Malware Analysis Report

2025-01-18 04:37

Sample ID 230919-k56xvaab65
Target NumChai.exe
SHA256 23541c3d4d3c91c51335895d912cf2a62d7f50ec4cf1b3caf1c10bb8c4961497
Tags revengerat persistence pyinstaller stealer trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256

23541c3d4d3c91c51335895d912cf2a62d7f50ec4cf1b3caf1c10bb8c4961497

Threat Level: Known bad

The file NumChai.exe was found to be: Known bad.

Malicious Activity Summary

revengerat persistence pyinstaller stealer trojan

RevengeRAT

RevengeRat Executable

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Adds Run key to start application

Unsigned PE

Detects Pyinstaller

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Kills process with taskkill

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-19 09:12

Signatures

Detects Pyinstaller

pyinstaller

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-19 09:12

Reported

2023-09-19 09:14

Platform

win7-20230831-en

Max time kernel

144s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NumChai.exe"

Signatures

RevengeRAT

trojan revengerat

RevengeRat Executable

stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Corporation Security = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\svchost.exe" C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Explorer = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe N/A

Detects Pyinstaller

pyinstaller

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1940 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\NumChai.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe
PID 1940 wrote to memory of 1308 N/A C:\Users\Admin\AppData\Local\Temp\NumChai.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe
PID 1940 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\NumChai.exe C:\Users\Admin\AppData\Local\Temp\NumChai .exe
PID 1308 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
PID 2644 wrote to memory of 856 N/A C:\Users\Admin\AppData\Local\Temp\NumChai .exe C:\Users\Admin\AppData\Local\Temp\NumChai .exe
PID 1452 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe

Processes

C:\Users\Admin\AppData\Local\Temp\NumChai.exe

"C:\Users\Admin\AppData\Local\Temp\NumChai.exe"

C:\Users\Admin\AppData\Local\Temp\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

C:\Users\Admin\AppData\Local\Temp\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

C:\Users\Admin\AppData\Local\Temp\NumChai .exe

"C:\Users\Admin\AppData\Local\Temp\NumChai .exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"

C:\Users\Admin\AppData\Local\Temp\NumChai .exe

"C:\Users\Admin\AppData\Local\Temp\NumChai .exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 proxy-cheap.blogspot.com udp
NL 142.251.36.33:443 proxy-cheap.blogspot.com tcp
US 8.8.8.8:53 amazonhost.thedreamsop.com udp
US 107.180.2.24:80 amazonhost.thedreamsop.com tcp
US 8.8.8.8:53 ucpanel.hackcrack.io udp
US 209.25.141.181:3914 ucpanel.hackcrack.io tcp

Files

C:\Users\Admin\AppData\Local\Temp\Setup.exe

MD5 6d5ad2adce366350200958c37f08a994
SHA1 3cc290b3684d9667ab729708a0803236ba2c6c3b
SHA256 c0b6c7b060ba8b898777ce72e4a2d0b0a9df4591dddd10037762da40e6887fc2
SHA512 dc5f7a54c31451377a48fb3e16b23b27a269f8ffd91d1a6a11a7c64b3c53dddaab8cdf7932a1a7776e74a6985b83370ac5e067f03401cd1343dc0ebd3b388196

C:\Users\Admin\AppData\Local\Temp\NumChai .exe

MD5 1c02b4003f07b44d5fb1f5742a4e97ef
SHA1 c68c50e2ca784c4be9e7735a68bca2c0fb4aa194
SHA256 dce88399b77de48a09c13d74b0bfe52df351b64ea2fbf29e607dbd4216d893ca
SHA512 4d93c20665b58c206108d6d077e0742a687cf8e61278082e7110fdca05a4adede6b19edd5d8f2eff9607201c7d3e6fbc11fed5521a99c4df4d8fa844db780ada

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.zip

MD5 2e61d2054323e30210dafceb99bd9578
SHA1 0b24d2997cbf28bad3e164d83c898df2584ab550
SHA256 153ecbe60ebe02ac0d92221b2df398873ab94b74b75894ebcc1b420e16541c11
SHA512 064f06c38aa158331cfe53a2a77f5ed6be5b7ada798d4d559523be2431416ee78a5cb359fe3a4b6e4b009be55a76b57b93d95378d15b28bb2ffd87cce04855ad

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe

MD5 5e24e97bbc8354e13ee3ab70da2f3af6
SHA1 b52c0f3b18600e472d848d028af60c1c4860bf64
SHA256 69d3cf6c83d6b21abbe13ea46f6fa0462c564712ddad17b9151ac36db85486fe
SHA512 137ee2c034d5c6cb8b504412a73fb143fc4ce9bedd069b3d50f974fe7cc84c01e24f056793961d66c187d7369cbd8e422a5500a0a3d908fc0ba7e4f2c2ffdce4

C:\Users\Admin\AppData\Local\Temp\_MEI26442\ucrtbase.dll

MD5 298e85be72551d0cdd9ed650587cfdc6
SHA1 5a82bcc324fb28a5147b4e879b937fb8a56b760c
SHA256 eb89af5911a60d892a685181c397d32b72c61dc2ad77dd45b8cac0fbb7602b84
SHA512 3fafea5ff0d0b4e07f6354c37b367ada4da1b607186690c732364518a93c3fd2f5004014c9c3d23dde28db87d1cb9ae1259cda68b9ba757db59a59d387ac4e02

C:\Users\Admin\AppData\Local\Temp\_MEI26442\api-ms-win-core-localization-l1-2-0.dll

MD5 54d2f426bc91ecf321908d133b069b20
SHA1 78892ea2873091f016daa87d2c0070b6c917131f
SHA256 646b28a20208be68439d73efa21be59e12ed0a5fe9e63e5d3057ca7b84bc6641
SHA512 6b1b095d5e3cc3d5909ebda4846568234b9bc43784919731dd906b6fa62aa1fdf723ac0d18bca75d74616e2c54c82d1402cc8529d75cb1d7744f91622ac4ec06

C:\Users\Admin\AppData\Local\Temp\_MEI26442\api-ms-win-core-file-l1-2-0.dll

MD5 b5060343583e6be3b3de33ccd40398e0
SHA1 5b33b8db5d6cfb0e8a5bb7f209df2c6191b02edb
SHA256 27878021c6d48fb669f1822821b5934f5a2904740bebb340b6849e7635490cb7
SHA512 86610edc05aa1b756c87160f9eefe9365e3f712c5bed18c8feca3cae12aef07ccc44c45c4be19dc8f9d337a6f6709b260c89019a5efcfe9fa0847d85ab64d282

C:\Users\Admin\AppData\Local\Temp\_MEI26442\api-ms-win-core-file-l2-1-0.dll

MD5 2e8995e2320e313545c3ddb5c71dc232
SHA1 45d079a704bec060a15f8eba3eab22ac5cf756c6
SHA256 c55eb043454ac2d460f86ea26f934ecb16bdb1d05294c168193a05090bf1c56c
SHA512 19adcc5dd98f30b4eebefe344e1939c93c284c802043ea3ac22654cf2e23692f868a00a482c9be1b1e88089a5031fa81a3f1165175224309828bd28ee12f2d49

C:\Users\Admin\AppData\Local\Temp\_MEI26442\api-ms-win-core-timezone-l1-1-0.dll

MD5 36165a5050672b7b0e04cb1f3d7b1b8f
SHA1 ef17c4622f41ef217a16078e8135acd4e2cf9443
SHA256 d7ab47157bff1b2347e7ae945517b4fc256425939ba7b6288ff85a51931568a7
SHA512 da360ff716bb66dd1adb5d86866b4b81b08a6fe86362fded05430f833a96934ccdada1b3081b55766a4a30c16d0d62aa1715b8839ea5c405a40d9911715dae68

C:\Users\Admin\AppData\Local\Temp\_MEI26442\api-ms-win-core-processthreads-l1-1-1.dll

MD5 d1b3cc23127884d9eff1940f5b98e7aa
SHA1 d1b108e9fce8fba1c648afaad458050165502878
SHA256 51a73fbfa2afe5e45962031618ec347aaa0857b11f3cf273f4c218354bfe70cb
SHA512 ee5e0d546190e8ba9884ab887d11bb18fc71d3878983b544cd9ab80b6dd18ad65e66fe49fe0f4b92cbc51992fb1c39de091cf789159625341a03f4911b968fa2

C:\Users\Admin\AppData\Local\Temp\_MEI26442\python310.dll

MD5 e9c0fbc99d19eeedad137557f4a0ab21
SHA1 8945e1811ceb4b26f21edcc7a36dcf2b1d34f0bf
SHA256 5783c5c5a3ffce181691f19d27de376a03010d32e41360b72bcdbd28467cfcc5
SHA512 74e1289683642ae2bc3cf780a07af1f27fed2011ef6cc67380f9c066c59d17a2fb2394a45a5c6cd75dad812a61093fdbd0f2108925f5c58fc6644c1c98be5c0b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe

MD5 6d78acbcbb8d77547e8956bdd6b19e0e
SHA1 ff5baeccc5b4fe4ebbbe6b156ff20ba1e794627c
SHA256 bff2704e9379a61eae54b65d1f815dacf0ceae99f140a1eafcc94b020abbf9a3
SHA512 0903e02f7d0b964d66bfecde0763a7d604b256c84d7fed04e675366953a6f81b5b8fd9ac47538baf6e5df90a2f3f178d7ff1cfab41c22cc896b42f3bbf607118

Analysis: behavioral2

Detonation Overview

Submitted

2023-09-19 09:12

Reported

2023-09-19 09:14

Platform

win10v2004-20230915-en

Max time kernel

141s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NumChai.exe"

Signatures

RevengeRAT

trojan revengerat

RevengeRat Executable

stealer

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\NumChai.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\NumChai .exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Corporation Security = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\svchost.exe" C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Explorer = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe N/A

Detects Pyinstaller

pyinstaller

Enumerates physical storage devices

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2760 wrote to memory of 3088 N/A C:\Users\Admin\AppData\Local\Temp\NumChai.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe
PID 2760 wrote to memory of 1096 N/A C:\Users\Admin\AppData\Local\Temp\NumChai.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe
PID 2760 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\NumChai.exe C:\Users\Admin\AppData\Local\Temp\NumChai .exe
PID 1096 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
PID 3088 wrote to memory of 4884 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
PID 920 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\NumChai .exe C:\Users\Admin\AppData\Local\Temp\NumChai .exe
PID 2296 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\NumChai .exe C:\Windows\system32\cmd.exe
PID 1080 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
PID 1444 wrote to memory of 536 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe \??\c:\windows\system32\cmstp.exe
PID 4504 wrote to memory of 4480 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe C:\Windows\System32\cmd.exe
PID 4884 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
PID 4504 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe C:\Windows\System32\cmd.exe
PID 4504 wrote to memory of 4624 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe C:\Windows\System32\cmd.exe
PID 4504 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe C:\Windows\System32\cmd.exe
PID 4504 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe C:\Windows\System32\cmd.exe
PID 3448 wrote to memory of 4832 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3448 wrote to memory of 4832 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2288 wrote to memory of 4420 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2288 wrote to memory of 4420 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4480 wrote to memory of 3092 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4480 wrote to memory of 3092 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4568 wrote to memory of 840 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4568 wrote to memory of 840 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4624 wrote to memory of 3820 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4624 wrote to memory of 3820 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
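The table above is a flat list of WriteProcessMemory edges, most of them logged twice, and the lineage is hard to read off it. The script below (an added example, not part of the sandbox report) rebuilds the process tree from rows copied out of that table, drops the repeated edges, and tags images that use a Windows binary name but run from outside C:\Windows, which is how the dropped svchost.exe and explorer.exe under Templates show up here. Only a subset of the rows is embedded; the parser takes the whole table unchanged.

```python
import re
from collections import OrderedDict

# Rows copied from the "Suspicious use of WriteProcessMemory" table of this
# report (a constructed subset; the full table lists most edges twice because
# the sandbox logged two writes per child). Any EDR process-creation export
# carries the same parent/child pairs.
ROWS = r"""
PID 2760 wrote to memory of 3088 N/A C:\Users\Admin\AppData\Local\Temp\NumChai.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe
PID 2760 wrote to memory of 3088 N/A C:\Users\Admin\AppData\Local\Temp\NumChai.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe
PID 2760 wrote to memory of 1096 N/A C:\Users\Admin\AppData\Local\Temp\NumChai.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe
PID 2760 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\NumChai.exe C:\Users\Admin\AppData\Local\Temp\NumChai .exe
PID 1096 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
PID 3088 wrote to memory of 4884 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
PID 920 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\NumChai .exe C:\Users\Admin\AppData\Local\Temp\NumChai .exe
PID 2296 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\NumChai .exe C:\Windows\system32\cmd.exe
PID 1080 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
PID 1444 wrote to memory of 536 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe \??\c:\windows\system32\cmstp.exe
PID 4504 wrote to memory of 4480 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe C:\Windows\System32\cmd.exe
PID 4480 wrote to memory of 3092 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"""

# The parent path is matched lazily and ends where a child path starts (a drive
# letter or the NT "\??\" prefix). Splitting on whitespace would break
# "NumChai .exe", a name with an embedded space.
EDGE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+?) ((?:[A-Za-z]:\\|\\\?\?\\).+)$")

# Names that belong under C:\Windows; the same name elsewhere is masquerading (T1036.005).
SYSTEM_NAMES = {"svchost.exe", "explorer.exe", "cmstp.exe", "cmd.exe", "powershell.exe", "taskkill.exe"}


def parse_edges(text):
    """Return unique (parent_pid, child_pid, parent_image, child_image) tuples in first-seen order."""
    seen = OrderedDict()
    for line in text.strip().splitlines():
        m = EDGE_RE.match(line.strip())
        if m:
            key = (int(m[1]), int(m[2]))
            seen.setdefault(key, (key[0], key[1], m[3], m[4]))
    return list(seen.values())


def build_tree(edges):
    """Map PID -> image and PID -> children; roots are parents never seen as a child."""
    image, children = {}, {}
    for ppid, cpid, pimg, cimg in edges:
        image.setdefault(ppid, pimg)
        image[cpid] = cimg
        children.setdefault(ppid, []).append(cpid)
        children.setdefault(cpid, [])
    child_pids = {cpid for _, cpid, _, _ in edges}
    roots = [pid for pid in image if pid not in child_pids]
    return image, children, roots


def normalize(path):
    """Drop the NT object-manager prefix and lower-case so directory checks are uniform."""
    p = path.strip().strip('"')
    if p.startswith("\\??\\"):
        p = p[4:]
    return p.lower()


def is_masquerading(path):
    """True when a Windows system-binary name runs from outside C:\\Windows."""
    p = normalize(path)
    name = p.rsplit("\\", 1)[-1]
    return name in SYSTEM_NAMES and not p.startswith("c:\\windows\\")


def render(image, children, roots):
    """Indented lineage, one line per PID, with masquerading images tagged."""
    lines = []

    def walk(pid, depth):
        tag = "  [MASQUERADE]" if is_masquerading(image[pid]) else ""
        lines.append(f"{'  ' * depth}{pid}  {image[pid]}{tag}")
        for child in children.get(pid, []):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return lines


if __name__ == "__main__":
    image, children, roots = build_tree(parse_edges(ROWS))
    print("\n".join(render(image, children, roots)))
```

Run stand-alone it prints two trees: one rooted at NumChai.exe (2760) that fans out into two Setup.exe instances and the space-named copy, and one rooted at version.exe (4504), whose parent is not in the table. The cmstp.exe child of the dropped explorer.exe keeps its `\??\` prefix, which is why normalize() strips it before the directory check.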

Processes

C:\Users\Admin\AppData\Local\Temp\NumChai.exe

"C:\Users\Admin\AppData\Local\Temp\NumChai.exe"

C:\Users\Admin\AppData\Local\Temp\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

C:\Users\Admin\AppData\Local\Temp\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

C:\Users\Admin\AppData\Local\Temp\NumChai .exe

"C:\Users\Admin\AppData\Local\Temp\NumChai .exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"

C:\Users\Admin\AppData\Local\Temp\NumChai .exe

"C:\Users\Admin\AppData\Local\Temp\NumChai .exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"

\??\c:\windows\system32\cmstp.exe

"c:\windows\system32\cmstp.exe" /au C:\Users\Admin\AppData\Local\Temp\zbdahnpc.inf

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cortana.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\OneDrive.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SystemSettings.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe

C:\Windows\system32\taskkill.exe

taskkill /IM cmstp.exe /F

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SystemSettings.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cortana.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\OneDrive.exe
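Several of the command lines above are worth a detection rule on their own: five Add-MpPreference calls that exclude paths under %APPDATA% from Defender scanning, cmstp.exe run with /au against an .inf in the user's Temp directory, a forced taskkill of cmstp.exe afterwards, and an image named "NumChai .exe" (space before the extension) that sits beside NumChai.exe. The script below is an added example, not part of the report: it runs a handful of command-line rules over entries copied from the Processes list and returns the findings, including the full list of paths the sample asked Defender to stop scanning. Rule names and the ATT&CK IDs attached to them are my labels, not something the sandbox emitted.

```python
import re

# Command lines copied from the Processes list of this report (a constructed
# subset). The same field exists in any process-creation log (Sysmon event 1,
# Security 4688 with command-line auditing, EDR telemetry).
COMMAND_LINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\NumChai.exe"',
    r'"C:\Users\Admin\AppData\Local\Temp\NumChai .exe"',
    r'"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"',
    r'C:\Windows\system32\cmd.exe /c cls',
    r'"c:\windows\system32\cmstp.exe" /au C:\Users\Admin\AppData\Local\Temp\zbdahnpc.inf',
    r'"C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe',
    r'taskkill /IM cmstp.exe /F',
    r'PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe',
    r'PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cortana.exe',
]

# Rule patterns. Paths are taken as one non-space token, which is what this
# sample uses; a quoted path containing spaces would need a quote-aware capture.
DEFENDER_EXCL = re.compile(r"add-mppreference\s+-exclusion(?:path|process|extension)\s+(\S+)", re.I)
CMSTP_INF = re.compile(r'cmstp\.exe"?\s+/(?:au|s)\s+(\S+\.inf)', re.I)
TASKKILL_IM = re.compile(r"\btaskkill\b.*?/im\s+(\S+)", re.I)
TASKKILL_F = re.compile(r"\s/f\b", re.I)
HIDDEN_PS = re.compile(r"powershell(?:\.exe)?\s.*-windowstyle\s+hidden", re.I)
SPACED_EXT = re.compile(r"\s\.[A-Za-z0-9]+$")


def image_path(cmdline):
    """The process image as written: the quoted first token, else the first whitespace-delimited one."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split(None, 1)[0]


def triage(cmdline):
    """Return (rule, detail) findings for one command line; an empty list means no rule fired."""
    hits = []
    img = image_path(cmdline)
    if SPACED_EXT.search(img.rsplit("\\", 1)[-1]):   # "NumChai .exe": look-alike beside NumChai.exe
        hits.append(("spaced-filename", img))
    m = DEFENDER_EXCL.search(cmdline)
    if m:                                            # Defender exclusion added from the command line
        hits.append(("T1562.001 defender-exclusion", m.group(1)))
    m = CMSTP_INF.search(cmdline)
    if m:                                            # cmstp.exe running an attacker-supplied .inf
        hits.append(("T1218.003 cmstp-inf", m.group(1)))
    m = TASKKILL_IM.search(cmdline)
    if m and TASKKILL_F.search(cmdline):             # forced kill of a named process
        hits.append(("taskkill-force", m.group(1)))
    if HIDDEN_PS.search(cmdline):                    # PowerShell told to hide its window
        hits.append(("hidden-powershell", cmdline))
    return hits


def triage_all(cmdlines):
    return [hit for c in cmdlines for hit in triage(c)]


def rule_counts(findings):
    counts = {}
    for rule, _ in findings:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


def exclusion_paths(findings):
    """Every path the sample asked Defender to stop scanning, in order of appearance."""
    return [detail for rule, detail in findings if rule == "T1562.001 defender-exclusion"]


if __name__ == "__main__":
    found = triage_all(COMMAND_LINES)
    for rule, detail in found:
        print(f"{rule:32} {detail}")
    print("Defender exclusions:", exclusion_paths(found))
```

The exclusion list is the piece an incident responder wants first: every path in it is a location the sample intends to drop something into, so those directories should be collected and the exclusions removed (Remove-MpPreference) during cleanup. Note that the cmstp rule only looks at the /au and /s switches; the .inf itself is what carries the command, and it is not in the report.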

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 254.21.238.8.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 proxy-cheap.blogspot.com udp
NL 142.251.36.33:443 proxy-cheap.blogspot.com tcp
US 8.8.8.8:53 amazonhost.thedreamsop.com udp
US 107.180.2.24:80 amazonhost.thedreamsop.com tcp
US 8.8.8.8:53 33.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 24.2.180.107.in-addr.arpa udp
NL 142.251.36.33:443 proxy-cheap.blogspot.com tcp
US 107.180.2.24:80 amazonhost.thedreamsop.com tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 ucpanel.hackcrack.io udp
US 209.25.141.181:3914 ucpanel.hackcrack.io tcp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 209.25.141.181:3914 ucpanel.hackcrack.io tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 209.25.141.181:3914 ucpanel.hackcrack.io tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 209.25.141.181:3914 ucpanel.hackcrack.io tcp
US 209.25.141.181:3914 ucpanel.hackcrack.io tcp
US 8.8.8.8:53 169.117.168.52.in-addr.arpa udp
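Most rows in the Network table are reverse (in-addr.arpa) lookups sent to the sandbox's resolver; they are background noise and should not be turned into indicators. What is left is three resolved names and three contacted endpoints, one of them on TCP 3914. The script below is an added example, not part of the report: it parses rows copied from the table, discards PTR lookups, separates name resolution from actual connections, counts sessions per endpoint and flags anything on a port other than 80 or 443.

```python
import re
from collections import OrderedDict

# Rows copied from the Network table of this report (a constructed subset in
# the same "Country Destination Domain Proto" layout).
NETWORK_ROWS = """
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 proxy-cheap.blogspot.com udp
NL 142.251.36.33:443 proxy-cheap.blogspot.com tcp
US 8.8.8.8:53 amazonhost.thedreamsop.com udp
US 107.180.2.24:80 amazonhost.thedreamsop.com tcp
US 8.8.8.8:53 33.36.251.142.in-addr.arpa udp
NL 142.251.36.33:443 proxy-cheap.blogspot.com tcp
US 8.8.8.8:53 ucpanel.hackcrack.io udp
US 209.25.141.181:3914 ucpanel.hackcrack.io tcp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 209.25.141.181:3914 ucpanel.hackcrack.io tcp
"""

ROW_RE = re.compile(r"^([A-Z]{2})\s+(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s+(\S+)\s+(tcp|udp)$")
RESOLVER_PORT = 53
STANDARD_PORTS = {80, 443}   # anything else on TCP is worth a second look


def parse_rows(text):
    """One dict per row; lines that do not fit the layout are ignored."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append({"country": m[1], "ip": m[2], "port": int(m[3]),
                         "domain": m[4], "proto": m[5]})
    return rows


def summarize(rows):
    """Split the table into names the sample resolved and endpoints it actually contacted.

    PTR (in-addr.arpa) lookups are dropped: the sandbox's reverse lookups of
    whatever it talks to are background noise, not sample activity.
    """
    queried = []
    endpoints = OrderedDict()
    for r in rows:
        if r["domain"].endswith(".in-addr.arpa"):
            continue
        if r["proto"] == "udp" and r["port"] == RESOLVER_PORT:
            if r["domain"] not in queried:
                queried.append(r["domain"])
            continue
        key = "%s:%d" % (r["ip"], r["port"])
        e = endpoints.setdefault(key, {"domain": r["domain"], "proto": r["proto"],
                                       "country": r["country"], "sessions": 0,
                                       "standard_port": r["port"] in STANDARD_PORTS})
        e["sessions"] += 1
    return queried, endpoints


def candidates(endpoints):
    """Endpoints on a port other than 80/443; a RAT's C2 listener usually looks like this."""
    return [key for key, e in endpoints.items() if not e["standard_port"]]


if __name__ == "__main__":
    queried, endpoints = summarize(parse_rows(NETWORK_ROWS))
    print("resolved:", ", ".join(queried))
    for key, e in endpoints.items():
        flag = "  <-- non-standard port" if not e["standard_port"] else ""
        print(f"{key:24} {e['domain']:32} {e['proto']} x{e['sessions']}{flag}")
```

Two caveats when turning this into blocking rules: 142.251.36.33 is shared Google hosting behind blogspot.com, so block the full hostname rather than the IP, and the repeated sessions to 209.25.141.181:3914 over a two-minute run are the beaconing pattern to look for in proxy or NetFlow data, not a single hit.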

Files

memory/2760-0-0x00007FFDCA430000-0x00007FFDCAEF1000-memory.dmp

memory/2760-1-0x0000000000640000-0x00000000017E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Setup.exe

MD5 6d5ad2adce366350200958c37f08a994
SHA1 3cc290b3684d9667ab729708a0803236ba2c6c3b
SHA256 c0b6c7b060ba8b898777ce72e4a2d0b0a9df4591dddd10037762da40e6887fc2
SHA512 dc5f7a54c31451377a48fb3e16b23b27a269f8ffd91d1a6a11a7c64b3c53dddaab8cdf7932a1a7776e74a6985b83370ac5e067f03401cd1343dc0ebd3b388196

memory/3088-15-0x00007FFDCA430000-0x00007FFDCAEF1000-memory.dmp

memory/3088-14-0x0000000000950000-0x00000000009C8000-memory.dmp

memory/3088-16-0x000000001B770000-0x000000001B780000-memory.dmp

memory/3088-17-0x000000001B4D0000-0x000000001B4FA000-memory.dmp

memory/1096-31-0x00007FFDCA430000-0x00007FFDCAEF1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\NumChai .exe

MD5 1c02b4003f07b44d5fb1f5742a4e97ef
SHA1 c68c50e2ca784c4be9e7735a68bca2c0fb4aa194
SHA256 dce88399b77de48a09c13d74b0bfe52df351b64ea2fbf29e607dbd4216d893ca
SHA512 4d93c20665b58c206108d6d077e0742a687cf8e61278082e7110fdca05a4adede6b19edd5d8f2eff9607201c7d3e6fbc11fed5521a99c4df4d8fa844db780ada

memory/1096-32-0x000000001B270000-0x000000001B280000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe

MD5 5e24e97bbc8354e13ee3ab70da2f3af6
SHA1 b52c0f3b18600e472d848d028af60c1c4860bf64
SHA256 69d3cf6c83d6b21abbe13ea46f6fa0462c564712ddad17b9151ac36db85486fe
SHA512 137ee2c034d5c6cb8b504412a73fb143fc4ce9bedd069b3d50f974fe7cc84c01e24f056793961d66c187d7369cbd8e422a5500a0a3d908fc0ba7e4f2c2ffdce4

memory/2760-37-0x00007FFDCA430000-0x00007FFDCAEF1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Setup.exe.log

MD5 7ca69c3a50dd1e107b36424371d545aa
SHA1 af96b7133f339588b8de9e29be762dd8fbe2da08
SHA256 fb56bfa6682034270cd833c70e9ab03a606372aef15b2e305da0318873394664
SHA512 bf3b5a590335e671cd44f244bf20fc30028a56c55f69f4f8b0a46aba787b248c343391998ed5267b5ca9aa0075697e169056120c18837ddc3ca97c5ace83c6fd

memory/3088-113-0x00007FFDCA430000-0x00007FFDCAEF1000-memory.dmp

memory/1080-105-0x00007FFDCA430000-0x00007FFDCAEF1000-memory.dmp

memory/1096-116-0x00007FFDCA430000-0x00007FFDCAEF1000-memory.dmp

memory/4884-115-0x00007FFDCA430000-0x00007FFDCAEF1000-memory.dmp

memory/4884-114-0x0000000000BD0000-0x0000000000BD8000-memory.dmp

memory/1080-95-0x0000000000430000-0x0000000000486000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.zip

MD5 7aab652d35430e2e1d729ecb05ea5ca9
SHA1 ee62209051edc6d7b28f96a6778a9adca1a2f002
SHA256 e73bff46b259d1ec50010187801abe32589d3e410b5c78178b3c8522361caeaa
SHA512 3015eb70ba6ea44cae0337a09081d00a162eb6e0d9d7f6be313e43035310116dad0ec658b1462368b33e33b9a6ff077c4363a2da509a79a6ae01708784dd2a19

C:\Users\Admin\AppData\Local\Temp\_MEI9202\ucrtbase.dll

MD5 298e85be72551d0cdd9ed650587cfdc6
SHA1 5a82bcc324fb28a5147b4e879b937fb8a56b760c
SHA256 eb89af5911a60d892a685181c397d32b72c61dc2ad77dd45b8cac0fbb7602b84
SHA512 3fafea5ff0d0b4e07f6354c37b367ada4da1b607186690c732364518a93c3fd2f5004014c9c3d23dde28db87d1cb9ae1259cda68b9ba757db59a59d387ac4e02

C:\Users\Admin\AppData\Local\Temp\_MEI9202\python310.dll

MD5 e9c0fbc99d19eeedad137557f4a0ab21
SHA1 8945e1811ceb4b26f21edcc7a36dcf2b1d34f0bf
SHA256 5783c5c5a3ffce181691f19d27de376a03010d32e41360b72bcdbd28467cfcc5
SHA512 74e1289683642ae2bc3cf780a07af1f27fed2011ef6cc67380f9c066c59d17a2fb2394a45a5c6cd75dad812a61093fdbd0f2108925f5c58fc6644c1c98be5c0b

C:\Users\Admin\AppData\Local\Temp\_MEI9202\VCRUNTIME140.dll

MD5 f34eb034aa4a9735218686590cba2e8b
SHA1 2bc20acdcb201676b77a66fa7ec6b53fa2644713
SHA256 9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1
SHA512 d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af

C:\Users\Admin\AppData\Local\Temp\_MEI9202\base_library.zip

MD5 e9c4d669436f6cdfddfc1175e3e18dbe
SHA1 850c3f14cbe01ab7b7fe06bcd1733514a1eb5e20
SHA256 19ff6b5f37c1f654e9a15a411f7b9ba2bd7fcf00cc9637df3ebb640166d8eda3
SHA512 45a62bc2d618ab4ac0a4d7031742a4c4233fc370f43c322b25777157df7c7bb25a39e157cbf85b1397905e77337c9067b3eb78b7c5a84fd6ae101ebdee44e32f

C:\Users\Admin\AppData\Local\Temp\_MEI9202\libffi-7.dll

MD5 eef7981412be8ea459064d3090f4b3aa
SHA1 c60da4830ce27afc234b3c3014c583f7f0a5a925
SHA256 f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081
SHA512 dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

C:\Users\Admin\AppData\Local\Temp\_MEI9202\select.pyd

MD5 994a6348f53ceea82b540e2a35ca1312
SHA1 8d764190ed81fd29b554122c8d3ae6bf857e6e29
SHA256 149427a8d58373351955ee01a1d35b5ab7e4c6ac1a312daa9ba8c72b7e5ac8a4
SHA512 b3dfb4672f439fa43e29e5b1ababca74f6d53ea4bad39dfe91f59382e23dbb2a3aea2add544892e3fcd83e3c5357ee7f09fe8ab828571876f68d76f1b1fcee2f

C:\Users\Admin\AppData\Local\Temp\_MEI9202\libssl-1_1.dll

MD5 de72697933d7673279fb85fd48d1a4dd
SHA1 085fd4c6fb6d89ffcc9b2741947b74f0766fc383
SHA256 ed1c8769f5096afd000fc730a37b11177fcf90890345071ab7fbceac684d571f
SHA512 0fd4678c65da181d7c27b19056d5ab0e5dd0e9714e9606e524cdad9e46ec4d0b35fe22d594282309f718b30e065f6896674d3edce6b3b0c8eb637a3680715c2c

C:\Users\Admin\AppData\Local\Temp\_MEI9202\libcrypto-1_1.dll

MD5 ab01c808bed8164133e5279595437d3d
SHA1 0f512756a8db22576ec2e20cf0cafec7786fb12b
SHA256 9c0a0a11629cced6a064932e95a0158ee936739d75a56338702fed97cb0bad55
SHA512 4043cda02f6950abdc47413cfd8a0ba5c462f16bcd4f339f9f5a690823f4d0916478cab5cae81a3d5b03a8a196e17a716b06afee3f92dec3102e3bbc674774f2

C:\Users\Admin\AppData\Local\Temp\_MEI9202\_queue.pyd

MD5 c8a1f1dc297b6dd10c5f7bc64f907d38
SHA1 be0913621e5ae8b04dd0c440ee3907da9cf6eb72
SHA256 827a07b27121200ed9fb2e9efd13ccbf57ca7d32d9d9d1619f1c303fb4d607b7
SHA512 e5f07935248f8d57b1f61fe5de2105b1555c354dd8dd98f0cff21b08caba17b66272a093c185ca025edb503690ba81d5fa8b7443805a07338b25063e2f7ea1b1

C:\Users\Admin\AppData\Local\Temp\_MEI9202\unicodedata.pyd

MD5 c01a5ce36dd1c822749d8ade8a5e68ca
SHA1 a021d11e1eb7a63078cbc3d3e3360d6f7e120976
SHA256 0f27f26d1faa4f76d4b9d79ad572a3d4f3bbe8020e2208d2f3b9046e815b578a
SHA512 3d4e70a946f69633072a913fe86bada436d0c28aca322203aa5ec9d0d7ae111129516d7adb3fdeef6b1d30b50c86c1de2c23a1bc9fba388474b9d9131c1e5d38

C:\Users\Admin\AppData\Local\Temp\_MEI9202\tcl86t.dll

MD5 75909678c6a79ca2ca780a1ceb00232e
SHA1 39ddbeb1c288335abe910a5011d7034345425f7d
SHA256 fbfd065f861ec0a90dd513bc209c56bbc23c54d2839964a0ec2df95848af7860
SHA512 91689413826d3b2e13fc7f579a71b676547bc4c06d2bb100b4168def12ab09b65359d1612b31a15d21cb55147bbab4934e6711351a0440c1533fb94fe53313bf

C:\Users\Admin\AppData\Local\Temp\_MEI9202\tk86t.dll

MD5 4b6270a72579b38c1cc83f240fb08360
SHA1 1a161a014f57fe8aa2fadaab7bc4f9faaac368de
SHA256 cd2f60075064dfc2e65c88b239a970cb4bd07cb3eec7cc26fb1bf978d4356b08
SHA512 0c81434d8c205892bba8a4c93ff8fc011fb8cfb72cfec172cf69093651b86fd9837050bd0636315840290b28af83e557f2205a03e5c344239356874fce0c72b9

C:\Users\Admin\AppData\Local\Temp\_MEI9202\tcl\encoding\cp1252.enc

MD5 e9117326c06fee02c478027cb625c7d8
SHA1 2ed4092d573289925a5b71625cf43cc82b901daf
SHA256 741859cf238c3a63bbb20ec6ed51e46451372bb221cfff438297d261d0561c2e
SHA512 d0a39bc41adc32f2f20b1a0ebad33bf48dfa6ed5cc1d8f92700cdd431db6c794c09d9f08bb5709b394acf54116c3a1e060e2abcc6b503e1501f8364d3eebcd52

C:\Users\Admin\AppData\Local\Temp\_MEI9202\lxml\etree.cp310-win_amd64.pyd

MD5 da566fba4cc4371446fbd2a210b14d91
SHA1 f6b1718cad1249182c495b540adf5f1cfa2418aa
SHA256 5be41a4d5d0b2991408a4e987703c8c666b7f1d50797f0149dbfba02dc2e43c6
SHA512 b661133fba0509d70f625e9dddb908732d3a326411f68b20c7cafd86d33093d312a95eee750b57693cb349781d2dd4176be76ee4d715920d3d6d292ae51779f7

C:\Users\Admin\AppData\Local\Temp\_MEI9202\lxml\_elementpath.cp310-win_amd64.pyd

MD5 3c211c05c085c100fc3fae1e7d983abc
SHA1 fdf9ffac4af54541eedbe46b9f733b513be03157
SHA256 13ce41b1370dfa90be90691b1fcbab186172d90573a6aaf73e4068d9a17b95bf
SHA512 2e196fb09e6608e9e81e224a0c2ff903870170fb31ed67e76805ba1badf288dcb85aeacf5241016df1e9c9682fed5ead7cb42586735b912653219c2540ac814e

C:\Users\Admin\AppData\Local\Temp\_MEI9202\pyexpat.pyd

MD5 4cb923b0d757fe2aceebf378949a50e7
SHA1 688bbbae6253f0941d52faa92dedd4af6f1dfc3b
SHA256 e41cff213307b232e745d9065d057bcf36508f3a7150c877359800f2c5f97cfc
SHA512 9e88542d07bd91202fcf13b7d8c3a2bbd3d78e60985b45f4fa76c6cd2a2abdee2a0487990bea0713f2ad2a762f120411c3fbbfaa71ef040774512da8f6328047

C:\Users\Admin\AppData\Local\Temp\_MEI9202\_elementtree.pyd

MD5 48bb37c91df6f86179885582dabd1c4c
SHA1 94f50a9a2a401dc0aa2fb3dde03e05fb887a40ee
SHA256 fecc11695287d3972ab854530fc83445eee323f82074e2bef7f86ab4949b6497
SHA512 bdecf79bcdb692d887593ebc3d8280458709b53b728b6c641fbf113738a552aedf05513a41a9a23c4971a428b7a3028f9e02dbf12d774e0e510e13e435f8132e

C:\Users\Admin\AppData\Local\Temp\_MEI9202\_tkinter.pyd

MD5 5954a0102a4c2e6e0f71ceb2f6259fc9
SHA1 99b96da37baee75f0ab2d2165c8f194f26aa2041
SHA256 3ddcdec7a7a9b01f1af5a57f3cd66ae68883416fa7fb6aa7fa51b9cf1c24bf07
SHA512 5a986b2d931ea09048bce1d5816e9c8aaa63aeae48e4b5d844013e16a0229207553b4aabb4a790f55bcc5f5e0fabc5c819045b22d1d2e0eec9fe7ddcf1cba94d

C:\Users\Admin\AppData\Local\Temp\_MEI9202\_lzma.pyd

MD5 afff5db126034438405debadb4b38f08
SHA1 fad8b25d9fe1c814ed307cdfddb5cd6fe778d364
SHA256 75d450e973cd1ccbd0f9a35ba0d7e6d644125eb311cc432bb424a299d9a52ee0
SHA512 3334d2ad9811e3be70b5a9fd84bc725c717a3ac59e2fd87e178cb39ac9172db7f9ec793011c4e613a89773b4f2425be66d44a21145a9051bed35f55a483759cc

C:\Users\Admin\AppData\Local\Temp\_MEI9202\_bz2.pyd

MD5 d61719bf7f3d7cdebdf6c846c32ddaca
SHA1 eda22e90e602c260834303bdf7a3c77ab38477d0
SHA256 31dd9bfb64b1bee8faf925296028e2af907e6d933a83ddc570ebc82d11c43cfb
SHA512 e6c7eab95c18921439f63a30f76313d8380e66bd715afc44a89d386ae4e80c980c2632c170a445bad7446ee5f2c3ee233ccc7333757358340d551e664204e21f

C:\Users\Admin\AppData\Local\Temp\_MEI9202\_hashlib.pyd

MD5 0d75220cf4691af4f97ebcbd9a481c62
SHA1 dadc3d5476c83668a715750ed80176dbbb536ec7
SHA256 9da79abfed52c7432a25a513f14134f3782c73ec7142e2d90223610eaef54303
SHA512 c00bd7a768e2eef7956d05f10330f3669b279866221085f9e9b97c4e553bb44356d041e29fd4337142ccbdf4e200769d69a235c1c5ddeb6fc64d537629eac112

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.zip

MD5 686d03fbc624a93390efef9bc330e279
SHA1 63b48615b42558000a04795d3499b91df174d9b6
SHA256 b29ffc1e59fdf31f3a95e79499623d9ec856186f204b3b2340baf69a4bd70d70
SHA512 bbbf62784b951a60553fbad0a903f22e442a015171daaa7d7ac8499ef86a4522af29bb57a7ad96cc1c6f9ae3bf22daafad24a27521bf80e48ab85733237e3e69

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe

MD5 6d78acbcbb8d77547e8956bdd6b19e0e
SHA1 ff5baeccc5b4fe4ebbbe6b156ff20ba1e794627c
SHA256 bff2704e9379a61eae54b65d1f815dacf0ceae99f140a1eafcc94b020abbf9a3
SHA512 0903e02f7d0b964d66bfecde0763a7d604b256c84d7fed04e675366953a6f81b5b8fd9ac47538baf6e5df90a2f3f178d7ff1cfab41c22cc896b42f3bbf607118

C:\Users\Admin\AppData\Local\Temp\_MEI9202\_ssl.pyd

MD5 80f2475d92ad805439d92cba6e657215
SHA1 20aa5f43ca83b3ff07e38b00d5fbd0cf3d7dbbab
SHA256 41278e309382c79356c1a4daf6dbb5819441d0c6e64981d031cda077bb6f1f79
SHA512 618cd6ca973a0b04159a7c83f1f0cda5db126a807982983fea68f343c21e606a3cdb60b95a2b07f4d9379149d844755b9767fea0a64dd1d4451ab894a1f865b5

C:\Users\Admin\AppData\Local\Temp\_MEI9202\_socket.pyd

MD5 f59ddb8b1eeac111d6a003f60e45b389
SHA1 e4e411a10c0ad4896f8b8153b826214ed8fe3caa
SHA256 9558dda6a3f6ad0c3091d643e2d3bf5bf20535904f691d2bdb2ce78edf46c2da
SHA512 873c6841ebf38b217465f1ead02b46a8823ef1de67d6608701e30faf5024ed00ab3c4cc4aa8c4836552ecdb16c7470fe965cf76f26ee88615746d456ff6a2bcf

C:\Users\Admin\AppData\Local\Temp\_MEI9202\_ctypes.pyd

MD5 3fc444a146f7d667169dcb4f48760f49
SHA1 350a1300abc33aa7ca077daba5a883878a3bca19
SHA256 b545db2339ae74c523363b38835e8324799720f744c64e7142ddd48e4b619b68
SHA512 1609f792583c6293abddf7f7376ffa0d33a7a895de4d8b2ecebaede74e8850b225b3bf0998b056e40e4ebffb5c97babccf52d3184b2b05072c0dbb5dcb1866f8

C:\Users\Admin\AppData\Local\Temp\_MEI9202\python3.dll

MD5 704d647d6921dbd71d27692c5a92a5fa
SHA1 6f0552ce789dc512f183b565d9f6bf6bf86c229d
SHA256 a1c5c6e4873aa53d75b35c512c1cbadf39315deeec21a3ada72b324551f1f769
SHA512 6b340d64c808388fe95e6d632027715fb5bd801f013debaaa97e5ecb27a6f6ace49bf23648517dd10734daff8f4f44969cff2276010bf7502e79417736a44ec4

C:\Users\Admin\AppData\Local\Temp\_MEI9202\python3.DLL

MD5 704d647d6921dbd71d27692c5a92a5fa
SHA1 6f0552ce789dc512f183b565d9f6bf6bf86c229d
SHA256 a1c5c6e4873aa53d75b35c512c1cbadf39315deeec21a3ada72b324551f1f769
SHA512 6b340d64c808388fe95e6d632027715fb5bd801f013debaaa97e5ecb27a6f6ace49bf23648517dd10734daff8f4f44969cff2276010bf7502e79417736a44ec4

memory/1080-1128-0x00007FFDCA430000-0x00007FFDCAEF1000-memory.dmp

memory/4884-1129-0x00007FFDCA430000-0x00007FFDCAEF1000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe

MD5 6d78acbcbb8d77547e8956bdd6b19e0e
SHA1 ff5baeccc5b4fe4ebbbe6b156ff20ba1e794627c
SHA256 bff2704e9379a61eae54b65d1f815dacf0ceae99f140a1eafcc94b020abbf9a3
SHA512 0903e02f7d0b964d66bfecde0763a7d604b256c84d7fed04e675366953a6f81b5b8fd9ac47538baf6e5df90a2f3f178d7ff1cfab41c22cc896b42f3bbf607118

memory/1080-1133-0x00007FFDCA430000-0x00007FFDCAEF1000-memory.dmp

memory/1444-1134-0x0000000000AA0000-0x0000000000AC8000-memory.dmp

memory/1444-1132-0x00007FFDCA430000-0x00007FFDCAEF1000-memory.dmp

memory/1444-1136-0x0000000001070000-0x000000000107E000-memory.dmp

memory/1444-1135-0x000000001B920000-0x000000001B930000-memory.dmp

memory/1444-1140-0x000000001B920000-0x000000001B930000-memory.dmp

memory/1444-1141-0x000000001B920000-0x000000001B930000-memory.dmp

memory/1444-1142-0x0000000002D20000-0x0000000002D2C000-memory.dmp

memory/4504-1145-0x00007FFDCA430000-0x00007FFDCAEF1000-memory.dmp

memory/4504-1144-0x00000000006D0000-0x00000000006DA000-memory.dmp

memory/4884-1147-0x00007FFDCA430000-0x00007FFDCAEF1000-memory.dmp

memory/1888-1146-0x00007FFDCA430000-0x00007FFDCAEF1000-memory.dmp

memory/1888-1148-0x0000000002E80000-0x0000000002E90000-memory.dmp

memory/4504-1150-0x00007FFDCA430000-0x00007FFDCAEF1000-memory.dmp

memory/4420-1152-0x0000027EB72C0000-0x0000027EB72D0000-memory.dmp

memory/4420-1153-0x0000027EB72C0000-0x0000027EB72D0000-memory.dmp

memory/4420-1151-0x00007FFDCA430000-0x00007FFDCAEF1000-memory.dmp

memory/3092-1154-0x0000025E27130000-0x0000025E27140000-memory.dmp

memory/3092-1155-0x0000025E27130000-0x0000025E27140000-memory.dmp

memory/840-1157-0x0000026EF7720000-0x0000026EF7730000-memory.dmp

memory/840-1158-0x0000026EF7720000-0x0000026EF7730000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4zwo1qxj.eh3.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1444-1165-0x00007FFDCA430000-0x00007FFDCAEF1000-memory.dmp

memory/3092-1164-0x00007FFDCA430000-0x00007FFDCAEF1000-memory.dmp

memory/4420-1170-0x0000027EB7250000-0x0000027EB7272000-memory.dmp

memory/840-1171-0x00007FFDCA430000-0x00007FFDCAEF1000-memory.dmp

memory/3820-1190-0x00007FFDCA430000-0x00007FFDCAEF1000-memory.dmp

memory/3820-1191-0x00000153C5EE0000-0x00000153C5EF0000-memory.dmp

memory/4832-1210-0x00007FFDCA430000-0x00007FFDCAEF1000-memory.dmp

memory/4832-1211-0x00000193D5730000-0x00000193D5740000-memory.dmp

memory/4832-1212-0x00000193D5730000-0x00000193D5740000-memory.dmp

memory/4832-1213-0x00000193D5730000-0x00000193D5740000-memory.dmp

memory/3820-1214-0x00000153C5EE0000-0x00000153C5EF0000-memory.dmp

memory/4420-1215-0x0000027EB72C0000-0x0000027EB72D0000-memory.dmp

memory/840-1216-0x0000026EF7720000-0x0000026EF7730000-memory.dmp

memory/1888-1217-0x00007FFDCA430000-0x00007FFDCAEF1000-memory.dmp

memory/4420-1219-0x0000027EB72C0000-0x0000027EB72D0000-memory.dmp

memory/1888-1220-0x0000000002E80000-0x0000000002E90000-memory.dmp

memory/3820-1218-0x00000153C5EE0000-0x00000153C5EF0000-memory.dmp

memory/4420-1221-0x0000027EB72C0000-0x0000027EB72D0000-memory.dmp

memory/4420-1222-0x0000027EB72C0000-0x0000027EB72D0000-memory.dmp

memory/3092-1228-0x0000025E27130000-0x0000025E27140000-memory.dmp

memory/3092-1229-0x0000025E27130000-0x0000025E27140000-memory.dmp

memory/3820-1227-0x00007FFDCA430000-0x00007FFDCAEF1000-memory.dmp

memory/3092-1231-0x0000025E27130000-0x0000025E27140000-memory.dmp

memory/4832-1233-0x00007FFDCA430000-0x00007FFDCAEF1000-memory.dmp

memory/840-1232-0x0000026EF7720000-0x0000026EF7730000-memory.dmp

memory/4420-1226-0x00007FFDCA430000-0x00007FFDCAEF1000-memory.dmp