Malware Analysis Report

2024-11-15 07:46

Sample ID 240619-p74ygs1bkd
Target koboldcpp_nocuda.exe
SHA256 31d4e85544a71ea3faa456b21c3bb984446d917e24a2240e36bae38c8a2947e3
Tags
pyinstaller
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

31d4e85544a71ea3faa456b21c3bb984446d917e24a2240e36bae38c8a2947e3

Threat Level: Shows suspicious behavior

The file koboldcpp_nocuda.exe was found to be: Shows suspicious behavior.

Malicious Activity Summary

pyinstaller

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Drops file in Windows directory

Detects Pyinstaller

Unsigned PE

Enumerates physical storage devices

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-19 12:59

Signatures

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-19 12:59

Reported

2024-06-19 13:00

Platform

win10-20240404-en

Max time kernel

37s

Max time network

37s

Command Line

"C:\Users\Admin\AppData\Local\Temp\koboldcpp_nocuda.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\koboldcpp_nocuda.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\_MEI6122\winclinfo.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\koboldcpp_nocuda.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\koboldcpp_nocuda.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\koboldcpp_nocuda.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\koboldcpp_nocuda.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\koboldcpp_nocuda.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\koboldcpp_nocuda.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\koboldcpp_nocuda.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\koboldcpp_nocuda.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\koboldcpp_nocuda.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\koboldcpp_nocuda.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\koboldcpp_nocuda.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\koboldcpp_nocuda.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\koboldcpp_nocuda.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\koboldcpp_nocuda.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\koboldcpp_nocuda.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\koboldcpp_nocuda.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\koboldcpp_nocuda.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\koboldcpp_nocuda.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\koboldcpp_nocuda.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\koboldcpp_nocuda.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\koboldcpp_nocuda.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_MEI6122\winclinfo.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_MEI6122\winclinfo.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rescache\_merged\3720402701\1568373884.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
File opened for modification C:\Windows\Debug\ESE.TXT C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
File created C:\Windows\rescache\_merged\3720402701\1568373884.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
File created C:\Windows\rescache\_merged\3720402701\1568373884.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
File opened for modification C:\Windows\Debug\ESE.TXT C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
File created C:\Windows\rescache\_merged\3720402701\1568373884.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
File created C:\Windows\rescache\_merged\3720402701\1568373884.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\system32\browser_broker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\system32\browser_broker.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16" C:\Users\Admin\AppData\Local\Temp\koboldcpp_nocuda.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-Revision = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\CIPolicyState = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\SubSysId = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionHigh = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 C:\Users\Admin\AppData\Local\Temp\koboldcpp_nocuda.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\ACGStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" C:\Users\Admin\AppData\Local\Temp\koboldcpp_nocuda.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents" C:\Users\Admin\AppData\Local\Temp\koboldcpp_nocuda.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingDelete\C:\Users\Admin\AppData\Local\Packa = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DeviceId = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\PrivacyAdvanced = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-Revision = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{A8A88C49-5EB2-4990-A1A2-087602 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DXFeatureLevel = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\CIStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 C:\Users\Admin\AppData\Local\Temp\koboldcpp_nocuda.exe N/A
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\CIPolicyState = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 60b75dad48c2da01 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\EnablementState = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionHigh = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\SubSysId = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\SignaturePolicy = 06000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\DynamicCodePolicy = 00000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DXFeatureLevel = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 3dba1fad48c2da01 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Content C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OpenSearch\OpenSearchDescriptionData = baffc49ee383374a8abf67e99635ea1e0100000053b06a1abe27334898108231552c52911f0000001e0000006700690074006800750062002e0063006f006d0000001f00fa7f4c000000680074007400700073003a002f002f006700690074006800750062002e0063006f006d002f006f00700065006e007300650061007200630068002e0078006d006c0000001f0090f81600000047006900740048007500620000001f0070000a000000000000000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IETld\LowMic C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\SyncIEFirstTimeFullScan = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{A8A88C49-5EB2-4990-A1A2-087602 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VendorId = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListDOSTime = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff C:\Users\Admin\AppData\Local\Temp\koboldcpp_nocuda.exe N/A
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Revision = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\ACGStatus\ACGPolicyState = "8" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance C:\Users\Admin\AppData\Local\Temp\koboldcpp_nocuda.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 612 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\koboldcpp_nocuda.exe C:\Users\Admin\AppData\Local\Temp\koboldcpp_nocuda.exe
PID 612 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\koboldcpp_nocuda.exe C:\Users\Admin\AppData\Local\Temp\koboldcpp_nocuda.exe
PID 5036 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\koboldcpp_nocuda.exe C:\Windows\system32\cmd.exe
PID 5036 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\koboldcpp_nocuda.exe C:\Windows\system32\cmd.exe
PID 5036 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\koboldcpp_nocuda.exe C:\Users\Admin\AppData\Local\Temp\_MEI6122\winclinfo.exe
PID 5036 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\koboldcpp_nocuda.exe C:\Users\Admin\AppData\Local\Temp\_MEI6122\winclinfo.exe
PID 4688 wrote to memory of 4760 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4688 wrote to memory of 4760 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4688 wrote to memory of 4760 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4688 wrote to memory of 4760 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4688 wrote to memory of 4760 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4688 wrote to memory of 4760 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

Processes

C:\Users\Admin\AppData\Local\Temp\koboldcpp_nocuda.exe

"C:\Users\Admin\AppData\Local\Temp\koboldcpp_nocuda.exe"

C:\Users\Admin\AppData\Local\Temp\koboldcpp_nocuda.exe

"C:\Users\Admin\AppData\Local\Temp\koboldcpp_nocuda.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "ver"

C:\Users\Admin\AppData\Local\Temp\_MEI6122\winclinfo.exe

C:\Users\Admin\AppData\Local\Temp\_MEI6122\winclinfo.exe --json

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca

C:\Windows\system32\browser_broker.exe

C:\Windows\system32\browser_broker.exe -Embedding

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca

C:\Windows\system32\browser_broker.exe

C:\Windows\system32\browser_broker.exe -Embedding

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 233.38.18.104.in-addr.arpa udp
US 8.8.8.8:53 github.githubassets.com udp
US 8.8.8.8:53 avatars.githubusercontent.com udp
US 8.8.8.8:53 user-images.githubusercontent.com udp
US 8.8.8.8:53 github-cloud.s3.amazonaws.com udp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 8.8.8.8:53 private-user-images.githubusercontent.com udp
US 185.199.111.133:443 private-user-images.githubusercontent.com tcp
US 185.199.111.133:443 private-user-images.githubusercontent.com tcp
US 8.8.8.8:53 154.109.199.185.in-addr.arpa udp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
GB 20.26.156.215:443 github.com tcp
GB 20.26.156.215:443 github.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI6122\pyinstaller-5.11.0.dist-info\INSTALLER

MD5 365c9bfeb7d89244f2ce01c1de44cb85
SHA1 d7a03141d5d6b1e88b6b59ef08b6681df212c599
SHA256 ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508
SHA512 d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

C:\Users\Admin\AppData\Local\Temp\_MEI6122\ucrtbase.dll

MD5 637c17ad8bccc838b0cf83ffb8e2c7fd
SHA1 b2dd2890668e589badb2ba61a27c1da503d73c39
SHA256 be7368df484688493fb49fb0c4ad641485070190db62a2c071c9c50612e43fed
SHA512 f6b727c319ca2e85a9b5c5e0b9d8b9023f0cf4193fab983cfa26060923374c6abd6d11db1da2e524a8b04622a4e13beb4c48dc23f98886d4abb33eb09f3a0776

C:\Users\Admin\AppData\Local\Temp\_MEI6122\python38.dll

MD5 26ba25d468a778d37f1a24f4514d9814
SHA1 b64fe169690557656ede3ae50d3c5a197fea6013
SHA256 2f3e368f5bcc1dda5e951682008a509751e6395f7328fd0f02c4e1a11f67c128
SHA512 80471bfeeab279ce4adfb9ee1962597fb8e1886b861e31bdff1e3aa0df06d93afeb3a3398e9519bab7152d4bd7d88fa9b328a2d7eb50a91eb60fead268912080

\Users\Admin\AppData\Local\Temp\_MEI6122\VCRUNTIME140.dll

MD5 4a365ffdbde27954e768358f4a4ce82e
SHA1 a1b31102eee1d2a4ed1290da2038b7b9f6a104a3
SHA256 6a0850419432735a98e56857d5cfce97e9d58a947a9863ca6afadd1c7bcab27c
SHA512 54e4b6287c4d5a165509047262873085f50953af63ca0dcb7649c22aba5b439ab117a7e0d6e7f0a3e51a23e28a255ffd1ca1ddce4b2ea7f87bca1c9b0dbe2722

C:\Users\Admin\AppData\Local\Temp\_MEI6122\base_library.zip

MD5 eb64bb7e17b788962914a11c997b7118
SHA1 f98d41a009144316b0f2b074abb0676674824041
SHA256 6f0f43477d1fda625f853edece7bfad275906924eecd48a8549ac79b6f4785fa
SHA512 d97fd5caf6bd6fa95015119c4a869005cad7ee6dfafb5ba654d100747ed518715dee6112f8558c412c958d3cb548ec25b1a8f251a2c907098d48ecbabc4ab543

C:\Users\Admin\AppData\Local\Temp\_MEI6122\_ctypes.pyd

MD5 291a0a9b63bae00a4222a6df71a22023
SHA1 7a6a2aad634ec30e8edb2d2d8d0895c708d84551
SHA256 820e840759eed12e19f3c485fd819b065b49d9dc704ae3599a63077416d63324
SHA512 d43ef6fc2595936b17b0a689a00be04968f11d7c28945af4c3a74589bd05f415bf4cb3b4e22ac496490daff533755999a69d5962ccffd12e09c16130ed57fd09

C:\Users\Admin\AppData\Local\Temp\_MEI6122\python3.DLL

MD5 c9f0b55fce50c904dff9276014cef6d8
SHA1 9f9ae27df619b695827a5af29414b592fc584e43
SHA256 074b06ae1d0a0b5c26f0ce097c91e2f24a5d38b279849115495fc40c6c10117e
SHA512 8dd188003d8419a25de7fbb37b29a4bc57a6fd93f2d79b5327ad2897d4ae626d7427f4e6ac84463c158bcb18b6c1e02e83ed49f347389252477bbeeb864ac799

C:\Users\Admin\AppData\Local\Temp\_MEI6122\_bz2.pyd

MD5 a49c5f406456b79254eb65d015b81088
SHA1 cfc2a2a89c63df52947af3610e4d9b8999399c91
SHA256 ce4ef8ed1e72c1d3a6082d500a17a009eb6e8ed15022bf3b68a22291858feced
SHA512 bbafeff8c101c7425dc9b8789117fe4c5e516d217181d3574d9d81b8fec4b0bd34f1e1fe6e406ae95584dc671f788cd7b05c8d700baf59fbf21de9c902edf7ae

\Users\Admin\AppData\Local\Temp\_MEI6122\libffi-7.dll

MD5 eef7981412be8ea459064d3090f4b3aa
SHA1 c60da4830ce27afc234b3c3014c583f7f0a5a925
SHA256 f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081
SHA512 dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

\Users\Admin\AppData\Local\Temp\_MEI6122\_lzma.pyd

MD5 cf9fd17b1706f3044a8f74f6d398d5f1
SHA1 c5cd0debbde042445b9722a676ff36a0ac3959ad
SHA256 9209ccc60115727b192bf7771551040ca6fdd50f9bf8c3d2eacbfd424e8245e4
SHA512 5fe922c00c6f7fd3cd9bc56fc51de1f44adffbdb0afc0583f1bb08008be628b9ac16f8560b0c3ba16138e1cdcaf1c525ef24241bed804804cdeb5961aed6385a

C:\Users\Admin\AppData\Local\Temp\_MEI6122\_socket.pyd

MD5 4827652de133c83fa1cae839b361856c
SHA1 182f9a04bdc42766cfd5fb352f2cb22e5c26665e
SHA256 87832a3b89e2ada8f704a8f066013660d591d9ce01ce901cc57a3b973f0858ba
SHA512 8d66d68613fdba0820257550de3c39b308b1dce659dca953d10a95ff2cf89c31afe512d30ed44422b31117058dc9fa15279e5ac84694da89b47f99b0ad7e338a

\Users\Admin\AppData\Local\Temp\_MEI6122\select.pyd

MD5 e21cff76db11c1066fd96af86332b640
SHA1 e78ef7075c479b1d218132d89bf4bec13d54c06a
SHA256 fcc2e09a2355a5546922874fb4cac92ee00a33c0ed6adbc440d128d1e9f4ec28
SHA512 e86dba2326ca5ea3f5ef3af2abd3c23d5b29b6211acc865b6be5a51d5c8850b7cda8c069e6f631ac62f2047224c4b675bbe6ac97c7ba781de5b8016ebaffd46f

C:\Users\Admin\AppData\Local\Temp\_MEI6122\libcrypto-1_1.dll

MD5 89511df61678befa2f62f5025c8c8448
SHA1 df3961f833b4964f70fcf1c002d9fd7309f53ef8
SHA256 296426e7ce11bc3d1cfa9f2aeb42f60c974da4af3b3efbeb0ba40e92e5299fdf
SHA512 9af069ea13551a4672fdd4635d3242e017837b76ab2815788148dd4c44b4cf3a650d43ac79cd2122e1e51e01fb5164e71ff81a829395bdb8e50bb50a33f0a668

\Users\Admin\AppData\Local\Temp\_MEI6122\libssl-1_1.dll

MD5 50bcfb04328fec1a22c31c0e39286470
SHA1 3a1b78faf34125c7b8d684419fa715c367db3daa
SHA256 fddd0da02dcd41786e9aa04ba17ba391ce39dae6b1f54cfa1e2bb55bc753fce9
SHA512 370e6dfd318d905b79baf1808efbf6da58590f00006513bdaaed0c313f6fa6c36f634ea3b05f916cee59f4db25a23dd9e6f64caf3c04a200e78c193027f57685

\Users\Admin\AppData\Local\Temp\_MEI6122\_ssl.pyd

MD5 d4dfd8c2894670e9f8d6302c09997300
SHA1 c3a6cc8d8079a06a4cac8950e0baba2b43fb1f8e
SHA256 0a721fc230eca278a69a2006e13dfa00e698274281378d4df35227e1f68ea3e0
SHA512 1422bf45d233e2e3f77dce30ba0123625f2a511f73dfdf42ee093b1755963d9abc371935111c28f0d2c02308c5e82867de2546d871c35e657da32a7182026048

\Users\Admin\AppData\Local\Temp\_MEI6122\pyexpat.pyd

MD5 2ae23047648257afa90d0ca96811979f
SHA1 0833cf7ccae477faa4656c74d593d0f59844cadd
SHA256 5caf51f12406bdb980db1361fab79c51be8cac0a2a0071a083adf4d84f423e95
SHA512 13052eb183bb7eb8bb2740ff39f63805b69e920f2e21b482657a9995aa002579a88296b81ec415942511d2ed146689d1868b446f7e698e72da22f5c182706030

C:\Users\Admin\AppData\Local\Temp\_MEI6122\_asyncio.pyd

MD5 0400b1958d0f7aa0d2ad409ea12ffec7
SHA1 ce1a5c61192ffe489a53f029ac0a95d4abb3d2b9
SHA256 6e25aa5931f175b971dfd05aab7a24cef29edd8f4b524341c414d0577c07a200
SHA512 8790f3f9c69823d55350ea63a1b8ebb3dad64942b6e6752109d2932b3bb848a5101e2a9a4645e93a476a8c4e5c8b27e15eb39b33fcc772a876b0e8ab9fd5eefa

\Users\Admin\AppData\Local\Temp\_MEI6122\_overlapped.pyd

MD5 7d5bb2a3e4fbceaddfeef929a21e610c
SHA1 942b69e716ee522ef01bde792434c638e3d5497a
SHA256 5f92c163b9fe6abb0f8b106a972f6a86f84271b2e32c67f95737387c85719837
SHA512 8c44f1683fdea0d8121ff2fe36f2582313980ef20ee1985af7ff36acb022acbb7617e85d2dd3b8e75715444dc0cfc4487c81b43d0222bd832aac867875afbe30

C:\Users\Admin\AppData\Local\Temp\_MEI6122\koboldcpp_vulkan_noavx2.dll

MD5 08f6efb6ed9948ff8c4a4ac6d28d85fe
SHA1 dbfc9d6afa674bc7d8a8023b1a7dc9051459f183
SHA256 30b02283283e6e2db44faa999642870f72bcc98be5b3db8be030d51721fd12cc
SHA512 cfb8afb37e8db24c4cad2c097104f1f408d70c133a036f381ca8394bc0d7b4fd051292b170c1259fc3d3f5e651f742209bb8334e4f5eca3e821c66c420913d27

C:\Users\Admin\AppData\Local\Temp\_MEI6122\koboldcpp_vulkan.dll

MD5 0f44f3ac9278d28dc12489286f275d8b
SHA1 19b89da1c2a55ce4892f286cc7d50f2a3780f5c6
SHA256 a223f256451ae52734b978d4e803f7a2a54b10aa26def88ed37cd004c1190707
SHA512 fb9a83455964146f28cc557945c2b0588e5a1d5d85d40c5935366f0a5186225b233c6ec7557aa408b2fe4c501e0c6e15032e27a0d043a0a07638d8b3c35df9ed

C:\Users\Admin\AppData\Local\Temp\_MEI6122\koboldcpp_clblast_noavx2.dll

MD5 6cfb5150dbf002a9102f261312b2c791
SHA1 9c429c15a7a4de05aec1d4f3b3a69510de05683b
SHA256 b520128d28204c0d81f5494a7380da6c64aecc8d0374165935b911cf6b9e5e1f
SHA512 8b71a87a81fdbe51943ac84d639955bf263d28e9b926b1b17d08ec112f6e000ff73aa5b8089e47dc3aa5f945eae01fd0d011b0bf1790cba19df7b3f3d55a05b0

C:\Users\Admin\AppData\Local\Temp\_MEI6122\koboldcpp_clblast.dll

MD5 f98356d4d76b94a40e6ea785bad1f396
SHA1 56da30a4d379207d32ac697e84a5b13bbd994602
SHA256 3412c98440ee8ad98511fe9373af829ef8e8e21a2b7b503a02a4a6dd3f207ccd
SHA512 cef67f50af9e45b57d2708da10e1dd70d86848843fdc5038e3ed93913a5649554fefa106da8d36e984d800c7db9aeefbc2d1c426bb441fe5f85251ad4143cf39

C:\Users\Admin\AppData\Local\Temp\_MEI6122\koboldcpp_noavx2.dll

MD5 6d2efe111913c9a3ec29e59b24df545f
SHA1 3057ef042e257876ecb9092c3704adece6cfbfaa
SHA256 28da46fa0744e4be016eb05907dceaa46700103a59db344c498eacd02351806b
SHA512 569158cfc4988152a54436f3fbc1dc14276d07609951d558574e91bfc71ed150a77deaa982280290238676d2441fce651989c70026dd830e02246627a7fa6058

C:\Users\Admin\AppData\Local\Temp\_MEI6122\koboldcpp_openblas.dll

MD5 ec9568a84c2de221b00ecca42c07bc12
SHA1 f439e438f96364c42e0160379eecc024f35f0660
SHA256 e58ddb2847471cca6192271d3f1d8b6b3ffdb76cb1b11eaac8441f8e71578cb4
SHA512 54ade9e13060121929faee19692f38ca03ff8f3b0126eed424ecc335ffa0939629ea6c782496e5b054b0d661ba11af4168d5d8959cd152f81462a1c7f14bbefb

C:\Users\Admin\AppData\Local\Temp\_MEI6122\koboldcpp_failsafe.dll

MD5 35a965ebb3e64aad5ce9d2dcf89a64a5
SHA1 5f9b32e93ec4ff17ee9cbcd87bbd7d182447ab69
SHA256 ca4db370acfc3360d07ffcb741fe7035ac33513f2355c1d98441b8edaa165a6e
SHA512 c4373376c95bc4a056f63e111e79953a505cd9a595c987695526f718341206fe56bb683e00ce27702a9a49c03686e1c550bdab2161c654ad5f6de237f74d07bb

C:\Users\Admin\AppData\Local\Temp\_MEI6122\koboldcpp_default.dll

MD5 809a5f5707b80097f2b469305ad8ebbd
SHA1 22ff961468417a5f3fc39f9d6d07478c858ec5c1
SHA256 0b32cf09ceb3e90a63219b96eab3ecc613488483b7d5daf6e3fa484b48535a23
SHA512 3826f36b0dddd8ceea68c0fa75c4344933745563b6c895970ddf144b282647dae07baa204e25e0189ac255aee600c8976dd612af7fd880f508cacbe994967a99

\Users\Admin\AppData\Local\Temp\_MEI6122\_queue.pyd

MD5 dd146e2fa08302496b15118bf47703cf
SHA1 d06813e2fcb30cbb00bb3893f30c2661686cf4b7
SHA256 67e4e888559ea2c62ff267b58d7a7e95c2ec361703b5aa232aa8b2a1f96a2051
SHA512 5b93a782c9562370fc5b3f289ca422b4d1a1c532e81bd6c95a0063f2e3889ecf828003e42b674439fc7cd0fa72f64ad607bab6910abe9d959a4fb9fb08df263c

C:\Users\Admin\AppData\Local\Temp\_MEI6122\tcl\encoding\cp1252.enc

MD5 5900f51fd8b5ff75e65594eb7dd50533
SHA1 2e21300e0bc8a847d0423671b08d3c65761ee172
SHA256 14df3ae30e81e7620be6bbb7a9e42083af1ae04d94cf1203565f8a3c0542ace0
SHA512 ea0455ff4cd5c0d4afb5e79b671565c2aede2857d534e1371f0c10c299c74cb4ad113d56025f58b8ae9e88e2862f0864a4836fed236f5730360b2223fde479dc

C:\Users\Admin\AppData\Local\Temp\_MEI6122\tcl\init.tcl

MD5 b900811a252be90c693e5e7ae365869d
SHA1 345752c46f7e8e67dadef7f6fd514bed4b708fc5
SHA256 bc492b19308bc011cfcd321f1e6e65e6239d4eeb620cc02f7e9bf89002511d4a
SHA512 36b8cdba61b9222f65b055c0c513801f3278a3851912215658bcf0ce10f80197c1f12a5ca3054d8604da005ce08da8dcd303b8544706b642140a49c4377dd6ce

C:\Users\Admin\AppData\Local\Temp\_MEI6122\customtkinter\assets\themes\blue.json

MD5 05eb3947ce9a8c3bef66c14d0f938671
SHA1 06ffc811ee51609809d88894022e222b339aefee
SHA256 c9417470c16ced7a43d6c4a8e027afa6edc62c24d5aee7c4c2dcd11385964d3b
SHA512 4db7c14fba78185edf6459016608cb8fa0a250dfb48432c552bb4e0466cf49622b34d847e17c254bb1c8d15bf365e91bce3ede552ba8733fde9d21779f7f1c13

\Users\Admin\AppData\Local\Temp\_MEI6122\tk86t.dll

MD5 fdc8a5d96f9576bd70aa1cadc2f21748
SHA1 bae145525a18ce7e5bc69c5f43c6044de7b6e004
SHA256 1a6d0871be2fa7153de22be008a20a5257b721657e6d4b24da8b1f940345d0d5
SHA512 816ada61c1fd941d10e6bb4350baa77f520e2476058249b269802be826bab294a9c18edc5d590f5ed6f8dafed502ab7ffb29db2f44292cb5bedf2f5fa609f49c

\Users\Admin\AppData\Local\Temp\_MEI6122\tcl86t.dll

MD5 c0b23815701dbae2a359cb8adb9ae730
SHA1 5be6736b645ed12e97b9462b77e5a43482673d90
SHA256 f650d6bc321bcda3fc3ac3dec3ac4e473fb0b7b68b6c948581bcfc54653e6768
SHA512 ed60384e95be8ea5930994db8527168f78573f8a277f8d21c089f0018cd3b9906da764ed6fcc1bd4efad009557645e206fbb4e5baef9ab4b2e3c8bb5c3b5d725

\Users\Admin\AppData\Local\Temp\_MEI6122\_tkinter.pyd

MD5 cc74d36aeedc687d5ee733041042e2e5
SHA1 c304c579d15204eb25198e09a558ec747dea4832
SHA256 d55ef406b4612695499186355a6130885ad522e48556327c0fb409e0345d552d
SHA512 4e7e5330610e9588ad920f120e13260fa1ff94c73f5f286a42dd8475ce8387a8112ed38a5b0de5dcc855a0bcad6324a9b9344d8c576954f4c50a627ec6c34c86

C:\Users\Admin\AppData\Local\Temp\_MEI6122\tk\button.tcl

MD5 309ab5b70f664648774453bccbe5d3ce
SHA1 51bf685dedd21de3786fe97bc674ab85f34bd061
SHA256 0d95949cfacf0df135a851f7330acc9480b965dac7361151ac67a6c667c6276d
SHA512 d5139752bd7175747a5c912761916efb63b3c193dd133ad25d020a28883a1dea6b04310b751f5fcbe579f392a8f5f18ae556116283b3e137b4ea11a2c536ec6b

C:\Users\Admin\AppData\Local\Temp\_MEI6122\tk\icons.tcl

MD5 2652aad862e8fe06a4eedfb521e42b75
SHA1 ed22459ad3d192ab05a01a25af07247b89dc6440
SHA256 a78388d68600331d06bb14a4289bc1a46295f48cec31ceff5ae783846ea4d161
SHA512 6ecfbb8d136444a5c0dbbce2d8a4206f1558bdd95f111d3587b095904769ac10782a9ea125d85033ad6532edf3190e86e255ac0c0c81dc314e02d95cca86b596

C:\Users\Admin\AppData\Local\Temp\_MEI6122\tcl\opt0.4\pkgIndex.tcl

MD5 92ff1e42cfc5fecce95068fc38d995b3
SHA1 b2e71842f14d5422a9093115d52f19bcca1bf881
SHA256 eb9925a8f0fcc7c2a1113968ab0537180e10c9187b139c8371adf821c7b56718
SHA512 608d436395d055c5449a53208f3869b8793df267b8476ad31bcdd9659a222797814832720c495d938e34bf7d253ffc3f01a73cc0399c0dfb9c85d2789c7f11c0

C:\Users\Admin\AppData\Local\Temp\_MEI6122\tcl\http1.0\pkgIndex.tcl

MD5 10ec7cd64ca949099c818646b6fae31c
SHA1 6001a58a0701dff225e2510a4aaee6489a537657
SHA256 420c4b3088c9dacd21bc348011cac61d7cb283b9bee78ae72eed764ab094651c
SHA512 34a0acb689e430ed2903d8a903d531a3d734cb37733ef13c5d243cb9f59c020a3856aad98726e10ad7f4d67619a3af1018f6c3e53a6e073e39bd31d088efd4af

C:\Users\Admin\AppData\Local\Temp\_MEI6122\tk\pkgIndex.tcl

MD5 a6448af2c8fafc9a4f42eaca6bf6ab2e
SHA1 0b295b46b6df906e89f40a907022068bc6219302
SHA256 cd44ee7f76c37c0c522bd0cfca41c38cdeddc74392b2191a3af1a63d9d18888e
SHA512 5b1a8ca5b09b7281de55460d21d5195c4ee086bebdc35fa561001181490669ffc67d261f99eaa900467fe97e980eb733c5ffbf9d8c541ede18992bf4a435c749

C:\Users\Admin\AppData\Local\Temp\_MEI6122\tcl\package.tcl

MD5 55e2db5dcf8d49f8cd5b7d64fea640c7
SHA1 8fdc28822b0cc08fa3569a14a8c96edca03bfbbd
SHA256 47b6af117199b1511f6103ec966a58e2fd41f0aba775c44692b2069f6ed10bad
SHA512 824c210106de7eae57a480e3f6e3a5c8fb8ac4bbf0a0a386d576d3eb2a3ac849bdfe638428184056da9e81767e2b63eff8e18068a1cf5149c9f8a018f817d3e5

C:\Users\Admin\AppData\Local\Temp\_MEI6122\tcl8\8.5\msgcat-1.6.1.tm

MD5 db52847c625ea3290f81238595a915cd
SHA1 45a4ed9b74965e399430290bcdcd64aca5d29159
SHA256 4fdf70fdcedef97aa8bd82a02669b066b5dfe7630c92494a130fc7c627b52b55
SHA512 5a8fb4ada7b2efbf1cadd10dbe4dc7ea7acd101cb8fd0b80dad42be3ed8804fc8695c53e6aeec088c2d4c3ee01af97d148b836289da6e4f9ee14432b923c7e40

C:\Users\Admin\AppData\Local\Temp\_MEI6122\tcl\tm.tcl

MD5 f9ed2096eea0f998c6701db8309f95a6
SHA1 bcdb4f7e3db3e2d78d25ed4e9231297465b45db8
SHA256 6437bd7040206d3f2db734fa482b6e79c68bcc950fba80c544c7f390ba158f9b
SHA512 e4fb8f28dc72ea913f79cedf5776788a0310608236d6607adc441e7f3036d589fd2b31c446c187ef5827fd37dcaa26d9e94d802513e3bf3300e94dd939695b30

C:\Users\Admin\AppData\Local\Temp\_MEI6122\tk\tk.tcl

MD5 3250ec5b2efe5bbe4d3ec271f94e5359
SHA1 6a0fe910041c8df4f3cdc19871813792e8cc4e4c
SHA256 e1067a0668debb2d8e8ec3b7bc1aec3723627649832b20333f9369f28e4dfdbf
SHA512 f8e403f3d59d44333bce2aa7917e6d8115bec0fe5ae9a1306f215018b05056467643b7aa228154ddced176072bc903dfb556cb2638f5c55c1285c376079e8fe3

C:\Users\Admin\AppData\Local\Temp\_MEI6122\tcl\auto.tcl

MD5 5e9b3e874f8fbeaadef3a004a1b291b5
SHA1 b356286005efb4a3a46a1fdd53e4fcdc406569d0
SHA256 f385515658832feb75ee4dce5bd53f7f67f2629077b7d049b86a730a49bd0840
SHA512 482c555a0da2e635fa6838a40377eef547746b2907f53d77e9ffce8063c1a24322d8faa3421fc8d12fdcaff831b517a65dafb1cea6f5ea010bdc18a441b38790

C:\Users\Admin\AppData\Local\Temp\_MEI6122\tcl\tclIndex

MD5 e127196e9174b429cc09c040158f6aab
SHA1 ff850f5d1bd8efc1a8cb765fe8221330f0c6c699
SHA256 abf7d9d1e86de931096c21820bfa4fd70db1f55005d2db4aa674d86200867806
SHA512 c4b98ebc65e25df41e6b9a93e16e608cf309fa0ae712578ee4974d84f7f33bcf2a6ed7626e88a343350e13da0c5c1a88e24a87fcbd44f7da5983bb3ef036a162

memory/4676-1255-0x000002C3E3220000-0x000002C3E3230000-memory.dmp

memory/4676-1271-0x000002C3E3320000-0x000002C3E3330000-memory.dmp

memory/4676-1290-0x000002C3E07A0000-0x000002C3E07A2000-memory.dmp

memory/4760-1317-0x000001EB29B00000-0x000001EB29C00000-memory.dmp

memory/4760-1318-0x000001EB29B00000-0x000001EB29C00000-memory.dmp

memory/4760-1488-0x000001EB3BA00000-0x000001EB3BB00000-memory.dmp

memory/4760-1497-0x000001EB3D3F0000-0x000001EB3D3F2000-memory.dmp

memory/4760-1538-0x000001EB3D700000-0x000001EB3D702000-memory.dmp

memory/4760-1536-0x000001EB3D6E0000-0x000001EB3D6E2000-memory.dmp

memory/4760-1534-0x000001EB3D620000-0x000001EB3D622000-memory.dmp

memory/4760-1532-0x000001EB3D600000-0x000001EB3D602000-memory.dmp

memory/4760-1526-0x000001EB3D520000-0x000001EB3D522000-memory.dmp

memory/4760-1540-0x000001EB3D820000-0x000001EB3D840000-memory.dmp

memory/4760-1542-0x000001EB3E440000-0x000001EB3E460000-memory.dmp

memory/4676-1558-0x000002C3E75C0000-0x000002C3E75C2000-memory.dmp

memory/4676-1561-0x000002C3E07F0000-0x000002C3E07F1000-memory.dmp

memory/4676-1565-0x000002C3E0790000-0x000002C3E0791000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\Temp\~DF554664BFBB3F2E0A.TMP

MD5 0c0ff14a79f8013c134ecc66aafc397c
SHA1 c701546f0fdadb67e93a4e5b51b6d15316fad79d
SHA256 9d16a6f3b15495f4c1fd2b5b57231dd10bc8f1340ab0c751fc3c0543ebb88bb1
SHA512 98f9432f30d484d3222403382a98ef3b0fde537aef5ae47edb1f6d74bdb8395f96faec038109ab8bb27f4ab2fed262f0fa0a5fca6707bf339a3decf4e6baa1b6

memory/4676-1575-0x000002C3E04F0000-0x000002C3E04F1000-memory.dmp

memory/4676-1574-0x000002C3E04E0000-0x000002C3E04E1000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\TABYYGGX\favicon[1].png

MD5 346e09471362f2907510a31812129cd2
SHA1 323b99430dd424604ae57a19a91f25376e209759
SHA256 74cf90ac2fe6624ab1056cacea11cf7ed4f8bef54bbb0e869638013bba45bc08
SHA512 a62b0fcc02e671d6037725cf67935f8ca1c875f764ce39fed267420935c0b7bad69ab50d3f9f8c628e9b3cff439885ee416989e31ceaa5d32ae596dd7e5fedbd

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\LogFiles\edb.log

MD5 afaac76d215c1b1ee33f8511daea340d
SHA1 d73a398ea50fc88bbf0ef66d408f9275503cb415
SHA256 b3f5043c65168e85f69512d7910394ce78414c36233a372bc9c0ce8df543bb62
SHA512 7a42428be1aec2f792aa51863742940d34f0dc10fb6a7044b90faf22154131150d96764ae32547a84a3dbf23d5048b75adfcd585942d89243e91aa76f2ca4789