Malware Analysis Report

2024-11-30 12:36

Sample ID 240813-2s199svflq
Target source_prepared.exe
SHA256 dcdab220f9a2af46e92298bb3b90c945e6995af5f87985cca622572dd579045f
Tags
pyinstaller pysilon upx evasion execution persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

dcdab220f9a2af46e92298bb3b90c945e6995af5f87985cca622572dd579045f

Threat Level: Known bad

The file source_prepared.exe was found to be: Known bad.

Malicious Activity Summary

pyinstaller pysilon upx evasion execution persistence

Detect Pysilon

Pysilon family

Enumerates VirtualBox DLL files

Sets file to hidden

Command and Scripting Interpreter: PowerShell

Loads dropped DLL

UPX packed file

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Detects Pyinstaller

Unsigned PE

Suspicious use of SendNotifyMessage

Views/modifies file attributes

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Kills process with taskkill

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

Checks SCSI registry key(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-13 22:51

Signatures

Detect Pysilon

Description Indicator Process Target
N/A N/A N/A N/A

Pysilon family

pysilon

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-13 22:51

Reported

2024-08-13 22:55

Platform

win7-20240708-en

Max time kernel

120s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\source_prepared.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\source_prepared.exe

"C:\Users\Admin\AppData\Local\Temp\source_prepared.exe"

C:\Users\Admin\AppData\Local\Temp\source_prepared.exe

"C:\Users\Admin\AppData\Local\Temp\source_prepared.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\_MEI24962\ucrtbase.dll
C:\Users\Admin\AppData\Local\Temp\_MEI24962\api-ms-win-core-file-l1-2-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI24962\api-ms-win-core-localization-l1-2-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI24962\api-ms-win-core-processthreads-l1-1-1.dll
C:\Users\Admin\AppData\Local\Temp\_MEI24962\api-ms-win-core-timezone-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI24962\api-ms-win-core-file-l2-1-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI24962\python310.dll

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-13 22:51

Reported

2024-08-13 22:54

Platform

win10v2004-20240802-en

Max time kernel

82s

Max time network

70s

Command Line

"C:\Users\Admin\AppData\Local\Temp\source_prepared.exe"

Signatures

Enumerates VirtualBox DLL files

Description Indicator Process Target
File opened (read-only) C:\windows\system32\vboxmrxnp.dll C:\Users\Admin\AppData\Local\Temp\source_prepared.exe N/A
File opened (read-only) C:\windows\system32\vboxhook.dll C:\Users\Admin\Penis.exe N/A
File opened (read-only) C:\windows\system32\vboxmrxnp.dll C:\Users\Admin\Penis.exe N/A
File opened (read-only) C:\windows\system32\vboxhook.dll C:\Users\Admin\AppData\Local\Temp\source_prepared.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Sets file to hidden

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Penis.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\source_prepared.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\\\Penis.exe" C:\Users\Admin\AppData\Local\Temp\source_prepared.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\taskmgr.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\source_prepared.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Users\Admin\Penis.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\Penis.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\source_prepared.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Penis.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\Penis.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4236 wrote to memory of 824 N/A C:\Users\Admin\AppData\Local\Temp\source_prepared.exe C:\Users\Admin\AppData\Local\Temp\source_prepared.exe
PID 824 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\source_prepared.exe C:\Windows\system32\cmd.exe
PID 824 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\Temp\source_prepared.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 824 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\source_prepared.exe C:\Windows\system32\cmd.exe
PID 1056 wrote to memory of 2268 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 1056 wrote to memory of 4468 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\Penis.exe
PID 1056 wrote to memory of 232 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4468 wrote to memory of 2240 N/A C:\Users\Admin\Penis.exe C:\Users\Admin\Penis.exe
PID 2240 wrote to memory of 4348 N/A C:\Users\Admin\Penis.exe C:\Windows\system32\cmd.exe
PID 2240 wrote to memory of 4648 N/A C:\Users\Admin\Penis.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\source_prepared.exe

"C:\Users\Admin\AppData\Local\Temp\source_prepared.exe"

C:\Users\Admin\AppData\Local\Temp\source_prepared.exe

"C:\Users\Admin\AppData\Local\Temp\source_prepared.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "ver"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x2ec 0x4e8

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Add-MpPreference -ExclusionPath \"C:\Users\Admin\\\""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\\activate.bat

C:\Windows\system32\attrib.exe

attrib +s +h .

C:\Users\Admin\Penis.exe

"Penis.exe"

C:\Windows\system32\taskkill.exe

taskkill /f /im "source_prepared.exe"

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Users\Admin\Penis.exe

"Penis.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "ver"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Add-MpPreference -ExclusionPath \"C:\Users\Admin\\\""

Network


Files

C:\Users\Admin\AppData\Local\Temp\_MEI42362\ucrtbase.dll

MD5 e2be135be35dff4bb1acbdd0364a3126
SHA1 47dc2254940878f4ad2266d67548ca1acdf3138a
SHA256 27247c9dd53eac1939e830fdcfeec3749ee84a1c8fdbe685e1229b09663679c2
SHA512 8bd18198d613940774c96b2784ec2e7430c393d46909d2a81b8a01092d2dcb8b97f6503a417a60dc85318e33647cc13100139cb4c9188fb63c947c9930c6897c

C:\Users\Admin\AppData\Local\Temp\_MEI42362\python310.dll

MD5 933b49da4d229294aad0c6a805ad2d71
SHA1 9828e3ce504151c2f933173ef810202d405510a4
SHA256 ab3e996db016ba87004a3c4227313a86919ff6195eb4b03ac1ce523f126f2206
SHA512 6023188f3b412dd12c2d4f3a8e279dcace945b6e24e1f6bbd4e49a5d2939528620ceb9a5f77b9a47d2d0454e472e2999240b81bed0239e7e400a4e25c96e1165

C:\Users\Admin\AppData\Local\Temp\_MEI42362\VCRUNTIME140.dll

MD5 870fea4e961e2fbd00110d3783e529be
SHA1 a948e65c6f73d7da4ffde4e8533c098a00cc7311
SHA256 76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644
SHA512 0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

memory/824-1308-0x00007FFD08280000-0x00007FFD086EE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI42362\base_library.zip

MD5 ecf379cfbba3700e600c14f97787a80a
SHA1 d69012935da8adbfd5fa2e9234eb05232e22fef4
SHA256 3894257c825f74b77e048bdfe56ecdec86a5a7cb735723c32bb4cc3d8d548314
SHA512 2165e37cacdd19ab5f94239efe13fcc280c5c87c2ef86f58fc92889545f025d7b7e832208d550348373c7ba4b47614ee552bbd61fbe8f2c95b47b621d59210e7

C:\Users\Admin\AppData\Local\Temp\_MEI42362\_ctypes.pyd

MD5 fab57c847ccd83d1eda8d0f70223284c
SHA1 9036fb9ddf58384d41805b0f5701d0dd3fc9fe5d
SHA256 f94440debb2c034d504859edb115ae1ba3ec3f65a084178c810eada77cc0b803
SHA512 4dfff55c12415fcf4b75594bee323423a8bcf7cbec0384978d2cde23c803aa447e9935e3990e5f87aa70e4187890ac1b4bed68780bda479707e17a68d6dd398d

C:\Users\Admin\AppData\Local\Temp\_MEI42362\python3.DLL

MD5 c17b7a4b853827f538576f4c3521c653
SHA1 6115047d02fbbad4ff32afb4ebd439f5d529485a
SHA256 d21e60f3dfbf2bab0cc8a06656721fa3347f026df10297674fc635ebf9559a68
SHA512 8e08e702d69df6840781d174c4565e14a28022b40f650fda88d60172be2d4ffd96a3e9426d20718c54072ca0da27e0455cc0394c098b75e062a27559234a3df7

C:\Users\Admin\AppData\Local\Temp\_MEI42362\libffi-7.dll

MD5 36b9af930baedaf9100630b96f241c6c
SHA1 b1d8416250717ed6b928b4632f2259492a1d64a4
SHA256 d2159e1d1c9853558b192c75d64033e09e7de2da2b3f1bf26745124ed33fbf86
SHA512 5984b32a63a4440a13ebd2f5ca0b22f1391e63ac15fe67a94d4a579d58b8bb0628980a2be484ac65ad3a215bbe44bd14fe33ec7b3581c6ab521f530395847dd5

C:\Users\Admin\AppData\Local\Temp\_MEI42362\_bz2.pyd

MD5 9ae5b35c4be5684c4e20eca61c31b04f
SHA1 22ce82be0de9ce1975daf9779f4c03373579d2ee
SHA256 9ecc29ef0eb63bfd91880bd13d1a8e8ae81d6dfd3cb0608410c1c24338e0760f
SHA512 0784831b295680d5e53b3e94e7262fbb6554e7100ed66d33c370151a385ae7e979204cde55dc00ec75874e8a52152b8caf8eeaa446f3e6421322dac5af6f7666

C:\Users\Admin\AppData\Local\Temp\_MEI42362\_lzma.pyd

MD5 c1b2399c226b9010dfaa6a1022c636b0
SHA1 d5dfca039b69b32ad8b5d65c197e0f59fb7aa954
SHA256 6a962508477ac29ae37b40e9fe6444382a528390fe4a0c8f1685cabcf91f1e94
SHA512 45dc18daf7b3c8e9350aa71ae0b58e452fa275a4fb25dbc26c003e46c49b73b7606c86a7c7e0e2dd91e30bdd35c3007843f9d749a7e6138d953e60a839186d02

memory/824-1319-0x00007FFD18820000-0x00007FFD1882F000-memory.dmp

memory/824-1318-0x00007FFD18680000-0x00007FFD186A4000-memory.dmp

memory/824-1324-0x00007FFD183D0000-0x00007FFD183FD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI42362\api-ms-win-core-sysinfo-l1-1-0.dll

MD5 1cf5ffac68a4e0e685c7964056244491
SHA1 0dc6603181005d92f98ba121aa24a9594d2f7d0b
SHA256 8ad33588ad269f778c9fc3953d2d11d385700466a465bd2234e76471bd45af12
SHA512 8108248d096980d10d1bfbea7f9e1080c6401d94f70d508d95fd59ff5f8599a6b056ac0d922419e565ffe665094d9d02cccc8b4df16fa441dc776c7f948b2bd4

C:\Users\Admin\AppData\Local\Temp\_MEI42362\api-ms-win-core-synch-l1-2-0.dll

MD5 110a525e0e81cef3b5a3cedf5b1fd097
SHA1 953d404dac7dce3284e412da229892596d00a2bc
SHA256 1dfa9cfa3660fcce9c9981a069fb5b51d3b4634a9c98d880f54dfd0507ca4e41
SHA512 b8012602036c9dd8e45a7b226109e92d2c0cebe7a875e9f67d0be902da8f6121b1be8fe3c7d2960dd17e2fd5644caa6fbe59b3b9183fcbeae0a966e988f9ff17

C:\Users\Admin\AppData\Local\Temp\_MEI42362\api-ms-win-core-synch-l1-1-0.dll

MD5 3bc0e6095556da0c5b4a35605af50d57
SHA1 527a5dc983020d20b989fe18b6a7fad30553803f
SHA256 e9e9120623be004d43789cd90d0424884ea8ce8374c1d86cff461f968d469264
SHA512 a6619afed90c3eebffd817e60503442bc240dbf9c17dcd66206d1f1ecd75754ecea1b3beaaf247018cd0a08261dc4268e342e1dd69cd5a99451a6ed8d3b13568

C:\Users\Admin\AppData\Local\Temp\_MEI42362\api-ms-win-core-string-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI42362\api-ms-win-core-rtlsupport-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI42362\api-ms-win-core-profile-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI42362\api-ms-win-crt-math-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI42362\libjpeg-9.dll

C:\Users\Admin\AppData\Local\Temp\_MEI42362\libmodplug-1.dll

C:\Users\Admin\AppData\Local\Temp\_MEI42362\libcrypto-1_1.dll

C:\Users\Admin\AppData\Local\Temp\_MEI42362\freetype.dll

C:\Users\Admin\AppData\Local\Temp\_MEI42362\crypto_clipper.json

C:\Users\Admin\AppData\Local\Temp\_MEI42362\api-ms-win-crt-utility-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI42362\api-ms-win-crt-time-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI42362\api-ms-win-crt-string-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI42362\api-ms-win-crt-stdio-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI42362\api-ms-win-crt-runtime-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI42362\api-ms-win-crt-process-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI42362\api-ms-win-crt-private-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI42362\api-ms-win-crt-locale-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI42362\api-ms-win-crt-heap-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI42362\api-ms-win-crt-filesystem-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI42362\api-ms-win-crt-multibyte-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI42362\api-ms-win-crt-environment-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI42362\api-ms-win-crt-convert-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI42362\api-ms-win-crt-conio-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI42362\api-ms-win-core-util-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI42362\api-ms-win-core-timezone-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI42362\api-ms-win-core-processthreads-l1-1-1.dll

C:\Users\Admin\AppData\Local\Temp\_MEI42362\api-ms-win-core-processthreads-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI42362\api-ms-win-core-processenvironment-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI42362\api-ms-win-core-namedpipe-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI42362\api-ms-win-core-memory-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI42362\api-ms-win-core-localization-l1-2-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI42362\api-ms-win-core-libraryloader-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI42362\api-ms-win-core-interlocked-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI42362\api-ms-win-core-heap-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI42362\api-ms-win-core-handle-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI42362\api-ms-win-core-file-l2-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI42362\api-ms-win-core-file-l1-2-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI42362\api-ms-win-core-file-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI42362\api-ms-win-core-fibers-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI42362\api-ms-win-core-errorhandling-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI42362\api-ms-win-core-debug-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI42362\api-ms-win-core-datetime-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI42362\api-ms-win-core-console-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cxdtp13u.25m.ps1

C:\Users\Admin\AppData\Local\Temp\_MEI44682\cryptography-43.0.0.dist-info\INSTALLER
