Malware Analysis Report

2025-06-15 20:18

Sample ID: 241221-23wgrstlbl
Target: Freakin Product.zip
SHA256: 2a6f79b1f0edd9e33b85f5c4af22b0bca1856874f5b2fe0aead2eb6f2a3a0223
Tags: pyinstaller pysilon evasion execution persistence
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: 2a6f79b1f0edd9e33b85f5c4af22b0bca1856874f5b2fe0aead2eb6f2a3a0223

Threat Level: Known bad

The file Freakin Product.zip was found to be: Known bad.

Malicious Activity Summary

pyinstaller pysilon evasion execution persistence

Detect Pysilon

Pysilon family

Enumerates VirtualBox DLL files

Command and Scripting Interpreter: PowerShell

Sets file to hidden

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Unsigned PE

Detects Pyinstaller

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Kills process with taskkill

Checks SCSI registry key(s)

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Views/modifies file attributes

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported: 2024-12-21 23:07

Signatures

Detect Pysilon

Description Indicator Process Target
N/A N/A N/A N/A

Pysilon family

Tag: pysilon

Detects Pyinstaller

Tag: pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-12-21 23:06

Reported: 2024-12-21 23:09

Platform: win7-20241010-de

Max time kernel: 17s

Max time network: 24s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Freakin Product\Injector.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Freakin Product\Injector.exe

"C:\Users\Admin\AppData\Local\Temp\Freakin Product\Injector.exe"

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x0

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x1

Network

N/A

Files

memory/2828-507-0x0000000002840000-0x0000000002841000-memory.dmp

memory/1464-508-0x00000000027E0000-0x00000000027E1000-memory.dmp

memory/2828-509-0x0000000002840000-0x0000000002841000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-12-21 23:06

Reported: 2024-12-21 23:09

Platform: win10v2004-20241007-de

Max time kernel: 39s

Max time network: 42s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Freakin Product\Injector.exe"

Signatures

Enumerates VirtualBox DLL files

Description Indicator Process Target
File opened (read-only) C:\windows\system32\vboxmrxnp.dll C:\Users\Admin\Robux Generator\runtime.exe N/A
File opened (read-only) C:\windows\system32\vboxhook.dll C:\Users\Admin\AppData\Local\Temp\Freakin Product\Injector.exe N/A
File opened (read-only) C:\windows\system32\vboxmrxnp.dll C:\Users\Admin\AppData\Local\Temp\Freakin Product\Injector.exe N/A
File opened (read-only) C:\windows\system32\vboxhook.dll C:\Users\Admin\Robux Generator\runtime.exe N/A
File opened (read-only) C:\windows\system32\vboxmrxnp.dll C:\Users\Admin\Robux Generator\runtime.exe N/A
File opened (read-only) C:\windows\system32\vboxhook.dll C:\Users\Admin\Robux Generator\runtime.exe N/A

Command and Scripting Interpreter: PowerShell

Tag: execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Sets file to hidden

Tag: evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Freakin Product\Injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Freakin Product\Injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Freakin Product\Injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Freakin Product\Injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Freakin Product\Injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Freakin Product\Injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Freakin Product\Injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Freakin Product\Injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Freakin Product\Injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Freakin Product\Injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Freakin Product\Injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Freakin Product\Injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Freakin Product\Injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Freakin Product\Injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Freakin Product\Injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Freakin Product\Injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Freakin Product\Injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Freakin Product\Injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Freakin Product\Injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Freakin Product\Injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Freakin Product\Injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Freakin Product\Injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Freakin Product\Injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Freakin Product\Injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Freakin Product\Injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Freakin Product\Injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Freakin Product\Injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Freakin Product\Injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Freakin Product\Injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Freakin Product\Injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Freakin Product\Injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Freakin Product\Injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Freakin Product\Injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Freakin Product\Injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Freakin Product\Injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Freakin Product\Injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Freakin Product\Injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Freakin Product\Injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Freakin Product\Injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Freakin Product\Injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Freakin Product\Injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Freakin Product\Injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Freakin Product\Injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Freakin Product\Injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Freakin Product\Injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Freakin Product\Injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Freakin Product\Injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Freakin Product\Injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Freakin Product\Injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Freakin Product\Injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Freakin Product\Injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Freakin Product\Injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Freakin Product\Injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Freakin Product\Injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Freakin Product\Injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Freakin Product\Injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Freakin Product\Injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Freakin Product\Injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Freakin Product\Injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Freakin Product\Injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Freakin Product\Injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Freakin Product\Injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Freakin Product\Injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Freakin Product\Injector.exe N/A

Adds Run key to start application

Tag: persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Robux Generator = "C:\\Users\\Admin\\Robux Generator\\runtime.exe" C:\Users\Admin\AppData\Local\Temp\Freakin Product\Injector.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A

Kills process with taskkill

Tag: evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings C:\Windows\system32\taskmgr.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\system32\taskmgr.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\system32\taskmgr.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\system32\taskmgr.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\system32\taskmgr.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Freakin Product\Injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Freakin Product\Injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Freakin Product\Injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Freakin Product\Injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Freakin Product\Injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Freakin Product\Injector.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\Robux Generator\runtime.exe N/A
N/A N/A C:\Users\Admin\Robux Generator\runtime.exe N/A
N/A N/A C:\Users\Admin\Robux Generator\runtime.exe N/A
N/A N/A C:\Users\Admin\Robux Generator\runtime.exe N/A
N/A N/A C:\Users\Admin\Robux Generator\runtime.exe N/A
N/A N/A C:\Users\Admin\Robux Generator\runtime.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Users\Admin\Robux Generator\runtime.exe N/A
N/A N/A C:\Users\Admin\Robux Generator\runtime.exe N/A
N/A N/A C:\Users\Admin\Robux Generator\runtime.exe N/A
N/A N/A C:\Users\Admin\Robux Generator\runtime.exe N/A
N/A N/A C:\Users\Admin\Robux Generator\runtime.exe N/A
N/A N/A C:\Users\Admin\Robux Generator\runtime.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Freakin Product\Injector.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Robux Generator\runtime.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Robux Generator\runtime.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\Robux Generator\runtime.exe N/A
N/A N/A C:\Users\Admin\Robux Generator\runtime.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1884 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Local\Temp\Freakin Product\Injector.exe C:\Users\Admin\AppData\Local\Temp\Freakin Product\Injector.exe
PID 1884 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Local\Temp\Freakin Product\Injector.exe C:\Users\Admin\AppData\Local\Temp\Freakin Product\Injector.exe
PID 4172 wrote to memory of 4348 N/A C:\Users\Admin\AppData\Local\Temp\Freakin Product\Injector.exe C:\Windows\system32\cmd.exe
PID 4172 wrote to memory of 4348 N/A C:\Users\Admin\AppData\Local\Temp\Freakin Product\Injector.exe C:\Windows\system32\cmd.exe
PID 4172 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\Freakin Product\Injector.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4172 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\Freakin Product\Injector.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4172 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\Freakin Product\Injector.exe C:\Windows\system32\cmd.exe
PID 4172 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\Freakin Product\Injector.exe C:\Windows\system32\cmd.exe
PID 3056 wrote to memory of 3704 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 3056 wrote to memory of 3704 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 3056 wrote to memory of 2172 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\Robux Generator\runtime.exe
PID 3056 wrote to memory of 2172 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\Robux Generator\runtime.exe
PID 3056 wrote to memory of 1456 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 3056 wrote to memory of 1456 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2172 wrote to memory of 3504 N/A C:\Users\Admin\Robux Generator\runtime.exe C:\Users\Admin\Robux Generator\runtime.exe
PID 2172 wrote to memory of 3504 N/A C:\Users\Admin\Robux Generator\runtime.exe C:\Users\Admin\Robux Generator\runtime.exe
PID 3504 wrote to memory of 2940 N/A C:\Users\Admin\Robux Generator\runtime.exe C:\Windows\system32\cmd.exe
PID 3504 wrote to memory of 2940 N/A C:\Users\Admin\Robux Generator\runtime.exe C:\Windows\system32\cmd.exe
PID 3504 wrote to memory of 4928 N/A C:\Users\Admin\Robux Generator\runtime.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3504 wrote to memory of 4928 N/A C:\Users\Admin\Robux Generator\runtime.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3504 wrote to memory of 2148 N/A C:\Users\Admin\Robux Generator\runtime.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3504 wrote to memory of 2148 N/A C:\Users\Admin\Robux Generator\runtime.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5328 wrote to memory of 6072 N/A C:\Users\Admin\Robux Generator\runtime.exe C:\Users\Admin\Robux Generator\runtime.exe
PID 5328 wrote to memory of 6072 N/A C:\Users\Admin\Robux Generator\runtime.exe C:\Users\Admin\Robux Generator\runtime.exe
PID 6072 wrote to memory of 6096 N/A C:\Users\Admin\Robux Generator\runtime.exe C:\Windows\system32\cmd.exe
PID 6072 wrote to memory of 6096 N/A C:\Users\Admin\Robux Generator\runtime.exe C:\Windows\system32\cmd.exe
PID 6072 wrote to memory of 2820 N/A C:\Users\Admin\Robux Generator\runtime.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 6072 wrote to memory of 2820 N/A C:\Users\Admin\Robux Generator\runtime.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Views/modifies file attributes

Tag: evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Freakin Product\Injector.exe

"C:\Users\Admin\AppData\Local\Temp\Freakin Product\Injector.exe"

C:\Users\Admin\AppData\Local\Temp\Freakin Product\Injector.exe

"C:\Users\Admin\AppData\Local\Temp\Freakin Product\Injector.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "ver"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Add-MpPreference -ExclusionPath \"C:\Users\Admin\Robux Generator\""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Robux Generator\activate.bat""

C:\Windows\system32\attrib.exe

attrib +s +h .

C:\Users\Admin\Robux Generator\runtime.exe

"runtime.exe"

C:\Windows\system32\taskkill.exe

taskkill /f /im "Injector.exe"

C:\Users\Admin\Robux Generator\runtime.exe

"runtime.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "ver"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Add-MpPreference -ExclusionPath \"C:\Users\Admin\Robux Generator\""

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell (Get-CimInstance Win32_ComputerSystemProduct).UUID

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\Robux Generator\runtime.exe

"C:\Users\Admin\Robux Generator\runtime.exe"

C:\Users\Admin\Robux Generator\runtime.exe

"C:\Users\Admin\Robux Generator\runtime.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "ver"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Add-MpPreference -ExclusionPath \"C:\Users\Admin\Robux Generator\""

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 133.130.81.91.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 discord.com udp
US 162.159.137.232:443 discord.com tcp
US 8.8.8.8:53 232.137.159.162.in-addr.arpa udp
US 8.8.8.8:53 gateway.discord.gg udp
US 162.159.134.234:443 gateway.discord.gg tcp
US 8.8.8.8:53 234.134.159.162.in-addr.arpa udp
N/A 127.0.0.1:54355 tcp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 162.159.137.232:443 discord.com tcp
N/A 127.0.0.1:55554 tcp
US 162.159.134.234:443 gateway.discord.gg tcp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI18842\python311.dll

MD5 387bb2c1e40bde1517f06b46313766be
SHA1 601f83ef61c7699652dec17edd5a45d6c20786c4
SHA256 0817a2a657a24c0d5fbb60df56960f42fc66b3039d522ec952dab83e2d869364
SHA512 521cde6eaa5d4a2e0ef6bbfdea50b00750ae022c1c7bd66b20654c035552b49c9d2fac18ef503bbd136a7a307bdeb97f759d45c25228a0bf0c37739b6e897bad

C:\Users\Admin\AppData\Local\Temp\_MEI18842\VCRUNTIME140.dll

MD5 be8dbe2dc77ebe7f88f910c61aec691a
SHA1 a19f08bb2b1c1de5bb61daf9f2304531321e0e40
SHA256 4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83
SHA512 0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

C:\Users\Admin\AppData\Local\Temp\_MEI18842\base_library.zip

MD5 4b011f052728ae5007f9ec4e97a4f625
SHA1 9d940561f08104618ec9e901a9cd0cd13e8b355d
SHA256 c88cd8549debc046a980b0be3bf27956ae72dcdcf1a448e55892194752c570e6
SHA512 be405d80d78a188a563086809c372c44bcd1ccab5a472d50714f559559795a1df49437c1712e15eb0403917c7f6cfaf872d6bb0c8e4dd67a512c2c4a5ae93055

C:\Users\Admin\AppData\Local\Temp\_MEI18842\_ctypes.pyd

MD5 565d011ce1cee4d48e722c7421300090
SHA1 9dc300e04e5e0075de4c0205be2e8aae2064ae19
SHA256 c148292328f0aab7863af82f54f613961e7cb95b7215f7a81cafaf45bd4c42b7
SHA512 5af370884b5f82903fd93b566791a22e5b0cded7f743e6524880ea0c41ee73037b71df0be9f07d3224c733b076bec3be756e7e77f9e7ed5c2dd9505f35b0e4f5

C:\Users\Admin\AppData\Local\Temp\_MEI18842\libffi-8.dll

MD5 0f8e4992ca92baaf54cc0b43aaccce21
SHA1 c7300975df267b1d6adcbac0ac93fd7b1ab49bd2
SHA256 eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a
SHA512 6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

C:\Users\Admin\AppData\Local\Temp\_MEI18842\SDL2.dll

MD5 83c5ff24eae3b9038d74ad91dc884e32
SHA1 81bf9f8109d73604768bf5310f1f70af62b72e43
SHA256 520d0459b91efa32fbccf9027a9ca1fc5aae657e679ce8e90f179f9cf5afd279
SHA512 38ff01891ad5093d0e4f222c5ab703a540514271bf3b94fb65f910193262af722adb9d4f4d2bd6a54c090a7d631d8c98497b7d78bd21359fdea756ff3ac63689

C:\Users\Admin\AppData\Local\Temp\_MEI18842\_socket.pyd

MD5 b77017baa2004833ef3847a3a3141280
SHA1 39666f74bd076015b376fc81250dff89dff4b0a6
SHA256 a19e3c7c03ef1b5625790b1c9c42594909311ab6df540fbf43c6aa93300ab166
SHA512 6b24d0e038c433b995bd05de7c8fe7dd7b0a11152937c189b8854c95780b0220a9435de0db7ac796a7de11a59c61d56b1aef9a8dbaba62d02325122ceb8b003d

C:\Users\Admin\AppData\Local\Temp\_MEI18842\select.pyd

MD5 e4ab524f78a4cf31099b43b35d2faec3
SHA1 a9702669ef49b3a043ca5550383826d075167291
SHA256 bae0974390945520eb99ab32486c6a964691f8f4a028ac408d98fa8fb0db7d90
SHA512 5fccfb3523c87ad5ab2cde4b9c104649c613388bc35b6561517ae573d3324f9191dd53c0f118b9808ba2907440cbc92aecfc77d0512ef81534e970118294cdee

C:\Users\Admin\AppData\Local\Temp\_MEI18842\charset_normalizer\md__mypyc.cp311-win_amd64.pyd

MD5 9ea8098d31adb0f9d928759bdca39819
SHA1 e309c85c1c8e6ce049eea1f39bee654b9f98d7c5
SHA256 3d9893aa79efd13d81fcd614e9ef5fb6aad90569beeded5112de5ed5ac3cf753
SHA512 86af770f61c94dfbf074bcc4b11932bba2511caa83c223780112bda4ffb7986270dc2649d4d3ea78614dbce6f7468c8983a34966fc3f2de53055ac6b5059a707

C:\Users\Admin\AppData\Local\Temp\_MEI18842\charset_normalizer\md.cp311-win_amd64.pyd

MD5 723ec2e1404ae1047c3ef860b9840c29
SHA1 8fc869b92863fb6d2758019dd01edbef2a9a100a
SHA256 790a11aa270523c2efa6021ce4f994c3c5a67e8eaaaf02074d5308420b68bd94
SHA512 2e323ae5b816adde7aaa14398f1fdb3efe15a19df3735a604a7db6cadc22b753046eab242e0f1fbcd3310a8fbb59ff49865827d242baf21f44fd994c3ac9a878

C:\Users\Admin\AppData\Local\Temp\_MEI18842\_queue.pyd

MD5 7f52ef40b083f34fd5e723e97b13382f
SHA1 626d47df812738f28bc87c7667344b92847fdf6a
SHA256 3f8e7e6aa13b417acc78b63434fb1144e6319a010a9fc376c54d6e69b638fe4c
SHA512 48f7723a8c039abd6ccb2906fbd310f0cfa170dcbdf89a6437dd02c8f77f20e6c7c402d29b922cdaabd357d3a33e34c3ad826127134f38d77a4d6d9c83371949

C:\Users\Admin\AppData\Local\Temp\_MEI18842\libssl-3.dll

MD5 19a2aba25456181d5fb572d88ac0e73e
SHA1 656ca8cdfc9c3a6379536e2027e93408851483db
SHA256 2e9fbcd8f7fdc13a5179533239811456554f2b3aa2fb10e1b17be0df81c79006
SHA512 df17dc8a882363a6c5a1b78ba3cf448437d1118ccc4a6275cc7681551b13c1a4e0f94e30ffb94c3530b688b62bff1c03e57c2c185a7df2bf3e5737a06e114337

C:\Users\Admin\AppData\Local\Temp\_MEI18842\_ssl.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI18842\libcrypto-3.dll

C:\Users\Admin\AppData\Local\Temp\_MEI18842\_hashlib.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI18842\_uuid.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI18842\_tkinter.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI18842\_sqlite3.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI18842\_overlapped.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI18842\_multiprocessing.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI18842\_elementtree.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI18842\_decimal.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI18842\_cffi_backend.cp311-win_amd64.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI18842\_asyncio.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI18842\zlib1.dll

C:\Users\Admin\AppData\Local\Temp\_MEI18842\VCRUNTIME140_1.dll

C:\Users\Admin\AppData\Local\Temp\_MEI18842\unicodedata.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI18842\tk86t.dll

C:\Users\Admin\AppData\Local\Temp\_MEI18842\tcl86t.dll

C:\Users\Admin\AppData\Local\Temp\_MEI18842\sqlite3.dll

C:\Users\Admin\AppData\Local\Temp\_MEI18842\SDL2_ttf.dll

C:\Users\Admin\AppData\Local\Temp\_MEI18842\SDL2_mixer.dll

C:\Users\Admin\AppData\Local\Temp\_MEI18842\SDL2_image.dll

C:\Users\Admin\AppData\Local\Temp\_MEI18842\pyexpat.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI18842\portmidi.dll

C:\Users\Admin\AppData\Local\Temp\_MEI18842\libwebp-7.dll

C:\Users\Admin\AppData\Local\Temp\_MEI18842\libtiff-5.dll

C:\Users\Admin\AppData\Local\Temp\_MEI18842\libpng16-16.dll

C:\Users\Admin\AppData\Local\Temp\_MEI18842\libopusfile-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI18842\libopus-0.x64.dll

C:\Users\Admin\AppData\Local\Temp\_MEI18842\libopus-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI18842\libogg-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI18842\libmodplug-1.dll

C:\Users\Admin\AppData\Local\Temp\_MEI18842\libjpeg-9.dll

C:\Users\Admin\AppData\Local\Temp\_MEI18842\freetype.dll

C:\Users\Admin\AppData\Local\Temp\_MEI18842\_lzma.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI18842\_bz2.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI18842\python3.dll

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ltaje1v1.omd.ps1

C:\Users\Admin\AppData\Local\Temp\_MEI53282\attrs-23.2.0.dist-info\INSTALLER

C:\Users\Admin\AppData\Local\Temp\_MEI53282\tcl\encoding\euc-cn.enc
