Malware Analysis Report

2024-11-15 07:42

Sample ID 240803-hm885swcrp
Target source_prepared.exe
SHA256 14238e258942fb69b9f3e793c5c0e17069035ef2c7b6a8ee7567f2cacd292d90
Tags
pyinstaller pysilon discovery execution upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

14238e258942fb69b9f3e793c5c0e17069035ef2c7b6a8ee7567f2cacd292d90

Threat Level: Known bad

The file source_prepared.exe was found to be: Known bad.

Malicious Activity Summary

pyinstaller pysilon discovery execution upx

Detect Pysilon

Pysilon family

Enumerates VirtualBox DLL files

Command and Scripting Interpreter: PowerShell

UPX packed file

Loads dropped DLL

Legitimate hosting services abused for malware hosting/C2

Detects Pyinstaller

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Modifies Internet Explorer settings

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Modifies Internet Explorer Phishing Filter

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-03 06:52

Signatures

Detect Pysilon

Description Indicator Process Target
N/A N/A N/A N/A

Pysilon family

pysilon

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-03 06:52

Reported

2024-08-03 06:56

Platform

win10-20240404-en

Max time kernel

195s

Max time network

197s

Command Line

"C:\Users\Admin\AppData\Local\Temp\source_prepared.exe"

Signatures

Enumerates VirtualBox DLL files

Description Indicator Process Target
File opened (read-only) C:\windows\system32\vboxmrxnp.dll C:\Users\Admin\AppData\Local\Temp\source_prepared.exe N/A
File opened (read-only) C:\windows\system32\vboxhook.dll C:\Users\Admin\AppData\Local\Temp\source_prepared.exe N/A
File opened (read-only) C:\windows\system32\vboxmrxnp.dll C:\Users\Admin\AppData\Local\Temp\source_prepared.exe N/A
File opened (read-only) C:\windows\system32\vboxhook.dll C:\Users\Admin\AppData\Local\Temp\source_prepared.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\source_prepared.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\source_prepared.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\source_prepared.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\source_prepared.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\source_prepared.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\source_prepared.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\source_prepared.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\source_prepared.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\source_prepared.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\source_prepared.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\source_prepared.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\source_prepared.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\source_prepared.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\source_prepared.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\source_prepared.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\source_prepared.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\source_prepared.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\source_prepared.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\source_prepared.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\source_prepared.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\source_prepared.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\source_prepared.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\source_prepared.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\source_prepared.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\source_prepared.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\source_prepared.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\source_prepared.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\source_prepared.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\source_prepared.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\source_prepared.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\source_prepared.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\source_prepared.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\source_prepared.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\source_prepared.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\source_prepared.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\source_prepared.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\source_prepared.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\source_prepared.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\source_prepared.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\source_prepared.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\source_prepared.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\source_prepared.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\source_prepared.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\source_prepared.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\source_prepared.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\source_prepared.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\source_prepared.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\source_prepared.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\source_prepared.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\source_prepared.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\source_prepared.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\source_prepared.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\source_prepared.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\source_prepared.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\source_prepared.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\source_prepared.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\source_prepared.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\source_prepared.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\source_prepared.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\source_prepared.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\source_prepared.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\source_prepared.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\source_prepared.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\source_prepared.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer Phishing Filter

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\PhishingFilter C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 8a355b70c486da01 C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\MINIE C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\Main\DownloadWindowPlacement = 2c0000000000000000000000ffffffffffffffffffffffffffffffff100100003c000000900300001c020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4C2E2CA1-5165-11EF-ABE2-6AD6A3DEF400} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\source_prepared.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\source_prepared.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\source_prepared.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\source_prepared.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\source_prepared.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\source_prepared.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\source_prepared.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\source_prepared.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\source_prepared.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\source_prepared.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\source_prepared.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\source_prepared.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\source_prepared.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: 35 N/A C:\Windows\system32\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\source_prepared.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\source_prepared.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\source_prepared.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1240 wrote to memory of 4540 N/A C:\Users\Admin\AppData\Local\Temp\source_prepared.exe C:\Users\Admin\AppData\Local\Temp\source_prepared.exe
PID 1240 wrote to memory of 4540 N/A C:\Users\Admin\AppData\Local\Temp\source_prepared.exe C:\Users\Admin\AppData\Local\Temp\source_prepared.exe
PID 4540 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\source_prepared.exe C:\Windows\system32\cmd.exe
PID 4540 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\source_prepared.exe C:\Windows\system32\cmd.exe
PID 4540 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\source_prepared.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4540 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\source_prepared.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5036 wrote to memory of 4756 N/A C:\Users\Admin\AppData\Local\Temp\source_prepared.exe C:\Users\Admin\AppData\Local\Temp\source_prepared.exe
PID 5036 wrote to memory of 4756 N/A C:\Users\Admin\AppData\Local\Temp\source_prepared.exe C:\Users\Admin\AppData\Local\Temp\source_prepared.exe
PID 1480 wrote to memory of 4984 N/A C:\Windows\system32\OpenWith.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1480 wrote to memory of 4984 N/A C:\Windows\system32\OpenWith.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4984 wrote to memory of 2020 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4984 wrote to memory of 2020 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4984 wrote to memory of 2020 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2452 wrote to memory of 4156 N/A C:\Users\Admin\AppData\Local\Temp\source_prepared.exe C:\Users\Admin\AppData\Local\Temp\source_prepared.exe
PID 2452 wrote to memory of 4156 N/A C:\Users\Admin\AppData\Local\Temp\source_prepared.exe C:\Users\Admin\AppData\Local\Temp\source_prepared.exe
PID 4156 wrote to memory of 3212 N/A C:\Users\Admin\AppData\Local\Temp\source_prepared.exe C:\Windows\system32\cmd.exe
PID 4156 wrote to memory of 3212 N/A C:\Users\Admin\AppData\Local\Temp\source_prepared.exe C:\Windows\system32\cmd.exe
PID 4156 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\source_prepared.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4156 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\source_prepared.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\source_prepared.exe

"C:\Users\Admin\AppData\Local\Temp\source_prepared.exe"

C:\Users\Admin\AppData\Local\Temp\source_prepared.exe

"C:\Users\Admin\AppData\Local\Temp\source_prepared.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "ver"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Add-MpPreference -ExclusionPath \"C:\Users\Admin\System32nigga\""

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\AppData\Local\Temp\source_prepared.exe

"C:\Users\Admin\AppData\Local\Temp\source_prepared.exe"

C:\Users\Admin\AppData\Local\Temp\source_prepared.exe

"C:\Users\Admin\AppData\Local\Temp\source_prepared.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "ver"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Add-MpPreference -ExclusionPath \"C:\Users\Admin\System32nigga\""

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k SDRSVC

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\source_prepared

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4984 CREDAT:82945 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\source_prepared.exe

"C:\Users\Admin\AppData\Local\Temp\source_prepared.exe"

C:\Users\Admin\AppData\Local\Temp\source_prepared.exe

"C:\Users\Admin\AppData\Local\Temp\source_prepared.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "ver"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Add-MpPreference -ExclusionPath \"C:\Users\Admin\System32nigga\""

Network

Country Destination Domain Proto
US 8.8.8.8:53 discord.com udp
US 162.159.135.232:443 discord.com tcp
US 162.159.137.232:443 discord.com tcp
US 162.159.136.232:443 discord.com tcp
US 162.159.128.233:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp
N/A 127.0.0.1:51184 tcp
US 8.8.8.8:53 232.135.159.162.in-addr.arpa udp
US 8.8.8.8:53 232.137.159.162.in-addr.arpa udp
US 8.8.8.8:53 232.136.159.162.in-addr.arpa udp
US 8.8.8.8:53 233.128.159.162.in-addr.arpa udp
US 8.8.8.8:53 232.138.159.162.in-addr.arpa udp
N/A 127.0.0.1:52739 tcp
US 162.159.135.232:443 discord.com tcp
US 162.159.137.232:443 discord.com tcp
US 162.159.136.232:443 discord.com tcp
US 162.159.128.233:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 3.173.189.20.in-addr.arpa udp
N/A 127.0.0.1:54601 tcp
US 162.159.135.232:443 discord.com tcp
US 162.159.137.232:443 discord.com tcp
US 162.159.136.232:443 discord.com tcp
US 162.159.128.233:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp
US 8.8.8.8:53 99.58.20.217.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI12402\python310.dll

MD5 b93eda8cc111a5bde906505224b717c3
SHA1 5f1ae1ab1a3c4c023ea8138d4b09cbc1cd8e8f9e
SHA256 efa27cd726dbf3bf2448476a993dc0d5ffb0264032bf83a72295ab3fc5bcd983
SHA512 b20195930967b4dc9f60c15d9ceae4d577b00095f07bd93aa4f292b94a2e5601d605659e95d5168c1c2d85dc87a54d27775f8f20ebcacf56904e4aa30f1affba

C:\Users\Admin\AppData\Local\Temp\_MEI12402\VCRUNTIME140.dll

MD5 f34eb034aa4a9735218686590cba2e8b
SHA1 2bc20acdcb201676b77a66fa7ec6b53fa2644713
SHA256 9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1
SHA512 d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af

memory/4540-1151-0x00007FFF49E20000-0x00007FFF4A285000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI12402\base_library.zip

MD5 ee5e8289c2812cf3480909a981dad93c
SHA1 2453fc7b0ebd9bf127da65398a37be0b3e78febd
SHA256 97841306af616f940c6a79c18510549d05a4f0583939918c9386d0c219bc73ec
SHA512 fa39ca5a13dd11c0fb46dcef5972eb741746e430d7d073c9d9820823c0b3cdd656be58919a584e50b5e15a486631a33e1480b27bd002e75b0af315ba336873b7

C:\Users\Admin\AppData\Local\Temp\_MEI12402\_ctypes.pyd

MD5 5c0bda19c6bc2d6d8081b16b2834134e
SHA1 41370acd9cc21165dd1d4aa064588d597a84ebbe
SHA256 5e7192c18ad73daa71efade0149fbcaf734c280a6ee346525ea5d9729036194e
SHA512 b1b45fcbb1e39cb6ba7ac5f6828ee9c54767eabeedca35a79e7ba49fd17ad20588964f28d06a2dcf8b0446e90f1db41d3fca97d1a9612f6cc5eb816bd9dcdf8a

C:\Users\Admin\AppData\Local\Temp\_MEI12402\python3.DLL

MD5 704d647d6921dbd71d27692c5a92a5fa
SHA1 6f0552ce789dc512f183b565d9f6bf6bf86c229d
SHA256 a1c5c6e4873aa53d75b35c512c1cbadf39315deeec21a3ada72b324551f1f769
SHA512 6b340d64c808388fe95e6d632027715fb5bd801f013debaaa97e5ecb27a6f6ace49bf23648517dd10734daff8f4f44969cff2276010bf7502e79417736a44ec4

\Users\Admin\AppData\Local\Temp\_MEI12402\libffi-7.dll

MD5 6f818913fafe8e4df7fedc46131f201f
SHA1 bbb7ba3edbd4783f7f973d97b0b568cc69cadac5
SHA256 3f94ee4f23f6c7702ab0cc12995a6457bf22183fa828c30cc12288adf153ae56
SHA512 5473fe57dc40af44edb4f8a7efd68c512784649d51b2045d570c7e49399990285b59cfa6bcd25ef1316e0a073ea2a89fe46be3bfc33f05e3333037a1fd3a6639

memory/4540-1160-0x00007FFF4AC10000-0x00007FFF4AC34000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI12402\_bz2.pyd

MD5 c24b301f99a05305ac06c35f7f50307f
SHA1 0cee6de0ea38a4c8c02bf92644db17e8faa7093b
SHA256 c665f60b1663544facf9a026f5a87c8445558d7794baff56e42e65671d5adc24
SHA512 936d16fea3569a32a9941d58263e951623f4927a853c01ee187364df95cd246b3826e7b8423ac3c265965ee8e491275e908ac9e2d63f3abc5f721add8e20f699

memory/4540-1161-0x00007FFF4D1A0000-0x00007FFF4D1AF000-memory.dmp

\Users\Admin\AppData\Local\Temp\_MEI12402\_lzma.pyd

MD5 215acc93e63fb03742911f785f8de71a
SHA1 d4e3b46db5d4fcdd4f6b6874b060b32a4b676bf9
SHA256 ffdbe11c55010d33867317c0dc2d1bd69f8c07bda0ea0d3841b54d4a04328f63
SHA512 9223a33e8235c566d280a169f52c819a83c3e6fa1f4b8127dde6d4a1b7e940df824ccaf8c0000eac089091fde6ae89f0322fe62e47328f07ea92c7705ace4a72

C:\Users\Admin\AppData\Local\Temp\_MEI12402\_uuid.pyd

MD5 4278a4ffd749329d90715971ba8cd272
SHA1 4ece149819dad6a8094b8b6f05805807dda91111
SHA256 06c0860bee75ea5da42179941f098fcfbcce73623c4b4cc03ae66d55ee8bc585
SHA512 4fcb7468c12ff41c25944531bf3d933a59805be59e50d477ff838e8ecc067c54535f8754eaadd108c37f251a1b4d4bf1c88448e187c97d5438ed9f4221ab6ecf

\Users\Admin\AppData\Local\Temp\_MEI12402\_hashlib.pyd

MD5 8ba5202e2f3fb1274747aa2ae7c3f7bf
SHA1 8d7dba77a6413338ef84f0c4ddf929b727342c16
SHA256 0541a0028619ab827f961a994667f9a8f1a48c8b315f071242a69d1bd6aeab8b
SHA512 d19322a1aba0da1aa68e24315cdbb10d63a5e3021b364b14974407dc3d25cd23df4ff1875b12339fd4613e0f3da9e5a78f1a0e54ffd8360ed764af20c3ecbb49

C:\Users\Admin\AppData\Local\Temp\_MEI12402\_tkinter.pyd

MD5 93b89f787beb8638af87b1e69be1f674
SHA1 62efa23821f7f5ade3e520f5511792660d847220
SHA256 511aee4b7abe580cb69d43d9b08c51d46191c9cd696a608aed78f4c85fbfa576
SHA512 b0a57a509e85905ee10001d21a07905a7ac65a98ac66554932ce335eda7478599e822a6368191be411c7aa0d18a73b4ab4a741d073a95618d660e969fa7f36a3

\Users\Admin\AppData\Local\Temp\_MEI12402\libcrypto-1_1.dll

MD5 3cc020baceac3b73366002445731705a
SHA1 6d332ab68dca5c4094ed2ee3c91f8503d9522ac1
SHA256 d1aa265861d23a9b76f16906940d30f3a65c5d0597107ecb3d2e6d470b401bb8
SHA512 1d9b46d0331ed5b95dda8734abe3c0bd6f7fb1ec9a3269feab618d661a1644a0dc3bf8ac91778d5e45406d185965898fe87abd3261a6f7f2968c43515a48562c

\Users\Admin\AppData\Local\Temp\_MEI12402\_socket.pyd

MD5 1f7e5e111207bc4439799ebf115e09ed
SHA1 e8b643f19135c121e77774ef064c14a3a529dca3
SHA256 179ebbe9fd241f89df31d881d9f76358d82cedee1a8fb40215c630f94eb37c04
SHA512 7f8a767b3e17920acfaafd4a7ed19b22862d8df5bdf4b50e0d53dfbf32e9f2a08f5cde97acecb8abf8f10fbbedb46c1d3a0b9eb168d11766246afe9e23ada6fd

\Users\Admin\AppData\Local\Temp\_MEI12402\libssl-1_1.dll

MD5 7f77a090cb42609f2efc55ddc1ee8fd5
SHA1 ef5a128605654350a5bd17232120253194ad4c71
SHA256 47b63a9370289d2544abc5a479bfb27d707ae7db4f3f7b6cc1a8c8f57fd0cf1f
SHA512 a8a06a1303e76c76d1f06b689e163ba80c1a8137adac80fab0d5c1c6072a69d506e0360d8b44315ef1d88cbd0c9ac95c94d001fad5bc40727f1070734bbbbe63

C:\Users\Admin\AppData\Local\Temp\_MEI12402\charset_normalizer\md.cp310-win_amd64.pyd

MD5 6cb45ddd63c231afb8d090e6df919bf8
SHA1 88ff70c0704368a35c683c3b460a363f2a840b83
SHA256 7d5f6a03c33226f046a96988ba83bc03d29a776f32dd81dbeb895614cef76ed3
SHA512 91216757972ccbe2e93e647c64fbaf8e2d29546410a22064779257a5fcddff866194ed0ddcf7b15dacedd2e251caca6ead12c00c0254c26352717164294b8e04

\Users\Admin\AppData\Local\Temp\_MEI12402\charset_normalizer\md__mypyc.cp310-win_amd64.pyd

MD5 a2bb62fff3d5458ae670a5f4d03f9116
SHA1 878c92142856719d64ec07f38d4a342d4f7cfd3f
SHA256 c841e4aa267be53a08ae2b989dabbd5f043661548c34a9916a06cd836a744319
SHA512 afd0dd3c87015a0a774b3240694c9f4cb4ef50f780679ed1654ecacc930e57871f2672b3d19e5b2ea1e07ff6ec7a21a76262dfbaf6371d731508bd0c1ff3b674

C:\Users\Admin\AppData\Local\Temp\_MEI12402\libogg-0.dll

MD5 0d65168162287df89af79bb9be79f65b
SHA1 3e5af700b8c3e1a558105284ecd21b73b765a6dc
SHA256 2ec2322aec756b795c2e614dab467ef02c3d67d527ad117f905b3ab0968ccf24
SHA512 69af81fd2293c31f456b3c78588bb6a372fe4a449244d74bfe5bfaa3134a0709a685725fa05055cfd261c51a96df4b7ebd8b9e143f0e9312c374e54392f8a2c2

memory/4540-1216-0x00007FFF4A810000-0x00007FFF4A825000-memory.dmp

memory/4540-1226-0x00007FFF4A670000-0x00007FFF4A6A8000-memory.dmp

memory/4540-1227-0x00007FFF49CF0000-0x00007FFF49CFB000-memory.dmp

memory/4540-1225-0x00007FFF49D00000-0x00007FFF49E18000-memory.dmp

memory/4540-1224-0x00007FFF4A6B0000-0x00007FFF4A6D6000-memory.dmp

memory/4540-1223-0x00007FFF4A6E0000-0x00007FFF4A6EB000-memory.dmp

memory/4540-1222-0x00007FFF4A6F0000-0x00007FFF4A6FD000-memory.dmp

memory/4540-1221-0x00007FFF4A700000-0x00007FFF4A7B7000-memory.dmp

memory/4540-1220-0x00007FFF4A7C0000-0x00007FFF4A7EE000-memory.dmp

memory/4540-1219-0x00007FFF4AB10000-0x00007FFF4AB1D000-memory.dmp

memory/4540-1247-0x00007FFF48450000-0x00007FFF48472000-memory.dmp

memory/4540-1246-0x00007FFF48480000-0x00007FFF48494000-memory.dmp

memory/4540-1245-0x00007FFF484A0000-0x00007FFF484B0000-memory.dmp

memory/4540-1244-0x00007FFF484B0000-0x00007FFF484C4000-memory.dmp

memory/4540-1243-0x00007FFF484D0000-0x00007FFF484DC000-memory.dmp

memory/4540-1242-0x00007FFF484E0000-0x00007FFF484F2000-memory.dmp

memory/4540-1241-0x00007FFF48500000-0x00007FFF4850D000-memory.dmp

memory/4540-1240-0x00007FFF48510000-0x00007FFF4851C000-memory.dmp

memory/4540-1239-0x00007FFF48520000-0x00007FFF4852C000-memory.dmp

memory/4540-1238-0x00007FFF48530000-0x00007FFF4853B000-memory.dmp

memory/4540-1237-0x00007FFF49C50000-0x00007FFF49C5B000-memory.dmp

memory/4540-1236-0x00007FFF49C60000-0x00007FFF49C6C000-memory.dmp

memory/4540-1235-0x00007FFF49C70000-0x00007FFF49C7E000-memory.dmp

memory/4540-1234-0x00007FFF49C80000-0x00007FFF49C8C000-memory.dmp

memory/4540-1233-0x00007FFF49C90000-0x00007FFF49C9C000-memory.dmp

memory/4540-1232-0x00007FFF49CA0000-0x00007FFF49CAB000-memory.dmp

memory/4540-1231-0x00007FFF49CB0000-0x00007FFF49CBC000-memory.dmp

memory/4540-1230-0x00007FFF49CC0000-0x00007FFF49CCB000-memory.dmp

memory/4540-1229-0x00007FFF49CD0000-0x00007FFF49CDC000-memory.dmp

memory/4540-1228-0x00007FFF49CE0000-0x00007FFF49CEB000-memory.dmp

memory/4540-1218-0x00007FFF4A7F0000-0x00007FFF4A809000-memory.dmp

memory/4540-1217-0x00007FFF3ABE0000-0x00007FFF3AF57000-memory.dmp

\Users\Admin\AppData\Local\Temp\_MEI12402\_queue.pyd

MD5 7b9f914d6c0b80c891ff7d5c031598d9
SHA1 ef9015302a668d59ca9eb6ebc106d82f65d6775c
SHA256 7f80508edff0896596993bf38589da38d95bc35fb286f81df361b5bf8c682cae
SHA512 d24c2ff50649fe604b09830fd079a6ad488699bb3c44ea7acb6da3f441172793e6a38a1953524f5570572bd2cf050f5fee71362a82c33f9bb9381ac4bb412d68

\Users\Admin\AppData\Local\Temp\_MEI12402\_ssl.pyd

MD5 a65b98bf0f0a1b3ffd65e30a83e40da0
SHA1 9545240266d5ce21c7ed7b632960008b3828f758
SHA256 44214a85d06628eb3209980c0f2b31740ab8c6eb402f804816d0dae1ec379949
SHA512 0f70c2722722eb04b0b996bbaf7129955e38425794551c4832baec8844cde9177695d4045c0872a8fb472648c62c9bd502c9240facca9fb469f5cbacbe3ca505

\Users\Admin\AppData\Local\Temp\_MEI12402\select.pyd

MD5 3cdfdb7d3adf9589910c3dfbe55065c9
SHA1 860ef30a8bc5f28ae9c81706a667f542d527d822
SHA256 92906737eff7ff33b9e2a72d2a86e4bd80a35018c8e40bb79433a8ea8ece3932
SHA512 1fe2c918e9ce524b855d7f38d4c69563f8b8c44291eea1dc98f04e5ebdc39c8f2d658a716429051fb91fed0b912520929a0b980c4f5b4ecb3de1c4eb83749a45

C:\Users\Admin\AppData\Local\Temp\_MEI12402\_sqlite3.pyd

MD5 e5111e0cb03c73c0252718a48c7c68e4
SHA1 39a494eefecb00793b13f269615a2afd2cdfb648
SHA256 c9d4f10e47e45a23df9eb4ebb4c4f3c5153e7977dc2b92a1f142b8ccdb0bb26b
SHA512 cc0a00c552b98b6b80ffa4cd7cd20600e0e368fb71e816f3665e19c28ba9239fb9107f7303289c8db7de5208aaef8cd2159890996c69925176e6a04b6becc9b1

C:\Users\Admin\AppData\Local\Temp\_MEI12402\_overlapped.pyd

MD5 213c988dd662568daa1619db9247ec4f
SHA1 67de38f61ff2a4b1b4f684068c4358484eaa3129
SHA256 e27aa70f4b187fc483c46cee45d340c92b9675f8c0375e8c59491a1640334d2f
SHA512 b9db82b424a611162b22abf339b3a475d145f84040edbaba67e13ed73f72470c2858237f3cb1b207da399aa4ab0ac513f66bb39b80fea6f9fbbdb50538b6675e

C:\Users\Admin\AppData\Local\Temp\_MEI12402\_multiprocessing.pyd

MD5 10d7164d97b8053653fe65c950af231a
SHA1 f03de00469ce086d89c60b12c339247cec2b3d55
SHA256 6ab3086555e5a962cb980a1a98d09b4a68dece776e618ccf6cfccf1c4d8f9163
SHA512 757cc79bd1e8f3e313d541248620830b46b132014340b04ee81d3ac3600e44286bba29280cda553b80e7ca0d58336bc83d9a39635e221dac371d5d23715e81d3

C:\Users\Admin\AppData\Local\Temp\_MEI12402\_elementtree.pyd

MD5 bbb68421416912fedb1d0db62b84bb55
SHA1 136fe62f908121d96f5ea516d3a31ba8c0bea44b
SHA256 5cf49f6a7b25d3e4ac6adae07cdab6456b2e710c547a2365e1456979dd614370
SHA512 086149180c01ea59bc66c91a068b30597338a8315e0fd0679b9e179b12da75462e3c692b1b557e1708ff2dbf05d215b81933650b207c6d5c938490e9d2a4d438

C:\Users\Admin\AppData\Local\Temp\_MEI12402\_decimal.pyd

MD5 604154d16e9a3020b9ad3b6312f5479c
SHA1 27c874b052d5e7f4182a4ead6b0486e3d0faf4da
SHA256 3c7585e75fa1e8604d8c408f77995b30f90c54a0f2ff5021e14fa7f84e093fb6
SHA512 37ce86fd8165fc51ebe568d7ce4b5ea8c1598114558d9f74a748a07dc62a1cc5d50fe1448dde6496ea13e45631e231221c15a64cebbb18fa96e2f71c61be0db4

C:\Users\Admin\AppData\Local\Temp\_MEI12402\_cffi_backend.cp310-win_amd64.pyd

MD5 76041575bfb6c23f89168485ba802cd3
SHA1 740dbbbfb5a48985ee866139b2c3edcc33e88587
SHA256 3adf6b1cfcb47d99653c284dc74b13764f960873edf651e99b52a1b6ba1df590
SHA512 800fcac9c2e1312a6f3d46148a9d621ecbde07b473681d88a383d385c30adcc660d763a8babf32b8a4e815b2c2ce4a23d86660403c341f3dbc9ee021df341070

C:\Users\Admin\AppData\Local\Temp\_MEI12402\_asyncio.pyd

MD5 7376246e83a181f4837f6089d145c55e
SHA1 4379a10a940433f4a1314adb52733edc9a14e012
SHA256 7e9b38a085103a8fda2fd489caea16ae11c75dcbac6291be7751f94b5b44d4a5
SHA512 7455a698323f874f71cbc563f28bfa4e484036dcf2c0f52c7dfb641ea49ca008ee1697565a68e000e3a62a2d15d203256462f01926789d952ddfd302db6a5439

C:\Users\Admin\AppData\Local\Temp\_MEI12402\zlib1.dll

MD5 ee06185c239216ad4c70f74e7c011aa6
SHA1 40e66b92ff38c9b1216511d5b1119fe9da6c2703
SHA256 0391066f3e6385a9c0fe7218c38f7bd0b3e0da0f15a98ebb07f1ac38d6175466
SHA512 baae562a53d491e19dbf7ee2cff4c13d42de6833036bfdaed9ed441bcbf004b68e4088bd453b7413d60faaf1b334aee71241ba468437d49050b8ccfa9232425d

C:\Users\Admin\AppData\Local\Temp\_MEI12402\VCRUNTIME140_1.dll

MD5 135359d350f72ad4bf716b764d39e749
SHA1 2e59d9bbcce356f0fece56c9c4917a5cacec63d7
SHA256 34048abaa070ecc13b318cea31425f4ca3edd133d350318ac65259e6058c8b32
SHA512 cf23513d63ab2192c78cae98bd3fea67d933212b630be111fa7e03be3e92af38e247eb2d3804437fd0fda70fdc87916cd24cf1d3911e9f3bfb2cc4ab72b459ba

C:\Users\Admin\AppData\Local\Temp\_MEI12402\unicodedata.pyd

MD5 2218b2730b625b1aeee6a67095c101a4
SHA1 aa7f032b9c8b40e5ecf2a0f59fa5ae3f48eff90a
SHA256 5e9add4dd806c2de4d694b9bb038a6716badb7d5f912884d80d593592bcdb8ca
SHA512 77aa10ae645c0ba24e31dcab4726d8fb7aa3cb9708c7c85499e7d82ce46609d43e5dc74da7cd32c170c7ddf50c8db8945baf3452421316c4a46888d745de8da0

C:\Users\Admin\AppData\Local\Temp\_MEI12402\tk86t.dll

MD5 19adc6ec8b32110665dffe46c828c09f
SHA1 964eca5250e728ea2a0d57dda95b0626f5b7bf09
SHA256 6d134200c9955497c5829860f7373d99eec8cbe4936c8e777b996da5c3546ba7
SHA512 4baa632c45a97dc2ca0f0b52fd3882d083b9d83a88e0fa2f29b269e16ad7387029423839756ee052348589b216509a85f5d6ee05a1e8a1850ce5d673ae859c27

C:\Users\Admin\AppData\Local\Temp\_MEI12402\tcl86t.dll

MD5 2ac611c106c5271a3789c043bf36bf76
SHA1 1f549bff37baf84c458fc798a8152cc147aadf6e
SHA256 7410e4e74a3f5941bb161fc6fc8675227de2ad28a1cec9b627631faa0ed330e6
SHA512 3763a63f45fc48f0c76874704911bcefe0ace8d034f9af3ea1401e60aa993fda6174ae61b951188bec009a14d7d33070b064e1293020b6fd4748bee5c35bbd08

C:\Users\Admin\AppData\Local\Temp\_MEI12402\sqlite3.dll

MD5 59ed17799f42cc17d63a20341b93b6f6
SHA1 5f8b7d6202b597e72f8b49f4c33135e35ac76cd1
SHA256 852b38bd2d05dd9f000e540d3f5e4962e64597eb864a68aa8bb28ce7008e91f1
SHA512 3424ad59fd71c68e0af716b7b94c4224b2abfb11b7613f2e565f5d82f630e89c2798e732376a3a0e1266d8d58730b2f76c4e23efe03c47a48cbf5f0fc165d333

C:\Users\Admin\AppData\Local\Temp\_MEI12402\SDL2_ttf.dll

MD5 eb0ce62f775f8bd6209bde245a8d0b93
SHA1 5a5d039e0c2a9d763bb65082e09f64c8f3696a71
SHA256 74591aab94bb87fc9a2c45264930439bbc0d1525bf2571025cd9804e5a1cd11a
SHA512 34993240f14a89179ac95c461353b102ea74e4180f52c206250bb42c4c8427a019ea804b09a6903674ac00ab2a3c4c686a86334e483110e79733696aa17f4eb6

C:\Users\Admin\AppData\Local\Temp\_MEI12402\SDL2_mixer.dll

MD5 b7b45f61e3bb00ccd4ca92b2a003e3a3
SHA1 5018a7c95dc6d01ba6e3a7e77dd26c2c74fd69bc
SHA256 1327f84e3509f3ccefeef1c12578faf04e9921c145233687710253bf903ba095
SHA512 d3449019824124f3edbda57b3b578713e9c9915e173d31566cd8e4d18f307ac0f710250fe6a906dd53e748db14bfa76ec1b58a6aef7d074c913679a47c5fdbe7

C:\Users\Admin\AppData\Local\Temp\_MEI12402\SDL2_image.dll

MD5 25e2a737dcda9b99666da75e945227ea
SHA1 d38e086a6a0bacbce095db79411c50739f3acea4
SHA256 22b27380d4f1f217f0e5d5c767e5c244256386cd9d87f8ddf303baaf9239fc4c
SHA512 63de988387047c17fd028a894465286fd8f6f8bd3a1321b104c0ceb5473e3e0b923153b4999143efbdd28684329a33a5b468e43f25214037f6cddd4d1884adb8

C:\Users\Admin\AppData\Local\Temp\_MEI12402\SDL2.dll

MD5 ec3c1d17b379968a4890be9eaab73548
SHA1 7dbc6acee3b9860b46c0290a9b94a344d1927578
SHA256 aaa11e97c3621ed680ff2388b91acb394173b96a6e8ffbf3b656079cd00a0b9f
SHA512 06a7880ec80174b48156acd6614ab42fb4422cd89c62d11a7723a3c872f213bfc6c1006df8bdc918bb79009943d2b65c6a5c5e89ad824d1a940ddd41b88a1edb

C:\Users\Admin\AppData\Local\Temp\_MEI12402\pyexpat.pyd

MD5 8538fbac3f61a5b042c254adb77c5c86
SHA1 0de293f129476b9c69c2b2ed1d2b7b28a53c653a
SHA256 23fe88f8f17ec20fb9dbcf90fa2b9ed4ca31bab0d69dda1b0feaa561577bdc83
SHA512 84242c1c4aec4a97fe1d5472bd36b4240d7a86f28b4933f46f2b9075521f33e6498944bb95fadcd56ec88a6abe887232fa2d0bfa94a5719e2b1100e90ac9cde1

C:\Users\Admin\AppData\Local\Temp\_MEI12402\portmidi.dll

MD5 0df0699727e9d2179f7fd85a61c58bdf
SHA1 82397ee85472c355725955257c0da207fa19bf59
SHA256 97a53e8de3f1b2512f0295b5de98fa7a23023a0e4c4008ae534acdba54110c61
SHA512 196e41a34a60de83cb24caa5fc95820fd36371719487350bc2768354edf39eeb6c7860ff3fd9ecf570abb4288523d7ab934e86e85202b9753b135d07180678cd

C:\Users\Admin\AppData\Local\Temp\_MEI12402\libwebp-7.dll

MD5 b0dd211ec05b441767ea7f65a6f87235
SHA1 280f45a676c40bd85ed5541ceb4bafc94d7895f3
SHA256 fc06b8f92e86b848a17eaf7ed93464f54ed1f129a869868a74a75105ff8ce56e
SHA512 eaeb83e46c8ca261e79b3432ec2199f163c44f180eb483d66a71ad530ba488eb4cdbd911633e34696a4ccc035e238bc250a8247f318aa2f0cd9759cad4f90fff

C:\Users\Admin\AppData\Local\Temp\_MEI12402\libtiff-5.dll

MD5 ebad1fa14342d14a6b30e01ebc6d23c1
SHA1 9c4718e98e90f176c57648fa4ed5476f438b80a7
SHA256 4f50820827ac76042752809479c357063fe5653188654a6ba4df639da2fbf3ca
SHA512 91872eaa1f3f45232ab2d753585e650ded24c6cc8cc1d2a476fa98a61210177bd83570c52594b5ad562fc27cb76e034122f16a922c6910e4ed486da1d3c45c24

C:\Users\Admin\AppData\Local\Temp\_MEI12402\libpng16-16.dll

MD5 55009dd953f500022c102cfb3f6a8a6c
SHA1 07af9f4d456ddf86a51da1e4e4c5b54b0cf06ddb
SHA256 20391787cba331cfbe32fbf22f328a0fd48924e944e80de20ba32886bf4b6fd2
SHA512 4423d3ec8fef29782f3d4a21feeac9ba24c9c765d770b2920d47b4fb847a96ff5c793b20373833b4ff8bc3d8fa422159c64beffb78ce5768ed22742740a8c6c6

C:\Users\Admin\AppData\Local\Temp\_MEI12402\libopusfile-0.dll

MD5 2d5274bea7ef82f6158716d392b1be52
SHA1 ce2ff6e211450352eec7417a195b74fbd736eb24
SHA256 6dea07c27c0cc5763347357e10c3b17af318268f0f17c7b165325ce524a0e8d5
SHA512 9973d68b23396b3aa09d2079d18f2c463e807c9c1fdf4b1a5f29d561e8d5e62153e0c7be23b63975ad179b9599ff6b0cf08ebdbe843d194483e7ec3e7aeb232a

C:\Users\Admin\AppData\Local\Temp\_MEI12402\libopus-0.dll

MD5 3fb9d9e8daa2326aad43a5fc5ddab689
SHA1 55523c665414233863356d14452146a760747165
SHA256 fd8de9169ccf53c5968eec0c90e9ff3a66fb451a5bf063868f3e82007106b491
SHA512 f263ea6e0fab84a65fe3a9b6c0fe860919eee828c84b888a5aa52dea540434248d1e810a883a2aff273cd9f22c607db966dd8776e965be6d2cfe1b50a1af1f57

C:\Users\Admin\AppData\Local\Temp\_MEI12402\libmodplug-1.dll

MD5 2bb2e7fa60884113f23dcb4fd266c4a6
SHA1 36bbd1e8f7ee1747c7007a3c297d429500183d73
SHA256 9319bf867ed6007f3c61da139c2ab8b74a4cb68bf56265a101e79396941f6d3b
SHA512 1ddd4b9b9238c1744e0a1fe403f136a1def8df94814b405e7b01dd871b3f22a2afe819a26e08752142f127c3efe4ebae8bfd1bd63563d5eb98b4644426f576b2

C:\Users\Admin\AppData\Local\Temp\_MEI12402\libjpeg-9.dll

MD5 c22b781bb21bffbea478b76ad6ed1a28
SHA1 66cc6495ba5e531b0fe22731875250c720262db1
SHA256 1eed2385030348c84bbdb75d41d64891be910c27fab8d20fc9e85485fcb569dd
SHA512 9b42cad4a715680a27cd79f466fd2913649b80657ff042528cba2946631387ed9fb027014d215e1baf05839509ca5915d533b91aa958ae0525dea6e2a869b9e4

C:\Users\Admin\AppData\Local\Temp\_MEI12402\freetype.dll

MD5 04a9825dc286549ee3fa29e2b06ca944
SHA1 5bed779bf591752bb7aa9428189ec7f3c1137461
SHA256 50249f68b4faf85e7cd8d1220b7626a86bc507af9ae400d08c8e365f9ab97cde
SHA512 0e937e4de6cbc9d40035b94c289c2798c77c44fc1dc7097201f9fab97c7ff9e56113c06c51693f09908283eda92945b36de67351f893d4e3162e67c078cff4ec

memory/4540-1167-0x00007FFF4AB20000-0x00007FFF4AB4C000-memory.dmp

memory/4540-1166-0x00007FFF4AB50000-0x00007FFF4AB68000-memory.dmp

memory/4540-1248-0x00007FFF48430000-0x00007FFF48447000-memory.dmp

memory/4540-1249-0x00007FFF48410000-0x00007FFF48429000-memory.dmp

memory/4540-1250-0x00007FFF483C0000-0x00007FFF4840D000-memory.dmp

memory/4540-1252-0x00007FFF483A0000-0x00007FFF483B1000-memory.dmp

memory/4540-1253-0x00007FFF48390000-0x00007FFF4839A000-memory.dmp

memory/4540-1251-0x00007FFF49E20000-0x00007FFF4A285000-memory.dmp

memory/4540-1254-0x00007FFF4AC10000-0x00007FFF4AC34000-memory.dmp

memory/4540-1257-0x00007FFF48310000-0x00007FFF4836D000-memory.dmp

memory/4540-1256-0x00007FFF4AB20000-0x00007FFF4AB4C000-memory.dmp

memory/4540-1255-0x00007FFF48370000-0x00007FFF4838E000-memory.dmp

memory/4540-1259-0x00007FFF48280000-0x00007FFF482AE000-memory.dmp

memory/4540-1258-0x00007FFF482B0000-0x00007FFF482D9000-memory.dmp

memory/4540-1261-0x00007FFF47A30000-0x00007FFF47A4E000-memory.dmp

memory/4540-1260-0x00007FFF4A670000-0x00007FFF4A6A8000-memory.dmp

memory/4540-1262-0x00007FFF3AA60000-0x00007FFF3ABD1000-memory.dmp

memory/4540-1263-0x00007FFF47A10000-0x00007FFF47A28000-memory.dmp

memory/4540-1269-0x00007FFF46BE0000-0x00007FFF46BEC000-memory.dmp

memory/4540-1268-0x00007FFF46BF0000-0x00007FFF46BFB000-memory.dmp

memory/4540-1267-0x00007FFF46C00000-0x00007FFF46C0C000-memory.dmp

memory/4540-1266-0x00007FFF47370000-0x00007FFF4737B000-memory.dmp

memory/4540-1265-0x00007FFF47380000-0x00007FFF4738B000-memory.dmp

memory/4540-1264-0x00007FFF48450000-0x00007FFF48472000-memory.dmp

memory/4540-1275-0x00007FFF3AA50000-0x00007FFF3AA5E000-memory.dmp

memory/4540-1274-0x00007FFF3AFD0000-0x00007FFF3AFDC000-memory.dmp

memory/4540-1273-0x00007FFF483C0000-0x00007FFF4840D000-memory.dmp

memory/4540-1272-0x00007FFF43060000-0x00007FFF4306C000-memory.dmp

memory/4540-1271-0x00007FFF46BD0000-0x00007FFF46BDB000-memory.dmp

memory/4540-1270-0x00007FFF48430000-0x00007FFF48447000-memory.dmp

memory/4540-1282-0x00007FFF3A9F0000-0x00007FFF3A9FD000-memory.dmp

memory/4540-1281-0x00007FFF3AA00000-0x00007FFF3AA0C000-memory.dmp

memory/4540-1280-0x00007FFF48310000-0x00007FFF4836D000-memory.dmp

memory/4540-1279-0x00007FFF3AA10000-0x00007FFF3AA1C000-memory.dmp

memory/4540-1278-0x00007FFF3AA20000-0x00007FFF3AA2B000-memory.dmp

memory/4540-1277-0x00007FFF3AA30000-0x00007FFF3AA3B000-memory.dmp

memory/4540-1276-0x00007FFF3AA40000-0x00007FFF3AA4C000-memory.dmp

memory/4540-1286-0x00007FFF3A9C0000-0x00007FFF3A9CC000-memory.dmp

memory/4540-1285-0x00007FFF3A9D0000-0x00007FFF3A9E2000-memory.dmp

memory/4540-1284-0x00007FFF3AA60000-0x00007FFF3ABD1000-memory.dmp

memory/4540-1283-0x00007FFF47A30000-0x00007FFF47A4E000-memory.dmp

memory/4540-1287-0x00007FFF3A980000-0x00007FFF3A9B5000-memory.dmp

memory/4540-1289-0x00007FFF3A890000-0x00007FFF3A8BB000-memory.dmp

memory/4540-1288-0x00007FFF3A8C0000-0x00007FFF3A97C000-memory.dmp

memory/4540-1290-0x00007FFF3A5B0000-0x00007FFF3A88F000-memory.dmp

memory/4540-1291-0x00007FFF384B0000-0x00007FFF3A5A3000-memory.dmp

memory/4540-1295-0x00007FFF38460000-0x00007FFF38481000-memory.dmp

memory/4540-1294-0x00007FFF38490000-0x00007FFF384A7000-memory.dmp

memory/4540-1296-0x00007FFF38430000-0x00007FFF38452000-memory.dmp

memory/4540-1297-0x00007FFF38390000-0x00007FFF3842C000-memory.dmp

memory/4540-1300-0x00007FFF382D0000-0x00007FFF38318000-memory.dmp

memory/4540-1299-0x00007FFF38320000-0x00007FFF38353000-memory.dmp

memory/4540-1298-0x00007FFF38360000-0x00007FFF38390000-memory.dmp

memory/4540-1305-0x00007FFF38270000-0x00007FFF3828D000-memory.dmp

memory/4540-1304-0x00007FFF38290000-0x00007FFF382A9000-memory.dmp

memory/4540-1303-0x00007FFF38190000-0x00007FFF38244000-memory.dmp

memory/4540-1302-0x00007FFF38250000-0x00007FFF38263000-memory.dmp

memory/4540-1301-0x00007FFF382B0000-0x00007FFF382CA000-memory.dmp

memory/4540-1307-0x00007FFF3A5B0000-0x00007FFF3A88F000-memory.dmp

memory/4540-1306-0x00007FFF3A890000-0x00007FFF3A8BB000-memory.dmp

memory/4540-1308-0x00007FFF384B0000-0x00007FFF3A5A3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jiqkzy0c.rah.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/4540-1456-0x00007FFF48450000-0x00007FFF48472000-memory.dmp

memory/4540-1454-0x00007FFF484A0000-0x00007FFF484B0000-memory.dmp

memory/4540-1453-0x00007FFF484B0000-0x00007FFF484C4000-memory.dmp

memory/4540-1435-0x00007FFF4A670000-0x00007FFF4A6A8000-memory.dmp

memory/4540-1431-0x00007FFF4A6F0000-0x00007FFF4A6FD000-memory.dmp

memory/4540-1429-0x00007FFF4A7C0000-0x00007FFF4A7EE000-memory.dmp

memory/4540-1420-0x00007FFF49E20000-0x00007FFF4A285000-memory.dmp

memory/4540-1421-0x00007FFF4AC10000-0x00007FFF4AC34000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI24522\attrs-23.2.0.dist-info\INSTALLER

MD5 365c9bfeb7d89244f2ce01c1de44cb85
SHA1 d7a03141d5d6b1e88b6b59ef08b6681df212c599
SHA256 ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508
SHA512 d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

C:\Users\Admin\AppData\Local\Temp\_MEI24522\tcl\encoding\euc-cn.enc

MD5 c5aa0d11439e0f7682dae39445f5dab4
SHA1 73a6d55b894e89a7d4cb1cd3ccff82665c303d5c
SHA256 1700af47dc012a48cec89cf1dfae6d1d0d2f40ed731eff6ca55296a055a11c00
SHA512 eee6058bd214c59bcc11e6de7265da2721c119cc9261cfd755a98e270ff74d2d73e3e711aa01a0e3414c46d82e291ef0df2ad6c65ca477c888426d5a1d2a3bc5