Malware Analysis Report

2025-06-15 20:18

Sample ID 241215-wpt4ws1rh1
Target source_prepared.exe
SHA256 e2373c15090105d358c3ef7fa4ed03c6cd5a6a55a2db6efb020643e03a87d26a
Tags pyinstaller pysilon upx evasion execution persistence
Score 10/10

Analysis Overview

score
10/10

SHA256

e2373c15090105d358c3ef7fa4ed03c6cd5a6a55a2db6efb020643e03a87d26a

Threat Level: Known bad

The file source_prepared.exe was found to be: Known bad.

Malicious Activity Summary

pyinstaller pysilon upx evasion execution persistence

Pysilon family

Detect Pysilon

Enumerates VirtualBox DLL files

Command and Scripting Interpreter: PowerShell

Sets file to hidden

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

UPX packed file

Unsigned PE

Detects Pyinstaller

Views/modifies file attributes

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Kills process with taskkill

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Analysis: static1

Detonation Overview

Reported

2024-12-15 18:06

Signatures

Detect Pysilon

Pysilon family

pysilon

Detects Pyinstaller

pyinstaller

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-15 18:06

Reported

2024-12-15 18:09

Platform

win7-20241010-en

Max time kernel

121s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\source_prepared.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\source_prepared.exe

"C:\Users\Admin\AppData\Local\Temp\source_prepared.exe"

C:\Users\Admin\AppData\Local\Temp\source_prepared.exe

"C:\Users\Admin\AppData\Local\Temp\source_prepared.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\_MEI23722\ucrtbase.dll

\Users\Admin\AppData\Local\Temp\_MEI23722\api-ms-win-core-timezone-l1-1-0.dll

\Users\Admin\AppData\Local\Temp\_MEI23722\api-ms-win-core-processthreads-l1-1-1.dll

\Users\Admin\AppData\Local\Temp\_MEI23722\api-ms-win-core-localization-l1-2-0.dll

\Users\Admin\AppData\Local\Temp\_MEI23722\api-ms-win-core-file-l1-2-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI23722\api-ms-win-core-file-l2-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI23722\python311.dll

memory/2940-1322-0x000007FEF5500000-0x000007FEF5AF0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-15 18:06

Reported

2024-12-15 18:09

Platform

win10v2004-20241007-en

Max time kernel

144s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\source_prepared.exe"

Signatures

Enumerates VirtualBox DLL files

Description | Indicator | Process | Target
File opened (read-only) | C:\windows\system32\vboxhook.dll | C:\Users\Admin\AppData\Local\Temp\source_prepared.exe | N/A
File opened (read-only) | C:\windows\system32\vboxmrxnp.dll | C:\Users\Admin\AppData\Local\Temp\source_prepared.exe | N/A
File opened (read-only) | C:\windows\system32\vboxhook.dll | C:\Users\Admin\Temp Spoofer\kernelspoofer.exe | N/A
File opened (read-only) | C:\windows\system32\vboxmrxnp.dll | C:\Users\Admin\Temp Spoofer\kernelspoofer.exe | N/A

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Sets file to hidden

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\attrib.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\Temp Spoofer\kernelspoofer.exe | N/A
N/A | N/A | C:\Users\Admin\Temp Spoofer\kernelspoofer.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\source_prepared.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Temp Spoofer = "C:\\Users\\Admin\\Temp Spoofer\\kernelspoofer.exe" | C:\Users\Admin\AppData\Local\Temp\source_prepared.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | discord.com | N/A | N/A
N/A | discord.com | N/A | N/A

UPX packed file

upx

Kills process with taskkill

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\taskkill.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\Temp Spoofer\kernelspoofer.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\source_prepared.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\Temp Spoofer\kernelspoofer.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\Temp Spoofer\kernelspoofer.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3468 wrote to memory of 1020 | N/A | C:\Users\Admin\AppData\Local\Temp\source_prepared.exe | C:\Users\Admin\AppData\Local\Temp\source_prepared.exe
PID 3468 wrote to memory of 1020 | N/A | C:\Users\Admin\AppData\Local\Temp\source_prepared.exe | C:\Users\Admin\AppData\Local\Temp\source_prepared.exe
PID 1020 wrote to memory of 1096 | N/A | C:\Users\Admin\AppData\Local\Temp\source_prepared.exe | C:\Windows\system32\cmd.exe
PID 1020 wrote to memory of 1096 | N/A | C:\Users\Admin\AppData\Local\Temp\source_prepared.exe | C:\Windows\system32\cmd.exe
PID 1020 wrote to memory of 2688 | N/A | C:\Users\Admin\AppData\Local\Temp\source_prepared.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1020 wrote to memory of 2688 | N/A | C:\Users\Admin\AppData\Local\Temp\source_prepared.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1020 wrote to memory of 1388 | N/A | C:\Users\Admin\AppData\Local\Temp\source_prepared.exe | C:\Windows\system32\cmd.exe
PID 1020 wrote to memory of 1388 | N/A | C:\Users\Admin\AppData\Local\Temp\source_prepared.exe | C:\Windows\system32\cmd.exe
PID 1388 wrote to memory of 4424 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\attrib.exe
PID 1388 wrote to memory of 4424 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\attrib.exe
PID 1388 wrote to memory of 4284 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\Temp Spoofer\kernelspoofer.exe
PID 1388 wrote to memory of 4284 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\Temp Spoofer\kernelspoofer.exe
PID 1388 wrote to memory of 1352 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\taskkill.exe
PID 1388 wrote to memory of 1352 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\taskkill.exe
PID 4284 wrote to memory of 5196 | N/A | C:\Users\Admin\Temp Spoofer\kernelspoofer.exe | C:\Users\Admin\Temp Spoofer\kernelspoofer.exe
PID 4284 wrote to memory of 5196 | N/A | C:\Users\Admin\Temp Spoofer\kernelspoofer.exe | C:\Users\Admin\Temp Spoofer\kernelspoofer.exe
PID 5196 wrote to memory of 2864 | N/A | C:\Users\Admin\Temp Spoofer\kernelspoofer.exe | C:\Windows\system32\cmd.exe
PID 5196 wrote to memory of 2864 | N/A | C:\Users\Admin\Temp Spoofer\kernelspoofer.exe | C:\Windows\system32\cmd.exe
PID 5196 wrote to memory of 952 | N/A | C:\Users\Admin\Temp Spoofer\kernelspoofer.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5196 wrote to memory of 952 | N/A | C:\Users\Admin\Temp Spoofer\kernelspoofer.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Views/modifies file attributes

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\attrib.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\source_prepared.exe

"C:\Users\Admin\AppData\Local\Temp\source_prepared.exe"

C:\Users\Admin\AppData\Local\Temp\source_prepared.exe

"C:\Users\Admin\AppData\Local\Temp\source_prepared.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "ver"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x2fc 0x2ec

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Add-MpPreference -ExclusionPath \"C:\Users\Admin\Temp Spoofer\""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Temp Spoofer\activate.bat""

C:\Windows\system32\attrib.exe

attrib +s +h .

C:\Users\Admin\Temp Spoofer\kernelspoofer.exe

"kernelspoofer.exe"

C:\Windows\system32\taskkill.exe

taskkill /f /im "source_prepared.exe"

C:\Users\Admin\Temp Spoofer\kernelspoofer.exe

"kernelspoofer.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "ver"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Add-MpPreference -ExclusionPath \"C:\Users\Admin\Temp Spoofer\""

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
US | 8.8.8.8:53 | discord.com | udp
US | 162.159.136.232:443 | discord.com | tcp
N/A | 127.0.0.1:62203 | | tcp
US | 8.8.8.8:53 | 232.136.159.162.in-addr.arpa | udp
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI34682\ucrtbase.dll

C:\Users\Admin\AppData\Local\Temp\_MEI34682\python311.dll

C:\Users\Admin\AppData\Local\Temp\_MEI34682\VCRUNTIME140.dll

memory/1020-1314-0x00007FFBFD3B0000-0x00007FFBFD9A0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI34682\base_library.zip

C:\Users\Admin\AppData\Local\Temp\_MEI34682\_ctypes.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI34682\python3.DLL

C:\Users\Admin\AppData\Local\Temp\_MEI34682\libffi-8.dll

memory/1020-1322-0x00007FFC0CF40000-0x00007FFC0CF64000-memory.dmp

memory/1020-1325-0x00007FFC0DA60000-0x00007FFC0DA6F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI34682\_bz2.pyd

memory/1020-1328-0x00007FFC0D600000-0x00007FFC0D619000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI34682\_lzma.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI34682\libmodplug-1.dll

C:\Users\Admin\AppData\Local\Temp\_MEI34682\libjpeg-9.dll

C:\Users\Admin\AppData\Local\Temp\_MEI34682\libcrypto-3.dll

C:\Users\Admin\AppData\Local\Temp\_MEI34682\libcrypto-3-x64.dll

C:\Users\Admin\AppData\Local\Temp\_MEI34682\freetype.dll

memory/1020-1376-0x00007FFC0CE30000-0x00007FFC0CE5D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI34682\api-ms-win-crt-utility-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI34682\api-ms-win-crt-time-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI34682\api-ms-win-crt-string-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI34682\api-ms-win-crt-stdio-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI34682\api-ms-win-crt-runtime-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI34682\api-ms-win-crt-process-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI34682\api-ms-win-crt-private-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI34682\api-ms-win-crt-multibyte-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI34682\api-ms-win-crt-math-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI34682\api-ms-win-crt-locale-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI34682\api-ms-win-crt-heap-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI34682\api-ms-win-crt-filesystem-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI34682\api-ms-win-crt-environment-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI34682\api-ms-win-crt-convert-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI34682\api-ms-win-crt-conio-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI34682\api-ms-win-core-util-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI34682\api-ms-win-core-timezone-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI34682\api-ms-win-core-sysinfo-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI34682\api-ms-win-core-synch-l1-2-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI34682\api-ms-win-core-synch-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI34682\api-ms-win-core-string-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI34682\api-ms-win-core-rtlsupport-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI34682\api-ms-win-core-profile-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI34682\api-ms-win-core-processthreads-l1-1-1.dll

C:\Users\Admin\AppData\Local\Temp\_MEI34682\api-ms-win-core-processthreads-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI34682\api-ms-win-core-processenvironment-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI34682\api-ms-win-core-namedpipe-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI34682\api-ms-win-core-memory-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI34682\api-ms-win-core-localization-l1-2-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI34682\api-ms-win-core-libraryloader-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI34682\api-ms-win-core-interlocked-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI34682\api-ms-win-core-heap-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI34682\api-ms-win-core-handle-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI34682\api-ms-win-core-file-l2-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI34682\api-ms-win-core-file-l1-2-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI34682\api-ms-win-core-file-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI34682\api-ms-win-core-fibers-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI34682\api-ms-win-core-errorhandling-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI34682\api-ms-win-core-debug-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI34682\api-ms-win-core-datetime-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI34682\api-ms-win-core-console-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_famkzv1r.fup.ps1

C:\Users\Admin\AppData\Local\Temp\_MEI42842\cryptography-44.0.0.dist-info\INSTALLER
