Analysis Overview
SHA256
ff8000b2008b1c63d3d1395db9e496d96efd845e15d8a664214174459edc1577
Threat Level: Likely malicious
The file BestXineMenu.exe was found to be: Likely malicious.
Malicious Activity Summary
Disables Task Manager via registry modification
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Loads dropped DLL
Legitimate hosting services abused for malware hosting/C2
Accesses cryptocurrency files/wallets, possible credential harvesting
Looks up external IP address via web service
Command and Scripting Interpreter: PowerShell
Detects Pyinstaller
Browser Information Discovery
Unsigned PE
Suspicious use of SetWindowsHookEx
Modifies data under HKEY_USERS
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V16
Analysis: static1
Detonation Overview
Reported
2025-07-04 18:11
Signatures
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2025-07-04 18:10
Reported
2025-07-04 18:11
Platform
win11-20250619-en
Max time kernel
28s
Max time network
33s
Command Line
Signatures
Disables Task Manager via registry modification
Loads dropped DLL
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Accesses cryptocurrency files/wallets, possible credential harvesting
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | api.gofile.io | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | api.gofile.io | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Browser Information Discovery
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00 | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "89" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432" | C:\Windows\system32\LogonUI.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-625765727-1271952295-745797415-1000\{F327609A-6BC3-486D-A777-4742BBFDD839} | C:\Users\Admin\AppData\Local\Temp\BestXineMenu.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\PickerHost.exe | N/A |
| N/A | N/A | C:\Windows\system32\LogonUI.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\BestXineMenu.exe
"C:\Users\Admin\AppData\Local\Temp\BestXineMenu.exe"
C:\Users\Admin\AppData\Local\Temp\BestXineMenu.exe
"C:\Users\Admin\AppData\Local\Temp\BestXineMenu.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "(Get-WmiObject -Class Win32_ComputerSystemProduct).UUID"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "(Get-WmiObject -Class Win32_BIOS).SerialNumber"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "(Get-WmiObject -Class Win32_BaseBoard).SerialNumber"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "(Get-WmiObject -Class Win32_Processor).ProcessorId"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "(Get-WmiObject -Class Win32_BIOS).OEMStringArray"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "(Get-WmiObject -Class Win32_SystemEnclosure).SMBIOSAssetTag"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c shutdown /s /t 15
C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
C:\Windows\system32\shutdown.exe
shutdown /s /t 15
C:\Windows\System32\PickerHost.exe
C:\Windows\System32\PickerHost.exe -Embedding
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3a1b055 /state1:0x41c64e6d
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 104.26.12.205:443 | api.ipify.org | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| FR | 51.75.242.210:443 | api.gofile.io | tcp |
| FR | 31.14.70.245:443 | store4.gofile.io | tcp |
| US | 162.159.128.233:443 | discord.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\_MEI13882\setuptools\_vendor\importlib_metadata-8.0.0.dist-info\INSTALLER
| MD5 | 365c9bfeb7d89244f2ce01c1de44cb85 |
| SHA1 | d7a03141d5d6b1e88b6b59ef08b6681df212c599 |
| SHA256 | ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508 |
| SHA512 | d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1 |
C:\Users\Admin\AppData\Local\Temp\_MEI13882\python313.dll
| MD5 | 7387fe038ea75eb9a57b054fccfe37bf |
| SHA1 | 5c532cbdfd718b5e80afb2ee8dea991e84757712 |
| SHA256 | 69fd86ea29370697c203f7e12830084f920f490766a8e3045af52c036a9ad529 |
| SHA512 | c46c982b04079ed0b13617b81168598632d6c58d29e23fcbfa064b08e5836866b74880e1a9c01c12670531f13521a21177aafb10be0abb329a79291d7bff08bd |
C:\Users\Admin\AppData\Local\Temp\_MEI13882\VCRUNTIME140.dll
| MD5 | 32da96115c9d783a0769312c0482a62d |
| SHA1 | 2ea840a5faa87a2fe8d7e5cb4367f2418077d66b |
| SHA256 | 052ad6a20d375957e82aa6a3c441ea548d89be0981516ca7eb306e063d5027f4 |
| SHA512 | 616c78b4a24761d4640ae2377b873f7779322ef7bc26f8de7da0d880b227c577ed6f5ed794fc733468477b2fcdb7916def250e5dc63e79257616f99768419087 |
C:\Users\Admin\AppData\Local\Temp\_MEI13882\python3.dll
| MD5 | d6dfb6a9518a57e180980f7a07098d7d |
| SHA1 | 6026120461f5cbcd9255670b6a906fd8f5329073 |
| SHA256 | fdd54b6c495e9278e73d68203fff0c300e416e704852908cf5b06666cffead51 |
| SHA512 | 2a0195a5038d7530b64a506a70de3a6b9cb64ca9206006e03f726b4420304e3a76c10fdda12c8a51f4dbd63e7112fd7e7727a4ab94e7a111587e4248a6b26a62 |
C:\Users\Admin\AppData\Local\Temp\_MEI13882\base_library.zip
| MD5 | f2ea5aa1dfd6f0ec3c62b32623a14bac |
| SHA1 | bbc603e925c1f071661c81ae85124a8a220df1eb |
| SHA256 | 042acda399bb72a87dc7d37ce63d04470f6cb7d561e1f539f3be09fc9dd772ac |
| SHA512 | cd371cb282f9be0cadfec1d317c6e9d7720844d84ecb6254ab62e0b42df438b8e264bc4929f2b45fa8784a08378861cf7b81566c3f4061056d4de58ac39efccf |
C:\Users\Admin\AppData\Local\Temp\_MEI13882\_ctypes.pyd
| MD5 | 29873384e13b0a78ee9857604161514b |
| SHA1 | 110f60f74b06b3972acd5908937a40e078636479 |
| SHA256 | 5c0d5082fba1a2a3eb8d5e23073be25164c19f21304b09cecaab340dc7198815 |
| SHA512 | ca826ff5403700e6d8822634e364e43b14ef829095d8fe365b49731236f696fe86ffa3853cd1801dc3b7800d005a032fe23bbc25befe3952ef37790d56dee3c5 |
C:\Users\Admin\AppData\Local\Temp\_MEI13882\libffi-8.dll
| MD5 | 0f8e4992ca92baaf54cc0b43aaccce21 |
| SHA1 | c7300975df267b1d6adcbac0ac93fd7b1ab49bd2 |
| SHA256 | eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a |
| SHA512 | 6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978 |
C:\Users\Admin\AppData\Local\Temp\_MEI13882\_bz2.pyd
| MD5 | 684d656aada9f7d74f5a5bdcf16d0edb |
| SHA1 | f7586da90d101b5ee3fa24f131ee93ab89606919 |
| SHA256 | 449058efc99fccb9e24d640084d845c78f3f86dd34c5c126cf69e523d6320d75 |
| SHA512 | 27fb2eca382675316fb96d18a1aa6b2792077481bf899cbcc658d71f787876045c05c98abf129c9670b6a1d2654d57f59e17580139fa7f482ec27234e44d4235 |
C:\Users\Admin\AppData\Local\Temp\_MEI13882\_lzma.pyd
| MD5 | d63e2e743ea103626d33b3c1d882f419 |
| SHA1 | af8a162b43f99b943d1c87c9a9e8088816263373 |
| SHA256 | 48f16b587c6faa44a9e073365b19599200b0f0a0ccb70121e76c2dac4ed53281 |
| SHA512 | d3f1450b5def3c21f47c5133073e76d2ec05787eb6ae88bb70d3a34be84f6025540ac017e9415bb22ef36c2ffbfcea38a28842eefe366325f3d3cf2cca1a3cb1 |
C:\Users\Admin\AppData\Local\Temp\_MEI13882\tk86t.dll
| MD5 | c644577350785b9a8e56c83bc7fe4a5a |
| SHA1 | 5fa4e6ec3b0d156c620971e14da30d1633263cf2 |
| SHA256 | ddc6b69c3897ddf3ea9fdfb4b4a6b9c3a667958d4dbf6b4bbcc50c93eb341370 |
| SHA512 | f96f9fa3673d5cbf1ed64092ef8d2433d47c1d48cb24c9087e5fd796c37a1546a61c8ed6760dc5e6739038e4336077544c522d00dd2c3fcf4f16205b6fc1d3b8 |
C:\Users\Admin\AppData\Local\Temp\_MEI13882\_wmi.pyd
| MD5 | 47e6fd132f44a4feb595bd0fda3c4e1c |
| SHA1 | 37c6c2c1ff309db7273afc9324a37b716c5cbfdb |
| SHA256 | ebd252d21af9c84128fca04c994093a5bd6ee857f1581f06f4026fdd6a2c40e0 |
| SHA512 | 69c031d4ff2dac70739f9c188fca3c6969304f22782adf5a9c0ca303a3a712630541bda888ef25d3252b46d43df56f6e7e03c83d331840088c4224d1a1a512c4 |
C:\Users\Admin\AppData\Local\Temp\_MEI13882\_socket.pyd
| MD5 | 566cb4d39b700c19dbd7175bd4f2b649 |
| SHA1 | bede896259b6d52d538c2182aef87c334fc9c73c |
| SHA256 | bced17d6f081d81ea7cd92f1e071e38f8840e61ee0fe1524221b776bcfa78650 |
| SHA512 | 6a26fd59e2c2ec34b673ef257a00d5577f52286d78525d05efc8a88760fb575be65c3e94e83396f4978c8734b513afe7f09d3c49474169144f98add406530367 |
C:\Users\Admin\AppData\Local\Temp\_MEI13882\_uuid.pyd
| MD5 | 93730cb349b216114b444cc9e30932ca |
| SHA1 | 689e63330f48877478d428f0e410ac7d69e7150a |
| SHA256 | 17c7856bda73348ca541d01ba4881e4b327b15fb3d2cb90a92ca2bf0e6c4bafe |
| SHA512 | ab312a908256d55cf883e90501dcf88175cc145207d2da4e3cc8470e7fa3afdcfd889f0b5c4488ace6ca3b1f7bba943f2156e839eda80981ff592123c5777c34 |
C:\Users\Admin\AppData\Local\Temp\_MEI13882\PyQt5\Qt5\bin\Qt5Core.dll
| MD5 | 817520432a42efa345b2d97f5c24510e |
| SHA1 | fea7b9c61569d7e76af5effd726b7ff6147961e5 |
| SHA256 | 8d2ff4ce9096ddccc4f4cd62c2e41fc854cfd1b0d6e8d296645a7f5fd4ae565a |
| SHA512 | 8673b26ec5421fce8e23adf720de5690673bb4ce6116cb44ebcc61bbbef12c0ad286dfd675edbed5d8d000efd7609c81aae4533180cf4ec9cd5316e7028f7441 |
C:\Users\Admin\AppData\Local\Temp\_MEI13882\PyQt5\Qt5\bin\VCRUNTIME140_1.dll
| MD5 | 6bc084255a5e9eb8df2bcd75b4cd0777 |
| SHA1 | cf071ad4e512cd934028f005cabe06384a3954b6 |
| SHA256 | 1f0f5f2ce671e0f68cf96176721df0e5e6f527c8ca9cfa98aa875b5a3816d460 |
| SHA512 | b822538494d13bda947655af791fed4daa811f20c4b63a45246c8f3befa3ec37ff1aa79246c89174fe35d76ffb636fa228afa4bda0bd6d2c41d01228b151fd89 |
memory/2188-1254-0x00007FFEB06B0000-0x00007FFEB0913000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI13882\PyQt5\Qt5\bin\MSVCP140_1.dll
| MD5 | 0fe6d52eb94c848fe258dc0ec9ff4c11 |
| SHA1 | 95cc74c64ab80785f3893d61a73b8a958d24da29 |
| SHA256 | 446c48c1224c289bd3080087fe15d6759416d64f4136addf30086abd5415d83f |
| SHA512 | c39a134210e314627b0f2072f4ffc9b2ce060d44d3365d11d8c1fe908b3b9403ebdd6f33e67d556bd052338d0ed3d5f16b54d628e8290fd3a155f55d36019a86 |
C:\Users\Admin\AppData\Local\Temp\_MEI13882\PyQt5\Qt5\bin\MSVCP140.dll
| MD5 | 01b946a2edc5cc166de018dbb754b69c |
| SHA1 | dbe09b7b9ab2d1a61ef63395111d2eb9b04f0a46 |
| SHA256 | 88f55d86b50b0a7e55e71ad2d8f7552146ba26e927230daf2e26ad3a971973c5 |
| SHA512 | 65dc3f32faf30e62dfdecb72775df870af4c3a32a0bf576ed1aaae4b16ac6897b62b19e01dc2bf46f46fbe3f475c061f79cbe987eda583fee1817070779860e5 |
C:\Users\Admin\AppData\Local\Temp\_MEI13882\PyQt5\sip.cp313-win_amd64.pyd
| MD5 | c1ee7b155ad3fc4c7cc29999671ec2b9 |
| SHA1 | 25b7ede05a8c8904ac333a96e1e95766d1d1c5ba |
| SHA256 | e63580748533698abdafaff1210f5bb0247b36ee987d0180076eaaa46245c0d2 |
| SHA512 | 1e8f882403cf944b635049f7f7dbbd68353d62c06320f0aac0cb2cbc84568f6fadf849c447f9e41cc10dd61bd6cbd7cf7eafe516a955f20ce6a09d1992b2ce85 |
C:\Users\Admin\AppData\Local\Temp\_MEI13882\pyexpat.pyd
| MD5 | 4e6de7116d8c1c418080580c9795ac15 |
| SHA1 | ba948a3c17e12f113477639702a82e96298d1938 |
| SHA256 | 554bbc65bfe8c19ba9bbd94f18977a8131109c6a4d64306778bd12250c2c5c56 |
| SHA512 | 853e5cd9f753145cce9dd22f6e6a6e404fec7f0db322d2db4d7b18e9cfc065503ba4fab4adc33cbf7d1c2dc0d884413f73cbc28c290d5a41ce7f3f610dad99bc |
C:\Users\Admin\AppData\Local\Temp\_MEI13882\PyQt5\QtCore.pyd
| MD5 | 678fa1496ffdea3a530fa146dedcdbcc |
| SHA1 | c80d8f1de8ae06ecf5750c83d879d2dcc2d6a4f8 |
| SHA256 | d6e45fd8c3b3f93f52c4d1b6f9e3ee220454a73f80f65f3d70504bd55415ea37 |
| SHA512 | 8d9e3fa49fb42f844d8df241786ea9c0f55e546d373ff07e8c89aac4f3027c62ec1bd0c9c639afeabc034cc39e424b21da55a1609c9f95397a66d5f0d834e88e |
C:\Users\Admin\AppData\Local\Temp\_MEI13882\setuptools\_vendor\jaraco\text\Lorem ipsum.txt
| MD5 | 4ce7501f6608f6ce4011d627979e1ae4 |
| SHA1 | 78363672264d9cd3f72d5c1d3665e1657b1a5071 |
| SHA256 | 37fedcffbf73c4eb9f058f47677cb33203a436ff9390e4d38a8e01c9dad28e0b |
| SHA512 | a4cdf92725e1d740758da4dd28df5d1131f70cef46946b173fe6956cc0341f019d7c4fecc3c9605f354e1308858721dada825b4c19f59c5ad1ce01ab84c46b24 |
C:\Users\Admin\AppData\Local\Temp\_MEI13882\libssl-3.dll
| MD5 | 8d4805f0651186046c48d3e2356623db |
| SHA1 | 18c27c000384418abcf9c88a72f3d55d83beda91 |
| SHA256 | 007142039f04d04e0ed607bda53de095e5bc6a8a10d26ecedde94ea7d2d7eefe |
| SHA512 | 1c4895d912f7085d6e46f6776034c9e3d8d7bf934be858683bf6dedb13abca360ba816d8a5528ec7a3ac6e33010fdb6fc89b2699b5cfeedaabfdd5df143dffd1 |
C:\Users\Admin\AppData\Local\Temp\_MEI13882\psutil\_psutil_windows.pyd
| MD5 | d30149d319efcaecf0a5c5e71ef6cb39 |
| SHA1 | 99beeb17bfc69e8370036f9457edb4d6812b22e2 |
| SHA256 | 9c7fc855d9d1614e70705c7dcc6f4ac3cdcab5adfeb6a67d382f5ade09eadc15 |
| SHA512 | b6fb265f0efed56fdd3455ed620e1fb581d40d2b23b92544cccbf331e30dc29592c4297e3faaf437a9d1a33099e0b48d5b2344943fb7b581a448f6c5806acec6 |
C:\Users\Admin\AppData\Local\Temp\_MEI13882\_ssl.pyd
| MD5 | 689f1abac772c9e4c2d3bad3758cb398 |
| SHA1 | fe829e05d9f7838d1426f6d4a2f97165c09fd0f7 |
| SHA256 | 3301ff340d26495c95108199b67fdf3402742d13070af8b6bf4eb2e0c5e13781 |
| SHA512 | 949404a76c731a92074b37ec0bba88d873e56327b335b6c300eff68c2b142e194b58df59158b9bb92a5984c768b474f5db5f80f6b610f6cca78763604041bd82 |
C:\Users\Admin\AppData\Local\Temp\_MEI13882\libcrypto-3.dll
| MD5 | ae5b2e9a3410839b31938f24b6fc5cd8 |
| SHA1 | 9f9a14efc15c904f408a0d364d55a144427e4949 |
| SHA256 | ccfffddcd3defb8d899026298af9af43bc186130f8483d77e97c93233d5f27d7 |
| SHA512 | 36ea760a7b56ea74174882155eddfb8726828240fcfc6b34d90ecdb7e50a7e632374dcbc9b2889081c0973cc51f50967e7d692498c4abd1f2cba3f7fe8d659cc |
C:\Users\Admin\AppData\Local\Temp\_MEI13882\_hashlib.pyd
| MD5 | 3e540ef568215561590df215801b0f59 |
| SHA1 | 3b6db31a97115c10c33266cce8ff80463763c7e6 |
| SHA256 | 52f29aebe9886e830dedc363cd64eb53b6830d84b26e14f1b6faa655a0900b5d |
| SHA512 | 21497a4d1d999a420ed0e146544f4149c72ad4aca4b869a0ee83267d92afa07609ece76a4e95ec706a21580d6544146d0a58c0baa01aa2c242474a4816108527 |
C:\Users\Admin\AppData\Local\Temp\_MEI13882\_queue.pyd
| MD5 | cc0f4a77ccfe39efc8019fa8b74c06d0 |
| SHA1 | 77a713cd5880d5254dd0d1cbfe0d6a45dfc869ce |
| SHA256 | af8ac8ab8b39f53b5dc192fbf58ad704a709db34e69753b97b83d087202e3a36 |
| SHA512 | ffea0bd7f73b6c02df6ff37ef39b8e54e480a4cc734fb149adc5c7410f445effd1fdd4f24e4619f7158913a50c28cc73629524d1a7389101a75257d5652c7823 |
C:\Users\Admin\AppData\Local\Temp\_MEI13882\select.pyd
| MD5 | 715a098175d3ca1c1da2dc5756b31860 |
| SHA1 | 6b3ec06d679c48bfe4391535a822b58a02d79026 |
| SHA256 | 6393121130a3e85d0f6562948024d8614c4c144b84ab102af711c638344d1599 |
| SHA512 | e92edb98427f594badec592493469d45deab3b71e4598d544d0b9a1acffd5327a19c09029fb79d70971cb0ed0dba56056bef8455534d3f16ec35eac723062f3c |
C:\Users\Admin\AppData\Local\Temp\_MEI13882\_tkinter.pyd
| MD5 | c7ff6d22c46a2c9ca5f9f76ceaac1bf1 |
| SHA1 | 4c72cf5cb745c3f14d342b6143b66e1603a2d886 |
| SHA256 | 7d163581822bdcdb94cee24115c37a511cb6bd880b007fc7e5cc5099fac58506 |
| SHA512 | 7b52884f7c2360c1c1995d4a3ffac87f53324d3fc36b4246804a45f744a33912fbb93648cbe63e166029c1882fa790fc4718c486e7f356e36ce3b392e9497f47 |
C:\Users\Admin\AppData\Local\Temp\_MEI13882\_sqlite3.pyd
| MD5 | 4541a93562390ae4e3611df24776fe20 |
| SHA1 | 791a32bdcca11d51d586a2407ee309a9def2286c |
| SHA256 | 8cba8b163393162e4a689d44488410d43b1d1b0a907499d0f01dbccf9c4ac10e |
| SHA512 | 6cd46e48b2e0fe9440eaf8cb6ea7e61be6203f02be8910f8e4fc6338df485f856a95907579d69f3f6054d6383b914f6a459cd92cdcc91d1718764048224fd0be |
C:\Users\Admin\AppData\Local\Temp\_MEI13882\_overlapped.pyd
| MD5 | 363409fbacb1867f2ce45e3c6922ddb4 |
| SHA1 | 045b1b90886f4b25d326ea3409a5f79570eae4b2 |
| SHA256 | 7983f811ccd9c99c6db34b653339605ea45eb384f5e88a8b23ccf9fa5f0170d9 |
| SHA512 | c89288dd76821a18e18ce3e67f01b1a9f6a55751832aa1a4b44882f2115474ca131f95f3545adb9c2d8ecaf3269837126135395c719581a7493affaa96ea0dfe |
C:\Users\Admin\AppData\Local\Temp\_MEI13882\_multiprocessing.pyd
| MD5 | 807dd90be59ea971dac06f3aab4f2a7e |
| SHA1 | c4bea9db94127ef30e929b395d38175dc74e4dc0 |
| SHA256 | 82253e2d6ec717b317e26ed7dd141aadaea6cb55a9d0fee022a67d52b404fd06 |
| SHA512 | 61b9cf8ac06506002d273b59e2fb66ad96751b10d10faff9128749538867d45d561c1cf8dcb8e787ca6afdc8a1d504cb7012135dfe3a1f3d1fc0b107e4e1a8f9 |
C:\Users\Admin\AppData\Local\Temp\_MEI13882\_elementtree.pyd
| MD5 | ac10151b412bfb22ba9725bc9613c49e |
| SHA1 | 4152c799c6faa2a1606d40e1b9089e67efaec951 |
| SHA256 | fe09d0408aab3a6faa71467f78433df4c7f3ad0b033bb72ec43bde85abf6dcfb |
| SHA512 | bf0641606c45285c3f18454e8f855d12963f51d910f20419b76405cc80530c38e17a791c580a9db6d171a5e1b9999a6dea661e22a62360d804183f9c0210a107 |
C:\Users\Admin\AppData\Local\Temp\_MEI13882\_decimal.pyd
| MD5 | 21fcb8e3d4310346a5dc1a216e7e23ca |
| SHA1 | aab11aef9075715733e0fcde9668c6a51654b9e1 |
| SHA256 | 4e27c06b84401039d10f800a0f06446b58508784ee366c7c8324d8fe9794e1a5 |
| SHA512 | c064550d1723e92512a42ce367ecef9331a81121305d66199abce6e0977152d927f7223f475e22c67e3f64b0f612c5553f112d8ce653c666a98d1980d200a599 |
C:\Users\Admin\AppData\Local\Temp\_MEI13882\_cffi_backend.cp313-win_amd64.pyd
| MD5 | 5cba92e7c00d09a55f5cbadc8d16cd26 |
| SHA1 | 0300c6b62cd9db98562fdd3de32096ab194da4c8 |
| SHA256 | 0e3d149b91fc7dc3367ab94620a5e13af6e419f423b31d4800c381468cb8ad85 |
| SHA512 | 7ab432c8774a10f04ddd061b57d07eba96481b5bb8c663c6ade500d224c6061bc15d17c74da20a7c3cec8bbf6453404d553ebab22d37d67f9b163d7a15cf1ded |
C:\Users\Admin\AppData\Local\Temp\_MEI13882\_asyncio.pyd
| MD5 | 56f958eebbc62305b4bf690d61c78e28 |
| SHA1 | 68d1a227f8bef856469523364e37ae76b968162a |
| SHA256 | a5341a74bbec1ddc807c0236fcb6bfaceaf3b957eb69cdd9bca00657eb5e42b6 |
| SHA512 | 91b2a31835a5a0610856df1851c7bb1dea48a6740c63bd037971473706197e81e9904eaa6042a84fc15aa6aa74ac226463b67e2fa8370cbb8b0c987fed777169 |
C:\Users\Admin\AppData\Local\Temp\_MEI13882\zlib1.dll
| MD5 | ef398b5b1b901ce824c16c0af5b1d6f9 |
| SHA1 | ee6ab2f7f8aef41c3886a818418f86bca764c4d6 |
| SHA256 | f687e5dd99faab1023d036f09ef8ba3c09bd3464c8ced523341780e301bdf6a8 |
| SHA512 | 7ed4666a21153adb44d3f34f868d590f66ab0d917746b31684c84a600c48fcafdc69d7bd6535b4c9e4400e614ee6e2e9e3ee59021dcef5e7340b73f3ae2ac831 |
C:\Users\Admin\AppData\Local\Temp\_MEI13882\VCRUNTIME140_1.dll
| MD5 | c0c0b4c611561f94798b62eb43097722 |
| SHA1 | 523f515eed3af6d50e57a3eaeb906f4ccc1865fe |
| SHA256 | 6a99bc0128e0c7d6cbbf615fcc26909565e17d4ca3451b97f8987f9c6acbc6c8 |
| SHA512 | 35db454dbcc7ed89842c0440b92ce0b0b0db41dbd5432a36a0b7e1eddf51704b1f0d6cff5e3a3b0c3ff5db3d8632fed000471180ad72e39d8dbe68a757ccdfb0 |
C:\Users\Admin\AppData\Local\Temp\_MEI13882\unicodedata.pyd
| MD5 | 503b3ffa6a5bf45ab34d6d74352f206b |
| SHA1 | cc13b85281e5d52413784e0b65a61b1d037c60cc |
| SHA256 | 071494856fdad0042964769aa2fb1de4ea95c2cfcbe27cc7132293c68d13d710 |
| SHA512 | d20b860974161caa60a62268968af353ad8063589f57d71f57c91855eb83da78f40bae7aa745cc7a945d92ebe08cf244c9560ae93449de45b20a8b8fff9f5010 |
C:\Users\Admin\AppData\Local\Temp\_MEI13882\tcl86t.dll
| MD5 | 3fba04c93cc59c04321970d123fd009c |
| SHA1 | e39ef4bb5b9d795e33793523447cad9cc476c362 |
| SHA256 | 137972bf582984df7ffe8983fa66d92dba6cc5887fe6784ffe1165bab57304b0 |
| SHA512 | 67b2ae06c3610ade78a7f470113acdb787010cfc2628d9b3fcb487761c6b4533883cdb46f16223ea943a5410df4a79ce96b047bce17aa8fb67bb3fa779b86072 |
C:\Users\Admin\AppData\Local\Temp\_MEI13882\sqlite3.dll
| MD5 | 090f55321224c4bb65d9b9d99045ac89 |
| SHA1 | e28591421fa4464ed4b31e31f66b6dd6db051c84 |
| SHA256 | 441363c5b15394ca4b117200800722d48042c04407d03aac0d1a0a967b7c68e4 |
| SHA512 | fbe3767f227289cb5e2e3cd81c83e6a75f6344c6d7f507403eab59a8ab0e742edc1289694445c30abd763625b26edb980d04bc30c4d330c88bd7315c31ca2420 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1hwqtddb.xpn.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4344-1280-0x000001B29C6E0000-0x000001B29C702000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 446dd1cf97eaba21cf14d03aebc79f27 |
| SHA1 | 36e4cc7367e0c7b40f4a8ace272941ea46373799 |
| SHA256 | a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf |
| SHA512 | a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7 |
Analysis: behavioral1
Detonation Overview
Submitted
2025-07-04 18:10
Reported
2025-07-04 18:12
Platform
win10v2004-20250619-en
Max time kernel
45s
Max time network
50s
Command Line
Signatures
Disables Task Manager via registry modification
Loads dropped DLL
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Accesses cryptocurrency files/wallets, possible credential harvesting
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | api.gofile.io | N/A | N/A |
| N/A | api.gofile.io | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Browser Information Discovery
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | C:\Windows\system32\LogonUI.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4097847965-469305640-2969917343-1000\{FDB5D560-6AAC-4917-89C0-37CC431DA02B} | C:\Users\Admin\AppData\Local\Temp\BestXineMenu.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\LogonUI.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\BestXineMenu.exe
"C:\Users\Admin\AppData\Local\Temp\BestXineMenu.exe"
C:\Users\Admin\AppData\Local\Temp\BestXineMenu.exe
"C:\Users\Admin\AppData\Local\Temp\BestXineMenu.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "(Get-WmiObject -Class Win32_ComputerSystemProduct).UUID"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "(Get-WmiObject -Class Win32_BIOS).SerialNumber"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "(Get-WmiObject -Class Win32_BaseBoard).SerialNumber"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "(Get-WmiObject -Class Win32_Processor).ProcessorId"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "(Get-WmiObject -Class Win32_BIOS).OEMStringArray"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "(Get-WmiObject -Class Win32_SystemEnclosure).SMBIOSAssetTag"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c shutdown /s /t 15
C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
C:\Windows\system32\shutdown.exe
shutdown /s /t 15
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa389d855 /state1:0x41c64e6d
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| GB | 2.18.27.76:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 104.26.12.205:443 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | redtiger.shop | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | api.gofile.io | udp |
| FR | 51.75.242.210:443 | api.gofile.io | tcp |
| US | 8.8.8.8:53 | store4.gofile.io | udp |
| FR | 31.14.70.245:443 | store4.gofile.io | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\_MEI50562\setuptools\_vendor\importlib_metadata-8.0.0.dist-info\INSTALLER
| MD5 | 365c9bfeb7d89244f2ce01c1de44cb85 |
| SHA1 | d7a03141d5d6b1e88b6b59ef08b6681df212c599 |
| SHA256 | ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508 |
| SHA512 | d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1 |
C:\Users\Admin\AppData\Local\Temp\_MEI50562\python313.dll
| MD5 | 7387fe038ea75eb9a57b054fccfe37bf |
| SHA1 | 5c532cbdfd718b5e80afb2ee8dea991e84757712 |
| SHA256 | 69fd86ea29370697c203f7e12830084f920f490766a8e3045af52c036a9ad529 |
| SHA512 | c46c982b04079ed0b13617b81168598632d6c58d29e23fcbfa064b08e5836866b74880e1a9c01c12670531f13521a21177aafb10be0abb329a79291d7bff08bd |
C:\Users\Admin\AppData\Local\Temp\_MEI50562\VCRUNTIME140.dll
| MD5 | 32da96115c9d783a0769312c0482a62d |
| SHA1 | 2ea840a5faa87a2fe8d7e5cb4367f2418077d66b |
| SHA256 | 052ad6a20d375957e82aa6a3c441ea548d89be0981516ca7eb306e063d5027f4 |
| SHA512 | 616c78b4a24761d4640ae2377b873f7779322ef7bc26f8de7da0d880b227c577ed6f5ed794fc733468477b2fcdb7916def250e5dc63e79257616f99768419087 |
C:\Users\Admin\AppData\Local\Temp\_MEI50562\base_library.zip
| MD5 | f2ea5aa1dfd6f0ec3c62b32623a14bac |
| SHA1 | bbc603e925c1f071661c81ae85124a8a220df1eb |
| SHA256 | 042acda399bb72a87dc7d37ce63d04470f6cb7d561e1f539f3be09fc9dd772ac |
| SHA512 | cd371cb282f9be0cadfec1d317c6e9d7720844d84ecb6254ab62e0b42df438b8e264bc4929f2b45fa8784a08378861cf7b81566c3f4061056d4de58ac39efccf |
C:\Users\Admin\AppData\Local\Temp\_MEI50562\python3.DLL
| MD5 | d6dfb6a9518a57e180980f7a07098d7d |
| SHA1 | 6026120461f5cbcd9255670b6a906fd8f5329073 |
| SHA256 | fdd54b6c495e9278e73d68203fff0c300e416e704852908cf5b06666cffead51 |
| SHA512 | 2a0195a5038d7530b64a506a70de3a6b9cb64ca9206006e03f726b4420304e3a76c10fdda12c8a51f4dbd63e7112fd7e7727a4ab94e7a111587e4248a6b26a62 |
C:\Users\Admin\AppData\Local\Temp\_MEI50562\libffi-8.dll
| MD5 | 0f8e4992ca92baaf54cc0b43aaccce21 |
| SHA1 | c7300975df267b1d6adcbac0ac93fd7b1ab49bd2 |
| SHA256 | eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a |
| SHA512 | 6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978 |
C:\Users\Admin\AppData\Local\Temp\_MEI50562\_wmi.pyd
| MD5 | 47e6fd132f44a4feb595bd0fda3c4e1c |
| SHA1 | 37c6c2c1ff309db7273afc9324a37b716c5cbfdb |
| SHA256 | ebd252d21af9c84128fca04c994093a5bd6ee857f1581f06f4026fdd6a2c40e0 |
| SHA512 | 69c031d4ff2dac70739f9c188fca3c6969304f22782adf5a9c0ca303a3a712630541bda888ef25d3252b46d43df56f6e7e03c83d331840088c4224d1a1a512c4 |
C:\Users\Admin\AppData\Local\Temp\_MEI50562\_uuid.pyd
| MD5 | 93730cb349b216114b444cc9e30932ca |
| SHA1 | 689e63330f48877478d428f0e410ac7d69e7150a |
| SHA256 | 17c7856bda73348ca541d01ba4881e4b327b15fb3d2cb90a92ca2bf0e6c4bafe |
| SHA512 | ab312a908256d55cf883e90501dcf88175cc145207d2da4e3cc8470e7fa3afdcfd889f0b5c4488ace6ca3b1f7bba943f2156e839eda80981ff592123c5777c34 |
C:\Users\Admin\AppData\Local\Temp\_MEI50562\_tkinter.pyd
| MD5 | c7ff6d22c46a2c9ca5f9f76ceaac1bf1 |
| SHA1 | 4c72cf5cb745c3f14d342b6143b66e1603a2d886 |
| SHA256 | 7d163581822bdcdb94cee24115c37a511cb6bd880b007fc7e5cc5099fac58506 |
| SHA512 | 7b52884f7c2360c1c1995d4a3ffac87f53324d3fc36b4246804a45f744a33912fbb93648cbe63e166029c1882fa790fc4718c486e7f356e36ce3b392e9497f47 |
C:\Users\Admin\AppData\Local\Temp\_MEI50562\_ssl.pyd
| MD5 | 689f1abac772c9e4c2d3bad3758cb398 |
| SHA1 | fe829e05d9f7838d1426f6d4a2f97165c09fd0f7 |
| SHA256 | 3301ff340d26495c95108199b67fdf3402742d13070af8b6bf4eb2e0c5e13781 |
| SHA512 | 949404a76c731a92074b37ec0bba88d873e56327b335b6c300eff68c2b142e194b58df59158b9bb92a5984c768b474f5db5f80f6b610f6cca78763604041bd82 |
C:\Users\Admin\AppData\Local\Temp\_MEI50562\_sqlite3.pyd
| MD5 | 4541a93562390ae4e3611df24776fe20 |
| SHA1 | 791a32bdcca11d51d586a2407ee309a9def2286c |
| SHA256 | 8cba8b163393162e4a689d44488410d43b1d1b0a907499d0f01dbccf9c4ac10e |
| SHA512 | 6cd46e48b2e0fe9440eaf8cb6ea7e61be6203f02be8910f8e4fc6338df485f856a95907579d69f3f6054d6383b914f6a459cd92cdcc91d1718764048224fd0be |
C:\Users\Admin\AppData\Local\Temp\_MEI50562\_socket.pyd
| MD5 | 566cb4d39b700c19dbd7175bd4f2b649 |
| SHA1 | bede896259b6d52d538c2182aef87c334fc9c73c |
| SHA256 | bced17d6f081d81ea7cd92f1e071e38f8840e61ee0fe1524221b776bcfa78650 |
| SHA512 | 6a26fd59e2c2ec34b673ef257a00d5577f52286d78525d05efc8a88760fb575be65c3e94e83396f4978c8734b513afe7f09d3c49474169144f98add406530367 |
C:\Users\Admin\AppData\Local\Temp\_MEI50562\_queue.pyd
| MD5 | cc0f4a77ccfe39efc8019fa8b74c06d0 |
| SHA1 | 77a713cd5880d5254dd0d1cbfe0d6a45dfc869ce |
| SHA256 | af8ac8ab8b39f53b5dc192fbf58ad704a709db34e69753b97b83d087202e3a36 |
| SHA512 | ffea0bd7f73b6c02df6ff37ef39b8e54e480a4cc734fb149adc5c7410f445effd1fdd4f24e4619f7158913a50c28cc73629524d1a7389101a75257d5652c7823 |
C:\Users\Admin\AppData\Local\Temp\_MEI50562\_overlapped.pyd
| MD5 | 363409fbacb1867f2ce45e3c6922ddb4 |
| SHA1 | 045b1b90886f4b25d326ea3409a5f79570eae4b2 |
| SHA256 | 7983f811ccd9c99c6db34b653339605ea45eb384f5e88a8b23ccf9fa5f0170d9 |
| SHA512 | c89288dd76821a18e18ce3e67f01b1a9f6a55751832aa1a4b44882f2115474ca131f95f3545adb9c2d8ecaf3269837126135395c719581a7493affaa96ea0dfe |
C:\Users\Admin\AppData\Local\Temp\_MEI50562\_multiprocessing.pyd
| MD5 | 807dd90be59ea971dac06f3aab4f2a7e |
| SHA1 | c4bea9db94127ef30e929b395d38175dc74e4dc0 |
| SHA256 | 82253e2d6ec717b317e26ed7dd141aadaea6cb55a9d0fee022a67d52b404fd06 |
| SHA512 | 61b9cf8ac06506002d273b59e2fb66ad96751b10d10faff9128749538867d45d561c1cf8dcb8e787ca6afdc8a1d504cb7012135dfe3a1f3d1fc0b107e4e1a8f9 |
C:\Users\Admin\AppData\Local\Temp\_MEI50562\_hashlib.pyd
| MD5 | 3e540ef568215561590df215801b0f59 |
| SHA1 | 3b6db31a97115c10c33266cce8ff80463763c7e6 |
| SHA256 | 52f29aebe9886e830dedc363cd64eb53b6830d84b26e14f1b6faa655a0900b5d |
| SHA512 | 21497a4d1d999a420ed0e146544f4149c72ad4aca4b869a0ee83267d92afa07609ece76a4e95ec706a21580d6544146d0a58c0baa01aa2c242474a4816108527 |
C:\Users\Admin\AppData\Local\Temp\_MEI50562\_elementtree.pyd
| MD5 | ac10151b412bfb22ba9725bc9613c49e |
| SHA1 | 4152c799c6faa2a1606d40e1b9089e67efaec951 |
| SHA256 | fe09d0408aab3a6faa71467f78433df4c7f3ad0b033bb72ec43bde85abf6dcfb |
| SHA512 | bf0641606c45285c3f18454e8f855d12963f51d910f20419b76405cc80530c38e17a791c580a9db6d171a5e1b9999a6dea661e22a62360d804183f9c0210a107 |
C:\Users\Admin\AppData\Local\Temp\_MEI50562\_decimal.pyd
| MD5 | 21fcb8e3d4310346a5dc1a216e7e23ca |
| SHA1 | aab11aef9075715733e0fcde9668c6a51654b9e1 |
| SHA256 | 4e27c06b84401039d10f800a0f06446b58508784ee366c7c8324d8fe9794e1a5 |
| SHA512 | c064550d1723e92512a42ce367ecef9331a81121305d66199abce6e0977152d927f7223f475e22c67e3f64b0f612c5553f112d8ce653c666a98d1980d200a599 |
C:\Users\Admin\AppData\Local\Temp\_MEI50562\_cffi_backend.cp313-win_amd64.pyd
| MD5 | 5cba92e7c00d09a55f5cbadc8d16cd26 |
| SHA1 | 0300c6b62cd9db98562fdd3de32096ab194da4c8 |
| SHA256 | 0e3d149b91fc7dc3367ab94620a5e13af6e419f423b31d4800c381468cb8ad85 |
| SHA512 | 7ab432c8774a10f04ddd061b57d07eba96481b5bb8c663c6ade500d224c6061bc15d17c74da20a7c3cec8bbf6453404d553ebab22d37d67f9b163d7a15cf1ded |
C:\Users\Admin\AppData\Local\Temp\_MEI50562\_asyncio.pyd
| MD5 | 56f958eebbc62305b4bf690d61c78e28 |
| SHA1 | 68d1a227f8bef856469523364e37ae76b968162a |
| SHA256 | a5341a74bbec1ddc807c0236fcb6bfaceaf3b957eb69cdd9bca00657eb5e42b6 |
| SHA512 | 91b2a31835a5a0610856df1851c7bb1dea48a6740c63bd037971473706197e81e9904eaa6042a84fc15aa6aa74ac226463b67e2fa8370cbb8b0c987fed777169 |
C:\Users\Admin\AppData\Local\Temp\_MEI50562\zlib1.dll
| MD5 | ef398b5b1b901ce824c16c0af5b1d6f9 |
| SHA1 | ee6ab2f7f8aef41c3886a818418f86bca764c4d6 |
| SHA256 | f687e5dd99faab1023d036f09ef8ba3c09bd3464c8ced523341780e301bdf6a8 |
| SHA512 | 7ed4666a21153adb44d3f34f868d590f66ab0d917746b31684c84a600c48fcafdc69d7bd6535b4c9e4400e614ee6e2e9e3ee59021dcef5e7340b73f3ae2ac831 |
C:\Users\Admin\AppData\Local\Temp\_MEI50562\VCRUNTIME140_1.dll
| MD5 | c0c0b4c611561f94798b62eb43097722 |
| SHA1 | 523f515eed3af6d50e57a3eaeb906f4ccc1865fe |
| SHA256 | 6a99bc0128e0c7d6cbbf615fcc26909565e17d4ca3451b97f8987f9c6acbc6c8 |
| SHA512 | 35db454dbcc7ed89842c0440b92ce0b0b0db41dbd5432a36a0b7e1eddf51704b1f0d6cff5e3a3b0c3ff5db3d8632fed000471180ad72e39d8dbe68a757ccdfb0 |
C:\Users\Admin\AppData\Local\Temp\_MEI50562\unicodedata.pyd
| MD5 | 503b3ffa6a5bf45ab34d6d74352f206b |
| SHA1 | cc13b85281e5d52413784e0b65a61b1d037c60cc |
| SHA256 | 071494856fdad0042964769aa2fb1de4ea95c2cfcbe27cc7132293c68d13d710 |
| SHA512 | d20b860974161caa60a62268968af353ad8063589f57d71f57c91855eb83da78f40bae7aa745cc7a945d92ebe08cf244c9560ae93449de45b20a8b8fff9f5010 |
C:\Users\Admin\AppData\Local\Temp\_MEI50562\tk86t.dll
| MD5 | c644577350785b9a8e56c83bc7fe4a5a |
| SHA1 | 5fa4e6ec3b0d156c620971e14da30d1633263cf2 |
| SHA256 | ddc6b69c3897ddf3ea9fdfb4b4a6b9c3a667958d4dbf6b4bbcc50c93eb341370 |
| SHA512 | f96f9fa3673d5cbf1ed64092ef8d2433d47c1d48cb24c9087e5fd796c37a1546a61c8ed6760dc5e6739038e4336077544c522d00dd2c3fcf4f16205b6fc1d3b8 |
C:\Users\Admin\AppData\Local\Temp\_MEI50562\tcl86t.dll
| MD5 | 3fba04c93cc59c04321970d123fd009c |
| SHA1 | e39ef4bb5b9d795e33793523447cad9cc476c362 |
| SHA256 | 137972bf582984df7ffe8983fa66d92dba6cc5887fe6784ffe1165bab57304b0 |
| SHA512 | 67b2ae06c3610ade78a7f470113acdb787010cfc2628d9b3fcb487761c6b4533883cdb46f16223ea943a5410df4a79ce96b047bce17aa8fb67bb3fa779b86072 |
C:\Users\Admin\AppData\Local\Temp\_MEI50562\sqlite3.dll
| MD5 | 090f55321224c4bb65d9b9d99045ac89 |
| SHA1 | e28591421fa4464ed4b31e31f66b6dd6db051c84 |
| SHA256 | 441363c5b15394ca4b117200800722d48042c04407d03aac0d1a0a967b7c68e4 |
| SHA512 | fbe3767f227289cb5e2e3cd81c83e6a75f6344c6d7f507403eab59a8ab0e742edc1289694445c30abd763625b26edb980d04bc30c4d330c88bd7315c31ca2420 |
C:\Users\Admin\AppData\Local\Temp\_MEI50562\select.pyd
| MD5 | 715a098175d3ca1c1da2dc5756b31860 |
| SHA1 | 6b3ec06d679c48bfe4391535a822b58a02d79026 |
| SHA256 | 6393121130a3e85d0f6562948024d8614c4c144b84ab102af711c638344d1599 |
| SHA512 | e92edb98427f594badec592493469d45deab3b71e4598d544d0b9a1acffd5327a19c09029fb79d70971cb0ed0dba56056bef8455534d3f16ec35eac723062f3c |
C:\Users\Admin\AppData\Local\Temp\_MEI50562\pyexpat.pyd
| MD5 | 4e6de7116d8c1c418080580c9795ac15 |
| SHA1 | ba948a3c17e12f113477639702a82e96298d1938 |
| SHA256 | 554bbc65bfe8c19ba9bbd94f18977a8131109c6a4d64306778bd12250c2c5c56 |
| SHA512 | 853e5cd9f753145cce9dd22f6e6a6e404fec7f0db322d2db4d7b18e9cfc065503ba4fab4adc33cbf7d1c2dc0d884413f73cbc28c290d5a41ce7f3f610dad99bc |
C:\Users\Admin\AppData\Local\Temp\_MEI50562\libcrypto-3.dll
| MD5 | ae5b2e9a3410839b31938f24b6fc5cd8 |
| SHA1 | 9f9a14efc15c904f408a0d364d55a144427e4949 |
| SHA256 | ccfffddcd3defb8d899026298af9af43bc186130f8483d77e97c93233d5f27d7 |
| SHA512 | 36ea760a7b56ea74174882155eddfb8726828240fcfc6b34d90ecdb7e50a7e632374dcbc9b2889081c0973cc51f50967e7d692498c4abd1f2cba3f7fe8d659cc |
C:\Users\Admin\AppData\Local\Temp\_MEI50562\_lzma.pyd
| MD5 | d63e2e743ea103626d33b3c1d882f419 |
| SHA1 | af8a162b43f99b943d1c87c9a9e8088816263373 |
| SHA256 | 48f16b587c6faa44a9e073365b19599200b0f0a0ccb70121e76c2dac4ed53281 |
| SHA512 | d3f1450b5def3c21f47c5133073e76d2ec05787eb6ae88bb70d3a34be84f6025540ac017e9415bb22ef36c2ffbfcea38a28842eefe366325f3d3cf2cca1a3cb1 |
C:\Users\Admin\AppData\Local\Temp\_MEI50562\_bz2.pyd
| MD5 | 684d656aada9f7d74f5a5bdcf16d0edb |
| SHA1 | f7586da90d101b5ee3fa24f131ee93ab89606919 |
| SHA256 | 449058efc99fccb9e24d640084d845c78f3f86dd34c5c126cf69e523d6320d75 |
| SHA512 | 27fb2eca382675316fb96d18a1aa6b2792077481bf899cbcc658d71f787876045c05c98abf129c9670b6a1d2654d57f59e17580139fa7f482ec27234e44d4235 |
C:\Users\Admin\AppData\Local\Temp\_MEI50562\libssl-3.dll
| MD5 | 8d4805f0651186046c48d3e2356623db |
| SHA1 | 18c27c000384418abcf9c88a72f3d55d83beda91 |
| SHA256 | 007142039f04d04e0ed607bda53de095e5bc6a8a10d26ecedde94ea7d2d7eefe |
| SHA512 | 1c4895d912f7085d6e46f6776034c9e3d8d7bf934be858683bf6dedb13abca360ba816d8a5528ec7a3ac6e33010fdb6fc89b2699b5cfeedaabfdd5df143dffd1 |
C:\Users\Admin\AppData\Local\Temp\_MEI50562\_ctypes.pyd
| MD5 | 29873384e13b0a78ee9857604161514b |
| SHA1 | 110f60f74b06b3972acd5908937a40e078636479 |
| SHA256 | 5c0d5082fba1a2a3eb8d5e23073be25164c19f21304b09cecaab340dc7198815 |
| SHA512 | ca826ff5403700e6d8822634e364e43b14ef829095d8fe365b49731236f696fe86ffa3853cd1801dc3b7800d005a032fe23bbc25befe3952ef37790d56dee3c5 |
C:\Users\Admin\AppData\Local\Temp\_MEI50562\PyQt5\Qt5\bin\VCRUNTIME140_1.dll
| MD5 | 6bc084255a5e9eb8df2bcd75b4cd0777 |
| SHA1 | cf071ad4e512cd934028f005cabe06384a3954b6 |
| SHA256 | 1f0f5f2ce671e0f68cf96176721df0e5e6f527c8ca9cfa98aa875b5a3816d460 |
| SHA512 | b822538494d13bda947655af791fed4daa811f20c4b63a45246c8f3befa3ec37ff1aa79246c89174fe35d76ffb636fa228afa4bda0bd6d2c41d01228b151fd89 |
C:\Users\Admin\AppData\Local\Temp\_MEI50562\PyQt5\sip.cp313-win_amd64.pyd
| MD5 | c1ee7b155ad3fc4c7cc29999671ec2b9 |
| SHA1 | 25b7ede05a8c8904ac333a96e1e95766d1d1c5ba |
| SHA256 | e63580748533698abdafaff1210f5bb0247b36ee987d0180076eaaa46245c0d2 |
| SHA512 | 1e8f882403cf944b635049f7f7dbbd68353d62c06320f0aac0cb2cbc84568f6fadf849c447f9e41cc10dd61bd6cbd7cf7eafe516a955f20ce6a09d1992b2ce85 |
C:\Users\Admin\AppData\Local\Temp\_MEI50562\PyQt5\Qt5\bin\MSVCP140_1.dll
| MD5 | 0fe6d52eb94c848fe258dc0ec9ff4c11 |
| SHA1 | 95cc74c64ab80785f3893d61a73b8a958d24da29 |
| SHA256 | 446c48c1224c289bd3080087fe15d6759416d64f4136addf30086abd5415d83f |
| SHA512 | c39a134210e314627b0f2072f4ffc9b2ce060d44d3365d11d8c1fe908b3b9403ebdd6f33e67d556bd052338d0ed3d5f16b54d628e8290fd3a155f55d36019a86 |
C:\Users\Admin\AppData\Local\Temp\_MEI50562\PyQt5\Qt5\bin\MSVCP140.dll
| MD5 | 01b946a2edc5cc166de018dbb754b69c |
| SHA1 | dbe09b7b9ab2d1a61ef63395111d2eb9b04f0a46 |
| SHA256 | 88f55d86b50b0a7e55e71ad2d8f7552146ba26e927230daf2e26ad3a971973c5 |
| SHA512 | 65dc3f32faf30e62dfdecb72775df870af4c3a32a0bf576ed1aaae4b16ac6897b62b19e01dc2bf46f46fbe3f475c061f79cbe987eda583fee1817070779860e5 |
memory/4944-1254-0x00007FFAF2180000-0x00007FFAF23E3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI50562\PyQt5\Qt5\bin\Qt5Core.dll
| MD5 | 817520432a42efa345b2d97f5c24510e |
| SHA1 | fea7b9c61569d7e76af5effd726b7ff6147961e5 |
| SHA256 | 8d2ff4ce9096ddccc4f4cd62c2e41fc854cfd1b0d6e8d296645a7f5fd4ae565a |
| SHA512 | 8673b26ec5421fce8e23adf720de5690673bb4ce6116cb44ebcc61bbbef12c0ad286dfd675edbed5d8d000efd7609c81aae4533180cf4ec9cd5316e7028f7441 |
C:\Users\Admin\AppData\Local\Temp\_MEI50562\PyQt5\QtCore.pyd
| MD5 | 678fa1496ffdea3a530fa146dedcdbcc |
| SHA1 | c80d8f1de8ae06ecf5750c83d879d2dcc2d6a4f8 |
| SHA256 | d6e45fd8c3b3f93f52c4d1b6f9e3ee220454a73f80f65f3d70504bd55415ea37 |
| SHA512 | 8d9e3fa49fb42f844d8df241786ea9c0f55e546d373ff07e8c89aac4f3027c62ec1bd0c9c639afeabc034cc39e424b21da55a1609c9f95397a66d5f0d834e88e |
C:\Users\Admin\AppData\Local\Temp\_MEI50562\setuptools\_vendor\jaraco\text\Lorem ipsum.txt
| MD5 | 4ce7501f6608f6ce4011d627979e1ae4 |
| SHA1 | 78363672264d9cd3f72d5c1d3665e1657b1a5071 |
| SHA256 | 37fedcffbf73c4eb9f058f47677cb33203a436ff9390e4d38a8e01c9dad28e0b |
| SHA512 | a4cdf92725e1d740758da4dd28df5d1131f70cef46946b173fe6956cc0341f019d7c4fecc3c9605f354e1308858721dada825b4c19f59c5ad1ce01ab84c46b24 |
C:\Users\Admin\AppData\Local\Temp\_MEI50562\psutil\_psutil_windows.pyd
| MD5 | d30149d319efcaecf0a5c5e71ef6cb39 |
| SHA1 | 99beeb17bfc69e8370036f9457edb4d6812b22e2 |
| SHA256 | 9c7fc855d9d1614e70705c7dcc6f4ac3cdcab5adfeb6a67d382f5ade09eadc15 |
| SHA512 | b6fb265f0efed56fdd3455ed620e1fb581d40d2b23b92544cccbf331e30dc29592c4297e3faaf437a9d1a33099e0b48d5b2344943fb7b581a448f6c5806acec6 |
memory/4228-1278-0x000001536B0B0000-0x000001536B0D2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_u3okuvzz.zrc.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 446dd1cf97eaba21cf14d03aebc79f27 |
| SHA1 | 36e4cc7367e0c7b40f4a8ace272941ea46373799 |
| SHA256 | a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf |
| SHA512 | a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7 |
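Nearly every dropped file sits under %TEMP%\_MEI50562\, the extraction directory a PyInstaller one-file executable creates at start-up; python313.dll, base_library.zip and the bundled .pyd extension modules identify the runtime as CPython 3.13, and the cp313-win_amd64 ABI tag confirms a 64-bit build. The two files outside that directory (__PSScriptPolicyTest_*.ps1 and StartupProfileData-NonInteractive) are written by powershell.exe itself when it starts, so they show PowerShell was launched but carry no payload. The script below is an added example, not part of the sandbox report; the path list is a constructed subset of the Files section above, and the recognition rules are the editor's.

```python
"""Recognise a PyInstaller one-file bundle and PowerShell start-up artifacts
from a sandbox dropped-file list (added example, not part of the report)."""
from __future__ import annotations

import re

# Constructed input: a subset of the dropped-file paths listed above.
DROPPED_FILES = [
    r"C:\Users\Admin\AppData\Local\Temp\_MEI50562\setuptools\_vendor\importlib_metadata-8.0.0.dist-info\INSTALLER",
    r"C:\Users\Admin\AppData\Local\Temp\_MEI50562\python313.dll",
    r"C:\Users\Admin\AppData\Local\Temp\_MEI50562\python3.DLL",
    r"C:\Users\Admin\AppData\Local\Temp\_MEI50562\base_library.zip",
    r"C:\Users\Admin\AppData\Local\Temp\_MEI50562\_ssl.pyd",
    r"C:\Users\Admin\AppData\Local\Temp\_MEI50562\_cffi_backend.cp313-win_amd64.pyd",
    r"C:\Users\Admin\AppData\Local\Temp\_MEI50562\PyQt5\Qt5\bin\Qt5Core.dll",
    r"C:\Users\Admin\AppData\Local\Temp\_MEI50562\PyQt5\QtCore.pyd",
    r"C:\Users\Admin\AppData\Local\Temp\_MEI50562\psutil\_psutil_windows.pyd",
    r"C:\Users\Admin\AppData\Local\Temp\_MEI50562\libcrypto-3.dll",
    r"C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_u3okuvzz.zrc.ps1",
    r"C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive",
]

_MEI_ROOT = re.compile(r"^(?P<root>.*\\_MEI\d+)\\(?P<rel>.+)$", re.IGNORECASE)
# pythonXY.dll carries the interpreter version; python3.dll (stable ABI stub) has no minor digit.
_PYDLL = re.compile(r"^python(?P<major>\d)(?P<minor>\d+)\.dll$", re.IGNORECASE)
_ABI_TAG = re.compile(r"\.cp(?P<major>\d)(?P<minor>\d+)-win_(?P<arch>amd64|arm64|32)\.pyd$", re.IGNORECASE)
_CRYPTO_DLL = re.compile(r"^lib(ssl|crypto)-\d+\.dll$", re.IGNORECASE)
_PS_POLICY_TEST = re.compile(r"\\__PSScriptPolicyTest_[^\\]+\.ps1$", re.IGNORECASE)


def find_pyinstaller_bundles(paths: list[str]) -> dict[str, dict]:
    """Group paths by _MEI<digits> root and summarise what each bundle contains."""
    bundles: dict[str, dict] = {}
    for p in paths:
        m = _MEI_ROOT.match(p)
        if not m:
            continue
        b = bundles.setdefault(m.group("root"), {
            "python_version": None, "arch": None, "has_base_library": False,
            "pyd_count": 0, "packages": set(), "crypto_dlls": set()})
        parts = m.group("rel").split("\\")
        name = parts[-1]
        if len(parts) > 1:                      # top-level directory == bundled package
            b["packages"].add(parts[0])
        if name.lower() == "base_library.zip":
            b["has_base_library"] = True
        if (pm := _PYDLL.match(name)):
            b["python_version"] = f'{pm["major"]}.{pm["minor"]}'
        if (am := _ABI_TAG.search(name)):
            b["arch"] = am["arch"]
        if name.lower().endswith(".pyd"):
            b["pyd_count"] += 1
        if _CRYPTO_DLL.match(name):
            b["crypto_dlls"].add(name)
    return bundles


def is_pyinstaller_bundle(b: dict) -> bool:
    """base_library.zip plus a pythonXY.dll under an _MEI directory is the one-file signature."""
    return b["has_base_library"] and b["python_version"] is not None


def powershell_startup_artifacts(paths: list[str]) -> list[str]:
    """Files powershell.exe writes at start-up (AppLocker/WDAC policy probe, profile cache)."""
    return [p for p in paths
            if _PS_POLICY_TEST.search(p) or p.lower().endswith("\\startupprofiledata-noninteractive")]


if __name__ == "__main__":
    for root, b in find_pyinstaller_bundles(DROPPED_FILES).items():
        print(root, "pyinstaller" if is_pyinstaller_bundle(b) else "unknown",
              b["python_version"], b["arch"], sorted(b["packages"]), sorted(b["crypto_dlls"]))
    print(powershell_startup_artifacts(DROPPED_FILES))
```

The bundled packages (PyQt5 for a GUI, psutil for process enumeration, OpenSSL via _ssl/libcrypto for HTTPS) match the behaviour in the summary. The next analysis step is static rather than dynamic: extract the embedded PYZ archive from the original executable with a PyInstaller extractor such as pyinstxtractor, then decompile the entry script for CPython 3.13.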