:\Users\Admin\AppData\Local\Temp\_MEI13962\tk86t.dll

MD5 6cadec733f5be72697d7112860a0905b
SHA1 6a6beeef3b1bb7c85c63f4a3410e673fce73f50d
SHA256 19f70dc79994e46d3e1ef6be352f5933866de5736d761faa8839204136916b3f
SHA512 e6b3e52968c79d4bd700652c1f2ebd0366b492fcda4e05fc8b198791d1169b20f89b85ec69cefa7e099d06a78bf77ff9c3274905667f0c94071f47bafad46d79

C:\Users\Admin\AppData\Local\Temp\_MEI13962\_tkinter.pyd

MD5 a475634789bb1284d75e55870462a74a
SHA1 af7bfe3ffeef7479549831c5cd0de487151a6c5f
SHA256 725a13950969db01ad20af1f36eb28d6011a2feb31bd8c112b6bed2d025bc761
SHA512 9ca2f331d9ca22732ab0cf12a42d1b221f5daf01b5a83c43a4ba0b48798289d52428ab17cdedfde9eb2daf5f12304fe28e2c4d2306399b7fa562acdc74487a19

C:\Users\Admin\AppData\Local\Temp\_MEI13962\pywin32_system32\pywintypes39.dll

MD5 50e4d0a4043f786f19d917f67c112d83
SHA1 cc88626016bd4facee38ed9adcd7cf1148cb0407
SHA256 98318db0bfaf550d99c9c122b47a97b1dcd2f6cb6eb59730cba0efb49f34af9c
SHA512 c340299da911a2e8d7401853c2442b6380590b7f9f02c31debd666af35797872eab4bfbfa77cfdd1f1c491c3419bc21ccad5dceabfd6600cf4a72e23e28893d1

C:\Users\Admin\AppData\Local\Temp\_MEI13962\pyexpat.pyd

MD5 3e43bcc2897f193512990e9e9024111b
SHA1 11dec8c9a1c4b45de9c980125eaef462038c1f2a
SHA256 0d8ac2a2b81176a06b0fb8663702428d2cdd5bedeab68b04210bf5cb6b49a475
SHA512 e629f23a9ad1274b57a47b170e598e47f28984dc2aaf4985ded9b217f4288222190eabe5a9fd4b11fa3eadb42040d8a532090544bf46be288b7310966d126aac

C:\Users\Admin\AppData\Local\Temp\_MEI13962\_uuid.pyd

MD5 8f3020f3fc4ab65c2cf9191f38749d26
SHA1 61838e10f152fa7d1632fddf7646de4c669e9036
SHA256 f12a7102bcbb9ca5f57d13474f8da916ad42a9a4d8c8b22be24ee3b6916f54e3
SHA512 8113095d7e344bb163a7759e059db97671636a57fe008d2eb64aded4fe3d7c44403941ac36a520c17bf8cd9a8aab8d8324e138014249b23fad03b10140d7b8e1

C:\Users\Admin\AppData\Local\Temp\_MEI13962\_overlapped.pyd

MD5 6ad0656b55a9a4d0544d295b8b54a5e5
SHA1 5b0ba4d95bb325aef33971ebceee0d86fee80df0
SHA256 dcf4ebaacf2fa99d9310bf21e1f18eb7fb6f4d02f7731b3542403ecab9748ac6
SHA512 86ad66151556a9ff882befb8c2fd2e51e846078b3e3b34b1e7bf5e5e43f74bee62e111b0c79f6a0580dc6e27b37d7f26aec91bc6240687e7fd8a70b9601f8b0e

C:\Users\Admin\AppData\Local\Temp\_MEI13962\_multiprocessing.pyd

MD5 d165a01fe4f19ba9cb74b9aff5c79d80
SHA1 f78083226d6b37c7c3ecca55a0ab8f2227b5f6ef
SHA256 f87547427b693640e45b8fc51a2efbaca75e6f915e5516f8ea81ebe010e0f89d
SHA512 efa96cee1721ba2f374d31766d720f8bccd34fdec206849cb9ddcf1b149f0a6068ef23aecfa8e2a092d08f3b7db46c0e3e1cf2d891a999265110404f934ce226

C:\Users\Admin\AppData\Local\Temp\_MEI13962\_decimal.pyd

MD5 680d0a29b8ad9cdb2ddd8d6b59e2fecd
SHA1 8ec37f37622d29d3025bc6007dfb11ff3ec31a07
SHA256 21034f441ffdea24ad10dbbce5ba440c2135bb809695dfbeb2d860325135bc61
SHA512 f2a96fb98f2c4ec544b3bc0d289139ecc08b8e53140380d8cfda335d367f6465a7557161a8ca18944d11b2b1fd3a1d1eaaa27ed8c003b0b0b57c5c960846b47b

C:\Users\Admin\AppData\Local\Temp\_MEI13962\_cffi_backend.cp39-win32.pyd

MD5 296843bbbd173d0880fe441c88ad0f95
SHA1 f9e9323edb85f58ae1f75f1d83781de02889c4e6
SHA256 c08f2ba9bdbb6c958de74d05682a1d6eb513ed129cc795100b22a0cb7d815a8b
SHA512 c79b45e387539145b964af06cae27aa1087bf7c99ec82466b38daa02f5155c5d9d156c7dc0502f9c7b45441e8ca32d42956ed19e70e60393bbdd4b128ea4c21e

C:\Users\Admin\AppData\Local\Temp\_MEI13962\_asyncio.pyd

MD5 87ec92f3a05fe07a087d5137d218386f
SHA1 840b88107ac72c5752c6db422a54fa3459f5a3b6
SHA256 c60416af400ee4a75b957de9c19f1e50af7287c89bbe0b3d6a3f0c0829daaf4a
SHA512 a0c1501bd19759ffd471edc5b92f48a7d3b69ec9e257e03f74f5ce574776c6d927c58a1f6460455ed096c0e538a673528a16723dfda6303fe831e2ca672bb1ef

C:\Users\Admin\AppData\Local\Temp\_MEI13962\libffi-7.dll

MD5 bc20614744ebf4c2b8acd28d1fe54174
SHA1 665c0acc404e13a69800fae94efd69a41bdda901
SHA256 0c7ec6de19c246a23756b8550e6178ac2394b1093e96d0f43789124149486f57
SHA512 0c473e7070c72d85ae098d208b8d128b50574abebba874dda2a7408aea2aabc6c4b9018801416670af91548c471b7dd5a709a7b17e3358b053c37433665d3f6b

C:\Users\Admin\AppData\Local\Temp\_MEI13962\_ctypes.pyd

MD5 aff88d04f5d45e739902084fce6da88a
SHA1 6ce6a89611069deaa7c74fa4fa86882dc21b5801
SHA256 34371eb9b24ba67ce6803d965cf5f0fe88ef4762af648ec2183e5bf21835d876
SHA512 8dd8f90ae1cc0fbc76f0039bc12e1aee7b2718017f4f9b09361001bed7b278b84f20d0fffceda4d5edd8744140cfdf1ca52497645d0480f5d42934f7df9808ba

C:\Users\Admin\AppData\Local\Temp\_MEI13962\python3.dll

MD5 dd07013785e2bb606293fc3ec6467fcf
SHA1 400a7f393708ccccc44e6348e88af0689afabb45
SHA256 34da45b57baec57d1193901d24e9dc9dd23eeccd0776b016072b311df1ff8379
SHA512 c06a280f89b172f91973954bb461fca1cfb6b0d0c654afe94ae1f801ff18abde36a436959979e98f41ca9dcaec2846f81279aab8701b7941f141367c2a080268

C:\Users\Admin\AppData\Local\Temp\_MEI13962\base_library.zip

MD5 c1b3b5cf32b9a0505be9af7bd59f410b
SHA1 2774e124e9dfe88597ecd98b64d5a905a44fda56
SHA256 15c4c5b53589aee564d00496ed3a88d21d5cd82f16324b258e9caaa34e3056e5
SHA512 5f36d50c5eb378cf53f1662bd552e5609459463cd90a1733bace113cd14c3b5bddb76f111e84d4c2a101f730add6bed0071cd375d6b094d3024d2feaa255db64

C:\Users\Admin\AppData\Local\Temp\_MEI13962\VCRUNTIME140.dll

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jjhaz3il.0jk.ps1

C:\Temp\end_time.pkl

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-19 20:19

Reported

2024-10-19 20:22

Platform

win7-20240903-en

Max time kernel

121s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\decc924c5d9724166e627622abfe52636a28c89253307aa88966c70b77a3e1a6.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\decc924c5d9724166e627622abfe52636a28c89253307aa88966c70b77a3e1a6.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\decc924c5d9724166e627622abfe52636a28c89253307aa88966c70b77a3e1a6.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\decc924c5d9724166e627622abfe52636a28c89253307aa88966c70b77a3e1a6.exe

"C:\Users\Admin\AppData\Local\Temp\decc924c5d9724166e627622abfe52636a28c89253307aa88966c70b77a3e1a6.exe"

C:\Users\Admin\AppData\Local\Temp\decc924c5d9724166e627622abfe52636a28c89253307aa88966c70b77a3e1a6.exe

"C:\Users\Admin\AppData\Local\Temp\decc924c5d9724166e627622abfe52636a28c89253307aa88966c70b77a3e1a6.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\_MEI22362\wheel-0.43.0.dist-info\INSTALLER

C:\Users\Admin\AppData\Local\Temp\_MEI22362\python39.dll
