Malware Analysis Report

2024-11-30 12:28

Sample ID 231007-yap8haeh5t
Target source_prepared.exe
SHA256 4efa2108e611dab965df193b27f7c222d7dff5f909d3a7374b087eb73e00bab6
Tags pyinstaller pysilon persistence
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 4efa2108e611dab965df193b27f7c222d7dff5f909d3a7374b087eb73e00bab6

Threat Level: Known bad

The file source_prepared.exe was found to be: Known bad.

Malicious Activity Summary

pyinstaller pysilon persistence

Detect Pysilon

Pysilon family

Enumerates VirtualBox DLL files

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Detects Pyinstaller

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Checks SCSI registry key(s)

Kills process with taskkill

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-07 19:35

Signatures

Detect Pysilon

Description Indicator Process Target
N/A N/A N/A N/A

Pysilon family

Tags pysilon

Detects Pyinstaller

Tags pyinstaller

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-07 19:35

Reported

2023-10-07 19:38

Platform

win10v2004-20230915-en

Max time kernel

152s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\source_prepared.exe"

Signatures

Enumerates VirtualBox DLL files

Description Indicator Process Target
File opened (read-only) C:\windows\system32\vboxhook.dll C:\Users\Admin\tactu\sugus.exe N/A
File opened (read-only) C:\windows\system32\vboxmrxnp.dll C:\Users\Admin\tactu\sugus.exe N/A
File opened (read-only) C:\windows\system32\vboxhook.dll C:\Users\Admin\AppData\Local\Temp\source_prepared.exe N/A
File opened (read-only) C:\windows\system32\vboxmrxnp.dll C:\Users\Admin\AppData\Local\Temp\source_prepared.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\tactu\sugus.exe N/A (2 identical entries)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\source_prepared.exe N/A (64 identical entries)

Adds Run key to start application

Tags persistence

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mata = "C:\\Users\\Admin\\tactu\\sugus.exe" C:\Users\Admin\AppData\Local\Temp\source_prepared.exe N/A

Legitimate hosting services abused for malware hosting/C2

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A

Kills process with taskkill

Tags evasion

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A (42 entries)
N/A N/A C:\Users\Admin\AppData\Local\Temp\source_prepared.exe N/A (8 entries)
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (6 entries)
N/A N/A C:\Users\Admin\tactu\sugus.exe N/A (8 entries)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\tactu\sugus.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\source_prepared.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\tactu\sugus.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A (64 identical entries)

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A (64 identical entries)

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\tactu\sugus.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3516 wrote to memory of 3156 N/A C:\Users\Admin\AppData\Local\Temp\source_prepared.exe C:\Users\Admin\AppData\Local\Temp\source_prepared.exe (2 entries)
PID 3156 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\source_prepared.exe C:\Windows\system32\cmd.exe (2 entries)
PID 3156 wrote to memory of 4768 N/A C:\Users\Admin\AppData\Local\Temp\source_prepared.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (2 entries)
PID 3156 wrote to memory of 5432 N/A C:\Users\Admin\AppData\Local\Temp\source_prepared.exe C:\Windows\system32\cmd.exe (2 entries)
PID 5432 wrote to memory of 5892 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\tactu\sugus.exe (2 entries)
PID 5432 wrote to memory of 1128 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe (2 entries)
PID 5892 wrote to memory of 5808 N/A C:\Users\Admin\tactu\sugus.exe C:\Users\Admin\tactu\sugus.exe (2 entries)
PID 5808 wrote to memory of 5636 N/A C:\Users\Admin\tactu\sugus.exe C:\Windows\system32\cmd.exe (2 entries)
PID 5808 wrote to memory of 2676 N/A C:\Users\Admin\tactu\sugus.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (2 entries)

Processes

C:\Users\Admin\AppData\Local\Temp\source_prepared.exe

"C:\Users\Admin\AppData\Local\Temp\source_prepared.exe"

C:\Users\Admin\AppData\Local\Temp\source_prepared.exe

"C:\Users\Admin\AppData\Local\Temp\source_prepared.exe"

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "ver"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x4b4 0x500

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Add-MpPreference -ExclusionPath \"C:\Users\Admin\tactu\""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\tactu\activate.bat

C:\Users\Admin\tactu\sugus.exe

"sugus.exe"

C:\Windows\system32\taskkill.exe

taskkill /f /im "source_prepared.exe"

C:\Users\Admin\tactu\sugus.exe

"sugus.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "ver"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Add-MpPreference -ExclusionPath \"C:\Users\Admin\tactu\""

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 254.178.238.8.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 195.233.44.23.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 cxcs.microsoft.net udp
NL 104.110.240.91:443 www.bing.com tcp
DE 184.24.164.136:443 cxcs.microsoft.net tcp
US 8.8.8.8:53 91.240.110.104.in-addr.arpa udp
US 8.8.8.8:53 136.164.24.184.in-addr.arpa udp
US 8.8.8.8:53 9.57.101.20.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 discord.com udp
US 162.159.137.232:443 discord.com tcp
US 8.8.8.8:53 gateway.discord.gg udp
US 162.159.130.234:443 gateway.discord.gg tcp
N/A 127.0.0.1:60395 tcp
N/A 127.0.0.1:60399 tcp
N/A 127.0.0.1:60401 tcp
US 8.8.8.8:53 232.137.159.162.in-addr.arpa udp
US 8.8.8.8:53 234.130.159.162.in-addr.arpa udp
US 8.8.8.8:53 90.65.42.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp (5 identical entries)

Files

C:\Users\Admin\AppData\Local\Temp\_MEI35162\python311.dll

C:\Users\Admin\AppData\Local\Temp\_MEI35162\VCRUNTIME140.dll

C:\Users\Admin\AppData\Local\Temp\_MEI35162\base_library.zip

C:\Users\Admin\AppData\Local\Temp\_MEI35162\_ctypes.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI35162\python3.dll

C:\Users\Admin\AppData\Local\Temp\_MEI35162\_bz2.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI35162\crypto_clipper.json

C:\Users\Admin\AppData\Local\Temp\_MEI35162\libcrypto-3.dll

C:\Users\Admin\AppData\Local\Temp\_MEI35162\_hashlib.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI35162\_socket.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI35162\_uuid.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI35162\select.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI35162\libssl-3.dll

C:\Users\Admin\AppData\Local\Temp\_MEI35162\charset_normalizer\md.cp311-win_amd64.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI35162\_queue.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI35162\_ssl.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI35162\_tkinter.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI35162\_sqlite3.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI35162\_overlapped.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI35162\_multiprocessing.pyd

MD5 622a0e73779c88fc430b69caf4a39789
SHA1 f6536137e4e2cd8ec181f09b7dba5e2e4d03b392
SHA256 edfa9ee414f41448f8ffabb79f3bb8db5c25e1cfd28facf88eb5fe2d1e1d7551
SHA512 fd8d6db53b630821845dfe22b09c4335565f848a421af271797efe272baaa1ef887d735d4d5cd7d1258f2dd8f523327a67c071f7d16fc1bf53aca39bae41dff2

C:\Users\Admin\AppData\Local\Temp\_MEI35162\_hashlib.pyd

MD5 c888ecc8298c36d498ff8919cebdb4e6
SHA1 f904e1832b9d9614fa1b8f23853b3e8c878d649d
SHA256 21d59958e2ad1b944c4811a71e88de08c05c5ca07945192ab93da5065fac8926
SHA512 7161065608f34d6de32f2c70b7485c4ee38cd3a41ef68a1beacee78e4c5b525d0c1347f148862cf59abd9a4ad0026c2c2939736f4fc4c93e6393b3b53aa7c377

C:\Users\Admin\AppData\Local\Temp\_MEI35162\_elementtree.pyd

MD5 98655937168f53efd903806c20591193
SHA1 027c9d7569fbcb052da7e5b8bf7d733f517b25c7
SHA256 f5a5bb4375cbf0ac05e31bbb21d18ff352e791d726bd331bb77838707ff50037
SHA512 5ec2c37f94d198f9ac9da5d46590a0cd8587a28dd6667f2737b88146b4a9cc09986ecb79b009aace99227da00a88015f28ab3677a11396ace28b43aea2a0f959

C:\Users\Admin\AppData\Local\Temp\_MEI35162\_decimal.pyd

MD5 baaa9067639597e63b55794a757ddeff
SHA1 e8dd6b03ebef0b0a709e6cccff0e9f33c5142304
SHA256 6cd52b65e11839f417b212ba5a39f182b0151a711ebc7629dc260b532391db72
SHA512 7995c3b818764ad88db82148ea0ce560a0bbe9594ca333671b4c5e5c949f5932210edbd63d4a0e0dc2daf24737b99318e3d5daaee32a5478399a6aa1b9ee3719

C:\Users\Admin\AppData\Local\Temp\_MEI35162\_cffi_backend.cp311-win_amd64.pyd

MD5 210def84bb2c35115a2b2ac25e3ffd8f
SHA1 0376b275c81c25d4df2be4789c875b31f106bd09
SHA256 59767b0918859beddf28a7d66a50431411ffd940c32b3e8347e6d938b60facdf
SHA512 cd5551eb7afd4645860c7edd7b0abd375ee6e1da934be21a6099879c8ee3812d57f2398cad28fbb6f75bba77471d9b32c96c7c1e9d3b4d26c7fc838745746c7f

C:\Users\Admin\AppData\Local\Temp\_MEI35162\_asyncio.pyd

MD5 cee78dc603d57cb2117e03b2c0813d84
SHA1 095c98ca409e364b8755dc9cfd12e6791bf6e2b8
SHA256 6306be660d87ffb2271dd5d783ee32e735a792556e0b5bd672dc0b1c206fdadc
SHA512 7258560aa557e3e211bb9580add604b5191c769594e17800b2793239df45225a82ce440a6b9dcf3f2228ed84712912affe9bf0b70b16498489832df2dee33e7e

C:\Users\Admin\AppData\Local\Temp\_MEI35162\zlib1.dll

MD5 5eac41b641e813f2a887c25e7c87a02e
SHA1 ec3f6cf88711ef8cfb3cc439cb75471a2bb9e1b5
SHA256 b1f58a17f3bfd55523e7bef685acf5b32d1c2a6f25abdcd442681266fd26ab08
SHA512 cad34a495f1d67c4d79ed88c5c52cf9f2d724a1748ee92518b8ece4e8f2fe1d443dfe93fb9dba8959c0e44c7973af41eb1471507ab8a5b1200a25d75287d5de5

C:\Users\Admin\AppData\Local\Temp\_MEI35162\VCRUNTIME140_1.dll

MD5 7e668ab8a78bd0118b94978d154c85bc
SHA1 dbac42a02a8d50639805174afd21d45f3c56e3a0
SHA256 e4b533a94e02c574780e4b333fcf0889f65ed00d39e32c0fbbda2116f185873f
SHA512 72bb41db17256141b06e2eaeb8fc65ad4abdb65e4b5f604c82b9e7e7f60050734137d602e0f853f1a38201515655b6982f2761ee0fa77c531aa58591c95f0032

C:\Users\Admin\AppData\Local\Temp\_MEI35162\unicodedata.pyd

MD5 57f8f40cf955561a5044ddffa4f2e144
SHA1 19218025bcae076529e49dde8c74f12e1b779279
SHA256 1a965c1904da88989468852fdc749b520cce46617b9190163c8df19345b59560
SHA512 db2a7a32e0b5bf0684a8c4d57a1d7df411d8eb1bc3828f44c95235dd3af40e50a198427350161dff2e79c07a82ef98e1536e0e013030a15bdf1116154f1d8338

C:\Users\Admin\AppData\Local\Temp\_MEI35162\tk86t.dll

MD5 499fa3dea045af56ee5356c0ce7d6ce2
SHA1 0444b7d4ecd25491245824c17b84916ee5b39f74
SHA256 20139f4c327711baf18289584fa0c8112f7bb3ba55475bded21f3d107672ed94
SHA512 d776749effa241ba1415b28d2fcff1d64ed903569a8c4e56dfddd672a53b2f44119734b1959b72a9b3f4060bb2c67b7dea959cc2d4a8e9f781f17009c6840fc1

C:\Users\Admin\AppData\Local\Temp\_MEI35162\tcl86t.dll

MD5 ac6cd2fb2cd91780db186b8d6e447b7c
SHA1 b387b9b6ca5f0a2b70028ab2147789c4fe24ef7a
SHA256 a91781fe13548b89817462b00058a75fb0b607ec8ce99d265719ced573ade7b6
SHA512 45b24ca07a44d8d90e5efeded2697a37f000b39d305fe63a67292fdd237de3f8efd5e85b139b5702faa695f9f27f12f24ac497e005e2f3c24c141d7cd85305b6

C:\Users\Admin\AppData\Local\Temp\_MEI35162\sqlite3.dll

MD5 256224cc25d085663d4954be6cc8c5b5
SHA1 9931cc156642e2259dfabf0154fddf50d86e9334
SHA256 5ac6ee18cdca84c078b66055f5e9ffc6f8502e22eaf0fa54aeec92b75a3c463e
SHA512 a28abf03199f0ce9f044329f7eba2f1d8ecbc43674337aafbf173f567158ba9046036da91dc3e12c2bb1d7842953526edba14bc03f81ece63dcedcc9413213a7

C:\Users\Admin\AppData\Local\Temp\_MEI35162\select.pyd

MD5 8472d39b9ee6051c961021d664c7447e
SHA1 b284e3566889359576d43e2e0e99d4acf068e4fb
SHA256 8a9a103bc417dede9f6946d9033487c410937e1761d93c358c1600b82f0a711f
SHA512 309f1ec491d9c39f4b319e7ce1abdedf11924301e4582d122e261e948705fb71a453fec34f63df9f9abe7f8cc2063a56cd2c2935418ab54be5596aadc2e90ad3

C:\Users\Admin\AppData\Local\Temp\_MEI35162\SDL2_ttf.dll

MD5 f187dfdccc102436e27704dc572a2c16
SHA1 be4d499e66b8c4eb92480e4f520ccd8eaaa39b04
SHA256 fcdfabdfce868eb33f7514025ff59c1bb6c418f1bcd6ace2300a9cd4053e1d63
SHA512 75002d96153dfd2bfdd6291f842fb553695ef3997012dae0b9a537c95c3f3a83b844a8d1162faefcddf9e1807f3db23b1a10c2789c95dd5f6fad2286bae91afb

C:\Users\Admin\AppData\Local\Temp\_MEI35162\SDL2_mixer.dll

MD5 201aa86dc9349396b83eed4c15abe764
SHA1 1a239c479e275aa7be93c5372b2d35e98d8d8cec
SHA256 2a0fc5e9f72c2eaec3240cb82b7594a58ccda609485981f256b94d0a4dd8d6f8
SHA512 bb2cd185d1d936ceca3cc20372c98a1b1542288ad5523ff8b823fb5e842205656ec2f615f076929c69987c7468245a452238b509d37109c9bec26be5f638f3b7

C:\Users\Admin\AppData\Local\Temp\_MEI35162\SDL2_image.dll

MD5 b8d249a5e394b4e6a954c557af1b80e6
SHA1 b03bb9d09447114a018110bfb91d56ef8d5ec3bb
SHA256 1e364af75fee0c83506fbdfd4d5b0e386c4e9c6a33ddbddac61ddb131e360194
SHA512 2f2e248c3963711f1a9f5d8baea5b8527d1df1748cd7e33bf898a380ae748f7a65629438711ff9a5343e64762ec0b5dc478cdf19fbf7111dac9d11a8427e0007

C:\Users\Admin\AppData\Local\Temp\_MEI35162\SDL2.dll

MD5 0293f98e4ae63f376f293c95f197b9ce
SHA1 6e6ae66a791001399d7dde625de50799decfbe9c
SHA256 2e4e823b46e95a29ad4ce4e7134417b0cd60145fefe606920ef6dc0ebcfb0021
SHA512 0f5f7537e414fbf04e54e744bd2c0d587c920e93ac8dcca58a15fbe041e53383b66bd7b2c1cd75f3584cab435e9ddb38354cfd7d4676dcf515642de601f3ed46

C:\Users\Admin\AppData\Local\Temp\_MEI35162\pyexpat.pyd

MD5 6527063f18e8d49d04e2cc216c2f0b27
SHA1 917c349c62689f9b782a314ce4b2311b6b826606
SHA256 5604f629523125904909547a97f3cdb5dbfe33b39878bad77534de0c3c034387
SHA512 67c87d11683a0f4e1bc4083ff05edee423155f829051c3fa66cc4f2cfb98cf7374b3a06eb37095e19f5f2a6c8da83f0c0e3f7eb964694992b525f81b1b00f423

C:\Users\Admin\AppData\Local\Temp\_MEI35162\portmidi.dll

MD5 df538704b8cd0b40096f009fd5d1b767
SHA1 d2399fbb69d237d43624e987445694ec7e0b8615
SHA256 c9f8d9043ac1570b10f104f2d00aec791f56261c84ee40773be73d0a3822e013
SHA512 408de3e99bc1bfb5b10e58ae621c0f9276530913ff26256135fe44ce78016de274cbe4c3e967457eb71870aad34dfeb362058afcebfa2d9e64f05604ab1517d4

C:\Users\Admin\AppData\Local\Temp\_MEI35162\libwebp-7.dll

MD5 2c5aca898ff88eb2c9028bbeefebbd1e
SHA1 7a0048674ef614bebe6cc83b1228d670372076c9
SHA256 9a53563b6058f70f2725029b7dd2fe96f869c20e8090031cd303e994dfe07b50
SHA512 46fe8b151e3a13ab506c4fc8a9f3f0f47b21f64f37097a4f1f573b547443ed23e7b2f489807c1623fbc41015f7da11665d88690d8cd0ddd61aa53789586c5a13

C:\Users\Admin\AppData\Local\Temp\_MEI35162\libtiff-5.dll

MD5 7d40a697ca6f21a8f09468b9fce565ad
SHA1 dc3b7f7fc0d9056af370e06f1451a65e77ff07f7
SHA256 ebfe97ac5ef26b94945af3db5ffd110a4b8e92dc02559bf81ccb33f0d5ebce95
SHA512 5a195e3123f7f17d92b7eca46b9afa1ea600623ad6929ac29197447bb4d474a068fd5f61fca6731a60514125d3b0b2cafe1ff6be3a0161251a366355b660d61a

C:\Users\Admin\AppData\Local\Temp\_MEI35162\libssl-3.dll

MD5 bfc834bb2310ddf01be9ad9cff7c2a41
SHA1 fb1d601b4fcb29ff1b13b0d2ed7119bd0472205c
SHA256 41ad1a04ca27a7959579e87fbbda87c93099616a64a0e66260c983381c5570d1
SHA512 6af473c7c0997f2847ebe7cee8ef67cd682dee41720d4f268964330b449ba71398fda8954524f9a97cc4cdf9893b8bdc7a1cf40e9e45a73f4f35a37f31c6a9c3

C:\Users\Admin\AppData\Local\Temp\_MEI35162\libpng16-16.dll

MD5 3a26cd3f92436747d2285dcef1fae67f
SHA1 e3d1403be06beb32fc8dc7e8a58c31e18b586a70
SHA256 e688b4a4d18f4b6ccc99c6ca4980f51218cb825610775192d9b60b2f05eff2d5
SHA512 73d651f063246723807d837811ead30e3faca8cb0581603f264c28fea1b2bdb6d874a73c1288c7770e95463786d6945b065d4ca1cf553e08220aea4e78a6f37f

C:\Users\Admin\AppData\Local\Temp\_MEI35162\libopusfile-0.dll

MD5 245498839af5a75cd034190fe805d478
SHA1 d164c38fd9690b8649afaef7c048f4aabb51dba8
SHA256 ccaaca81810bd2d1cab4692b4253a639f8d5516996db0e24d881efd3efdcc6a4
SHA512 4181dea590cbc7a9e06729b79201aa29e8349408cb922de8d4cda555fc099b3e10fee4f5a9ddf1a22eaec8f5ede12f9d6e37ed7ad0486beb12b7330cca51a79e

C:\Users\Admin\AppData\Local\Temp\_MEI35162\libopus-0.x64.dll

MD5 0e078e75ab375a38f99245b3fefa384a
SHA1 b4c2fda3d4d72c3e3294beb8aa164887637ca22a
SHA256 c84da836e8d92421ac305842cfe5a724898ed09d340d46b129e210bdc9448131
SHA512 fa838dab0a8a07ee7c370dd617073a5f795838c3518a6f79ee17d5ebc48b78cebd680e9c8cbe54f912ceb0ae6112147fb40182bcfdcc194b73aa6bab21427bfd

C:\Users\Admin\AppData\Local\Temp\_MEI35162\libopus-0.dll

MD5 e1adac219ec78b7b2ac9999d8c2e1c94
SHA1 6910ec9351bee5c355587e42bbb2d75a65ffc0cf
SHA256 771cae79410f7fcc4f993a105a18c4ed9e8cbddd6f807a42228d95f575808806
SHA512 da1912243491227168e23fb92def056b229f9f1d8c35ae122e1a0474b0be84ceb7167b138f2ee5fffd812b80c6aca719250aca6b25931585e224e27384f4cc67

C:\Users\Admin\AppData\Local\Temp\_MEI35162\libogg-0.dll

MD5 307ef797fc1af567101afba8f6ce6a8c
SHA1 0023f520f874a0c3eb3dc1fe8df73e71bde5f228
SHA256 57abc4f6a9accdd08bf9a2b022a66640cc626a5bd4dac6c7c4f06a5df61ee1fe
SHA512 5b0b6049844c6fef0cd2b6b1267130bb6e4c17b26afc898cfc17499ef05e79096cd705007a74578f11a218786119be37289290c5c47541090d7b9dea2908688e

C:\Users\Admin\AppData\Local\Temp\_MEI35162\libmodplug-1.dll

MD5 ead020db018b03e63a64ebff14c77909
SHA1 89bb59ae2b3b8ec56416440642076ae7b977080e
SHA256 0c1a9032812ec4c20003a997423e67b71ecb5e59d62cdc18a5bf591176a9010e
SHA512 c4742d657e5598c606ceff29c0abb19c588ba7976a7c4bff1df80a3109fe7df25e7d0dace962ec3962a94d2715a4848f2acc997a0552bf8d893ff6e7a78857e5

C:\Users\Admin\AppData\Local\Temp\_MEI35162\libjpeg-9.dll

MD5 c540308d4a8e6289c40753fdd3e1c960
SHA1 1b84170212ca51970f794c967465ca7e84000d0e
SHA256 3a224af540c96574800f5e9acf64b2cdfb9060e727919ec14fbd187a9b5bfe69
SHA512 1dadc6b92de9af998f83faf216d2ab6483b2dea7cdea3387ac846e924adbf624f36f8093daf5cee6010fea7f3556a5e2fcac494dbc87b5a55ce564c9cd76f92b

C:\Users\Admin\AppData\Local\Temp\_MEI35162\libcrypto-3.dll

MD5 51e8a5281c2092e45d8c97fbdbf39560
SHA1 c499c810ed83aaadce3b267807e593ec6b121211
SHA256 2a234b5aa20c3faecf725bbb54fb33f3d94543f78fa7045408e905593e49960a
SHA512 98b91719b0975cb38d3b3c7b6f820d184ef1b64d38ad8515be0b8b07730e2272376b9e51631fe9efd9b8a1709fea214cf3f77b34eeb9fd282eb09e395120e7cb

C:\Users\Admin\AppData\Local\Temp\_MEI35162\freetype.dll

MD5 236f879a5dd26dc7c118d43396444b1c
SHA1 5ed3e4e084471cf8600fb5e8c54e11a254914278
SHA256 1c487392d6d06970ba3c7b52705881f1fb069f607243499276c2f0c033c7df6f
SHA512 cc9326bf1ae8bf574a4715158eba889d7f0d5e3818e6f57395740a4b593567204d6eef95b6e99d2717128c3bffa34a8031c213ff3f2a05741e1eaf3ca07f2254

C:\Users\Admin\AppData\Local\Temp\_MEI35162\_lzma.pyd

MD5 d386b7c4dcf589e026abfc7196cf1c4c
SHA1 c07ce47ce0e69d233c5bdd0bcac507057d04b2d4
SHA256 ad0440ca6998e18f5cc917d088af3fea2c0ff0febce2b5e2b6c0f1370f6e87b1
SHA512 78d79e2379761b054df1f9fd8c5b7de5c16b99af2d2de16a3d0ac5cb3f0bd522257579a49e91218b972a273db4981f046609fdcf2f31cf074724d544dac7d6c8

C:\Users\Admin\AppData\Local\Temp\_MEI35162\_bz2.pyd

MD5 28ede9ce9484f078ac4e52592a8704c7
SHA1 bcf8d6fe9f42a68563b6ce964bdc615c119992d0
SHA256 403e76fe18515a5ea3227cf5f919aa2f32ac3233853c9fb71627f2251c554d09
SHA512 8c372f9f6c4d27f7ca9028c6034c17deb6e98cfef690733465c1b44bd212f363625d9c768f8e0bd4c781ddde34ee4316256203ed18fa709d120f56df3cca108b

C:\Users\Admin\AppData\Local\Temp\_MEI35162\libffi-8.dll

MD5 0f8e4992ca92baaf54cc0b43aaccce21
SHA1 c7300975df267b1d6adcbac0ac93fd7b1ab49bd2
SHA256 eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a
SHA512 6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

C:\Users\Admin\AppData\Local\Temp\_MEI35162\_ctypes.pyd

MD5 22c4892caf560a3ee28cf7f210711f9e
SHA1 b30520fadd882b667ecef3b4e5c05dc92e08b95a
SHA256 e28d4e46e5d10b5fdcf0292f91e8fd767e33473116247cd5d577e4554d7a4c0c
SHA512 edb86b3694fff0b05318decf7fc42c20c348c1523892cce7b89cc9c5ab62925261d4dd72d9f46c9b2bda5ac1e6b53060b8701318b064a286e84f817813960b19

C:\Users\Admin\AppData\Local\Temp\_MEI35162\_lzma.pyd

MD5 d386b7c4dcf589e026abfc7196cf1c4c
SHA1 c07ce47ce0e69d233c5bdd0bcac507057d04b2d4
SHA256 ad0440ca6998e18f5cc917d088af3fea2c0ff0febce2b5e2b6c0f1370f6e87b1
SHA512 78d79e2379761b054df1f9fd8c5b7de5c16b99af2d2de16a3d0ac5cb3f0bd522257579a49e91218b972a273db4981f046609fdcf2f31cf074724d544dac7d6c8

C:\Users\Admin\AppData\Local\Temp\_MEI35162\libffi-8.dll

MD5 0f8e4992ca92baaf54cc0b43aaccce21
SHA1 c7300975df267b1d6adcbac0ac93fd7b1ab49bd2
SHA256 eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a
SHA512 6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

memory/3708-1313-0x0000026DC1030000-0x0000026DC1031000-memory.dmp

memory/3708-1314-0x0000026DC1030000-0x0000026DC1031000-memory.dmp

memory/3708-1315-0x0000026DC1030000-0x0000026DC1031000-memory.dmp

memory/3708-1320-0x0000026DC1030000-0x0000026DC1031000-memory.dmp

memory/3708-1319-0x0000026DC1030000-0x0000026DC1031000-memory.dmp

memory/3708-1322-0x0000026DC1030000-0x0000026DC1031000-memory.dmp

memory/3708-1321-0x0000026DC1030000-0x0000026DC1031000-memory.dmp

memory/3708-1323-0x0000026DC1030000-0x0000026DC1031000-memory.dmp

memory/3708-1325-0x0000026DC1030000-0x0000026DC1031000-memory.dmp

memory/3708-1324-0x0000026DC1030000-0x0000026DC1031000-memory.dmp

memory/4768-1326-0x0000015747E50000-0x0000015747E72000-memory.dmp

memory/4768-1327-0x00007FFF3F440000-0x00007FFF3FF01000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oerzeyn1.nct.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4768-1337-0x0000015760170000-0x0000015760180000-memory.dmp

memory/4768-1338-0x0000015760170000-0x0000015760180000-memory.dmp

memory/4768-1339-0x0000015760170000-0x0000015760180000-memory.dmp

memory/4768-1341-0x00007FFF3F440000-0x00007FFF3FF01000-memory.dmp

memory/3156-1347-0x00007FFF48E40000-0x00007FFF4AEF6000-memory.dmp

memory/3156-1348-0x00007FFF58030000-0x00007FFF58047000-memory.dmp

memory/3156-1349-0x00007FFF45AD0000-0x00007FFF45EDC000-memory.dmp

memory/3156-1350-0x00007FFF4F400000-0x00007FFF4F48F000-memory.dmp

memory/3156-1351-0x00007FFF57FE0000-0x00007FFF58028000-memory.dmp

memory/3156-1352-0x00007FFF43C10000-0x00007FFF45ACD000-memory.dmp

memory/3156-1354-0x00007FFF48B20000-0x00007FFF48BC5000-memory.dmp

memory/3156-1356-0x00007FFF463C0000-0x00007FFF46436000-memory.dmp

memory/3156-1355-0x00007FFF479E0000-0x00007FFF47BFF000-memory.dmp

memory/3156-1357-0x00007FFF46330000-0x00007FFF463B3000-memory.dmp

memory/3156-1358-0x00007FFF4F3B0000-0x00007FFF4F3F3000-memory.dmp

memory/3156-1359-0x00007FFF4E960000-0x00007FFF4E99E000-memory.dmp

memory/3156-1360-0x00007FFF4EA40000-0x00007FFF4EA7D000-memory.dmp

memory/3156-1361-0x00007FFF4E9D0000-0x00007FFF4EA37000-memory.dmp

memory/3156-1364-0x00007FFF4E910000-0x00007FFF4E953000-memory.dmp

memory/3156-1366-0x00007FFF4E8B0000-0x00007FFF4E902000-memory.dmp

memory/3156-1368-0x00007FFF4E9B0000-0x00007FFF4E9CF000-memory.dmp

memory/3156-1369-0x00007FFF4E840000-0x00007FFF4E8AC000-memory.dmp

memory/3156-1371-0x00007FFF4E770000-0x00007FFF4E83C000-memory.dmp

memory/3156-1372-0x00007FFF4E520000-0x00007FFF4E591000-memory.dmp

memory/3156-1373-0x00007FFF4E4F0000-0x00007FFF4E51F000-memory.dmp

memory/3156-1374-0x00007FFF4E460000-0x00007FFF4E4E4000-memory.dmp

memory/3156-1375-0x00007FFF4E420000-0x00007FFF4E45B000-memory.dmp

memory/3156-1376-0x00007FFF4E3D0000-0x00007FFF4E41E000-memory.dmp

memory/3156-1378-0x00007FFF4E380000-0x00007FFF4E3CE000-memory.dmp

memory/3156-1380-0x00007FFF4E330000-0x00007FFF4E37A000-memory.dmp

memory/3156-1382-0x00007FFF48B00000-0x00007FFF48B13000-memory.dmp

memory/3156-1383-0x00007FFF462F0000-0x00007FFF46323000-memory.dmp

memory/3156-1387-0x00007FFF40CC0000-0x00007FFF40F2C000-memory.dmp

memory/3156-1389-0x000000006A880000-0x000000006A8A7000-memory.dmp

memory/3156-1386-0x00007FFF48AE0000-0x00007FFF48B00000-memory.dmp

memory/3156-1392-0x0000000068B40000-0x0000000068B7C000-memory.dmp

memory/3156-1394-0x0000000062E80000-0x0000000062EA4000-memory.dmp

memory/3156-1396-0x00007FFF40AC0000-0x00007FFF40C42000-memory.dmp

memory/3156-1398-0x00007FFF40A30000-0x00007FFF40A81000-memory.dmp

memory/2676-3720-0x00007FFF40420000-0x00007FFF40EE1000-memory.dmp

memory/2676-3721-0x000001B1EB010000-0x000001B1EB020000-memory.dmp

memory/2676-3722-0x000001B1EB010000-0x000001B1EB020000-memory.dmp

memory/2676-3732-0x000001B1EB010000-0x000001B1EB020000-memory.dmp

memory/2676-3734-0x00007FFF40420000-0x00007FFF40EE1000-memory.dmp