Malware Analysis Report

2025-08-05 14:55

Sample ID 250704-wxh2law1hz
Target BestXineMenu.exe
SHA256 ff8000b2008b1c63d3d1395db9e496d96efd845e15d8a664214174459edc1577
Tags credential_access defense_evasion discovery execution spyware stealer ransomware pyinstaller
Score 8/10

Analysis Overview

Score 8/10

SHA256 ff8000b2008b1c63d3d1395db9e496d96efd845e15d8a664214174459edc1577

Threat Level: Likely malicious

The file BestXineMenu.exe was found to be: Likely malicious.

Malicious Activity Summary

credential_access defense_evasion discovery execution spyware stealer ransomware pyinstaller

Disables Task Manager via registry modification

Unsecured Credentials: Credentials In Files

Loads dropped DLL

Reads user/profile data of web browsers

Command and Scripting Interpreter: PowerShell

Accesses cryptocurrency files/wallets, possible credential harvesting

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Unsigned PE

Browser Information Discovery

Detects Pyinstaller

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Opens file in notepad (likely ransom note)

Suspicious behavior: GetForegroundWindowSpam

Modifies data under HKEY_USERS

Suspicious use of SetWindowsHookEx

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-07-04 18:18

Signatures

Detects Pyinstaller

pyinstaller

Unsigned PE


Analysis: behavioral2

Detonation Overview

Submitted

2025-07-04 18:17

Reported

2025-07-04 18:19

Platform

win11-20250619-en

Max time kernel

29s

Max time network

33s

Command Line

"C:\Users\Admin\AppData\Local\Temp\BestXineMenu.exe"

Signatures

Disables Task Manager via registry modification

defense_evasion

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\BestXineMenu.exe N/A
(identical rows collapsed: the row above occurs 64 times in the report)

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A api.gofile.io N/A N/A
N/A discord.com N/A N/A
N/A api.gofile.io N/A N/A
N/A discord.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A ip-api.com N/A N/A
N/A api.ipify.org N/A N/A

Browser Information Discovery

discovery

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "91" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent C:\Windows\system32\LogonUI.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00 C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268" C:\Windows\system32\LogonUI.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4024151881-1944119507-1574723210-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4024151881-1944119507-1574723210-1000\{4152D3F4-CF7B-4A8A-BBD9-ADDE8DF6ECAD} C:\Users\Admin\AppData\Local\Temp\BestXineMenu.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\BestXineMenu.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
(identical rows collapsed: 52 BestXineMenu.exe events and 12 powershell.exe events in the report)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BestXineMenu.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\wbem\WMIC.exe N/A
(the block of 21 WMIC.exe rows above occurs twice in the report; duplicate block collapsed)
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
(the powershell.exe row above occurs 6 times in the report; identical rows collapsed)
Token: SeShutdownPrivilege N/A C:\Windows\system32\shutdown.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\shutdown.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\System32\PickerHost.exe N/A
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe N/A
N/A N/A C:\Windows\system32\LogonUI.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1992 wrote to memory of 4660 N/A C:\Users\Admin\AppData\Local\Temp\BestXineMenu.exe C:\Users\Admin\AppData\Local\Temp\BestXineMenu.exe
PID 4660 wrote to memory of 3840 N/A C:\Users\Admin\AppData\Local\Temp\BestXineMenu.exe C:\Windows\system32\cmd.exe
PID 3840 wrote to memory of 5448 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\wbem\WMIC.exe
PID 4660 wrote to memory of 5456 N/A C:\Users\Admin\AppData\Local\Temp\BestXineMenu.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4660 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\BestXineMenu.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4660 wrote to memory of 5720 N/A C:\Users\Admin\AppData\Local\Temp\BestXineMenu.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4660 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\BestXineMenu.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4660 wrote to memory of 4644 N/A C:\Users\Admin\AppData\Local\Temp\BestXineMenu.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4660 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\BestXineMenu.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4660 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Local\Temp\BestXineMenu.exe C:\Windows\system32\cmd.exe
PID 4660 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\BestXineMenu.exe C:\Windows\system32\cmd.exe
PID 4972 wrote to memory of 4428 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 5020 wrote to memory of 4456 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\shutdown.exe
(each row above occurs twice in the report; duplicate rows collapsed)

Processes

C:\Users\Admin\AppData\Local\Temp\BestXineMenu.exe

"C:\Users\Admin\AppData\Local\Temp\BestXineMenu.exe"

C:\Users\Admin\AppData\Local\Temp\BestXineMenu.exe

"C:\Users\Admin\AppData\Local\Temp\BestXineMenu.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"

C:\Windows\System32\wbem\WMIC.exe

C:\Windows\System32\wbem\WMIC.exe csproduct get uuid

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(Get-WmiObject -Class Win32_ComputerSystemProduct).UUID"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(Get-WmiObject -Class Win32_BIOS).SerialNumber"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(Get-WmiObject -Class Win32_BaseBoard).SerialNumber"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(Get-WmiObject -Class Win32_Processor).ProcessorId"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(Get-WmiObject -Class Win32_BIOS).OEMStringArray"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(Get-WmiObject -Class Win32_SystemEnclosure).SMBIOSAssetTag"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c shutdown /s /t 15

C:\Windows\system32\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\system32\shutdown.exe

shutdown /s /t 15

C:\Windows\System32\PickerHost.exe

C:\Windows\System32\PickerHost.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x4 /state0:0xa3a22855 /state1:0x41c64e6d

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.ipify.org udp
US 104.26.13.205:443 api.ipify.org tcp
US 208.95.112.1:80 ip-api.com tcp
FR 51.75.242.210:443 api.gofile.io tcp
FR 31.14.70.245:443 store4.gofile.io tcp
US 162.159.138.232:443 discord.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI19922\setuptools\_vendor\importlib_metadata-8.0.0.dist-info\INSTALLER
C:\Users\Admin\AppData\Local\Temp\_MEI19922\python313.dll
C:\Users\Admin\AppData\Local\Temp\_MEI19922\VCRUNTIME140.dll
C:\Users\Admin\AppData\Local\Temp\_MEI19922\base_library.zip
C:\Users\Admin\AppData\Local\Temp\_MEI19922\_ctypes.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI19922\libffi-8.dll
C:\Users\Admin\AppData\Local\Temp\_MEI19922\python3.dll
C:\Users\Admin\AppData\Local\Temp\_MEI19922\_bz2.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI19922\_lzma.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI19922\_wmi.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI19922\_socket.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI19922\select.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI19922\_uuid.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI19922\_tkinter.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI19922\_ssl.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI19922\_sqlite3.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI19922\_queue.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI19922\_overlapped.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI19922\_multiprocessing.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI19922\_hashlib.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI19922\_elementtree.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI19922\_decimal.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI19922\_cffi_backend.cp313-win_amd64.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI19922\_asyncio.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI19922\zlib1.dll
C:\Users\Admin\AppData\Local\Temp\_MEI19922\VCRUNTIME140_1.dll
C:\Users\Admin\AppData\Local\Temp\_MEI19922\unicodedata.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI19922\tk86t.dll
C:\Users\Admin\AppData\Local\Temp\_MEI19922\tcl86t.dll

C:\Users\Admin\AppData\Local\Temp\_MEI19922\sqlite3.dll

MD5 090f55321224c4bb65d9b9d99045ac89
SHA1 e28591421fa4464ed4b31e31f66b6dd6db051c84
SHA256 441363c5b15394ca4b117200800722d48042c04407d03aac0d1a0a967b7c68e4
SHA512 fbe3767f227289cb5e2e3cd81c83e6a75f6344c6d7f507403eab59a8ab0e742edc1289694445c30abd763625b26edb980d04bc30c4d330c88bd7315c31ca2420

C:\Users\Admin\AppData\Local\Temp\_MEI19922\pyexpat.pyd

MD5 4e6de7116d8c1c418080580c9795ac15
SHA1 ba948a3c17e12f113477639702a82e96298d1938
SHA256 554bbc65bfe8c19ba9bbd94f18977a8131109c6a4d64306778bd12250c2c5c56
SHA512 853e5cd9f753145cce9dd22f6e6a6e404fec7f0db322d2db4d7b18e9cfc065503ba4fab4adc33cbf7d1c2dc0d884413f73cbc28c290d5a41ce7f3f610dad99bc

C:\Users\Admin\AppData\Local\Temp\_MEI19922\libssl-3.dll

MD5 8d4805f0651186046c48d3e2356623db
SHA1 18c27c000384418abcf9c88a72f3d55d83beda91
SHA256 007142039f04d04e0ed607bda53de095e5bc6a8a10d26ecedde94ea7d2d7eefe
SHA512 1c4895d912f7085d6e46f6776034c9e3d8d7bf934be858683bf6dedb13abca360ba816d8a5528ec7a3ac6e33010fdb6fc89b2699b5cfeedaabfdd5df143dffd1

C:\Users\Admin\AppData\Local\Temp\_MEI19922\libcrypto-3.dll

MD5 ae5b2e9a3410839b31938f24b6fc5cd8
SHA1 9f9a14efc15c904f408a0d364d55a144427e4949
SHA256 ccfffddcd3defb8d899026298af9af43bc186130f8483d77e97c93233d5f27d7
SHA512 36ea760a7b56ea74174882155eddfb8726828240fcfc6b34d90ecdb7e50a7e632374dcbc9b2889081c0973cc51f50967e7d692498c4abd1f2cba3f7fe8d659cc

C:\Users\Admin\AppData\Local\Temp\_MEI19922\PyQt5\QtCore.pyd

MD5 678fa1496ffdea3a530fa146dedcdbcc
SHA1 c80d8f1de8ae06ecf5750c83d879d2dcc2d6a4f8
SHA256 d6e45fd8c3b3f93f52c4d1b6f9e3ee220454a73f80f65f3d70504bd55415ea37
SHA512 8d9e3fa49fb42f844d8df241786ea9c0f55e546d373ff07e8c89aac4f3027c62ec1bd0c9c639afeabc034cc39e424b21da55a1609c9f95397a66d5f0d834e88e

C:\Users\Admin\AppData\Local\Temp\_MEI19922\PyQt5\sip.cp313-win_amd64.pyd

MD5 c1ee7b155ad3fc4c7cc29999671ec2b9
SHA1 25b7ede05a8c8904ac333a96e1e95766d1d1c5ba
SHA256 e63580748533698abdafaff1210f5bb0247b36ee987d0180076eaaa46245c0d2
SHA512 1e8f882403cf944b635049f7f7dbbd68353d62c06320f0aac0cb2cbc84568f6fadf849c447f9e41cc10dd61bd6cbd7cf7eafe516a955f20ce6a09d1992b2ce85

C:\Users\Admin\AppData\Local\Temp\_MEI19922\PyQt5\Qt5\bin\VCRUNTIME140_1.dll

MD5 6bc084255a5e9eb8df2bcd75b4cd0777
SHA1 cf071ad4e512cd934028f005cabe06384a3954b6
SHA256 1f0f5f2ce671e0f68cf96176721df0e5e6f527c8ca9cfa98aa875b5a3816d460
SHA512 b822538494d13bda947655af791fed4daa811f20c4b63a45246c8f3befa3ec37ff1aa79246c89174fe35d76ffb636fa228afa4bda0bd6d2c41d01228b151fd89

C:\Users\Admin\AppData\Local\Temp\_MEI19922\PyQt5\Qt5\bin\MSVCP140_1.dll

MD5 0fe6d52eb94c848fe258dc0ec9ff4c11
SHA1 95cc74c64ab80785f3893d61a73b8a958d24da29
SHA256 446c48c1224c289bd3080087fe15d6759416d64f4136addf30086abd5415d83f
SHA512 c39a134210e314627b0f2072f4ffc9b2ce060d44d3365d11d8c1fe908b3b9403ebdd6f33e67d556bd052338d0ed3d5f16b54d628e8290fd3a155f55d36019a86

memory/4660-1254-0x00007FFFD02C0000-0x00007FFFD0523000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI19922\PyQt5\Qt5\bin\MSVCP140.dll

MD5 01b946a2edc5cc166de018dbb754b69c
SHA1 dbe09b7b9ab2d1a61ef63395111d2eb9b04f0a46
SHA256 88f55d86b50b0a7e55e71ad2d8f7552146ba26e927230daf2e26ad3a971973c5
SHA512 65dc3f32faf30e62dfdecb72775df870af4c3a32a0bf576ed1aaae4b16ac6897b62b19e01dc2bf46f46fbe3f475c061f79cbe987eda583fee1817070779860e5

C:\Users\Admin\AppData\Local\Temp\_MEI19922\PyQt5\Qt5\bin\Qt5Core.dll

MD5 817520432a42efa345b2d97f5c24510e
SHA1 fea7b9c61569d7e76af5effd726b7ff6147961e5
SHA256 8d2ff4ce9096ddccc4f4cd62c2e41fc854cfd1b0d6e8d296645a7f5fd4ae565a
SHA512 8673b26ec5421fce8e23adf720de5690673bb4ce6116cb44ebcc61bbbef12c0ad286dfd675edbed5d8d000efd7609c81aae4533180cf4ec9cd5316e7028f7441

C:\Users\Admin\AppData\Local\Temp\_MEI19922\setuptools\_vendor\jaraco\text\Lorem ipsum.txt

MD5 4ce7501f6608f6ce4011d627979e1ae4
SHA1 78363672264d9cd3f72d5c1d3665e1657b1a5071
SHA256 37fedcffbf73c4eb9f058f47677cb33203a436ff9390e4d38a8e01c9dad28e0b
SHA512 a4cdf92725e1d740758da4dd28df5d1131f70cef46946b173fe6956cc0341f019d7c4fecc3c9605f354e1308858721dada825b4c19f59c5ad1ce01ab84c46b24

C:\Users\Admin\AppData\Local\Temp\_MEI19922\psutil\_psutil_windows.pyd

MD5 d30149d319efcaecf0a5c5e71ef6cb39
SHA1 99beeb17bfc69e8370036f9457edb4d6812b22e2
SHA256 9c7fc855d9d1614e70705c7dcc6f4ac3cdcab5adfeb6a67d382f5ade09eadc15
SHA512 b6fb265f0efed56fdd3455ed620e1fb581d40d2b23b92544cccbf331e30dc29592c4297e3faaf437a9d1a33099e0b48d5b2344943fb7b581a448f6c5806acec6

memory/5456-1273-0x000001EF541A0000-0x000001EF541C2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vlkyea31.3hd.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 446dd1cf97eaba21cf14d03aebc79f27
SHA1 36e4cc7367e0c7b40f4a8ace272941ea46373799
SHA256 a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf
SHA512 a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

MD5 42117cf9dc703d7046a487ca11117234
SHA1 7c19d1fb746ecf4d16ea6bce400b43d7e12079b5
SHA256 43def1e91ad56207e9343f800a88b83d8321830b298c510212f43a5cdda6fb15
SHA512 427d98bc7f2c156b56f81e2649c61d3489f6f24dbc314d688b38feb7ce434f30edcae43177169e7c3d4042350f8141dd2d9efc1869d2a7a75a291725a00b3c04

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

MD5 8f2e825169f462aab4c2ee951275923d
SHA1 0e9479aa9e134e2a546f8a700ac674aa919b8e8c
SHA256 10f348dcf03e25644fc4180671829a85aae1feab9d4c49656646ebf91ff18ebb
SHA512 09d25be88fb6ff2a4c5385cfb8d52bc71bd06d735946c9db91b6f379105e3920d1f5d4782203dc491a3e936ed9980a1862c709d38e002d82572279566d3e9863

Analysis: behavioral3

Detonation Overview

Submitted

2025-07-04 18:17

Reported

2025-07-04 18:21

Platform

win10v2004-20250619-en

Max time kernel

104s

Max time network

136s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\BestXineMenu.pyc

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Opens file in notepad (likely ransom note)

ransomware

Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2084 wrote to memory of 5064 N/A C:\Windows\system32\OpenWith.exe C:\Windows\system32\NOTEPAD.EXE

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\BestXineMenu.pyc

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\BestXineMenu.pyc

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
GB 2.18.27.82:443 www.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2025-07-04 18:17

Reported

2025-07-04 18:21

Platform

win11-20250619-en

Max time kernel

101s

Max time network

105s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\BestXineMenu.pyc

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1418876453-2228697459-2788511057-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1418876453-2228697459-2788511057-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\BestXineMenu.pyc

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-07-04 18:17

Reported

2025-07-04 18:19

Platform

win10v2004-20250610-en

Max time kernel

32s

Max time network

36s

Command Line

"C:\Users\Admin\AppData\Local\Temp\BestXineMenu.exe"

Signatures

Disables Task Manager via registry modification

defense_evasion

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\BestXineMenu.exe N/A

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A api.gofile.io N/A N/A
N/A api.gofile.io N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A ip-api.com N/A N/A
N/A api.ipify.org N/A N/A

Browser Information Discovery

discovery

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "116" C:\Windows\system32\LogonUI.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" C:\Windows\system32\LogonUI.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3001560346-2020497773-4190896137-1000\{4458691F-EC78-4D0A-B7A7-5E3DCE93C697} C:\Users\Admin\AppData\Local\Temp\BestXineMenu.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\BestXineMenu.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BestXineMenu.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BestXineMenu.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\shutdown.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\shutdown.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\LogonUI.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4380 wrote to memory of 3484 N/A C:\Users\Admin\AppData\Local\Temp\BestXineMenu.exe C:\Users\Admin\AppData\Local\Temp\BestXineMenu.exe
PID 3484 wrote to memory of 4740 N/A C:\Users\Admin\AppData\Local\Temp\BestXineMenu.exe C:\Windows\system32\cmd.exe
PID 4740 wrote to memory of 4968 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\wbem\WMIC.exe
PID 3484 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\BestXineMenu.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3484 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\BestXineMenu.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3484 wrote to memory of 5608 N/A C:\Users\Admin\AppData\Local\Temp\BestXineMenu.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3484 wrote to memory of 4336 N/A C:\Users\Admin\AppData\Local\Temp\BestXineMenu.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3484 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\BestXineMenu.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3484 wrote to memory of 4872 N/A C:\Users\Admin\AppData\Local\Temp\BestXineMenu.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3484 wrote to memory of 4648 N/A C:\Users\Admin\AppData\Local\Temp\BestXineMenu.exe C:\Windows\system32\cmd.exe
PID 3484 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\BestXineMenu.exe C:\Windows\system32\cmd.exe
PID 4648 wrote to memory of 5160 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4704 wrote to memory of 4900 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\shutdown.exe

Processes

C:\Users\Admin\AppData\Local\Temp\BestXineMenu.exe

"C:\Users\Admin\AppData\Local\Temp\BestXineMenu.exe"

C:\Users\Admin\AppData\Local\Temp\BestXineMenu.exe

"C:\Users\Admin\AppData\Local\Temp\BestXineMenu.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"

C:\Windows\System32\wbem\WMIC.exe

C:\Windows\System32\wbem\WMIC.exe csproduct get uuid

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(Get-WmiObject -Class Win32_ComputerSystemProduct).UUID"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(Get-WmiObject -Class Win32_BIOS).SerialNumber"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(Get-WmiObject -Class Win32_BaseBoard).SerialNumber"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(Get-WmiObject -Class Win32_Processor).ProcessorId"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(Get-WmiObject -Class Win32_BIOS).OEMStringArray"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(Get-WmiObject -Class Win32_SystemEnclosure).SMBIOSAssetTag"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c shutdown /s /t 15

C:\Windows\system32\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\system32\shutdown.exe

shutdown /s /t 15

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x4 /state0:0xa3904855 /state1:0x41c64e6d

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
GB 2.18.27.82:443 www.bing.com tcp
US 8.8.8.8:53 api.ipify.org udp
US 172.67.74.152:443 api.ipify.org tcp
US 8.8.8.8:53 redtiger.shop udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 api.gofile.io udp
FR 45.112.123.126:443 api.gofile.io tcp
US 8.8.8.8:53 store4.gofile.io udp
FR 31.14.70.245:443 store4.gofile.io tcp
US 8.8.8.8:53 discord.com udp
US 162.159.138.232:443 discord.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI43802\setuptools\_vendor\importlib_metadata-8.0.0.dist-info\INSTALLER

MD5 365c9bfeb7d89244f2ce01c1de44cb85
SHA1 d7a03141d5d6b1e88b6b59ef08b6681df212c599
SHA256 ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508
SHA512 d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

C:\Users\Admin\AppData\Local\Temp\_MEI43802\python313.dll

MD5 7387fe038ea75eb9a57b054fccfe37bf
SHA1 5c532cbdfd718b5e80afb2ee8dea991e84757712
SHA256 69fd86ea29370697c203f7e12830084f920f490766a8e3045af52c036a9ad529
SHA512 c46c982b04079ed0b13617b81168598632d6c58d29e23fcbfa064b08e5836866b74880e1a9c01c12670531f13521a21177aafb10be0abb329a79291d7bff08bd

C:\Users\Admin\AppData\Local\Temp\_MEI43802\VCRUNTIME140.dll

MD5 32da96115c9d783a0769312c0482a62d
SHA1 2ea840a5faa87a2fe8d7e5cb4367f2418077d66b
SHA256 052ad6a20d375957e82aa6a3c441ea548d89be0981516ca7eb306e063d5027f4
SHA512 616c78b4a24761d4640ae2377b873f7779322ef7bc26f8de7da0d880b227c577ed6f5ed794fc733468477b2fcdb7916def250e5dc63e79257616f99768419087

C:\Users\Admin\AppData\Local\Temp\_MEI43802\base_library.zip

MD5 f2ea5aa1dfd6f0ec3c62b32623a14bac
SHA1 bbc603e925c1f071661c81ae85124a8a220df1eb
SHA256 042acda399bb72a87dc7d37ce63d04470f6cb7d561e1f539f3be09fc9dd772ac
SHA512 cd371cb282f9be0cadfec1d317c6e9d7720844d84ecb6254ab62e0b42df438b8e264bc4929f2b45fa8784a08378861cf7b81566c3f4061056d4de58ac39efccf

C:\Users\Admin\AppData\Local\Temp\_MEI43802\python3.dll

MD5 d6dfb6a9518a57e180980f7a07098d7d
SHA1 6026120461f5cbcd9255670b6a906fd8f5329073
SHA256 fdd54b6c495e9278e73d68203fff0c300e416e704852908cf5b06666cffead51
SHA512 2a0195a5038d7530b64a506a70de3a6b9cb64ca9206006e03f726b4420304e3a76c10fdda12c8a51f4dbd63e7112fd7e7727a4ab94e7a111587e4248a6b26a62

C:\Users\Admin\AppData\Local\Temp\_MEI43802\_ctypes.pyd

MD5 29873384e13b0a78ee9857604161514b
SHA1 110f60f74b06b3972acd5908937a40e078636479
SHA256 5c0d5082fba1a2a3eb8d5e23073be25164c19f21304b09cecaab340dc7198815
SHA512 ca826ff5403700e6d8822634e364e43b14ef829095d8fe365b49731236f696fe86ffa3853cd1801dc3b7800d005a032fe23bbc25befe3952ef37790d56dee3c5

C:\Users\Admin\AppData\Local\Temp\_MEI43802\_wmi.pyd

MD5 47e6fd132f44a4feb595bd0fda3c4e1c
SHA1 37c6c2c1ff309db7273afc9324a37b716c5cbfdb
SHA256 ebd252d21af9c84128fca04c994093a5bd6ee857f1581f06f4026fdd6a2c40e0
SHA512 69c031d4ff2dac70739f9c188fca3c6969304f22782adf5a9c0ca303a3a712630541bda888ef25d3252b46d43df56f6e7e03c83d331840088c4224d1a1a512c4

C:\Users\Admin\AppData\Local\Temp\_MEI43802\select.pyd

MD5 715a098175d3ca1c1da2dc5756b31860
SHA1 6b3ec06d679c48bfe4391535a822b58a02d79026
SHA256 6393121130a3e85d0f6562948024d8614c4c144b84ab102af711c638344d1599
SHA512 e92edb98427f594badec592493469d45deab3b71e4598d544d0b9a1acffd5327a19c09029fb79d70971cb0ed0dba56056bef8455534d3f16ec35eac723062f3c

C:\Users\Admin\AppData\Local\Temp\_MEI43802\_socket.pyd

MD5 566cb4d39b700c19dbd7175bd4f2b649
SHA1 bede896259b6d52d538c2182aef87c334fc9c73c
SHA256 bced17d6f081d81ea7cd92f1e071e38f8840e61ee0fe1524221b776bcfa78650
SHA512 6a26fd59e2c2ec34b673ef257a00d5577f52286d78525d05efc8a88760fb575be65c3e94e83396f4978c8734b513afe7f09d3c49474169144f98add406530367

C:\Users\Admin\AppData\Local\Temp\_MEI43802\pyexpat.pyd

MD5 4e6de7116d8c1c418080580c9795ac15
SHA1 ba948a3c17e12f113477639702a82e96298d1938
SHA256 554bbc65bfe8c19ba9bbd94f18977a8131109c6a4d64306778bd12250c2c5c56
SHA512 853e5cd9f753145cce9dd22f6e6a6e404fec7f0db322d2db4d7b18e9cfc065503ba4fab4adc33cbf7d1c2dc0d884413f73cbc28c290d5a41ce7f3f610dad99bc

C:\Users\Admin\AppData\Local\Temp\_MEI43802\setuptools\_vendor\jaraco\text\Lorem ipsum.txt

MD5 4ce7501f6608f6ce4011d627979e1ae4
SHA1 78363672264d9cd3f72d5c1d3665e1657b1a5071
SHA256 37fedcffbf73c4eb9f058f47677cb33203a436ff9390e4d38a8e01c9dad28e0b
SHA512 a4cdf92725e1d740758da4dd28df5d1131f70cef46946b173fe6956cc0341f019d7c4fecc3c9605f354e1308858721dada825b4c19f59c5ad1ce01ab84c46b24

C:\Users\Admin\AppData\Local\Temp\_MEI43802\libssl-3.dll

MD5 8d4805f0651186046c48d3e2356623db
SHA1 18c27c000384418abcf9c88a72f3d55d83beda91
SHA256 007142039f04d04e0ed607bda53de095e5bc6a8a10d26ecedde94ea7d2d7eefe
SHA512 1c4895d912f7085d6e46f6776034c9e3d8d7bf934be858683bf6dedb13abca360ba816d8a5528ec7a3ac6e33010fdb6fc89b2699b5cfeedaabfdd5df143dffd1

C:\Users\Admin\AppData\Local\Temp\_MEI43802\_ssl.pyd

MD5 689f1abac772c9e4c2d3bad3758cb398
SHA1 fe829e05d9f7838d1426f6d4a2f97165c09fd0f7
SHA256 3301ff340d26495c95108199b67fdf3402742d13070af8b6bf4eb2e0c5e13781
SHA512 949404a76c731a92074b37ec0bba88d873e56327b335b6c300eff68c2b142e194b58df59158b9bb92a5984c768b474f5db5f80f6b610f6cca78763604041bd82

C:\Users\Admin\AppData\Local\Temp\_MEI43802\libcrypto-3.dll

MD5 ae5b2e9a3410839b31938f24b6fc5cd8
SHA1 9f9a14efc15c904f408a0d364d55a144427e4949
SHA256 ccfffddcd3defb8d899026298af9af43bc186130f8483d77e97c93233d5f27d7
SHA512 36ea760a7b56ea74174882155eddfb8726828240fcfc6b34d90ecdb7e50a7e632374dcbc9b2889081c0973cc51f50967e7d692498c4abd1f2cba3f7fe8d659cc

C:\Users\Admin\AppData\Local\Temp\_MEI43802\_hashlib.pyd

MD5 3e540ef568215561590df215801b0f59
SHA1 3b6db31a97115c10c33266cce8ff80463763c7e6
SHA256 52f29aebe9886e830dedc363cd64eb53b6830d84b26e14f1b6faa655a0900b5d
SHA512 21497a4d1d999a420ed0e146544f4149c72ad4aca4b869a0ee83267d92afa07609ece76a4e95ec706a21580d6544146d0a58c0baa01aa2c242474a4816108527

C:\Users\Admin\AppData\Local\Temp\_MEI43802\_queue.pyd

MD5 cc0f4a77ccfe39efc8019fa8b74c06d0
SHA1 77a713cd5880d5254dd0d1cbfe0d6a45dfc869ce
SHA256 af8ac8ab8b39f53b5dc192fbf58ad704a709db34e69753b97b83d087202e3a36
SHA512 ffea0bd7f73b6c02df6ff37ef39b8e54e480a4cc734fb149adc5c7410f445effd1fdd4f24e4619f7158913a50c28cc73629524d1a7389101a75257d5652c7823

C:\Users\Admin\AppData\Local\Temp\_MEI43802\PyQt5\sip.cp313-win_amd64.pyd

MD5 c1ee7b155ad3fc4c7cc29999671ec2b9
SHA1 25b7ede05a8c8904ac333a96e1e95766d1d1c5ba
SHA256 e63580748533698abdafaff1210f5bb0247b36ee987d0180076eaaa46245c0d2
SHA512 1e8f882403cf944b635049f7f7dbbd68353d62c06320f0aac0cb2cbc84568f6fadf849c447f9e41cc10dd61bd6cbd7cf7eafe516a955f20ce6a09d1992b2ce85

C:\Users\Admin\AppData\Local\Temp\_MEI43802\PyQt5\Qt5\bin\VCRUNTIME140_1.dll

MD5 6bc084255a5e9eb8df2bcd75b4cd0777
SHA1 cf071ad4e512cd934028f005cabe06384a3954b6
SHA256 1f0f5f2ce671e0f68cf96176721df0e5e6f527c8ca9cfa98aa875b5a3816d460
SHA512 b822538494d13bda947655af791fed4daa811f20c4b63a45246c8f3befa3ec37ff1aa79246c89174fe35d76ffb636fa228afa4bda0bd6d2c41d01228b151fd89

C:\Users\Admin\AppData\Local\Temp\_MEI43802\PyQt5\Qt5\bin\MSVCP140_1.dll

MD5 0fe6d52eb94c848fe258dc0ec9ff4c11
SHA1 95cc74c64ab80785f3893d61a73b8a958d24da29
SHA256 446c48c1224c289bd3080087fe15d6759416d64f4136addf30086abd5415d83f
SHA512 c39a134210e314627b0f2072f4ffc9b2ce060d44d3365d11d8c1fe908b3b9403ebdd6f33e67d556bd052338d0ed3d5f16b54d628e8290fd3a155f55d36019a86

C:\Users\Admin\AppData\Local\Temp\_MEI43802\PyQt5\Qt5\bin\MSVCP140.dll

MD5 01b946a2edc5cc166de018dbb754b69c
SHA1 dbe09b7b9ab2d1a61ef63395111d2eb9b04f0a46
SHA256 88f55d86b50b0a7e55e71ad2d8f7552146ba26e927230daf2e26ad3a971973c5
SHA512 65dc3f32faf30e62dfdecb72775df870af4c3a32a0bf576ed1aaae4b16ac6897b62b19e01dc2bf46f46fbe3f475c061f79cbe987eda583fee1817070779860e5

memory/3484-1254-0x00007FFD8CF10000-0x00007FFD8D173000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI43802\PyQt5\Qt5\bin\Qt5Core.dll

MD5 817520432a42efa345b2d97f5c24510e
SHA1 fea7b9c61569d7e76af5effd726b7ff6147961e5
SHA256 8d2ff4ce9096ddccc4f4cd62c2e41fc854cfd1b0d6e8d296645a7f5fd4ae565a
SHA512 8673b26ec5421fce8e23adf720de5690673bb4ce6116cb44ebcc61bbbef12c0ad286dfd675edbed5d8d000efd7609c81aae4533180cf4ec9cd5316e7028f7441

C:\Users\Admin\AppData\Local\Temp\_MEI43802\PyQt5\QtCore.pyd

MD5 678fa1496ffdea3a530fa146dedcdbcc
SHA1 c80d8f1de8ae06ecf5750c83d879d2dcc2d6a4f8
SHA256 d6e45fd8c3b3f93f52c4d1b6f9e3ee220454a73f80f65f3d70504bd55415ea37
SHA512 8d9e3fa49fb42f844d8df241786ea9c0f55e546d373ff07e8c89aac4f3027c62ec1bd0c9c639afeabc034cc39e424b21da55a1609c9f95397a66d5f0d834e88e

C:\Users\Admin\AppData\Local\Temp\_MEI43802\_uuid.pyd

MD5 93730cb349b216114b444cc9e30932ca
SHA1 689e63330f48877478d428f0e410ac7d69e7150a
SHA256 17c7856bda73348ca541d01ba4881e4b327b15fb3d2cb90a92ca2bf0e6c4bafe
SHA512 ab312a908256d55cf883e90501dcf88175cc145207d2da4e3cc8470e7fa3afdcfd889f0b5c4488ace6ca3b1f7bba943f2156e839eda80981ff592123c5777c34

C:\Users\Admin\AppData\Local\Temp\_MEI43802\_tkinter.pyd

MD5 c7ff6d22c46a2c9ca5f9f76ceaac1bf1
SHA1 4c72cf5cb745c3f14d342b6143b66e1603a2d886
SHA256 7d163581822bdcdb94cee24115c37a511cb6bd880b007fc7e5cc5099fac58506
SHA512 7b52884f7c2360c1c1995d4a3ffac87f53324d3fc36b4246804a45f744a33912fbb93648cbe63e166029c1882fa790fc4718c486e7f356e36ce3b392e9497f47

C:\Users\Admin\AppData\Local\Temp\_MEI43802\_sqlite3.pyd

MD5 4541a93562390ae4e3611df24776fe20
SHA1 791a32bdcca11d51d586a2407ee309a9def2286c
SHA256 8cba8b163393162e4a689d44488410d43b1d1b0a907499d0f01dbccf9c4ac10e
SHA512 6cd46e48b2e0fe9440eaf8cb6ea7e61be6203f02be8910f8e4fc6338df485f856a95907579d69f3f6054d6383b914f6a459cd92cdcc91d1718764048224fd0be

C:\Users\Admin\AppData\Local\Temp\_MEI43802\_overlapped.pyd

MD5 363409fbacb1867f2ce45e3c6922ddb4
SHA1 045b1b90886f4b25d326ea3409a5f79570eae4b2
SHA256 7983f811ccd9c99c6db34b653339605ea45eb384f5e88a8b23ccf9fa5f0170d9
SHA512 c89288dd76821a18e18ce3e67f01b1a9f6a55751832aa1a4b44882f2115474ca131f95f3545adb9c2d8ecaf3269837126135395c719581a7493affaa96ea0dfe

C:\Users\Admin\AppData\Local\Temp\_MEI43802\_multiprocessing.pyd

MD5 807dd90be59ea971dac06f3aab4f2a7e
SHA1 c4bea9db94127ef30e929b395d38175dc74e4dc0
SHA256 82253e2d6ec717b317e26ed7dd141aadaea6cb55a9d0fee022a67d52b404fd06
SHA512 61b9cf8ac06506002d273b59e2fb66ad96751b10d10faff9128749538867d45d561c1cf8dcb8e787ca6afdc8a1d504cb7012135dfe3a1f3d1fc0b107e4e1a8f9

C:\Users\Admin\AppData\Local\Temp\_MEI43802\_elementtree.pyd

MD5 ac10151b412bfb22ba9725bc9613c49e
SHA1 4152c799c6faa2a1606d40e1b9089e67efaec951
SHA256 fe09d0408aab3a6faa71467f78433df4c7f3ad0b033bb72ec43bde85abf6dcfb
SHA512 bf0641606c45285c3f18454e8f855d12963f51d910f20419b76405cc80530c38e17a791c580a9db6d171a5e1b9999a6dea661e22a62360d804183f9c0210a107

C:\Users\Admin\AppData\Local\Temp\_MEI43802\_decimal.pyd

MD5 21fcb8e3d4310346a5dc1a216e7e23ca
SHA1 aab11aef9075715733e0fcde9668c6a51654b9e1
SHA256 4e27c06b84401039d10f800a0f06446b58508784ee366c7c8324d8fe9794e1a5
SHA512 c064550d1723e92512a42ce367ecef9331a81121305d66199abce6e0977152d927f7223f475e22c67e3f64b0f612c5553f112d8ce653c666a98d1980d200a599

C:\Users\Admin\AppData\Local\Temp\_MEI43802\_cffi_backend.cp313-win_amd64.pyd

MD5 5cba92e7c00d09a55f5cbadc8d16cd26
SHA1 0300c6b62cd9db98562fdd3de32096ab194da4c8
SHA256 0e3d149b91fc7dc3367ab94620a5e13af6e419f423b31d4800c381468cb8ad85
SHA512 7ab432c8774a10f04ddd061b57d07eba96481b5bb8c663c6ade500d224c6061bc15d17c74da20a7c3cec8bbf6453404d553ebab22d37d67f9b163d7a15cf1ded

C:\Users\Admin\AppData\Local\Temp\_MEI43802\_asyncio.pyd

MD5 56f958eebbc62305b4bf690d61c78e28
SHA1 68d1a227f8bef856469523364e37ae76b968162a
SHA256 a5341a74bbec1ddc807c0236fcb6bfaceaf3b957eb69cdd9bca00657eb5e42b6
SHA512 91b2a31835a5a0610856df1851c7bb1dea48a6740c63bd037971473706197e81e9904eaa6042a84fc15aa6aa74ac226463b67e2fa8370cbb8b0c987fed777169

C:\Users\Admin\AppData\Local\Temp\_MEI43802\zlib1.dll

MD5 ef398b5b1b901ce824c16c0af5b1d6f9
SHA1 ee6ab2f7f8aef41c3886a818418f86bca764c4d6
SHA256 f687e5dd99faab1023d036f09ef8ba3c09bd3464c8ced523341780e301bdf6a8
SHA512 7ed4666a21153adb44d3f34f868d590f66ab0d917746b31684c84a600c48fcafdc69d7bd6535b4c9e4400e614ee6e2e9e3ee59021dcef5e7340b73f3ae2ac831

C:\Users\Admin\AppData\Local\Temp\_MEI43802\VCRUNTIME140_1.dll

MD5 c0c0b4c611561f94798b62eb43097722
SHA1 523f515eed3af6d50e57a3eaeb906f4ccc1865fe
SHA256 6a99bc0128e0c7d6cbbf615fcc26909565e17d4ca3451b97f8987f9c6acbc6c8
SHA512 35db454dbcc7ed89842c0440b92ce0b0b0db41dbd5432a36a0b7e1eddf51704b1f0d6cff5e3a3b0c3ff5db3d8632fed000471180ad72e39d8dbe68a757ccdfb0

C:\Users\Admin\AppData\Local\Temp\_MEI43802\unicodedata.pyd

MD5 503b3ffa6a5bf45ab34d6d74352f206b
SHA1 cc13b85281e5d52413784e0b65a61b1d037c60cc
SHA256 071494856fdad0042964769aa2fb1de4ea95c2cfcbe27cc7132293c68d13d710
SHA512 d20b860974161caa60a62268968af353ad8063589f57d71f57c91855eb83da78f40bae7aa745cc7a945d92ebe08cf244c9560ae93449de45b20a8b8fff9f5010

C:\Users\Admin\AppData\Local\Temp\_MEI43802\tk86t.dll

MD5 c644577350785b9a8e56c83bc7fe4a5a
SHA1 5fa4e6ec3b0d156c620971e14da30d1633263cf2
SHA256 ddc6b69c3897ddf3ea9fdfb4b4a6b9c3a667958d4dbf6b4bbcc50c93eb341370
SHA512 f96f9fa3673d5cbf1ed64092ef8d2433d47c1d48cb24c9087e5fd796c37a1546a61c8ed6760dc5e6739038e4336077544c522d00dd2c3fcf4f16205b6fc1d3b8

C:\Users\Admin\AppData\Local\Temp\_MEI43802\tcl86t.dll

MD5 3fba04c93cc59c04321970d123fd009c
SHA1 e39ef4bb5b9d795e33793523447cad9cc476c362
SHA256 137972bf582984df7ffe8983fa66d92dba6cc5887fe6784ffe1165bab57304b0
SHA512 67b2ae06c3610ade78a7f470113acdb787010cfc2628d9b3fcb487761c6b4533883cdb46f16223ea943a5410df4a79ce96b047bce17aa8fb67bb3fa779b86072

C:\Users\Admin\AppData\Local\Temp\_MEI43802\sqlite3.dll

MD5 090f55321224c4bb65d9b9d99045ac89
SHA1 e28591421fa4464ed4b31e31f66b6dd6db051c84
SHA256 441363c5b15394ca4b117200800722d48042c04407d03aac0d1a0a967b7c68e4
SHA512 fbe3767f227289cb5e2e3cd81c83e6a75f6344c6d7f507403eab59a8ab0e742edc1289694445c30abd763625b26edb980d04bc30c4d330c88bd7315c31ca2420

C:\Users\Admin\AppData\Local\Temp\_MEI43802\_lzma.pyd

MD5 d63e2e743ea103626d33b3c1d882f419
SHA1 af8a162b43f99b943d1c87c9a9e8088816263373
SHA256 48f16b587c6faa44a9e073365b19599200b0f0a0ccb70121e76c2dac4ed53281
SHA512 d3f1450b5def3c21f47c5133073e76d2ec05787eb6ae88bb70d3a34be84f6025540ac017e9415bb22ef36c2ffbfcea38a28842eefe366325f3d3cf2cca1a3cb1

C:\Users\Admin\AppData\Local\Temp\_MEI43802\_bz2.pyd

MD5 684d656aada9f7d74f5a5bdcf16d0edb
SHA1 f7586da90d101b5ee3fa24f131ee93ab89606919
SHA256 449058efc99fccb9e24d640084d845c78f3f86dd34c5c126cf69e523d6320d75
SHA512 27fb2eca382675316fb96d18a1aa6b2792077481bf899cbcc658d71f787876045c05c98abf129c9670b6a1d2654d57f59e17580139fa7f482ec27234e44d4235

C:\Users\Admin\AppData\Local\Temp\_MEI43802\libffi-8.dll

MD5 0f8e4992ca92baaf54cc0b43aaccce21
SHA1 c7300975df267b1d6adcbac0ac93fd7b1ab49bd2
SHA256 eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a
SHA512 6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

C:\Users\Admin\AppData\Local\Temp\_MEI43802\psutil\_psutil_windows.pyd

MD5 d30149d319efcaecf0a5c5e71ef6cb39
SHA1 99beeb17bfc69e8370036f9457edb4d6812b22e2
SHA256 9c7fc855d9d1614e70705c7dcc6f4ac3cdcab5adfeb6a67d382f5ade09eadc15
SHA512 b6fb265f0efed56fdd3455ed620e1fb581d40d2b23b92544cccbf331e30dc29592c4297e3faaf437a9d1a33099e0b48d5b2344943fb7b581a448f6c5806acec6

memory/1236-1278-0x000002B4FC490000-0x000002B4FC4B2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zqenn12v.uab.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 446dd1cf97eaba21cf14d03aebc79f27
SHA1 36e4cc7367e0c7b40f4a8ace272941ea46373799
SHA256 a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf
SHA512 a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7