Malware Analysis Report

2025-05-05 21:53

Sample ID 250419-dapxhsssgx
Target 2025-04-19_74745a68d5842de1a425f2d4b4c633df_black-basta_elex
SHA256 aa4e772b706e39b6675bda9d19f7fdf6218c96c3a52552eb7db79987552b756b
Tags
pyinstaller mercurialgrabber discovery spyware stealer
score
10/10

Analysis Overview

score
10/10

SHA256

aa4e772b706e39b6675bda9d19f7fdf6218c96c3a52552eb7db79987552b756b

Threat Level: Known bad

The file 2025-04-19_74745a68d5842de1a425f2d4b4c633df_black-basta_elex was found to be: Known bad.

Malicious Activity Summary

pyinstaller mercurialgrabber discovery spyware stealer

Mercurial Grabber Stealer

Mercurialgrabber family

Checks computer location settings

Reads user/profile data of web browsers

Executes dropped EXE

Loads dropped DLL

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Unsigned PE

Enumerates physical storage devices

Detects Pyinstaller

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-04-19 02:48

Signatures

Mercurialgrabber family

mercurialgrabber

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-04-19 02:48

Reported

2025-04-19 02:51

Platform

win10v2004-20250314-en

Max time kernel

104s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-04-19_74745a68d5842de1a425f2d4b4c633df_black-basta_elex.exe"

Signatures

Mercurial Grabber Stealer

stealer mercurialgrabber

Mercurialgrabber family

mercurialgrabber

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2025-04-19_74745a68d5842de1a425f2d4b4c633df_black-basta_elex.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\FB_60ED.tmp.exe N/A

Reads user/profile data of web browsers

spyware stealer

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip4.seeip.org N/A N/A
N/A ip-api.com N/A N/A

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-04-19_74745a68d5842de1a425f2d4b4c633df_black-basta_elex.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\FB_5F27.tmp.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\FB_5F27.tmp.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\FB_5F27.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5520 wrote to memory of 6008 N/A C:\Users\Admin\AppData\Local\Temp\2025-04-19_74745a68d5842de1a425f2d4b4c633df_black-basta_elex.exe C:\Users\Admin\AppData\Local\Temp\FB_5F27.tmp.exe
PID 5520 wrote to memory of 3360 N/A C:\Users\Admin\AppData\Local\Temp\2025-04-19_74745a68d5842de1a425f2d4b4c633df_black-basta_elex.exe C:\Users\Admin\AppData\Local\Temp\FB_60ED.tmp.exe
PID 3360 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\FB_60ED.tmp.exe C:\Users\Admin\AppData\Local\Temp\FB_60ED.tmp.exe
PID 848 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\FB_60ED.tmp.exe C:\Windows\system32\cmd.exe
PID 848 wrote to memory of 3556 N/A C:\Users\Admin\AppData\Local\Temp\FB_60ED.tmp.exe C:\Windows\system32\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2025-04-19_74745a68d5842de1a425f2d4b4c633df_black-basta_elex.exe

"C:\Users\Admin\AppData\Local\Temp\2025-04-19_74745a68d5842de1a425f2d4b4c633df_black-basta_elex.exe"

C:\Users\Admin\AppData\Local\Temp\FB_5F27.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\FB_5F27.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\FB_60ED.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\FB_60ED.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\FB_60ED.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\FB_60ED.tmp.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "ver"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip4.seeip.org udp
US 23.128.64.141:443 ip4.seeip.org tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 discord.com udp
US 162.159.135.232:443 discord.com tcp
US 162.159.135.232:443 discord.com tcp
US 8.8.8.8:53 c.pki.goog udp
NL 173.194.69.94:80 c.pki.goog tcp

Files


Analysis: behavioral2

Detonation Overview

Submitted

2025-04-19 02:48

Reported

2025-04-19 02:51

Platform

win11-20250410-en

Max time kernel

99s

Max time network

105s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-04-19_74745a68d5842de1a425f2d4b4c633df_black-basta_elex.exe"

Signatures

Mercurial Grabber Stealer

stealer mercurialgrabber

Mercurialgrabber family

mercurialgrabber

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\FB_9E25.tmp.exe N/A

Reads user/profile data of web browsers

spyware stealer

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A
N/A ip4.seeip.org N/A N/A

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-04-19_74745a68d5842de1a425f2d4b4c633df_black-basta_elex.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\FB_9CAD.tmp.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\FB_9CAD.tmp.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\FB_9CAD.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4028 wrote to memory of 5840 N/A C:\Users\Admin\AppData\Local\Temp\2025-04-19_74745a68d5842de1a425f2d4b4c633df_black-basta_elex.exe C:\Users\Admin\AppData\Local\Temp\FB_9CAD.tmp.exe
PID 4028 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\2025-04-19_74745a68d5842de1a425f2d4b4c633df_black-basta_elex.exe C:\Users\Admin\AppData\Local\Temp\FB_9E25.tmp.exe
PID 2536 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\FB_9E25.tmp.exe C:\Users\Admin\AppData\Local\Temp\FB_9E25.tmp.exe
PID 2000 wrote to memory of 5072 N/A C:\Users\Admin\AppData\Local\Temp\FB_9E25.tmp.exe C:\Windows\system32\cmd.exe
PID 2000 wrote to memory of 4816 N/A C:\Users\Admin\AppData\Local\Temp\FB_9E25.tmp.exe C:\Windows\system32\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2025-04-19_74745a68d5842de1a425f2d4b4c633df_black-basta_elex.exe

"C:\Users\Admin\AppData\Local\Temp\2025-04-19_74745a68d5842de1a425f2d4b4c633df_black-basta_elex.exe"

C:\Users\Admin\AppData\Local\Temp\FB_9CAD.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\FB_9CAD.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\FB_9E25.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\FB_9E25.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\FB_9E25.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\FB_9E25.tmp.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "ver"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip4.seeip.org udp
US 23.128.64.141:443 ip4.seeip.org tcp
US 208.95.112.1:80 ip-api.com tcp
US 162.159.137.232:443 discord.com tcp
US 162.159.137.232:443 discord.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\FB_9CAD.tmp.exe

MD5 7a30cb97048660dce94b1556d82b2df1
SHA1 5eeb39457c93c7332b7fd238e301d26b601fc3bd
SHA256 c492cc3907eb62582e30b0b45dee68b6efdc52f0dc0df4b9fc55da18901fa7f9
SHA512 6ea1d4b6fe819dcb1ba5d676a67cddb5b7498772ba7027355f5ec837a301fb1737535a6e4e08ce4f70cdf6ff3ef9a80fbd07ea5705bc5211054f79ca1df2b7c4

memory/5840-14-0x00007FF9B92F3000-0x00007FF9B92F5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FB_9E25.tmp.exe

MD5 cea77c76938d443b37b3372d36af6cd1
SHA1 20d7fd6c87087f1459471d564b8bf398ce210359
SHA256 3cd434f1d12a2d5da1efb1b15a5ff896aced3e1ca9d94605933696585d25b1af
SHA512 4a6d9f2a20588da2e1bd2d446e624f3c82dd73e33cbbe54820fcdc457a77b35d3753b95bc1d1909024bfb69b9623e6ffe61ab76b2c45922b73c805ec3cda78cb

memory/5840-17-0x0000000000810000-0x0000000000820000-memory.dmp

memory/5840-18-0x00007FF9B92F0000-0x00007FF9B9DB2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI25362\python311.dll

MD5 d06da79bfd21bb355dc3e20e17d3776c
SHA1 610712e77f80d2507ffe85129bfeb1ff72fa38bf
SHA256 2835e0f24fb13ef019608b13817f3acf8735fbc5f786d00501c4a151226bdff1
SHA512 e4dd839c18c95b847b813ffd0ca81823048d9b427e5dcf05f4fbe0d77b8f7c8a4bd1c67c106402cd1975bc20a8ec1406a38ad4764ab466ef03cb7eb1f431c38a

C:\Users\Admin\AppData\Local\Temp\_MEI25362\VCRUNTIME140.dll

MD5 be8dbe2dc77ebe7f88f910c61aec691a
SHA1 a19f08bb2b1c1de5bb61daf9f2304531321e0e40
SHA256 4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83
SHA512 0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

C:\Users\Admin\AppData\Local\Temp\_MEI25362\base_library.zip

MD5 842d8d9e0cabf825bf7ba04a0d6f4d0c
SHA1 7df7e7dbc17f5ac8057ff3af81e6ad7762c13bd8
SHA256 01b8cef75f9df12e1b0efc967704f1f48d524fc52ef393a73f4d62b0d6b59cf1
SHA512 a9181483ff26ba518bdaa27be2561dcfa4672b64b6a9b1677102844b9cc0790845d673d8a9f128586258c4d3bfdcb1c1e91ad877848b08c787d848373d9e85a7

C:\Users\Admin\AppData\Local\Temp\_MEI25362\python3.DLL

MD5 35da4143951c5354262a28dee569b7b2
SHA1 b07cb6b28c08c012eecb9fd7d74040163cdf4e0e
SHA256 920350a7c24c46339754e38d0db34ab558e891da0b3a389d5230a0d379bee802
SHA512 2976667732f9ee797b7049d86fd9beeb05409adb7b89e3f5b1c875c72a4076cf65c762632b7230d7f581c052fce65bb91c1614c9e3a52a738051c3bc3d167a23

C:\Users\Admin\AppData\Local\Temp\_MEI25362\libffi-8.dll

MD5 0f8e4992ca92baaf54cc0b43aaccce21
SHA1 c7300975df267b1d6adcbac0ac93fd7b1ab49bd2
SHA256 eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a
SHA512 6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

C:\Users\Admin\AppData\Local\Temp\_MEI25362\_ctypes.pyd

MD5 a25cdcf630c024047a47a53728dc87cd
SHA1 8555ae488e0226a272fd7db9f9bdbb7853e61a21
SHA256 3d43869a4507ed8ece285ae85782d83bb16328cf636170acb895c227ebb142ac
SHA512 f6a4272deddc5c5c033a06e80941a16f688e28179eab3dbc4f7a9085ea4ad6998b89fc9ac501c5bf6fea87e0ba1d9f2eda819ad183b6fa7b6ddf1e91366c12af

C:\Users\Admin\AppData\Local\Temp\_MEI25362\_bz2.pyd

MD5 37eace4b806b32f829de08db3803b707
SHA1 8a4e2bb2d04685856d1de95b00f3ffc6ea1e76b9
SHA256 1be51ef2b5acbe490217aa1ff12618d24b95df6136c6844714b9ca997b4c7f9b
SHA512 1591a263de16373ee84594943a0993721b1e1a2f56140d348a646347a8e9760930df4f632adcee9c9870f9c20d7818a3a8c61b956723bf94777e0b7fb7689b2d

C:\Users\Admin\AppData\Local\Temp\_MEI25362\_lzma.pyd

MD5 3273720ddf2c5b75b072a1fb13476751
SHA1 5fe0a4f98e471eb801a57b8c987f0feb1781ca8b
SHA256 663f1087c2ed664c5995a3ffa64546d2e33a0fce8a9121b48cc7c056b74a2948
SHA512 919dbbfcc2f5913655d77f6c4ae9baa3a300153a5821dc9f23e0aceb89f69cb9fb86d6ce8f367b9301e0f7b6027e6b2f0911a2e73255ab5150a74b862f8af18e

C:\Users\Admin\AppData\Local\Temp\_MEI25362\_uuid.pyd

MD5 b21b864e357ccd72f35f2814bd1e6012
SHA1 2ff0740c26137c6a81b96099c1f5209db33ac56a
SHA256 ce9e2a30c20e6b83446d9ba83bb83c5570e1b1da0e87ff467d1b4fc090da6c53
SHA512 29667eb0e070063ef28b7f8cc39225136065340ae358ad0136802770b2f48ac4bda5e60f2e2083f588859b7429b9ea3bad1596a380601e3b2b4bb74791df92a3

C:\Users\Admin\AppData\Local\Temp\_MEI25362\_ssl.pyd

MD5 e5b1a076e9828985ea8ea07d22c6abd0
SHA1 2a2827938a490cd847ea4e67e945deb4eef8cbb1
SHA256 591589dadc659d1ad4856d16cd25dc8e57eaa085bf68eb2929f8f93aba69db1b
SHA512 0afd20f581efb08a7943a1984e469f1587c96252e44b3a05ca3dfb6c7b8b9d1b9fd609e03a292de6ec63b6373aeacc822e30d550b2f2d35bf7bf8dd6fc11f54f

C:\Users\Admin\AppData\Local\Temp\_MEI25362\_socket.pyd

MD5 485d998a2de412206f04fa028fe6ba90
SHA1 286e29d4f91a46171ba1e3c8229e6de94b499f1d
SHA256 8f9ede5044643413c3b072cd31a565956498ca07cdd17fb6a04483d388fdad76
SHA512 68591522e9188f06ff81cd2b3506b40b9ad508d6e34f0111819bf5eff47ed9adf95ebfae5d05b685c4f53b186d15cc45e0d831d96be926f7a5762ee2f1341f1f

C:\Users\Admin\AppData\Local\Temp\_MEI25362\_queue.pyd

MD5 284fbc1b32f0282fc968045b922a4ee2
SHA1 7ccea7a48084f2c8463ba30ddae8af771538ae82
SHA256 ac3b144d7d7c8ee39f29d8749c5a35c4314b5365198821605c883fd11807e766
SHA512 baa75f7553cf595ad78c84cbb0f2a50917c93596ece1ff6221e64272adc6facdd8376e00918c6c3246451211d9dfc66442d31759bd52c26985c7f133cf011065

C:\Users\Admin\AppData\Local\Temp\_MEI25362\_overlapped.pyd

MD5 e2a301b3fd3bdfec3bf6ca006189b2ac
SHA1 86b29ee1a42de70135a6786cdce69987f1f61193
SHA256 4990f62e11c0a5ab15a9ffce9d054f06d0bc9213aea0c2a414a54fa01a5eb6dc
SHA512 4e5493cc4061be923b253164fd785685d5eccf16fd3acb246b9d840f6f7d9ed53555f53725af7956157d89eaa248a3505c30bd88c26e04aabdae62e4774ffa4e

C:\Users\Admin\AppData\Local\Temp\_MEI25362\_multiprocessing.pyd

MD5 758128e09779a4baa28e68a8b9ee2476
SHA1 4e81c682cf18e2a4b46e50f037799c43c6075f11
SHA256 3c5b0823e30810aee47fdfad567491bc33dd640c37e35c8600e75c5a8d05ce2a
SHA512 5096f0daacf72012a7ad08b177c366b4fe1ded3a18aebfe438820b79c7cb735350ef831a7fb7d10482eefd4c0b8a41511042bb41f4507bbc0332c52df9288088

C:\Users\Admin\AppData\Local\Temp\_MEI25362\_hashlib.pyd

MD5 ba682dfcdd600a4bb43a51a0d696a64c
SHA1 df85ad909e9641f8fcaa0f8f5622c88d904e9e20
SHA256 2ad55e11bddb5b65cdf6e9e126d82a3b64551f7ad9d4cbf74a1058fd7e5993bd
SHA512 79c607e58881d3c3dfb83886fe7aa4cddb5221c50499d33fe21e1efb0ffa1fd0d3f52cbe97b16b04fbe2b067d6eb5997ac66dec9d2a160d3cb6d44ffca0f5636

C:\Users\Admin\AppData\Local\Temp\_MEI25362\_decimal.pyd

MD5 e4e032221aca4033f9d730f19dc3b21a
SHA1 584a3b4bc26a323ce268a64aad90c746731f9a48
SHA256 23bdd07b84d2dbcb077624d6dcbfc66ab13a9ef5f9eebe31dc0ffece21b9e50c
SHA512 4a350ba9e8481b66e7047c9e6c68e6729f8074a29ef803ed8452c04d6d61f8f70300d5788c4c3164b0c8fb63e7c9715236c0952c3166b606e1c7d7fff36b7c4c

C:\Users\Admin\AppData\Local\Temp\_MEI25362\_cffi_backend.cp311-win_amd64.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI25362\_asyncio.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI25362\select.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI25362\VCRUNTIME140_1.dll

C:\Users\Admin\AppData\Local\Temp\_MEI25362\unicodedata.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI25362\pyexpat.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI25362\pywin32_system32\pywintypes311.dll

C:\Users\Admin\AppData\Local\Temp\_MEI25362\libssl-3.dll

C:\Users\Admin\AppData\Local\Temp\_MEI25362\libcrypto-3.dll

C:\Users\Admin\AppData\Local\Temp\_MEI25362\pywin32_system32\pythoncom311.dll

C:\Users\Admin\AppData\Local\Temp\_MEI25362\win32\win32api.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI25362\charset_normalizer\md.cp311-win_amd64.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI25362\charset_normalizer\md__mypyc.cp311-win_amd64.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI25362\certifi\cacert.pem

memory/5840-142-0x00007FF9B92F3000-0x00007FF9B92F5000-memory.dmp

memory/5840-143-0x00007FF9B92F0000-0x00007FF9B9DB2000-memory.dmp

memory/5840-147-0x00007FF9B92F0000-0x00007FF9B9DB2000-memory.dmp