Malware Analysis Report

2024-11-30 11:59

Sample ID 231022-wwy2esea69
Target CsgoInjector.exe
SHA256 30e50be1bd61328662cd1796557a49099966409f8498edf403d61468a259d1f1
Tags
pyinstaller pysilon upx persistence
score
10/10

Analysis Overview

score
10/10

SHA256

30e50be1bd61328662cd1796557a49099966409f8498edf403d61468a259d1f1

Threat Level: Known bad

The file CsgoInjector.exe was found to be: Known bad.

Malicious Activity Summary

pyinstaller pysilon upx persistence

Pysilon family

Detect Pysilon

Enumerates VirtualBox DLL files

Loads dropped DLL

Executes dropped EXE

UPX packed file

Adds Run key to start application

Detects Pyinstaller

Unsigned PE

Kills process with taskkill

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-22 18:17

Signatures

Detect Pysilon

Description Indicator Process Target
N/A N/A N/A N/A

Pysilon family

pysilon

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-22 18:16

Reported

2023-10-22 18:48

Platform

win7-20231020-en

Max time kernel

1795s

Max time network

1819s

Command Line

"C:\Users\Admin\AppData\Local\Temp\CsgoInjector.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\CsgoInjector.exe

"C:\Users\Admin\AppData\Local\Temp\CsgoInjector.exe"

C:\Users\Admin\AppData\Local\Temp\CsgoInjector.exe

"C:\Users\Admin\AppData\Local\Temp\CsgoInjector.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\_MEI19802\python310.dll
\Users\Admin\AppData\Local\Temp\_MEI19802\api-ms-win-core-file-l2-1-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI19802\api-ms-win-core-file-l2-1-0.dll
\Users\Admin\AppData\Local\Temp\_MEI19802\api-ms-win-core-timezone-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI19802\api-ms-win-core-timezone-l1-1-0.dll
\Users\Admin\AppData\Local\Temp\_MEI19802\api-ms-win-core-file-l1-2-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI19802\api-ms-win-core-file-l1-2-0.dll
\Users\Admin\AppData\Local\Temp\_MEI19802\api-ms-win-core-processthreads-l1-1-1.dll
C:\Users\Admin\AppData\Local\Temp\_MEI19802\api-ms-win-core-processthreads-l1-1-1.dll
\Users\Admin\AppData\Local\Temp\_MEI19802\api-ms-win-core-localization-l1-2-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI19802\api-ms-win-core-localization-l1-2-0.dll
\Users\Admin\AppData\Local\Temp\_MEI19802\ucrtbase.dll
C:\Users\Admin\AppData\Local\Temp\_MEI19802\ucrtbase.dll
\Users\Admin\AppData\Local\Temp\_MEI19802\python310.dll
memory/2580-1302-0x000007FEF59E0000-0x000007FEF5E46000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-22 18:16

Reported

2023-10-22 18:49

Platform

win10v2004-20231020-en

Max time kernel

1843s

Max time network

1853s

Command Line

"C:\Users\Admin\AppData\Local\Temp\CsgoInjector.exe"

Signatures

Enumerates VirtualBox DLL files

Description Indicator Process Target
File opened (read-only) C:\windows\system32\vboxhook.dll C:\Users\Admin\AppData\Local\Temp\CsgoInjector.exe N/A
File opened (read-only) C:\windows\system32\vboxmrxnp.dll C:\Users\Admin\AppData\Local\Temp\CsgoInjector.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\CsgoInjector\CsgoInjector.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\CsgoInjector.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1511405631-3522522280-778892991-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\CsgoInjector\\CsgoInjector.exe" C:\Users\Admin\AppData\Local\Temp\CsgoInjector.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\CsgoInjector.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2804 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\CsgoInjector.exe C:\Users\Admin\AppData\Local\Temp\CsgoInjector.exe
PID 2804 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\CsgoInjector.exe C:\Users\Admin\AppData\Local\Temp\CsgoInjector.exe
PID 2648 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\CsgoInjector.exe C:\Windows\system32\cmd.exe
PID 2648 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\CsgoInjector.exe C:\Windows\system32\cmd.exe
PID 2648 wrote to memory of 4284 N/A C:\Users\Admin\AppData\Local\Temp\CsgoInjector.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2648 wrote to memory of 4284 N/A C:\Users\Admin\AppData\Local\Temp\CsgoInjector.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2648 wrote to memory of 4684 N/A C:\Users\Admin\AppData\Local\Temp\CsgoInjector.exe C:\Windows\system32\cmd.exe
PID 2648 wrote to memory of 4684 N/A C:\Users\Admin\AppData\Local\Temp\CsgoInjector.exe C:\Windows\system32\cmd.exe
PID 4684 wrote to memory of 564 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\CsgoInjector\CsgoInjector.exe
PID 4684 wrote to memory of 564 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\CsgoInjector\CsgoInjector.exe
PID 4684 wrote to memory of 3024 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4684 wrote to memory of 3024 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe

Processes

C:\Users\Admin\AppData\Local\Temp\CsgoInjector.exe

"C:\Users\Admin\AppData\Local\Temp\CsgoInjector.exe"

C:\Users\Admin\AppData\Local\Temp\CsgoInjector.exe

"C:\Users\Admin\AppData\Local\Temp\CsgoInjector.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "ver"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x500 0x318

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Add-MpPreference -ExclusionPath \"C:\Users\Admin\CsgoInjector\""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\CsgoInjector\activate.bat

C:\Users\Admin\CsgoInjector\CsgoInjector.exe

"CsgoInjector.exe"

C:\Windows\system32\taskkill.exe

taskkill /f /im "CsgoInjector.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 254.211.247.8.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 1.208.79.178.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 198.1.85.104.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 27.73.42.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI28042\ucrtbase.dll

MD5 c9441142696e8bb09bc70b9605e3a39b
SHA1 f172463c4fa5e8692274cd41ef608519bfde38f7
SHA256 a8f9a12b1b6374f84380090eb396630a3409c7ec3bdeee3930ac6ca6cebe423e
SHA512 53dc0f88e0c180ccd67d3da51bb6a79a5000407bf1a7a48c8d70e0138df2f90c8fca138548408b3e9b6f520346d4be26b3cfe815719e3f581c068f4a025734dd

C:\Users\Admin\AppData\Local\Temp\_MEI28042\ucrtbase.dll

MD5 c9441142696e8bb09bc70b9605e3a39b
SHA1 f172463c4fa5e8692274cd41ef608519bfde38f7
SHA256 a8f9a12b1b6374f84380090eb396630a3409c7ec3bdeee3930ac6ca6cebe423e
SHA512 53dc0f88e0c180ccd67d3da51bb6a79a5000407bf1a7a48c8d70e0138df2f90c8fca138548408b3e9b6f520346d4be26b3cfe815719e3f581c068f4a025734dd

C:\Users\Admin\AppData\Local\Temp\_MEI28042\python310.dll

MD5 3f782cf7874b03c1d20ed90d370f4329
SHA1 08a2b4a21092321de1dcad1bb2afb660b0fa7749
SHA256 2a382aff16533054e6de7d13b837a24d97ea2957805730cc7b08b75e369f58d6
SHA512 950c039eb23ed64ca8b2f0a9284ebdb6f0efe71dde5bbf0187357a66c3ab0823418edca34811650270eea967f0e541eece90132f9959d5ba5984405630a99857

C:\Users\Admin\AppData\Local\Temp\_MEI28042\VCRUNTIME140.dll

MD5 f34eb034aa4a9735218686590cba2e8b
SHA1 2bc20acdcb201676b77a66fa7ec6b53fa2644713
SHA256 9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1
SHA512 d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af

C:\Users\Admin\AppData\Local\Temp\_MEI28042\VCRUNTIME140.dll

MD5 f34eb034aa4a9735218686590cba2e8b
SHA1 2bc20acdcb201676b77a66fa7ec6b53fa2644713
SHA256 9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1
SHA512 d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af

C:\Users\Admin\AppData\Local\Temp\_MEI28042\python310.dll

MD5 3f782cf7874b03c1d20ed90d370f4329
SHA1 08a2b4a21092321de1dcad1bb2afb660b0fa7749
SHA256 2a382aff16533054e6de7d13b837a24d97ea2957805730cc7b08b75e369f58d6
SHA512 950c039eb23ed64ca8b2f0a9284ebdb6f0efe71dde5bbf0187357a66c3ab0823418edca34811650270eea967f0e541eece90132f9959d5ba5984405630a99857

memory/2648-1294-0x00007FF85FC10000-0x00007FF860076000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI28042\_ctypes.pyd

MD5 48ce90022e97f72114a95630ba43b8fb
SHA1 f2eba0434ec204d8c6ca4f01af33ef34f09b52fd
SHA256 5998de3112a710248d29df76a05272775bf08a8dbc5a051a7ecb909fef069635
SHA512 7e6c2591805136f74c413b9633d5fdc4428e6f01e0e632b278bee98170b4f418ef2afd237c09e60b0e72076924ed0e3ffb0e2453e543b5e030b263f64568fab8

C:\Users\Admin\AppData\Local\Temp\_MEI28042\base_library.zip

MD5 3a2908eb8c7ab77e462a7882c622b26c
SHA1 0221da0d19a99dc701b3c2fa33246b4d0a079824
SHA256 c0a3bd786f81c3e8a0bdf61fc63e3c365bc74d578a294843d3c78742591c9497
SHA512 e1ab3e147b016a5768ea74b2711aec3388ffc5cc74dc24746514f5aae387518e859b01efd922be00da590984a0ffdf24a4a809553366d0be92040ff7a841efc9

C:\Users\Admin\AppData\Local\Temp\_MEI28042\python3.DLL

MD5 24f4d5a96cd4110744766ea2da1b8ffa
SHA1 b12a2205d3f70f5c636418811ab2f8431247da15
SHA256 73b0f3952be222ce676672603ae3848ee6e8e479782bd06745116712a4834c53
SHA512 bd2f27441fe5c25c30bab22c967ef32306bcea2f6be6f4a5da8bbb5b54d3d5f59da1ffcb55172d2413fe0235dd7702d734654956e142e9a0810160b8c16225f4

C:\Users\Admin\AppData\Local\Temp\_MEI28042\python3.dll

MD5 24f4d5a96cd4110744766ea2da1b8ffa
SHA1 b12a2205d3f70f5c636418811ab2f8431247da15
SHA256 73b0f3952be222ce676672603ae3848ee6e8e479782bd06745116712a4834c53
SHA512 bd2f27441fe5c25c30bab22c967ef32306bcea2f6be6f4a5da8bbb5b54d3d5f59da1ffcb55172d2413fe0235dd7702d734654956e142e9a0810160b8c16225f4

C:\Users\Admin\AppData\Local\Temp\_MEI28042\_ctypes.pyd

MD5 48ce90022e97f72114a95630ba43b8fb
SHA1 f2eba0434ec204d8c6ca4f01af33ef34f09b52fd
SHA256 5998de3112a710248d29df76a05272775bf08a8dbc5a051a7ecb909fef069635
SHA512 7e6c2591805136f74c413b9633d5fdc4428e6f01e0e632b278bee98170b4f418ef2afd237c09e60b0e72076924ed0e3ffb0e2453e543b5e030b263f64568fab8

memory/2648-1304-0x00007FF878F50000-0x00007FF878F5F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI28042\_lzma.pyd

MD5 7c66f33a67fbb4d99041f085ef3c6428
SHA1 e1384891df177b45b889459c503985b113e754a3
SHA256 32f911e178fa9e4db9bd797598f84f9896f99e5022f2b76a1589b81f686b0866
SHA512 d0caabd031fa0c63f4cfb79d8f3531ad85eda468d77a78dd3dde40ce9ac2d404fc0099c4f67579aa802fe5c6c6a464894fd88c19f1fc601f26189780b36f3f9d

C:\Users\Admin\AppData\Local\Temp\_MEI28042\_lzma.pyd

MD5 7c66f33a67fbb4d99041f085ef3c6428
SHA1 e1384891df177b45b889459c503985b113e754a3
SHA256 32f911e178fa9e4db9bd797598f84f9896f99e5022f2b76a1589b81f686b0866
SHA512 d0caabd031fa0c63f4cfb79d8f3531ad85eda468d77a78dd3dde40ce9ac2d404fc0099c4f67579aa802fe5c6c6a464894fd88c19f1fc601f26189780b36f3f9d

C:\Users\Admin\AppData\Local\Temp\_MEI28042\_bz2.pyd

MD5 f6e387f20808828796e876682a328e98
SHA1 6679ae43b0634ac706218996bac961bef4138a02
SHA256 8886bd30421c6c6bfae17847002b9bf4ee4d9eee1a3be7369ee66b36e26c372b
SHA512 ad7cf281f2d830f9dbf66d8ef50e418b4a17a0144b6616c43d7e98b00e6f0cbafc6fe4aba4fabf2f008bb0df85553614b38ae303e5726621a804051d950e744e

C:\Users\Admin\AppData\Local\Temp\_MEI28042\_bz2.pyd

MD5 f6e387f20808828796e876682a328e98
SHA1 6679ae43b0634ac706218996bac961bef4138a02
SHA256 8886bd30421c6c6bfae17847002b9bf4ee4d9eee1a3be7369ee66b36e26c372b
SHA512 ad7cf281f2d830f9dbf66d8ef50e418b4a17a0144b6616c43d7e98b00e6f0cbafc6fe4aba4fabf2f008bb0df85553614b38ae303e5726621a804051d950e744e

C:\Users\Admin\AppData\Local\Temp\_MEI28042\libffi-7.dll

MD5 6f818913fafe8e4df7fedc46131f201f
SHA1 bbb7ba3edbd4783f7f973d97b0b568cc69cadac5
SHA256 3f94ee4f23f6c7702ab0cc12995a6457bf22183fa828c30cc12288adf153ae56
SHA512 5473fe57dc40af44edb4f8a7efd68c512784649d51b2045d570c7e49399990285b59cfa6bcd25ef1316e0a073ea2a89fe46be3bfc33f05e3333037a1fd3a6639

memory/2648-1302-0x00007FF873FC0000-0x00007FF873FE4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI28042\python3.dll

MD5 24f4d5a96cd4110744766ea2da1b8ffa
SHA1 b12a2205d3f70f5c636418811ab2f8431247da15
SHA256 73b0f3952be222ce676672603ae3848ee6e8e479782bd06745116712a4834c53
SHA512 bd2f27441fe5c25c30bab22c967ef32306bcea2f6be6f4a5da8bbb5b54d3d5f59da1ffcb55172d2413fe0235dd7702d734654956e142e9a0810160b8c16225f4

C:\Users\Admin\AppData\Local\Temp\_MEI28042\libffi-7.dll

MD5 6f818913fafe8e4df7fedc46131f201f
SHA1 bbb7ba3edbd4783f7f973d97b0b568cc69cadac5
SHA256 3f94ee4f23f6c7702ab0cc12995a6457bf22183fa828c30cc12288adf153ae56
SHA512 5473fe57dc40af44edb4f8a7efd68c512784649d51b2045d570c7e49399990285b59cfa6bcd25ef1316e0a073ea2a89fe46be3bfc33f05e3333037a1fd3a6639

C:\Users\Admin\AppData\Local\Temp\_MEI28042\libogg-0.dll

MD5 6ffebd7d283079e9029c7f29d8ca7fba
SHA1 b470b09c8aa2f3e42bcff8392d95b6259cb87555
SHA256 0d9a915ea29ed4da271f86dbcfa90b52064a26b5136af590b2bb430d5dd6a67e
SHA512 2b9a9b5f298eefccf0a08af52d7c2c803db19ab9f3cedad2bb19df50466527c05e31f956b6018c9a337565448249465eba8952e9e8397b728b7f76e4f0561c68

memory/2648-1356-0x00007FF873F30000-0x00007FF873F48000-memory.dmp

memory/2648-1357-0x00007FF873E30000-0x00007FF873E45000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI28042\libmodplug-1.dll

MD5 072093b2671589d4ce465de2b92ebee4
SHA1 821d9827286271859640984df28e01b4a37341fb
SHA256 04d07b4dcae8d3998156d563df20881ba790c32389aca23ade91de9cf9f4a3d4
SHA512 522d5faa8d17017f1891374a23d6e653cd62b51818734bf1f7343248d09e1e314ae49821595818fe69af62c9e51debca4ae384e421ad8fa658aced95f977379e

C:\Users\Admin\AppData\Local\Temp\_MEI28042\libjpeg-9.dll

MD5 6e67e46f957f50215b7e68c9091db53f
SHA1 e969fa4858351c95c337352dd0578fe5a83403f0
SHA256 24b25fe9ebe303496973c4d11144b053a5f5a03eabf53f9d8eab0c15fdbfbffe
SHA512 86af5560269ef21490f5343ea3e0522f35e271d42e64f61a2f05471302856de79d34bf00658e1667d7145af48667627fa3897bca2fc479928ab9a62ecba81396

C:\Users\Admin\AppData\Local\Temp\_MEI28042\libcrypto-1_1.dll

MD5 e5aecaf59c67d6dd7c7979dfb49ed3b0
SHA1 b0a292065e1b3875f015277b90d183b875451450
SHA256 9d2257d0de8172bcc8f2dba431eb91bd5b8ac5a9cbe998f1dcac0fac818800b1
SHA512 145eaa969a1a14686ab99e84841b0998cf1f726709ccd177acfb751d0db9aa70006087a13bf3693bc0b57a0295a48c631d0b80c52472c97ebe88be5c528022b4

C:\Users\Admin\AppData\Local\Temp\_MEI28042\freetype.dll

MD5 522257e451efcc3bfe980f56d3fed113
SHA1 f5e12321517f523842943ea7f3ba74d449dba1f4
SHA256 8c74376e7932eebcd084191b40774056b32525ba48e375d942754cdc4fc03c60
SHA512 d590cd813281278be4aec86af3713216dd306399b4910221a2447a3200accbca1b5f8d9495bf21f69ff8e09e5465a71c715a85ce0d87cdc26cbf27b0fae2cc4c

C:\Users\Admin\AppData\Local\Temp\_MEI28042\crypto_clipper.json

MD5 28ace1f269a7b6ddc508fe2ef995eb89
SHA1 fc25b159929682bff11e6d3b413acba80300418a
SHA256 8011959661b3c6efee432bdc16b358de1c371aaccdbec068c9e65004262f988e
SHA512 4c1172eead25d9c6037729ad372975d545153213dba99e7308308f1f1c6594bb1322b6c1332e44bd3677458160211046762a5dbf72564e4c7d36f7371177dcd2

C:\Users\Admin\AppData\Local\Temp\_MEI28042\api-ms-win-crt-utility-l1-1-0.dll

MD5 7bc9b892f7b206cd47ace5de1d5db0c0
SHA1 25a27d708857fe10b74ac1e47648ae0227e8b277
SHA256 9a9b6807f39a506f7141e80f8e2296856035c0c1a29da08c65c3faaf37da4749
SHA512 38be561bb519f49e7a4884881f89b191c7330712e5634aa667a64f5eb9702aba0f85d1274ec087cfc2c683474e9e992917a5614a7f24f29e8025980b961c85c3

C:\Users\Admin\AppData\Local\Temp\_MEI28042\api-ms-win-crt-time-l1-1-0.dll

MD5 42d69e69801f992eb45acb24824a96f6
SHA1 979e4d0bf6b37fa2bd03400024d0fb966c2efa24
SHA256 210ecbd606010a0858849736e044e8dcf58af15aa60abdc760161fa7546b3e31
SHA512 bdd019ad31cfeaa8ec39e4805ded663ea9d4490149ae7e3bd9ebbb0bccd0622933deb34a5c555e496428828f25884dc16744e40be6b4464595506282d78a19fb

C:\Users\Admin\AppData\Local\Temp\_MEI28042\api-ms-win-crt-string-l1-1-0.dll

MD5 99470194f5733e525936997d64975e8d
SHA1 8438b0ec1d6a407fdadbe7ae3a518932c99d28f9
SHA256 0cda38eff2cb37c29b100f3ba308db2db31b724d344d3dc2f843124dca42a2cd
SHA512 5d00a7e2e89b9979b77c7e01d237bf44010ac956164e9c9a709415f69a1393c12969cc93d4fdf12fd5b8157004d87730b54f8131371bb40b0315ca1980d9b7fa

C:\Users\Admin\AppData\Local\Temp\_MEI28042\api-ms-win-crt-stdio-l1-1-0.dll

MD5 f5bad743732599cfefa2688339bb7619
SHA1 3c35550270da64737b9ce9ba5349cad6fd0f4f34
SHA256 a6437d15c89236ed7690ee177972d7460a5add80d38b724070b94806716fbbf6
SHA512 bd3ceae59fa7fef6fbe8c39841dd9ad006c3912670d13ff3baf5d8db03d75a5b6d9acb9f4c657421b2d9dcfe1835267df83c274e630304e405dfd8705b3d9f75

C:\Users\Admin\AppData\Local\Temp\_MEI28042\api-ms-win-crt-runtime-l1-1-0.dll

MD5 02fb1320aad11d01758deff3719a5628
SHA1 21b7f1f41607af434e5e5414b7f500694dd368da
SHA256 4cd39202449369b8d70fe9f52f320567334252f8bf2e0369919fd2ff46c1f6d8
SHA512 fcd82d8f5e2255413c7f9cb03cd4476aa50ffc22da55ebc75e1713625966758ffbde0ec041c0a27b1fced97a0d151f5b1c4d37ad6e1c8032859b7ee7d1c1a1bd

memory/2648-1358-0x00007FF85F890000-0x00007FF85FC05000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI28042\api-ms-win-crt-process-l1-1-0.dll

MD5 1b78140a134c62a13ae8d080032c9e14
SHA1 eb66b7ea42775430b612959f0a33b68568fec5da
SHA256 a8edd81a2987222230f43c8bcca9805bee0d5591bc9960513e80c4f4c6b2a74c
SHA512 4065405d8dc90360c4b9a43a0425e6e9cdd3af39f125346d40450f58cda8a5cd8fe8824e2b431e3a61317617d8ce98bbeda5a5283094a6449e8a6a97ff456f90

C:\Users\Admin\AppData\Local\Temp\_MEI28042\api-ms-win-crt-private-l1-1-0.dll

MD5 882a113acbe2a67abb982ace9c5103cd
SHA1 66a3acc9dd59f03b2bd3c3b641c59c221387d4b8
SHA256 ae5d422c801b043492ead7465ffa3863777549e353fe990d7ab5f3635bd1f542
SHA512 45bebebe24fd56aade74ba286d7a94e196748d896765870435624f5c93b8adc5739bba08cc152d189d0e2083f9b497caae70ec910399439cda2c75d9b9fa2c90

C:\Users\Admin\AppData\Local\Temp\_MEI28042\api-ms-win-crt-multibyte-l1-1-0.dll

MD5 c427f5c6ac359dada7fb7fe8d07d4cfd
SHA1 3a0e0ac03456c5c8375d4ab4502f070ae7b268da
SHA256 de7df0c80e65f79efe575d723da1daa9a6a98713b29d5fb88e5fc09f0c1d7e80
SHA512 e7edd94c18db8818bbb3521378f45ca4526a8ed7a01b3559ae3386691372618dc31c5ee73c663dd2374def10a53311f5ec6d9d2d50a3d215b39dc7c9a51c2eba

C:\Users\Admin\AppData\Local\Temp\_MEI28042\api-ms-win-crt-math-l1-1-0.dll

MD5 cdf12a8d36faac3ae8107e7198f17f68
SHA1 bda6276c119f12eb1e800c2410d4e364d7f2df7d
SHA256 351babc124c553726b2fdca523db7c8a60a881781c8bd67ac5d86e1c990e836f
SHA512 eac5ddd0f11c87b7034200682559d9d02ad2940384f7eeeb8dee9f35248d81a6c99d9924c540c178f07204d2ad8456aeb36b2dd2949db95f84681f258c385bfc

C:\Users\Admin\AppData\Local\Temp\_MEI28042\api-ms-win-crt-locale-l1-1-0.dll

MD5 3c9302d71b38c9c50640839ddc0475ec
SHA1 294e5ac708ca3fc6237cde1502fd0451d81e7688
SHA256 cd7550cdbcee182523fc011011a748da982b09777978aba5d213e9d9b0a369d1
SHA512 f9806cf523f02c3d70cf810766e26b956eb4d14c4d47168f0e4eec684842187b90881b4b78c1aca6369bfa06afb154488d62efbb7dbeae77f25dbf5110faece8

C:\Users\Admin\AppData\Local\Temp\_MEI28042\api-ms-win-crt-heap-l1-1-0.dll

MD5 2849f2428da4ae7add442b09ceeaa047
SHA1 0d855ac60c58a81d988a4f52b7e841e429e684cb
SHA256 2cacc87a19c4e86275835b89b0c58eb6f65bd1e1e1544c2827da92995d36b373
SHA512 bf9dea866506f00a448190c3c28312642cb140d30931884bbb4794ae5eba71c4d141ce76bfd0f9a1bfce81b0d5e502c550888b85ceab8febc12331e49ae7613e

C:\Users\Admin\AppData\Local\Temp\_MEI28042\api-ms-win-crt-filesystem-l1-1-0.dll

MD5 a13ed90a4eb3ab0deae4414a389d6de9
SHA1 6f08f8d6fb721e2fe6864f39215be512d6b29211
SHA256 a698459f02100cc502e3a302b42e3ab5bcb082da81a1fade0c9ad2b55226a026
SHA512 a6388870bf600e31b65edeb65043bd07d5c64845a8708ed122f800f8e2c5f24d6e811da4529adc999a46589cf60781726ec5113352c2330d47f56c7f9d751c44

C:\Users\Admin\AppData\Local\Temp\_MEI28042\api-ms-win-crt-environment-l1-1-0.dll

MD5 8861dd3e18e22dd26a27a201fc53dbd4
SHA1 9f01e0440b9802cecc3f8fa4d67fdeb45b6ce549
SHA256 6a96fec28fa3b8442ec1ef0a53864f82a5821403335725274e66a01acf2a604f
SHA512 896e57482a0c4ad318c91a146d3cb8754556afb068cfd4e1baea66f060b4e76f13449dad0020b8eede7e916f266183854bd1ff7490a1a49d23295dfb90183eec

C:\Users\Admin\AppData\Local\Temp\_MEI28042\api-ms-win-crt-convert-l1-1-0.dll

MD5 5388e492d0017ce5c52eab15e6c39e79
SHA1 ed19c0de9f85e1d0034151b26b3b69ce96810641
SHA256 2f2141ea4acbdfb3a150814b291c7e056469446a2823c9f3375fa60e8ce46f9b
SHA512 cc89dcbb8a7f6d153c584e53fd7facfbe27b8dfa5e19f0a4494bfc7384b14f551d8f3df178b5ef17f4f85ef92a98bcbec7af0e24580df2dbca60d8191e3e1564

C:\Users\Admin\AppData\Local\Temp\_MEI28042\api-ms-win-crt-conio-l1-1-0.dll

MD5 4572ee832cec234e7426eec667d58372
SHA1 2de749f79e1090fd4220c697d54a860809464969
SHA256 4654b500f5d0bde0f22ddf1aae84b5b8cbadf6c61e3c0ce2809c8e223ecbf96c
SHA512 22771154f8ac554bc347f475c5ec788a3be64c8466876d25eaa9f90cfc4768342c335d9e2bfc079f033d7b4027271499d9c95aa4dcc21eda91bed078d4a6be20

C:\Users\Admin\AppData\Local\Temp\_MEI28042\api-ms-win-core-util-l1-1-0.dll

MD5 98c1388f4261ea98357b050696ec0515
SHA1 5fe5a8c6c1709b31f4908f80adb3f09313367cd8
SHA256 0bc65519bee8839501132032c55c8c4bb05bc662459343f82a00ab24d84d8fb0
SHA512 0a49ef060ced76197b0f812417660284695f9ef389fdde16e8880bbdda66dc37fc00bea75387ae8fc8db1379d31b131ca9958aa91e3b9be3ff1a7f7362640bf2

C:\Users\Admin\AppData\Local\Temp\_MEI28042\api-ms-win-core-timezone-l1-1-0.dll

MD5 0e1dc487712e10bdda37fc16a78a42e9
SHA1 ec36402f6036eb909bb6ad0becd40070655254df
SHA256 6c1c6936309f16a42801b3e69567269e3faf9f97455d7d1ca1aeac22d963b135
SHA512 bc316e30ddfa0ec32d7d68d7e4ecaab7a3ed87fe3f9bf0b4fad123476005e218f39d2814777f183142f5e99445b5dfb0005ed6b93767b0c31af9b54cdccdc186

C:\Users\Admin\AppData\Local\Temp\_MEI28042\api-ms-win-core-sysinfo-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI28042\api-ms-win-core-synch-l1-2-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI28042\api-ms-win-core-synch-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI28042\api-ms-win-core-string-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI28042\api-ms-win-core-rtlsupport-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI28042\api-ms-win-core-profile-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI28042\api-ms-win-core-processthreads-l1-1-1.dll

C:\Users\Admin\AppData\Local\Temp\_MEI28042\api-ms-win-core-processthreads-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI28042\api-ms-win-core-processenvironment-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI28042\api-ms-win-core-namedpipe-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI28042\api-ms-win-core-memory-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI28042\api-ms-win-core-localization-l1-2-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI28042\api-ms-win-core-libraryloader-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI28042\api-ms-win-core-interlocked-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI28042\api-ms-win-core-heap-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI28042\api-ms-win-core-handle-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI28042\api-ms-win-core-file-l2-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI28042\api-ms-win-core-file-l1-2-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI28042\api-ms-win-core-file-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI28042\api-ms-win-core-errorhandling-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI28042\api-ms-win-core-debug-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI28042\api-ms-win-core-datetime-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI28042\api-ms-win-core-console-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4rhpnzqq.0gs.ps1
