Malware Analysis Report

2024-11-30 11:49

Sample ID 231012-cfmhxabf44
Target source_prepared.exe
SHA256 8e1afb371f897a37dcd3e72ab0d1a7caaef5e932caf8598de9877dc60697f8e3
Tags
pyinstaller pysilon upx persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Threat Level: Known bad

The file source_prepared.exe was found to be: Known bad.

Malicious Activity Summary

Detect Pysilon

Pysilon family

Enumerates VirtualBox DLL files

UPX packed file

Loads dropped DLL

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Detects Pyinstaller

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Kills process with taskkill

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-12 02:01

Signatures

Detect Pysilon

Description Indicator Process Target
N/A N/A N/A N/A

Pysilon family

pysilon

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-12 02:01

Reported

2023-10-13 03:12

Platform

win7-20230831-en

Max time kernel

118s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\source_prepared.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\source_prepared.exe

"C:\Users\Admin\AppData\Local\Temp\source_prepared.exe"

C:\Users\Admin\AppData\Local\Temp\source_prepared.exe

"C:\Users\Admin\AppData\Local\Temp\source_prepared.exe"

Network

N/A

Files

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-12 02:01

Reported

2023-10-13 03:11

Platform

win10v2004-20230915-en

Max time kernel

165s

Max time network

182s

Command Line

"C:\Users\Admin\AppData\Local\Temp\source_prepared.exe"

Signatures

Enumerates VirtualBox DLL files

Description Indicator Process Target
File opened (read-only) C:\windows\system32\vboxhook.dll C:\Users\Admin\AppData\Local\Temp\source_prepared.exe N/A
File opened (read-only) C:\windows\system32\vboxmrxnp.dll C:\Users\Admin\AppData\Local\Temp\source_prepared.exe N/A
File opened (read-only) C:\windows\system32\vboxhook.dll C:\Users\Admin\PySilonRatFolder\PySilonRatExe.exe N/A
File opened (read-only) C:\windows\system32\vboxmrxnp.dll C:\Users\Admin\PySilonRatFolder\PySilonRatExe.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\PySilonRatFolder\PySilonRatExe.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\source_prepared.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PySilonRatRegistry = "C:\\Users\\Admin\\PySilonRatFolder\\PySilonRatExe.exe" C:\Users\Admin\AppData\Local\Temp\source_prepared.exe N/A

Legitimate hosting services abused for malware hosting/C2

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\source_prepared.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\PySilonRatFolder\PySilonRatExe.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\PySilonRatFolder\PySilonRatExe.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3776 wrote to memory of 3772 N/A C:\Users\Admin\AppData\Local\Temp\source_prepared.exe C:\Users\Admin\AppData\Local\Temp\source_prepared.exe
PID 3772 wrote to memory of 3804 N/A C:\Users\Admin\AppData\Local\Temp\source_prepared.exe C:\Windows\system32\cmd.exe
PID 3772 wrote to memory of 3216 N/A C:\Users\Admin\AppData\Local\Temp\source_prepared.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3772 wrote to memory of 3644 N/A C:\Users\Admin\AppData\Local\Temp\source_prepared.exe C:\Windows\system32\cmd.exe
PID 3644 wrote to memory of 4776 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\PySilonRatFolder\PySilonRatExe.exe
PID 3644 wrote to memory of 2228 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4776 wrote to memory of 3360 N/A C:\Users\Admin\PySilonRatFolder\PySilonRatExe.exe C:\Users\Admin\PySilonRatFolder\PySilonRatExe.exe
PID 3360 wrote to memory of 3616 N/A C:\Users\Admin\PySilonRatFolder\PySilonRatExe.exe C:\Windows\system32\cmd.exe
PID 3360 wrote to memory of 1660 N/A C:\Users\Admin\PySilonRatFolder\PySilonRatExe.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\source_prepared.exe

"C:\Users\Admin\AppData\Local\Temp\source_prepared.exe"

C:\Users\Admin\AppData\Local\Temp\source_prepared.exe

"C:\Users\Admin\AppData\Local\Temp\source_prepared.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "ver"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x328 0x4e8

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Add-MpPreference -ExclusionPath \"C:\Users\Admin\PySilonRatFolder\""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\PySilonRatFolder\activate.bat

C:\Users\Admin\PySilonRatFolder\PySilonRatExe.exe

"PySilonRatExe.exe"

C:\Windows\system32\taskkill.exe

taskkill /f /im "source_prepared.exe"

C:\Users\Admin\PySilonRatFolder\PySilonRatExe.exe

"PySilonRatExe.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "ver"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Add-MpPreference -ExclusionPath \"C:\Users\Admin\PySilonRatFolder\""

Network


Files

C:\Users\Admin\AppData\Local\Temp\_MEI37762\ucrtbase.dll

MD5 0e0bac3d1dcc1833eae4e3e4cf83c4ef
SHA1 4189f4459c54e69c6d3155a82524bda7549a75a6
SHA256 8a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae
SHA512 a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd

C:\Users\Admin\AppData\Local\Temp\_MEI37762\ucrtbase.dll

MD5 0e0bac3d1dcc1833eae4e3e4cf83c4ef
SHA1 4189f4459c54e69c6d3155a82524bda7549a75a6
SHA256 8a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae
SHA512 a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd

C:\Users\Admin\AppData\Local\Temp\_MEI37762\python39.dll

MD5 770e2dc67e7dbf6e4dc9da97a8ff9d87
SHA1 ed08212c168900e95dfbc92a48a877b4ed5fa32c
SHA256 50bf9d3ea9999df15105a12ae80a90a0d6878dacbeeed211318a71f6b2ba9d15
SHA512 5ba9dd3816ea24aa6a5c2e12f6bbfffeae8d2ea74fcafef5361eea4f2ecc3387958fb3fcbb2ae55fa30422b425dc998eed8ae7dbae4c03db15977d2adb69af32

C:\Users\Admin\AppData\Local\Temp\_MEI37762\python39.dll

MD5 770e2dc67e7dbf6e4dc9da97a8ff9d87
SHA1 ed08212c168900e95dfbc92a48a877b4ed5fa32c
SHA256 50bf9d3ea9999df15105a12ae80a90a0d6878dacbeeed211318a71f6b2ba9d15
SHA512 5ba9dd3816ea24aa6a5c2e12f6bbfffeae8d2ea74fcafef5361eea4f2ecc3387958fb3fcbb2ae55fa30422b425dc998eed8ae7dbae4c03db15977d2adb69af32

C:\Users\Admin\AppData\Local\Temp\_MEI37762\VCRUNTIME140.dll

MD5 4a365ffdbde27954e768358f4a4ce82e
SHA1 a1b31102eee1d2a4ed1290da2038b7b9f6a104a3
SHA256 6a0850419432735a98e56857d5cfce97e9d58a947a9863ca6afadd1c7bcab27c
SHA512 54e4b6287c4d5a165509047262873085f50953af63ca0dcb7649c22aba5b439ab117a7e0d6e7f0a3e51a23e28a255ffd1ca1ddce4b2ea7f87bca1c9b0dbe2722

C:\Users\Admin\AppData\Local\Temp\_MEI37762\VCRUNTIME140.dll

MD5 4a365ffdbde27954e768358f4a4ce82e
SHA1 a1b31102eee1d2a4ed1290da2038b7b9f6a104a3
SHA256 6a0850419432735a98e56857d5cfce97e9d58a947a9863ca6afadd1c7bcab27c
SHA512 54e4b6287c4d5a165509047262873085f50953af63ca0dcb7649c22aba5b439ab117a7e0d6e7f0a3e51a23e28a255ffd1ca1ddce4b2ea7f87bca1c9b0dbe2722

memory/3772-1285-0x00007FFA81AD0000-0x00007FFA81F51000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI37762\base_library.zip

MD5 10f96009a71135643b86105e0407f228
SHA1 f300c46710cdb25d9b3990c012401d608263b3c9
SHA256 fb149dab5bdb437877fd01713462247d544784de7f476f3d1aec4c0142e788dc
SHA512 28cb5ea49040844514e0166e3b3e8e20b46877260cfa5e982053c724a3581fb60d19e346d672379c7c20e6cf215633453d94015479dd053306d9957329b3bbd8

C:\Users\Admin\AppData\Local\Temp\_MEI37762\libffi-7.dll

MD5 6f818913fafe8e4df7fedc46131f201f
SHA1 bbb7ba3edbd4783f7f973d97b0b568cc69cadac5
SHA256 3f94ee4f23f6c7702ab0cc12995a6457bf22183fa828c30cc12288adf153ae56
SHA512 5473fe57dc40af44edb4f8a7efd68c512784649d51b2045d570c7e49399990285b59cfa6bcd25ef1316e0a073ea2a89fe46be3bfc33f05e3333037a1fd3a6639

memory/3772-1295-0x00007FFA91200000-0x00007FFA91227000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI37762\libcrypto-1_1.dll

MD5 eb33b1a0a12a1bfcb69fd2467f5c6b8c
SHA1 d30782a6bed3fd889846787d733d14519d757808
SHA256 e631bfe0b26a864f61311a03bf1f0819abdffc7bc00d14d263714f934a085069
SHA512 bee2412914003ad4697d6a22cfe7550de0e13c2a16dc5c8c1528ce361a84f987e8d43f58f0eabdacf6a09a01f7edf04b310dce41f02c4e809b04446d8dff40e2

C:\Users\Admin\AppData\Local\Temp\_MEI37762\_lzma.pyd

MD5 290d8bd4d27bbd43a1e7b01aac828b38
SHA1 30d8b1ddc93502dc6dca42017ffcc2491afa3d27
SHA256 98e968305057ab4805f86bb69b5b3f1e200f7a7e44f131b7f783286233e8eb6c
SHA512 dcf604f9dcf9e1f74aacd353ef448fff081327eb18c5b09e72665ecfd04cd003c52100437c6a9389b6ae1969adc7a48e842f05bae10f3a4659011c0aed350553

memory/3772-1302-0x00007FFA91D40000-0x00007FFA91D4F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI37762\libcrypto-1_1.dll

MD5 eb33b1a0a12a1bfcb69fd2467f5c6b8c
SHA1 d30782a6bed3fd889846787d733d14519d757808
SHA256 e631bfe0b26a864f61311a03bf1f0819abdffc7bc00d14d263714f934a085069
SHA512 bee2412914003ad4697d6a22cfe7550de0e13c2a16dc5c8c1528ce361a84f987e8d43f58f0eabdacf6a09a01f7edf04b310dce41f02c4e809b04446d8dff40e2

C:\Users\Admin\AppData\Local\Temp\_MEI37762\_hashlib.pyd

MD5 42a4aadc9320e60299d710d64294c324
SHA1 85e826f3e9c38cac4a2595c53e011b01f812d3ee
SHA256 4c6dd3b048c8352c4066e09e6032ca5df53111543333dbe344f311bb188d5c22
SHA512 8973aa09941415448e329500e9e1f19ea80d8170176339e0df9057519ec250581045b16fb8bd631b569924a6e643ad3f52553a7049a3bb4b018978ea6ebcaec8

memory/3772-1303-0x00007FFA8B8F0000-0x00007FFA8B907000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI37762\_lzma.pyd

MD5 290d8bd4d27bbd43a1e7b01aac828b38
SHA1 30d8b1ddc93502dc6dca42017ffcc2491afa3d27
SHA256 98e968305057ab4805f86bb69b5b3f1e200f7a7e44f131b7f783286233e8eb6c
SHA512 dcf604f9dcf9e1f74aacd353ef448fff081327eb18c5b09e72665ecfd04cd003c52100437c6a9389b6ae1969adc7a48e842f05bae10f3a4659011c0aed350553

memory/3772-1304-0x00007FFA81760000-0x00007FFA81ACF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI37762\select.pyd

MD5 1250772f1d620d1905866630c7f975e7
SHA1 0ecd7101ea99525383b2d6c00864b204094e7228
SHA256 693c9c73e8fa70184f721e53f91fbb2358ada67b92293fa2ae00a5a0811fa8ba
SHA512 74c2a9066b8daa4b79ad75cd66fa9ec7b50a46570b3aab4bb0df587f4463cf617367db87ff53591be311791d3cbe26b34eb9fdd974faeeda95dbbbc5b18952e5

C:\Users\Admin\AppData\Local\Temp\_MEI37762\select.pyd

MD5 1250772f1d620d1905866630c7f975e7
SHA1 0ecd7101ea99525383b2d6c00864b204094e7228
SHA256 693c9c73e8fa70184f721e53f91fbb2358ada67b92293fa2ae00a5a0811fa8ba
SHA512 74c2a9066b8daa4b79ad75cd66fa9ec7b50a46570b3aab4bb0df587f4463cf617367db87ff53591be311791d3cbe26b34eb9fdd974faeeda95dbbbc5b18952e5

C:\Users\Admin\AppData\Local\Temp\_MEI37762\libssl-1_1.dll

MD5 88803aac099cccf4af3496bfabdc8865
SHA1 3eee4e685e0084f13935870be3e2c7dddb1975e4
SHA256 c524b961d036c9e95ae4d9e40e8b4f897a4f0772cf1d78ac0287af84fe918cad
SHA512 50bd41771e50e9c20ad871be9433f6e88c3cd799a6f64d7ad19265228468a8572904ec2d9b3b8ff053b23230ec1326a175df09cb0380e60d8efdd11ab446f8fd

C:\Users\Admin\AppData\Local\Temp\_MEI37762\_queue.pyd

MD5 9695b733afae3c388be901e0609d41dd
SHA1 3c8b91166714baaff8fea0add0b1be0f9463c974
SHA256 a8e0b8163adc96d0a2ead54cd6342ee822c436168202b752f81ef3fe83f720bc
SHA512 9015a44a655f7434e9b098a9b1c189dd90b2fcc07688c4549af36734e896651b24ade7d2b135ee883b3612c4f520142fa6c3c000eb4b93fca4d07c6aa3b78bdd

C:\Users\Admin\AppData\Local\Temp\_MEI37762\charset_normalizer\md.cp39-win_amd64.pyd

MD5 d50f157ebb1eb957bec8e5af284dc00f
SHA1 5fecd7a517bfb665db45f810d3f93df1cb28f5aa
SHA256 8271ef31df63c2de9758676ab35b75ac648ef7e38e010ead4800ef0781eb13f0
SHA512 cfa41b48018e1a2109b6f2ee5f1299e817412ce16a69b15093333e98086bff1511c273553896b151d504e8c567f2ad00af71e46cb34da6883113ba463beceadc

memory/3772-1325-0x00007FFA8B8D0000-0x00007FFA8B8EA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI37762\unicodedata.pyd

MD5 94eb175845d1871cc098696a6400a76e
SHA1 f9d495d497327c63fc8c373687d31e34d5ce8866
SHA256 4afcc61afac4bd040b7a0b3dc2ec9db697268d65319358a81c6a9acf97202724
SHA512 0fd7bb95d01fa679e95c90f0f850172f930ccc44fdee9df358a6d66f73296ab9a52d037d8bfe386db7540bf724c6da55c2bcb2e1e3fffaa57e2fca5d1922ef40

C:\Users\Admin\AppData\Local\Temp\_MEI37762\unicodedata.pyd

MD5 94eb175845d1871cc098696a6400a76e
SHA1 f9d495d497327c63fc8c373687d31e34d5ce8866
SHA256 4afcc61afac4bd040b7a0b3dc2ec9db697268d65319358a81c6a9acf97202724
SHA512 0fd7bb95d01fa679e95c90f0f850172f930ccc44fdee9df358a6d66f73296ab9a52d037d8bfe386db7540bf724c6da55c2bcb2e1e3fffaa57e2fca5d1922ef40

C:\Users\Admin\AppData\Local\Temp\_MEI37762\charset_normalizer\md__mypyc.cp39-win_amd64.pyd

MD5 683cc2ada37473f3b8f200cc11195185
SHA1 4d7f78cd11aa43466df86d8538330ef62c293903
SHA256 5609c01c731d916d170425b5cff9276487e80bb8d642c9c556a82a4ecd8d07c8
SHA512 2ddf78d65dbb889f108395ee0e9d4c33fb5cf82a2164a7aeeb10ab7c6f4fa8b92e9b7807c77d946418884119999834fbad745dead75059ce786cbe7d9aa96235

C:\Users\Admin\AppData\Local\Temp\_MEI37762\charset_normalizer\md__mypyc.cp39-win_amd64.pyd

MD5 683cc2ada37473f3b8f200cc11195185
SHA1 4d7f78cd11aa43466df86d8538330ef62c293903
SHA256 5609c01c731d916d170425b5cff9276487e80bb8d642c9c556a82a4ecd8d07c8
SHA512 2ddf78d65dbb889f108395ee0e9d4c33fb5cf82a2164a7aeeb10ab7c6f4fa8b92e9b7807c77d946418884119999834fbad745dead75059ce786cbe7d9aa96235

C:\Users\Admin\AppData\Local\Temp\_MEI37762\charset_normalizer\md.cp39-win_amd64.pyd

MD5 d50f157ebb1eb957bec8e5af284dc00f
SHA1 5fecd7a517bfb665db45f810d3f93df1cb28f5aa
SHA256 8271ef31df63c2de9758676ab35b75ac648ef7e38e010ead4800ef0781eb13f0
SHA512 cfa41b48018e1a2109b6f2ee5f1299e817412ce16a69b15093333e98086bff1511c273553896b151d504e8c567f2ad00af71e46cb34da6883113ba463beceadc

C:\Users\Admin\AppData\Local\Temp\_MEI37762\_queue.pyd

MD5 9695b733afae3c388be901e0609d41dd
SHA1 3c8b91166714baaff8fea0add0b1be0f9463c974
SHA256 a8e0b8163adc96d0a2ead54cd6342ee822c436168202b752f81ef3fe83f720bc
SHA512 9015a44a655f7434e9b098a9b1c189dd90b2fcc07688c4549af36734e896651b24ade7d2b135ee883b3612c4f520142fa6c3c000eb4b93fca4d07c6aa3b78bdd

C:\Users\Admin\AppData\Local\Temp\_MEI37762\_cffi_backend.cp39-win_amd64.pyd

MD5 d93639ed827941644579e4c51ec8e7e4
SHA1 e69d433baefef1d0bafc068e001a4fe53611c183
SHA256 fbc68a503f5a81715a721a3eec143f91ee8b36db95cd5db456ea9225eb2c5263
SHA512 6e3e69b3eea65c276fcd8f2783a3914146d99e6e9306831bc5ad158ab534d23edfa4d8f75c5dd2a99f2c0286168d6ec7e04acb9085fc047fa6e27cd633970eb2

memory/3772-1327-0x00007FFA8B540000-0x00007FFA8B563000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI37762\_cffi_backend.cp39-win_amd64.pyd

MD5 d93639ed827941644579e4c51ec8e7e4
SHA1 e69d433baefef1d0bafc068e001a4fe53611c183
SHA256 fbc68a503f5a81715a721a3eec143f91ee8b36db95cd5db456ea9225eb2c5263
SHA512 6e3e69b3eea65c276fcd8f2783a3914146d99e6e9306831bc5ad158ab534d23edfa4d8f75c5dd2a99f2c0286168d6ec7e04acb9085fc047fa6e27cd633970eb2

memory/3772-1329-0x00007FFA81580000-0x00007FFA81698000-memory.dmp

memory/3772-1331-0x00007FFA918E0000-0x00007FFA918ED000-memory.dmp

memory/3772-1332-0x00007FFA91510000-0x00007FFA9151B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI37762\Crypto\Hash\_SHA256.pyd

MD5 54271581f0d1794df6dbeb0f562d62d6
SHA1 179cb0f6bda013179f54196e3aa0104a2a06d047
SHA256 d807a0bdd2492ea58b53c55261b5ee7b388a05b2e1b120b868c283ce1d6b24e9
SHA512 2a987e6271dec0c40206064aa69429bd8e75f64d2ba04532230ab1f91030dc2d34774197210080062245552ff697603225e775a1180dcbc206e95f0f3516e1ea

C:\Users\Admin\AppData\Local\Temp\_MEI37762\Crypto\Cipher\_raw_ofb.pyd

MD5 574e8f9b5edee613993691842f8743f8
SHA1 f86009b26acd822ec573bbb3ee88e3c84b8431b9
SHA256 cb4fd9faa143a998766530ebe62b6cb0ecbb6bdfc95fb765261754c457df2984
SHA512 5daa110157f694646e0dacbf6a546381023b478d2e52f9e18ca94195647305c30e6bafe42a9425f90aa30f04b193b11609766b3552fbe4a49005a66e8378556a

C:\Users\Admin\AppData\Local\Temp\_MEI37762\Crypto\Cipher\_raw_ofb.pyd

MD5 574e8f9b5edee613993691842f8743f8
SHA1 f86009b26acd822ec573bbb3ee88e3c84b8431b9
SHA256 cb4fd9faa143a998766530ebe62b6cb0ecbb6bdfc95fb765261754c457df2984
SHA512 5daa110157f694646e0dacbf6a546381023b478d2e52f9e18ca94195647305c30e6bafe42a9425f90aa30f04b193b11609766b3552fbe4a49005a66e8378556a

C:\Users\Admin\AppData\Local\Temp\_MEI37762\Crypto\Cipher\_raw_cfb.pyd

MD5 8e1f017bc6219dd2bd265d04d32eeb62
SHA1 11a7858d2af2eb3235db5d79b04ba8f04efbe1b2
SHA256 e1e0337dec5512859ff5e0d3df094ea74b730270672d723c4385dec12c3c8adb
SHA512 2de71f8e06b7b7ce9077bd6f9942b5a5dd6d9ddb5cbe6487ccb45fdd946857c4ef264124a5f7e04fcd1b20a658b386e40eef7aa3ecfedabb871671e98e02428d

C:\Users\Admin\AppData\Local\Temp\_MEI37762\Crypto\Cipher\_raw_cfb.pyd

MD5 8e1f017bc6219dd2bd265d04d32eeb62
SHA1 11a7858d2af2eb3235db5d79b04ba8f04efbe1b2
SHA256 e1e0337dec5512859ff5e0d3df094ea74b730270672d723c4385dec12c3c8adb
SHA512 2de71f8e06b7b7ce9077bd6f9942b5a5dd6d9ddb5cbe6487ccb45fdd946857c4ef264124a5f7e04fcd1b20a658b386e40eef7aa3ecfedabb871671e98e02428d

C:\Users\Admin\AppData\Local\Temp\_MEI37762\Crypto\Util\_cpuid_c.pyd

MD5 017a3c5a8a4e1425f154fb67da5cf600
SHA1 13b4b65743fe53109796a51ea6c2d045d9dac101
SHA256 07f31504eb7375fff3377b65bdf5873c2d8df0f3c28f8430cbeb9b71c717aee6
SHA512 db5a35b602699baf8ee29a89b6149ee66b40dfbd86cf033dbebefd64eca32d70b431316b47ab0598bb911d786aea14177ad2e23b87e9994d039c216444dc5d12

C:\Users\Admin\AppData\Local\Temp\_MEI37762\Crypto\Protocol\_scrypt.pyd

MD5 220119804cb8ef914b49f3aee8249107
SHA1 d43458970973afc17ee9fd9fb594932493480869
SHA256 287a28df4d03543587b7e081f292262fe8b87451c7f014bef0f7e7ae6f33d16e
SHA512 de71323bdf31a1f44b9bc36fc1374a6d24fc7eab11c444ad6d90475e9b443f8c8ba7b08976c2ac059be93097d3be7acea7f522e81af810b57cbcc2e00fdf2be5

C:\Users\Admin\AppData\Local\Temp\_MEI37762\Crypto\Cipher\_Salsa20.pyd

MD5 343c805d12d3ced1d6b71a2853ecc2ab
SHA1 df01f3924d65040c8bd94bdc1a7a768e396a357d
SHA256 8f381af8ee21d276e0589909911777d1c5f848d1b1d3a797a1a7e5485d44e2e8
SHA512 2076dea8786bb265da46ad1dcd221990f21a4f8b74ff3e74b9926b40ecfabadd39fdc562cf837448009be713f75b6afe99e2e04b3a3c00e292843d5a645cc5f1

C:\Users\Admin\AppData\Local\Temp\_MEI37762\Crypto\Hash\_MD5.pyd

MD5 5127f0f8b920547320f2ea29d088a5f5
SHA1 8230291220d99e8888a0d50de5cc1d559c3d5f92
SHA256 e63d9d41826287e127ca5a348fc882361e81018b62a05709920370a7545091db
SHA512 94cbf6b1790af0fbccea70f212fe1793c525c6bbb7bbad2266fd20e02b1ff91fa0932c3b22afa6cef590127b55b0245dd79b67189ca908aa74169ff3ce624c0f

C:\Users\Admin\AppData\Local\Temp\_MEI37762\Crypto\Hash\_SHA256.pyd

MD5 54271581f0d1794df6dbeb0f562d62d6
SHA1 179cb0f6bda013179f54196e3aa0104a2a06d047
SHA256 d807a0bdd2492ea58b53c55261b5ee7b388a05b2e1b120b868c283ce1d6b24e9
SHA512 2a987e6271dec0c40206064aa69429bd8e75f64d2ba04532230ab1f91030dc2d34774197210080062245552ff697603225e775a1180dcbc206e95f0f3516e1ea

C:\Users\Admin\AppData\Local\Temp\_MEI37762\Crypto\Cipher\_raw_cbc.pyd

MD5 ae7420ab8355ca21afb592109aa12b9b
SHA1 ef54263672ab9fdc35ddd1ea013b0845ec709658
SHA256 f4704d6c4aba9bb2b57440645635154ca377ace3fbad63de26bae59dfd003935
SHA512 3b381949b523add43fef8ed8987985e70f666d3238057a0aadd79fba206d75d58c7b5ca8aee0ae059a2cf0df4cd80a95c221d3281974b3290e647a2f1469a458

C:\Users\Admin\AppData\Local\Temp\_MEI37762\Crypto\Cipher\_raw_ecb.pyd

MD5 7c57420aaf4db71c584b175f7937a6f6
SHA1 68ba922c9991c5e2c0ecefa0f474dda3cc02950d
SHA256 39f3408b235d286cf8ec33cb5f9bc194dd643ae7ce59b5d83fa17d79ccd37d57
SHA512 680e55ab64fd91a1d5612efb937bd6f28d644e048e7d00505945a0664ec0178b0667ccc78da626621d88e0bd4d0a2280b1aba43a984d76e103c4fb38281fb414

C:\Users\Admin\AppData\Local\Temp\_MEI37762\Crypto\Hash\_SHA1.pyd

MD5 cd25891df326ee9d7e0895ebd0b68f5e
SHA1 e99f1b6fb140273168fdaa0f895a227f3d0f23f9
SHA256 5a0d0f2aa16046f2f72e773ff9b2aecf5ecac3941f790dec73d38ce470a9c565
SHA512 e259f24c441a2f0006768a5de3241f52368bdecd4c84de39654d6c67cd72643e2ddaa3bd380bf3c21f9f0cd84bb6c108670aa16bfae2c3cb29d5e53354f399da

C:\Users\Admin\AppData\Local\Temp\_MEI37762\Crypto\Hash\_BLAKE2s.pyd

MD5 bebf6aa1041bb611dfdc4b0659f51231
SHA1 7915d6bc787b4849c541d58cb42e3317a1b675a5
SHA256 78d827f7821fffd37a23a14a400eaa880acf5665bfddcc5110c2f7880f0f755e
SHA512 5b3d4a0a10c47b0e8d71c974764d2abb2c0f9f7580493abed6f00c61945b4fc772cd447ca8003e55feb2ceb316d8daa8ee77a712f3105cdd236bdfb2271b4bbb

C:\Users\Admin\AppData\Local\Temp\_MEI37762\Crypto\Util\_strxor.pyd

MD5 b4df0b72cd56c56d1710c75f75b10ed5
SHA1 2a659620aa24a191297cf3c16dc2e40f179df32f
SHA256 c0c8b217ad1d48e327a6574169b064cde58f43cb7c1483dbfd79c1fc3b0d06d4
SHA512 2364dac62ff651f205f32dfa23cc6d59c92feac5ff31490d99f22401d4a0c8a3ef188967848b90750b8c228936622ee6e11995970f7fd31b158a39ca0a1133d8

C:\Users\Admin\AppData\Local\Temp\_MEI37762\Crypto\Cipher\_raw_ctr.pyd

MD5 ed45b538dd662c1ab91b7914b0239f3c
SHA1 e36e96010ef7bfacabd1aebbaa7cf6208932df91
SHA256 6d1401d2d1903cfd4437f4bf2485c4e43b4355947ffdd7ed1e53c706e37c00cb
SHA512 45055f73a9795720ca9c54c4ded6c0c8461883b9fb03a7aa2198c01a1870255dbd5a4d254bf60a0b69612f47e59c53c195b42eb513650490e0c53613032bcd29

C:\Users\Admin\AppData\Local\Temp\_MEI37762\libssl-1_1.dll

MD5 88803aac099cccf4af3496bfabdc8865
SHA1 3eee4e685e0084f13935870be3e2c7dddb1975e4
SHA256 c524b961d036c9e95ae4d9e40e8b4f897a4f0772cf1d78ac0287af84fe918cad
SHA512 50bd41771e50e9c20ad871be9433f6e88c3cd799a6f64d7ad19265228468a8572904ec2d9b3b8ff053b23230ec1326a175df09cb0380e60d8efdd11ab446f8fd

C:\Users\Admin\AppData\Local\Temp\_MEI37762\_ssl.pyd

MD5 ddcc64f9476dcff34534992a665e14af
SHA1 bc2e3de6eb6916e8a5baef356d5d33e64d75c6b7
SHA256 356eb8072d96b42b6d0ed8e90149ee2683c9a1c99937fd42e06b66cdb4ac9fdc
SHA512 8978d16addf1b1d7757ddf6b6d85cab0f489afb8a4a2827cab241255f60fd594c58652b24ed67c5c4a8b207fc560153a3030ea3b26623605266d7b1f38348b4d

C:\Users\Admin\AppData\Local\Temp\_MEI37762\_socket.pyd

MD5 1bb7f80521dd41e79dd822647f200eac
SHA1 89e0eafbe7b873afc6592f0c1ff3123a7e0a9058
SHA256 1a469b061c205e40195f2ec1ebdbe9ef3ce28db54802a46bc3b88e40cb70a553
SHA512 0b4a8fc5a54b8c1bf4bbb66832a28548d0b4b3156268d7f9e1f73d66f2618cc69988a800d276324c9721f03bd8367e6a3e1065cdf4c95f06b7db7c8f61feaa60

C:\Users\Admin\AppData\Local\Temp\_MEI37762\_bz2.pyd

MD5 1d7f423808dd1ac28ca3283d6e721871
SHA1 26b89fdb5affc406a0cb327ff640b9703b21bf79
SHA256 9e2cd44b08a34b06dfface57638ecfa0cd4bfd4b88f882fc761956433810f81c
SHA512 aae4cac83c4b809ee6ef2a135638eeac92f1274ad6358b36b231f74b895223352fd8ea02affe952dd95932810d8f23e477319c3ced81fb8c5b33b06694c89bc2

C:\Users\Admin\AppData\Local\Temp\_MEI37762\_hashlib.pyd

MD5 42a4aadc9320e60299d710d64294c324
SHA1 85e826f3e9c38cac4a2595c53e011b01f812d3ee
SHA256 4c6dd3b048c8352c4066e09e6032ca5df53111543333dbe344f311bb188d5c22
SHA512 8973aa09941415448e329500e9e1f19ea80d8170176339e0df9057519ec250581045b16fb8bd631b569924a6e643ad3f52553a7049a3bb4b018978ea6ebcaec8

C:\Users\Admin\AppData\Local\Temp\_MEI37762\libffi-7.dll

MD5 6f818913fafe8e4df7fedc46131f201f
SHA1 bbb7ba3edbd4783f7f973d97b0b568cc69cadac5
SHA256 3f94ee4f23f6c7702ab0cc12995a6457bf22183fa828c30cc12288adf153ae56
SHA512 5473fe57dc40af44edb4f8a7efd68c512784649d51b2045d570c7e49399990285b59cfa6bcd25ef1316e0a073ea2a89fe46be3bfc33f05e3333037a1fd3a6639

C:\Users\Admin\AppData\Local\Temp\_MEI37762\_ctypes.pyd

MD5 56e5e7341b6e97b9adae59bcf25c50f6
SHA1 5493b70e712cf7c72650bf3f02fb5727c9e52d13
SHA256 49c2e4f9924cfd59b07cc43ebd714f035b322776affabb46d8e0b0053625980d
SHA512 a210d2a5590f47eb9def9de1406cbecacad3cc314a58edad033b2c7fe29da3663608f770b3721abe0435359e97cbb3d50b2fe5f37bc6cebe546b5191042d5a07

C:\Users\Admin\AppData\Local\Temp\_MEI37762\python3.DLL

MD5 e438f5470c5c1cb5ddbe02b59e13ad2c
SHA1 ec58741bf0be7f97525f4b867869a3b536e68589
SHA256 1dc81d8066d44480163233f249468039d3de97e91937965e7a369ae1499013da
SHA512 bd8012b167dd37bd5b57521ca91ad2c9891a61866558f2cc8e80bb029d6f7d73c758fb5be7a181562640011e8b4b54afa3a12434ba00f445c1a87b52552429d3

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ixbbryoz.50b.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82