Malware Analysis Report

2025-01-22 08:27

Sample ID 241026-fyht8axqar
Target TEST..exe
SHA256 b4a5392fe433b3647a8b9e9d8d42475dd1c9c8519798edbab270f0506559d4e3
Tags
pyinstaller discovery execution persistence privilege_escalation spyware stealer upx
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

b4a5392fe433b3647a8b9e9d8d42475dd1c9c8519798edbab270f0506559d4e3

Threat Level: Likely malicious

The file TEST..exe was found to be: Likely malicious.

Malicious Activity Summary

pyinstaller discovery execution persistence privilege_escalation spyware stealer upx

Command and Scripting Interpreter: PowerShell

Loads dropped DLL

Reads user/profile data of web browsers

Drops startup file

Legitimate hosting services abused for malware hosting/C2

UPX packed file

Unsigned PE

Detects Pyinstaller

System Network Configuration Discovery: Wi-Fi Discovery

Browser Information Discovery

Event Triggered Execution: Netsh Helper DLL

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-26 05:16

Signatures

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
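The two static signatures above record only that the file is a PyInstaller bundle and that UPX was found; neither row carries an indicator. The Python script below is an added example for this report, not the sandbox's signature engine, and shows the two checks a triage script can run on the raw bytes: locating the PyInstaller CArchive cookie (the 8-byte magic MEI\x0c\x0b\x0a\x0b\x0e followed by archive lengths, the encoded Python version and the bundled Python library name, in the 88-byte layout used since PyInstaller 2.1) and reading the PE section table for the UPX0/UPX1 names that UPX's stock stub leaves behind. The bytes in _build_sample() are constructed so the script runs offline; the cookie values in it (Python 3.13, python313.dll) were chosen to match the runtime files this report lists under Files and are not read from TEST..exe.

```python
"""Static triage: detect a PyInstaller CArchive cookie and UPX section names.

Added example for this report; not part of the sandbox, PyInstaller or UPX.
The sample bytes are constructed below so the script runs offline.
"""
import struct

PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
# CArchive cookie (PyInstaller >= 2.1): magic, len_pkg, toc_pos, toc_len, pyvers, pylib_name
COOKIE_FORMAT = "!8sIIii64s"
COOKIE_SIZE = struct.calcsize(COOKIE_FORMAT)  # 88 bytes


def find_pyinstaller_cookie(data: bytes):
    """Return the parsed cookie as a dict, or None if no cookie is present.

    The bootloader searches backwards from EOF for the magic because data such
    as an Authenticode signature may follow the archive, so do the same instead
    of assuming the cookie is the final 88 bytes of the file.
    """
    pos = data.rfind(PYINSTALLER_MAGIC)
    if pos < 0 or pos + COOKIE_SIZE > len(data):
        return None
    _magic, len_pkg, toc_pos, toc_len, pyvers, pylib = struct.unpack_from(COOKIE_FORMAT, data, pos)
    if pyvers >= 100:            # PyInstaller >= 4 encodes major*100 + minor (313 -> 3.13)
        major, minor = divmod(pyvers, 100)
    else:                        # legacy two-digit encoding (27 -> 2.7, 36 -> 3.6)
        major, minor = divmod(pyvers, 10)
    return {
        "cookie_offset": pos,
        "package_length": len_pkg,
        "toc_position": toc_pos,
        "toc_length": toc_len,
        "python_version": f"{major}.{minor}",
        "python_lib": pylib.split(b"\x00", 1)[0].decode("ascii", "replace"),
    }


def pe_section_names(data: bytes):
    """Return the section names of a PE file, or [] if the headers do not parse."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return []
    coff = e_lfanew + 4                                   # COFF file header
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    sect = coff + 20 + size_opt                           # first IMAGE_SECTION_HEADER
    names = []
    for i in range(num_sections):
        off = sect + i * 40
        if off + 40 > len(data):
            break
        names.append(data[off:off + 8].rstrip(b"\x00").decode("ascii", "replace"))
    return names


def looks_upx_packed(data: bytes) -> bool:
    """UPX's stock stub names its sections UPX0/UPX1 (UPX2 for resources).
    Packers that rename sections defeat this, so it is a hint, not proof."""
    return any(n.startswith("UPX") for n in pe_section_names(data))


def static_triage(data: bytes) -> dict:
    cookie = find_pyinstaller_cookie(data)
    return {"pyinstaller": cookie is not None, "upx": looks_upx_packed(data), "cookie": cookie}


def _build_sample() -> bytes:
    """Constructed stand-in for TEST..exe: a minimal PE header with UPX section
    names, padding, a PyInstaller cookie and a short trailing overlay.
    These are NOT the real sample's bytes."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew: PE header right after DOS header
    coff = bytearray(20)
    struct.pack_into("<HH", coff, 0, 0x8664, 2)      # Machine = x64, NumberOfSections = 2
    struct.pack_into("<H", coff, 16, 0)              # SizeOfOptionalHeader = 0 (omitted here)
    sections = b"UPX0".ljust(8, b"\x00") + bytes(32) + b"UPX1".ljust(8, b"\x00") + bytes(32)
    body = bytes(dos) + b"PE\x00\x00" + bytes(coff) + sections + bytes(256)
    cookie = struct.pack(COOKIE_FORMAT, PYINSTALLER_MAGIC, 0x1000, 0x0F00, 0x100, 313,
                         b"python313.dll".ljust(64, b"\x00"))
    return body + cookie + bytes(16)


SAMPLE = _build_sample()

if __name__ == "__main__":
    print(static_triage(SAMPLE))
```

On a real file, read it in binary and pass the bytes to static_triage(); a positive cookie hit with python_lib naming the interpreter DLL is what makes the _MEIxxxxx directory under %TEMP% predictable before detonation.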

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-26 05:16

Reported

2024-10-26 05:18

Platform

win11-20241023-en

Max time kernel

8s

Max time network

7s

Command Line

"C:\Users\Admin\AppData\Local\Temp\TEST..exe"

Signatures

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TEST..exe C:\Users\Admin\AppData\Local\Temp\TEST..exe N/A

Note: a copy placed in the per-user Startup folder runs at every interactive logon of that user (ATT&CK T1547.001). The export does not list this file under Files, so its hash is not recorded here; compare it against the submitted sample's SHA256 to confirm it is a straight copy rather than a modified drop.

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\TEST..exe N/A
(45 identical events recorded; the export does not name the loaded DLLs. This is consistent with the PyInstaller child process loading the runtime DLLs and .pyd extension modules it had just extracted to C:\Users\Admin\AppData\Local\Temp\_MEI49162, all of which are listed under Files.)

Reads user/profile data of web browsers

spyware stealer

(No indicator rows in the export. The visible result of this activity is the staging output under Files: C:\Users\Admin\AppData\Local\Temp\GT6P8jaVO5\Browser\history.txt and cc's.txt.)

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
(64 matches recorded; the export does not identify which files matched.)

Browser Information Discovery

discovery

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A

Note: all three events are reads of the NetSh key by netsh.exe itself, which it performs on every launch to load its registered helper DLLs; here it was started by the sample to run "netsh wlan show profiles". No write to this key by the sample or its children was recorded, so this signature does not by itself show that a helper DLL was registered for persistence or privilege escalation.

System Network Configuration Discovery: Wi-Fi Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\TEST..exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Note: the TEST..exe row is consistent with the bundled psutil module (psutil\_psutil_windows.pyd under Files), which enables SeDebugPrivilege when imported so it can query other processes, and would also account for the EnumeratesProcesses behaviour listed in the summary. The four powershell.exe rows correspond to the four Defender-tampering invocations listed under Processes.

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4916 wrote to memory of 3156 (recorded twice) N/A C:\Users\Admin\AppData\Local\Temp\TEST..exe C:\Users\Admin\AppData\Local\Temp\TEST..exe
PID 3156 wrote to memory of 3092 (recorded twice) N/A C:\Users\Admin\AppData\Local\Temp\TEST..exe C:\Windows\system32\cmd.exe
PID 3092 wrote to memory of 932 (recorded twice) N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3156 wrote to memory of 2680 (recorded twice) N/A C:\Users\Admin\AppData\Local\Temp\TEST..exe C:\Windows\system32\cmd.exe
PID 2680 wrote to memory of 804 (recorded twice) N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2680 wrote to memory of 5112 (recorded twice) N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2680 wrote to memory of 4824 (recorded twice) N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2680 wrote to memory of 4016 (recorded twice) N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Note: every target is a direct child of the writing process, so these are the writes a parent makes into a child it has just created (normal CreateProcess behaviour), not injection into an unrelated process. The rows therefore give the process tree: 4916 TEST..exe -> 3156 TEST..exe -> {3092 cmd.exe -> 932 netsh.exe; 2680 cmd.exe -> 804, 5112, 4824, 4016 powershell.exe}. The first pair (TEST..exe into a second TEST..exe) is the PyInstaller onefile bootloader relaunching itself after extracting its runtime to _MEI49162.

Processes

Process tree. PIDs and parent/child links are taken from the WriteProcessMemory rows above, which record each parent writing into the child it has just created; powershell.exe PIDs are matched to command lines by order of appearance.

4916 C:\Users\Admin\AppData\Local\Temp\TEST..exe
"C:\Users\Admin\AppData\Local\Temp\TEST..exe"
PyInstaller onefile bootloader: extracts the bundled runtime to C:\Users\Admin\AppData\Local\Temp\_MEI49162 (see Files) and relaunches itself.

  3156 C:\Users\Admin\AppData\Local\Temp\TEST..exe
  "C:\Users\Admin\AppData\Local\Temp\TEST..exe"
  Child copy that runs the bundled Python payload; parent of both cmd.exe instances below.

    3092 C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"

      932 C:\Windows\system32\netsh.exe
      netsh wlan show profiles

    2680 C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\AppData" & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\Local" & powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe'" "

      804 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend

      5112 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\AppData"

      4824 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\Local"

      4016 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe'"

Notes on the Defender-tampering chain (PID 2680):

The cmd.exe command line chains five PowerShell invocations, but only four powershell.exe processes were created. The missing one is "powershell Set-MpPreference -SubmitSamplesConsent 2", which is joined with "&&" and so runs only if the preceding powershell.exe exited with code 0. Its absence means the first Set-MpPreference invocation returned an error; the report does not record why (Set-MpPreference requires elevation, and on a Windows 11 host with Tamper Protection enabled it cannot turn off real-time monitoring). Treat the Defender changes as attempted, not confirmed, unless the host's Defender state is checked.

The remaining three invocations are joined with "&" and ran regardless of earlier failures. The exclusion for C:\Users\Admin\Local (expanded from %USERPROFILE%\Local) names a directory that does not normally exist; the sample's own working directory under AppData\Local is already covered by the %USERPROFILE%\AppData exclusion. "-ExclusionExtension '.exe'", if it took effect, excludes every executable on the host from scanning.

Network

Country Destination Domain Proto
US 8.8.8.8:53 raw.githubusercontent.com udp

Note: the only traffic captured in the 7 s network window is a UDP DNS query to 8.8.8.8 for raw.githubusercontent.com. No HTTP(S) connection to GitHub and no downloaded content appear in the report, so the "Legitimate hosting services abused for malware hosting/C2" signature rests on the domain lookup alone; which repository or file the sample retrieves, and whether it is a second stage or configuration, cannot be determined from this run.
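The signatures, process list and network row above are the raw evidence. The Python script below is an added example for this report, not the sandbox's own rule set; it turns the same kinds of events into ATT&CK-mapped findings and encodes the distinctions a reviewer of this report has to make: Set-/Add-MpPreference tampering (T1562.001) versus a harmless Get-MpPreference, "netsh wlan show profiles" (T1016.002) versus the higher-severity key=clear form that dumps Wi-Fi passwords (not seen in this run), a drop into a Startup folder (T1547.001), the __PSScriptPolicyTest_*.ps1 file that powershell.exe writes on every start (benign noise to suppress rather than flag), and a DNS lookup of a legitimate hosting service, which on its own is low confidence. The events in SAMPLE_EVENTS are constructed from the command lines, paths and domain in this report; the technique IDs, severities, staging-file names and the LEGIT_HOSTING domain list are the example's own choices.

```python
"""Classify sandbox events (process, file, DNS) into ATT&CK-mapped findings.

Added example for this report; it is not the sandbox's own signature engine.
SAMPLE_EVENTS is constructed from the command lines, paths and domain visible
in the report.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    kind: str     # "process" (detail = command line), "file" (created path), "dns" (queried domain)
    process: str  # image path of the acting process
    detail: str


@dataclass(frozen=True)
class Finding:
    technique: str  # ATT&CK ID, or "-" for benign noise that is worth suppressing
    severity: str   # "info" | "low" | "medium" | "high"
    summary: str
    event: Event


# Defender tampering via Set-/Add-MpPreference (T1562.001). The alternatives are the
# switches present in this sample's command line plus the numeric form of
# -SubmitSamplesConsent (2 == NeverSend). Get-MpPreference does not match.
DEFENDER_TAMPER = re.compile(
    r"(?:Set|Add)-MpPreference\b.*?(?:"
    r"-Disable\w+\s+\$?true\b|-ExclusionPath\b|-ExclusionExtension\b|"
    r"-MAPSReporting\s+Disabled\b|-SubmitSamplesConsent\s+(?:NeverSend|2)\b|"
    r"-EnableControlledFolderAccess\s+Disabled\b)",
    re.IGNORECASE,
)
# Wi-Fi profile enumeration (T1016.002); "key=clear" additionally reveals the PSK.
WLAN_DISCOVERY = re.compile(r"\bnetsh(?:\.exe)?\s+wlan\s+show\s+profiles?\b", re.IGNORECASE)
WLAN_KEY_CLEAR = re.compile(r"\bkey\s*=\s*clear\b", re.IGNORECASE)
# Per-user or all-users Startup folder (T1547.001).
STARTUP_FOLDER = re.compile(r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
# powershell.exe writes this probe file at start-up to test script policy; benign noise.
PS_POLICY_TEST = re.compile(r"\\__PSScriptPolicyTest_\w+\.\w+\.ps1$", re.IGNORECASE)
# Stealer-style staging output; illustrative names chosen for this example.
STEALER_STAGING = re.compile(r"\\(?:history|cookies|passwords|cc'?s|autofill|cards)\.txt$", re.IGNORECASE)
# Legitimate hosting services often used to serve payloads or configuration (T1102).
LEGIT_HOSTING = {"raw.githubusercontent.com", "objects.githubusercontent.com", "github.com"}

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3}


def classify(event: Event) -> list[Finding]:
    """Return zero or more findings for a single event."""
    out: list[Finding] = []
    if event.kind == "process":
        if DEFENDER_TAMPER.search(event.detail):
            out.append(Finding("T1562.001", "high", "Defender settings or exclusions changed via MpPreference", event))
        if WLAN_DISCOVERY.search(event.detail):
            if WLAN_KEY_CLEAR.search(event.detail):
                out.append(Finding("T1016.002", "high", "Wi-Fi profile dumped with cleartext key", event))
            else:
                out.append(Finding("T1016.002", "medium", "Wi-Fi profile enumeration", event))
    elif event.kind == "file":
        if PS_POLICY_TEST.search(event.detail):
            out.append(Finding("-", "info", "PowerShell script-policy probe file (benign start-up noise)", event))
        elif STARTUP_FOLDER.search(event.detail):
            out.append(Finding("T1547.001", "high", "File dropped into a Startup folder", event))
        elif STEALER_STAGING.search(event.detail):
            out.append(Finding("T1217", "medium", "Browser data written to a staging file", event))
    elif event.kind == "dns":
        if event.detail.lower() in LEGIT_HOSTING:
            out.append(Finding("T1102", "low", f"Lookup of legitimate hosting service {event.detail}", event))
    return out


def triage(events: list[Event]) -> tuple[list[Finding], list[str], str]:
    """Classify all events; return (findings, sorted technique IDs, worst severity)."""
    findings = [f for e in events for f in classify(e)]
    techniques = sorted({f.technique for f in findings if f.technique != "-"})
    worst = max((f.severity for f in findings), key=SEVERITY_RANK.__getitem__, default="info")
    return findings, techniques, worst


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed from this report's process, file and network rows
    Event("process", r"C:\Windows\system32\cmd.exe", 'C:\\Windows\\system32\\cmd.exe /c "netsh wlan show profiles"'),
    Event("process", PS, "powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true "
          "-DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true "
          "-EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force "
          "-MAPSReporting Disabled -SubmitSamplesConsent NeverSend"),
    Event("process", PS, 'powershell.exe -inputformat none -outputformat none -NonInteractive '
          '-Command "Add-MpPreference -ExclusionPath C:\\Users\\Admin\\AppData"'),
    Event("process", PS, "powershell.exe -command \"Set-MpPreference -ExclusionExtension '.exe'\""),
    Event("file", r"C:\Users\Admin\AppData\Local\Temp\TEST..exe",
          r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TEST..exe"),
    Event("file", PS, r"C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4k1wnicz.chy.ps1"),
    Event("file", r"C:\Users\Admin\AppData\Local\Temp\TEST..exe",
          r"C:\Users\Admin\AppData\Local\Temp\GT6P8jaVO5\Browser\cc's.txt"),
    Event("dns", r"C:\Users\Admin\AppData\Local\Temp\TEST..exe", "raw.githubusercontent.com"),
]

if __name__ == "__main__":
    findings, techniques, worst = triage(SAMPLE_EVENTS)
    for f in findings:
        print(f"[{f.severity:6}] {f.technique:10} {f.summary}")
    print("techniques:", ", ".join(techniques), "| worst:", worst)
```

Feeding the eight constructed events through triage() yields five technique IDs and a worst severity of "high" driven by the three MpPreference invocations and the Startup drop, while the PowerShell policy-probe file is reported as "info" so it is not mistaken for attacker activity. The DNS finding stays "low" because, as in this report, a lookup alone does not show what was fetched.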

Files

Note: the dropped files fall into three groups. Everything under C:\Users\Admin\AppData\Local\Temp\_MEI49162\ is the PyInstaller runtime unpacked by the bootloader: the interpreter (python313.dll, so the payload is built for Python 3.13), its extension modules (*.pyd), the VC runtime, OpenSSL (libcrypto-3.dll, libssl-3.dll) and bundled third-party packages that hint at the payload's capabilities: psutil (process enumeration), charset_normalizer and certifi (dependencies of requests, i.e. HTTP client code), Cryptodome cipher modules (pycryptodomex) and sqlite3.dll (consistent with reading Chromium profile databases, which are SQLite files). C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4k1wnicz.chy.ps1 is written by powershell.exe itself at start-up to probe script execution policy and is not attacker content. C:\Users\Admin\AppData\Local\Temp\GT6P8jaVO5\Browser\history.txt and cc's.txt are the stealer's staging output (browser history and, by the file name, payment-card data collected from the browser profile); their hashes identify what was collected on this particular VM and are not reusable indicators. The memory/<pid>-<n>-<start>-<end>-memory.dmp entries are the sandbox's dumps of modules mapped into PID 3156 (the Python child) and PID 804 (the first powershell.exe).

C:\Users\Admin\AppData\Local\Temp\_MEI49162\setuptools\_vendor\importlib_resources-6.4.0.dist-info\INSTALLER

MD5 365c9bfeb7d89244f2ce01c1de44cb85
SHA1 d7a03141d5d6b1e88b6b59ef08b6681df212c599
SHA256 ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508
SHA512 d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

C:\Users\Admin\AppData\Local\Temp\_MEI49162\setuptools\_vendor\jaraco.functools-4.0.1.dist-info\LICENSE

MD5 141643e11c48898150daa83802dbc65f
SHA1 0445ed0f69910eeaee036f09a39a13c6e1f37e12
SHA256 86da0f01aeae46348a3c3d465195dc1ceccde79f79e87769a64b8da04b2a4741
SHA512 ef62311602b466397baf0b23caca66114f8838f9e78e1b067787ceb709d09e0530e85a47bbcd4c5a0905b74fdb30df0cc640910c6cc2e67886e5b18794a3583f

C:\Users\Admin\AppData\Local\Temp\_MEI49162\setuptools\_vendor\jaraco.text-3.12.1.dist-info\WHEEL

MD5 43136dde7dd276932f6197bb6d676ef4
SHA1 6b13c105452c519ea0b65ac1a975bd5e19c50122
SHA256 189eedfe4581172c1b6a02b97a8f48a14c0b5baa3239e4ca990fbd8871553714
SHA512 e7712ba7d36deb083ebcc3b641ad3e7d19fb071ee64ae3a35ad6a50ee882b20cd2e60ca1319199df12584fe311a6266ec74f96a3fb67e59f90c7b5909668aee1

C:\Users\Admin\AppData\Local\Temp\_MEI49162\python313.dll

MD5 6ef5d2f77064df6f2f47af7ee4d44f0f
SHA1 0003946454b107874aa31839d41edcda1c77b0af
SHA256 ab7c640f044d2eb7f4f0a4dfe5e719dfd9e5fcd769943233f5cece436870e367
SHA512 1662cc02635d63b8114b41d11ec30a2af4b0b60209196aac937c2a608588fee47c6e93163ea6bf958246c32759ac5c82a712ea3d690e796e2070ac0ff9104266

C:\Users\Admin\AppData\Local\Temp\_MEI49162\VCRUNTIME140.dll

MD5 862f820c3251e4ca6fc0ac00e4092239
SHA1 ef96d84b253041b090c243594f90938e9a487a9a
SHA256 36585912e5eaf83ba9fea0631534f690ccdc2d7ba91537166fe53e56c221e153
SHA512 2f8a0f11bccc3a8cb99637deeda0158240df0885a230f38bb7f21257c659f05646c6b61e993f87e0877f6ba06b347ddd1fc45d5c44bc4e309ef75ed882b82e4e

memory/3156-208-0x00007FFDD94A0000-0x00007FFDD9B03000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI49162\base_library.zip

MD5 a9cbd0455b46c7d14194d1f18ca8719e
SHA1 e1b0c30bccd9583949c247854f617ac8a14cbac7
SHA256 df6c19637d239bfedc8cd13d20e0938c65e8fdf340622ff334db533f2d30fa19
SHA512 b92468e71490a8800e51410df7068dd8099e78c79a95666ecf274a9e9206359f049490b8f60b96081fafd872ec717e67020364bcfa972f26f0d77a959637e528

C:\Users\Admin\AppData\Local\Temp\_MEI49162\_ctypes.pyd

MD5 79879c679a12fac03f472463bb8ceff7
SHA1 b530763123bd2c537313e5e41477b0adc0df3099
SHA256 8d1a21192112e13913cb77708c105034c5f251d64517017975af8e0c4999eba3
SHA512 ca19ddaefc9ab7c868dd82008a79ea457acd71722fec21c2371d51dcfdb99738e79eff9b1913a306dbedacb0540ca84a2ec31dc2267c7b559b6a98b390c5f3a7

C:\Users\Admin\AppData\Local\Temp\_MEI49162\python3.DLL

MD5 16855ebef31c5b1ebe767f1c617645b3
SHA1 315521f3a748abfa35cd4d48e8dd09d0556d989b
SHA256 a5c6a329698490a035133433928d04368ce6285bb91a9d074fc285de4c9a32a4
SHA512 c3957b3bd36b10c7ad6ea1ff3bc7bd65cdceb3e6b4195a25d0649aa0da179276ce170da903d77b50a38fc3d5147a45be32dbcfdbfbf76cc46301199c529adea4

C:\Users\Admin\AppData\Local\Temp\_MEI49162\libffi-8.dll

MD5 08b000c3d990bc018fcb91a1e175e06e
SHA1 bd0ce09bb3414d11c91316113c2becfff0862d0d
SHA256 135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece
SHA512 8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

memory/3156-216-0x00007FFDDE050000-0x00007FFDDE077000-memory.dmp

memory/3156-218-0x00007FFDE34D0000-0x00007FFDE34DF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI49162\_bz2.pyd

MD5 58fc4c56f7f400de210e98ccb8fdc4b2
SHA1 12cb7ec39f3af0947000295f4b50cbd6e7436554
SHA256 dfc195ebb59dc5e365efd3853d72897b8838497e15c0977b6edb1eb347f13150
SHA512 ad0c6a9a5ca719d244117984a06cce8e59ed122855e4595df242df18509752429389c3a44a8ba0abc817d61e37f64638ccbdffc17238d4c38d2364f0a10e6bc7

memory/3156-222-0x00007FFDDF440000-0x00007FFDDF459000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI49162\_lzma.pyd

MD5 055eb9d91c42bb228a72bf5b7b77c0c8
SHA1 5659b4a819455cf024755a493db0952e1979a9cf
SHA256 de342275a648207bef9b9662c9829af222b160975ad8925cc5612cd0f182414e
SHA512 c5cba050f4b805a299f5d04ec0dce9b718a16bc335cac17f23e96519da0b9eaaf25ae0e9b29ef3dc56603bfe8317cdc1a67ee6464d84a562cf04bea52c31cfac

memory/3156-244-0x00007FFDD9F10000-0x00007FFDD9F3B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI49162\VCRUNTIME140_1.dll

MD5 68156f41ae9a04d89bb6625a5cd222d4
SHA1 3be29d5c53808186eba3a024be377ee6f267c983
SHA256 82a2f9ae1e6146ae3cb0f4bc5a62b7227e0384209d9b1aef86bbcc105912f7cd
SHA512 f7bf8ad7cd8b450050310952c56f6a20b378a972c822ccc253ef3d7381b56ffb3ca6ce3323bea9872674ed1c02017f78ab31e9eb9927fc6b3cba957c247e5d57

C:\Users\Admin\AppData\Local\Temp\_MEI49162\pyexpat.pyd

MD5 20981e22b263956da46264421008c0ef
SHA1 367c52c3bbdf04dc87450e3a90d71a9a039d2dcf
SHA256 44a23658bada34ce682fc2a03a620d125362f782fe401aac7b13ef531e0f5bdc
SHA512 9ef41daa6c04bead890d94a51891956b1c44e2d50dbbdcab1219b45b44b765c50dfd1473703ccb550cfca6484f04ae806137d62b725f0a4a43218305416dcb66

memory/3156-253-0x00007FFDDD200000-0x00007FFDDD214000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI49162\libcrypto-3.dll

MD5 8377fe5949527dd7be7b827cb1ffd324
SHA1 aa483a875cb06a86a371829372980d772fda2bf9
SHA256 88e8aa1c816e9f03a3b589c7028319ef456f72adb86c9ddca346258b6b30402d
SHA512 c59d0cbe8a1c64f2c18b5e2b1f49705d079a2259378a1f95f7a368415a2dc3116e0c3c731e9abfa626d12c02b9e0d72c98c1f91a359f5486133478144fa7f5f7

C:\Users\Admin\AppData\Local\Temp\_MEI49162\_hashlib.pyd

MD5 d6f123c4453230743adcc06211236bc0
SHA1 9f9ade18ac3e12bcc09757a3c4b5ee74cf5e794e
SHA256 7a904fa6618157c34e24aaac33fdf84035215d82c08eec6983c165a49d785dc9
SHA512 f5575d18a51207b4e9df5bb95277d4d03e3bb950c0e7b6c3dd2288645e26e1de8edcf634311c21a6bdc8c3378a71b531f840b8262db708726d36d15cb6d02441

C:\Users\Admin\AppData\Local\Temp\_MEI49162\_socket.pyd

MD5 14392d71dfe6d6bdc3ebcdbde3c4049c
SHA1 622479981e1bbc7dd13c1a852ae6b2b2aebea4d7
SHA256 a1e39e2386634069070903e2d9c2b51a42cb0d59c20b7be50ef95c89c268deb2
SHA512 0f6359f0adc99efad5a9833f2148b066b2c4baf564ba16090e04e2b4e3a380d6aff4c9e7aeaa2ba247f020f7bd97635fcdfe4e3b11a31c9c6ea64a4142333424

C:\Users\Admin\AppData\Local\Temp\_MEI49162\_ssl.pyd

MD5 7ef27cd65635dfba6076771b46c1b99f
SHA1 14cb35ce2898ed4e871703e3b882a057242c5d05
SHA256 6ef0ef892dc9ad68874e2743af7985590bb071e8afe3bbf8e716f3f4b10f19b4
SHA512 ac64a19d610448badfd784a55f3129d138e3b697cf2163d5ea5910d06a86d0ea48727485d97edba3c395407e2ccf8868e45dd6d69533405b606e5d9b41baadc0

C:\Users\Admin\AppData\Local\Temp\_MEI49162\select.pyd

MD5 fb70aece725218d4cba9ba9bbb779ccc
SHA1 bb251c1756e5bf228c7b60daea1e3b6e3f9f0ff5
SHA256 9d440a1b8a6a43cfaa83b9bc5c66a9a341893a285e02d25a36c4781f289c8617
SHA512 63e6db638911966a86f423da8e539fc4ab7eb7b3fb76c30c16c582ce550f922ad78d1a77fa0605caffa524e480969659bf98176f19d5effd1fc143b1b13bbaaf

C:\Users\Admin\AppData\Local\Temp\_MEI49162\libssl-3.dll

MD5 b2e766f5cf6f9d4dcbe8537bc5bded2f
SHA1 331269521ce1ab76799e69e9ae1c3b565a838574
SHA256 3cc6828e7047c6a7eff517aa434403ea42128c8595bf44126765b38200b87ce4
SHA512 5233c8230497aadb9393c3ee5049e4ab99766a68f82091fe32393ee980887ebd4503bf88847c462c40c3fc786f8d179dac5cb343b980944ade43bc6646f5ad5a

memory/3156-261-0x00007FFDD92E0000-0x00007FFDD93AE000-memory.dmp

memory/3156-265-0x00007FFDDCE90000-0x00007FFDDCE9D000-memory.dmp

memory/3156-264-0x00007FFDD9E30000-0x00007FFDD9E49000-memory.dmp

memory/3156-263-0x00007FFDD94A0000-0x00007FFDD9B03000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI49162\setuptools\_vendor\jaraco\text\Lorem ipsum.txt

MD5 4ce7501f6608f6ce4011d627979e1ae4
SHA1 78363672264d9cd3f72d5c1d3665e1657b1a5071
SHA256 37fedcffbf73c4eb9f058f47677cb33203a436ff9390e4d38a8e01c9dad28e0b
SHA512 a4cdf92725e1d740758da4dd28df5d1131f70cef46946b173fe6956cc0341f019d7c4fecc3c9605f354e1308858721dada825b4c19f59c5ad1ce01ab84c46b24

memory/3156-260-0x00007FFDD9C50000-0x00007FFDD9C84000-memory.dmp

memory/3156-255-0x00007FFDD53B0000-0x00007FFDD58E3000-memory.dmp

memory/3156-251-0x00007FFDDF280000-0x00007FFDDF28D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI49162\_queue.pyd

MD5 513dce65c09b3abc516687f99a6971d8
SHA1 8f744c6f79a23aa380d9e6289cb4504b0e69fe3b
SHA256 d4be41574c3e17792a25793e6f5bf171baeeb4255c08cb6a5cd7705a91e896fc
SHA512 621f9670541cac5684892ec92378c46ff5e1a3d065d2e081d27277f1e83d6c60510c46cab333c6ed0ff81a25a1bdc0046c7001d14b3f885e25019f9cdd550ed0

memory/3156-249-0x00007FFDD9E50000-0x00007FFDD9E86000-memory.dmp

memory/3156-246-0x00007FFDE2D20000-0x00007FFDE2D2F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI49162\_wmi.pyd

MD5 5fe7e224eda8f5399e259ebcb255c5eb
SHA1 fd8e72ef3cc73a8748b761d97cc0a8b53249cf92
SHA256 55eeb2b3adea1aa0de1e7494c77dc96c1739c1f9630ddf20802e8bb723787685
SHA512 7d20eee31f00085f479218ea52f855bc99c4355ce79a2fa8bbe5bbcdadc36eb1fab0c0a16a781c52d78adabf70a005ae4844e319298eea8237c745fc45b808fa

C:\Users\Admin\AppData\Local\Temp\_MEI49162\_uuid.pyd

MD5 3acf3138d5550ca6de7e2580e076e0f7
SHA1 3e878a18df2362aa6f0bdbfa058dca115e70d0b8
SHA256 f9d5008f0772aa0720bc056a6ecd5a2a3f24965e4b470b022d88627a436c1ffe
SHA512 f05e90a0feaa2994b425884af32149fbbe2e11cb7499fc88ca92d8a74410edcd62b2b2c0f1ecd1a46985133f7e89575f2c114bd01f619c22ce52f3cf2a7e37c4

C:\Users\Admin\AppData\Local\Temp\_MEI49162\_sqlite3.pyd

MD5 8cd40257514a16060d5d882788855b55
SHA1 1fd1ed3e84869897a1fad9770faf1058ab17ccb9
SHA256 7d53df36ee9da2df36c2676cfaea84ee87e7e2a15ad8123f6abb48717c3bc891
SHA512 a700c3ce95ce1b3fd65a9f335c7c778643b2f7140920fe7ebf5d9be1089ba04d6c298bf28427ca774fbf412d7f9b77f45708a8a0729437f136232e72d6231c34

C:\Users\Admin\AppData\Local\Temp\_MEI49162\_overlapped.pyd

MD5 51f10ab22d2dd766df5f315ffaf6118f
SHA1 7031d26ef70f3eb8f642d628d36790ab8bfc0cde
SHA256 a7afc75c7b7d919689a9f42683783c9bb8371ead77ee78b5759a705373609e63
SHA512 dac85a9cde682d892e2cb4a873578ebad52bab733d1804e895e2f95b9d213676446653d240385f0b353f07b4082788b4ed45d2be08fa2bf904f31f9ccc8b7906

C:\Users\Admin\AppData\Local\Temp\_MEI49162\_multiprocessing.pyd

MD5 c7639f15afe6089a7702a81c4df8c95f
SHA1 fc63d44e442414c0061b7fab77c3d503bbcdd8ce
SHA256 cc2b57dff9ac911315565b28b5b006279c2972992cf0d57c22b77097c6052505
SHA512 d4c576f400423d191fb4d83d9bb8e67442d6de05c4abad436246334b54c212b71be1b9e57993b07cb3b7c58a40cccdc91e4b63cfb5de22126f9dd70981227bfc

C:\Users\Admin\AppData\Local\Temp\_MEI49162\_elementtree.pyd

MD5 96ca940a51b8fac093f9427fd14e47ba
SHA1 d72cc51ba1090ca8985fe9e44b8126aaf907b13e
SHA256 8a7da78aee0ad812acf73ffbf05eb4a3c8cc400993e7527105ddfdb5bdf56d2a
SHA512 028ed8a9504dfc1ac821c41e54c020dd09f6853f79b54d6a6f744c9c7f9692954d56cc379b9ac111dde4dc797ac7d37db507be27ab5a60a966e9cd943d20a7f4

C:\Users\Admin\AppData\Local\Temp\_MEI49162\_decimal.pyd

MD5 21d27c95493c701dff0206ff5f03941d
SHA1 f1f124d4b0e3092d28ba4ea4fe8cf601d5bd8600
SHA256 38ec7a3c2f368ffeb94524d7c66250c0d2dafe58121e93e54b17c114058ea877
SHA512 a5fbda904024cd097a86d6926e0d593b0f7e69e32df347a49677818c2f4cd7dc83e2bab7c2507428328248bd2f54b00f7b2a077c8a0aad2224071f8221cb9457

C:\Users\Admin\AppData\Local\Temp\_MEI49162\_cffi_backend.cp313-win_amd64.pyd

MD5 8a32974141e88c0bdf8ff4eae7073550
SHA1 a3b85b6bff4a1fbe8361462c67b7f39dcc5358a3
SHA256 66c059c925aee7269b4368f0d0297b460a65817dd2dad4d48c2b66de21973736
SHA512 fe04382ccfea26d75b218fe2f1905652e454b00af065280ea49f0fa9f884aacda31c62ca4e05e03c7e44b4f5cf312b84639ec4ec2542736a854bd39083c4a807

C:\Users\Admin\AppData\Local\Temp\_MEI49162\_asyncio.pyd

MD5 c3d7e7a10af3a128c3dfa7ae77fc7c7d
SHA1 020ff416e6a13c6f22cc143075d9d7b08c8f0b06
SHA256 e5f8d0735312af6b90029aac39c23e8b2f2992c7673ce71c6ec8c316d0a5cea1
SHA512 f5a66c1c2759c10c658d44415d5895ee4742d8c594f58891b2a8722b94985ec8e07b9630417773b09d274ccfa3167eb253f03a0c4d25ed0d985373fde269ec25

C:\Users\Admin\AppData\Local\Temp\_MEI49162\unicodedata.pyd

MD5 b2712b0dd79a9dafe60aa80265aa24c3
SHA1 347e5ad4629af4884959258e3893fde92eb3c97e
SHA256 b271bd656e045c1d130f171980ed34032ac7a281b8b5b6ac88e57dce12e7727a
SHA512 4dc7bd1c148a470a3b17fa0b936e3f5f68429d83d552f80051b0b88818aa88efc3fe41a2342713b7f0f2d701a080fb9d8ac4ff9be5782a6a0e81bd759f030922

C:\Users\Admin\AppData\Local\Temp\_MEI49162\sqlite3.dll

MD5 21aea45d065ecfa10ab8232f15ac78cf
SHA1 6a754eb690ff3c7648dae32e323b3b9589a07af2
SHA256 a1a694b201976ea57d4376ae673daa21deb91f1bf799303b3a0c58455d5126e7
SHA512 d5c9dc37b509a3eafa1e7e6d78a4c1e12b5925b5340b09bee06c174d967977264c9eb45f146abed1b1fc8aa7c48f1e0d70d25786ed46849f5e7cc1c5d07ac536

memory/3156-268-0x00007FFDD9C20000-0x00007FFDD9C45000-memory.dmp

memory/3156-267-0x00007FFDDE050000-0x00007FFDDE077000-memory.dmp

memory/3156-270-0x00007FFDD9160000-0x00007FFDD92DF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI49162\psutil\_psutil_windows.pyd

MD5 c6b58473112940b1c51daab751ad600f
SHA1 f0653bbec27277efbd783a3b5fb5b2ae38ca53ae
SHA256 6c8d5a4ad401d3994dc8609dfd356382f3e3e1ab51225a8cad21434f9b75276a
SHA512 45e4ed13b924f9fb2073c4fd0f551394eefc962971e63473ab6d3b0e1dbfdf604af5591d53b92890b10904dc310ce71d12c99b6e53063f6c8c5ab1a70adcf20c

memory/3156-273-0x00007FFDD9E10000-0x00007FFDD9E28000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI49162\charset_normalizer\md.cp313-win_amd64.pyd

MD5 d0b38f1445119c61de26d4a151558ea6
SHA1 2dc4ab4c00ff2ff48e6b68701ceb1da8620d7401
SHA256 641bae68119122101fce6abda99ba8d486aab14e2cf7c8707b922d312a3071c7
SHA512 8a2dbc16c95c06c70af18cbaf3f35928174f8b032ffffef08912a6c799272938c15fb3180e9f9e72b1b297c034b5d2ef2d5dafea1bcf811c430f9c962159a203

memory/3156-277-0x00007FFDDCD10000-0x00007FFDDCD1B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI49162\charset_normalizer\md__mypyc.cp313-win_amd64.pyd

MD5 fffa67eea0cba154e5d37d484732c1a5
SHA1 da4d420d3ef574602abaf645c87be78fc2390780
SHA256 328873bb1d98d8b539993ad1c9ad1804cd6942d1013202aa19267931f0c7994d
SHA512 5eb591671e5ea490f32f60be6e272ecf25dcbab104273defce7a3e6378a80b999a3b4471be1ea2bb5ba19aaf782551e9e61c0edb2550cd72cfc766aa35b50b79

memory/3156-279-0x00007FFDE2D20000-0x00007FFDE2D2F000-memory.dmp

memory/3156-280-0x00007FFDD9470000-0x00007FFDD9497000-memory.dmp

memory/3156-282-0x00007FFDD90A0000-0x00007FFDD9153000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI49162\certifi\cacert.pem

MD5 50ea156b773e8803f6c1fe712f746cba
SHA1 2c68212e96605210eddf740291862bdf59398aef
SHA256 94edeb66e91774fcae93a05650914e29096259a5c7e871a1f65d461ab5201b47
SHA512 01ed2e7177a99e6cb3fbef815321b6fa036ad14a3f93499f2cb5b0dae5b713fd2e6955aa05f6bda11d80e9e0275040005e5b7d616959b28efc62abb43a3238f0

C:\Users\Admin\AppData\Local\Temp\_MEI49162\Cryptodome\Cipher\_raw_ecb.pyd

MD5 5293811151e512c4236d2566c9943758
SHA1 7ecc90f3c68d7fda5321814805969628367cfd59
SHA256 6fc9fc660a3469f812db7f2ec1316716ee74b5743a3019a8280b89a31a7cbd9b
SHA512 d69470ab850f286ed06999a8e01a6bb33cd592f715f354b7fd36b1ac52a4a2003b2038199727b9b94625c2c9818648897eafb7528c1137c11537d0ee2eab6d83

C:\Users\Admin\AppData\Local\Temp\_MEI49162\Cryptodome\Cipher\_raw_cbc.pyd

MD5 b081833ff21acedb817fcde62cab77be
SHA1 9586a570130268e16c2cdfbb00cbef4e6834a367
SHA256 6fd5e6ab908537ced6a4165d068de39dae96a819c0e42034a5d5da4e85dd5e0a
SHA512 daeeafa6f3f29b7c8d896e6f932503e004af70d56529cf590a126dd2a412d8cce7eaa469a34002b22e432612933f90e7831c8fc7016fbbc5491f9a76f1bfa486

C:\Users\Admin\AppData\Local\Temp\_MEI49162\Cryptodome\Cipher\_raw_cfb.pyd

MD5 a5045ee4056013d68e3eaf0bb071c4f9
SHA1 8075d75f8285d4c4475adc5772f7fe9b7b62cbd9
SHA256 ce8cd2b12526536171105a4a2f3dcb62613b3b6d596e5e4fbb0080b02bbf9129
SHA512 8ec4209814b99e585c8a682ea5e5744d9bd8789467b0699e8d36b08511c4e559397904b53147ddb92ee81f42d47b16d70aeedbc7f2ca055dcc047f554d9bf639

C:\Users\Admin\AppData\Local\Temp\_MEI49162\Cryptodome\Cipher\_raw_ofb.pyd

MD5 e7ce6e446ade075b48ae1009e19112db
SHA1 efc9c9d49019a5d17d949615f3c9a2c413e17d48
SHA256 bc165b1cd715ee082827af31dd96cc44dc458de4608ba0ac640d97255a96e553
SHA512 547bdabfaf8cf621629b8d7ebbe7f2e19a862f03350b6350554ce0256684e6b254535bd99d2511a36e06ec672710250409d05db26211949370ebf030d709866e

memory/3156-291-0x00007FFDD53B0000-0x00007FFDD58E3000-memory.dmp

memory/3156-299-0x00007FFDD9440000-0x00007FFDD944C000-memory.dmp

memory/3156-298-0x00007FFDD92E0000-0x00007FFDD93AE000-memory.dmp

memory/3156-297-0x00007FFDD9C50000-0x00007FFDD9C84000-memory.dmp

memory/3156-300-0x00007FFDD9090000-0x00007FFDD909B000-memory.dmp

memory/3156-304-0x00007FFDD9070000-0x00007FFDD907D000-memory.dmp

memory/3156-305-0x00007FFDD9060000-0x00007FFDD906E000-memory.dmp

memory/3156-306-0x00007FFDD9050000-0x00007FFDD905C000-memory.dmp

memory/3156-309-0x00007FFDD9030000-0x00007FFDD903B000-memory.dmp

memory/3156-311-0x00007FFDD9020000-0x00007FFDD902C000-memory.dmp

memory/3156-312-0x00007FFDD9010000-0x00007FFDD901B000-memory.dmp

memory/3156-313-0x00007FFDD9000000-0x00007FFDD900D000-memory.dmp

memory/3156-315-0x00007FFDD8FF0000-0x00007FFDD8FFC000-memory.dmp

memory/3156-314-0x00007FFDD5A10000-0x00007FFDD5A22000-memory.dmp

memory/3156-310-0x00007FFDD90A0000-0x00007FFDD9153000-memory.dmp

memory/3156-308-0x00007FFDD9040000-0x00007FFDD904B000-memory.dmp

memory/3156-307-0x00007FFDD9470000-0x00007FFDD9497000-memory.dmp

memory/3156-303-0x00007FFDD9080000-0x00007FFDD908C000-memory.dmp

memory/3156-302-0x00007FFDD9160000-0x00007FFDD92DF000-memory.dmp

memory/3156-301-0x00007FFDD9C20000-0x00007FFDD9C45000-memory.dmp

memory/3156-324-0x00007FFDD59E0000-0x00007FFDD5A0A000-memory.dmp

memory/3156-323-0x00007FFDD5380000-0x00007FFDD53AF000-memory.dmp

memory/3156-322-0x00007FFDC8670000-0x00007FFDC88B9000-memory.dmp

memory/3156-296-0x00007FFDD9B70000-0x00007FFDD9B7B000-memory.dmp

memory/3156-295-0x00007FFDDD200000-0x00007FFDDD214000-memory.dmp

memory/3156-294-0x00007FFDD9450000-0x00007FFDD945B000-memory.dmp

memory/3156-293-0x00007FFDD9460000-0x00007FFDD946C000-memory.dmp

memory/3156-292-0x00007FFDD9BC0000-0x00007FFDD9BCB000-memory.dmp

memory/804-333-0x000001C8AA1E0000-0x000001C8AA202000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4k1wnicz.chy.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\GT6P8jaVO5\Browser\history.txt

MD5 5638715e9aaa8d3f45999ec395e18e77
SHA1 4e3dc4a1123edddf06d92575a033b42a662fe4ad
SHA256 4db7f6559c454d34d9c2d557524603c3f52649c2d69b26b6e8384a3d179aeae6
SHA512 78c96efab1d941e34d3137eae32cef041e2db5b0ebbf883e6a2effa79a323f66e00cfb7c45eb3398b3cbd0469a2be513c3ff63e5622261857eefc1685f77f76b

C:\Users\Admin\AppData\Local\Temp\GT6P8jaVO5\Browser\cc's.txt

MD5 5aa796b6950a92a226cc5c98ed1c47e8
SHA1 6706a4082fc2c141272122f1ca424a446506c44d
SHA256 c4c83da3a904a4e7114f9bd46790db502cdd04800e684accb991cd1a08ee151c
SHA512 976f403257671e8f652bf988f4047202e1a0fd368fdb2bab2e79ece1c20c7eb775c4b3a8853c223d4f750f4192cd09455ff024918276dc1dd1442fa3b36623ad

memory/3156-397-0x00007FFDD9E10000-0x00007FFDD9E28000-memory.dmp

memory/3156-414-0x00007FFDD9010000-0x00007FFDD901B000-memory.dmp

memory/3156-413-0x00007FFDD9020000-0x00007FFDD902C000-memory.dmp

memory/3156-412-0x00007FFDD9030000-0x00007FFDD903B000-memory.dmp

memory/3156-411-0x00007FFDD9040000-0x00007FFDD904B000-memory.dmp

memory/3156-410-0x00007FFDD9050000-0x00007FFDD905C000-memory.dmp

memory/3156-409-0x00007FFDD9060000-0x00007FFDD906E000-memory.dmp

memory/3156-408-0x00007FFDD9070000-0x00007FFDD907D000-memory.dmp

memory/3156-407-0x00007FFDD9080000-0x00007FFDD908C000-memory.dmp

memory/3156-406-0x00007FFDD9090000-0x00007FFDD909B000-memory.dmp

memory/3156-405-0x00007FFDD9440000-0x00007FFDD944C000-memory.dmp

memory/3156-404-0x00007FFDD9450000-0x00007FFDD945B000-memory.dmp

memory/3156-403-0x00007FFDD9460000-0x00007FFDD946C000-memory.dmp

memory/3156-402-0x00007FFDD9B70000-0x00007FFDD9B7B000-memory.dmp

memory/3156-401-0x00007FFDD9BC0000-0x00007FFDD9BCB000-memory.dmp

memory/3156-400-0x00007FFDD90A0000-0x00007FFDD9153000-memory.dmp

memory/3156-399-0x00007FFDD9470000-0x00007FFDD9497000-memory.dmp

memory/3156-398-0x00007FFDDCD10000-0x00007FFDDCD1B000-memory.dmp

memory/3156-396-0x00007FFDD9160000-0x00007FFDD92DF000-memory.dmp

memory/3156-395-0x00007FFDD9C20000-0x00007FFDD9C45000-memory.dmp

memory/3156-394-0x00007FFDD92E0000-0x00007FFDD93AE000-memory.dmp

memory/3156-390-0x00007FFDD53B0000-0x00007FFDD58E3000-memory.dmp

memory/3156-389-0x00007FFDDD200000-0x00007FFDDD214000-memory.dmp

memory/3156-388-0x00007FFDDF280000-0x00007FFDDF28D000-memory.dmp

memory/3156-387-0x00007FFDD9E50000-0x00007FFDD9E86000-memory.dmp

memory/3156-386-0x00007FFDE2D20000-0x00007FFDE2D2F000-memory.dmp

memory/3156-385-0x00007FFDD9F10000-0x00007FFDD9F3B000-memory.dmp

memory/3156-384-0x00007FFDDF440000-0x00007FFDDF459000-memory.dmp

memory/3156-383-0x00007FFDE34D0000-0x00007FFDE34DF000-memory.dmp

memory/3156-382-0x00007FFDDE050000-0x00007FFDDE077000-memory.dmp

memory/3156-393-0x00007FFDD9C50000-0x00007FFDD9C84000-memory.dmp

memory/3156-392-0x00007FFDDCE90000-0x00007FFDDCE9D000-memory.dmp

memory/3156-391-0x00007FFDD9E30000-0x00007FFDD9E49000-memory.dmp

memory/3156-381-0x00007FFDD94A0000-0x00007FFDD9B03000-memory.dmp

memory/3156-415-0x00007FFDD8FF0000-0x00007FFDD8FFC000-memory.dmp

memory/3156-416-0x00007FFDD9000000-0x00007FFDD900D000-memory.dmp

memory/3156-418-0x00007FFDD59E0000-0x00007FFDD5A0A000-memory.dmp

memory/3156-417-0x00007FFDD5A10000-0x00007FFDD5A22000-memory.dmp

memory/3156-419-0x00007FFDD5380000-0x00007FFDD53AF000-memory.dmp

memory/3156-420-0x00007FFDC8670000-0x00007FFDC88B9000-memory.dmp