Malware Analysis Report

2025-03-15 00:49

Sample ID 240626-neemfsvekk
Target NetViperV.1.5PRUEBA.exe
SHA256 b20912296e8413bf819db323bbdd972245c279e199c54a5dc099ecbab8f13c06
Tags
defense_evasion execution persistence privilege_escalation spyware stealer upx
score
8/10

Analysis Overview

score
8/10

SHA256

b20912296e8413bf819db323bbdd972245c279e199c54a5dc099ecbab8f13c06

Threat Level: Likely malicious

The file NetViperV.1.5PRUEBA.exe was found to be: Likely malicious.

Malicious Activity Summary

defense_evasion execution persistence privilege_escalation spyware stealer upx

Command and Scripting Interpreter: PowerShell

UPX packed file

Loads dropped DLL

Reads user/profile data of web browsers

Drops startup file

Accesses cryptocurrency files/wallets, possible credential harvesting

Legitimate hosting services abused for malware hosting/C2

Hide Artifacts: Hidden Files and Directories

Event Triggered Execution: Netsh Helper DLL

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Views/modifies file attributes

Analysis: static1

Detonation Overview

Reported

2024-06-26 11:18

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-26 11:18

Reported

2024-06-26 11:23

Platform

win10v2004-20240611-es

Max time kernel

300s

Max time network

204s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NetViperV.1.5PRUEBA.exe"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\‌    .scr C:\Users\Admin\AppData\Local\Temp\NetViperV.1.5PRUEBA.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\‌    .scr C:\Users\Admin\AppData\Local\Temp\NetViperV.1.5PRUEBA.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\‌    .scr C:\Windows\system32\attrib.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\NetViperV.1.5PRUEBA.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
N/A discord.com N/A N/A

Hide Artifacts: Hidden Files and Directories

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\SYSTEM32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\SYSTEM32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\SYSTEM32\netsh.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\NetViperV.1.5PRUEBA.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2952 wrote to memory of 4904 N/A C:\Users\Admin\AppData\Local\Temp\NetViperV.1.5PRUEBA.exe C:\Users\Admin\AppData\Local\Temp\NetViperV.1.5PRUEBA.exe
PID 4904 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\NetViperV.1.5PRUEBA.exe C:\Windows\system32\cmd.exe
PID 1788 wrote to memory of 1408 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 4904 wrote to memory of 3660 N/A C:\Users\Admin\AppData\Local\Temp\NetViperV.1.5PRUEBA.exe C:\Windows\system32\cmd.exe
PID 3660 wrote to memory of 1316 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4904 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\NetViperV.1.5PRUEBA.exe C:\Windows\system32\cmd.exe
PID 1324 wrote to memory of 4436 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1324 wrote to memory of 3296 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1324 wrote to memory of 5084 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4904 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\NetViperV.1.5PRUEBA.exe C:\Windows\SYSTEM32\netsh.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\NetViperV.1.5PRUEBA.exe

"C:\Users\Admin\AppData\Local\Temp\NetViperV.1.5PRUEBA.exe"

C:\Users\Admin\AppData\Local\Temp\NetViperV.1.5PRUEBA.exe

"C:\Users\Admin\AppData\Local\Temp\NetViperV.1.5PRUEBA.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c attrib +h +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\‌    .scr"

C:\Windows\system32\attrib.exe

attrib +h +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\‌    .scr"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\AppData" & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\Local" & powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe','.py'""

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\AppData"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\Local"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe','.py'"

C:\Windows\SYSTEM32\netsh.exe

netsh wlan show profiles

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 gstatic.com udp
GB 142.250.180.3:443 gstatic.com tcp
US 8.8.8.8:53 3.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 discord.com udp
US 162.159.128.233:443 discord.com tcp
US 8.8.8.8:53 233.128.159.162.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 udp
N/A 52.182.143.210:443 tcp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI29522\ucrtbase.dll

MD5 d40325e6c994228a3403f8ba8f24601f
SHA1 6266b5dc2001ffd75da3588dd7c43027a706589d
SHA256 a2ab58e44828009f6dafe54dd5ed57edfa6b09641e3c8eaa473b37e5b0e2b862
SHA512 59e712713d6492fa1b002da34bc9db82a85e19d13b694b77b57db1030681432c41705d56e9f75031ed9522d43a344d1475c745af7c8c92f70f7fc78e8b8895f9

C:\Users\Admin\AppData\Local\Temp\_MEI29522\python312.dll

MD5 8f165bfadf970edafd59067ad45a3952
SHA1 16c1876f2233087156b49db35d4d935c6e17be6a
SHA256 22470af77229d53d9141823c12780db63c43703dd525940bc479730d2e43513d
SHA512 b3af95dc9a68e21e8eca98e451b935f72663c2552ebf26de299716f17193f238d55c292df953d641defcbcec3ea18eb37cd4b839800804efa8f40658427263ae

C:\Users\Admin\AppData\Local\Temp\_MEI29522\VCRUNTIME140.dll

MD5 be8dbe2dc77ebe7f88f910c61aec691a
SHA1 a19f08bb2b1c1de5bb61daf9f2304531321e0e40
SHA256 4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83
SHA512 0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

memory/4904-162-0x00007FF92F6D0000-0x00007FF92FD94000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI29522\python3.dll

MD5 a07661c5fad97379cf6d00332999d22c
SHA1 dca65816a049b3cce5c4354c3819fef54c6299b0
SHA256 5146005c36455e7ede4b8ecc0dc6f6fa8ea6b4a99fedbabc1994ae27dfab9d1b
SHA512 6ddeb9d89ccb4d2ec5d994d85a55e5e2cc7af745056dae030ab8d72ee7830f672003f4675b6040f123fc64c19e9b48cabd0da78101774dafacf74a88fbd74b4d

C:\Users\Admin\AppData\Local\Temp\_MEI29522\_ctypes.pyd

MD5 fc609234e81821c069d54a7c8d4a7e05
SHA1 9aef96aa0276feb2df28ce0abf4ec1f2f766d011
SHA256 506cdca8f4cc4754a78edac3be230a5ec7ca4a0d61ef08fe0accab4080b2c69e
SHA512 bea687c1a9ed32db6c99be1c8689ac9e498f0ffce74c0c66c6c7653d58b6ee90e50df66c8a48b49854d47142fa9a930047f4828651193f7a500ae7fbc1882d2e

C:\Users\Admin\AppData\Local\Temp\_MEI29522\libffi-8.dll

MD5 be8ceb4f7cb0782322f0eb52bc217797
SHA1 280a7cc8d297697f7f818e4274a7edd3b53f1e4d
SHA256 7d08df2c496c32281bf9a010b62e8898b9743db8b95a7ebee12d746c2e95d676
SHA512 07318c71c3137114e0cfec7d8b4815fd6efa51ce70b377121f26dc469cefe041d5098e1c92af8ed0c53b21e9c845fddee4d6646d5bd8395a3f1370ba56a59571

C:\Users\Admin\AppData\Local\Temp\_MEI29522\base_library.zip

MD5 43935f81d0c08e8ab1dfe88d65af86d8
SHA1 abb6eae98264ee4209b81996c956a010ecf9159b
SHA256 c611943f0aeb3292d049437cb03500cc2f8d12f23faf55e644bca82f43679bc0
SHA512 06a9dcd310aa538664b08f817ec1c6cfa3f748810d76559c46878ea90796804904d41ac79535c7f63114df34c0e5de6d0452bb30df54b77118d925f21cfa1955

C:\Users\Admin\AppData\Local\Temp\_MEI29522\api-ms-win-core-datetime-l1-1-0.dll

MD5 a5b142425b889f6b27f264c8c131a29c
SHA1 e14046651850d44c36e813756f9ac515628d147e
SHA256 dc0d05807133d554eb817f7db8bc4b1ffaec784644cc8fb5924134c7fb144b8f
SHA512 662988690e97ef1270bb65d979e433a9167108212475735e98b3a809eb39d297f30f60e527ac3ac05180f0700a3e9c07345f6e13c2a7cd25983863eab23e0499

C:\Users\Admin\AppData\Local\Temp\_MEI29522\unicodedata.pyd

MD5 97f08bbcf9903c768668b1cd1e30aada
SHA1 84e2dc5c3662bd39ac09b5f682a59104ffec16d2
SHA256 c5c2997c3b16eb8b89fe230582a579a753efc8317ffd95d9795ec2762aa54ed9
SHA512 076ca0017ae252d62d4a3bd7a42af95800e39a164bda990a0ca651aa2f0df2736c0dfdc086d8328a1834ae89f17716c5f76e798460a90263d1d8b6f2c233c686

memory/4904-224-0x00007FF93FB40000-0x00007FF93FB6D000-memory.dmp

memory/4904-223-0x00007FF93FD80000-0x00007FF93FD9A000-memory.dmp

memory/4904-222-0x00007FF946620000-0x00007FF94662F000-memory.dmp

memory/4904-221-0x00007FF9450B0000-0x00007FF9450D5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI29522\sqlite3.dll

MD5 b26fa7619d82c7272b7279eb7aae801c
SHA1 fa6a3240a531615a0853306f3b3d66aed98a04d8
SHA256 74dc76a2a2d06d61f9f06bd3b0972bfb30ab57b0e5cb8c3011e79ce4a52924f0
SHA512 20b0d6cf3e07ca0d565f140c9f9c1e218406ed9bdaaf75433858acb250bfb71bb134a6479fdcf6d4d0e0252707b1fb14f9c9d3e4d6a40824c3fdc7a43dfad0ee

C:\Users\Admin\AppData\Local\Temp\_MEI29522\select.pyd

MD5 3b214dfb6ec4ca67be55b3aa52922827
SHA1 f665ffeab25d2bab506b873be944280586eb50f6
SHA256 7507a92c4787e9e7936a0b4a8eeb0a3f24e5ee12ae58cd7988543581d99817ac
SHA512 de4e9b9d79b01d21aca74179c6a3e8fc6fe041f71cdd78910fd893cda90c2cfe7e54ade91064333f37ffc880d446879a64dd8bb790677039df56df1f80ec6b45

C:\Users\Admin\AppData\Local\Temp\_MEI29522\pyexpat.pyd

MD5 7291100352b163626455abf2252f2a96
SHA1 3c4d13bbf5fb69fe6f2af70f675ed2e437cea893
SHA256 01974148486d569e9f1ad62d36d4d54b5396b07c853bd50f358d5580fde331f4
SHA512 fc384703828bb7a38b51dcf1a131b49283808b5658395e1d1c5ee9a204f895da0c29b12a7b1fc9aa468babc5d6f03be638fecf519e41911bf015a481f95458bc

C:\Users\Admin\AppData\Local\Temp\_MEI29522\luna.aes

MD5 c04f96725628fc71ba4c752fa91343f8
SHA1 d835482eb9c32934d86ea5d380a77be89abd285e
SHA256 12c46b442d39c6517dd46060c57f2f2f91563b7bce4d4462bbe2a67928149485
SHA512 211fbe4247279ccc58f991b9e22154f8e9e971df72484c698bf283d3a2bd8bfce65763bc59c6e38120dace3f5fec4169ec933df37c9b3373e1ed693fc3ce7bf3

C:\Users\Admin\AppData\Local\Temp\_MEI29522\libssl-3.dll

MD5 7e87c34b39f3a8c332df6e15fd83160b
SHA1 db712b55f23d8e946c2d91cbbeb7c9a78a92b484
SHA256 41448b8365b3a75cf33894844496eb03f84e5422b72b90bdcb9866051939c601
SHA512 eceda8b66736edf7f8e7e6d5a17e280342e989c5195525c697cc02dda80fd82d62c7fd4dc6c4825425bae69a820e1262b8d8cc00dbcd73868a26e16c14ac5559

C:\Users\Admin\AppData\Local\Temp\_MEI29522\libcrypto-3.dll

MD5 63eb76eccfe70cff3a3935c0f7e8ba0f
SHA1 a8dd05dce28b79047e18633aee5f7e68b2f89a36
SHA256 785c8dde9803f8e1b279895c4e598a57dc7b01e0b1a914764fcedef0d7928b4e
SHA512 8da31fa77ead8711c0c6ffedcef6314f29d02a95411c6aacec626e150f329a5b96e9fdeae8d1a5e24d1ca5384ae2f0939a5cc0d58eb8bdbc5f00e62736dcc322

C:\Users\Admin\AppData\Local\Temp\_MEI29522\api-ms-win-crt-utility-l1-1-0.dll

MD5 b3e5b1a7f42f664ff51a2097eef25ac9
SHA1 88ee2702b919d5bf1eaa94f1c3289b624fe79ac1
SHA256 07080f3ae43d57fe79c15cf13f203a87feb56698bb7223ebe37dd1f7567a08da
SHA512 2a734e1c89008650f178bdfb0e825317d4639cff314f495a2912383c697339547bcd6326925a7bc35048bcabc5492eb6c544776e20fcabef798281f4fb9d0574

C:\Users\Admin\AppData\Local\Temp\_MEI29522\api-ms-win-crt-time-l1-1-0.dll

MD5 81f87034a0ba80f0468104ea2c31fc37
SHA1 493eaf2f914f59419a1f00153624968f0498aadd
SHA256 19391f88cd09b8e80b1ed1d3acfd392eee0b9211da57f74e1f5824306a577aae
SHA512 cc340ca78851991e5a50a7c14a064d23591366a03eb3b8455f006d0cda837bf765c75ade2de8a1e1273819eacfb06ea04ca815a38ae57d62df0aa8dc8af93298

C:\Users\Admin\AppData\Local\Temp\_MEI29522\api-ms-win-crt-string-l1-1-0.dll

MD5 d753c4c29f5959480f084496fe72ec73
SHA1 5df4b5e9c831beff0f1f373745239ca58e2eaf5d
SHA256 6c9c9f3189883c9aeb84b5d6bf4e8be9315326e43fcc599ed11ce996955db4da
SHA512 7915844c60d34ce70a8e4a25caacf9213f34899442f5285b0e02ab9d12e61c4cf422ffd824f1fbae614311855464b8b2f06bca84d70417b3c284c5202c8391b6

C:\Users\Admin\AppData\Local\Temp\_MEI29522\api-ms-win-crt-stdio-l1-1-0.dll

MD5 79783b701ea88d60b2065f5a2c8b7ee8
SHA1 4b2ef66320a8d37cb22a5f0c9ce3574a807cc8da
SHA256 e295c846d8871a1e2114f8dd233adcc7611e49e2e47055cfc955553c22b85fa5
SHA512 135848e2d6c70eb724a7449ea62ce4ac0cf0ddb54675b4d965ec140141bcd7acad6d30b7bb57e7dde362ba27143fce41d218cb397d35cbcefbc7d57525cd3b0c

C:\Users\Admin\AppData\Local\Temp\_MEI29522\api-ms-win-crt-runtime-l1-1-0.dll

MD5 0b39e68f4505ca8fee89958c36af5b80
SHA1 ec37adbd9c1d4a138968d20bbfc30500ee2eeb8d
SHA256 09e3e6c3e08575b1747697e1a35e1670fa0f2ecfcb08b5bf0e400fd1f1b363cc
SHA512 39212132f8e953b6a188cf93ad6158117a87b897aa5f59e7f3f97aff25a9d2b5c13e919da82628e1d867f89ef2bebc7163e05842b8825808a500187125c54236

C:\Users\Admin\AppData\Local\Temp\_MEI29522\api-ms-win-crt-process-l1-1-0.dll

MD5 ee64bcf3136c7c3a8977bccaafb599e0
SHA1 451d3f0fe169f3931e7dfff6160a2be080b4b00e
SHA256 68aba1b66f879cb6324941b6e5193f21c8fd0da28cd50b5e136aaca408efbb99
SHA512 0e9bcbdad1bf882ec07c01b633f301c3e43020abe64f852753f2fe81cf4b08e75a94ce926acb77bcf7e5d3733a26a8c4f655f7598429be0e23fba049f0249d72

C:\Users\Admin\AppData\Local\Temp\_MEI29522\api-ms-win-crt-private-l1-1-0.dll

MD5 df1b3d89629a6fe1d20cf9ce1fd0e9b5
SHA1 38e6b082cb40a7ca592de96bfb73b22ce38dde61
SHA256 bc23d240f00516a41f1ce64b6cfac6051a3bb5e6556547c3ef16259f2b047b5e
SHA512 6baf58b3ac0f739958d4304344f228c8d0fa5b9bdd0e56e60405691dbce32352a4023b0ff8afbab0488e381e6515201c68c302f1e1fe32cc455f2dc3a14d3753

C:\Users\Admin\AppData\Local\Temp\_MEI29522\api-ms-win-crt-math-l1-1-0.dll

MD5 c61b2455e4a4b795e289eafe98f28868
SHA1 41eef8e70a24580859690d236688fc22d104a439
SHA256 ea2967017c1adf9a32351bccd6064a436666d009824a906dad698eac9148c5ad
SHA512 426b4855d2306e933d3b6387f64bbdc3ee3a1ce3b05ac11edfdbee0126ab124fe02a24a45da9849ab88d7bd1a1eb6d1bdbe435e04a8d08493a5f352752084db5

C:\Users\Admin\AppData\Local\Temp\_MEI29522\api-ms-win-crt-locale-l1-1-0.dll

MD5 8db69659ffef12be1bd902315b51c7d9
SHA1 523dd5daefaba7bfb8194086fce2f2fe40e51931
SHA256 e1fb8284905dce8b81a025832a57347b385d8d813649d6c851b6d37dce5d33cc
SHA512 0cbcb92589e49ed65ae545d83b2cc02c9d3673e6f62a67f00d453ced40c55639d093ae1717112df340a1b8c5c6a7410a56208e1fc16b89142c77546f1e0d38be

C:\Users\Admin\AppData\Local\Temp\_MEI29522\api-ms-win-crt-heap-l1-1-0.dll

MD5 d8d2f19cc9bfdfd775b64e835bb7ee19
SHA1 3743efb6a5689cdbcf412b99a238a52624cd3fcc
SHA256 1ea6a71b8b3dd43f77905858e7d9096b24ef4b69036fa85f5ab95f0126f1bf8e
SHA512 589fce4e2641c8bca9f4aaf944c5b3fb93a56c74ba3e89a94396fd8270c402f1ae0097dab04a9c06ee4d8af40b052c6256aa5ee5c2eed73a305bdfac6cd4b415

C:\Users\Admin\AppData\Local\Temp\_MEI29522\api-ms-win-crt-filesystem-l1-1-0.dll

MD5 d52f9f4282cb6b900e2ed5f6c3847fa9
SHA1 7763edff451b1528f1e8c586a0dc88bd93df29fa
SHA256 378965f64cfc2b75176696bf480386c959498fe9f42ee5cdea5e840594916598
SHA512 6403054428b80e3ea2f5516c8abf0479458ba80daaf3e5bcb55ca2be8e17c3fd46017f6a5641b08d0a1c125eaf7eae99aa547b262356bd4c810a7bb9be7b1c68

C:\Users\Admin\AppData\Local\Temp\_MEI29522\api-ms-win-crt-environment-l1-1-0.dll

MD5 34bb82dda243dc6ce3d121b80878a5fe
SHA1 1023c191e6005d5042d7fa78e5ad03f77fa1f60e
SHA256 f88917bd3b1e6f0816d5bc10280173180c11961b1a28bd987f3431adc1b9fa27
SHA512 4ad07e370e96c19a85b9b088780ec879f08ce92e4a6973f9ca241bf9c7c8d394b19a01e95cf2f9141d791595839b288b42b7a6989fdc4d1832207590044c2244

C:\Users\Admin\AppData\Local\Temp\_MEI29522\api-ms-win-crt-convert-l1-1-0.dll

MD5 d2ffcea7c898dc57bb6f33479571be4f
SHA1 c4f90864c07053816858f61008c63e81d669251b
SHA256 0e3a7169896bc3c91d2267db186bdf45b248daf60839b89c3e8267fb39d3a8c6
SHA512 13b8dfd221c50e66ad84cccb273d962f45e1ae9fcc94d7f1f71e2783c1762b079664264abc9ada0754baa79c6bb6dd64bc68ed38a8dbe3d0494e32ddbd82862d

C:\Users\Admin\AppData\Local\Temp\_MEI29522\api-ms-win-crt-conio-l1-1-0.dll

MD5 5ea151da7905fb8033039d970c86fdd1
SHA1 f57870611efe6f99dfcaaa1a272150c80423d6b3
SHA256 082ffdd55b8aa9d0732c75bd61050deaa51ea921bb8715be70c32dea0dc67881
SHA512 e68777b55ac03e668e593d220682848b8df37ebf517afd7ca02a1a5381b753064d325a09a114e501a94f514ef91bbcbd00b01d99364d90b35ec2b79b613f5b4b

C:\Users\Admin\AppData\Local\Temp\_MEI29522\api-ms-win-core-util-l1-1-0.dll

MD5 bd849705253b08c266b580a161777ba2
SHA1 769ec0f734a5dbbf002f8a700e47ba8bc59cc0ec
SHA256 ec379c70184c851c3a0607aa16bb0706c968306cdd0c1cad248e2c8d20b51429
SHA512 feea626abe96bd4eef9efa653c5aa9b09187de6b0bcd6734da3c211f1053044e41b655fa64afbde734e47c368ee05cad16008bf1ba028cdf44e1142ac957130b

C:\Users\Admin\AppData\Local\Temp\_MEI29522\api-ms-win-core-timezone-l1-1-0.dll

MD5 49100ae18d47b3a944205adb0820ff90
SHA1 5ecd49104c4f5c15a4147bfee35c6b9ac1291d0f
SHA256 53ecaca6e272bb4b283013a76a23004f8fa5bc0340d171b764c2bbd856e26a1f
SHA512 899a5b3f1b9a93db634507bde71be8157acba6fac4af3d35d08fca598a7cf6dc5c5d16fa122493a0516c13a22466909165ff94ef99ec9f394cbf2f2ced7a82cc

C:\Users\Admin\AppData\Local\Temp\_MEI29522\api-ms-win-core-sysinfo-l1-1-0.dll

MD5 f66b984895690696da524425335e5079
SHA1 91f9a826f0e70f988f9ae84d7f7e39d7a87b0ded
SHA256 507919ebf0560d3c77937ffcfbeb4ec0958bebd96509cb1b37135eff38499776
SHA512 e49dad7dcbd83c1c9249aacbda89e1552eadab7110e78ee6db27fa1e4b2a110dd595fc9dbb86ccf4d57bdf92cb7de112007445f5ba155aa1b830d00610b02a0e

C:\Users\Admin\AppData\Local\Temp\_MEI29522\api-ms-win-core-synch-l1-2-0.dll

MD5 a332dcf1e4098759c52c76678b3982ee
SHA1 450b71ab21fac70b07b3cdc35dd684ee45815f73
SHA256 38ee2dba965f1a3b3ca6a13bd59e90b6053c24057329c2dbfd94db2c09f31844
SHA512 b6ba214248d8d46015c10c01a5a966c9728bb9736860d614202c99f803d6c2e550b6b6f9813af7f69f9abcb2577b17a4ca3cfddc1849187b06139ebc8b12baf6

C:\Users\Admin\AppData\Local\Temp\_MEI29522\api-ms-win-core-synch-l1-1-0.dll

MD5 6f891d727e0ebf983704395f8a88a0e2
SHA1 b790faaa91d965b2850eee7af42f4dd4e8490955
SHA256 9f2c5563aafd8cb42287342b74d7345416caca1e21be558cf9208d57769f25a7
SHA512 e6276856895d77d4ef0aba9f2510ad865cc7935f6937e675b08b892c85bec25f5fe911c2ee09a6187cf8b0b1e312f52ce3cb0e4b73e7d19d9d00d3b1eca8d680

C:\Users\Admin\AppData\Local\Temp\_MEI29522\api-ms-win-core-string-l1-1-0.dll

MD5 f46c1c06143840f811028eb7c5d0457f
SHA1 6ba27a0b8f4f5e48ec75f87922f0ce6e2906eeea
SHA256 0c8c234df372482de52ac3bae3db89623c19c5a55736e888af9fb4fab71ad1ce
SHA512 d6f7e2ed15445ade903b185657e85053d612d66dd9eb314fd9f6a57bc2402345f067152b471722dc46180e8cdc1192215516ac02aab6864556b6aa75a47b13f2

C:\Users\Admin\AppData\Local\Temp\_MEI29522\api-ms-win-core-rtlsupport-l1-1-0.dll

MD5 e7b3f861ea619a726208333d42b80c88
SHA1 9fba674dc286eb30be9051e0dca74476c000fc15
SHA256 a349f59482def958906bc5f3b84440755ee30520504bc8c38a76b23d39d0a5a3
SHA512 2616d12a8f68c162edd735defe37dba839b61c4d4136fabd674aaff59c575301ab8566076ac4bec98eb6057998310cdcb2adf5e36bfaf406f5c2dc8c46986b5e

C:\Users\Admin\AppData\Local\Temp\_MEI29522\api-ms-win-core-profile-l1-1-0.dll

MD5 82f93724a0a7b732980efb91f4729560
SHA1 acf54c4f7cfb8d56efec8c06a317c56795cefd50
SHA256 e9458284ad7be14b86cbdd5fff2aa459258eb4d6fae29dfeae69f1e897f7508c
SHA512 4b6bd90fb80e89a495c6287fe5dfff24a7fdbff8b75df63ed75d457b8b5278cb0cc4560b4e378e61f08f5c81d6a260dbb48441d715ff332732b6a769da5f55a8

C:\Users\Admin\AppData\Local\Temp\_MEI29522\api-ms-win-core-processthreads-l1-1-1.dll

MD5 92233d5f2057a6c99939e1549c8a63ab
SHA1 3e9a3b9e362025410d69458727462bb6338198f0
SHA256 6fe93c03cb84c7be2e8ef5c12f6c1595861c78edd1e099137f0c0866dc2fa5d0
SHA512 9aff968531a3cab229b3b5d216299149bf6ecf03086c5ddbe5a09ed52b62434ceffcf245be6306d7308e478acc5c445e1a6494491c0e8627818ec2472ce052fb

C:\Users\Admin\AppData\Local\Temp\_MEI29522\api-ms-win-core-processthreads-l1-1-0.dll

MD5 5ef924f38ee210dfbb16e41a6bc2e150
SHA1 9033b6b010b9f28b4168000db20bb6f1d315eecc
SHA256 36bd79aba8dd89c170a3da25b948f88b227da3cc3d24e74fa7d757bfac0f5904
SHA512 f89e285c906a2b2b95a79372369b9c915a75819ee9d9ef0583fbb51c068a55a5b26b0745cc6cf645d7e2c1a92286e934703416a3164a7dabed0fc9cb813661ed

C:\Users\Admin\AppData\Local\Temp\_MEI29522\api-ms-win-core-processenvironment-l1-1-0.dll

MD5 8a19ef4760fb3c6bc8c63452d156d427
SHA1 4fb5a62aadc9ebe50d3926ad2d328f9e4a0192bb
SHA256 c8b0a3cef3a5f583fc2723e7f61ad02fc3f9cddd69bdb1926ced4cb0dd62d505
SHA512 1cbff63950734787906cb748209b3194c5e9707ee739d8bb9ed76a52135b7c8a585bf86213f10b6138eff6c4dd843716fc4f8c1be755a16b0e21af3cc5417db1

C:\Users\Admin\AppData\Local\Temp\_MEI29522\api-ms-win-core-namedpipe-l1-1-0.dll

MD5 3bcedd51584a4981744e2d68d0e43229
SHA1 979dc6859df3d391f18b8057413af43d73976f30
SHA256 bcf16101035920f8f1dab719c3526a4859069f332d77e554e3b771ef8771e4d8
SHA512 3018794a29d6df6a44a170479d92a3371c64e365189a0d328fbaa5b1569c946990e107033095f3885161251120014cbbac6db88b58c53ef76422b405e3376df5

C:\Users\Admin\AppData\Local\Temp\_MEI29522\api-ms-win-core-memory-l1-1-0.dll

MD5 d4d725d390aa6f73c2b2d8d6bbe6b66f
SHA1 15a5896f0e68e9edd61bebfcf320c0e61c9153fe
SHA256 54b73975d18e30a8c2b8dba8aba6e536391a28742771aef6a268d60e319302df
SHA512 a7d5c4dc9d2348618e05a55b4ca89c066f40eab79e7b3abfd6955d5a01e9eceacdd3122e9cc594c5925efe43fff9b05caa0068a2b8fd1d1f9de8523e274a3101

C:\Users\Admin\AppData\Local\Temp\_MEI29522\api-ms-win-core-localization-l1-2-0.dll

MD5 7f1ee2e33c903c7ea23dc80a19d6ec3c
SHA1 5e533f79dd14268c42e426efb1d3c3d29106e47e
SHA256 2ae12476304e22e7f31c71398fcf0acb626a6b44b37a7f68b6357cd049567d2f
SHA512 266f0337c1ea2c39b6248c5db9b8f500dca7664c11e72abcf37b3e04b541ec8f7efa84d46980c0bf007cdc8df726703de5bb04bc7c62da4e99d354d7cb4cafaa

C:\Users\Admin\AppData\Local\Temp\_MEI29522\api-ms-win-core-libraryloader-l1-1-0.dll

MD5 a573e6d7a584f0e3dd2cccf9b45da14e
SHA1 ae555fac030f23d5f0f56c5010baf84798bb6abe
SHA256 bf7f70b5ccd2e25d9ae3f9ea5407368ca7ad6080fa65c75b821e850b62861551
SHA512 0116384916988bb1d120b76a3c40ab16dec4df2d10d219503822aef6d51924cd0abc78e5c813632e8e84a69c8f6bb50996a5f8e4990843d59d6e7e5b8b4d3fe5

C:\Users\Admin\AppData\Local\Temp\_MEI29522\api-ms-win-core-interlocked-l1-1-0.dll

MD5 359ad2ef91c8a9e5e19c5bd0ea61b9cd
SHA1 a1197d3f567f443106632500be0ab854091ac778
SHA256 8cd91ebacce5ac4f64618abe2fab16640e98cfc16ab518f32e572aec7067fd46
SHA512 104976b73a4a7b6262ce04f2b4f03274dc6e6820260fbaf8424b048d6d8d2b22ca03eed9e297802671cfdbe025c2a6ac74e5990e1015213c35f9f702a3b79fb3

C:\Users\Admin\AppData\Local\Temp\_MEI29522\api-ms-win-core-heap-l1-1-0.dll

MD5 677272c53d3c5f2d074bcb6806401832
SHA1 f48460bf34373582aceff7f30cf71c85def0f254
SHA256 294b9f1d640ca5d46f8c1b93633bda71e434e56d65f0241193631f208b6117bf
SHA512 838265128ac579c3d8b33d52b4a638634ebaffb9f72afca8e01ffa8f2dd0380c6e3742389eaea119815332dec946ca6aa0484078584ad505267d2ebd2ec8b4f8

C:\Users\Admin\AppData\Local\Temp\_MEI29522\api-ms-win-core-handle-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI29522\api-ms-win-core-file-l2-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI29522\api-ms-win-core-file-l1-2-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI29522\api-ms-win-core-file-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI29522\api-ms-win-core-errorhandling-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI29522\api-ms-win-core-debug-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI29522\_lzma.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI29522\api-ms-win-core-console-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI29522\_bz2.pyd

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_c5hiol3f.pqp.ps1

C:\Users\Admin\AppData\Local\Temp\hCqg37x3Je\Common Files\Are.docx

C:\Users\Admin\AppData\Local\Temp\hCqg37x3Je\Browser\history.txt

C:\Users\Admin\AppData\Local\Temp\hCqg37x3Je\Browser\cc's.txt

C:\Users\Admin\AppData\Local\Temp\hCqg37x3Je\Common Files\Files.docx
