feae9fee56e3e88af695d437dd817395e9b1eb8c5fba0d287ce88cb96597d67a

Analysis

max time kernel
657s
max time network
1493s
platform
windows11_x64
resource
win11
submitted
29-10-2021 20:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

chrome.exe
Size

712.9MB
MD5

551ea245f2fd84442ba030dfdd736504
SHA1

4fa2298fd34c148594e725dc4dfd8d008257b283
SHA256

feae9fee56e3e88af695d437dd817395e9b1eb8c5fba0d287ce88cb96597d67a
SHA512

4b27d81d5258fb595693d7238c3e42acb759bb944db555a4c8a4d772134104a1666f83f7a9943decb7de4359774ea83f27f7b460e8b9ceabdad8b2f71ec1902b

Score

8^/10

persistence upx

Malware Config

Signatures

Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

UPX packed file 57 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\_MEI7842\python39.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI7842\python39.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI7842\libffi-7.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI7842\libffi-7.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI7842\_ctypes.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI7842\_ctypes.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI7842\tinyaes.cp39-win_amd64.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI7842\tinyaes.cp39-win_amd64.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI7842\_socket.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI7842\_socket.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI7842\select.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI7842\select.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI7842\_bz2.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI7842\_bz2.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI7842\_lzma.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI7842\_lzma.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI7842\pyexpat.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI7842\pyexpat.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI7842\win32api.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI7842\pywintypes39.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI7842\pywintypes39.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI7842\win32api.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI7842\pythoncom39.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI7842\pythoncom39.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI7842\_ssl.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI7842\_ssl.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI7842\libssl-1_1.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI7842\libssl-1_1.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI7842\libcrypto-1_1.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI7842\libcrypto-1_1.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI7842\_queue.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI7842\_queue.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI7842\win32gui.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI7842\win32gui.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI7842\win32ui.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI7842\win32ui.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI7842\numpy\core\_multiarray_umath.cp39-win_amd64.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI7842\libopenblas.WCDJNK7YVMPZQ2ME2ZZHJJRJ3JIKNDB7.gfortran-win_amd64.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI7842\libopenblas.WCDJNK7YVMPZQ2ME2ZZHJJRJ3JIKNDB7.gfortran-win_amd64.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI7842\numpy\core\_multiarray_umath.cp39-win_amd64.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI7842\numpy\core\_multiarray_tests.cp39-win_amd64.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI7842\numpy\core\_multiarray_tests.cp39-win_amd64.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI7842\numpy\linalg\_umath_linalg.cp39-win_amd64.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI7842\numpy\linalg\_umath_linalg.cp39-win_amd64.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI7842\numpy\linalg\lapack_lite.cp39-win_amd64.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI7842\numpy\linalg\lapack_lite.cp39-win_amd64.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI7842\_decimal.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI7842\_decimal.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI7842\numpy\random\mtrand.cp39-win_amd64.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI7842\numpy\random\mtrand.cp39-win_amd64.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI7842\numpy\random\bit_generator.cp39-win_amd64.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI7842\numpy\random\bit_generator.cp39-win_amd64.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI7842\numpy\fft\_pocketfft_internal.cp39-win_amd64.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI7842\numpy\fft\_pocketfft_internal.cp39-win_amd64.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI7842\_hashlib.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI7842\numpy\random\_common.cp39-win_amd64.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI7842\numpy\random\_common.cp39-win_amd64.pyd	upx

Loads dropped DLL 64 IoCs

Processes:

chrome.exe

pid	process
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe

Drops file in Windows directory 8 IoCs

Processes:

TiWorker.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\pending.xml	TiWorker.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

sihclient.exeWaaSMedicAgent.exesvchost.exeWaaSMedicAgent.exeWaaSMedicAgent.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	WaaSMedicAgent.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

chrome.exe

pid process

3664 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

svchost.exesvchost.exeTiWorker.exe

description	pid	process
Token: SeShutdownPrivilege	2864	svchost.exe
Token: SeCreatePagefilePrivilege	2864	svchost.exe
Token: SeShutdownPrivilege	2864	svchost.exe
Token: SeCreatePagefilePrivilege	2864	svchost.exe
Token: SeShutdownPrivilege	2864	svchost.exe
Token: SeCreatePagefilePrivilege	2864	svchost.exe
Token: SeShutdownPrivilege	3568	svchost.exe
Token: SeCreatePagefilePrivilege	3568	svchost.exe
Token: SeSecurityPrivilege	4748	TiWorker.exe
Token: SeRestorePrivilege	4748	TiWorker.exe
Token: SeBackupPrivilege	4748	TiWorker.exe
Token: SeBackupPrivilege	4748	TiWorker.exe
Token: SeRestorePrivilege	4748	TiWorker.exe
Token: SeSecurityPrivilege	4748	TiWorker.exe
Token: SeBackupPrivilege	4748	TiWorker.exe
Token: SeRestorePrivilege	4748	TiWorker.exe
Token: SeSecurityPrivilege	4748	TiWorker.exe
Token: SeBackupPrivilege	4748	TiWorker.exe
Token: SeRestorePrivilege	4748	TiWorker.exe
Token: SeSecurityPrivilege	4748	TiWorker.exe
Token: SeBackupPrivilege	4748	TiWorker.exe
Token: SeRestorePrivilege	4748	TiWorker.exe
Token: SeSecurityPrivilege	4748	TiWorker.exe
Token: SeBackupPrivilege	4748	TiWorker.exe
Token: SeRestorePrivilege	4748	TiWorker.exe
Token: SeSecurityPrivilege	4748	TiWorker.exe
Token: SeBackupPrivilege	4748	TiWorker.exe
Token: SeRestorePrivilege	4748	TiWorker.exe
Token: SeSecurityPrivilege	4748	TiWorker.exe
Token: SeBackupPrivilege	4748	TiWorker.exe
Token: SeRestorePrivilege	4748	TiWorker.exe
Token: SeSecurityPrivilege	4748	TiWorker.exe
Token: SeBackupPrivilege	4748	TiWorker.exe
Token: SeRestorePrivilege	4748	TiWorker.exe
Token: SeSecurityPrivilege	4748	TiWorker.exe
Token: SeBackupPrivilege	4748	TiWorker.exe
Token: SeRestorePrivilege	4748	TiWorker.exe
Token: SeSecurityPrivilege	4748	TiWorker.exe
Token: SeBackupPrivilege	4748	TiWorker.exe
Token: SeRestorePrivilege	4748	TiWorker.exe
Token: SeSecurityPrivilege	4748	TiWorker.exe
Token: SeBackupPrivilege	4748	TiWorker.exe
Token: SeRestorePrivilege	4748	TiWorker.exe
Token: SeSecurityPrivilege	4748	TiWorker.exe
Token: SeBackupPrivilege	4748	TiWorker.exe
Token: SeRestorePrivilege	4748	TiWorker.exe
Token: SeSecurityPrivilege	4748	TiWorker.exe
Token: SeBackupPrivilege	4748	TiWorker.exe
Token: SeRestorePrivilege	4748	TiWorker.exe
Token: SeSecurityPrivilege	4748	TiWorker.exe
Token: SeBackupPrivilege	4748	TiWorker.exe
Token: SeRestorePrivilege	4748	TiWorker.exe
Token: SeSecurityPrivilege	4748	TiWorker.exe
Token: SeBackupPrivilege	4748	TiWorker.exe
Token: SeRestorePrivilege	4748	TiWorker.exe
Token: SeSecurityPrivilege	4748	TiWorker.exe
Token: SeBackupPrivilege	4748	TiWorker.exe
Token: SeRestorePrivilege	4748	TiWorker.exe
Token: SeSecurityPrivilege	4748	TiWorker.exe
Token: SeBackupPrivilege	4748	TiWorker.exe
Token: SeRestorePrivilege	4748	TiWorker.exe
Token: SeSecurityPrivilege	4748	TiWorker.exe
Token: SeBackupPrivilege	4748	TiWorker.exe
Token: SeRestorePrivilege	4748	TiWorker.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

chrome.exe

pid process

3664 chrome.exe
3664 chrome.exe
3664 chrome.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

svchost.exechrome.exechrome.exe

description	pid	process	target process
PID 3568 wrote to memory of 1888	3568	svchost.exe	MoUsoCoreWorker.exe
PID 3568 wrote to memory of 1888	3568	svchost.exe	MoUsoCoreWorker.exe
PID 784 wrote to memory of 3664	784	chrome.exe	chrome.exe
PID 784 wrote to memory of 3664	784	chrome.exe	chrome.exe
PID 3664 wrote to memory of 1104	3664	chrome.exe	cmd.exe
PID 3664 wrote to memory of 1104	3664	chrome.exe	cmd.exe
PID 3568 wrote to memory of 5004	3568	svchost.exe	MoUsoCoreWorker.exe
PID 3568 wrote to memory of 5004	3568	svchost.exe	MoUsoCoreWorker.exe

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:3036

C:\Users\Admin\AppData\Local\Temp\chrome.exe
"C:\Users\Admin\AppData\Local\Temp\chrome.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:784

C:\Users\Admin\AppData\Local\Temp\chrome.exe
"C:\Users\Admin\AppData\Local\Temp\chrome.exe"
2⤵
- Loads dropped DLL
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
3⤵
PID:1104

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe ce96af73b699a37a7db5490670bf3ec5 thrJA4HgGUaZoYFvcXmwuA.0.1.0.3.0
1⤵
- Modifies data under HKEY_USERS
PID:4916

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2864

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3568

C:\Windows\uus\AMD64\MoUsoCoreWorker.exe
C:\Windows\uus\AMD64\MoUsoCoreWorker.exe
2⤵
PID:1888

C:\Windows\uus\AMD64\MoUsoCoreWorker.exe
C:\Windows\uus\AMD64\MoUsoCoreWorker.exe
2⤵
PID:5004

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv thrJA4HgGUaZoYFvcXmwuA.0.2
1⤵
- Modifies data under HKEY_USERS
PID:2544

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.100_none_04da31ff4c67c24a\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.100_none_04da31ff4c67c24a\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4748

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe ce96af73b699a37a7db5490670bf3ec5 thrJA4HgGUaZoYFvcXmwuA.0.1.0.3.0
1⤵
PID:4296

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe ce96af73b699a37a7db5490670bf3ec5 thrJA4HgGUaZoYFvcXmwuA.0.1.0.3.0
1⤵
- Modifies data under HKEY_USERS
PID:1944

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe ce96af73b699a37a7db5490670bf3ec5 thrJA4HgGUaZoYFvcXmwuA.0.1.0.3.0
1⤵
- Modifies data under HKEY_USERS
PID:4004

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI7842\VCRUNTIME140.dll
MD5
11d9ac94e8cb17bd23dea89f8e757f18

SHA1
d4fb80a512486821ad320c4fd67abcae63005158

SHA256
e1d6f78a72836ea120bd27a33ae89cbdc3f3ca7d9d0231aaa3aac91996d2fa4e

SHA512
aa6afd6bea27f554e3646152d8c4f96f7bcaaa4933f8b7c04346e410f93f23cfa6d29362fd5d51ccbb8b6223e094cd89e351f072ad0517553703f5bf9de28778

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7842\VCRUNTIME140.dll
MD5
11d9ac94e8cb17bd23dea89f8e757f18

SHA1
d4fb80a512486821ad320c4fd67abcae63005158

SHA256
e1d6f78a72836ea120bd27a33ae89cbdc3f3ca7d9d0231aaa3aac91996d2fa4e

SHA512
aa6afd6bea27f554e3646152d8c4f96f7bcaaa4933f8b7c04346e410f93f23cfa6d29362fd5d51ccbb8b6223e094cd89e351f072ad0517553703f5bf9de28778

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7842\_bz2.pyd
MD5
8b240f4865476b5d94dbf717d6459126

SHA1
4ed9af33b4a1d0ffe11668c4042600f73ac569b6

SHA256
956ccea610b2710bf1de6de74c382295f0f7e86bde1517757a9850e6d2229440

SHA512
4e118f083649eba173890eb4b376293143f89f6eb92486958d10bb5f44de5dd921351569b859dc9bbb339268f5efa5328552b573396bb7e0e084bdee1af21b68

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7842\_bz2.pyd
MD5
8b240f4865476b5d94dbf717d6459126

SHA1
4ed9af33b4a1d0ffe11668c4042600f73ac569b6

SHA256
956ccea610b2710bf1de6de74c382295f0f7e86bde1517757a9850e6d2229440

SHA512
4e118f083649eba173890eb4b376293143f89f6eb92486958d10bb5f44de5dd921351569b859dc9bbb339268f5efa5328552b573396bb7e0e084bdee1af21b68

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7842\_ctypes.pyd
MD5
b58a6bb7d50c91dd7569522105538b0f

SHA1
086607f51bc590ab42b54ecaa1021a0e53445468

SHA256
7964fcf0b3083176ba44f492d8c85f8e22914243c498446c8d49b8953c81537d

SHA512
3074c5fe090cbd6bee275c621a8c0ec12d1c2f2ad803a1ede34a22af50e7d92e7b2ee11bd4517f8d4b86e057d22d1e9e59ca8d947b540ee0b9dc833f60f717e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7842\_ctypes.pyd
MD5
b58a6bb7d50c91dd7569522105538b0f

SHA1
086607f51bc590ab42b54ecaa1021a0e53445468

SHA256
7964fcf0b3083176ba44f492d8c85f8e22914243c498446c8d49b8953c81537d

SHA512
3074c5fe090cbd6bee275c621a8c0ec12d1c2f2ad803a1ede34a22af50e7d92e7b2ee11bd4517f8d4b86e057d22d1e9e59ca8d947b540ee0b9dc833f60f717e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7842\_decimal.pyd
MD5
a65246b382d384633f73bc6483fa19a6

SHA1
fa02ce407a051ef3755bf87044bb36b666be0e0b

SHA256
acb9147fcd494e1a0be7d1fce9ac1fce962121eb3f6d715a94780e8c88b6b1b2

SHA512
7daa1ba0df4d82b4d31a1148b81eca76887769e265c954f6df623ec61849112a7772951afa6b0030cf5c3ab347f2aa0c63d6cfa8b398bbfb12d1ecd2e7bc9a5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7842\_decimal.pyd
MD5
a65246b382d384633f73bc6483fa19a6

SHA1
fa02ce407a051ef3755bf87044bb36b666be0e0b

SHA256
acb9147fcd494e1a0be7d1fce9ac1fce962121eb3f6d715a94780e8c88b6b1b2

SHA512
7daa1ba0df4d82b4d31a1148b81eca76887769e265c954f6df623ec61849112a7772951afa6b0030cf5c3ab347f2aa0c63d6cfa8b398bbfb12d1ecd2e7bc9a5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7842\_hashlib.pyd
MD5
9e8b2e07aceb6463d713d46b89d90e93

SHA1
59decd107c54fc286bacb94c67fc2a847fc3eda7

SHA256
198bea617a951c028578ec15330aaa901a0b9e6f233852556f261036925d1fb9

SHA512
0ca51acefb29823b8235c4788a4f55af109c3d2730a22ddeb38bde81b21e267cff4d644923ec61873858f4f390853181f620057a9ab3229c0ce7fae2186e91ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7842\_lzma.pyd
MD5
eac27fa711fbc2d46590ee01897aeb1f

SHA1
29847fc053ed31e5f0547e0cc6d59e6d1b27ea18

SHA256
2816e030c2d7fe8e20140e930d2622fb2d44748af26704f79b70469389184539

SHA512
71cd36c533309850775f7b5847300ee84cc942a2f6568bfabe4cb01196aea1415aa23191374ac843bd6cbd72d1fbe6ba8814c4eb8ac04f8e3135b02b0e92a4eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7842\_lzma.pyd
MD5
eac27fa711fbc2d46590ee01897aeb1f

SHA1
29847fc053ed31e5f0547e0cc6d59e6d1b27ea18

SHA256
2816e030c2d7fe8e20140e930d2622fb2d44748af26704f79b70469389184539

SHA512
71cd36c533309850775f7b5847300ee84cc942a2f6568bfabe4cb01196aea1415aa23191374ac843bd6cbd72d1fbe6ba8814c4eb8ac04f8e3135b02b0e92a4eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7842\_queue.pyd
MD5
3026790fa5ae902688588d7b7affc850

SHA1
889df12269821e7e728ce40883a165b53e0f836e

SHA256
91c2d2fbde5fe0de6d4aaeaa1cb65ef3cdcef00c5abf9bfa06525168cb969906

SHA512
f26457479d5914ded05ef0cdaecefcdf6f4c50b9bd583e5121af1b41f428e195305d79f61f0da8b58462151245219506e59fa7c0c2c41f8b1a718e0ccea9a5e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7842\_queue.pyd
MD5
3026790fa5ae902688588d7b7affc850

SHA1
889df12269821e7e728ce40883a165b53e0f836e

SHA256
91c2d2fbde5fe0de6d4aaeaa1cb65ef3cdcef00c5abf9bfa06525168cb969906

SHA512
f26457479d5914ded05ef0cdaecefcdf6f4c50b9bd583e5121af1b41f428e195305d79f61f0da8b58462151245219506e59fa7c0c2c41f8b1a718e0ccea9a5e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7842\_socket.pyd
MD5
3b28f44c51c7519f878ec77bf8f17a33

SHA1
8bceadc0ec6a5331646efb7f05dcbb4cdd65b35b

SHA256
1c5ce7603d1aed3291d5ba6227fa1ac285d879d40371b2d8ae4bc7735cbbdc46

SHA512
f90a0d0ffdcd6d392325368f203b244691d314ab66bae22991ec8075124ad765c241b9592e77976ea4fb5473ceab986214617313e14f0f14935f0819ecf36587

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7842\_socket.pyd
MD5
3b28f44c51c7519f878ec77bf8f17a33

SHA1
8bceadc0ec6a5331646efb7f05dcbb4cdd65b35b

SHA256
1c5ce7603d1aed3291d5ba6227fa1ac285d879d40371b2d8ae4bc7735cbbdc46

SHA512
f90a0d0ffdcd6d392325368f203b244691d314ab66bae22991ec8075124ad765c241b9592e77976ea4fb5473ceab986214617313e14f0f14935f0819ecf36587

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7842\_ssl.pyd
MD5
bad32212e90cb32c181a5576feb7e663

SHA1
e81caa26276cf7bad78cbe9d897013d7ff155098

SHA256
fe4d4a9f4b8dc30e90d340f10e1805f1ce83a9a9b4ea26a3dfb8321fbe10ac1b

SHA512
4dda9951661300f6410466a3faf15acdd421677ea05aa8247769a4678a92d6a8163fec8105a0aa38e246061ab90d15c0485dfe503df2691933376439c9a778aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7842\_ssl.pyd
MD5
bad32212e90cb32c181a5576feb7e663

SHA1
e81caa26276cf7bad78cbe9d897013d7ff155098

SHA256
fe4d4a9f4b8dc30e90d340f10e1805f1ce83a9a9b4ea26a3dfb8321fbe10ac1b

SHA512
4dda9951661300f6410466a3faf15acdd421677ea05aa8247769a4678a92d6a8163fec8105a0aa38e246061ab90d15c0485dfe503df2691933376439c9a778aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7842\base_library.zip
MD5
935ecbb6c183daa81c0ac65c013afd67

SHA1
0d870c56a1a9be4ce0f2d07d5d4335e9239562d1

SHA256
7ae17d6eb5d9609dc8fc67088ab915097b4de375e286998166f931da5394d466

SHA512
a9aac82ab72c06cfff1f1e34bf0f13cbf0d7f0dc53027a9e984b551c602d58d785c374b02238e927e7b7d69c987b1e8ab34bfc734c773ef23d35b0bdb25e99cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7842\libcrypto-1_1.dll
MD5
9b5b90724b0da5a07aef2c6ebe8c6d91

SHA1
375f24df4ee59488befef6d103747aa4ae2baa7e

SHA256
c782a52512461a4e0ea1f0a8d33d53b3d476e50a48dde79aab4a776e4eec6b1e

SHA512
9db722bd1f5ec6e25d03011c16595c2cad4847770d719ffea53ed05f77a23f0be54d82ae1bcd3b647ebc5cefac6a0e1184e52b198920a114b0cca6a59f2bd881

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7842\libcrypto-1_1.dll
MD5
9b5b90724b0da5a07aef2c6ebe8c6d91

SHA1
375f24df4ee59488befef6d103747aa4ae2baa7e

SHA256
c782a52512461a4e0ea1f0a8d33d53b3d476e50a48dde79aab4a776e4eec6b1e

SHA512
9db722bd1f5ec6e25d03011c16595c2cad4847770d719ffea53ed05f77a23f0be54d82ae1bcd3b647ebc5cefac6a0e1184e52b198920a114b0cca6a59f2bd881

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7842\libffi-7.dll
MD5
b5150b41ca910f212a1dd236832eb472

SHA1
a17809732c562524b185953ffe60dfa91ba3ce7d

SHA256
1a106569ac0ad3152f3816ff361aa227371d0d85425b357632776ac48d92ea8a

SHA512
9e82b0caa3d72bb4a7ad7d66ebfb10edb778749e89280bca67c766e72dc794e99aab2bc2980d64282a384699929ce6cc996462a73584898d2df67a57bff2a9c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7842\libffi-7.dll
MD5
b5150b41ca910f212a1dd236832eb472

SHA1
a17809732c562524b185953ffe60dfa91ba3ce7d

SHA256
1a106569ac0ad3152f3816ff361aa227371d0d85425b357632776ac48d92ea8a

SHA512
9e82b0caa3d72bb4a7ad7d66ebfb10edb778749e89280bca67c766e72dc794e99aab2bc2980d64282a384699929ce6cc996462a73584898d2df67a57bff2a9c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7842\libopenblas.WCDJNK7YVMPZQ2ME2ZZHJJRJ3JIKNDB7.gfortran-win_amd64.dll
MD5
5267b800d37db2b0b0cb15a44f31e7b4

SHA1
ab38805e74f5d246158c1d27c387433435d142e2

SHA256
a1b3d64c40018141b5310c3fb8e370c54ddf96bb72c85969712edd37434c79cf

SHA512
c2e0583ce0f56d74b4716b7a074967d7ae5c53c9500fbedaf5464a84df25a7d3f4b9ea744da2af01e898e0e87c600a13dc1df55da35b96518042a5a14912a686

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7842\libopenblas.WCDJNK7YVMPZQ2ME2ZZHJJRJ3JIKNDB7.gfortran-win_amd64.dll
MD5
5267b800d37db2b0b0cb15a44f31e7b4

SHA1
ab38805e74f5d246158c1d27c387433435d142e2

SHA256
a1b3d64c40018141b5310c3fb8e370c54ddf96bb72c85969712edd37434c79cf

SHA512
c2e0583ce0f56d74b4716b7a074967d7ae5c53c9500fbedaf5464a84df25a7d3f4b9ea744da2af01e898e0e87c600a13dc1df55da35b96518042a5a14912a686

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7842\libssl-1_1.dll
MD5
1c6c741a558039073d3c23251d8b06d8

SHA1
bf8743fe1651ddfe125ad9cfd1348b9a87e7c705

SHA256
280caa5ed8c94f62ff6ae8e0faec07477afa79e1f7766e913266d4b40b27fa37

SHA512
f1045642d1436db12340b324acc75e80555a1c61b3194e6ac0d9b3c9a162a1f1ff92f10d23a3392910be0139f55d301c2f0242b4f83e9c03ec289d1f4c7d8216

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7842\libssl-1_1.dll
MD5
1c6c741a558039073d3c23251d8b06d8

SHA1
bf8743fe1651ddfe125ad9cfd1348b9a87e7c705

SHA256
280caa5ed8c94f62ff6ae8e0faec07477afa79e1f7766e913266d4b40b27fa37

SHA512
f1045642d1436db12340b324acc75e80555a1c61b3194e6ac0d9b3c9a162a1f1ff92f10d23a3392910be0139f55d301c2f0242b4f83e9c03ec289d1f4c7d8216

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7842\mfc140u.dll
MD5
639db7fe67e2e15d069a62c0ef4a971c

SHA1
bdbf2517678f9066c4553e6fdace0a366929185c

SHA256
760308cf8bedaebc4500049622d08ddcaca0024acbd3b6bdca1618ec48a91597

SHA512
83cd3e89ddac3915686bceec25654f0a35fe66a1c27d95bcfd3b44bdc01ded0df9beb525e0604522f61d58183546af63ffdd60f90e5bffd648774169832d2335

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7842\mfc140u.dll
MD5
639db7fe67e2e15d069a62c0ef4a971c

SHA1
bdbf2517678f9066c4553e6fdace0a366929185c

SHA256
760308cf8bedaebc4500049622d08ddcaca0024acbd3b6bdca1618ec48a91597

SHA512
83cd3e89ddac3915686bceec25654f0a35fe66a1c27d95bcfd3b44bdc01ded0df9beb525e0604522f61d58183546af63ffdd60f90e5bffd648774169832d2335

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7842\numpy\core\_multiarray_tests.cp39-win_amd64.pyd
MD5
37895d5aade376e71b51deb3107647df

SHA1
d655c8e53caf3ca796ed82a81fb843aa6a57e80a

SHA256
732a6935d8cd1059c09e6a9d5f8644a55e98221e42d8ea288aba4fa4356f7119

SHA512
7a2e9973786926de7ffd08fde50d7a7c9ed32595696f2b6da37bc4717864a1b5ae708f8b28bc85dd2be834223fb40b50a5f7939a47453fdbec74f5b33a188913

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7842\numpy\core\_multiarray_tests.cp39-win_amd64.pyd
MD5
37895d5aade376e71b51deb3107647df

SHA1
d655c8e53caf3ca796ed82a81fb843aa6a57e80a

SHA256
732a6935d8cd1059c09e6a9d5f8644a55e98221e42d8ea288aba4fa4356f7119

SHA512
7a2e9973786926de7ffd08fde50d7a7c9ed32595696f2b6da37bc4717864a1b5ae708f8b28bc85dd2be834223fb40b50a5f7939a47453fdbec74f5b33a188913

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7842\numpy\core\_multiarray_umath.cp39-win_amd64.pyd
MD5
e7700a5ac2de7d3d75fbf90479dfcbf9

SHA1
4c023ac55ba9423ad54916b32f435166092e5531

SHA256
30e216e53e7d5adda6b395d896591c6e62e1591ed313fb7909071143eeea7825

SHA512
b4a53946f776f318392087a021e3ecebf3f452cd58bd289888e4734d7aa41d7b725a0d4a6152569c5190c1c7fe26a56ae0fcd83a43fd34aba5aecbcf90e7431c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7842\numpy\core\_multiarray_umath.cp39-win_amd64.pyd
MD5
e7700a5ac2de7d3d75fbf90479dfcbf9

SHA1
4c023ac55ba9423ad54916b32f435166092e5531

SHA256
30e216e53e7d5adda6b395d896591c6e62e1591ed313fb7909071143eeea7825

SHA512
b4a53946f776f318392087a021e3ecebf3f452cd58bd289888e4734d7aa41d7b725a0d4a6152569c5190c1c7fe26a56ae0fcd83a43fd34aba5aecbcf90e7431c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7842\numpy\fft\_pocketfft_internal.cp39-win_amd64.pyd
MD5
a287a83e4a1d9a597e1362c0065acd85

SHA1
821e270a51a70a649c091b27b79b1e6a4f69a6f0

SHA256
bb978f58e59719441b32f80dca8cf5b2ab4d657f68367a9743f74dcb8280d4f4

SHA512
c69ee18e7cde1647ae3d7b8800ce60092427eb1beca71772cae4d55fd2d3f531c266ec507fcf2a1fc4b936f71b1b246b35a7d7839a2814c3a7a5a95cfab4b882

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7842\numpy\fft\_pocketfft_internal.cp39-win_amd64.pyd
MD5
a287a83e4a1d9a597e1362c0065acd85

SHA1
821e270a51a70a649c091b27b79b1e6a4f69a6f0

SHA256
bb978f58e59719441b32f80dca8cf5b2ab4d657f68367a9743f74dcb8280d4f4

SHA512
c69ee18e7cde1647ae3d7b8800ce60092427eb1beca71772cae4d55fd2d3f531c266ec507fcf2a1fc4b936f71b1b246b35a7d7839a2814c3a7a5a95cfab4b882

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7842\numpy\linalg\_umath_linalg.cp39-win_amd64.pyd
MD5
f95c0d2f99fee994783abfa88cd3c4e1

SHA1
cba89bcef09e383a388bf5d3b7f68b2dfc5563ac

SHA256
41259efea39ab60596291d6dd3dcb15d897ed7fffe77986bc771e2515f7c8329

SHA512
f6a2c8314084bd5cc48ee3239b9bd4de4e52f16f6757fe68880bc8bcb161bddb238d23b92bb704f9925d39997a59f86b32b4743e9f02071ac444e7a660155a61

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7842\numpy\linalg\_umath_linalg.cp39-win_amd64.pyd
MD5
f95c0d2f99fee994783abfa88cd3c4e1

SHA1
cba89bcef09e383a388bf5d3b7f68b2dfc5563ac

SHA256
41259efea39ab60596291d6dd3dcb15d897ed7fffe77986bc771e2515f7c8329

SHA512
f6a2c8314084bd5cc48ee3239b9bd4de4e52f16f6757fe68880bc8bcb161bddb238d23b92bb704f9925d39997a59f86b32b4743e9f02071ac444e7a660155a61

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7842\numpy\linalg\lapack_lite.cp39-win_amd64.pyd
MD5
cea3a9b5d661d1f40a21372e3a093f9f

SHA1
8fd178b48c36fe445d9db2e1622c6d11567aa700

SHA256
30e51fdf917d16781ba6d02c1edc4a3c8a1b65151d8525cd735fd5f4cb8677bc

SHA512
8de83b7e44bc71b621ab22ba877f6eef7a153d884550fa7ff084932be0b487448c37a693b02db2a6ccdc389d85c68bc49fa3028a62310d80da223597fd3ede24

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7842\numpy\linalg\lapack_lite.cp39-win_amd64.pyd
MD5
cea3a9b5d661d1f40a21372e3a093f9f

SHA1
8fd178b48c36fe445d9db2e1622c6d11567aa700

SHA256
30e51fdf917d16781ba6d02c1edc4a3c8a1b65151d8525cd735fd5f4cb8677bc

SHA512
8de83b7e44bc71b621ab22ba877f6eef7a153d884550fa7ff084932be0b487448c37a693b02db2a6ccdc389d85c68bc49fa3028a62310d80da223597fd3ede24

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7842\numpy\random\_common.cp39-win_amd64.pyd
MD5
46e760f740b8c18d29327b30f2cb0f5f

SHA1
a96fe6fb92d5cfdf9c8052bcd63fb4f067e28d34

SHA256
c7b262902578bf96a4ee742cc09decc111b675ba02303cb12639bbe68eb9a58a

SHA512
d9f202e5655efcdbc020e300ae0cb9da3bd4659f0d61cbfea61cb4e5f53de71ba22a2ff4bb6465c0987f8501fe8608f3a9ec5ff928a454a6889b80f998f4d23f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7842\numpy\random\_common.cp39-win_amd64.pyd
MD5
46e760f740b8c18d29327b30f2cb0f5f

SHA1
a96fe6fb92d5cfdf9c8052bcd63fb4f067e28d34

SHA256
c7b262902578bf96a4ee742cc09decc111b675ba02303cb12639bbe68eb9a58a

SHA512
d9f202e5655efcdbc020e300ae0cb9da3bd4659f0d61cbfea61cb4e5f53de71ba22a2ff4bb6465c0987f8501fe8608f3a9ec5ff928a454a6889b80f998f4d23f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7842\numpy\random\bit_generator.cp39-win_amd64.pyd
MD5
7b5e8e1cfad693c99c65c56b296c4e30

SHA1
8dc47f182650ae40f31a55520173007e20fda008

SHA256
f09d6fa6feab98404393ec3ac8234b8e1aac0286fafb9ecc63516c0be7d1376f

SHA512
b56472e8ed32befafe83335cc10cbb192c8fd771d5991a0ffd4bf64f1bbffbea99bc07d5119fc865a24e1feadd923acc928a53b5674595ad76275f9e6c466969

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7842\numpy\random\bit_generator.cp39-win_amd64.pyd
MD5
7b5e8e1cfad693c99c65c56b296c4e30

SHA1
8dc47f182650ae40f31a55520173007e20fda008

SHA256
f09d6fa6feab98404393ec3ac8234b8e1aac0286fafb9ecc63516c0be7d1376f

SHA512
b56472e8ed32befafe83335cc10cbb192c8fd771d5991a0ffd4bf64f1bbffbea99bc07d5119fc865a24e1feadd923acc928a53b5674595ad76275f9e6c466969

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7842\numpy\random\mtrand.cp39-win_amd64.pyd
MD5
9977085b2a1880ce8760de1be4cb073f

SHA1
4c65d02c7be86231b35c01ef85ff5bd1eaecdbb0

SHA256
8f97386583dfe8985052dc5ee4b0ac24800292efd70461c3a69d730502132966

SHA512
f1b9f1dd25e9da7fe7b215ac35b3c59db6f513bed7db821d5fd345f93cadcb59055b6e1b7aeee54e7e3cb66d881fa3166893305e87e00c7c9674a929a6dee354

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7842\numpy\random\mtrand.cp39-win_amd64.pyd
MD5
9977085b2a1880ce8760de1be4cb073f

SHA1
4c65d02c7be86231b35c01ef85ff5bd1eaecdbb0

SHA256
8f97386583dfe8985052dc5ee4b0ac24800292efd70461c3a69d730502132966

SHA512
f1b9f1dd25e9da7fe7b215ac35b3c59db6f513bed7db821d5fd345f93cadcb59055b6e1b7aeee54e7e3cb66d881fa3166893305e87e00c7c9674a929a6dee354

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7842\pyexpat.pyd
MD5
c3c2ea4e75244b7ee13e9c166d74cb7d

SHA1
b6f9ddcdd42e542ec69d4b19e8f4f004ffb1c7f5

SHA256
a29232e9eed2749e6e6253665193dd885e30ee2ca493a7f5337eb56e08d547cc

SHA512
980165041b8dfd332bd83fbc67aa51ec894ff95819f50a6e0c6c256a240ebc73c7235156eb70495c08b0f740c9db8997679be957f54aa56e77a1c1ea7bfab398

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7842\pyexpat.pyd
MD5
c3c2ea4e75244b7ee13e9c166d74cb7d

SHA1
b6f9ddcdd42e542ec69d4b19e8f4f004ffb1c7f5

SHA256
a29232e9eed2749e6e6253665193dd885e30ee2ca493a7f5337eb56e08d547cc

SHA512
980165041b8dfd332bd83fbc67aa51ec894ff95819f50a6e0c6c256a240ebc73c7235156eb70495c08b0f740c9db8997679be957f54aa56e77a1c1ea7bfab398

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7842\python3.DLL
MD5
d188e47657686c51615075f56e7bbb92

SHA1
98dbd7e213fb63e851b76da018f5e4ae114b1a0c

SHA256
84cb29052734ec4ad5d0eac8a9156202a2077ee9bd43cabc68e44ee22a74910a

SHA512
96ca8c589ab5db5fde72d35559170e938ce283559b1b964c860629579d6a231e1c1a1952f3d08a8af35d1790228ac8d97140b25b9c96d43f45e3398459ae51bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7842\python3.dll
MD5
d188e47657686c51615075f56e7bbb92

SHA1
98dbd7e213fb63e851b76da018f5e4ae114b1a0c

SHA256
84cb29052734ec4ad5d0eac8a9156202a2077ee9bd43cabc68e44ee22a74910a

SHA512
96ca8c589ab5db5fde72d35559170e938ce283559b1b964c860629579d6a231e1c1a1952f3d08a8af35d1790228ac8d97140b25b9c96d43f45e3398459ae51bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7842\python39.dll
MD5
06839776cb721955965a1d5b51c3dea4

SHA1
ec878c311d241cd550bcdb26937f65b8cfaebf2f

SHA256
f5a9c00b23eb7d67ca7f356ca8c26556b767afe890710fe0fe8b837d4d00bf38

SHA512
18c72aa11b3a1d74a0c187d4c3cf538e8689cc5347aca601e49352507b96df36770fae238163fc82d095d160083ae15216b22f7b1e82a1f7d816aaf76fb7db46

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7842\python39.dll
MD5
06839776cb721955965a1d5b51c3dea4

SHA1
ec878c311d241cd550bcdb26937f65b8cfaebf2f

SHA256
f5a9c00b23eb7d67ca7f356ca8c26556b767afe890710fe0fe8b837d4d00bf38

SHA512
18c72aa11b3a1d74a0c187d4c3cf538e8689cc5347aca601e49352507b96df36770fae238163fc82d095d160083ae15216b22f7b1e82a1f7d816aaf76fb7db46

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7842\pythoncom39.dll
MD5
384e425ed5d05db9b0d65f96c8272669

SHA1
08646cdeb67a903c018b57016b789f6a118505b7

SHA256
afcbd97e820d7aaf83d9626a2e44b2a5748545a8f062972eccf7d815a41b62d9

SHA512
064d409bd5574952ad2631c44460d9620e074f239ada5da1f5469cc942c1f4750366de4f83d9e2abb081303f96db4adbc92eca5043dbd376e096eef643d21e55

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7842\pythoncom39.dll
MD5
384e425ed5d05db9b0d65f96c8272669

SHA1
08646cdeb67a903c018b57016b789f6a118505b7

SHA256
afcbd97e820d7aaf83d9626a2e44b2a5748545a8f062972eccf7d815a41b62d9

SHA512
064d409bd5574952ad2631c44460d9620e074f239ada5da1f5469cc942c1f4750366de4f83d9e2abb081303f96db4adbc92eca5043dbd376e096eef643d21e55

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7842\pywintypes39.dll
MD5
1c5db28728548ea9538b7134672f5217

SHA1
9f13742cc4ab66ab21a97ae85588ef52b5e10c05

SHA256
86babf5d51a2e379717df11189279429e9d44d07e1e4d84e50953c7a57a9dd55

SHA512
45678a7dd86aac4da2694a38973bde3a1ed6e57ecd4cb6f04d4e0141bf41f8f4c34b349c0d7f28d30785793ce920b9584e08978f4cddcb5aa5b69e6a11bce5de

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7842\pywintypes39.dll
MD5
1c5db28728548ea9538b7134672f5217

SHA1
9f13742cc4ab66ab21a97ae85588ef52b5e10c05

SHA256
86babf5d51a2e379717df11189279429e9d44d07e1e4d84e50953c7a57a9dd55

SHA512
45678a7dd86aac4da2694a38973bde3a1ed6e57ecd4cb6f04d4e0141bf41f8f4c34b349c0d7f28d30785793ce920b9584e08978f4cddcb5aa5b69e6a11bce5de

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7842\select.pyd
MD5
9ea437352299ba77f20d9ad5c954b639

SHA1
ad2235b555264cf93dd1dba730151331c1fd85cb

SHA256
4068070f800e4ce564de57c06936d715524d7a4ce52d1452693b88c65849a230

SHA512
1e56bf656e161e77c90d66f97e12aa26176f0a4103ea91558606135d8d7b0e2fe8bf186311127811fd97551deec5000da3928577b166ffcf45765c14e0f825c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7842\select.pyd
MD5
9ea437352299ba77f20d9ad5c954b639

SHA1
ad2235b555264cf93dd1dba730151331c1fd85cb

SHA256
4068070f800e4ce564de57c06936d715524d7a4ce52d1452693b88c65849a230

SHA512
1e56bf656e161e77c90d66f97e12aa26176f0a4103ea91558606135d8d7b0e2fe8bf186311127811fd97551deec5000da3928577b166ffcf45765c14e0f825c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7842\tinyaes.cp39-win_amd64.pyd
MD5
d8b262be898be9a6d89bc3cc7e2ff282

SHA1
dd732fb2a6a3f6388ec6d804866a89fb8cbc7ac0

SHA256
3f657ba83d058c63629fcfc686e94fb9b29769a534e54435ca0aa0156053ea17

SHA512
5b59a914d4b83dfff673f21d65e13ae97e0df1f4e7e1a8002db3f3b45ce7e01899d4757443731eb88f43a443cbdebc1aa1c2854fcd83a45ee110be359c175df2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7842\tinyaes.cp39-win_amd64.pyd
MD5
d8b262be898be9a6d89bc3cc7e2ff282

SHA1
dd732fb2a6a3f6388ec6d804866a89fb8cbc7ac0

SHA256
3f657ba83d058c63629fcfc686e94fb9b29769a534e54435ca0aa0156053ea17

SHA512
5b59a914d4b83dfff673f21d65e13ae97e0df1f4e7e1a8002db3f3b45ce7e01899d4757443731eb88f43a443cbdebc1aa1c2854fcd83a45ee110be359c175df2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7842\win32api.pyd
MD5
e02581df32bf0391ecce421e9ff1c83a

SHA1
7b56170d64458cce26f447142dfb3e4f492d1ff2

SHA256
a04e4a2576a3aa912a27775f0a75080108ea8593b26901a45af2bd5578ebb6f2

SHA512
f46544930cce4f419276da68ed4850f845651e323cc7e401b45fd04e69e001da2b6b63684ee991df9acf5bfab5eff571acab5c5b707a42380c1a7d4fe89f42e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7842\win32api.pyd
MD5
e02581df32bf0391ecce421e9ff1c83a

SHA1
7b56170d64458cce26f447142dfb3e4f492d1ff2

SHA256
a04e4a2576a3aa912a27775f0a75080108ea8593b26901a45af2bd5578ebb6f2

SHA512
f46544930cce4f419276da68ed4850f845651e323cc7e401b45fd04e69e001da2b6b63684ee991df9acf5bfab5eff571acab5c5b707a42380c1a7d4fe89f42e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7842\win32gui.pyd
MD5
fbbbf04822867c5d07e5893fcf78587c

SHA1
b07ca4d68dae977d9dc7ea12d22689d63c4b1583

SHA256
be861e70634fe2916fc3c27bfc419f153e78b1b6df540958bfa2eb607a399f87

SHA512
c66be56b5b712473c50bfbd21c5db2dcbc70ce57ce7714b13ff12868d547fa8a7c3c1c95b45874cc4ebe45c7696f46f743b912a8989bb7217ab25e317941c3dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7842\win32gui.pyd
MD5
fbbbf04822867c5d07e5893fcf78587c

SHA1
b07ca4d68dae977d9dc7ea12d22689d63c4b1583

SHA256
be861e70634fe2916fc3c27bfc419f153e78b1b6df540958bfa2eb607a399f87

SHA512
c66be56b5b712473c50bfbd21c5db2dcbc70ce57ce7714b13ff12868d547fa8a7c3c1c95b45874cc4ebe45c7696f46f743b912a8989bb7217ab25e317941c3dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7842\win32ui.pyd
MD5
a2e75a93b2934071ee1459ba9fee4109

SHA1
1375b913e83c224638c9db8663d2c9dc8536e38e

SHA256
423f1970e20de1b00d6635b9ff8e1977b65ccdb225233af906d1d9199516c155

SHA512
b1c1bfe41f90de01e1c864f7ac488a65b3e2721f3eeb722149200f2449135efebaeb0dffe46f9eb5b92f473bf9e7cd81471daa556eccaa9510f848a7d5c2a93d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7842\win32ui.pyd
MD5
a2e75a93b2934071ee1459ba9fee4109

SHA1
1375b913e83c224638c9db8663d2c9dc8536e38e

SHA256
423f1970e20de1b00d6635b9ff8e1977b65ccdb225233af906d1d9199516c155

SHA512
b1c1bfe41f90de01e1c864f7ac488a65b3e2721f3eeb722149200f2449135efebaeb0dffe46f9eb5b92f473bf9e7cd81471daa556eccaa9510f848a7d5c2a93d

Download Submit
memory/1104-188-0x0000000000000000-mapping.dmp

Download
memory/1888-149-0x0000000000000000-mapping.dmp

Download
memory/2864-148-0x00000288AF6B0000-0x00000288AF6B4000-memory.dmp

Filesize
16KB

Download
memory/2864-146-0x00000288ACF20000-0x00000288ACF30000-memory.dmp

Filesize
64KB

Download
memory/2864-147-0x00000288ACFA0000-0x00000288ACFB0000-memory.dmp

Filesize
64KB

Download
memory/2864-218-0x00000288AF6D0000-0x00000288AF6D4000-memory.dmp

Filesize
16KB

Download
memory/2864-219-0x00000288AF5F0000-0x00000288AF5F1000-memory.dmp

Filesize
4KB

Download
memory/2864-221-0x00000288AF5B0000-0x00000288AF5B1000-memory.dmp

Filesize
4KB

Download
memory/3664-150-0x0000000000000000-mapping.dmp

Download
memory/3664-216-0x0000029A840A0000-0x0000029A840B0000-memory.dmp

Filesize
64KB

Download
memory/5004-217-0x0000000000000000-mapping.dmp

Download