Malware Analysis Report

2024-12-07 14:51

Sample ID 241006-qlsh1awclk
Target 4093bbcc81ac07e93a0ad1e1817e1529deb8ea3b06239308658b2712e0adff9eN
SHA256 4093bbcc81ac07e93a0ad1e1817e1529deb8ea3b06239308658b2712e0adff9e
Tags
pyinstaller discovery evasion execution exploit persistence privilege_escalation trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4093bbcc81ac07e93a0ad1e1817e1529deb8ea3b06239308658b2712e0adff9e

Threat Level: Known bad

The file 4093bbcc81ac07e93a0ad1e1817e1529deb8ea3b06239308658b2712e0adff9eN was found to be: Known bad.

Malicious Activity Summary

pyinstaller discovery evasion execution exploit persistence privilege_escalation trojan

UAC bypass

Command and Scripting Interpreter: PowerShell

Modifies Windows Firewall

Possible privilege escalation attempt

Modifies file permissions

Loads dropped DLL

Detects Pyinstaller

Unsigned PE

Event Triggered Execution: Netsh Helper DLL

Suspicious use of AdjustPrivilegeToken

Modifies registry key

Kills process with taskkill

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-06 13:21

Signatures

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-06 13:21

Reported

2024-10-06 13:24

Platform

win7-20240903-en

Max time kernel

117s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4093bbcc81ac07e93a0ad1e1817e1529deb8ea3b06239308658b2712e0adff9eN.exe"

Signatures

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\system32\reg.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4093bbcc81ac07e93a0ad1e1817e1529deb8ea3b06239308658b2712e0adff9eN.exe N/A
(this row appears 40 times, once per dropped DLL loaded)

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4093bbcc81ac07e93a0ad1e1817e1529deb8ea3b06239308658b2712e0adff9eN.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\icacls.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2680 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\4093bbcc81ac07e93a0ad1e1817e1529deb8ea3b06239308658b2712e0adff9eN.exe C:\Users\Admin\AppData\Local\Temp\4093bbcc81ac07e93a0ad1e1817e1529deb8ea3b06239308658b2712e0adff9eN.exe
PID 2656 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\4093bbcc81ac07e93a0ad1e1817e1529deb8ea3b06239308658b2712e0adff9eN.exe C:\Windows\system32\cmd.exe
PID 2656 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\4093bbcc81ac07e93a0ad1e1817e1529deb8ea3b06239308658b2712e0adff9eN.exe C:\Windows\system32\cmd.exe
PID 2656 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\4093bbcc81ac07e93a0ad1e1817e1529deb8ea3b06239308658b2712e0adff9eN.exe C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
PID 2656 wrote to memory of 492 N/A C:\Users\Admin\AppData\Local\Temp\4093bbcc81ac07e93a0ad1e1817e1529deb8ea3b06239308658b2712e0adff9eN.exe C:\Windows\system32\reg.exe
PID 2656 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\4093bbcc81ac07e93a0ad1e1817e1529deb8ea3b06239308658b2712e0adff9eN.exe C:\Windows\system32\reg.exe
PID 2656 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\4093bbcc81ac07e93a0ad1e1817e1529deb8ea3b06239308658b2712e0adff9eN.exe C:\Windows\system32\reg.exe
PID 2656 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\4093bbcc81ac07e93a0ad1e1817e1529deb8ea3b06239308658b2712e0adff9eN.exe C:\Windows\system32\reg.exe
PID 2656 wrote to memory of 592 N/A C:\Users\Admin\AppData\Local\Temp\4093bbcc81ac07e93a0ad1e1817e1529deb8ea3b06239308658b2712e0adff9eN.exe C:\Windows\system32\takeown.exe
PID 2656 wrote to memory of 476 N/A C:\Users\Admin\AppData\Local\Temp\4093bbcc81ac07e93a0ad1e1817e1529deb8ea3b06239308658b2712e0adff9eN.exe C:\Windows\system32\icacls.exe
PID 2656 wrote to memory of 584 N/A C:\Users\Admin\AppData\Local\Temp\4093bbcc81ac07e93a0ad1e1817e1529deb8ea3b06239308658b2712e0adff9eN.exe C:\Windows\system32\icacls.exe
PID 2656 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\4093bbcc81ac07e93a0ad1e1817e1529deb8ea3b06239308658b2712e0adff9eN.exe C:\Windows\system32\netsh.exe
PID 2656 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\4093bbcc81ac07e93a0ad1e1817e1529deb8ea3b06239308658b2712e0adff9eN.exe C:\Windows\system32\netsh.exe
PID 2656 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\4093bbcc81ac07e93a0ad1e1817e1529deb8ea3b06239308658b2712e0adff9eN.exe C:\Windows\system32\netsh.exe
PID 2656 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\4093bbcc81ac07e93a0ad1e1817e1529deb8ea3b06239308658b2712e0adff9eN.exe C:\Windows\system32\taskkill.exe
(each write is reported three times per child process; one row per child is shown)

Processes

C:\Users\Admin\AppData\Local\Temp\4093bbcc81ac07e93a0ad1e1817e1529deb8ea3b06239308658b2712e0adff9eN.exe

"C:\Users\Admin\AppData\Local\Temp\4093bbcc81ac07e93a0ad1e1817e1529deb8ea3b06239308658b2712e0adff9eN.exe"

C:\Users\Admin\AppData\Local\Temp\4093bbcc81ac07e93a0ad1e1817e1529deb8ea3b06239308658b2712e0adff9eN.exe

"C:\Users\Admin\AppData\Local\Temp\4093bbcc81ac07e93a0ad1e1817e1529deb8ea3b06239308658b2712e0adff9eN.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "ver"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c start file/x64/pack64.exe

C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe

Powershell -Command Add-MpPreference -ExclusionExtension exe

C:\Windows\system32\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehavior /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v PromptOnSecureDesktop /t REG_DWORD /d 0 /f

C:\Windows\system32\takeown.exe

takeown /f "%systemroot%\System32\smartscreen.exe" /a

C:\Windows\system32\icacls.exe

icacls "%systemroot%\System32\smartscreen.exe" /reset

C:\Windows\system32\icacls.exe

icacls "%systemroot%\System32\smartscreen.exe" /setowner *S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464

C:\Windows\system32\netsh.exe

netsh advfirewall firewall delete rule name=services

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name=services protocol=any dir=in action=allow

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name=services protocol=any dir=out action=allow

C:\Windows\system32\taskkill.exe

taskkill /F /IM obj.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.google.com udp
GB 216.58.201.100:443 www.google.com tcp
US 8.8.8.8:53 dl.pro-cheatguide.xyz udp
US 104.21.88.45:443 dl.pro-cheatguide.xyz tcp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI26802\ucrtbase.dll

C:\Users\Admin\AppData\Local\Temp\_MEI26802\api-ms-win-core-timezone-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI26802\api-ms-win-core-file-l2-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI26802\api-ms-win-core-localization-l1-2-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI26802\api-ms-win-core-processthreads-l1-1-1.dll

C:\Users\Admin\AppData\Local\Temp\_MEI26802\api-ms-win-core-file-l1-2-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI26802\python38.dll

C:\Users\Admin\AppData\Local\Temp\_MEI26802\VCRUNTIME140.dll

C:\Users\Admin\AppData\Local\Temp\_MEI26802\api-ms-win-crt-runtime-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI26802\api-ms-win-crt-heap-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI26802\api-ms-win-crt-string-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI26802\api-ms-win-crt-stdio-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI26802\api-ms-win-crt-convert-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI26802\api-ms-win-crt-math-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI26802\api-ms-win-crt-locale-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI26802\api-ms-win-crt-time-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI26802\api-ms-win-crt-environment-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI26802\api-ms-win-crt-process-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI26802\api-ms-win-crt-conio-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI26802\api-ms-win-crt-filesystem-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI26802\_ctypes.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI26802\base_library.zip

C:\Users\Admin\AppData\Local\Temp\_MEI26802\python3.DLL

C:\Users\Admin\AppData\Local\Temp\_MEI26802\libffi-7.dll

C:\Users\Admin\AppData\Local\Temp\_MEI26802\_bz2.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI26802\_lzma.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI26802\api-ms-win-core-memory-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI26802\api-ms-win-core-processthreads-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI26802\api-ms-win-core-processenvironment-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI26802\api-ms-win-core-namedpipe-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI26802\api-ms-win-core-libraryloader-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI26802\api-ms-win-core-interlocked-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI26802\api-ms-win-core-heap-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI26802\api-ms-win-core-handle-l1-1-0.dll

MD5 d525807d6a2d16bd9b8b22ffe99b7c26
SHA1 2f78df1d946a2de936c3f9b6cc88fe401aa74b72
SHA256 1ab5fe4396f72938193a8ce5e18fcb522f84dd24591f39ec1302fc822f875496
SHA512 013b2c635e6be446096de81a2003e1f65658d203f5f6eae3477cd54ea5ff3eec929ed41cf6e33a61aaa201ca920cdf9f96eb34eb8ebd526146d2da2910a3a9d1

C:\Users\Admin\AppData\Local\Temp\_MEI26802\api-ms-win-core-file-l1-1-0.dll

MD5 aa766b098462eff6f0f129b5c6ef1c5e
SHA1 3be25b0d330586a08c317d97ea139d096b35b0b6
SHA256 34790e8f47a8f478a4ba4f89695cea1be64d16ff416542ec3036acb5633009ed
SHA512 3fd9e39cd161e164c9c3f42140a5659f516416985238f93c97bfa9079ab203cd7f920c675fc891fddcab683c52d876838cb623c26d7a3c8b7a0c1799dcfada11

C:\Users\Admin\AppData\Local\Temp\_MEI26802\api-ms-win-core-errorhandling-l1-1-0.dll

MD5 94671f5b4c8cbaaa25b6948b9af8eacd
SHA1 71ad4f949f80efca1bb493f6678c8afeeb923646
SHA256 5eb1c0679756b46c57acaf600246ceff260b88f602215e4a94231ef0c30b0af7
SHA512 10247a1f40f429ef22b68c51c9df4cff7c64f79fe09485a1a7f4fd6fd3f9b13801f6336ed6a7c1804918dc1e78660f6f4126c8052bfc0cff15906c941bbee12c

C:\Users\Admin\AppData\Local\Temp\_MEI26802\api-ms-win-core-debug-l1-1-0.dll

MD5 2882b2bcd74b4d79e21f5349da2931bc
SHA1 ebeaff6f40ea6148193a9cc3368e8d9894fd53d4
SHA256 dcafa02c5e11d38c590754ee6a23dc65c3342308bb28435efb75de914f2b3652
SHA512 3d8e97f67217ed52c60b0fb871e2d0fa163fe1a1fb42c2888813d496fae9ef621f8daeed7984f8368d3b6de45857013df5d77e1694cfd5f4d95bc219bef82fd1

C:\Users\Admin\AppData\Local\Temp\_MEI26802\api-ms-win-core-datetime-l1-1-0.dll

MD5 727e82d02106289000923bef8916771b
SHA1 5e5edad1487e1553d8017f49b54289162ed3a516
SHA256 93ebce911997392650aee0f22b72687787c55c7a4a731724a58c45dc3e1f6cc6
SHA512 ec8a3faa00463db6bf24e7cb764fd6a17f4a3df4cd21810eeef5f2684c0cab0c1cb2bafb5074fe3641cfee2814e0defa938fc9a881ed7dbd5c1b34ede9858946

C:\Users\Admin\AppData\Local\Temp\_MEI26802\api-ms-win-core-console-l1-1-0.dll

MD5 3127e73e09b2f660dbb1b6a3e23159ca
SHA1 d121de4d3cc1788317015f61b3abcea651830c2c
SHA256 a3db4aca7b1ba6f802df24916f086e4a803093ffb29f8902c18b8a09aa18ddcb
SHA512 8daf52fddb4066fd4106fab0c1c34e7bab4522230090242783ed1838a49da3de9453c4cb8379c03112b9c1d353cc3c32e0eef20890429f62209082ade9464cb5

memory/2940-135-0x000000001B770000-0x000000001BA52000-memory.dmp

memory/2940-136-0x0000000001E20000-0x0000000001E28000-memory.dmp
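
The _MEI26802 directory above is where PyInstaller's onefile bootloader unpacks its bundle (the name is _MEI followed by the bootloader's PID and a digit), and the api-ms-win-core-*.dll files it contains are the API-set forwarder stubs shipped with the Python redistributable, not the payload. The payload is the CArchive appended to the executable itself, which the static "Detects Pyinstaller" signature keys on. The parser below is an added example, not part of this report or of PyInstaller: it locates the archive cookie, walks the table of contents and extracts entries, following the layout PyInstaller 2.1 and later use as read by its bootloader and by pyinstxtractor (88-byte cookie '!8sIIii64s' whose length field spans the whole archive including the cookie, 18-byte entry header '!iIIIBc' followed by a NUL-padded name). The struct formats and the sample archive built inside the block are this example's assumptions; confirm them against the real file before trusting an extraction, and decompile 's' entries with the interpreter version the cookie reports (the second run's python38.dll points at 3.8).

```python
"""Walk the CArchive that PyInstaller appends to its bootloader EXE.

Added example, not part of the sandbox report. Format assumptions (PyInstaller >= 2.1,
as read by the bootloader and by pyinstxtractor): an 88-byte cookie '!8sIIii64s' whose
length field covers the archive including the cookie, and TOC entries '!iIIIBc' followed
by a NUL-padded name. Verify against the real sample before relying on it.
"""
import struct
import zlib
from dataclasses import dataclass

MAGIC = b"MEI\014\013\012\013\016"
COOKIE_FMT = "!8sIIii64s"               # magic, pkg_len, toc_offset, toc_len, pyver, pylib name
COOKIE_SIZE = struct.calcsize(COOKIE_FMT)   # 88
ENTRY_FMT = "!iIIIBc"                   # entry_len, data_offset, comp_len, raw_len, compressed, typecode
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)     # 18


@dataclass
class TocEntry:
    name: str
    typecode: str      # 's' entry-point script, 'z' PYZ module archive, 'b' binary/DLL, 'x' data
    data_offset: int   # relative to the start of the archive, not of the file
    comp_len: int
    raw_len: int
    compressed: bool


def parse_archive(blob: bytes):
    """Return (info, entries). The cookie is searched from the end because a signature
    blob or other tail data can follow it, so it is not always the last 88 bytes."""
    cookie_pos = blob.rfind(MAGIC)
    if cookie_pos < 0:
        raise ValueError("no PyInstaller cookie")
    _, pkg_len, toc_off, toc_len, pyver, pylib = struct.unpack(
        COOKIE_FMT, blob[cookie_pos:cookie_pos + COOKIE_SIZE])
    archive_start = cookie_pos + COOKIE_SIZE - pkg_len
    toc = blob[archive_start + toc_off:archive_start + toc_off + toc_len]
    entries, pos = [], 0
    while pos < len(toc):
        entry_len, off, clen, rlen, flag, typ = struct.unpack(ENTRY_FMT, toc[pos:pos + ENTRY_SIZE])
        name = toc[pos + ENTRY_SIZE:pos + entry_len].rstrip(b"\0").decode()
        entries.append(TocEntry(name, typ.decode(), off, clen, rlen, flag == 1))
        pos += entry_len
    # Older bootloaders encode 3.8 as 38, newer ones as 308.
    major, minor = (pyver // 100, pyver % 100) if pyver >= 100 else (pyver // 10, pyver % 10)
    info = {"python_version": f"{major}.{minor}",
            "pylib": pylib.rstrip(b"\0").decode(),
            "archive_start": archive_start}
    return info, entries


def extract(blob: bytes, archive_start: int, entry: TocEntry) -> bytes:
    start = archive_start + entry.data_offset
    data = blob[start:start + entry.comp_len]
    return zlib.decompress(data) if entry.compressed else data


def entry_scripts(entries):
    """Type 's' entries are the bundled top-level scripts, i.e. where the payload logic
    lives (stored as a marshalled code object without a .pyc header)."""
    return [e.name for e in entries if e.typecode == "s"]


# ---- constructed sample so the parser runs offline; this is NOT the real sample ----
SAMPLE_ENTRIES = [  # (name, typecode, raw bytes, compressed)
    ("pyiboot01_bootstrap", "s", b"# bootstrap stub", True),
    ("python38.dll", "b", b"MZ" + b"\0" * 30, True),
    ("PYZ-00.pyz", "z", b"PYZ\0" + b"\0" * 12, False),
    ("main", "s", b"import subprocess\nsubprocess.run('reg add ...')", True),
]


def build_sample_archive(entries=SAMPLE_ENTRIES, pyver=308, pylib=b"python38.dll") -> bytes:
    body, toc = bytearray(), bytearray()
    for name, typ, raw, compress in entries:
        data = zlib.compress(raw) if compress else raw
        name_b = name.encode() + b"\0"
        entry_len = ENTRY_SIZE + len(name_b)
        entry_len += (16 - entry_len % 16) % 16      # entries are padded to 16 bytes
        toc += struct.pack(ENTRY_FMT, entry_len, len(body), len(data), len(raw),
                           1 if compress else 0, typ.encode())
        toc += name_b.ljust(entry_len - ENTRY_SIZE, b"\0")
        body += data
    pkg_len = len(body) + len(toc) + COOKIE_SIZE
    cookie = struct.pack(COOKIE_FMT, MAGIC, pkg_len, len(body), len(toc), pyver, pylib)
    return bytes(body + toc + cookie)


def build_sample_exe() -> bytes:
    """64 bytes of fake bootloader, the archive, then 16 bytes of trailing data."""
    return b"MZ" + b"\0" * 62 + build_sample_archive() + b"\xAA" * 16


if __name__ == "__main__":
    blob = build_sample_exe()
    info, entries = parse_archive(blob)
    print(info)
    for e in entries:
        print(f"{e.typecode} {e.name:24s} {e.raw_len:6d} bytes  compressed={e.compressed}")
    print("entry scripts:", entry_scripts(entries))
```

On a real onefile sample, pass the whole EXE to parse_archive and dump the 's' entries; the 'z' entry is itself a PYZ archive of compressed .pyc modules and needs a second pass.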

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-06 13:21

Reported

2024-10-06 13:23

Platform

win10v2004-20240802-en

Max time kernel

93s

Max time network

97s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4093bbcc81ac07e93a0ad1e1817e1529deb8ea3b06239308658b2712e0adff9eN.exe"

Signatures

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SYSTEM32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\SYSTEM32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\SYSTEM32\reg.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\takeown.exe N/A
N/A N/A C:\Windows\SYSTEM32\icacls.exe N/A
N/A N/A C:\Windows\SYSTEM32\icacls.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4093bbcc81ac07e93a0ad1e1817e1529deb8ea3b06239308658b2712e0adff9eN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4093bbcc81ac07e93a0ad1e1817e1529deb8ea3b06239308658b2712e0adff9eN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4093bbcc81ac07e93a0ad1e1817e1529deb8ea3b06239308658b2712e0adff9eN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4093bbcc81ac07e93a0ad1e1817e1529deb8ea3b06239308658b2712e0adff9eN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4093bbcc81ac07e93a0ad1e1817e1529deb8ea3b06239308658b2712e0adff9eN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4093bbcc81ac07e93a0ad1e1817e1529deb8ea3b06239308658b2712e0adff9eN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4093bbcc81ac07e93a0ad1e1817e1529deb8ea3b06239308658b2712e0adff9eN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4093bbcc81ac07e93a0ad1e1817e1529deb8ea3b06239308658b2712e0adff9eN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4093bbcc81ac07e93a0ad1e1817e1529deb8ea3b06239308658b2712e0adff9eN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4093bbcc81ac07e93a0ad1e1817e1529deb8ea3b06239308658b2712e0adff9eN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4093bbcc81ac07e93a0ad1e1817e1529deb8ea3b06239308658b2712e0adff9eN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4093bbcc81ac07e93a0ad1e1817e1529deb8ea3b06239308658b2712e0adff9eN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4093bbcc81ac07e93a0ad1e1817e1529deb8ea3b06239308658b2712e0adff9eN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4093bbcc81ac07e93a0ad1e1817e1529deb8ea3b06239308658b2712e0adff9eN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4093bbcc81ac07e93a0ad1e1817e1529deb8ea3b06239308658b2712e0adff9eN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4093bbcc81ac07e93a0ad1e1817e1529deb8ea3b06239308658b2712e0adff9eN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4093bbcc81ac07e93a0ad1e1817e1529deb8ea3b06239308658b2712e0adff9eN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4093bbcc81ac07e93a0ad1e1817e1529deb8ea3b06239308658b2712e0adff9eN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4093bbcc81ac07e93a0ad1e1817e1529deb8ea3b06239308658b2712e0adff9eN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4093bbcc81ac07e93a0ad1e1817e1529deb8ea3b06239308658b2712e0adff9eN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4093bbcc81ac07e93a0ad1e1817e1529deb8ea3b06239308658b2712e0adff9eN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4093bbcc81ac07e93a0ad1e1817e1529deb8ea3b06239308658b2712e0adff9eN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4093bbcc81ac07e93a0ad1e1817e1529deb8ea3b06239308658b2712e0adff9eN.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\icacls.exe N/A
N/A N/A C:\Windows\SYSTEM32\icacls.exe N/A
N/A N/A C:\Windows\SYSTEM32\takeown.exe N/A

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\SYSTEM32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\SYSTEM32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\SYSTEM32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\SYSTEM32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\SYSTEM32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\SYSTEM32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\SYSTEM32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\SYSTEM32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\SYSTEM32\netsh.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\reg.exe N/A
N/A N/A C:\Windows\SYSTEM32\reg.exe N/A
N/A N/A C:\Windows\SYSTEM32\reg.exe N/A
N/A N/A C:\Windows\SYSTEM32\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4093bbcc81ac07e93a0ad1e1817e1529deb8ea3b06239308658b2712e0adff9eN.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SYSTEM32\takeown.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SYSTEM32\icacls.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4836 wrote to memory of 3132 N/A C:\Users\Admin\AppData\Local\Temp\4093bbcc81ac07e93a0ad1e1817e1529deb8ea3b06239308658b2712e0adff9eN.exe C:\Users\Admin\AppData\Local\Temp\4093bbcc81ac07e93a0ad1e1817e1529deb8ea3b06239308658b2712e0adff9eN.exe
PID 4836 wrote to memory of 3132 N/A C:\Users\Admin\AppData\Local\Temp\4093bbcc81ac07e93a0ad1e1817e1529deb8ea3b06239308658b2712e0adff9eN.exe C:\Users\Admin\AppData\Local\Temp\4093bbcc81ac07e93a0ad1e1817e1529deb8ea3b06239308658b2712e0adff9eN.exe
PID 3132 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Local\Temp\4093bbcc81ac07e93a0ad1e1817e1529deb8ea3b06239308658b2712e0adff9eN.exe C:\Windows\system32\cmd.exe
PID 3132 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Local\Temp\4093bbcc81ac07e93a0ad1e1817e1529deb8ea3b06239308658b2712e0adff9eN.exe C:\Windows\system32\cmd.exe
PID 3132 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\4093bbcc81ac07e93a0ad1e1817e1529deb8ea3b06239308658b2712e0adff9eN.exe C:\Windows\system32\cmd.exe
PID 3132 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\4093bbcc81ac07e93a0ad1e1817e1529deb8ea3b06239308658b2712e0adff9eN.exe C:\Windows\system32\cmd.exe
PID 3132 wrote to memory of 4592 N/A C:\Users\Admin\AppData\Local\Temp\4093bbcc81ac07e93a0ad1e1817e1529deb8ea3b06239308658b2712e0adff9eN.exe C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
PID 3132 wrote to memory of 4592 N/A C:\Users\Admin\AppData\Local\Temp\4093bbcc81ac07e93a0ad1e1817e1529deb8ea3b06239308658b2712e0adff9eN.exe C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
PID 3132 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\4093bbcc81ac07e93a0ad1e1817e1529deb8ea3b06239308658b2712e0adff9eN.exe C:\Windows\SYSTEM32\reg.exe
PID 3132 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\4093bbcc81ac07e93a0ad1e1817e1529deb8ea3b06239308658b2712e0adff9eN.exe C:\Windows\SYSTEM32\reg.exe
PID 3132 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\Temp\4093bbcc81ac07e93a0ad1e1817e1529deb8ea3b06239308658b2712e0adff9eN.exe C:\Windows\SYSTEM32\reg.exe
PID 3132 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\Temp\4093bbcc81ac07e93a0ad1e1817e1529deb8ea3b06239308658b2712e0adff9eN.exe C:\Windows\SYSTEM32\reg.exe
PID 3132 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\4093bbcc81ac07e93a0ad1e1817e1529deb8ea3b06239308658b2712e0adff9eN.exe C:\Windows\SYSTEM32\reg.exe
PID 3132 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\4093bbcc81ac07e93a0ad1e1817e1529deb8ea3b06239308658b2712e0adff9eN.exe C:\Windows\SYSTEM32\reg.exe
PID 3132 wrote to memory of 4228 N/A C:\Users\Admin\AppData\Local\Temp\4093bbcc81ac07e93a0ad1e1817e1529deb8ea3b06239308658b2712e0adff9eN.exe C:\Windows\SYSTEM32\reg.exe
PID 3132 wrote to memory of 4228 N/A C:\Users\Admin\AppData\Local\Temp\4093bbcc81ac07e93a0ad1e1817e1529deb8ea3b06239308658b2712e0adff9eN.exe C:\Windows\SYSTEM32\reg.exe
PID 3132 wrote to memory of 4200 N/A C:\Users\Admin\AppData\Local\Temp\4093bbcc81ac07e93a0ad1e1817e1529deb8ea3b06239308658b2712e0adff9eN.exe C:\Windows\SYSTEM32\takeown.exe
PID 3132 wrote to memory of 4200 N/A C:\Users\Admin\AppData\Local\Temp\4093bbcc81ac07e93a0ad1e1817e1529deb8ea3b06239308658b2712e0adff9eN.exe C:\Windows\SYSTEM32\takeown.exe
PID 3132 wrote to memory of 3276 N/A C:\Users\Admin\AppData\Local\Temp\4093bbcc81ac07e93a0ad1e1817e1529deb8ea3b06239308658b2712e0adff9eN.exe C:\Windows\SYSTEM32\icacls.exe
PID 3132 wrote to memory of 3276 N/A C:\Users\Admin\AppData\Local\Temp\4093bbcc81ac07e93a0ad1e1817e1529deb8ea3b06239308658b2712e0adff9eN.exe C:\Windows\SYSTEM32\icacls.exe
PID 3132 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Local\Temp\4093bbcc81ac07e93a0ad1e1817e1529deb8ea3b06239308658b2712e0adff9eN.exe C:\Windows\SYSTEM32\icacls.exe
PID 3132 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Local\Temp\4093bbcc81ac07e93a0ad1e1817e1529deb8ea3b06239308658b2712e0adff9eN.exe C:\Windows\SYSTEM32\icacls.exe
PID 3132 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\4093bbcc81ac07e93a0ad1e1817e1529deb8ea3b06239308658b2712e0adff9eN.exe C:\Windows\SYSTEM32\netsh.exe
PID 3132 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\4093bbcc81ac07e93a0ad1e1817e1529deb8ea3b06239308658b2712e0adff9eN.exe C:\Windows\SYSTEM32\netsh.exe
PID 3132 wrote to memory of 3556 N/A C:\Users\Admin\AppData\Local\Temp\4093bbcc81ac07e93a0ad1e1817e1529deb8ea3b06239308658b2712e0adff9eN.exe C:\Windows\SYSTEM32\netsh.exe
PID 3132 wrote to memory of 3556 N/A C:\Users\Admin\AppData\Local\Temp\4093bbcc81ac07e93a0ad1e1817e1529deb8ea3b06239308658b2712e0adff9eN.exe C:\Windows\SYSTEM32\netsh.exe
PID 3132 wrote to memory of 3760 N/A C:\Users\Admin\AppData\Local\Temp\4093bbcc81ac07e93a0ad1e1817e1529deb8ea3b06239308658b2712e0adff9eN.exe C:\Windows\SYSTEM32\netsh.exe
PID 3132 wrote to memory of 3760 N/A C:\Users\Admin\AppData\Local\Temp\4093bbcc81ac07e93a0ad1e1817e1529deb8ea3b06239308658b2712e0adff9eN.exe C:\Windows\SYSTEM32\netsh.exe
PID 3132 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\4093bbcc81ac07e93a0ad1e1817e1529deb8ea3b06239308658b2712e0adff9eN.exe C:\Windows\SYSTEM32\taskkill.exe
PID 3132 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\4093bbcc81ac07e93a0ad1e1817e1529deb8ea3b06239308658b2712e0adff9eN.exe C:\Windows\SYSTEM32\taskkill.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4093bbcc81ac07e93a0ad1e1817e1529deb8ea3b06239308658b2712e0adff9eN.exe

"C:\Users\Admin\AppData\Local\Temp\4093bbcc81ac07e93a0ad1e1817e1529deb8ea3b06239308658b2712e0adff9eN.exe"

C:\Users\Admin\AppData\Local\Temp\4093bbcc81ac07e93a0ad1e1817e1529deb8ea3b06239308658b2712e0adff9eN.exe

"C:\Users\Admin\AppData\Local\Temp\4093bbcc81ac07e93a0ad1e1817e1529deb8ea3b06239308658b2712e0adff9eN.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "ver"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c start file/x64/pack64.exe

C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe

Powershell -Command Add-MpPreference -ExclusionExtension exe

C:\Windows\SYSTEM32\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SYSTEM32\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f

C:\Windows\SYSTEM32\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehavior /t REG_DWORD /d 0 /f

C:\Windows\SYSTEM32\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v PromptOnSecureDesktop /t REG_DWORD /d 0 /f

C:\Windows\SYSTEM32\takeown.exe

takeown /f "%systemroot%\System32\smartscreen.exe" /a

C:\Windows\SYSTEM32\icacls.exe

icacls "%systemroot%\System32\smartscreen.exe" /reset

C:\Windows\SYSTEM32\icacls.exe

icacls "%systemroot%\System32\smartscreen.exe" /setowner *S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464

C:\Windows\SYSTEM32\netsh.exe

netsh advfirewall firewall delete rule name=services

C:\Windows\SYSTEM32\netsh.exe

netsh advfirewall firewall add rule name=services protocol=any dir=in action=allow

C:\Windows\SYSTEM32\netsh.exe

netsh advfirewall firewall add rule name=services protocol=any dir=out action=allow

C:\Windows\SYSTEM32\taskkill.exe

taskkill /F /IM obj.exe
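
Read together, the command lines above are one defense-impairment sequence driven by the second-stage copy of the sample (PID 3132 in the WriteProcessMemory table): four reg.exe writes under Policies\System, a Defender exclusion for every .exe, ownership and ACL changes on smartscreen.exe, an allow-all firewall rule in both directions, and a taskkill. Two details are worth noting. The third reg.exe command writes ConsentPromptBehavior, which is not a value Windows reads, and that is why the UAC bypass signature lists only three of the four writes. The icacls /setowner target S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464 is NT SERVICE\TrustedInstaller, so after takeown and /reset the owner is put back and an owner check alone will not reveal the change; the unexpanded %systemroot% in those command lines also shows the tools were started directly rather than through cmd.exe, so whether the file was actually modified should be confirmed from file-system events, which this report does not show. The block below is an added example, not sandbox output: detection rules run over process-creation events constructed from this report's Processes and WriteProcessMemory sections, with the UAC rule keyed on the registry path rather than on value names so that it catches all four writes, and a per-parent correlation that scores the chain rather than any single command. The rule names, severities and the ATT&CK mapping are this example's own.

```python
"""Detection logic over the process-creation chain recorded in this report.

Added example; not part of the sandbox output. EVENTS is constructed from the
Processes section (command lines) and the WriteProcessMemory table (PIDs) of the
report above; it is hand-built, not a real Sysmon/4688 log. The rules are this
example's own, with the ATT&CK IDs public Sigma rules use for these behaviours.
"""
import re
from collections import Counter, defaultdict

TRUSTED_INSTALLER_SID = "S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464"
UAC_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
SMARTSCREEN = r'"%systemroot%\System32\smartscreen.exe"'

EVENTS = [  # (pid, ppid, command line); every child was spawned by the second-stage copy, PID 3132
    (4936, 3132, r'C:\Windows\system32\cmd.exe /c "ver"'),
    (2468, 3132, r'C:\Windows\system32\cmd.exe /c start file/x64/pack64.exe'),
    (4592, 3132, "Powershell -Command Add-MpPreference -ExclusionExtension exe"),
    (1756, 3132, f"reg add {UAC_KEY} /v EnableLUA /t REG_DWORD /d 0 /f"),
    (3992, 3132, f"reg add {UAC_KEY} /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f"),
    (1944, 3132, f"reg add {UAC_KEY} /v ConsentPromptBehavior /t REG_DWORD /d 0 /f"),  # not a real UAC value
    (4228, 3132, f"reg add {UAC_KEY} /v PromptOnSecureDesktop /t REG_DWORD /d 0 /f"),
    (4200, 3132, f"takeown /f {SMARTSCREEN} /a"),
    (3276, 3132, f"icacls {SMARTSCREEN} /reset"),
    (4504, 3132, f"icacls {SMARTSCREEN} /setowner *{TRUSTED_INSTALLER_SID}"),
    (4568, 3132, "netsh advfirewall firewall delete rule name=services"),
    (3556, 3132, "netsh advfirewall firewall add rule name=services protocol=any dir=in action=allow"),
    (3760, 3132, "netsh advfirewall firewall add rule name=services protocol=any dir=out action=allow"),
    (2124, 3132, "taskkill /F /IM obj.exe"),
]

# (rule, ATT&CK technique, severity, regex). The UAC rule keys on the registry path, not
# on a list of known value names, so it also catches the bogus ConsentPromptBehavior
# write that a value-name list (such as the sandbox signature above) skips.
RULES = [
    ("UAC policy value set to 0", "T1548.002", "high",
     r"\breg(\.exe)?\s+add\s+" + re.escape(UAC_KEY) + r"\b.*\s/d\s+0\b"),
    ("Defender exclusion added", "T1562.001", "high", r"\bAdd-MpPreference\s+-Exclusion"),
    ("Ownership/ACL change on a System32 binary", "T1222.001", "high",
     r'\b(takeown|icacls)(\.exe)?\b.*\\System32\\[^\s"]+\.exe'),
    ("Firewall allow-any rule added", "T1562.004", "medium",
     r"\bnetsh\s+advfirewall\s+firewall\s+add\s+rule\b.*protocol=any\b.*action=allow\b"),
    ("Forced process kill", None, "low", r"\btaskkill(\.exe)?\s+/F\s+/IM\s+\S+"),
    ("Secondary executable started via cmd", None, "low", r"\bcmd(\.exe)?\s+/c\s+start\s+\S+\.exe\b"),
]
COMPILED = [(name, tid, sev, re.compile(rx, re.I)) for name, tid, sev, rx in RULES]


def scan(events):
    """One finding per (event, rule) match."""
    findings = []
    for pid, ppid, cmd in events:
        for name, tid, sev, rx in COMPILED:
            if rx.search(cmd):
                detail = ""
                if TRUSTED_INSTALLER_SID in cmd:
                    detail = "owner set to NT SERVICE\\TrustedInstaller after the ACL reset"
                findings.append({"pid": pid, "ppid": ppid, "rule": name, "technique": tid,
                                 "severity": sev, "detail": detail})
    return findings


def count_by_rule(findings):
    return Counter(f["rule"] for f in findings)


def chains(findings, min_rules=3):
    """Parents that drove at least min_rules distinct non-low rules. One process
    orchestrating several defense-impairment steps is a far stronger signal than any
    single command, each of which is also used legitimately by administrators."""
    per_parent = defaultdict(set)
    for f in findings:
        if f["severity"] != "low":
            per_parent[f["ppid"]].add(f["rule"])
    return {ppid: sorted(rules) for ppid, rules in per_parent.items() if len(rules) >= min_rules}


if __name__ == "__main__":
    found = scan(EVENTS)
    for f in found:
        print(f"pid={f['pid']} ppid={f['ppid']} [{f['severity']}] {f['rule']} {f['technique'] or ''} {f['detail']}")
    for ppid, rules in chains(found).items():
        print(f"parent {ppid}: {len(rules)} distinct defense-impairment rules -> escalate")
```

Against these fourteen events the UAC rule fires four times, the ACL rule three times (once with the TrustedInstaller detail), the firewall rule twice for the two add commands and not for the delete, and parent 3132 is the single orchestrator of four distinct non-low rules.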

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 134.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
GB 172.217.16.228:443 www.google.com tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 dl.pro-cheatguide.xyz udp
US 172.67.172.138:443 dl.pro-cheatguide.xyz tcp
US 8.8.8.8:53 138.172.67.172.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
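
Most rows in the Network table are reverse (PTR) lookups of addresses in Microsoft and CDN ranges that the guest resolved during the run; they are a different class of artifact from the two forward lookups that were followed by TCP connections. The only host that looks attributable to the sample is dl.pro-cheatguide.xyz, reached at 172.67.172.138:443, an address inside Cloudflare's 172.64.0.0/13, so the durable indicator is the domain rather than the IP; www.google.com over 443 is most likely a connectivity check and should be verified rather than blocked. The block below is an added example, not part of the report: it parses the table as transcribed, decodes PTR names back to the looked-up address, joins DNS lookups to connections and labels each indicator. The connectivity-check host list and the CDN range are this example's assumptions.

```python
"""Turn the sandbox Network table into a labelled IOC list.

Added example, not part of the report. NETWORK_ROWS is the table above transcribed
as (country, destination, domain, proto). Reverse lookups (in-addr.arpa) are decoded
back to the address that was looked up and reported separately, because they are not
connections the sample made.
"""
import ipaddress
from collections import defaultdict

NETWORK_ROWS = [
    ("US", "8.8.8.8:53", "13.86.106.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "134.190.18.2.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "95.221.229.192.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "69.31.126.40.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "www.google.com", "udp"),
    ("GB", "172.217.16.228:443", "www.google.com", "tcp"),
    ("US", "8.8.8.8:53", "97.17.167.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "dl.pro-cheatguide.xyz", "udp"),
    ("US", "172.67.172.138:443", "dl.pro-cheatguide.xyz", "tcp"),
    ("US", "8.8.8.8:53", "138.172.67.172.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "28.118.140.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "212.20.149.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "206.23.85.13.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "19.229.111.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "79.190.18.2.in-addr.arpa", "udp"),
]

# Assumptions of this example: hosts commonly contacted as a connectivity check, and
# the shared CDN range the contacted address falls in (a weak indicator on its own).
CONNECTIVITY_CHECK_HOSTS = {"www.google.com"}
SHARED_EDGE_RANGES = {"Cloudflare": ipaddress.ip_network("172.64.0.0/13")}


def ptr_to_ip(name: str) -> str:
    """'138.172.67.172.in-addr.arpa' -> '172.67.172.138' (PTR names reverse the octets)."""
    octets = name[: -len(".in-addr.arpa")].split(".")
    return ".".join(reversed(octets))


def triage(rows):
    """Return (iocs, ptr_ips): one record per forward-looked-up or connected name,
    plus the list of addresses that were only reverse-resolved."""
    lookups, connections, ptr_ips = set(), defaultdict(set), set()
    for _country, dest, name, proto in rows:
        if name.endswith(".in-addr.arpa"):
            ptr_ips.add(ptr_to_ip(name))
        elif proto == "udp" and dest.endswith(":53"):
            lookups.add(name)
        elif proto == "tcp":
            connections[name].add(dest)
    iocs = []
    for name in sorted(lookups | set(connections)):
        dests = sorted(connections.get(name, ()))
        if name in CONNECTIVITY_CHECK_HOSTS:
            verdict = "connectivity check (verify before blocking)"
        elif dests:
            verdict = "contacted: candidate download/C2 host"
        else:
            verdict = "resolved only, no connection seen"
        notes = []
        for dest in dests:
            ip = ipaddress.ip_address(dest.rsplit(":", 1)[0])
            for owner, net in SHARED_EDGE_RANGES.items():
                if ip in net:
                    notes.append(f"{ip} is inside {owner} {net}: shared edge, block the domain rather than the IP")
            if str(ip) in ptr_ips:
                notes.append(f"{ip} was also reverse-resolved (PTR) during the run")
        iocs.append({"indicator": name, "destinations": dests, "verdict": verdict, "notes": notes})
    return iocs, sorted(ptr_ips)


if __name__ == "__main__":
    iocs, ptr_ips = triage(NETWORK_ROWS)
    for ioc in iocs:
        print(ioc["indicator"], ioc["destinations"], ioc["verdict"])
        for note in ioc["notes"]:
            print("   ", note)
    print("reverse-resolved only:", ", ".join(ptr_ips))
```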

Files

C:\Users\Admin\AppData\Local\Temp\_MEI48362\ucrtbase.dll

MD5 bd8b198c3210b885fe516500306a4fcf
SHA1 28762cb66003587be1a59c2668d2300fce300c2d
SHA256 ce2621719f1358508c2c33bcc1380d78a737ca20cd18c0ac89f38e1be788d9a2
SHA512 c32b6c083d3a7da01085718e5685e9a04034be91251c065794ceef1dfaaf6573fdd845cbc84e926ab3f510d295649cb6e497564fbe52cc79c053357c645c11a5

C:\Users\Admin\AppData\Local\Temp\_MEI48362\python38.dll

MD5 26ba25d468a778d37f1a24f4514d9814
SHA1 b64fe169690557656ede3ae50d3c5a197fea6013
SHA256 2f3e368f5bcc1dda5e951682008a509751e6395f7328fd0f02c4e1a11f67c128
SHA512 80471bfeeab279ce4adfb9ee1962597fb8e1886b861e31bdff1e3aa0df06d93afeb3a3398e9519bab7152d4bd7d88fa9b328a2d7eb50a91eb60fead268912080

C:\Users\Admin\AppData\Local\Temp\_MEI48362\VCRUNTIME140.dll

MD5 4a365ffdbde27954e768358f4a4ce82e
SHA1 a1b31102eee1d2a4ed1290da2038b7b9f6a104a3
SHA256 6a0850419432735a98e56857d5cfce97e9d58a947a9863ca6afadd1c7bcab27c
SHA512 54e4b6287c4d5a165509047262873085f50953af63ca0dcb7649c22aba5b439ab117a7e0d6e7f0a3e51a23e28a255ffd1ca1ddce4b2ea7f87bca1c9b0dbe2722

C:\Users\Admin\AppData\Local\Temp\_MEI48362\base_library.zip

MD5 09f7062e078379845347034c2a63943e
SHA1 9683dd8ef7d72101674850f3db0e05c14039d5fd
SHA256 7c1c73de4909d11efb20028f4745a9c8494fb4ee8dcf2f049907115def3d2629
SHA512 a169825e9b0bb995a115134cf1f7b76a96b651acd472dc4ce8473900d8852fc93b9f87a26d2c64f7bb3dd76d5feb01eeb4af4945e0c0b95d5c9c97938fa85b34

C:\Users\Admin\AppData\Local\Temp\_MEI48362\python3.dll

MD5 c9f0b55fce50c904dff9276014cef6d8
SHA1 9f9ae27df619b695827a5af29414b592fc584e43
SHA256 074b06ae1d0a0b5c26f0ce097c91e2f24a5d38b279849115495fc40c6c10117e
SHA512 8dd188003d8419a25de7fbb37b29a4bc57a6fd93f2d79b5327ad2897d4ae626d7427f4e6ac84463c158bcb18b6c1e02e83ed49f347389252477bbeeb864ac799

C:\Users\Admin\AppData\Local\Temp\_MEI48362\_ctypes.pyd

MD5 291a0a9b63bae00a4222a6df71a22023
SHA1 7a6a2aad634ec30e8edb2d2d8d0895c708d84551
SHA256 820e840759eed12e19f3c485fd819b065b49d9dc704ae3599a63077416d63324
SHA512 d43ef6fc2595936b17b0a689a00be04968f11d7c28945af4c3a74589bd05f415bf4cb3b4e22ac496490daff533755999a69d5962ccffd12e09c16130ed57fd09

C:\Users\Admin\AppData\Local\Temp\_MEI48362\libffi-7.dll

MD5 eef7981412be8ea459064d3090f4b3aa
SHA1 c60da4830ce27afc234b3c3014c583f7f0a5a925
SHA256 f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081
SHA512 dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

C:\Users\Admin\AppData\Local\Temp\_MEI48362\_lzma.pyd

MD5 cf9fd17b1706f3044a8f74f6d398d5f1
SHA1 c5cd0debbde042445b9722a676ff36a0ac3959ad
SHA256 9209ccc60115727b192bf7771551040ca6fdd50f9bf8c3d2eacbfd424e8245e4
SHA512 5fe922c00c6f7fd3cd9bc56fc51de1f44adffbdb0afc0583f1bb08008be628b9ac16f8560b0c3ba16138e1cdcaf1c525ef24241bed804804cdeb5961aed6385a

C:\Users\Admin\AppData\Local\Temp\_MEI48362\_bz2.pyd

MD5 a49c5f406456b79254eb65d015b81088
SHA1 cfc2a2a89c63df52947af3610e4d9b8999399c91
SHA256 ce4ef8ed1e72c1d3a6082d500a17a009eb6e8ed15022bf3b68a22291858feced
SHA512 bbafeff8c101c7425dc9b8789117fe4c5e516d217181d3574d9d81b8fec4b0bd34f1e1fe6e406ae95584dc671f788cd7b05c8d700baf59fbf21de9c902edf7ae

C:\Users\Admin\AppData\Local\Temp\_MEI48362\api-ms-win-core-string-l1-1-0.dll

MD5 c8196cd707f4a41c4a763b8e6d2ede7a
SHA1 371be162f04e7742246c0d9c9b2ad31a25043978
SHA256 b5082680b5ca71fdea49e8e23efbda2b72f6e1b1a48782b4b63530ee7be19a2c
SHA512 3690d87e9eddf0de7d71bfbab831d80009b572e5c2f181fb23b2966d1249861aeff61ebbb16e46836697b443a0c1af2cfdfc930e9f010b613337ed5ac475a306

C:\Users\Admin\AppData\Local\Temp\_MEI48362\api-ms-win-crt-convert-l1-1-0.dll

MD5 f5d4ef8a0c33cbf321dd51abafd5ffb2
SHA1 c85b87aa33f3fcee76facc1d0fec65f1cc5f1b55
SHA256 053e6f664d1aebe7fd120bf89056f2612b7667e1f71df0dddb504e04c58a508a
SHA512 9d85e5c320699c079df98695641f24d9baada5514435ae9b69c28ad3c3b5c29129cd46d0f8f2398fc94ade30777ed44ca5f75f6e78eb86d64ceb32c71046479c

C:\Users\Admin\AppData\Local\Temp\_MEI48362\api-ms-win-crt-conio-l1-1-0.dll

MD5 21ab8a6f559d1e49c8ffa3cdaf037839
SHA1 87f2edace67ebe04ba869ba77c6f3014d9cb60c0
SHA256 30b677b95de5fcbaa2ae67088822a5feabdb63a53101cc44de83067018b457c8
SHA512 6f117397ee46519a5cf29d3c8a72503861a78a83ccbc56bd4447ab2f4693857147c35292c87cb5ba5efadde97bce3735aedb0275fcabea1006c1621945a44498

C:\Users\Admin\AppData\Local\Temp\_MEI48362\api-ms-win-core-util-l1-1-0.dll

MD5 2d8249636011cf1467be41c8bdf7c765
SHA1 c7edaf6444690db617f58b0506dd979e1f2314a4
SHA256 84ce120aae88dd77a71c30630d409382f2ad22b11be4ccedd1800c4bb2ca4937
SHA512 4732c247b6505c48a41a0c5ba933f2c7dc63301f09ff891f2e50ef765c3eae00d520d9e08cb5229d6e90048aa826caf34a282b5fb80f10a63ee987a60836f9ef

C:\Users\Admin\AppData\Local\Temp\_MEI48362\api-ms-win-crt-environment-l1-1-0.dll

MD5 f5f31dc3b928073274bcdf7b4d4136f9
SHA1 07624699fd428b5e60a5ffdafe3ad1b820aa2b8d
SHA256 5cde06aaddd28e0bb3afe756215d6ae5f2eb20b00413a6a1d2095d81493c5ddd
SHA512 9458453d9530f6652f3580e988ed0f8320268a2a1a4d4a017a00935f6133fc3e8f91e8bbba07b1f628eba1a3822e4a3c3a8b72c2861950e1ede9521dd04868b6

C:\Users\Admin\AppData\Local\Temp\_MEI48362\_asyncio.pyd

MD5 0400b1958d0f7aa0d2ad409ea12ffec7
SHA1 ce1a5c61192ffe489a53f029ac0a95d4abb3d2b9
SHA256 6e25aa5931f175b971dfd05aab7a24cef29edd8f4b524341c414d0577c07a200
SHA512 8790f3f9c69823d55350ea63a1b8ebb3dad64942b6e6752109d2932b3bb848a5101e2a9a4645e93a476a8c4e5c8b27e15eb39b33fcc772a876b0e8ab9fd5eefa

C:\Users\Admin\AppData\Local\Temp\_MEI48362\unicodedata.pyd

MD5 601aee84e12b87ca66826dfc7ca57231
SHA1 3a7812433ca7d443d4494446a9ced24b6774ceca
SHA256 d8091e62c74e1b2b648086f778c3c41ce01f09661a75ea207d3fea2cf26a8762
SHA512 7c2d64623c6cfd66d6729f59909c90aa944e810ff6514c58b2b3142ee90e8660b7ddf7fa187389dd333e47efe8b19e935dd4e9119c15375b69b4880d043877d7

C:\Users\Admin\AppData\Local\Temp\_MEI48362\select.pyd

MD5 e21cff76db11c1066fd96af86332b640
SHA1 e78ef7075c479b1d218132d89bf4bec13d54c06a
SHA256 fcc2e09a2355a5546922874fb4cac92ee00a33c0ed6adbc440d128d1e9f4ec28
SHA512 e86dba2326ca5ea3f5ef3af2abd3c23d5b29b6211acc865b6be5a51d5c8850b7cda8c069e6f631ac62f2047224c4b675bbe6ac97c7ba781de5b8016ebaffd46f

C:\Users\Admin\AppData\Local\Temp\_MEI48362\pyexpat.pyd

MD5 2ae23047648257afa90d0ca96811979f
SHA1 0833cf7ccae477faa4656c74d593d0f59844cadd
SHA256 5caf51f12406bdb980db1361fab79c51be8cac0a2a0071a083adf4d84f423e95
SHA512 13052eb183bb7eb8bb2740ff39f63805b69e920f2e21b482657a9995aa002579a88296b81ec415942511d2ed146689d1868b446f7e698e72da22f5c182706030

C:\Users\Admin\AppData\Local\Temp\_MEI48362\libssl-1_1.dll

MD5 50bcfb04328fec1a22c31c0e39286470
SHA1 3a1b78faf34125c7b8d684419fa715c367db3daa
SHA256 fddd0da02dcd41786e9aa04ba17ba391ce39dae6b1f54cfa1e2bb55bc753fce9
SHA512 370e6dfd318d905b79baf1808efbf6da58590f00006513bdaaed0c313f6fa6c36f634ea3b05f916cee59f4db25a23dd9e6f64caf3c04a200e78c193027f57685

C:\Users\Admin\AppData\Local\Temp\_MEI48362\libcrypto-1_1.dll

MD5 89511df61678befa2f62f5025c8c8448
SHA1 df3961f833b4964f70fcf1c002d9fd7309f53ef8
SHA256 296426e7ce11bc3d1cfa9f2aeb42f60c974da4af3b3efbeb0ba40e92e5299fdf
SHA512 9af069ea13551a4672fdd4635d3242e017837b76ab2815788148dd4c44b4cf3a650d43ac79cd2122e1e51e01fb5164e71ff81a829395bdb8e50bb50a33f0a668

C:\Users\Admin\AppData\Local\Temp\_MEI48362\api-ms-win-crt-utility-l1-1-0.dll

MD5 fcfb6405cf54d78c5baa81a66802918c
SHA1 ffa88fadee5b00f7daf1a10baea98274c590e697
SHA256 91067f7c04812981dd32ea882c7931d128219eb376190500389bc5e60a5a116e
SHA512 cb9f02217d5fb73c91f758f29c5b6d4ed607e75bf94b90a63371902b4910d68f328f406cab6bd1f273382514b4b8e1facb0d6a3f7f09536f7b627dba7e94e80b

C:\Users\Admin\AppData\Local\Temp\_MEI48362\api-ms-win-crt-time-l1-1-0.dll

MD5 1bf2af4deb96801edfde04a763ea4028
SHA1 f6a9a0a603b34d212620f8b513b48039e8576f47
SHA256 e4fd646a54d9a21c52c1480e5ae36bb519a7e2237a026725570776d61a43b5a1
SHA512 42fe94de60a8eb5f3b401047316440a4f36e3184f1cb9e22f750b37627ca2a6199fb55cb950b6e5cfebbe413554128723b17bc421301768ddf9636ad3c9d07d8

C:\Users\Admin\AppData\Local\Temp\_MEI48362\api-ms-win-crt-string-l1-1-0.dll

MD5 1a3292019af01d7a6ed8bc52686840e6
SHA1 e1684c73ae12cd341250d544afcc539856c9bb43
SHA256 e01b24d0fe72ae8d2c76b287d1286741940b84808e4bf11514402a0a6d2706f9
SHA512 941c238c96de015d511bf691e878592ff8c71556ce95b3fba268bf9dc6a2e2ecde3c02b4dff66d3eeaf3b177624b193c42691c692e293982126ef70a10caf48b

C:\Users\Admin\AppData\Local\Temp\_MEI48362\api-ms-win-crt-stdio-l1-1-0.dll

MD5 d263b7ce85efdc007c40aabca5acb255
SHA1 b7fac5089b3990cddc2435138e89da2d5d515032
SHA256 37dfd6cd14f191e97e5f1674422e79febfcae062b4a56959f76ff63803e58a55
SHA512 6bc594fcb1ad5149f27c86674e78bae447e6d3f2e494e2749eaeb15af28a212dad075ec441541b490774770e77377e798a3dced94c1e9b9cfdc4f5c95bf936f6

C:\Users\Admin\AppData\Local\Temp\_MEI48362\api-ms-win-crt-runtime-l1-1-0.dll

MD5 1b923d7b425ee35cc865715e8ff2b920
SHA1 0302fe5cd576c9e28f1e9939ac04ac6ad89e371e
SHA256 fd40b4d21e907f8c168504bba248ca7eed4a84537ceec8a9903112e531b6a406
SHA512 62571b373b969889d07be3fc26146d93fed2955d6e9b336e4fc8f8759db98a8ec4154b6df5244c3b37cd3bfd7f153b2c6be7799845a02e0446c41a6898f82f31

C:\Users\Admin\AppData\Local\Temp\_MEI48362\api-ms-win-crt-process-l1-1-0.dll

MD5 9600008630390e2209199e7791185075
SHA1 7e85b6c55a2d17c0d9ffc96649a92f3e73d6757c
SHA256 0e16041aa9cff135af254e79d85b5f3944bf21e9448bc07f058894eb2013f724
SHA512 8690cde896e5731074c4a703ed0a26fe5fc136a13e57656c3a92ca5a6915ec741d587258e02e60cb4b1ccafd24e110c248641c06f8d839c0c1e235b0318491b8

C:\Users\Admin\AppData\Local\Temp\_MEI48362\api-ms-win-crt-math-l1-1-0.dll

MD5 fd374a7f3079a4f7d96b4c8a1e71b1a3
SHA1 3f3c768239d26cf8c6f83af96131e7b8e85ed017
SHA256 f7117aa5df8fbfed9f625cbe11cd64fdac1220099484b3ae534107d02a99058d
SHA512 3f7d9d632e434ed01588c4eea69483197040588f09fdf0a9acb902ea59664ec2a0257723ab61fbe56545d14462be475919da8f072f5e1e720569cbb3a776110c

C:\Users\Admin\AppData\Local\Temp\_MEI48362\api-ms-win-crt-locale-l1-1-0.dll

MD5 10c18ee8eb974e9f6382917ad3cd7d11
SHA1 3308cd7d9d29e42e137fd348b96545c206ea7096
SHA256 3a292b3ae218086edd2d136fcc9eb65e788caa6933c864908a07f004fecd9972
SHA512 a18769ce5ef8e0da4b9bf997d9c8800e9d715c54f603cac6534cadc0ade3f9c70a0e9fc2e607d1dfd6d7326f9fb4f519466cd0953591494d0376d1624d77f1de

C:\Users\Admin\AppData\Local\Temp\_MEI48362\api-ms-win-crt-heap-l1-1-0.dll

MD5 156da44de8586202cd7badda883b5994
SHA1 de58f32e2172d31a55df26f0d9a0c5ac9880efdd
SHA256 6e0460ea48738b50c8628038368e4e4b425fb6aa5de76f7fe06f2473fabc0e9e
SHA512 a80a316db9fd3f6907e28771bd39c00244f510096eab3daf617c65962bb223c728505a40dc2c3f651cc49df5d7bfa6f660ea1f9889aeb2bcf9b93a2eb6c0503e

C:\Users\Admin\AppData\Local\Temp\_MEI48362\api-ms-win-crt-filesystem-l1-1-0.dll

MD5 861a2fd3afb4557ba49a6d60a02c39bf
SHA1 03622632d5e810b87b806ddfc0ed6ea3d2171b96
SHA256 c1a072b49acb82640104aada665ff948415cc57dfcbc495d4d85b1f18d84a1a3
SHA512 ae20bb93d7661d47048042a3a21d95f0c1b20918f170fee77cd7de2b9367a3f819b39e45cb6c58689603f1670cf3c46cdf6453162f3d88871c794df13460f374

C:\Users\Admin\AppData\Local\Temp\_MEI48362\api-ms-win-core-timezone-l1-1-0.dll

MD5 a84f802749ae5a0aa522f203ece20b7f
SHA1 3c631ce4107b2ffc9a4a06c16d41d7d0ea0a9b2f
SHA256 e4d28023eca5bd147ac645048b18bd7272735da10c30c2dbc83cd1c96703d869
SHA512 52b68a300ae56eb8a3b3f811cc7368afe5d4f1e8ee37b6fdae0878978952041bd5467eaaaec23aab12c1735ed3afd8134b2171b633ee1dae3b159e99d765a71d

C:\Users\Admin\AppData\Local\Temp\_MEI48362\api-ms-win-core-sysinfo-l1-1-0.dll

MD5 705476aaa1ef452e50c61fa56f84d919
SHA1 f86ada80b5c2c528fb328d1aaacc817e538ccc85
SHA256 1d7a5a3cd3185d839d31c83dcb2192a08a80c4a7ec17eae550ab5a4d84b189d9
SHA512 db6fdec0f758a955a4fa888571ad2496f072d9f580895628aa2da143daa4f64c9fbdf5d9a6950bc06ca5f69395c04515d77c1ee45744c4e7600c1e5dd4cd559e

C:\Users\Admin\AppData\Local\Temp\_MEI48362\api-ms-win-core-synch-l1-2-0.dll

MD5 bc03011a527274767effd05f90d26011
SHA1 56659c88000ff70422e818ad827fdcb01f036de2
SHA256 7f840e721c8cd073631f03159565219d24128eaca905668cfc7394889b908b9e
SHA512 600d1163ffb6b7244770a67f2a543b387a33940178dbbc010ad8c5a5e32872bb0d065e1dcf5a985174577922762ccd2b462cf40c1d4d6dc99e07d22daaee098a

C:\Users\Admin\AppData\Local\Temp\_MEI48362\api-ms-win-core-synch-l1-1-0.dll

MD5 4219b20d53c2c6b533ae93ed45876351
SHA1 8973762e7c4ace85a1d9aaa1dd35fac6bd48c0ed
SHA256 c75a838ff92199678df2ad04a31f609309967cf6b66d34c58d26eb3909e6daa5
SHA512 b73fc539d6a36e38a557d3dcf44fabd1500ccea9c9c10c0101104b10d1923e46cd78be0791b9fcbb1603da7a1ccd33e6a3e3b807bc5f5448d24e44351b5e100d

C:\Users\Admin\AppData\Local\Temp\_MEI48362\_multiprocessing.pyd

MD5 5cadb7186df07ca4ca5a8654cb00c9f1
SHA1 513b9160a849a3d7d510f59ffa5e201809d0161b
SHA256 54c28dcf2f2a72fc854f49c76fb021bbf2b53675fe5b5ed021c61efe9467197b
SHA512 f853c618ca243b5da04e53079d3e6a0c6a9e4e358bb5020196b49638f28bf4171a487db7ce0e5e2c46df6a643c04434f967f1c614086121d1edddcf891f5a409

C:\Users\Admin\AppData\Local\Temp\_MEI48362\_decimal.pyd

MD5 a2b554d61e6cf63c6e5bbafb20ae3359
SHA1 26e043efdaaa52e9034602cebeb564d4f9714a7f
SHA256 30eea56a4d1dd78f9d65fcb6168ab189cfa8098c38aad47ee770756a056749ca
SHA512 5ea99fa23e7657e9f01dc155741d5f93945a2e6c90f1494873aa7c35a8da0001815b31b387b239ef7de1695b8f416028166dd94db259d246d8dc10a37e20da97

C:\Users\Admin\AppData\Local\Temp\_MEI48362\_hashlib.pyd

MD5 5e5af52f42eaf007e3ac73fd2211f048
SHA1 1a981e66ab5b03f4a74a6bac6227cd45df78010b
SHA256 a30cf1a40e0b09610e34be187f1396ac5a44dcfb27bc7ff9b450d1318b694c1b
SHA512 bc37625005c3dad1129b158a2f1e91628d5c973961e0efd61513bb6c7b97d77922809afca8039d08c11903734450bc098c6e7b63655ff1e9881323e5cfd739fd

C:\Users\Admin\AppData\Local\Temp\_MEI48362\api-ms-win-core-rtlsupport-l1-1-0.dll

MD5 7db9f8a411f116ba765000e6500fb926
SHA1 4267018a03d814b8963ab1e256ee9ea8f0a33fed
SHA256 f8dd900d459335eedbe3855f1ba7858e19dfc0d348ebd25e6548d4ecb0da61b1
SHA512 54f4c79747e2de6f26bef354a4328fe7f596b8d8ac0f2c14220e8998a1980553a09bca61756316e12846b502cacc45ab4f90efcff0deb3c9e39037e5cc52556c

C:\Users\Admin\AppData\Local\Temp\_MEI48362\api-ms-win-core-profile-l1-1-0.dll

MD5 0b786fa5d778e0ea9a2175263320ee8c
SHA1 83553ac046847ab0c852403e512e748b73be5dec
SHA256 a124c3f8402636219e06beb708d8be67f6dbaa7ff4f6d402b50734230fcfba1b
SHA512 bb29f985653105e23f52f381bef5ac1f8d1a34d1eca4678f50fc6f308860104d073fc1551f42ae4f460c32366e95c95f7d9bf84b34b7ff48bd3921904f94607a

C:\Users\Admin\AppData\Local\Temp\_MEI48362\api-ms-win-core-processthreads-l1-1-1.dll

MD5 004f7f67994de33959d6480ef4d4f515
SHA1 76e83db625d504d1feec5dec918552f9ec51c4c3
SHA256 053a83b3f8ac76232952bdb8fb5c5067f06ba48f82b474829c25326adbd26361
SHA512 d187950683c79b1dffe4432fb476071a203cb14d7987377f71538b81fd36077f181fb7d64e9e4e30099f239764e6cbb501b65c095cd4532bc0b2ab9fbd7755a3

C:\Users\Admin\AppData\Local\Temp\_MEI48362\api-ms-win-core-processthreads-l1-1-0.dll

MD5 624033b39b9c5e1eb13d5ede2d213ddf
SHA1 055995c888275105e3560f07a2442e28295588f6
SHA256 83a0079fbf50719b46275f9cc5675a299c987862ba7ad3ad0ee5f6e714400af5
SHA512 1200daec55e5f5e80489022efe3ee67baae64278f9289e828deb8a3507355e2d643e9fefa7cf21c2056b4c5458270ef605697f38c3f3cacd41d23e3ded3c7ef8

C:\Users\Admin\AppData\Local\Temp\_MEI48362\api-ms-win-core-processenvironment-l1-1-0.dll

MD5 9ce4f24efdf1a23bd71206b870b2a049
SHA1 2faac945038e108b21c5f9a0c175622f65f30072
SHA256 f4cae758d318b23e76ddf50202768f4cbea9cc16d36114f4cecb15957206e4af
SHA512 86c4db450bd26bfa007c032514e862a026e0317a48d1b05cf489b30b33985f01b98eafff2073d86028622694599070d80c95ae6b4c31b4832c55c6261575019c

C:\Users\Admin\AppData\Local\Temp\_MEI48362\api-ms-win-core-namedpipe-l1-1-0.dll

MD5 a8d532500495d617ca1b9f5525494486
SHA1 9542ccb68fd7e5337953c25fb33589c486d98788
SHA256 c0d62d6a9350e66fb144e297c49ae2a8efb997148807a60dbac1aa95c88fa8f4
SHA512 68cdfcf37a60931567f341c4b1cf2751123a90733622daa1c02d2a8937b32d7faa4537fc4f93d238cff6f2fab11f7710c1dc15812d1ba028898f8a4dfb0cd10d

C:\Users\Admin\AppData\Local\Temp\_MEI48362\api-ms-win-core-memory-l1-1-0.dll

MD5 db31bdb3725819fc5c5df30c608673c3
SHA1 5253f48e153b9c722acac8ee558e9a6091f5ee3e
SHA256 3115632c9bea1ccdeb7747689aa65fa36291788339793fce306afb03ca748a6c
SHA512 5db501b57d129511afa868716d82f27b8505be5c0e2edb5c1509b38b2537f14586da71c4424055bfe1b812f333e3f30d63e52501700ccdf848a37e49a0235cbd

C:\Users\Admin\AppData\Local\Temp\_MEI48362\api-ms-win-core-localization-l1-2-0.dll

MD5 3018f5b28a9e26395b7933ebcfd6f40c
SHA1 ea38f03430f1a54e9b37e9694eabc7487b6e7201
SHA256 0c62b8ab1e5f30d4a9eadcd412677e0ab5e4e9304f0870a4ee562f08d09ccc7e
SHA512 f9a81f4565d083f30049ee8e4c4da996ba86c7c20e58d3dcd102eb41ab58c6d94941545ea2ee3aa538d352847efdd84376144ff852bdef4ea3c54dab4e5ced47

C:\Users\Admin\AppData\Local\Temp\_MEI48362\api-ms-win-core-libraryloader-l1-1-0.dll

MD5 465c8ca52d6a5ebb8cdddaddcc6255c2
SHA1 d51db3b2382a0457533350e687489d91a229e5e8
SHA256 e68ff1811bfe8cd7682c45a1d562c90ccb35a70971cd75d195c7773d668e1dc4
SHA512 0641ef1524c00183c0693ee301ab0d982d4ba4bdc1326294d20a9cdd8f5c1af16a0038c6fd11d490a1db09221c6729fe03e6329a4262d6055bb5b37b32f8b393

C:\Users\Admin\AppData\Local\Temp\_MEI48362\api-ms-win-core-interlocked-l1-1-0.dll

MD5 d0da5a427b151f8c524948d13c51cab4
SHA1 a51ac6ba7814188b669c7abbfdee535d798f05e1
SHA256 65912b7d8ad3423ad4609b9e2e3c262647d5273706796f043c9b515f1e8c78f2
SHA512 01ef7f3c43ac8e81e25edd324f56f7916ff990cf7350f582a0e2ce67ed54f584bb72d95d8faf129964351771f5099e36e8f02f1b067cf05b3349b64ea696bcde

C:\Users\Admin\AppData\Local\Temp\_MEI48362\api-ms-win-core-heap-l1-1-0.dll

MD5 065dff75d5e5a28bbf5b2e1b7b3fbf5c
SHA1 c4dc31ea4888e5e7ca5e8155f0eafe25ad781073
SHA256 59d807fe256fc61866ee54dc4f18bb4f8901d902f7e23b15ecbf7b7a4dc6fc5f
SHA512 067ae4cab058be6bfca080c95ea5123413e11b7ff6a84eccc10d750fac2719ee5d86a6362d0d4155b54ace6c4d44d7a55b627236ebea7d3fd0b9620ed2f10a57

C:\Users\Admin\AppData\Local\Temp\_MEI48362\api-ms-win-core-handle-l1-1-0.dll

MD5 d525807d6a2d16bd9b8b22ffe99b7c26
SHA1 2f78df1d946a2de936c3f9b6cc88fe401aa74b72
SHA256 1ab5fe4396f72938193a8ce5e18fcb522f84dd24591f39ec1302fc822f875496
SHA512 013b2c635e6be446096de81a2003e1f65658d203f5f6eae3477cd54ea5ff3eec929ed41cf6e33a61aaa201ca920cdf9f96eb34eb8ebd526146d2da2910a3a9d1

C:\Users\Admin\AppData\Local\Temp\_MEI48362\api-ms-win-core-file-l2-1-0.dll

MD5 4a18beda5038c5203993191431b98d62
SHA1 facba10698a89a42c0e419bac056366e809dedc0
SHA256 3144bccc1385efc1ff204442a5aecc0a990776341a268fad15aa605449fca04a
SHA512 fd4a1963babe134202c5b9c97b8a83c0dc1c7e58f04a5cb12f6ccf7ae6ac41f13303fb3d01052e2b670805a7e2d21c193ee888e98e68054dd52b9bdc636a7597

C:\Users\Admin\AppData\Local\Temp\_MEI48362\api-ms-win-core-file-l1-2-0.dll

MD5 cb3e0dd38c444938ce1c189aadd29a3f
SHA1 45b985ccd1d30c67c757580d4e9abe6ca7be4dd7
SHA256 b2d983883afd758913a7db54222a2db4bfeb1051b0c0f92e8faae93c0bc90fc4
SHA512 cde637e676819a05cfe6f757bcb6a1aca72bd7d4422e7cedfbf9d8ba42b47eac7868a821fce93e6d0f1de20672a8de7362f9dba0066db812c74e060134fc293e

C:\Users\Admin\AppData\Local\Temp\_MEI48362\api-ms-win-core-file-l1-1-0.dll

MD5 aa766b098462eff6f0f129b5c6ef1c5e
SHA1 3be25b0d330586a08c317d97ea139d096b35b0b6
SHA256 34790e8f47a8f478a4ba4f89695cea1be64d16ff416542ec3036acb5633009ed
SHA512 3fd9e39cd161e164c9c3f42140a5659f516416985238f93c97bfa9079ab203cd7f920c675fc891fddcab683c52d876838cb623c26d7a3c8b7a0c1799dcfada11

C:\Users\Admin\AppData\Local\Temp\_MEI48362\api-ms-win-core-errorhandling-l1-1-0.dll

MD5 94671f5b4c8cbaaa25b6948b9af8eacd
SHA1 71ad4f949f80efca1bb493f6678c8afeeb923646
SHA256 5eb1c0679756b46c57acaf600246ceff260b88f602215e4a94231ef0c30b0af7
SHA512 10247a1f40f429ef22b68c51c9df4cff7c64f79fe09485a1a7f4fd6fd3f9b13801f6336ed6a7c1804918dc1e78660f6f4126c8052bfc0cff15906c941bbee12c

C:\Users\Admin\AppData\Local\Temp\_MEI48362\api-ms-win-core-debug-l1-1-0.dll

MD5 2882b2bcd74b4d79e21f5349da2931bc
SHA1 ebeaff6f40ea6148193a9cc3368e8d9894fd53d4
SHA256 dcafa02c5e11d38c590754ee6a23dc65c3342308bb28435efb75de914f2b3652
SHA512 3d8e97f67217ed52c60b0fb871e2d0fa163fe1a1fb42c2888813d496fae9ef621f8daeed7984f8368d3b6de45857013df5d77e1694cfd5f4d95bc219bef82fd1

C:\Users\Admin\AppData\Local\Temp\_MEI48362\api-ms-win-core-datetime-l1-1-0.dll

MD5 727e82d02106289000923bef8916771b
SHA1 5e5edad1487e1553d8017f49b54289162ed3a516
SHA256 93ebce911997392650aee0f22b72687787c55c7a4a731724a58c45dc3e1f6cc6
SHA512 ec8a3faa00463db6bf24e7cb764fd6a17f4a3df4cd21810eeef5f2684c0cab0c1cb2bafb5074fe3641cfee2814e0defa938fc9a881ed7dbd5c1b34ede9858946

C:\Users\Admin\AppData\Local\Temp\_MEI48362\api-ms-win-core-console-l1-1-0.dll

MD5 3127e73e09b2f660dbb1b6a3e23159ca
SHA1 d121de4d3cc1788317015f61b3abcea651830c2c
SHA256 a3db4aca7b1ba6f802df24916f086e4a803093ffb29f8902c18b8a09aa18ddcb
SHA512 8daf52fddb4066fd4106fab0c1c34e7bab4522230090242783ed1838a49da3de9453c4cb8379c03112b9c1d353cc3c32e0eef20890429f62209082ade9464cb5

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jjyhksxs.14x.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4592-140-0x000001C9CB1A0000-0x000001C9CB1C2000-memory.dmp