Analysis Overview
SHA256
9af8b897f56f1b73c8111b9c7a47038606dd385c03e452500b5b8e24bf115a83
Threat Level: Known bad
The file Astro-V15.3.rar was found to be: Known bad.
Malicious Activity Summary
Umbral
Xworm
Detect Xworm Payload
Detect Umbral payload
Enumerates VirtualBox DLL files
Sets file to hidden
Drops file in Drivers directory
Command and Scripting Interpreter: PowerShell
Deletes itself
Checks computer location settings
Reads user/profile data of web browsers
Drops startup file
Loads dropped DLL
Executes dropped EXE
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Enumerates physical storage devices
Unsigned PE
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Detects videocard installed
Checks SCSI registry key(s)
Views/modifies file attributes
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Kills process with taskkill
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Delays execution with timeout.exe
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-10 20:14
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-10 20:14
Reported
2024-07-10 20:24
Platform
win7-20240705-en
Max time kernel
149s
Max time network
126s
Command Line
Signatures
Detect Umbral payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Umbral
Xworm
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\RunFirst.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xxxt - Copy.lnk | C:\Users\Admin\AppData\Local\Temp\xxxt - Copy.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xxxt - Copy.lnk | C:\Users\Admin\AppData\Local\Temp\xxxt - Copy.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xxxt - Copy.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RunSecond.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RunFirst.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RunSecond.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Astro-V15.3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RunSecond.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RunSecond.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Detects videocard installed
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xxxt - Copy.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RunFirst.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xxxt - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RunFirst.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xxxt - Copy.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xxxt - Copy.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Astro-V15.3.exe
"C:\Users\Admin\AppData\Local\Temp\Astro-V15.3.exe"
C:\Users\Admin\AppData\Local\Temp\xxxt - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\xxxt - Copy.exe"
C:\Users\Admin\AppData\Local\Temp\RunSecond.exe
"C:\Users\Admin\AppData\Local\Temp\RunSecond.exe"
C:\Users\Admin\AppData\Local\Temp\RunFirst.exe
"C:\Users\Admin\AppData\Local\Temp\RunFirst.exe"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpE0ED.tmp.bat""
C:\Windows\system32\timeout.exe
timeout 3
C:\Users\Admin\AppData\Local\Temp\RunSecond.exe
"C:\Users\Admin\AppData\Local\Temp\RunSecond.exe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\system32\attrib.exe
"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\RunFirst.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RunFirst.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" os get Caption
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" computersystem get totalphysicalmemory
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Windows\System32\Wbem\wmic.exe
"wmic" path win32_VideoController get name
C:\Windows\system32\cmd.exe
"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\RunFirst.exe" && pause
C:\Windows\system32\PING.EXE
ping localhost
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | gstatic.com | udp |
| GB | 142.250.187.195:443 | gstatic.com | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.138.232:443 | discord.com | tcp |
| N/A | 127.0.0.1:14289 | tcp | |
| N/A | 127.0.0.1:14289 | tcp | |
| N/A | 127.0.0.1:14289 | tcp | |
| N/A | 127.0.0.1:14289 | tcp | |
| N/A | 127.0.0.1:14289 | tcp | |
| N/A | 127.0.0.1:14289 | tcp | |
| N/A | 127.0.0.1:14289 | tcp | |
| N/A | 127.0.0.1:14289 | tcp | |
| N/A | 127.0.0.1:14289 | tcp | |
| N/A | 127.0.0.1:14289 | tcp | |
| N/A | 127.0.0.1:14289 | tcp | |
| N/A | 127.0.0.1:14289 | tcp | |
| N/A | 127.0.0.1:14289 | tcp | |
| N/A | 127.0.0.1:14289 | tcp | |
| N/A | 127.0.0.1:14289 | tcp | |
| N/A | 127.0.0.1:14289 | tcp | |
| N/A | 127.0.0.1:14289 | tcp | |
| N/A | 127.0.0.1:14289 | tcp | |
| N/A | 127.0.0.1:14289 | tcp |
Files
memory/2184-0-0x000007FEF5E43000-0x000007FEF5E44000-memory.dmp
memory/2184-1-0x00000000003B0000-0x00000000013B0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xxxt - Copy.exe
| MD5 | 12af3b6e31055c3fb99d029d9ea50cce |
| SHA1 | 7a3a8e8d030ac1f16f774cc7a94ec2adb8d2aa83 |
| SHA256 | 396c1941ee95bf8e9941ec6a3e53ee59dbc027bf9458495a2da8fc189c1d5dff |
| SHA512 | a1611e164b6c267ff3fa1e474c98778e97797f145b77bf944b6d4e183cb1d93bb1a984e8e2f1736cb095ba7925ec1d2b99113e984333edbe28c33afae83f3b7d |
memory/2540-7-0x0000000001340000-0x0000000001350000-memory.dmp
memory/2184-8-0x000007FEF5E40000-0x000007FEF682C000-memory.dmp
memory/2540-9-0x000007FEF5E40000-0x000007FEF682C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RunFirst.exe
| MD5 | f8739f5e5dc45a8293640ed3a16e37e4 |
| SHA1 | ea6d2a89a731f6ba7c251ba2f837cb8d85ba1cf5 |
| SHA256 | 4bb0e6c8175d2e14881a7a03f43b0cbe32fb906f5761b37cdb8564e07694f631 |
| SHA512 | 111a6804a49eb172e03ed95fb4dccf35abf18aa1a6b1b7314c98ccf36bb1b5df8dc9c525a297f14dfeea25843065fdc0fb94c4fe2a504e32e7f67fe722a31f06 |
memory/536-38-0x0000000000CB0000-0x0000000000CF0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpE0ED.tmp.bat
| MD5 | cbd1138b8b220722a68979a48c4d363f |
| SHA1 | 21885fd284766bbb616869027e03c9b1c9de88ca |
| SHA256 | c78f9ed8e317690e7283ea4a9ec8e9bad293e1ee5f66aec0ac75fc629008f743 |
| SHA512 | a8e7be36e3250b0c907d629841aeb60cae65d9a4f4084082624fad500f65a60c772d4976f3a606d1d593fab2e6f925b040311fda938501e0ae005ab6cc3a2587 |
memory/2184-94-0x000007FEF5E40000-0x000007FEF682C000-memory.dmp
memory/2540-1204-0x000007FEF5E40000-0x000007FEF682C000-memory.dmp
\Users\Admin\AppData\Local\Temp\_MEI29362\python312.dll
| MD5 | d521654d889666a0bc753320f071ef60 |
| SHA1 | 5fd9b90c5d0527e53c199f94bad540c1e0985db6 |
| SHA256 | 21700f0bad5769a1b61ea408dc0a140ffd0a356a774c6eb0cc70e574b929d2e2 |
| SHA512 | 7a726835423a36de80fb29ef65dfe7150bd1567cac6f3569e24d9fe091496c807556d0150456429a3d1a6fd2ed0b8ae3128ea3b8674c97f42ce7c897719d2cd3 |
memory/2012-1295-0x000000001B550000-0x000000001B832000-memory.dmp
memory/2012-1296-0x00000000027A0000-0x00000000027A8000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | b4b307ee05f0ab3da63b9ea324320b52 |
| SHA1 | c94d07582f547d42e2011ecf528fb37a27dabe2c |
| SHA256 | 1c08558be08e4281729b3e3f8a6a280b49a8882cb83c33a0f13e95502f5ec4d6 |
| SHA512 | 60b6a8ada6db4f6179b71735af63c7b083e34ed04df328f8473f59e6a5ebb6bae5e7134fc9dc1bb3c0a2b1a96b1ec9e91fcba52eb9770eb250d3f1806add68b7 |
memory/1572-1302-0x000000001B780000-0x000000001BA62000-memory.dmp
memory/1572-1303-0x0000000001D20000-0x0000000001D28000-memory.dmp
\??\PIPE\srvsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/2928-1331-0x000000001B750000-0x000000001BA32000-memory.dmp
memory/2928-1332-0x0000000002870000-0x0000000002878000-memory.dmp
memory/2540-2588-0x000007FEF5E40000-0x000007FEF682C000-memory.dmp
memory/2540-2589-0x000007FEF5E40000-0x000007FEF682C000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-10 20:14
Reported
2024-07-10 20:22
Platform
win10v2004-20240709-en
Max time kernel
57s
Max time network
59s
Command Line
Signatures
Detect Umbral payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Umbral
Xworm
Enumerates VirtualBox DLL files
| Description | Indicator | Process | Target |
| File opened (read-only) | C:\windows\system32\vboxhook.dll | C:\Users\Admin\AppData\Local\Temp\RunSecond.exe | N/A |
| File opened (read-only) | C:\windows\system32\vboxmrxnp.dll | C:\Users\Admin\AppData\Local\Temp\RunSecond.exe | N/A |
| File opened (read-only) | C:\windows\system32\vboxhook.dll | C:\Users\Admin\same\same.exe | N/A |
| File opened (read-only) | C:\windows\system32\vboxmrxnp.dll | C:\Users\Admin\same\same.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\RunFirst.exe | N/A |
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Astro-V15.3.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xxxt - Copy.lnk | C:\Users\Admin\AppData\Local\Temp\xxxt - Copy.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xxxt - Copy.lnk | C:\Users\Admin\AppData\Local\Temp\xxxt - Copy.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xxxt - Copy.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RunSecond.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RunFirst.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RunSecond.exe | N/A |
| N/A | N/A | C:\Users\Admin\same\same.exe | N/A |
| N/A | N/A | C:\Users\Admin\same\same.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\same = "C:\\Users\\Admin\\same\\same.exe" | C:\Users\Admin\AppData\Local\Temp\RunSecond.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Detects videocard installed
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xxxt - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RunFirst.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xxxt - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RunSecond.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xxxt - Copy.exe | N/A |
| N/A | N/A | C:\Users\Admin\same\same.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Astro-V15.3.exe
"C:\Users\Admin\AppData\Local\Temp\Astro-V15.3.exe"
C:\Users\Admin\AppData\Local\Temp\xxxt - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\xxxt - Copy.exe"
C:\Users\Admin\AppData\Local\Temp\RunSecond.exe
"C:\Users\Admin\AppData\Local\Temp\RunSecond.exe"
C:\Users\Admin\AppData\Local\Temp\RunFirst.exe
"C:\Users\Admin\AppData\Local\Temp\RunFirst.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpA98E.tmp.bat""
C:\Windows\system32\timeout.exe
timeout 3
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\SYSTEM32\attrib.exe
"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\RunFirst.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RunFirst.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Users\Admin\AppData\Local\Temp\RunSecond.exe
"C:\Users\Admin\AppData\Local\Temp\RunSecond.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x514 0x518
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionPath \"C:\Users\Admin\same\""
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" os get Caption
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\same\activate.bat
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" computersystem get totalphysicalmemory
C:\Windows\system32\attrib.exe
attrib +s +h .
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Users\Admin\same\same.exe
"same.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Windows\system32\taskkill.exe
taskkill /f /im "RunSecond.exe"
C:\Windows\System32\Wbem\wmic.exe
"wmic" path win32_VideoController get name
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\RunFirst.exe" && pause
C:\Windows\system32\PING.EXE
ping localhost
C:\Users\Admin\same\same.exe
"same.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionPath \"C:\Users\Admin\same\""
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell (Get-CimInstance Win32_ComputerSystemProduct).UUID
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.143.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| GB | 142.250.187.195:443 | gstatic.com | tcp |
| US | 8.8.8.8:53 | 195.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.135.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 232.135.159.162.in-addr.arpa | udp |
| N/A | 127.0.0.1:14289 | tcp | |
| N/A | 127.0.0.1:62829 | tcp | |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.136.232:443 | discord.com | tcp |
| N/A | 127.0.0.1:14289 | tcp | |
| US | 8.8.8.8:53 | gateway.discord.gg | udp |
| US | 162.159.134.234:443 | gateway.discord.gg | tcp |
| US | 8.8.8.8:53 | 234.134.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.136.159.162.in-addr.arpa | udp |
| N/A | 127.0.0.1:14289 | tcp | |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| N/A | 127.0.0.1:14289 | tcp | |
| N/A | 127.0.0.1:14289 | tcp |
Files
memory/5076-0-0x00007FFCE5993000-0x00007FFCE5995000-memory.dmp
memory/5076-1-0x0000000000610000-0x0000000001610000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xxxt - Copy.exe
| MD5 | 12af3b6e31055c3fb99d029d9ea50cce |
| SHA1 | 7a3a8e8d030ac1f16f774cc7a94ec2adb8d2aa83 |
| SHA256 | 396c1941ee95bf8e9941ec6a3e53ee59dbc027bf9458495a2da8fc189c1d5dff |
| SHA512 | a1611e164b6c267ff3fa1e474c98778e97797f145b77bf944b6d4e183cb1d93bb1a984e8e2f1736cb095ba7925ec1d2b99113e984333edbe28c33afae83f3b7d |
memory/5076-13-0x00007FFCE5990000-0x00007FFCE6451000-memory.dmp
memory/3832-14-0x0000000000900000-0x0000000000910000-memory.dmp
memory/3832-15-0x00007FFCE5990000-0x00007FFCE6451000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RunFirst.exe
| MD5 | f8739f5e5dc45a8293640ed3a16e37e4 |
| SHA1 | ea6d2a89a731f6ba7c251ba2f837cb8d85ba1cf5 |
| SHA256 | 4bb0e6c8175d2e14881a7a03f43b0cbe32fb906f5761b37cdb8564e07694f631 |
| SHA512 | 111a6804a49eb172e03ed95fb4dccf35abf18aa1a6b1b7314c98ccf36bb1b5df8dc9c525a297f14dfeea25843065fdc0fb94c4fe2a504e32e7f67fe722a31f06 |
memory/1976-68-0x00000221C07F0000-0x00000221C0830000-memory.dmp
memory/5076-127-0x00007FFCE5990000-0x00007FFCE6451000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpA98E.tmp.bat
| MD5 | c4857353a5553fdb1dadbafdd3292059 |
| SHA1 | 1d209ffba3b270fce400af282a8e4dbea2f08406 |
| SHA256 | 1783af7e922794c28a0e7507dbce71334493662ced63fb13f6ba440d7e8a7080 |
| SHA512 | a7365d078c9b959d28c53929a1fd63a4cc960d5f24464300b1b5cd7f47e15c2cbd9978d915bb3a88630bd5a79a91bed952a469a9c8730f85ca0e920d0d112113 |
memory/4732-317-0x0000020EF6300000-0x0000020EF6322000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wz2km3hc.rgq.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3832-356-0x00007FFCE5990000-0x00007FFCE6451000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 62623d22bd9e037191765d5083ce16a3 |
| SHA1 | 4a07da6872672f715a4780513d95ed8ddeefd259 |
| SHA256 | 95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010 |
| SHA512 | 9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992 |
memory/1976-708-0x00000221DAF50000-0x00000221DAFC6000-memory.dmp
memory/1976-736-0x00000221DAFD0000-0x00000221DB020000-memory.dmp
memory/1976-827-0x00000221C2590000-0x00000221C25AE000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 9197d29c9cdd428de6779cc21470c149 |
| SHA1 | 396e39da26c195c6b0761395e1fe81efc44fc3d0 |
| SHA256 | 15cedd50c69bbf59e679e8c49a820c06465e15c024cfee6fdb9daacfc0755040 |
| SHA512 | 984f7866814b0fc051daf0c431b64511e5274999239ca3121ab02a5cf48b71de6d16c1d43f12714da869f28a8e6095abcb14931a95b17b3f646ec3d3280a5da4 |
C:\Users\Admin\AppData\Local\Temp\_MEI32802\python312.dll
| MD5 | d521654d889666a0bc753320f071ef60 |
| SHA1 | 5fd9b90c5d0527e53c199f94bad540c1e0985db6 |
| SHA256 | 21700f0bad5769a1b61ea408dc0a140ffd0a356a774c6eb0cc70e574b929d2e2 |
| SHA512 | 7a726835423a36de80fb29ef65dfe7150bd1567cac6f3569e24d9fe091496c807556d0150456429a3d1a6fd2ed0b8ae3128ea3b8674c97f42ce7c897719d2cd3 |
C:\Users\Admin\AppData\Local\Temp\_MEI32802\_ctypes.pyd
| MD5 | fb454c5e74582a805bc5e9f3da8edc7b |
| SHA1 | 782c3fa39393112275120eaf62fc6579c36b5cf8 |
| SHA256 | 74e0e8384f6c2503215f4cf64c92efe7257f1aec44f72d67ad37dc8ba2530bc1 |
| SHA512 | 727ada80098f07849102c76b484e9a61fb0f7da328c0276d82c6ee08213682c89deeb8459139a3fbd7f561bffaca91650a429e1b3a1ff8f341cebdf0bfa9b65d |
C:\Users\Admin\AppData\Local\Temp\_MEI32802\python3.DLL
| MD5 | a07661c5fad97379cf6d00332999d22c |
| SHA1 | dca65816a049b3cce5c4354c3819fef54c6299b0 |
| SHA256 | 5146005c36455e7ede4b8ecc0dc6f6fa8ea6b4a99fedbabc1994ae27dfab9d1b |
| SHA512 | 6ddeb9d89ccb4d2ec5d994d85a55e5e2cc7af745056dae030ab8d72ee7830f672003f4675b6040f123fc64c19e9b48cabd0da78101774dafacf74a88fbd74b4d |
C:\Users\Admin\AppData\Local\Temp\_MEI32802\base_library.zip
| MD5 | 55df3c98d18ec80bc37a6682ba0abcbb |
| SHA1 | e3bf60cfecfee2473d4e0b07057af3c27afa6567 |
| SHA256 | d8de678c0ac0cecb7be261bda75511c47e6a565f0c6260eacf240c7c5039753b |
| SHA512 | 26368c9187155ee83c450bfc792938a2908c473ba60330ce95bcc3f780390043879bbff3949bd4a25b38343eac3c5c9ba709267959109c9c99a229809c97f3bd |
C:\Users\Admin\AppData\Local\Temp\_MEI32802\VCRUNTIME140.dll
| MD5 | be8dbe2dc77ebe7f88f910c61aec691a |
| SHA1 | a19f08bb2b1c1de5bb61daf9f2304531321e0e40 |
| SHA256 | 4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83 |
| SHA512 | 0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655 |
C:\Users\Admin\AppData\Local\Temp\_MEI32802\libffi-8.dll
| MD5 | 0f8e4992ca92baaf54cc0b43aaccce21 |
| SHA1 | c7300975df267b1d6adcbac0ac93fd7b1ab49bd2 |
| SHA256 | eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a |
| SHA512 | 6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978 |
C:\Users\Admin\AppData\Local\Temp\_MEI32802\_bz2.pyd
| MD5 | 5bebc32957922fe20e927d5c4637f100 |
| SHA1 | a94ea93ee3c3d154f4f90b5c2fe072cc273376b3 |
| SHA256 | 3ed0e5058d370fb14aa5469d81f96c5685559c054917c7280dd4125f21d25f62 |
| SHA512 | afbe80a73ee9bd63d9ffa4628273019400a75f75454667440f43beb253091584bf9128cbb78ae7b659ce67a5faefdba726edb37987a4fe92f082d009d523d5d6 |
C:\Users\Admin\AppData\Local\Temp\_MEI32802\_tkinter.pyd
| MD5 | 276791cca50a8b8a334d3f4f9ff520e2 |
| SHA1 | c0d73f309ef98038594c6338c81606a9947bd7f8 |
| SHA256 | a1c74836bad3d9b0aaec8dccd92e552b5ad583bfea7ef21cd40713a265d94f7e |
| SHA512 | ef1ed2eacf86885531fc0963c84c1c99773d963d5a709030df6cfee5027604e1402a55b6fe26019a3ab922fd27895d0e2ef5572a50195372b1bfb1539eac0dd0 |
C:\Users\Admin\AppData\Local\Temp\_MEI32802\_ssl.pyd
| MD5 | c87c5890039c3bdb55a8bc189256315f |
| SHA1 | 84ef3c2678314b7f31246471b3300da65cb7e9de |
| SHA256 | a5d361707f7a2a2d726b20770e8a6fc25d753be30bcbcbbb683ffee7959557c2 |
| SHA512 | e750dc36ae00249ed6da1c9d816f1bd7f8bc84ddea326c0cd0410dbcfb1a945aac8c130665bfacdccd1ee2b7ac097c6ff241bfc6cc39017c9d1cde205f460c44 |
C:\Users\Admin\AppData\Local\Temp\_MEI32802\_sqlite3.pyd
| MD5 | c3a41d98c86cdf7101f8671d6cebefda |
| SHA1 | a06fce1ac0aab9f2fe6047642c90b1dd210fe837 |
| SHA256 | ee0e9b0a0af6a98d5e8ad5b9878688d2089f35978756196222b9d45f49168a9d |
| SHA512 | c088372afcfe4d014821b728e106234e556e00e5a6605f616745b93f345f9da3d8b3f69af20e94dbadfd19d3aa9991eb3c7466db5648ea452356af462203706c |
C:\Users\Admin\AppData\Local\Temp\_MEI32802\_socket.pyd
| MD5 | dd8ff2a3946b8e77264e3f0011d27704 |
| SHA1 | a2d84cfc4d6410b80eea4b25e8efc08498f78990 |
| SHA256 | b102522c23dac2332511eb3502466caf842d6bcd092fbc276b7b55e9cc01b085 |
| SHA512 | 958224a974a3449bcfb97faab70c0a5b594fa130adc0c83b4e15bdd7aab366b58d94a4a9016cb662329ea47558645acd0e0cc6df54f12a81ac13a6ec0c895cd8 |
C:\Users\Admin\AppData\Local\Temp\_MEI32802\_queue.pyd
| MD5 | b7e5fbd7ef3eefff8f502290c0e2b259 |
| SHA1 | 9decba47b1cdb0d511b58c3146d81644e56e3611 |
| SHA256 | dbdabb5fe0ccbc8b951a2c6ec033551836b072cab756aaa56b6f22730080d173 |
| SHA512 | b7568b9df191347d1a8d305bd8ddd27cbfa064121c785fa2e6afef89ec330b60cafc366be2b22409d15c9434f5e46e36c5cbfb10783523fdcac82c30360d36f7 |
C:\Users\Admin\AppData\Local\Temp\_MEI32802\_overlapped.pyd
| MD5 | 7e4553ca5c269e102eb205585cc3f6b4 |
| SHA1 | 73a60dbc7478877689c96c37107e66b574ba59c9 |
| SHA256 | d5f89859609371393d379b5ffd98e5b552078050e8b02a8e2900fa9b4ee8ff91 |
| SHA512 | 65b72bc603e633596d359089c260ee3d8093727c4781bff1ec0b81c8244af68f69ff3141424c5de12355c668ae3366b4385a0db7455486c536a13529c47b54ef |
C:\Users\Admin\AppData\Local\Temp\_MEI32802\_multiprocessing.pyd
| MD5 | 2bd43e8973882e32c9325ef81898ae62 |
| SHA1 | 1e47b0420a2a1c1d910897a96440f1aeef5fa383 |
| SHA256 | 3c34031b464e7881d8f9d182f7387a86b883581fd020280ec56c1e3ec6f4cc2d |
| SHA512 | 9d51bbd25c836f4f5d1fb9b42853476e13576126b8b521851948bdf08d53b8d4b4f66d2c8071843b01aa5631abdf13dc53c708dba195656a30f262dce30a88ca |
C:\Users\Admin\AppData\Local\Temp\_MEI32802\_hashlib.pyd
| MD5 | da02cefd8151ecb83f697e3bd5280775 |
| SHA1 | 1c5d0437eb7e87842fde55241a5f0ca7f0fc25e7 |
| SHA256 | fd77a5756a17ec0788989f73222b0e7334dd4494b8c8647b43fe554cf3cfb354 |
| SHA512 | a13bc5c481730f48808905f872d92cb8729cc52cfb4d5345153ce361e7d6586603a58b964a1ebfd77dd6222b074e5dcca176eaaefecc39f75496b1f8387a2283 |
C:\Users\Admin\AppData\Local\Temp\_MEI32802\_elementtree.pyd
| MD5 | f89c26a967569f393e8e958c9127d4d7 |
| SHA1 | ea09407004b2b279f9424c20ba555cfc8909f154 |
| SHA256 | 4869325e5cffbd13d3cc02dc78226478adfb51a802b52ff65b5adfacff3511f1 |
| SHA512 | eb2090ed5e00ea1a1b7b0c21f27bab45ec271dfb8e16c2df07be16df12ceaa1f8d0e0430b0ed65e4945e443aeb5248b42a6448decfc4157a39fa2c3dea20f5c2 |
C:\Users\Admin\AppData\Local\Temp\_MEI32802\_decimal.pyd
| MD5 | 492c0c36d8ed1b6ca2117869a09214da |
| SHA1 | b741cae3e2c9954e726890292fa35034509ef0f6 |
| SHA256 | b8221d1c9e2c892dd6227a6042d1e49200cd5cb82adbd998e4a77f4ee0e9abf1 |
| SHA512 | b8f1c64ad94db0252d96082e73a8632412d1d73fb8095541ee423df6f00bc417a2b42c76f15d7e014e27baae0ef50311c3f768b1560db005a522373f442e4be0 |
C:\Users\Admin\AppData\Local\Temp\_MEI32802\_cffi_backend.cp312-win_amd64.pyd
| MD5 | 0572b13646141d0b1a5718e35549577c |
| SHA1 | eeb40363c1f456c1c612d3c7e4923210eae4cdf7 |
| SHA256 | d8a76d1e31bbd62a482dea9115fc1a109cb39af4cf6d1323409175f3c93113a7 |
| SHA512 | 67c28432ca8b389acc26e47eb8c4977fddd4af9214819f89df07fecbc8ed750d5f35807a1b195508dd1d77e2a7a9d7265049dcfbfe7665a7fd1ba45da1e4e842 |
C:\Users\Admin\AppData\Local\Temp\_MEI32802\_asyncio.pyd
| MD5 | 477dba4d6e059ea3d61fad7b6a7da10e |
| SHA1 | 1f23549e60016eeed508a30479886331b22f7a8b |
| SHA256 | 5bebeb765ab9ef045bc5515166360d6f53890d3ad6fc360c20222d61841410b6 |
| SHA512 | 8119362c2793a4c5da25a63ca68aa3b144db7e4c08c80cbe8c8e7e8a875f1bd0c30e497208ce20961ddb38d3363d164b6e1651d3e030ed7b8ee5f386faf809d2 |
C:\Users\Admin\AppData\Local\Temp\_MEI32802\zlib1.dll
| MD5 | 5eac41b641e813f2a887c25e7c87a02e |
| SHA1 | ec3f6cf88711ef8cfb3cc439cb75471a2bb9e1b5 |
| SHA256 | b1f58a17f3bfd55523e7bef685acf5b32d1c2a6f25abdcd442681266fd26ab08 |
| SHA512 | cad34a495f1d67c4d79ed88c5c52cf9f2d724a1748ee92518b8ece4e8f2fe1d443dfe93fb9dba8959c0e44c7973af41eb1471507ab8a5b1200a25d75287d5de5 |
C:\Users\Admin\AppData\Local\Temp\_MEI32802\VCRUNTIME140_1.dll
| MD5 | f8dfa78045620cf8a732e67d1b1eb53d |
| SHA1 | ff9a604d8c99405bfdbbf4295825d3fcbc792704 |
| SHA256 | a113f192195f245f17389e6ecbed8005990bcb2476ddad33f7c4c6c86327afe5 |
| SHA512 | ba7f8b7ab0deb7a7113124c28092b543e216ca08d1cf158d9f40a326fb69f4a2511a41a59ea8482a10c9ec4ec8ac69b70dfe9ca65e525097d93b819d498da371 |
C:\Users\Admin\AppData\Local\Temp\_MEI32802\unicodedata.pyd
| MD5 | cc8142bedafdfaa50b26c6d07755c7a6 |
| SHA1 | 0fcab5816eaf7b138f22c29c6d5b5f59551b39fe |
| SHA256 | bc2cf23b7b7491edcf03103b78dbaf42afd84a60ea71e764af9a1ddd0fe84268 |
| SHA512 | c3b0c1dbe5bf159ab7706f314a75a856a08ebb889f53fe22ab3ec92b35b5e211edab3934df3da64ebea76f38eb9bfc9504db8d7546a36bc3cabe40c5599a9cbd |
C:\Users\Admin\AppData\Local\Temp\_MEI32802\tk86t.dll
| MD5 | 4cdd92e60eb291053d2ad12bf0710749 |
| SHA1 | 31424e8d35459ba43672f05abba1e37c23f74536 |
| SHA256 | b30576b60aee548838243601952a05b70a9fc937f5a607f6b1413cd5ed04d900 |
| SHA512 | 80c3bb58817578708e14ba173bfbe8f62fb54efa22feb8ff08b9eefa4462b74062654f956f965c7caa8aa16295229b58ef9eea8d2c4c94652bde1e61038e6ffe |
C:\Users\Admin\AppData\Local\Temp\_MEI32802\tcl86t.dll
| MD5 | 108d97000657e7b1b95626350784ed23 |
| SHA1 | 3814e6e5356b26e6e538f2c1803418eb83941e30 |
| SHA256 | 3d2769e69d611314d517fc9aad688a529670af94a7589f728107180ae105218f |
| SHA512 | 9475cd1c8fe2e769ed0e8469d1f19cdf808f930cccc3baf581888a705f195c9be02652168d9c1c25ba850502f94e7eb87687c2c75f0f699c38309bc92b9004a0 |
C:\Users\Admin\AppData\Local\Temp\_MEI32802\sqlite3.dll
| MD5 | e52f6b9bd5455d6f4874f12065a7bc39 |
| SHA1 | 8a3cb731e9c57fd8066d6dad6b846a5f857d93c8 |
| SHA256 | 7ef475d27f9634f6a75e88959e003318d7eb214333d25bdf9be1270fa0308c82 |
| SHA512 | 764bfb9ead13361be7583448b78f239964532fd589e8a2ad83857192bf500f507260b049e1eb7522dedadc81ac3dfc76a90ddeb0440557844abed6206022da96 |
C:\Users\Admin\AppData\Local\Temp\_MEI32802\select.pyd
| MD5 | d0cc9fc9a0650ba00bd206720223493b |
| SHA1 | 295bc204e489572b74cc11801ed8590f808e1618 |
| SHA256 | 411d6f538bdbaf60f1a1798fa8aa7ed3a4e8fcc99c9f9f10d21270d2f3742019 |
| SHA512 | d3ebcb91d1b8aa247d50c2c4b2ba1bf3102317c593cbf6c63883e8bf9d6e50c0a40f149654797abc5b4f17aee282ddd972a8cd9189bfcd5b9cec5ab9c341e20b |
C:\Users\Admin\AppData\Local\Temp\_MEI32802\SDL2_ttf.dll
| MD5 | f187dfdccc102436e27704dc572a2c16 |
| SHA1 | be4d499e66b8c4eb92480e4f520ccd8eaaa39b04 |
| SHA256 | fcdfabdfce868eb33f7514025ff59c1bb6c418f1bcd6ace2300a9cd4053e1d63 |
| SHA512 | 75002d96153dfd2bfdd6291f842fb553695ef3997012dae0b9a537c95c3f3a83b844a8d1162faefcddf9e1807f3db23b1a10c2789c95dd5f6fad2286bae91afb |
C:\Users\Admin\AppData\Local\Temp\_MEI32802\SDL2_mixer.dll
| MD5 | 201aa86dc9349396b83eed4c15abe764 |
| SHA1 | 1a239c479e275aa7be93c5372b2d35e98d8d8cec |
| SHA256 | 2a0fc5e9f72c2eaec3240cb82b7594a58ccda609485981f256b94d0a4dd8d6f8 |
| SHA512 | bb2cd185d1d936ceca3cc20372c98a1b1542288ad5523ff8b823fb5e842205656ec2f615f076929c69987c7468245a452238b509d37109c9bec26be5f638f3b7 |
C:\Users\Admin\AppData\Local\Temp\_MEI32802\SDL2_image.dll
| MD5 | b8d249a5e394b4e6a954c557af1b80e6 |
| SHA1 | b03bb9d09447114a018110bfb91d56ef8d5ec3bb |
| SHA256 | 1e364af75fee0c83506fbdfd4d5b0e386c4e9c6a33ddbddac61ddb131e360194 |
| SHA512 | 2f2e248c3963711f1a9f5d8baea5b8527d1df1748cd7e33bf898a380ae748f7a65629438711ff9a5343e64762ec0b5dc478cdf19fbf7111dac9d11a8427e0007 |
C:\Users\Admin\AppData\Local\Temp\_MEI32802\SDL2.dll
| MD5 | 83c5ff24eae3b9038d74ad91dc884e32 |
| SHA1 | 81bf9f8109d73604768bf5310f1f70af62b72e43 |
| SHA256 | 520d0459b91efa32fbccf9027a9ca1fc5aae657e679ce8e90f179f9cf5afd279 |
| SHA512 | 38ff01891ad5093d0e4f222c5ab703a540514271bf3b94fb65f910193262af722adb9d4f4d2bd6a54c090a7d631d8c98497b7d78bd21359fdea756ff3ac63689 |
C:\Users\Admin\AppData\Local\Temp\_MEI32802\pyexpat.pyd
| MD5 | 958231414cc697b3c59a491cc79404a7 |
| SHA1 | 3dec86b90543ea439e145d7426a91a7aca1eaab6 |
| SHA256 | efd6099b1a6efdadd988d08dce0d8a34bd838106238250bccd201dc7dcd9387f |
| SHA512 | fd29d0aab59485340b68dc4552b9e059ffb705d4a64ff9963e1ee8a69d9d96593848d07be70528d1beb02bbbbd69793ee3ea764e43b33879f5c304d8a912c3be |
C:\Users\Admin\AppData\Local\Temp\_MEI32802\portmidi.dll
| MD5 | df538704b8cd0b40096f009fd5d1b767 |
| SHA1 | d2399fbb69d237d43624e987445694ec7e0b8615 |
| SHA256 | c9f8d9043ac1570b10f104f2d00aec791f56261c84ee40773be73d0a3822e013 |
| SHA512 | 408de3e99bc1bfb5b10e58ae621c0f9276530913ff26256135fe44ce78016de274cbe4c3e967457eb71870aad34dfeb362058afcebfa2d9e64f05604ab1517d4 |
C:\Users\Admin\AppData\Local\Temp\_MEI32802\libwebp-7.dll
| MD5 | 2c5aca898ff88eb2c9028bbeefebbd1e |
| SHA1 | 7a0048674ef614bebe6cc83b1228d670372076c9 |
| SHA256 | 9a53563b6058f70f2725029b7dd2fe96f869c20e8090031cd303e994dfe07b50 |
| SHA512 | 46fe8b151e3a13ab506c4fc8a9f3f0f47b21f64f37097a4f1f573b547443ed23e7b2f489807c1623fbc41015f7da11665d88690d8cd0ddd61aa53789586c5a13 |
C:\Users\Admin\AppData\Local\Temp\_MEI32802\libtiff-5.dll
| MD5 | 7d40a697ca6f21a8f09468b9fce565ad |
| SHA1 | dc3b7f7fc0d9056af370e06f1451a65e77ff07f7 |
| SHA256 | ebfe97ac5ef26b94945af3db5ffd110a4b8e92dc02559bf81ccb33f0d5ebce95 |
| SHA512 | 5a195e3123f7f17d92b7eca46b9afa1ea600623ad6929ac29197447bb4d474a068fd5f61fca6731a60514125d3b0b2cafe1ff6be3a0161251a366355b660d61a |
C:\Users\Admin\AppData\Local\Temp\_MEI32802\libssl-3.dll
| MD5 | 19a2aba25456181d5fb572d88ac0e73e |
| SHA1 | 656ca8cdfc9c3a6379536e2027e93408851483db |
| SHA256 | 2e9fbcd8f7fdc13a5179533239811456554f2b3aa2fb10e1b17be0df81c79006 |
| SHA512 | df17dc8a882363a6c5a1b78ba3cf448437d1118ccc4a6275cc7681551b13c1a4e0f94e30ffb94c3530b688b62bff1c03e57c2c185a7df2bf3e5737a06e114337 |
C:\Users\Admin\AppData\Local\Temp\_MEI32802\libpng16-16.dll
| MD5 | 3a26cd3f92436747d2285dcef1fae67f |
| SHA1 | e3d1403be06beb32fc8dc7e8a58c31e18b586a70 |
| SHA256 | e688b4a4d18f4b6ccc99c6ca4980f51218cb825610775192d9b60b2f05eff2d5 |
| SHA512 | 73d651f063246723807d837811ead30e3faca8cb0581603f264c28fea1b2bdb6d874a73c1288c7770e95463786d6945b065d4ca1cf553e08220aea4e78a6f37f |
C:\Users\Admin\AppData\Local\Temp\_MEI32802\libopusfile-0.dll
| MD5 | 245498839af5a75cd034190fe805d478 |
| SHA1 | d164c38fd9690b8649afaef7c048f4aabb51dba8 |
| SHA256 | ccaaca81810bd2d1cab4692b4253a639f8d5516996db0e24d881efd3efdcc6a4 |
| SHA512 | 4181dea590cbc7a9e06729b79201aa29e8349408cb922de8d4cda555fc099b3e10fee4f5a9ddf1a22eaec8f5ede12f9d6e37ed7ad0486beb12b7330cca51a79e |
C:\Users\Admin\AppData\Local\Temp\_MEI32802\libopus-0.x64.dll
| MD5 | 0e078e75ab375a38f99245b3fefa384a |
| SHA1 | b4c2fda3d4d72c3e3294beb8aa164887637ca22a |
| SHA256 | c84da836e8d92421ac305842cfe5a724898ed09d340d46b129e210bdc9448131 |
| SHA512 | fa838dab0a8a07ee7c370dd617073a5f795838c3518a6f79ee17d5ebc48b78cebd680e9c8cbe54f912ceb0ae6112147fb40182bcfdcc194b73aa6bab21427bfd |
C:\Users\Admin\AppData\Local\Temp\_MEI32802\libopus-0.dll
| MD5 | e1adac219ec78b7b2ac9999d8c2e1c94 |
| SHA1 | 6910ec9351bee5c355587e42bbb2d75a65ffc0cf |
| SHA256 | 771cae79410f7fcc4f993a105a18c4ed9e8cbddd6f807a42228d95f575808806 |
| SHA512 | da1912243491227168e23fb92def056b229f9f1d8c35ae122e1a0474b0be84ceb7167b138f2ee5fffd812b80c6aca719250aca6b25931585e224e27384f4cc67 |
C:\Users\Admin\AppData\Local\Temp\_MEI32802\libogg-0.dll
| MD5 | 307ef797fc1af567101afba8f6ce6a8c |
| SHA1 | 0023f520f874a0c3eb3dc1fe8df73e71bde5f228 |
| SHA256 | 57abc4f6a9accdd08bf9a2b022a66640cc626a5bd4dac6c7c4f06a5df61ee1fe |
| SHA512 | 5b0b6049844c6fef0cd2b6b1267130bb6e4c17b26afc898cfc17499ef05e79096cd705007a74578f11a218786119be37289290c5c47541090d7b9dea2908688e |
C:\Users\Admin\AppData\Local\Temp\_MEI32802\libmodplug-1.dll
| MD5 | ead020db018b03e63a64ebff14c77909 |
| SHA1 | 89bb59ae2b3b8ec56416440642076ae7b977080e |
| SHA256 | 0c1a9032812ec4c20003a997423e67b71ecb5e59d62cdc18a5bf591176a9010e |
| SHA512 | c4742d657e5598c606ceff29c0abb19c588ba7976a7c4bff1df80a3109fe7df25e7d0dace962ec3962a94d2715a4848f2acc997a0552bf8d893ff6e7a78857e5 |
C:\Users\Admin\AppData\Local\Temp\_MEI32802\libjpeg-9.dll
| MD5 | c540308d4a8e6289c40753fdd3e1c960 |
| SHA1 | 1b84170212ca51970f794c967465ca7e84000d0e |
| SHA256 | 3a224af540c96574800f5e9acf64b2cdfb9060e727919ec14fbd187a9b5bfe69 |
| SHA512 | 1dadc6b92de9af998f83faf216d2ab6483b2dea7cdea3387ac846e924adbf624f36f8093daf5cee6010fea7f3556a5e2fcac494dbc87b5a55ce564c9cd76f92b |
C:\Users\Admin\AppData\Local\Temp\_MEI32802\libcrypto-3.dll
| MD5 | e547cf6d296a88f5b1c352c116df7c0c |
| SHA1 | cafa14e0367f7c13ad140fd556f10f320a039783 |
| SHA256 | 05fe080eab7fc535c51e10c1bd76a2f3e6217f9c91a25034774588881c3f99de |
| SHA512 | 9f42edf04c7af350a00fa4fdf92b8e2e6f47ab9d2d41491985b20cd0adde4f694253399f6a88f4bdd765c4f49792f25fb01e84ec03fd5d0be8bb61773d77d74d |
C:\Users\Admin\AppData\Local\Temp\_MEI32802\freetype.dll
| MD5 | 236f879a5dd26dc7c118d43396444b1c |
| SHA1 | 5ed3e4e084471cf8600fb5e8c54e11a254914278 |
| SHA256 | 1c487392d6d06970ba3c7b52705881f1fb069f607243499276c2f0c033c7df6f |
| SHA512 | cc9326bf1ae8bf574a4715158eba889d7f0d5e3818e6f57395740a4b593567204d6eef95b6e99d2717128c3bffa34a8031c213ff3f2a05741e1eaf3ca07f2254 |
C:\Users\Admin\AppData\Local\Temp\_MEI32802\_lzma.pyd
| MD5 | 195defe58a7549117e06a57029079702 |
| SHA1 | 3795b02803ca37f399d8883d30c0aa38ad77b5f2 |
| SHA256 | 7bf9ff61babebd90c499a8ed9b62141f947f90d87e0bbd41a12e99d20e06954a |
| SHA512 | c47a9b1066dd9744c51ed80215bd9645aab6cc9d6a3f9df99f618e3dd784f6c7ce6f53eabe222cf134ee649250834193d5973e6e88f8a93151886537c62e2e2b |
memory/1976-1415-0x00000221DAE10000-0x00000221DAE22000-memory.dmp
memory/1976-1414-0x00000221C25C0000-0x00000221C25CA000-memory.dmp
memory/4956-3786-0x00000268D0E80000-0x00000268D0EAA000-memory.dmp
memory/4956-3787-0x00000268D0E80000-0x00000268D0EA4000-memory.dmp
memory/3832-3789-0x00007FFCE5990000-0x00007FFCE6451000-memory.dmp
memory/4960-3791-0x0000026A8C110000-0x0000026A8C111000-memory.dmp
memory/4960-3792-0x0000026A8C110000-0x0000026A8C111000-memory.dmp
memory/4960-3790-0x0000026A8C110000-0x0000026A8C111000-memory.dmp
memory/4960-3797-0x0000026A8C110000-0x0000026A8C111000-memory.dmp
memory/4960-3802-0x0000026A8C110000-0x0000026A8C111000-memory.dmp
memory/4960-3801-0x0000026A8C110000-0x0000026A8C111000-memory.dmp
memory/4960-3800-0x0000026A8C110000-0x0000026A8C111000-memory.dmp
memory/4960-3799-0x0000026A8C110000-0x0000026A8C111000-memory.dmp
memory/4960-3798-0x0000026A8C110000-0x0000026A8C111000-memory.dmp
memory/4960-3796-0x0000026A8C110000-0x0000026A8C111000-memory.dmp
memory/3832-3803-0x00007FFCE5990000-0x00007FFCE6451000-memory.dmp