Malware Analysis Report

2025-05-05 21:32

Sample ID 240529-hsdpesfb42
Target 45f2d7215b13d44264aa07e4c01374d1cdf9dcd76b43de912062fb6e2ce537e2
SHA256 45f2d7215b13d44264aa07e4c01374d1cdf9dcd76b43de912062fb6e2ce537e2
Tags

pyinstaller

Score

7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score

7/10

SHA256

45f2d7215b13d44264aa07e4c01374d1cdf9dcd76b43de912062fb6e2ce537e2

Threat Level: Shows suspicious behavior

The file 45f2d7215b13d44264aa07e4c01374d1cdf9dcd76b43de912062fb6e2ce537e2 was found to show suspicious behavior.

Malicious Activity Summary

pyinstaller

Loads dropped DLL

Executes dropped EXE

Detects Pyinstaller

Enumerates physical storage devices

Unsigned PE

Kills process with taskkill

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Enumerates system info in registry

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-29 06:59

Signatures

Detects Pyinstaller

pyinstaller
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-29 06:59

Reported

2024-05-29 07:02

Platform

win7-20231129-en

Max time kernel

121s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\45f2d7215b13d44264aa07e4c01374d1cdf9dcd76b43de912062fb6e2ce537e2.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\pppwn_mw\exploit\pppwn_.exe | N/A

Detects Pyinstaller

pyinstaller
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Kills process with taskkill

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1044 wrote to memory of 2064 | N/A | C:\Users\Admin\AppData\Local\Temp\45f2d7215b13d44264aa07e4c01374d1cdf9dcd76b43de912062fb6e2ce537e2.exe | C:\Windows\SysWOW64\cmd.exe
PID 2064 wrote to memory of 2024 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe
PID 1044 wrote to memory of 2204 | N/A | C:\Users\Admin\AppData\Local\Temp\45f2d7215b13d44264aa07e4c01374d1cdf9dcd76b43de912062fb6e2ce537e2.exe | C:\Windows\SysWOW64\cmd.exe
PID 2204 wrote to memory of 2968 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe
PID 1044 wrote to memory of 940 | N/A | C:\Users\Admin\AppData\Local\Temp\45f2d7215b13d44264aa07e4c01374d1cdf9dcd76b43de912062fb6e2ce537e2.exe | C:\Users\Admin\AppData\Roaming\pppwn_mw\exploit\pppwn_.exe
PID 940 wrote to memory of 1892 | N/A | C:\Users\Admin\AppData\Roaming\pppwn_mw\exploit\pppwn_.exe | C:\Users\Admin\AppData\Roaming\pppwn_mw\exploit\pppwn_.exe

Processes

C:\Users\Admin\AppData\Local\Temp\45f2d7215b13d44264aa07e4c01374d1cdf9dcd76b43de912062fb6e2ce537e2.exe

"C:\Users\Admin\AppData\Local\Temp\45f2d7215b13d44264aa07e4c01374d1cdf9dcd76b43de912062fb6e2ce537e2.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C taskkill /IM pppwn_.exe /f

C:\Windows\SysWOW64\taskkill.exe

taskkill /IM pppwn_.exe /f

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C taskkill /IM pppwn_.exe /f

C:\Windows\SysWOW64\taskkill.exe

taskkill /IM pppwn_.exe /f

C:\Users\Admin\AppData\Roaming\pppwn_mw\exploit\pppwn_.exe

"C:\Users\Admin\AppData\Roaming\pppwn_mw\exploit\pppwn_.exe" --interface="" --fw=1100 --stage1=C:\Users\Admin\AppData\Roaming\pppwn_mw\exploit\stage1\stage1_1100.bin --stage2=C:\Users\Admin\AppData\Roaming\pppwn_mw\exploit\stage2\stage2_1100.bin

C:\Users\Admin\AppData\Roaming\pppwn_mw\exploit\pppwn_.exe

"C:\Users\Admin\AppData\Roaming\pppwn_mw\exploit\pppwn_.exe" --interface="" --fw=1100 --stage1=C:\Users\Admin\AppData\Roaming\pppwn_mw\exploit\stage1\stage1_1100.bin --stage2=C:\Users\Admin\AppData\Roaming\pppwn_mw\exploit\stage2\stage2_1100.bin

Network

N/A

Files

\Users\Admin\AppData\Roaming\pppwn_mw\exploit\pppwn_.exe

MD5 4495b20ab591002c3dddbe78ad8039aa
SHA1 4c05606b4caadac43cd87b9edc9618e193b318c1
SHA256 1d97f2c2368e6c727d3bfeab62e256fb5ab1cfa877342b03b7c9b7858b121327
SHA512 466b911df96f83b3995e6205e45056aa612b177c9ee12f039935c61cdec6cafe1b46a49ae3216e1d0fecee214799b79edf61d58222df9c1e088854d52365b4fa

C:\Users\Admin\AppData\Local\Temp\_MEI9402\python311.dll

MD5 68193b0ed6bb05e7bf70e380852a4e58
SHA1 842c0346cfbc140988f00c91b575f9b81de94b26
SHA256 d08c8e21a93e60c13ebe30a805f0276e0c8950e4a8af76e6271f1e7264440110
SHA512 f15bbbad656b67e3ece46c9fd624e360471c96cadc636b098b85eb7b37d3d0b06ec774dc843262bcdb3524f4d6bd2659965219dc35c156cd7f60e2f48388b441

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-29 06:59

Reported

2024-05-29 07:02

Platform

win10v2004-20240426-en

Max time kernel

113s

Max time network

113s

Command Line

"C:\Users\Admin\AppData\Local\Temp\45f2d7215b13d44264aa07e4c01374d1cdf9dcd76b43de912062fb6e2ce537e2.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\pppwn_mw\exploit\pppwn_.exe | N/A

Detects Pyinstaller

pyinstaller
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Enumerates physical storage devices

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A

Kills process with taskkill

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3840 wrote to memory of 4380 | N/A | C:\Users\Admin\AppData\Local\Temp\45f2d7215b13d44264aa07e4c01374d1cdf9dcd76b43de912062fb6e2ce537e2.exe | C:\Windows\SysWOW64\cmd.exe
PID 4380 wrote to memory of 4976 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe
PID 3840 wrote to memory of 2552 | N/A | C:\Users\Admin\AppData\Local\Temp\45f2d7215b13d44264aa07e4c01374d1cdf9dcd76b43de912062fb6e2ce537e2.exe | C:\Windows\SysWOW64\cmd.exe
PID 2552 wrote to memory of 1056 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe
PID 3840 wrote to memory of 2416 | N/A | C:\Users\Admin\AppData\Local\Temp\45f2d7215b13d44264aa07e4c01374d1cdf9dcd76b43de912062fb6e2ce537e2.exe | C:\Users\Admin\AppData\Roaming\pppwn_mw\exploit\pppwn_.exe
PID 2416 wrote to memory of 2848 | N/A | C:\Users\Admin\AppData\Roaming\pppwn_mw\exploit\pppwn_.exe | C:\Users\Admin\AppData\Roaming\pppwn_mw\exploit\pppwn_.exe
PID 2848 wrote to memory of 4984 | N/A | C:\Users\Admin\AppData\Roaming\pppwn_mw\exploit\pppwn_.exe | C:\Windows\SysWOW64\cmd.exe
PID 3840 wrote to memory of 3696 | N/A | C:\Users\Admin\AppData\Local\Temp\45f2d7215b13d44264aa07e4c01374d1cdf9dcd76b43de912062fb6e2ce537e2.exe | C:\Windows\SysWOW64\cmd.exe
PID 3696 wrote to memory of 4356 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe
PID 3840 wrote to memory of 3340 | N/A | C:\Users\Admin\AppData\Local\Temp\45f2d7215b13d44264aa07e4c01374d1cdf9dcd76b43de912062fb6e2ce537e2.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3340 wrote to memory of 2872 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3340 wrote to memory of 4264 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Users\Admin\AppData\Local\Temp\45f2d7215b13d44264aa07e4c01374d1cdf9dcd76b43de912062fb6e2ce537e2.exe

"C:\Users\Admin\AppData\Local\Temp\45f2d7215b13d44264aa07e4c01374d1cdf9dcd76b43de912062fb6e2ce537e2.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C taskkill /IM pppwn_.exe /f

C:\Windows\SysWOW64\taskkill.exe

taskkill /IM pppwn_.exe /f

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C taskkill /IM pppwn_.exe /f

C:\Windows\SysWOW64\taskkill.exe

taskkill /IM pppwn_.exe /f

C:\Users\Admin\AppData\Roaming\pppwn_mw\exploit\pppwn_.exe

"C:\Users\Admin\AppData\Roaming\pppwn_mw\exploit\pppwn_.exe" --interface="Ethernet" --fw=1100 --stage1=C:\Users\Admin\AppData\Roaming\pppwn_mw\exploit\stage1\stage1_1100.bin --stage2=C:\Users\Admin\AppData\Roaming\pppwn_mw\exploit\stage2\stage2_1100.bin

C:\Users\Admin\AppData\Roaming\pppwn_mw\exploit\pppwn_.exe

"C:\Users\Admin\AppData\Roaming\pppwn_mw\exploit\pppwn_.exe" --interface="Ethernet" --fw=1100 --stage1=C:\Users\Admin\AppData\Roaming\pppwn_mw\exploit\stage1\stage1_1100.bin --stage2=C:\Users\Admin\AppData\Roaming\pppwn_mw\exploit\stage2\stage2_1100.bin

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "ver"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C taskkill /IM pppwn_.exe /f

C:\Windows\SysWOW64\taskkill.exe

taskkill /IM pppwn_.exe /f

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://npcap.com/#download

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdd12746f8,0x7ffdd1274708,0x7ffdd1274718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,21425579594346219,6276226970689413218,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,21425579594346219,6276226970689413218,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2072,21425579594346219,6276226970689413218,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2960 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,21425579594346219,6276226970689413218,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,21425579594346219,6276226970689413218,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,21425579594346219,6276226970689413218,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5168 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,21425579594346219,6276226970689413218,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5168 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,21425579594346219,6276226970689413218,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,21425579594346219,6276226970689413218,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5412 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,21425579594346219,6276226970689413218,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5848 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,21425579594346219,6276226970689413218,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5868 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,21425579594346219,6276226970689413218,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6088 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,21425579594346219,6276226970689413218,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5600 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,21425579594346219,6276226970689413218,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4164 /prefetch:1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 npcap.com udp
US 45.33.49.119:443 npcap.com tcp
US 45.33.49.119:443 npcap.com tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 18.24.18.2.in-addr.arpa udp
US 45.33.49.119:443 npcap.com tcp
US 45.33.49.119:443 npcap.com tcp
US 45.33.49.119:443 npcap.com tcp
US 45.33.49.119:443 npcap.com tcp
US 45.33.49.119:443 npcap.com tcp
US 45.33.49.119:443 npcap.com tcp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp

Files

memory/3840-0-0x00000000747EE000-0x00000000747EF000-memory.dmp

memory/3840-1-0x0000000000890000-0x0000000002A3A000-memory.dmp

memory/3840-2-0x00000000035E0000-0x00000000035E1000-memory.dmp

memory/3840-3-0x0000000007AF0000-0x0000000008094000-memory.dmp

memory/3840-4-0x0000000007540000-0x0000000007A34000-memory.dmp

memory/3840-5-0x0000000007A30000-0x0000000007AC2000-memory.dmp

memory/3840-6-0x0000000007520000-0x000000000752A000-memory.dmp

memory/3840-7-0x00000000747E0000-0x0000000074F90000-memory.dmp

memory/3840-8-0x00000000747E0000-0x0000000074F90000-memory.dmp

memory/3840-50-0x00000000747EE000-0x00000000747EF000-memory.dmp

memory/3840-51-0x00000000747E0000-0x0000000074F90000-memory.dmp

memory/3840-52-0x00000000747E0000-0x0000000074F90000-memory.dmp

C:\Users\Admin\AppData\Roaming\pppwn_mw\exploit\pppwn_.exe

C:\Users\Admin\AppData\Local\Temp\_MEI24162\python311.dll

C:\Users\Admin\AppData\Local\Temp\_MEI24162\VCRUNTIME140.dll

C:\Users\Admin\AppData\Local\Temp\_MEI24162\base_library.zip

C:\Users\Admin\AppData\Local\Temp\_MEI24162\libffi-8.dll

C:\Users\Admin\AppData\Local\Temp\_MEI24162\_ctypes.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI24162\_bz2.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI24162\libssl-1_1.dll

C:\Users\Admin\AppData\Local\Temp\_MEI24162\_uuid.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI24162\_ssl.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI24162\_socket.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI24162\_queue.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI24162\_multiprocessing.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI24162\_hashlib.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI24162\_decimal.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI24162\unicodedata.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI24162\select.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI24162\pyexpat.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI24162\libcrypto-1_1.dll

C:\Users\Admin\AppData\Local\Temp\_MEI24162\_lzma.pyd

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

\??\pipe\LOCAL\crashpad_3340_JFOJOUVOQEUYFBWP

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
