Malware Analysis Report

2024-11-13 15:09

Sample ID 231127-s1e8bshe6s
Target Agama.exe
SHA256 b049c8e7a483dd286321778344b4501e29dbb067003a701d09f07bf3e6a1d1d2
Tags
evasion persistence upx pyinstaller pysilon
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b049c8e7a483dd286321778344b4501e29dbb067003a701d09f07bf3e6a1d1d2

Threat Level: Known bad

The file Agama.exe was found to be: Known bad.

Malicious Activity Summary

evasion persistence upx pyinstaller pysilon

Detect Pysilon

Pysilon family

Enumerates VirtualBox DLL files

Sets file to hidden

Executes dropped EXE

UPX packed file

Loads dropped DLL

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Detects Pyinstaller

Kills process with taskkill

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Checks SCSI registry key(s)

Views/modifies file attributes

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-11-27 15:35

Signatures

Detect Pysilon

Description Indicator Process Target
N/A N/A N/A N/A

Pysilon family

pysilon

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-11-27 15:35

Reported

2023-11-27 15:38

Platform

win10-20231020-en

Max time kernel

123s

Max time network

130s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Agama.exe"

Signatures

Enumerates VirtualBox DLL files

Description Indicator Process Target
File opened (read-only) C:\windows\system32\vboxhook.dll C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
File opened (read-only) C:\windows\system32\vboxmrxnp.dll C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A

Sets file to hidden

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Exol Service\Agama.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AgamaUpdater = "C:\\Users\\Admin\\Exol Service\\Agama.exe" C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rescache\_merged\4183903823\810424605.pri C:\Windows\system32\taskmgr.exe N/A
File created C:\Windows\rescache\_merged\1601268389\3877292338.pri C:\Windows\system32\taskmgr.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: 33 N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3840 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe C:\Users\Admin\AppData\Local\Temp\Agama.exe
PID 3840 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe C:\Users\Admin\AppData\Local\Temp\Agama.exe
PID 1124 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe C:\Windows\system32\cmd.exe
PID 1124 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe C:\Windows\system32\cmd.exe
PID 1124 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1124 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1124 wrote to memory of 3632 N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe C:\Windows\system32\cmd.exe
PID 1124 wrote to memory of 3632 N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe C:\Windows\system32\cmd.exe
PID 3632 wrote to memory of 3756 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 3632 wrote to memory of 3756 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 3632 wrote to memory of 2660 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\Exol Service\Agama.exe
PID 3632 wrote to memory of 2660 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\Exol Service\Agama.exe
PID 3632 wrote to memory of 4420 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 3632 wrote to memory of 4420 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Agama.exe

"C:\Users\Admin\AppData\Local\Temp\Agama.exe"

C:\Users\Admin\AppData\Local\Temp\Agama.exe

"C:\Users\Admin\AppData\Local\Temp\Agama.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "ver"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x420

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Add-MpPreference -ExclusionPath \"C:\Users\Admin\Exol Service\""

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Exol Service\activate.bat""

C:\Windows\system32\attrib.exe

attrib +s +h .

C:\Users\Admin\Exol Service\Agama.exe

"Agama.exe"

C:\Windows\system32\taskkill.exe

taskkill /f /im "Agama.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 25.73.42.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI38402\python311.dll

MD5 5f6fd64ec2d7d73ae49c34dd12cedb23
SHA1 c6e0385a868f3153a6e8879527749db52dce4125
SHA256 ff9f102264d1944fbfae2ba70e7a71435f51a3e8c677fd970b621c4c9ea71967
SHA512 c4be2d042c6e4d22e46eacfd550f61b8f55814bfe41d216a4df48382247df70bc63151068513855aa78f9b3d2f10ba6a824312948324c92de6dd0f6af414e8ab

\Users\Admin\AppData\Local\Temp\_MEI38402\VCRUNTIME140.dll

MD5 49c96cecda5c6c660a107d378fdfc3d4
SHA1 00149b7a66723e3f0310f139489fe172f818ca8e
SHA256 69320f278d90efaaeb67e2a1b55e5b0543883125834c812c8d9c39676e0494fc
SHA512 e09e072f3095379b0c921d41d6e64f4f1cd78400594a2317cfb5e5dca03dedb5a8239ed89905c9e967d1acb376b0585a35addf6648422c7ddb472ce38b1ba60d

C:\Users\Admin\AppData\Local\Temp\_MEI38402\VCRUNTIME140.dll

MD5 49c96cecda5c6c660a107d378fdfc3d4
SHA1 00149b7a66723e3f0310f139489fe172f818ca8e
SHA256 69320f278d90efaaeb67e2a1b55e5b0543883125834c812c8d9c39676e0494fc
SHA512 e09e072f3095379b0c921d41d6e64f4f1cd78400594a2317cfb5e5dca03dedb5a8239ed89905c9e967d1acb376b0585a35addf6648422c7ddb472ce38b1ba60d

\Users\Admin\AppData\Local\Temp\_MEI38402\python311.dll

MD5 5f6fd64ec2d7d73ae49c34dd12cedb23
SHA1 c6e0385a868f3153a6e8879527749db52dce4125
SHA256 ff9f102264d1944fbfae2ba70e7a71435f51a3e8c677fd970b621c4c9ea71967
SHA512 c4be2d042c6e4d22e46eacfd550f61b8f55814bfe41d216a4df48382247df70bc63151068513855aa78f9b3d2f10ba6a824312948324c92de6dd0f6af414e8ab

memory/1124-1267-0x00007FFBC1F30000-0x00007FFBC2519000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI38402\_ctypes.pyd

MD5 00f75daaa7f8a897f2a330e00fad78ac
SHA1 44aec43e5f8f1282989b14c4e3bd238c45d6e334
SHA256 9ffadcb2c40ae6b67ab611acc09e050bbe544672cf05e8402a7aa3936326de1f
SHA512 f222f0ebf16a5c6d16aa2fba933034e692e26e81fea4d8b008259aff4102fe8acf3807f3b016c24002daa15bb8778d7fef20f4ae1206d5a6e226f7336d4da5d4

C:\Users\Admin\AppData\Local\Temp\_MEI38402\base_library.zip

MD5 611f3f285525f3c3354fd199140283a2
SHA1 8a0cf2dd234b0551e193c43f085115d5f0139620
SHA256 fe8ddb060df80f828b35d3ecae62a73d3105b493818385485f9428d7c6aad8e9
SHA512 bcb0d0c9816a266ac77e65476c18d3334f81114f1716c102a31d66a0098c483c6ecb712eb0967b920f15254ef6954e936a9d6d0ad33e7810fab6d06790ffba76

C:\Users\Admin\AppData\Local\Temp\_MEI38402\python3.DLL

MD5 0e105f62fdd1ff4157560fe38512220b
SHA1 99bd69a94b3dc99fe2c0f7bbbcd05aa0bc8cd45c
SHA256 803ba8242b409080df166320c05a4402aab6dd30e31c4389871f4b68ca1ad423
SHA512 59c0f749ed9c59efdbcd04265b4985b1175fdd825e5a307745531ed2537397e739bc9290fdc3936cfd04f566e28bb76b878f124248b8344cf74f641c6b1101de

\Users\Admin\AppData\Local\Temp\_MEI38402\python3.dll

MD5 0e105f62fdd1ff4157560fe38512220b
SHA1 99bd69a94b3dc99fe2c0f7bbbcd05aa0bc8cd45c
SHA256 803ba8242b409080df166320c05a4402aab6dd30e31c4389871f4b68ca1ad423
SHA512 59c0f749ed9c59efdbcd04265b4985b1175fdd825e5a307745531ed2537397e739bc9290fdc3936cfd04f566e28bb76b878f124248b8344cf74f641c6b1101de

memory/1124-1275-0x00007FFBC62B0000-0x00007FFBC62D3000-memory.dmp

\Users\Admin\AppData\Local\Temp\_MEI38402\libffi-8.dll

MD5 08b000c3d990bc018fcb91a1e175e06e
SHA1 bd0ce09bb3414d11c91316113c2becfff0862d0d
SHA256 135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece
SHA512 8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

memory/1124-1323-0x00007FFBC6240000-0x00007FFBC6254000-memory.dmp

\Users\Admin\AppData\Local\Temp\_MEI38402\libcrypto-3.dll

MD5 78ebd9cb6709d939e4e0f2a6bbb80da9
SHA1 ea5d7307e781bc1fa0a2d098472e6ea639d87b73
SHA256 6a8c458e3d96f8dd3bf6d3cacc035e38edf7f127eee5563b51f8c8790ced0b3e
SHA512 b752769b3de4b78905b0326b5270091642ac89ff204e9e4d78670791a1fa211a54d777aeef59776c21f854c263add163adaef6a81b166190518cfaaf4e2e4122

memory/1124-1324-0x00007FFBB2860000-0x00007FFBB2D80000-memory.dmp

memory/1124-1328-0x00007FFBC6220000-0x00007FFBC6239000-memory.dmp

\Users\Admin\AppData\Local\Temp\_MEI38402\libssl-3.dll

MD5 bf4a722ae2eae985bacc9d2117d90a6f
SHA1 3e29de32176d695d49c6b227ffd19b54abb521ef
SHA256 827fdb184fdcde9223d09274be780fe4fe8518c15c8fc217748ad5fd5ea0f147
SHA512 dd83b95967582152c7b5581121e6b69a07073e7a76fe87975742bb0fd7ecef7494ec940dba914364034cc4e3f623be98cc887677b65c208f14a2a9fc7497ca73

\Users\Admin\AppData\Local\Temp\_MEI38402\charset_normalizer\md.cp311-win_amd64.pyd

MD5 32062fd1796553acac7aa3d62ce4c4a5
SHA1 0c5e7deb9c11eeaf4799f1a677880fbaf930079c
SHA256 4910c386c02ae6b2848d5728e7376c5881c56962d29067005e1e2ad518bc07ae
SHA512 18c3b894af9102df8ed15f78e1d3a51db1f07465d814380a0220f0c0571b52292b065aed819004f13aeb343f677ac5bfd5a5a35d6f74e48381228724241f7758

C:\Users\Admin\AppData\Local\Temp\_MEI38402\charset_normalizer\md.cp311-win_amd64.pyd

MD5 32062fd1796553acac7aa3d62ce4c4a5
SHA1 0c5e7deb9c11eeaf4799f1a677880fbaf930079c
SHA256 4910c386c02ae6b2848d5728e7376c5881c56962d29067005e1e2ad518bc07ae
SHA512 18c3b894af9102df8ed15f78e1d3a51db1f07465d814380a0220f0c0571b52292b065aed819004f13aeb343f677ac5bfd5a5a35d6f74e48381228724241f7758

memory/1124-1335-0x00007FFBC2E90000-0x00007FFBC2EC3000-memory.dmp

memory/1124-1337-0x00007FFBC61E0000-0x00007FFBC61ED000-memory.dmp

memory/1124-1338-0x00007FFBC61D0000-0x00007FFBC61DB000-memory.dmp

memory/1124-1339-0x00007FFBC1D20000-0x00007FFBC1D46000-memory.dmp

memory/1124-1340-0x00007FFBC1C00000-0x00007FFBC1D1C000-memory.dmp

memory/1124-1342-0x00007FFBC61C0000-0x00007FFBC61CB000-memory.dmp

memory/1124-1343-0x00007FFBC2E80000-0x00007FFBC2E8B000-memory.dmp

memory/1124-1344-0x00007FFBC2E70000-0x00007FFBC2E7C000-memory.dmp

memory/1124-1347-0x00007FFBC1BB0000-0x00007FFBC1BBB000-memory.dmp

memory/1124-1346-0x00007FFBC1E40000-0x00007FFBC1E4C000-memory.dmp

memory/1124-1349-0x00007FFBC1B90000-0x00007FFBC1B9D000-memory.dmp

memory/1124-1351-0x00007FFBC1B70000-0x00007FFBC1B7C000-memory.dmp

memory/1124-1353-0x00007FFBC1B50000-0x00007FFBC1B5B000-memory.dmp

memory/1124-1352-0x00007FFBC1B60000-0x00007FFBC1B6C000-memory.dmp

memory/1124-1355-0x00007FFBC1B30000-0x00007FFBC1B3C000-memory.dmp

memory/1124-1354-0x00007FFBC1B40000-0x00007FFBC1B4B000-memory.dmp

memory/1124-1350-0x00007FFBC1B80000-0x00007FFBC1B8E000-memory.dmp

memory/1124-1348-0x00007FFBC1BA0000-0x00007FFBC1BAC000-memory.dmp

memory/1124-1345-0x00007FFBC1E50000-0x00007FFBC1E5B000-memory.dmp

memory/1124-1341-0x00007FFBC1BC0000-0x00007FFBC1BF8000-memory.dmp

memory/1124-1336-0x00007FFBC1E60000-0x00007FFBC1F2D000-memory.dmp

\Users\Admin\AppData\Local\Temp\_MEI38402\_queue.pyd

MD5 347d6a8c2d48003301032546c140c145
SHA1 1a3eb60ad4f3da882a3fd1e4248662f21bd34193
SHA256 e71803913b57c49f4ce3416ec15dc8a9e5c14f8675209624e76cd71b0319b192
SHA512 b1fdb46b80bb4a39513685781d563a7d55377e43e071901930a13c3e852d0042a5302cd238ddf6ea4d35ceee5a613c96996bffad2da3862673a0d27e60ff2c06

\Users\Admin\AppData\Local\Temp\_MEI38402\_ssl.pyd

MD5 f9cc7385b4617df1ddf030f594f37323
SHA1 ebceec12e43bee669f586919a928a1fd93e23a97
SHA256 b093aa2e84a30790abeee82cf32a7c2209978d862451f1e0b0786c4d22833cb6
SHA512 3f362c8a7542212d455f1f187e24f63c6190e564ade0f24561e7e20375a1f15eb36bd8dce9fdaafdab1d6b348a1c6f7cddb9016e4f3535b49136550bc23454fb

\Users\Admin\AppData\Local\Temp\_MEI38402\select.pyd

MD5 45d5a749e3cd3c2de26a855b582373f6
SHA1 90bb8ac4495f239c07ec2090b935628a320b31fc
SHA256 2d15c2f311528440aa29934920fb0b015eaf8cbe3b3c9ad08a282a2d6ba68876
SHA512 c7a641d475a26712652a84b8423155ca347e0ec0155bd257c200225a64752453e4763b8885d8fb043b30e92ae023a501fff04777ba5cfe54da9a68071f25fbea

\Users\Admin\AppData\Local\Temp\_MEI38402\_socket.pyd

MD5 1a34253aa7c77f9534561dc66ac5cf49
SHA1 fcd5e952f8038a16da6c3092183188d997e32fb9
SHA256 dc03d32f681634e682b02e9a60fdfce420db9f26754aefb9a58654a064dc0f9f
SHA512 ff9eeb4ede4b4dd75c67fab30d0dec462b8af9ca6adc1dcae58f0d169c55a98d85bb610b157f17077b8854ec15af4dfab2f0d47fa9bc463e5b2449979a50293a

memory/1124-1326-0x00007FFBC6260000-0x00007FFBC628D000-memory.dmp

memory/1124-1325-0x00007FFBC69C0000-0x00007FFBC69CF000-memory.dmp

\Users\Admin\AppData\Local\Temp\_MEI38402\_hashlib.pyd

MD5 b227bf5d9fec25e2b36d416ccd943ca3
SHA1 4fae06f24a1b61e6594747ec934cbf06e7ec3773
SHA256 d42c3550e58b9aa34d58f709dc65dc4ee6eea83b651740822e10b0aa051df1d7
SHA512 c6d7c5a966c229c4c7042ef60015e3333dab86f83c230c97b8b1042231fdb2a581285a5a08c33ad0864c6bd82f5a3298964ab317736af8a43e7caa7669298c3e

C:\Users\Admin\AppData\Local\Temp\_MEI38402\_uuid.pyd

MD5 4faa479423c54d5be2a103b46ecb4d04
SHA1 011f6cdbd3badaa5c969595985a9ad18547dd7ec
SHA256 c2ad3c1b4333bc388b6a22049c89008505c434b1b85bff0823b19ef0cf48065a
SHA512 92d35824c30667af606bba883bf6e275f2a8b5cbfea2e84a77e256d122b91b3ee7e84d9f4e2a4946e903a11293af9648a45e8cfbe247cbdc3bcdea92eb5349c6

C:\Users\Admin\AppData\Local\Temp\_MEI38402\_tkinter.pyd

MD5 21e05294dd230deee50e5036efad282a
SHA1 689747aaac5e2ecb8852507805bc4ae1df63fe10
SHA256 1ae9a8d0d41abb9d793ef74c2d78079c12122c779a5403109e6599331d282377
SHA512 877be83ad0caa7f9f8b0efeea047c76efec86ed388ba63792d2ef40e257bc86504c84215ff8bd7d1500c5e3b6430b7d5d8d8b1ddd6abb3f50020101cf75bba83

C:\Users\Admin\AppData\Local\Temp\_MEI38402\_ssl.pyd

MD5 f9cc7385b4617df1ddf030f594f37323
SHA1 ebceec12e43bee669f586919a928a1fd93e23a97
SHA256 b093aa2e84a30790abeee82cf32a7c2209978d862451f1e0b0786c4d22833cb6
SHA512 3f362c8a7542212d455f1f187e24f63c6190e564ade0f24561e7e20375a1f15eb36bd8dce9fdaafdab1d6b348a1c6f7cddb9016e4f3535b49136550bc23454fb

C:\Users\Admin\AppData\Local\Temp\_MEI38402\_sqlite3.pyd

MD5 1a8fdc36f7138edcc84ee506c5ec9b92
SHA1 e5e2da357fe50a0927300e05c26a75267429db28
SHA256 8e4b9da9c95915e864c89856e2d7671cd888028578a623e761aeac2feca04882
SHA512 462a8f995afc4cf0e041515f0f68600dfd0b0b1402be7945d60e2157ffd4e476cf2ae9cdc8df9595f0fe876994182e3e43773785f79b20c6df08c8a8c47fffa0

C:\Users\Admin\AppData\Local\Temp\_MEI38402\_socket.pyd

MD5 1a34253aa7c77f9534561dc66ac5cf49
SHA1 fcd5e952f8038a16da6c3092183188d997e32fb9
SHA256 dc03d32f681634e682b02e9a60fdfce420db9f26754aefb9a58654a064dc0f9f
SHA512 ff9eeb4ede4b4dd75c67fab30d0dec462b8af9ca6adc1dcae58f0d169c55a98d85bb610b157f17077b8854ec15af4dfab2f0d47fa9bc463e5b2449979a50293a

C:\Users\Admin\AppData\Local\Temp\_MEI38402\_queue.pyd

MD5 347d6a8c2d48003301032546c140c145
SHA1 1a3eb60ad4f3da882a3fd1e4248662f21bd34193
SHA256 e71803913b57c49f4ce3416ec15dc8a9e5c14f8675209624e76cd71b0319b192
SHA512 b1fdb46b80bb4a39513685781d563a7d55377e43e071901930a13c3e852d0042a5302cd238ddf6ea4d35ceee5a613c96996bffad2da3862673a0d27e60ff2c06

C:\Users\Admin\AppData\Local\Temp\_MEI38402\_overlapped.pyd

MD5 ce4626159bf66ab04f0279bb2a9f4fad
SHA1 18d93c34132aee2bed9ad5928010d3f4f33bb477
SHA256 7b92710eaf825571d3f3b0443b7c5d0e7231df8f3cbb3ba69d90eedbc151edf0
SHA512 365ba4250eb58498c8c7f3398461c777f91e6ae9408213b373a0306d7c29b10515460160f15a37d6d311378e433cb4733d5107dfc0d4ecef5c5ed34da26bcd5b

C:\Users\Admin\AppData\Local\Temp\_MEI38402\_multiprocessing.pyd

MD5 e3e3f86cc4c41edbaa5d30769d743d09
SHA1 c8df3eaf3e30b6cfb9891a5fbd595a03f831cfc7
SHA256 0d8203dba58573e4bf1ff3c3e89c331085ce25df11f2860d8d59203dd8b3faf8
SHA512 eedff332f82e1635d4d1f091061389612476612daf4cd9c1dcdbcb76a4cde45c84879bfa6b3b505b6bb4ce6030102999d6830573095fa1dc637fbdb8b02e37a4

C:\Users\Admin\AppData\Local\Temp\_MEI38402\_hashlib.pyd

MD5 b227bf5d9fec25e2b36d416ccd943ca3
SHA1 4fae06f24a1b61e6594747ec934cbf06e7ec3773
SHA256 d42c3550e58b9aa34d58f709dc65dc4ee6eea83b651740822e10b0aa051df1d7
SHA512 c6d7c5a966c229c4c7042ef60015e3333dab86f83c230c97b8b1042231fdb2a581285a5a08c33ad0864c6bd82f5a3298964ab317736af8a43e7caa7669298c3e

C:\Users\Admin\AppData\Local\Temp\_MEI38402\_elementtree.pyd

MD5 f7f00d7a8c8f9532b58360deb55f7fa0
SHA1 be5ba44bac538d892579b27f4cb8a5af054720d7
SHA256 f752a6e47532582a6469d65d774c358f575bba0ecffb2c268dca04f99f1548cd
SHA512 3cf9d2ae0dc5034add460efe1e687a75d31d4d46d37b13c1d800781f280a8f2b7be17416a102efff4e562e2877fa0aa728f3ef8b55124b43a6029fe92c24d02d

C:\Users\Admin\AppData\Local\Temp\_MEI38402\_decimal.pyd

MD5 e3fb8bf23d857b1eb860923ccc47baa5
SHA1 46e9d5f746c047e1b2fefaaf8d3ec0f2c56c42f0
SHA256 7da13df1f416d3ffd32843c895948e460af4dc02cf05c521909555061ed108e3
SHA512 7b0a1fc00c14575b8f415fadc2078bebd157830887dc5b0c4414c8edfaf9fc4a65f58e5cceced11252ade4e627bf17979db397f4f0def9a908efb2eb68cd645c

C:\Users\Admin\AppData\Local\Temp\_MEI38402\_cffi_backend.cp311-win_amd64.pyd

MD5 1518035a65a45c274f1557ff5655e2d7
SHA1 2676d452113c68aa316cba9a03565ec146088c3f
SHA256 9ca400d84a52ae61c5613403ba379d69c271e8e9e9c3f253f93434c9336bc6e8
SHA512 b5932a2eadd2981a3bbc0918643a9936c9aaafc606d833d5ef2758061e05a3148826060ed52a2d121fabfd719ad9736b3402683640a4c4846b6aaaa457366b66

C:\Users\Admin\AppData\Local\Temp\_MEI38402\_asyncio.pyd

MD5 d776dbe9c3b432e7be82f61e491c598a
SHA1 f4b562ebdf18e60ae06d971cccc6108f3b2bc23d
SHA256 c3b2836defd08c6a5fac8bd375a7a7d4671d902af31011d60c463ac1100f3418
SHA512 c68070d2d33665ebb550df0eb4b512c86432fc79fec803bb4a6be8bc487a8b81fa5bdada6894c38944b7ac39603c965fda0e1b467edb1e2918c1bbf29faf0378

C:\Users\Admin\AppData\Local\Temp\_MEI38402\zlib1.dll

MD5 a35d7eeae683a35acb99e72e01cf132f
SHA1 cc37f1e0641f6afc821ef45a65986422eb853366
SHA256 c84547746f4c328daa9637414bbb252ec7124005d0cb7d4a8c62779cf641271c
SHA512 dd7996756a3aed62251f90cd0ae95feafa7bc1cfe7c51e7e2e09bfd30bf0bbb2775fe397a1963f63aed7ad49957b4dd75faed022c6ec4ed9576822f650612f2c

C:\Users\Admin\AppData\Local\Temp\_MEI38402\VCRUNTIME140_1.dll

MD5 cf0a1c4776ffe23ada5e570fc36e39fe
SHA1 2050fadecc11550ad9bde0b542bcf87e19d37f1a
SHA256 6fd366a691ed68430bcd0a3de3d8d19a0cb2102952bfc140bbef4354ed082c47
SHA512 d95cd98d22ca048d0fc5bca551c9db13d6fa705f6af120bbbb621cf2b30284bfdc7320d0a819bb26dab1e0a46253cc311a370bed4ef72ecb60c69791ed720168

C:\Users\Admin\AppData\Local\Temp\_MEI38402\unicodedata.pyd

MD5 8c42fcc013a1820f82667188e77be22d
SHA1 fba7e4e0f86619aaf2868cedd72149e56a5a87d4
SHA256 0e00b0e896457ecdc6ef85a8989888ccfbf05ebd8d8a1c493946a2f224b880c2
SHA512 3a028443747d04d05fdd3982bb18c52d1afee2915a90275264bf5db201bd4612090914c7568f870f0af7dfee850c554b3fec9d387334d53d03da6426601942b4

C:\Users\Admin\AppData\Local\Temp\_MEI38402\tk86t.dll

MD5 a3b28c19b23fddf32c8920a4d492be47
SHA1 2b9aedaf02d2ec7dbb36596b8ceeb10657480e43
SHA256 c611b2a311da589f93e83f0662dcb8b3bb3db8450c64084da4b067b36a52ecb2
SHA512 24d44d6ddde9d05eaabfa58aadeef85443be46c535d3f290b50f2208fd79f27215f65b099389a04381b6b44a812b17687886185b49eb94f7fd193114cf3c9436

C:\Users\Admin\AppData\Local\Temp\_MEI38402\tcl86t.dll

MD5 ad6e74d50f92edcdb4420750d190610c
SHA1 af6b5fae4d3d5a064df0e727bfd63e8ff82828bc
SHA256 6074ed09ce5ff856dd8f3b27a3207cf31d8f48fa1247853773609357b511068d
SHA512 18630348aa556a672bb1675f2cae3182929c3c4a6c3c5745dfda9865b17d19f895d5f1da98ec6b03ffe921abd34b16a90a56bfede64c351f307491a7f3df6e3e

C:\Users\Admin\AppData\Local\Temp\_MEI38402\sqlite3.dll

MD5 dbc64142944210671cca9d449dab62e6
SHA1 a2a2098b04b1205ba221244be43b88d90688334c
SHA256 6e6b6f7df961c119692f6c1810fbfb7d40219ea4e5b2a98c413424cf02dce16c
SHA512 3bff546482b87190bb2a499204ab691532aa6f4b4463ab5c462574fc3583f9fc023c1147d84d76663e47292c2ffc1ed1cb11bdb03190e13b6aa432a1cef85c4b

C:\Users\Admin\AppData\Local\Temp\_MEI38402\select.pyd

MD5 45d5a749e3cd3c2de26a855b582373f6
SHA1 90bb8ac4495f239c07ec2090b935628a320b31fc
SHA256 2d15c2f311528440aa29934920fb0b015eaf8cbe3b3c9ad08a282a2d6ba68876
SHA512 c7a641d475a26712652a84b8423155ca347e0ec0155bd257c200225a64752453e4763b8885d8fb043b30e92ae023a501fff04777ba5cfe54da9a68071f25fbea

C:\Users\Admin\AppData\Local\Temp\_MEI38402\SDL2_ttf.dll

MD5 9f5ece4e13e42058fa5ea65215c41c5d
SHA1 eddcecb4f10f2bb9b61c57b88fb6bd1b1d560a07
SHA256 f5f2690285fc087376ff03edb8849ab5f24c6e9d60ae3661013bea621786582b
SHA512 09cf0927b7cdb84f9ddec465ba10874af6160f947e58e9ff9ead2aa6d10e7d164dd8c5e2df6314f0dd8a84d0b104b48dbac8cc96522f749d54041b3e8ec03400

C:\Users\Admin\AppData\Local\Temp\_MEI38402\SDL2_mixer.dll

MD5 1230b474eca2c4cefb13cf0aaa2fc5d0
SHA1 e23f9cf8cb7dd47e92a02f7508922f01d4d1364b
SHA256 6879a16d963159cb0666e654ea4d5e9a92abffd96cfc6fffe6b39ae81b4ffca3
SHA512 2520fdfbd1370bb9683c29fe1722f771e3d4c7df635987371190be5445237f9e96ae506bbeb79035f6f483ac116995b56bb1e9fc35b6f6a6d49bb940dbf72ead

C:\Users\Admin\AppData\Local\Temp\_MEI38402\SDL2_image.dll

MD5 7174d7a8eec42d7700c5f4adfff39b57
SHA1 b850f0814e77a67f0414a85aae88c9534ca857e5
SHA256 155eab85fe565f6dd1ecb29d6496425539c994bc0d14b52cabd850df5927f9bf
SHA512 9a79cc9661cdab7efeb096f1eb121807ba937b444546d46a321613f6d2792ebf09cc62ff067ece7cb0458b988d6081feadd33e93a52c24faac53dc1539bf32c9

C:\Users\Admin\AppData\Local\Temp\_MEI38402\SDL2.dll

MD5 9684069bb2b8892408ccb50d66abbeda
SHA1 7df5e8f28481c4e7aef128e017a53a36b86c3b7b
SHA256 123c8a0d647e5b866545f8e1cc4cfba5fdadf8c1a247692050355a609d81996b
SHA512 fbe493326da9b582c9c4fa1b16ba02e5befcf5787324116656e108527894f692c3fc21493419a419833ab37a5fa5fb5e38e2c04a8cbdbc3c8afeba08df390697

C:\Users\Admin\AppData\Local\Temp\_MEI38402\pyexpat.pyd

MD5 07c481d3ecdc06b1c5fd15c503490298
SHA1 656c79384d418de31b84c7b68b30a7e37251a475
SHA256 40672a3fc0931133fd74802ec34edc4a91fccf432d8fc1b63e693f64912f8284
SHA512 c7ed37aa552e72106d590206d77836f9e32f2285bc767e55579b17dd97d6e48a5201fb53fff4641a9a84c261343e8b00ec3899c16ccf50c707af858f4bf4e501

C:\Users\Admin\AppData\Local\Temp\_MEI38402\portmidi.dll

MD5 1b443fe9c75d57eedcf5fd67493573e2
SHA1 27504e51f5f19d3d73ed2a0ba473dc5cda787679
SHA256 96b2ba3d433b0e0a0ce72c72725e033ca35b570225b55b38fb7d71c716418ee3
SHA512 02f0ee765490d999ac621f54411b039ef42dddeba17d2edbb9970db20e481d29aed4d607d8330a7c5cd7133b214f13dcb427e89903f9baaef20ffc4a431bb0c4

memory/1124-1356-0x00007FFBC1B20000-0x00007FFBC1B2C000-memory.dmp

memory/1124-1357-0x00007FFBC1B10000-0x00007FFBC1B1D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI38402\libwebp-7.dll

MD5 4276d3cb447a08644a2c1d3b7afb9fdf
SHA1 d63f34d0b4e8eb660a92a3843b695eda16294b80
SHA256 cc3831ce9ff18f5ebfde8b20d1ee237e2336e4d9ca6405392ac5ec9c8c948174
SHA512 d3a539176243e31a15877b0a6c40c295036ccac5c3ac13cd7b74a340c4183a661a630bbe6b5b0c0ff54b4b27fc72bc154883c7ba5167cb4baeb4b0a528f514bc

C:\Users\Admin\AppData\Local\Temp\_MEI38402\libtiff-5.dll

MD5 f374796886d56c6c552f3a92a81c3338
SHA1 d61f0297386e9925a6ac0c6469ba40b86d3c98cd
SHA256 e2c5b370bcade6a167dba5dc9bb33107d4ed2612e7e8af8d1035be72f35f90d7
SHA512 b59cd888b41c67bf139c2c78d7968a33c84e9127752b9fa276b7b3b461a01cd71dc72936e51a334ddad7fa8e67dd4c250a3495ce544aa156efacb77e7f1dce9f

C:\Users\Admin\AppData\Local\Temp\_MEI38402\libssl-3.dll

MD5 bf4a722ae2eae985bacc9d2117d90a6f
SHA1 3e29de32176d695d49c6b227ffd19b54abb521ef
SHA256 827fdb184fdcde9223d09274be780fe4fe8518c15c8fc217748ad5fd5ea0f147
SHA512 dd83b95967582152c7b5581121e6b69a07073e7a76fe87975742bb0fd7ecef7494ec940dba914364034cc4e3f623be98cc887677b65c208f14a2a9fc7497ca73

C:\Users\Admin\AppData\Local\Temp\_MEI38402\libpng16-16.dll

MD5 8f3bf615136b7241204419fb24c8d5ad
SHA1 d107f0b405c566974c37be20e1abbd365ccbb750
SHA256 a9c4d2443d6de90091eff8a5adfd7a3c207b0c7aefb913b855320866e93f8039
SHA512 a2ced7974c086291e69dce39f841335c771088aecbbc52b049d7af51c81342bd1e8bd0d8c78e62529e2041d15d8f5317e5a41727e299c2d827027bcbb0382aa1

C:\Users\Admin\AppData\Local\Temp\_MEI38402\libopusfile-0.dll

MD5 a729c1b14d695b00ae79472d3fe45339
SHA1 20cd334187fc7297138f014303e5c82b5f918c80
SHA256 57bb8b7dec2bd35ff1031f12c4ba3aa3cb2e8de2445e21ea29ffa3ad13e7be3a
SHA512 1da8060b1767bdf811b005e4a476c18f1c2f93186334aa40ca59937cec7aed37267c45a3b5aaeb8fa13d9b0639959d128d957e6d08fcb9787926df850e42fc22

C:\Users\Admin\AppData\Local\Temp\_MEI38402\libopus-0.x64.dll

MD5 17bed62f3389d532d3dfc59071bbd214
SHA1 2b0894cc48dd3756f0ff6602bf8c1e24cb8b6642
SHA256 4fd26640721088ac31fdac941db6fa3c094ca17bd97d240992969aefae19ff91
SHA512 976c5e0dd50487eb5f88c195633805cccbf34566496065eaf8f3ecbbea0300653097bfbbf628dbb2c238a4d552460187794bcebcb8d41452a3f873f0244fc6a4

C:\Users\Admin\AppData\Local\Temp\_MEI38402\libopus-0.dll

MD5 3c2e93c3d2b292a0f489449209f8e099
SHA1 751f18a79c6da4e7162439cef4d481189d17a242
SHA256 b6b32593c0bcecea7b31a900086870bbab039f25b29067170ac461cf2479dea5
SHA512 a0ec68d2a1c650720b4e3e437a5841e8d04d165fc920ce26a41cc20d6ddf4c761b05bbf3426e241c2ee13a9fbe146fc889aa45df70397600b2d962bdaa1bedbb

C:\Users\Admin\AppData\Local\Temp\_MEI38402\libogg-0.dll

MD5 6ffebd7d283079e9029c7f29d8ca7fba
SHA1 b470b09c8aa2f3e42bcff8392d95b6259cb87555
SHA256 0d9a915ea29ed4da271f86dbcfa90b52064a26b5136af590b2bb430d5dd6a67e
SHA512 2b9a9b5f298eefccf0a08af52d7c2c803db19ab9f3cedad2bb19df50466527c05e31f956b6018c9a337565448249465eba8952e9e8397b728b7f76e4f0561c68

C:\Users\Admin\AppData\Local\Temp\_MEI38402\libmodplug-1.dll

MD5 072093b2671589d4ce465de2b92ebee4
SHA1 821d9827286271859640984df28e01b4a37341fb
SHA256 04d07b4dcae8d3998156d563df20881ba790c32389aca23ade91de9cf9f4a3d4
SHA512 522d5faa8d17017f1891374a23d6e653cd62b51818734bf1f7343248d09e1e314ae49821595818fe69af62c9e51debca4ae384e421ad8fa658aced95f977379e

C:\Users\Admin\AppData\Local\Temp\_MEI38402\libjpeg-9.dll

MD5 6e67e46f957f50215b7e68c9091db53f
SHA1 e969fa4858351c95c337352dd0578fe5a83403f0
SHA256 24b25fe9ebe303496973c4d11144b053a5f5a03eabf53f9d8eab0c15fdbfbffe
SHA512 86af5560269ef21490f5343ea3e0522f35e271d42e64f61a2f05471302856de79d34bf00658e1667d7145af48667627fa3897bca2fc479928ab9a62ecba81396

C:\Users\Admin\AppData\Local\Temp\_MEI38402\libcrypto-3.dll

MD5 78ebd9cb6709d939e4e0f2a6bbb80da9
SHA1 ea5d7307e781bc1fa0a2d098472e6ea639d87b73
SHA256 6a8c458e3d96f8dd3bf6d3cacc035e38edf7f127eee5563b51f8c8790ced0b3e
SHA512 b752769b3de4b78905b0326b5270091642ac89ff204e9e4d78670791a1fa211a54d777aeef59776c21f854c263add163adaef6a81b166190518cfaaf4e2e4122

C:\Users\Admin\AppData\Local\Temp\_MEI38402\freetype.dll

MD5 522257e451efcc3bfe980f56d3fed113
SHA1 f5e12321517f523842943ea7f3ba74d449dba1f4
SHA256 8c74376e7932eebcd084191b40774056b32525ba48e375d942754cdc4fc03c60
SHA512 d590cd813281278be4aec86af3713216dd306399b4910221a2447a3200accbca1b5f8d9495bf21f69ff8e09e5465a71c715a85ce0d87cdc26cbf27b0fae2cc4c

C:\Users\Admin\AppData\Local\Temp\_MEI38402\crypto_clipper.json

MD5 8bff94a9573315a9d1820d9bb710d97f
SHA1 e69a43d343794524b771d0a07fd4cb263e5464d5
SHA256 3f7446866f42bcbeb8426324d3ea58f386f3171abe94279ea7ec773a4adde7d7
SHA512 d5ece1ea9630488245c578cb22d6d9d902839e53b4550c6232b4fb9389ef6c5d5392426ea4a9e3c461979d6d6aa94ddf3b2755f48e9988864788b530cdfcf80f

\Users\Admin\AppData\Local\Temp\_MEI38402\_lzma.pyd

MD5 542eab18252d569c8abef7c58d303547
SHA1 05eff580466553f4687ae43acba8db3757c08151
SHA256 d2a7111feeaacac8b3a71727482565c46141cc7a5a3d837d8349166bea5054c9
SHA512 b7897b82f1aa9d5aa895c3de810dab1aa335fdf7223e4ff29b32340ad350d9be6b145f95a71c7bc7c88c8df77c3f04853ae4d6f0d5a289721fc1468ecba3f958

C:\Users\Admin\AppData\Local\Temp\_MEI38402\_lzma.pyd

MD5 542eab18252d569c8abef7c58d303547
SHA1 05eff580466553f4687ae43acba8db3757c08151
SHA256 d2a7111feeaacac8b3a71727482565c46141cc7a5a3d837d8349166bea5054c9
SHA512 b7897b82f1aa9d5aa895c3de810dab1aa335fdf7223e4ff29b32340ad350d9be6b145f95a71c7bc7c88c8df77c3f04853ae4d6f0d5a289721fc1468ecba3f958

memory/1124-1358-0x00007FFBC1AF0000-0x00007FFBC1B02000-memory.dmp

memory/1124-1359-0x00007FFBC1A80000-0x00007FFBC1A8C000-memory.dmp

memory/1124-1360-0x00007FFBC19F0000-0x00007FFBC1A02000-memory.dmp

memory/1124-1279-0x00007FFBC6290000-0x00007FFBC62A9000-memory.dmp

\Users\Admin\AppData\Local\Temp\_MEI38402\_bz2.pyd

MD5 c413931b63def8c71374d7826fbf3ab4
SHA1 8b93087be080734db3399dc415cc5c875de857e2
SHA256 17bfa656cabf7ef75741003497a1c315b10237805ff171d44625a04c16532293
SHA512 7dc45e7e5ed35cc182de11a1b08c066918920a6879ff8e37b6bfbdd7d40bffa39ea4aca778aa8afb99c81a365c51187db046bceb938ce9ace0596f1cf746474f

C:\Users\Admin\AppData\Local\Temp\_MEI38402\_bz2.pyd

MD5 c413931b63def8c71374d7826fbf3ab4
SHA1 8b93087be080734db3399dc415cc5c875de857e2
SHA256 17bfa656cabf7ef75741003497a1c315b10237805ff171d44625a04c16532293
SHA512 7dc45e7e5ed35cc182de11a1b08c066918920a6879ff8e37b6bfbdd7d40bffa39ea4aca778aa8afb99c81a365c51187db046bceb938ce9ace0596f1cf746474f

C:\Users\Admin\AppData\Local\Temp\_MEI38402\libffi-8.dll

MD5 08b000c3d990bc018fcb91a1e175e06e
SHA1 bd0ce09bb3414d11c91316113c2becfff0862d0d
SHA256 135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece
SHA512 8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

\Users\Admin\AppData\Local\Temp\_MEI38402\_ctypes.pyd

MD5 00f75daaa7f8a897f2a330e00fad78ac
SHA1 44aec43e5f8f1282989b14c4e3bd238c45d6e334
SHA256 9ffadcb2c40ae6b67ab611acc09e050bbe544672cf05e8402a7aa3936326de1f
SHA512 f222f0ebf16a5c6d16aa2fba933034e692e26e81fea4d8b008259aff4102fe8acf3807f3b016c24002daa15bb8778d7fef20f4ae1206d5a6e226f7336d4da5d4

\Users\Admin\AppData\Local\Temp\_MEI38402\python3.dll

MD5 0e105f62fdd1ff4157560fe38512220b
SHA1 99bd69a94b3dc99fe2c0f7bbbcd05aa0bc8cd45c
SHA256 803ba8242b409080df166320c05a4402aab6dd30e31c4389871f4b68ca1ad423
SHA512 59c0f749ed9c59efdbcd04265b4985b1175fdd825e5a307745531ed2537397e739bc9290fdc3936cfd04f566e28bb76b878f124248b8344cf74f641c6b1101de

memory/1124-1362-0x00007FFBC18B0000-0x00007FFBC18FA000-memory.dmp

memory/1124-1364-0x00007FFBC17C0000-0x00007FFBC17E3000-memory.dmp

memory/1124-1361-0x00007FFBC1900000-0x00007FFBC1919000-memory.dmp

memory/1124-1363-0x00007FFBC17F0000-0x00007FFBC181E000-memory.dmp

memory/1124-1365-0x00007FFBBF790000-0x00007FFBBF907000-memory.dmp

memory/1124-1366-0x00007FFBC1730000-0x00007FFBC173B000-memory.dmp

memory/1124-1367-0x00007FFBC1720000-0x00007FFBC172C000-memory.dmp

memory/1124-1368-0x00007FFBC1700000-0x00007FFBC170C000-memory.dmp

memory/1124-1370-0x00007FFBC12D0000-0x00007FFBC12DC000-memory.dmp

memory/1124-1371-0x00007FFBC12C0000-0x00007FFBC12CD000-memory.dmp

memory/1124-1369-0x00007FFBC12E0000-0x00007FFBC12EB000-memory.dmp

memory/1124-1372-0x00007FFBC12B0000-0x00007FFBC12BE000-memory.dmp

memory/1124-1373-0x00007FFBC12A0000-0x00007FFBC12AC000-memory.dmp

memory/1124-1374-0x00007FFBC1000000-0x00007FFBC100C000-memory.dmp

memory/1124-1375-0x00007FFBC0FF0000-0x00007FFBC0FFB000-memory.dmp

memory/1124-1376-0x00007FFBC0F70000-0x00007FFBC0F7B000-memory.dmp

memory/1124-1379-0x00007FFBC0BF0000-0x00007FFBC0BFC000-memory.dmp

memory/1124-1380-0x00007FFBC0BE0000-0x00007FFBC0BEC000-memory.dmp

memory/1124-1381-0x00007FFBBD060000-0x00007FFBBD11C000-memory.dmp

memory/1124-1382-0x00007FFBC6210000-0x00007FFBC621D000-memory.dmp

memory/1124-1383-0x00007FFBC1A10000-0x00007FFBC1A25000-memory.dmp

memory/1124-1384-0x00007FFBC19D0000-0x00007FFBC19E4000-memory.dmp

memory/1124-1385-0x00007FFBC19A0000-0x00007FFBC19C2000-memory.dmp

memory/1124-1386-0x00007FFBC1920000-0x00007FFBC1937000-memory.dmp

memory/1124-1387-0x00007FFBC1980000-0x00007FFBC1991000-memory.dmp

memory/1124-1388-0x00007FFBC1950000-0x00007FFBC196C000-memory.dmp

memory/1124-1390-0x00007FFBC1820000-0x00007FFBC1849000-memory.dmp

memory/1124-1389-0x00007FFBC1850000-0x00007FFBC18AD000-memory.dmp

memory/1124-1392-0x00007FFBC1740000-0x00007FFBC174B000-memory.dmp

memory/1124-1391-0x00007FFBC17A0000-0x00007FFBC17B8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_apxhkcsp.0d2.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/1124-1567-0x00007FFBC1F30000-0x00007FFBC2519000-memory.dmp

memory/1124-1568-0x00007FFBC62B0000-0x00007FFBC62D3000-memory.dmp

memory/1124-1580-0x00007FFBC6220000-0x00007FFBC6239000-memory.dmp

memory/1124-1582-0x00007FFBC2E90000-0x00007FFBC2EC3000-memory.dmp

memory/1124-1589-0x00007FFBC1D20000-0x00007FFBC1D46000-memory.dmp

memory/1124-1594-0x00007FFBC1BC0000-0x00007FFBC1BF8000-memory.dmp

memory/1124-1598-0x00007FFBC1F30000-0x00007FFBC2519000-memory.dmp

memory/1124-1600-0x00007FFBC62B0000-0x00007FFBC62D3000-memory.dmp

memory/1124-1602-0x00007FFBC69C0000-0x00007FFBC69CF000-memory.dmp

memory/1124-1605-0x00007FFBC6290000-0x00007FFBC62A9000-memory.dmp

memory/1124-1607-0x00007FFBC6260000-0x00007FFBC628D000-memory.dmp

memory/1124-1609-0x00007FFBC6240000-0x00007FFBC6254000-memory.dmp

memory/1124-1611-0x00007FFBB2860000-0x00007FFBB2D80000-memory.dmp

memory/1124-1613-0x00007FFBC6220000-0x00007FFBC6239000-memory.dmp

memory/1124-1614-0x00007FFBC6210000-0x00007FFBC621D000-memory.dmp

memory/1124-1616-0x00007FFBC2E90000-0x00007FFBC2EC3000-memory.dmp

memory/1124-1622-0x00007FFBC61D0000-0x00007FFBC61DB000-memory.dmp

memory/1124-1619-0x00007FFBC1E60000-0x00007FFBC1F2D000-memory.dmp

memory/1124-1623-0x00007FFBC1D20000-0x00007FFBC1D46000-memory.dmp

memory/1124-1621-0x00007FFBC61E0000-0x00007FFBC61ED000-memory.dmp

memory/1124-1625-0x00007FFBC1C00000-0x00007FFBC1D1C000-memory.dmp

memory/1124-1627-0x00007FFBC1BC0000-0x00007FFBC1BF8000-memory.dmp

memory/1124-1629-0x00007FFBC1A10000-0x00007FFBC1A25000-memory.dmp

memory/1124-1633-0x00007FFBC19D0000-0x00007FFBC19E4000-memory.dmp

memory/1124-1634-0x00007FFBC19A0000-0x00007FFBC19C2000-memory.dmp

memory/1124-1636-0x00007FFBC1920000-0x00007FFBC1937000-memory.dmp

memory/1124-1638-0x00007FFBC1900000-0x00007FFBC1919000-memory.dmp

memory/1124-1642-0x00007FFBC1980000-0x00007FFBC1991000-memory.dmp

memory/1124-1640-0x00007FFBC18B0000-0x00007FFBC18FA000-memory.dmp

memory/1124-1632-0x00007FFBC19F0000-0x00007FFBC1A02000-memory.dmp

memory/1124-1644-0x00007FFBC1950000-0x00007FFBC196C000-memory.dmp

memory/1124-1647-0x00007FFBC1850000-0x00007FFBC18AD000-memory.dmp

memory/1124-1650-0x00007FFBC1820000-0x00007FFBC1849000-memory.dmp

memory/1124-1652-0x00007FFBC17F0000-0x00007FFBC181E000-memory.dmp

memory/1124-1656-0x00007FFBBF790000-0x00007FFBBF907000-memory.dmp

memory/1124-1654-0x00007FFBC17C0000-0x00007FFBC17E3000-memory.dmp

memory/1124-1658-0x00007FFBC17A0000-0x00007FFBC17B8000-memory.dmp

memory/1124-1660-0x00007FFBC0B60000-0x00007FFBC0B96000-memory.dmp

memory/1124-1662-0x00007FFBBD060000-0x00007FFBBD11C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI26602\cryptography-41.0.5.dist-info\INSTALLER

MD5 365c9bfeb7d89244f2ce01c1de44cb85
SHA1 d7a03141d5d6b1e88b6b59ef08b6681df212c599
SHA256 ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508
SHA512 d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

Analysis: behavioral2

Detonation Overview

Submitted

2023-11-27 15:35

Reported

2023-11-27 15:38

Platform

win10v2004-20231023-en

Max time kernel

134s

Max time network

161s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Agama.exe"

Signatures

Enumerates VirtualBox DLL files

Description Indicator Process Target
File opened (read-only) C:\windows\system32\vboxhook.dll C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
File opened (read-only) C:\windows\system32\vboxmrxnp.dll C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A

Sets file to hidden

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Exol Service\Agama.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AgamaUpdater = "C:\\Users\\Admin\\Exol Service\\Agama.exe" C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4224 wrote to memory of 740 N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe C:\Users\Admin\AppData\Local\Temp\Agama.exe
PID 4224 wrote to memory of 740 N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe C:\Users\Admin\AppData\Local\Temp\Agama.exe
PID 740 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe C:\Windows\system32\cmd.exe
PID 740 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe C:\Windows\system32\cmd.exe
PID 740 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 740 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 740 wrote to memory of 3896 N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe C:\Windows\system32\cmd.exe
PID 740 wrote to memory of 3896 N/A C:\Users\Admin\AppData\Local\Temp\Agama.exe C:\Windows\system32\cmd.exe
PID 3896 wrote to memory of 4080 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 3896 wrote to memory of 4080 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 3896 wrote to memory of 4496 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\Exol Service\Agama.exe
PID 3896 wrote to memory of 4496 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\Exol Service\Agama.exe
PID 3896 wrote to memory of 672 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 3896 wrote to memory of 672 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Agama.exe

"C:\Users\Admin\AppData\Local\Temp\Agama.exe"

C:\Users\Admin\AppData\Local\Temp\Agama.exe

"C:\Users\Admin\AppData\Local\Temp\Agama.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "ver"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x518 0x520

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Add-MpPreference -ExclusionPath \"C:\Users\Admin\Exol Service\""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Exol Service\activate.bat""

C:\Windows\system32\attrib.exe

attrib +s +h .

C:\Users\Admin\Exol Service\Agama.exe

"Agama.exe"

C:\Windows\system32\taskkill.exe

taskkill /f /im "Agama.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 81.14.97.104.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 17.14.97.104.in-addr.arpa udp
US 8.8.8.8:53 80.14.97.104.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 120.208.253.8.in-addr.arpa udp
US 8.8.8.8:53 27.73.42.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI42242\python311.dll

MD5 5f6fd64ec2d7d73ae49c34dd12cedb23
SHA1 c6e0385a868f3153a6e8879527749db52dce4125
SHA256 ff9f102264d1944fbfae2ba70e7a71435f51a3e8c677fd970b621c4c9ea71967
SHA512 c4be2d042c6e4d22e46eacfd550f61b8f55814bfe41d216a4df48382247df70bc63151068513855aa78f9b3d2f10ba6a824312948324c92de6dd0f6af414e8ab

C:\Users\Admin\AppData\Local\Temp\_MEI42242\VCRUNTIME140.dll

MD5 49c96cecda5c6c660a107d378fdfc3d4
SHA1 00149b7a66723e3f0310f139489fe172f818ca8e
SHA256 69320f278d90efaaeb67e2a1b55e5b0543883125834c812c8d9c39676e0494fc
SHA512 e09e072f3095379b0c921d41d6e64f4f1cd78400594a2317cfb5e5dca03dedb5a8239ed89905c9e967d1acb376b0585a35addf6648422c7ddb472ce38b1ba60d

C:\Users\Admin\AppData\Local\Temp\_MEI42242\VCRUNTIME140.dll

MD5 49c96cecda5c6c660a107d378fdfc3d4
SHA1 00149b7a66723e3f0310f139489fe172f818ca8e
SHA256 69320f278d90efaaeb67e2a1b55e5b0543883125834c812c8d9c39676e0494fc
SHA512 e09e072f3095379b0c921d41d6e64f4f1cd78400594a2317cfb5e5dca03dedb5a8239ed89905c9e967d1acb376b0585a35addf6648422c7ddb472ce38b1ba60d

C:\Users\Admin\AppData\Local\Temp\_MEI42242\python311.dll

MD5 5f6fd64ec2d7d73ae49c34dd12cedb23
SHA1 c6e0385a868f3153a6e8879527749db52dce4125
SHA256 ff9f102264d1944fbfae2ba70e7a71435f51a3e8c677fd970b621c4c9ea71967
SHA512 c4be2d042c6e4d22e46eacfd550f61b8f55814bfe41d216a4df48382247df70bc63151068513855aa78f9b3d2f10ba6a824312948324c92de6dd0f6af414e8ab

memory/740-1263-0x00007FF913CD0000-0x00007FF9142B9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI42242\base_library.zip

MD5 611f3f285525f3c3354fd199140283a2
SHA1 8a0cf2dd234b0551e193c43f085115d5f0139620
SHA256 fe8ddb060df80f828b35d3ecae62a73d3105b493818385485f9428d7c6aad8e9
SHA512 bcb0d0c9816a266ac77e65476c18d3334f81114f1716c102a31d66a0098c483c6ecb712eb0967b920f15254ef6954e936a9d6d0ad33e7810fab6d06790ffba76

C:\Users\Admin\AppData\Local\Temp\_MEI42242\python3.DLL

MD5 0e105f62fdd1ff4157560fe38512220b
SHA1 99bd69a94b3dc99fe2c0f7bbbcd05aa0bc8cd45c
SHA256 803ba8242b409080df166320c05a4402aab6dd30e31c4389871f4b68ca1ad423
SHA512 59c0f749ed9c59efdbcd04265b4985b1175fdd825e5a307745531ed2537397e739bc9290fdc3936cfd04f566e28bb76b878f124248b8344cf74f641c6b1101de

C:\Users\Admin\AppData\Local\Temp\_MEI42242\_ctypes.pyd

MD5 00f75daaa7f8a897f2a330e00fad78ac
SHA1 44aec43e5f8f1282989b14c4e3bd238c45d6e334
SHA256 9ffadcb2c40ae6b67ab611acc09e050bbe544672cf05e8402a7aa3936326de1f
SHA512 f222f0ebf16a5c6d16aa2fba933034e692e26e81fea4d8b008259aff4102fe8acf3807f3b016c24002daa15bb8778d7fef20f4ae1206d5a6e226f7336d4da5d4

C:\Users\Admin\AppData\Local\Temp\_MEI42242\python3.dll

MD5 0e105f62fdd1ff4157560fe38512220b
SHA1 99bd69a94b3dc99fe2c0f7bbbcd05aa0bc8cd45c
SHA256 803ba8242b409080df166320c05a4402aab6dd30e31c4389871f4b68ca1ad423
SHA512 59c0f749ed9c59efdbcd04265b4985b1175fdd825e5a307745531ed2537397e739bc9290fdc3936cfd04f566e28bb76b878f124248b8344cf74f641c6b1101de

C:\Users\Admin\AppData\Local\Temp\_MEI42242\_ctypes.pyd

MD5 00f75daaa7f8a897f2a330e00fad78ac
SHA1 44aec43e5f8f1282989b14c4e3bd238c45d6e334
SHA256 9ffadcb2c40ae6b67ab611acc09e050bbe544672cf05e8402a7aa3936326de1f
SHA512 f222f0ebf16a5c6d16aa2fba933034e692e26e81fea4d8b008259aff4102fe8acf3807f3b016c24002daa15bb8778d7fef20f4ae1206d5a6e226f7336d4da5d4

C:\Users\Admin\AppData\Local\Temp\_MEI42242\python3.dll

MD5 0e105f62fdd1ff4157560fe38512220b
SHA1 99bd69a94b3dc99fe2c0f7bbbcd05aa0bc8cd45c
SHA256 803ba8242b409080df166320c05a4402aab6dd30e31c4389871f4b68ca1ad423
SHA512 59c0f749ed9c59efdbcd04265b4985b1175fdd825e5a307745531ed2537397e739bc9290fdc3936cfd04f566e28bb76b878f124248b8344cf74f641c6b1101de

C:\Users\Admin\AppData\Local\Temp\_MEI42242\libffi-8.dll

MD5 08b000c3d990bc018fcb91a1e175e06e
SHA1 bd0ce09bb3414d11c91316113c2becfff0862d0d
SHA256 135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece
SHA512 8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

C:\Users\Admin\AppData\Local\Temp\_MEI42242\libopus-0.x64.dll

MD5 17bed62f3389d532d3dfc59071bbd214
SHA1 2b0894cc48dd3756f0ff6602bf8c1e24cb8b6642
SHA256 4fd26640721088ac31fdac941db6fa3c094ca17bd97d240992969aefae19ff91
SHA512 976c5e0dd50487eb5f88c195633805cccbf34566496065eaf8f3ecbbea0300653097bfbbf628dbb2c238a4d552460187794bcebcb8d41452a3f873f0244fc6a4

C:\Users\Admin\AppData\Local\Temp\_MEI42242\_uuid.pyd

MD5 4faa479423c54d5be2a103b46ecb4d04
SHA1 011f6cdbd3badaa5c969595985a9ad18547dd7ec
SHA256 c2ad3c1b4333bc388b6a22049c89008505c434b1b85bff0823b19ef0cf48065a
SHA512 92d35824c30667af606bba883bf6e275f2a8b5cbfea2e84a77e256d122b91b3ee7e84d9f4e2a4946e903a11293af9648a45e8cfbe247cbdc3bcdea92eb5349c6

C:\Users\Admin\AppData\Local\Temp\_MEI42242\libcrypto-3.dll

MD5 78ebd9cb6709d939e4e0f2a6bbb80da9
SHA1 ea5d7307e781bc1fa0a2d098472e6ea639d87b73
SHA256 6a8c458e3d96f8dd3bf6d3cacc035e38edf7f127eee5563b51f8c8790ced0b3e
SHA512 b752769b3de4b78905b0326b5270091642ac89ff204e9e4d78670791a1fa211a54d777aeef59776c21f854c263add163adaef6a81b166190518cfaaf4e2e4122

C:\Users\Admin\AppData\Local\Temp\_MEI42242\_hashlib.pyd

MD5 b227bf5d9fec25e2b36d416ccd943ca3
SHA1 4fae06f24a1b61e6594747ec934cbf06e7ec3773
SHA256 d42c3550e58b9aa34d58f709dc65dc4ee6eea83b651740822e10b0aa051df1d7
SHA512 c6d7c5a966c229c4c7042ef60015e3333dab86f83c230c97b8b1042231fdb2a581285a5a08c33ad0864c6bd82f5a3298964ab317736af8a43e7caa7669298c3e

memory/740-1320-0x00007FF9132F0000-0x00007FF913810000-memory.dmp

memory/740-1321-0x00007FF9237D0000-0x00007FF9237FD000-memory.dmp

memory/740-1322-0x00007FF923960000-0x00007FF923974000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI42242\_socket.pyd

MD5 1a34253aa7c77f9534561dc66ac5cf49
SHA1 fcd5e952f8038a16da6c3092183188d997e32fb9
SHA256 dc03d32f681634e682b02e9a60fdfce420db9f26754aefb9a58654a064dc0f9f
SHA512 ff9eeb4ede4b4dd75c67fab30d0dec462b8af9ca6adc1dcae58f0d169c55a98d85bb610b157f17077b8854ec15af4dfab2f0d47fa9bc463e5b2449979a50293a

C:\Users\Admin\AppData\Local\Temp\_MEI42242\select.pyd

MD5 45d5a749e3cd3c2de26a855b582373f6
SHA1 90bb8ac4495f239c07ec2090b935628a320b31fc
SHA256 2d15c2f311528440aa29934920fb0b015eaf8cbe3b3c9ad08a282a2d6ba68876
SHA512 c7a641d475a26712652a84b8423155ca347e0ec0155bd257c200225a64752453e4763b8885d8fb043b30e92ae023a501fff04777ba5cfe54da9a68071f25fbea

C:\Users\Admin\AppData\Local\Temp\_MEI42242\_ssl.pyd

MD5 f9cc7385b4617df1ddf030f594f37323
SHA1 ebceec12e43bee669f586919a928a1fd93e23a97
SHA256 b093aa2e84a30790abeee82cf32a7c2209978d862451f1e0b0786c4d22833cb6
SHA512 3f362c8a7542212d455f1f187e24f63c6190e564ade0f24561e7e20375a1f15eb36bd8dce9fdaafdab1d6b348a1c6f7cddb9016e4f3535b49136550bc23454fb

C:\Users\Admin\AppData\Local\Temp\_MEI42242\libssl-3.dll

MD5 bf4a722ae2eae985bacc9d2117d90a6f
SHA1 3e29de32176d695d49c6b227ffd19b54abb521ef
SHA256 827fdb184fdcde9223d09274be780fe4fe8518c15c8fc217748ad5fd5ea0f147
SHA512 dd83b95967582152c7b5581121e6b69a07073e7a76fe87975742bb0fd7ecef7494ec940dba914364034cc4e3f623be98cc887677b65c208f14a2a9fc7497ca73

memory/740-1329-0x00007FF923770000-0x00007FF9237A3000-memory.dmp

memory/740-1326-0x00007FF924770000-0x00007FF92477D000-memory.dmp

memory/740-1330-0x00007FF913C00000-0x00007FF913CCD000-memory.dmp

memory/740-1324-0x00007FF9237B0000-0x00007FF9237C9000-memory.dmp

memory/740-1317-0x00007FF923CF0000-0x00007FF923D09000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI42242\_tkinter.pyd

MD5 21e05294dd230deee50e5036efad282a
SHA1 689747aaac5e2ecb8852507805bc4ae1df63fe10
SHA256 1ae9a8d0d41abb9d793ef74c2d78079c12122c779a5403109e6599331d282377
SHA512 877be83ad0caa7f9f8b0efeea047c76efec86ed388ba63792d2ef40e257bc86504c84215ff8bd7d1500c5e3b6430b7d5d8d8b1ddd6abb3f50020101cf75bba83

C:\Users\Admin\AppData\Local\Temp\_MEI42242\_ssl.pyd

MD5 f9cc7385b4617df1ddf030f594f37323
SHA1 ebceec12e43bee669f586919a928a1fd93e23a97
SHA256 b093aa2e84a30790abeee82cf32a7c2209978d862451f1e0b0786c4d22833cb6
SHA512 3f362c8a7542212d455f1f187e24f63c6190e564ade0f24561e7e20375a1f15eb36bd8dce9fdaafdab1d6b348a1c6f7cddb9016e4f3535b49136550bc23454fb

C:\Users\Admin\AppData\Local\Temp\_MEI42242\_queue.pyd

MD5 347d6a8c2d48003301032546c140c145
SHA1 1a3eb60ad4f3da882a3fd1e4248662f21bd34193
SHA256 e71803913b57c49f4ce3416ec15dc8a9e5c14f8675209624e76cd71b0319b192
SHA512 b1fdb46b80bb4a39513685781d563a7d55377e43e071901930a13c3e852d0042a5302cd238ddf6ea4d35ceee5a613c96996bffad2da3862673a0d27e60ff2c06

C:\Users\Admin\AppData\Local\Temp\_MEI42242\charset_normalizer\md.cp311-win_amd64.pyd

MD5 32062fd1796553acac7aa3d62ce4c4a5
SHA1 0c5e7deb9c11eeaf4799f1a677880fbaf930079c
SHA256 4910c386c02ae6b2848d5728e7376c5881c56962d29067005e1e2ad518bc07ae
SHA512 18c3b894af9102df8ed15f78e1d3a51db1f07465d814380a0220f0c0571b52292b065aed819004f13aeb343f677ac5bfd5a5a35d6f74e48381228724241f7758

C:\Users\Admin\AppData\Local\Temp\_MEI42242\charset_normalizer\md.cp311-win_amd64.pyd

MD5 32062fd1796553acac7aa3d62ce4c4a5
SHA1 0c5e7deb9c11eeaf4799f1a677880fbaf930079c
SHA256 4910c386c02ae6b2848d5728e7376c5881c56962d29067005e1e2ad518bc07ae
SHA512 18c3b894af9102df8ed15f78e1d3a51db1f07465d814380a0220f0c0571b52292b065aed819004f13aeb343f677ac5bfd5a5a35d6f74e48381228724241f7758

memory/740-1332-0x00007FF923740000-0x00007FF92374D000-memory.dmp

memory/740-1335-0x00007FF9234B0000-0x00007FF9234D6000-memory.dmp

memory/740-1336-0x00007FF913AE0000-0x00007FF913BFC000-memory.dmp

memory/740-1339-0x00007FF9231C0000-0x00007FF9231F8000-memory.dmp

memory/740-1338-0x00007FF9234E0000-0x00007FF9234EB000-memory.dmp

memory/740-1340-0x00007FF923490000-0x00007FF92349B000-memory.dmp

memory/740-1341-0x00007FF923480000-0x00007FF92348C000-memory.dmp

memory/740-1337-0x00007FF913CD0000-0x00007FF9142B9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI42242\_sqlite3.pyd

MD5 1a8fdc36f7138edcc84ee506c5ec9b92
SHA1 e5e2da357fe50a0927300e05c26a75267429db28
SHA256 8e4b9da9c95915e864c89856e2d7671cd888028578a623e761aeac2feca04882
SHA512 462a8f995afc4cf0e041515f0f68600dfd0b0b1402be7945d60e2157ffd4e476cf2ae9cdc8df9595f0fe876994182e3e43773785f79b20c6df08c8a8c47fffa0

C:\Users\Admin\AppData\Local\Temp\_MEI42242\_socket.pyd

MD5 1a34253aa7c77f9534561dc66ac5cf49
SHA1 fcd5e952f8038a16da6c3092183188d997e32fb9
SHA256 dc03d32f681634e682b02e9a60fdfce420db9f26754aefb9a58654a064dc0f9f
SHA512 ff9eeb4ede4b4dd75c67fab30d0dec462b8af9ca6adc1dcae58f0d169c55a98d85bb610b157f17077b8854ec15af4dfab2f0d47fa9bc463e5b2449979a50293a

C:\Users\Admin\AppData\Local\Temp\_MEI42242\_queue.pyd

MD5 347d6a8c2d48003301032546c140c145
SHA1 1a3eb60ad4f3da882a3fd1e4248662f21bd34193
SHA256 e71803913b57c49f4ce3416ec15dc8a9e5c14f8675209624e76cd71b0319b192
SHA512 b1fdb46b80bb4a39513685781d563a7d55377e43e071901930a13c3e852d0042a5302cd238ddf6ea4d35ceee5a613c96996bffad2da3862673a0d27e60ff2c06

C:\Users\Admin\AppData\Local\Temp\_MEI42242\_overlapped.pyd

MD5 ce4626159bf66ab04f0279bb2a9f4fad
SHA1 18d93c34132aee2bed9ad5928010d3f4f33bb477
SHA256 7b92710eaf825571d3f3b0443b7c5d0e7231df8f3cbb3ba69d90eedbc151edf0
SHA512 365ba4250eb58498c8c7f3398461c777f91e6ae9408213b373a0306d7c29b10515460160f15a37d6d311378e433cb4733d5107dfc0d4ecef5c5ed34da26bcd5b

C:\Users\Admin\AppData\Local\Temp\_MEI42242\_multiprocessing.pyd

MD5 e3e3f86cc4c41edbaa5d30769d743d09
SHA1 c8df3eaf3e30b6cfb9891a5fbd595a03f831cfc7
SHA256 0d8203dba58573e4bf1ff3c3e89c331085ce25df11f2860d8d59203dd8b3faf8
SHA512 eedff332f82e1635d4d1f091061389612476612daf4cd9c1dcdbcb76a4cde45c84879bfa6b3b505b6bb4ce6030102999d6830573095fa1dc637fbdb8b02e37a4

C:\Users\Admin\AppData\Local\Temp\_MEI42242\_hashlib.pyd

MD5 b227bf5d9fec25e2b36d416ccd943ca3
SHA1 4fae06f24a1b61e6594747ec934cbf06e7ec3773
SHA256 d42c3550e58b9aa34d58f709dc65dc4ee6eea83b651740822e10b0aa051df1d7
SHA512 c6d7c5a966c229c4c7042ef60015e3333dab86f83c230c97b8b1042231fdb2a581285a5a08c33ad0864c6bd82f5a3298964ab317736af8a43e7caa7669298c3e

C:\Users\Admin\AppData\Local\Temp\_MEI42242\_elementtree.pyd

MD5 f7f00d7a8c8f9532b58360deb55f7fa0
SHA1 be5ba44bac538d892579b27f4cb8a5af054720d7
SHA256 f752a6e47532582a6469d65d774c358f575bba0ecffb2c268dca04f99f1548cd
SHA512 3cf9d2ae0dc5034add460efe1e687a75d31d4d46d37b13c1d800781f280a8f2b7be17416a102efff4e562e2877fa0aa728f3ef8b55124b43a6029fe92c24d02d

C:\Users\Admin\AppData\Local\Temp\_MEI42242\_decimal.pyd

MD5 e3fb8bf23d857b1eb860923ccc47baa5
SHA1 46e9d5f746c047e1b2fefaaf8d3ec0f2c56c42f0
SHA256 7da13df1f416d3ffd32843c895948e460af4dc02cf05c521909555061ed108e3
SHA512 7b0a1fc00c14575b8f415fadc2078bebd157830887dc5b0c4414c8edfaf9fc4a65f58e5cceced11252ade4e627bf17979db397f4f0def9a908efb2eb68cd645c

C:\Users\Admin\AppData\Local\Temp\_MEI42242\_cffi_backend.cp311-win_amd64.pyd

MD5 1518035a65a45c274f1557ff5655e2d7
SHA1 2676d452113c68aa316cba9a03565ec146088c3f
SHA256 9ca400d84a52ae61c5613403ba379d69c271e8e9e9c3f253f93434c9336bc6e8
SHA512 b5932a2eadd2981a3bbc0918643a9936c9aaafc606d833d5ef2758061e05a3148826060ed52a2d121fabfd719ad9736b3402683640a4c4846b6aaaa457366b66

C:\Users\Admin\AppData\Local\Temp\_MEI42242\_asyncio.pyd

MD5 d776dbe9c3b432e7be82f61e491c598a
SHA1 f4b562ebdf18e60ae06d971cccc6108f3b2bc23d
SHA256 c3b2836defd08c6a5fac8bd375a7a7d4671d902af31011d60c463ac1100f3418
SHA512 c68070d2d33665ebb550df0eb4b512c86432fc79fec803bb4a6be8bc487a8b81fa5bdada6894c38944b7ac39603c965fda0e1b467edb1e2918c1bbf29faf0378

C:\Users\Admin\AppData\Local\Temp\_MEI42242\zlib1.dll

MD5 a35d7eeae683a35acb99e72e01cf132f
SHA1 cc37f1e0641f6afc821ef45a65986422eb853366
SHA256 c84547746f4c328daa9637414bbb252ec7124005d0cb7d4a8c62779cf641271c
SHA512 dd7996756a3aed62251f90cd0ae95feafa7bc1cfe7c51e7e2e09bfd30bf0bbb2775fe397a1963f63aed7ad49957b4dd75faed022c6ec4ed9576822f650612f2c

C:\Users\Admin\AppData\Local\Temp\_MEI42242\VCRUNTIME140_1.dll

MD5 cf0a1c4776ffe23ada5e570fc36e39fe
SHA1 2050fadecc11550ad9bde0b542bcf87e19d37f1a
SHA256 6fd366a691ed68430bcd0a3de3d8d19a0cb2102952bfc140bbef4354ed082c47
SHA512 d95cd98d22ca048d0fc5bca551c9db13d6fa705f6af120bbbb621cf2b30284bfdc7320d0a819bb26dab1e0a46253cc311a370bed4ef72ecb60c69791ed720168

C:\Users\Admin\AppData\Local\Temp\_MEI42242\portmidi.dll

MD5 1b443fe9c75d57eedcf5fd67493573e2
SHA1 27504e51f5f19d3d73ed2a0ba473dc5cda787679
SHA256 96b2ba3d433b0e0a0ce72c72725e033ca35b570225b55b38fb7d71c716418ee3
SHA512 02f0ee765490d999ac621f54411b039ef42dddeba17d2edbb9970db20e481d29aed4d607d8330a7c5cd7133b214f13dcb427e89903f9baaef20ffc4a431bb0c4

memory/740-1342-0x00007FF9231B0000-0x00007FF9231BB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI42242\libwebp-7.dll

MD5 4276d3cb447a08644a2c1d3b7afb9fdf
SHA1 d63f34d0b4e8eb660a92a3843b695eda16294b80
SHA256 cc3831ce9ff18f5ebfde8b20d1ee237e2336e4d9ca6405392ac5ec9c8c948174
SHA512 d3a539176243e31a15877b0a6c40c295036ccac5c3ac13cd7b74a340c4183a661a630bbe6b5b0c0ff54b4b27fc72bc154883c7ba5167cb4baeb4b0a528f514bc

memory/740-1344-0x00007FF91A740000-0x00007FF91A74C000-memory.dmp

memory/740-1343-0x00007FF91C7C0000-0x00007FF91C7CB000-memory.dmp

memory/740-1350-0x00007FF91A0A0000-0x00007FF91A0AB000-memory.dmp

memory/740-1354-0x00007FF914C70000-0x00007FF914C82000-memory.dmp

memory/740-1356-0x00007FF914960000-0x00007FF914974000-memory.dmp

memory/740-1360-0x00007FF914980000-0x00007FF914992000-memory.dmp

memory/740-1361-0x00007FF923290000-0x00007FF9232B2000-memory.dmp

memory/740-1359-0x00007FF9149A0000-0x00007FF9149B5000-memory.dmp

memory/740-1358-0x00007FF9230F0000-0x00007FF9230FC000-memory.dmp

memory/740-1357-0x00007FF9234A0000-0x00007FF9234AB000-memory.dmp

memory/740-1355-0x00007FF914C60000-0x00007FF914C6C000-memory.dmp

memory/740-1353-0x00007FF914C90000-0x00007FF914C9D000-memory.dmp

memory/740-1352-0x00007FF91A080000-0x00007FF91A08C000-memory.dmp

memory/740-1351-0x00007FF91A090000-0x00007FF91A09C000-memory.dmp

memory/740-1349-0x00007FF91A0B0000-0x00007FF91A0BB000-memory.dmp

memory/740-1348-0x00007FF91A0C0000-0x00007FF91A0CC000-memory.dmp

memory/740-1347-0x00007FF91A0D0000-0x00007FF91A0DC000-memory.dmp

memory/740-1346-0x00007FF91A0E0000-0x00007FF91A0EE000-memory.dmp

memory/740-1345-0x00007FF91A730000-0x00007FF91A73D000-memory.dmp

memory/740-1362-0x00007FF923980000-0x00007FF9239A3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI42242\libtiff-5.dll

MD5 f374796886d56c6c552f3a92a81c3338
SHA1 d61f0297386e9925a6ac0c6469ba40b86d3c98cd
SHA256 e2c5b370bcade6a167dba5dc9bb33107d4ed2612e7e8af8d1035be72f35f90d7
SHA512 b59cd888b41c67bf139c2c78d7968a33c84e9127752b9fa276b7b3b461a01cd71dc72936e51a334ddad7fa8e67dd4c250a3495ce544aa156efacb77e7f1dce9f

C:\Users\Admin\AppData\Local\Temp\_MEI42242\libssl-3.dll

MD5 bf4a722ae2eae985bacc9d2117d90a6f
SHA1 3e29de32176d695d49c6b227ffd19b54abb521ef
SHA256 827fdb184fdcde9223d09274be780fe4fe8518c15c8fc217748ad5fd5ea0f147
SHA512 dd83b95967582152c7b5581121e6b69a07073e7a76fe87975742bb0fd7ecef7494ec940dba914364034cc4e3f623be98cc887677b65c208f14a2a9fc7497ca73

C:\Users\Admin\AppData\Local\Temp\_MEI42242\libpng16-16.dll

MD5 8f3bf615136b7241204419fb24c8d5ad
SHA1 d107f0b405c566974c37be20e1abbd365ccbb750
SHA256 a9c4d2443d6de90091eff8a5adfd7a3c207b0c7aefb913b855320866e93f8039
SHA512 a2ced7974c086291e69dce39f841335c771088aecbbc52b049d7af51c81342bd1e8bd0d8c78e62529e2041d15d8f5317e5a41727e299c2d827027bcbb0382aa1

memory/740-1363-0x00007FF923750000-0x00007FF923767000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI42242\libopusfile-0.dll

MD5 a729c1b14d695b00ae79472d3fe45339
SHA1 20cd334187fc7297138f014303e5c82b5f918c80
SHA256 57bb8b7dec2bd35ff1031f12c4ba3aa3cb2e8de2445e21ea29ffa3ad13e7be3a
SHA512 1da8060b1767bdf811b005e4a476c18f1c2f93186334aa40ca59937cec7aed37267c45a3b5aaeb8fa13d9b0639959d128d957e6d08fcb9787926df850e42fc22

C:\Users\Admin\AppData\Local\Temp\_MEI42242\libopus-0.dll

MD5 3c2e93c3d2b292a0f489449209f8e099
SHA1 751f18a79c6da4e7162439cef4d481189d17a242
SHA256 b6b32593c0bcecea7b31a900086870bbab039f25b29067170ac461cf2479dea5
SHA512 a0ec68d2a1c650720b4e3e437a5841e8d04d165fc920ce26a41cc20d6ddf4c761b05bbf3426e241c2ee13a9fbe146fc889aa45df70397600b2d962bdaa1bedbb

memory/740-1364-0x00007FF923270000-0x00007FF923289000-memory.dmp

memory/740-1365-0x00007FF923220000-0x00007FF92326A000-memory.dmp

memory/740-1366-0x00007FF9132F0000-0x00007FF913810000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI42242\libogg-0.dll

MD5 6ffebd7d283079e9029c7f29d8ca7fba
SHA1 b470b09c8aa2f3e42bcff8392d95b6259cb87555
SHA256 0d9a915ea29ed4da271f86dbcfa90b52064a26b5136af590b2bb430d5dd6a67e
SHA512 2b9a9b5f298eefccf0a08af52d7c2c803db19ab9f3cedad2bb19df50466527c05e31f956b6018c9a337565448249465eba8952e9e8397b728b7f76e4f0561c68

C:\Users\Admin\AppData\Local\Temp\_MEI42242\libmodplug-1.dll

MD5 072093b2671589d4ce465de2b92ebee4
SHA1 821d9827286271859640984df28e01b4a37341fb
SHA256 04d07b4dcae8d3998156d563df20881ba790c32389aca23ade91de9cf9f4a3d4
SHA512 522d5faa8d17017f1891374a23d6e653cd62b51818734bf1f7343248d09e1e314ae49821595818fe69af62c9e51debca4ae384e421ad8fa658aced95f977379e

memory/740-1367-0x00007FF923200000-0x00007FF923211000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI42242\libjpeg-9.dll

MD5 6e67e46f957f50215b7e68c9091db53f
SHA1 e969fa4858351c95c337352dd0578fe5a83403f0
SHA256 24b25fe9ebe303496973c4d11144b053a5f5a03eabf53f9d8eab0c15fdbfbffe
SHA512 86af5560269ef21490f5343ea3e0522f35e271d42e64f61a2f05471302856de79d34bf00658e1667d7145af48667627fa3897bca2fc479928ab9a62ecba81396

memory/740-1368-0x00007FF914B90000-0x00007FF914BAC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI42242\libcrypto-3.dll

MD5 78ebd9cb6709d939e4e0f2a6bbb80da9
SHA1 ea5d7307e781bc1fa0a2d098472e6ea639d87b73
SHA256 6a8c458e3d96f8dd3bf6d3cacc035e38edf7f127eee5563b51f8c8790ced0b3e
SHA512 b752769b3de4b78905b0326b5270091642ac89ff204e9e4d78670791a1fa211a54d777aeef59776c21f854c263add163adaef6a81b166190518cfaaf4e2e4122

C:\Users\Admin\AppData\Local\Temp\_MEI42242\freetype.dll

MD5 522257e451efcc3bfe980f56d3fed113
SHA1 f5e12321517f523842943ea7f3ba74d449dba1f4
SHA256 8c74376e7932eebcd084191b40774056b32525ba48e375d942754cdc4fc03c60
SHA512 d590cd813281278be4aec86af3713216dd306399b4910221a2447a3200accbca1b5f8d9495bf21f69ff8e09e5465a71c715a85ce0d87cdc26cbf27b0fae2cc4c

C:\Users\Admin\AppData\Local\Temp\_MEI42242\_lzma.pyd

MD5 542eab18252d569c8abef7c58d303547
SHA1 05eff580466553f4687ae43acba8db3757c08151
SHA256 d2a7111feeaacac8b3a71727482565c46141cc7a5a3d837d8349166bea5054c9
SHA512 b7897b82f1aa9d5aa895c3de810dab1aa335fdf7223e4ff29b32340ad350d9be6b145f95a71c7bc7c88c8df77c3f04853ae4d6f0d5a289721fc1468ecba3f958

memory/740-1369-0x00007FF914B30000-0x00007FF914B8D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI42242\_lzma.pyd

MD5 542eab18252d569c8abef7c58d303547
SHA1 05eff580466553f4687ae43acba8db3757c08151
SHA256 d2a7111feeaacac8b3a71727482565c46141cc7a5a3d837d8349166bea5054c9
SHA512 b7897b82f1aa9d5aa895c3de810dab1aa335fdf7223e4ff29b32340ad350d9be6b145f95a71c7bc7c88c8df77c3f04853ae4d6f0d5a289721fc1468ecba3f958

memory/740-1370-0x00007FF9237B0000-0x00007FF9237C9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI42242\unicodedata.pyd

MD5 8c42fcc013a1820f82667188e77be22d
SHA1 fba7e4e0f86619aaf2868cedd72149e56a5a87d4
SHA256 0e00b0e896457ecdc6ef85a8989888ccfbf05ebd8d8a1c493946a2f224b880c2
SHA512 3a028443747d04d05fdd3982bb18c52d1afee2915a90275264bf5db201bd4612090914c7568f870f0af7dfee850c554b3fec9d387334d53d03da6426601942b4

C:\Users\Admin\AppData\Local\Temp\_MEI42242\tk86t.dll

MD5 a3b28c19b23fddf32c8920a4d492be47
SHA1 2b9aedaf02d2ec7dbb36596b8ceeb10657480e43
SHA256 c611b2a311da589f93e83f0662dcb8b3bb3db8450c64084da4b067b36a52ecb2
SHA512 24d44d6ddde9d05eaabfa58aadeef85443be46c535d3f290b50f2208fd79f27215f65b099389a04381b6b44a812b17687886185b49eb94f7fd193114cf3c9436

C:\Users\Admin\AppData\Local\Temp\_MEI42242\tcl86t.dll

MD5 ad6e74d50f92edcdb4420750d190610c
SHA1 af6b5fae4d3d5a064df0e727bfd63e8ff82828bc
SHA256 6074ed09ce5ff856dd8f3b27a3207cf31d8f48fa1247853773609357b511068d
SHA512 18630348aa556a672bb1675f2cae3182929c3c4a6c3c5745dfda9865b17d19f895d5f1da98ec6b03ffe921abd34b16a90a56bfede64c351f307491a7f3df6e3e

C:\Users\Admin\AppData\Local\Temp\_MEI42242\sqlite3.dll

MD5 dbc64142944210671cca9d449dab62e6
SHA1 a2a2098b04b1205ba221244be43b88d90688334c
SHA256 6e6b6f7df961c119692f6c1810fbfb7d40219ea4e5b2a98c413424cf02dce16c
SHA512 3bff546482b87190bb2a499204ab691532aa6f4b4463ab5c462574fc3583f9fc023c1147d84d76663e47292c2ffc1ed1cb11bdb03190e13b6aa432a1cef85c4b

C:\Users\Admin\AppData\Local\Temp\_MEI42242\select.pyd

MD5 45d5a749e3cd3c2de26a855b582373f6
SHA1 90bb8ac4495f239c07ec2090b935628a320b31fc
SHA256 2d15c2f311528440aa29934920fb0b015eaf8cbe3b3c9ad08a282a2d6ba68876
SHA512 c7a641d475a26712652a84b8423155ca347e0ec0155bd257c200225a64752453e4763b8885d8fb043b30e92ae023a501fff04777ba5cfe54da9a68071f25fbea

C:\Users\Admin\AppData\Local\Temp\_MEI42242\SDL2_ttf.dll

MD5 9f5ece4e13e42058fa5ea65215c41c5d
SHA1 eddcecb4f10f2bb9b61c57b88fb6bd1b1d560a07
SHA256 f5f2690285fc087376ff03edb8849ab5f24c6e9d60ae3661013bea621786582b
SHA512 09cf0927b7cdb84f9ddec465ba10874af6160f947e58e9ff9ead2aa6d10e7d164dd8c5e2df6314f0dd8a84d0b104b48dbac8cc96522f749d54041b3e8ec03400

C:\Users\Admin\AppData\Local\Temp\_MEI42242\SDL2_mixer.dll

MD5 1230b474eca2c4cefb13cf0aaa2fc5d0
SHA1 e23f9cf8cb7dd47e92a02f7508922f01d4d1364b
SHA256 6879a16d963159cb0666e654ea4d5e9a92abffd96cfc6fffe6b39ae81b4ffca3
SHA512 2520fdfbd1370bb9683c29fe1722f771e3d4c7df635987371190be5445237f9e96ae506bbeb79035f6f483ac116995b56bb1e9fc35b6f6a6d49bb940dbf72ead

C:\Users\Admin\AppData\Local\Temp\_MEI42242\SDL2_image.dll

MD5 7174d7a8eec42d7700c5f4adfff39b57
SHA1 b850f0814e77a67f0414a85aae88c9534ca857e5
SHA256 155eab85fe565f6dd1ecb29d6496425539c994bc0d14b52cabd850df5927f9bf
SHA512 9a79cc9661cdab7efeb096f1eb121807ba937b444546d46a321613f6d2792ebf09cc62ff067ece7cb0458b988d6081feadd33e93a52c24faac53dc1539bf32c9

C:\Users\Admin\AppData\Local\Temp\_MEI42242\SDL2.dll

MD5 9684069bb2b8892408ccb50d66abbeda
SHA1 7df5e8f28481c4e7aef128e017a53a36b86c3b7b
SHA256 123c8a0d647e5b866545f8e1cc4cfba5fdadf8c1a247692050355a609d81996b
SHA512 fbe493326da9b582c9c4fa1b16ba02e5befcf5787324116656e108527894f692c3fc21493419a419833ab37a5fa5fb5e38e2c04a8cbdbc3c8afeba08df390697

C:\Users\Admin\AppData\Local\Temp\_MEI42242\pyexpat.pyd

MD5 07c481d3ecdc06b1c5fd15c503490298
SHA1 656c79384d418de31b84c7b68b30a7e37251a475
SHA256 40672a3fc0931133fd74802ec34edc4a91fccf432d8fc1b63e693f64912f8284
SHA512 c7ed37aa552e72106d590206d77836f9e32f2285bc767e55579b17dd97d6e48a5201fb53fff4641a9a84c261343e8b00ec3899c16ccf50c707af858f4bf4e501

C:\Users\Admin\AppData\Local\Temp\_MEI42242\crypto_clipper.json

MD5 8bff94a9573315a9d1820d9bb710d97f
SHA1 e69a43d343794524b771d0a07fd4cb263e5464d5
SHA256 3f7446866f42bcbeb8426324d3ea58f386f3171abe94279ea7ec773a4adde7d7
SHA512 d5ece1ea9630488245c578cb22d6d9d902839e53b4550c6232b4fb9389ef6c5d5392426ea4a9e3c461979d6d6aa94ddf3b2755f48e9988864788b530cdfcf80f

C:\Users\Admin\AppData\Local\Temp\_MEI42242\_bz2.pyd

MD5 c413931b63def8c71374d7826fbf3ab4
SHA1 8b93087be080734db3399dc415cc5c875de857e2
SHA256 17bfa656cabf7ef75741003497a1c315b10237805ff171d44625a04c16532293
SHA512 7dc45e7e5ed35cc182de11a1b08c066918920a6879ff8e37b6bfbdd7d40bffa39ea4aca778aa8afb99c81a365c51187db046bceb938ce9ace0596f1cf746474f

memory/740-1275-0x00007FF9280B0000-0x00007FF9280BF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI42242\_bz2.pyd

MD5 c413931b63def8c71374d7826fbf3ab4
SHA1 8b93087be080734db3399dc415cc5c875de857e2
SHA256 17bfa656cabf7ef75741003497a1c315b10237805ff171d44625a04c16532293
SHA512 7dc45e7e5ed35cc182de11a1b08c066918920a6879ff8e37b6bfbdd7d40bffa39ea4aca778aa8afb99c81a365c51187db046bceb938ce9ace0596f1cf746474f

memory/740-1272-0x00007FF923980000-0x00007FF9239A3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI42242\libffi-8.dll

MD5 08b000c3d990bc018fcb91a1e175e06e
SHA1 bd0ce09bb3414d11c91316113c2becfff0862d0d
SHA256 135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece
SHA512 8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

memory/740-1372-0x00007FF914AD0000-0x00007FF914AFE000-memory.dmp

memory/740-1373-0x00007FF914A90000-0x00007FF914AB3000-memory.dmp

memory/740-1371-0x00007FF914B00000-0x00007FF914B29000-memory.dmp

memory/740-1374-0x00007FF923770000-0x00007FF9237A3000-memory.dmp

memory/740-1375-0x00007FF913170000-0x00007FF9132E7000-memory.dmp

memory/740-1376-0x00007FF9231C0000-0x00007FF9231F8000-memory.dmp

memory/740-1377-0x00007FF914A70000-0x00007FF914A88000-memory.dmp

memory/740-1379-0x00007FF914A40000-0x00007FF914A4C000-memory.dmp

memory/740-1378-0x00007FF914A50000-0x00007FF914A5B000-memory.dmp

memory/740-1380-0x00007FF914A30000-0x00007FF914A3B000-memory.dmp

memory/740-1381-0x00007FF914A10000-0x00007FF914A1B000-memory.dmp

memory/740-1382-0x00007FF914A00000-0x00007FF914A0C000-memory.dmp

memory/740-1384-0x00007FF9149D0000-0x00007FF9149DC000-memory.dmp

memory/740-1386-0x00007FF913AD0000-0x00007FF913ADB000-memory.dmp

memory/740-1385-0x00007FF9149C0000-0x00007FF9149CC000-memory.dmp

memory/740-1383-0x00007FF9149E0000-0x00007FF9149EE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hxh33ap0.ahq.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/740-1512-0x00007FF913CD0000-0x00007FF9142B9000-memory.dmp

memory/740-1513-0x00007FF923980000-0x00007FF9239A3000-memory.dmp

memory/740-1527-0x00007FF9231C0000-0x00007FF9231F8000-memory.dmp

memory/740-1552-0x00007FF923220000-0x00007FF92326A000-memory.dmp

memory/740-1549-0x00007FF923290000-0x00007FF9232B2000-memory.dmp

memory/740-1560-0x00007FF914A70000-0x00007FF914A88000-memory.dmp