Analysis Overview
SHA256
67b65b3c64249a9b168acfa3e39411666f65c27c624f21cfe0fad19aeda730f5
Threat Level: Known bad
The file anyrun-detect.exe was found to be: Known bad.
Malicious Activity Summary
Xenorat family
XenorRat
Detect XenoRat Payload
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Checks computer location settings
Checks BIOS information in registry
Loads dropped DLL
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
UPX packed file
System Location Discovery: System Language Discovery
Unsigned PE
Detects Pyinstaller
Enumerates physical storage devices
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SendNotifyMessage
Detects videocard installed
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies registry class
Modifies registry key
Checks SCSI registry key(s)
Checks processor information in registry
Runs regedit.exe
Scheduled Task/Job: Scheduled Task
Suspicious use of FindShellTrayWindow
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-03-23 11:31
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-03-23 11:31
Reported
2025-03-23 11:49
Platform
win10v2004-20250314-en
Max time kernel
1048s
Max time network
1049s
Command Line
Signatures
Detect XenoRat Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XenorRat
Xenorat family
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\regedit.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\system32\reg.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Windows\regedit.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\NotifyTemp_b8076aa0\updaterr.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\NotifyTemp_b8076aa0\updater.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\NotifyTemp_b8076aa0\updaterr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\NotifyTemp_b8076aa0\client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\updaterr.exe | N/A |
Loads dropped DLL
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdateService = "powershell.exe -WindowStyle Hidden -Command \"C:\\Users\\Admin\\AppData\\Local\\NotifyTemp_b8076aa0\\client.exe\"" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdateClient = "powershell.exe -WindowStyle Hidden -Command \"C:\\Users\\Admin\\AppData\\Local\\NotifyTemp_b8076aa0\\updaterr.exe\"" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | 2.tcp.ngrok.io | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\NotifyTemp_b8076aa0\updaterr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\XenoManager\updaterr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | C:\Windows\regedit.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | C:\Windows\regedit.exe | N/A |
Detects videocard installed
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BootArchitecture | C:\Windows\regedit.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\PreferredProfile | C:\Windows\regedit.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Capabilities | C:\Windows\regedit.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor | C:\Windows\regedit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter | C:\Windows\regedit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses | C:\Windows\regedit.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses | C:\Windows\regedit.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Component Information | C:\Windows\regedit.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Configuration Data | C:\Windows\regedit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor | C:\Windows\regedit.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter | C:\Windows\regedit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\regedit.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\regedit.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\regedit.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings | C:\Windows\system32\taskmgr.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
Runs regedit.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\regedit.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\regedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\NotifyTemp_b8076aa0\updater.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\anyrun-detect.exe
"C:\Users\Admin\AppData\Local\Temp\anyrun-detect.exe"
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Users\Admin\AppData\Local\Temp\anyrun-detect.exe
anyrun-detect.exe
C:\Windows\regedit.exe
regedit
C:\Windows\regedit.exe
"C:\Windows\regedit.exe"
C:\Windows\system32\reg.exe
reg query hklm\hardware\description\system /v SystemBiosVersion
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Users\Admin\AppData\Local\NotifyTemp_b8076aa0\updater.exe
"C:\Users\Admin\AppData\Local\NotifyTemp_b8076aa0\updater.exe"
C:\Users\Admin\AppData\Local\NotifyTemp_b8076aa0\updaterr.exe
"C:\Users\Admin\AppData\Local\NotifyTemp_b8076aa0\updaterr.exe"
C:\Users\Admin\AppData\Local\NotifyTemp_b8076aa0\client.exe
"C:\Users\Admin\AppData\Local\NotifyTemp_b8076aa0\client.exe"
C:\Users\Admin\AppData\Local\NotifyTemp_b8076aa0\client.exe
"C:\Users\Admin\AppData\Local\NotifyTemp_b8076aa0\client.exe"
C:\Users\Admin\AppData\Roaming\XenoManager\updaterr.exe
"C:\Users\Admin\AppData\Roaming\XenoManager\updaterr.exe"
C:\Users\Admin\AppData\Local\NotifyTemp_b8076aa0\updater.exe
"C:\Users\Admin\AppData\Local\NotifyTemp_b8076aa0\updater.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "infoi"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /Create /TN "office365m" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8605.tmp" /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.179.227:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | reddit.com.im | udp |
| US | 76.76.21.21:80 | reddit.com.im | tcp |
| US | 76.76.21.21:443 | reddit.com.im | tcp |
| US | 8.8.8.8:53 | pronotinew1.vercel.app | udp |
| US | 216.198.79.129:443 | pronotinew1.vercel.app | tcp |
| US | 8.8.8.8:53 | officemcr.vercel.app | udp |
| US | 64.29.17.1:443 | officemcr.vercel.app | tcp |
| US | 8.8.8.8:53 | tgnewn.vercel.app | udp |
| US | 64.29.17.1:443 | tgnewn.vercel.app | tcp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| GB | 172.217.16.227:443 | gstatic.com | tcp |
| US | 8.8.8.8:53 | luna-mz1v6.in | udp |
| US | 8.8.8.8:53 | 2.tcp.ngrok.io | udp |
| US | 3.138.45.170:15185 | 2.tcp.ngrok.io | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yg4yqlxx.0pq.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\NotifyTemp_b8076aa0\updater.exe
| MD5 | 057342aca360ea1144ddf56af792de61 |
| SHA1 | 4ca437d938ce1b768bb738463ea0d2a5588d5419 |
| SHA256 | 7d062acf8a56f6189b903bbb6627101c7cc515e1cae47765d345aee899bc16af |
| SHA512 | 313dc6a16c64424cd56658757ccf35be5e5003622899b4d63bd4c0f86b411fe14c4b9f62460752fa786d9d9b482224069d67f39a7dba614d5c1329a4a54fbd25 |
C:\Users\Admin\AppData\Local\NotifyTemp_b8076aa0\updaterr.exe
| MD5 | 55da7b69b81adb08ba5e14da33c97d7a |
| SHA1 | 532d159edcd1f6b72e1ae308206af921b88fd38e |
| SHA256 | 7e0acb666458ce766d64dcf536e7a6a2aad1ed5e7c175b6014b1cae1a65945a1 |
| SHA512 | 38ca6985a55a1e14f61b7ff9a087ba5024573cab641c73ddac1db013ff028025f178a9f5e603cd933114c62dd64cc393a23aa927574a479f6a85d68ef157285b |
C:\Users\Admin\AppData\Local\NotifyTemp_b8076aa0\client.exe
| MD5 | 6685554822efc6a80004cca63cdfa7b0 |
| SHA1 | 91ded7a0e42f105524446b32e7810ae30d7c01b6 |
| SHA256 | ae6ad8ca221daf98bfe44160e34bae878631810c80a300aae64b8714e456abff |
| SHA512 | 7d61276e215518e35c3943ea522aa34820568561782dfbbef4c0362b82073ed20c2cf4200ddde140a9231b25214daa8979e059ab6bb04755ca7a245fe3d1a9a2 |
C:\Users\Admin\AppData\Local\Temp\_MEI43122\VCRUNTIME140.dll
| MD5 | f12681a472b9dd04a812e16096514974 |
| SHA1 | 6fd102eb3e0b0e6eef08118d71f28702d1a9067c |
| SHA256 | d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8 |
| SHA512 | 7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2 |
C:\Users\Admin\AppData\Local\Temp\_MEI43122\_ssl.pyd
| MD5 | 069bccc9f31f57616e88c92650589bdd |
| SHA1 | 050fc5ccd92af4fbb3047be40202d062f9958e57 |
| SHA256 | cb42e8598e3fa53eeebf63f2af1730b9ec64614bda276ab2cd1f1c196b3d7e32 |
| SHA512 | 0e5513fbe42987c658dba13da737c547ff0b8006aecf538c2f5cf731c54de83e26889be62e5c8a10d2c91d5ada4d64015b640dab13130039a5a8a5ab33a723dc |
C:\Users\Admin\AppData\Local\Temp\_MEI43122\python3.dll
| MD5 | 34e49bb1dfddf6037f0001d9aefe7d61 |
| SHA1 | a25a39dca11cdc195c9ecd49e95657a3e4fe3215 |
| SHA256 | 4055d1b9e553b78c244143ab6b48151604003b39a9bf54879dee9175455c1281 |
| SHA512 | edb715654baaf499cf788bcacd5657adcf9f20b37b02671abe71bda334629344415ed3a7e95cb51164e66a7aa3ed4bf84acb05649ccd55e3f64036f3178b7856 |
C:\Users\Admin\AppData\Local\Temp\_MEI43122\_socket.pyd
| MD5 | 8140bdc5803a4893509f0e39b67158ce |
| SHA1 | 653cc1c82ba6240b0186623724aec3287e9bc232 |
| SHA256 | 39715ef8d043354f0ab15f62878530a38518fb6192bc48da6a098498e8d35769 |
| SHA512 | d0878fee92e555b15e9f01ce39cfdc3d6122b41ce00ec3a4a7f0f661619f83ec520dca41e35a1e15650fb34ad238974fe8019577c42ca460dde76e3891b0e826 |
C:\Users\Admin\AppData\Local\Temp\_MEI43122\_queue.pyd
| MD5 | ff8300999335c939fcce94f2e7f039c0 |
| SHA1 | 4ff3a7a9d9ca005b5659b55d8cd064d2eb708b1a |
| SHA256 | 2f71046891ba279b00b70eb031fe90b379dbe84559cf49ce5d1297ea6bf47a78 |
| SHA512 | f29b1fd6f52130d69c8bd21a72a71841bf67d54b216febcd4e526e81b499b9b48831bb7cdff0bff6878aab542ca05d6326b8a293f2fb4dd95058461c0fd14017 |
C:\Users\Admin\AppData\Local\Temp\_MEI43122\_lzma.pyd
| MD5 | 337b0e65a856568778e25660f77bc80a |
| SHA1 | 4d9e921feaee5fa70181eba99054ffa7b6c9bb3f |
| SHA256 | 613de58e4a9a80eff8f8bc45c350a6eaebf89f85ffd2d7e3b0b266bf0888a60a |
| SHA512 | 19e6da02d9d25ccef06c843b9f429e6b598667270631febe99a0d12fc12d5da4fb242973a8351d3bf169f60d2e17fe821ad692038c793ce69dfb66a42211398e |
C:\Users\Admin\AppData\Local\Temp\_MEI43122\libcrypto-1_1.dll
| MD5 | 6f4b8eb45a965372156086201207c81f |
| SHA1 | 8278f9539463f0a45009287f0516098cb7a15406 |
| SHA256 | 976ce72efd0a8aeeb6e21ad441aa9138434314ea07f777432205947cdb149541 |
| SHA512 | 2c5c54842aba9c82fb9e7594ae9e264ac3cbdc2cc1cd22263e9d77479b93636799d0f28235ac79937070e40b04a097c3ea3b7e0cd4376a95ed8ca90245b7891f |
C:\Users\Admin\AppData\Local\Temp\_MEI43122\certifi\cacert.pem
| MD5 | 234d271ecb91165aaec148ad6326dd39 |
| SHA1 | d7fccec47f7a5fbc549222a064f3053601400b6f |
| SHA256 | c55b21f907f7f86d48add093552fb5651749ff5f860508ccbb423d6c1fbd80c7 |
| SHA512 | 69289a9b1b923d89ba6e914ab601c9aee4d03ff98f4ed8400780d4b88df5f4d92a8ca1a458abcfde00c8455d3676aca9ec03f7d0593c64b7a05ed0895701d7ed |
C:\Users\Admin\AppData\Local\Temp\_MEI43122\unicodedata.pyd
| MD5 | bc58eb17a9c2e48e97a12174818d969d |
| SHA1 | 11949ebc05d24ab39d86193b6b6fcff3e4733cfd |
| SHA256 | ecf7836aa0d36b5880eb6f799ec402b1f2e999f78bfff6fb9a942d1d8d0b9baa |
| SHA512 | 4aa2b2ce3eb47503b48f6a888162a527834a6c04d3b49c562983b4d5aad9b7363d57aef2e17fe6412b89a9a3b37fb62a4ade4afc90016e2759638a17b1deae6c |
C:\Users\Admin\AppData\Local\Temp\_MEI43122\charset_normalizer\md__mypyc.cp311-win_amd64.pyd
| MD5 | bd18f35f8a56415ec604d97bd3dd44c4 |
| SHA1 | 63f51eb5dafeb24327e3bcb63828336c920b4fcd |
| SHA256 | f3501ebce24205f3dc54192cd917eab9a899fe936570650253d4c1466383eff1 |
| SHA512 | 3c1c268005f494413cd2f9409b64ed3a2c9af558c0f317447af2c27776406c61dcb28ae6720af156145078ec565a14a3e12d409e57389bb3d4d10f8d7a92a7d1 |
C:\Users\Admin\AppData\Local\Temp\_MEI43122\PIL\_imaging.cp311-win_amd64.pyd
| MD5 | 12b15796716a81a13b79a79d26c61f22 |
| SHA1 | a0fb9e7ee4778a6d0c2f642586754a0eee5486b8 |
| SHA256 | b231d11718a12994a32e744b93f830e931409ae13faeb150d9f020a2e81cb18c |
| SHA512 | 5480d3165a66fab6ac7d6a7abc2608b7bd54eae0d267ce5a41c697538db4236a2234deaed6f989964181cd0c5ac6305ecd15524a18f0f2eb1daac2b807bc5e10 |
C:\Users\Admin\AppData\Local\Temp\_MEI43122\charset_normalizer\md.cp311-win_amd64.pyd
| MD5 | e3d495cf14d857349554a3606a8e7210 |
| SHA1 | db0843b89a84fb37efd3c76168bcb303174aac29 |
| SHA256 | e21f4c40c29be0b115463e7bb8a365946a4afc152b9fff602abd41c6e0ce68a2 |
| SHA512 | 8f69a16042e88bc51d30ad4c78d8240e2619104324e79e5f382975486bfb39b4e0a3c35976d08399300d7823d6a358104658374daf36a513ce0774f3611d4d6e |
C:\Users\Admin\AppData\Local\Temp\_MEI43122\_hashlib.pyd
| MD5 | de4d104ea13b70c093b07219d2eff6cb |
| SHA1 | 83daf591c049f977879e5114c5fea9bbbfa0ad7b |
| SHA256 | 39bc615842a176db72d4e0558f3cdcae23ab0623ad132f815d21dcfbfd4b110e |
| SHA512 | 567f703c2e45f13c6107d767597dba762dc5caa86024c87e7b28df2d6c77cd06d3f1f97eed45e6ef127d5346679fea89ac4dc2c453ce366b6233c0fa68d82692 |
C:\Users\Admin\AppData\Local\Temp\_MEI43122\libssl-1_1.dll
| MD5 | 8769adafca3a6fc6ef26f01fd31afa84 |
| SHA1 | 38baef74bdd2e941ccd321f91bfd49dacc6a3cb6 |
| SHA256 | 2aebb73530d21a2273692a5a3d57235b770daf1c35f60c74e01754a5dac05071 |
| SHA512 | fac22f1a2ffbfb4789bdeed476c8daf42547d40efe3e11b41fadbc4445bb7ca77675a31b5337df55fdeb4d2739e0fb2cbcac2feabfd4cd48201f8ae50a9bd90b |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\updaterr.exe.log
| MD5 | 916851e072fbabc4796d8916c5131092 |
| SHA1 | d48a602229a690c512d5fdaf4c8d77547a88e7a2 |
| SHA256 | 7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d |
| SHA512 | 07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521 |
C:\Users\Admin\AppData\Local\Temp\_MEI43122\select.pyd
| MD5 | 97ee623f1217a7b4b7de5769b7b665d6 |
| SHA1 | 95b918f3f4c057fb9c878c8cc5e502c0bd9e54c0 |
| SHA256 | 0046eb32f873cde62cf29af02687b1dd43154e9fd10e0aa3d8353d3debb38790 |
| SHA512 | 20edc7eae5c0709af5c792f04a8a633d416da5a38fc69bd0409afe40b7fb1afa526de6fe25d8543ece9ea44fd6baa04a9d316ac71212ae9638bdef768e661e0f |
C:\Users\Admin\AppData\Local\Temp\_MEI43122\_bz2.pyd
| MD5 | 4101128e19134a4733028cfaafc2f3bb |
| SHA1 | 66c18b0406201c3cfbba6e239ab9ee3dbb3be07d |
| SHA256 | 5843872d5e2b08f138a71fe9ba94813afee59c8b48166d4a8eb0f606107a7e80 |
| SHA512 | 4f2fc415026d7fd71c5018bc2ffdf37a5b835a417b9e5017261849e36d65375715bae148ce8f9649f9d807a63ac09d0fb270e4abae83dfa371d129953a5422ca |
C:\Users\Admin\AppData\Local\Temp\_MEI43122\_elementtree.pyd
| MD5 | 63629a705bffca85ce6a4539bfbdd760 |
| SHA1 | c5bf5f263e4284766cfb27d4b7417e62cce88d12 |
| SHA256 | df71d64818cfecd61ad0122bea23b685d01bd241f1b06879a2999917818b0787 |
| SHA512 | c9191b97fa40661fc5b85fc40f51a7177f7dc9e23acfc5842921631ebb7cd253736af748108c5afc03683f94fbf9c2f02fca7415303f7226f1d30c18e2dddb10 |
C:\Users\Admin\AppData\Local\Temp\_MEI43122\_decimal.pyd
| MD5 | d47e6acf09ead5774d5b471ab3ab96ff |
| SHA1 | 64ce9b5d5f07395935df95d4a0f06760319224a2 |
| SHA256 | d0df57988a74acd50b2d261e8b5f2c25da7b940ec2aafbee444c277552421e6e |
| SHA512 | 52e132ce94f21fa253fed4cf1f67e8d4423d8c30224f961296ee9f64e2c9f4f7064d4c8405cd3bb67d3cf880fe4c21ab202fa8cf677e3b4dad1be6929dbda4e2 |
C:\Users\Admin\AppData\Local\Temp\_MEI43122\_cffi_backend.cp311-win_amd64.pyd
| MD5 | 739d352bd982ed3957d376a9237c9248 |
| SHA1 | 961cf42f0c1bb9d29d2f1985f68250de9d83894d |
| SHA256 | 9aee90cf7980c8ff694bb3ffe06c71f87eb6a613033f73e3174a732648d39980 |
| SHA512 | 585a5143519ed9b38bb53f912cea60c87f7ce8ba159a1011cf666f390c2e3cc149e0ac601b008e039a0a78eaf876d7a3f64fff612f5de04c822c6e214bc2efde |
C:\Users\Admin\AppData\Local\Temp\_MEI43122\pyexpat.pyd
| MD5 | 1c0a578249b658f5dcd4b539eea9a329 |
| SHA1 | efe6fa11a09dedac8964735f87877ba477bec341 |
| SHA256 | d97f3e27130c267e7d3287d1b159f65559e84ead9090d02a01b4c7dc663cd509 |
| SHA512 | 7b21dcd7b64eeba13ba8a618960190d1a272fa4805dedcf8f9e1168aebfe890b0ced991435ecbd353467a046fc0e8307f9a9be1021742d7d93aa124c52cc49e6 |
C:\Users\Admin\AppData\Local\Temp\_MEI43122\base_library.zip
| MD5 | 296d092f9617ea59cd5e7a2ba6904c9f |
| SHA1 | 6d07ceb5a7a253d103208ca872c0601d047c23f0 |
| SHA256 | 5ac721167416acd2c30da6292f7cbbf05d365207cf45e8deb552a8db4f35f8f2 |
| SHA512 | bceee1c013d165d2169b2456d897ecda753f734dadc567fec58a3d25e848f3d5839a5a04b1f47bd2418a4876b0f97c593f65df99cee7f3383d24f7573ca878ee |
C:\Users\Admin\AppData\Local\Temp\_MEI43122\python311.dll
| MD5 | 9a24c8c35e4ac4b1597124c1dcbebe0f |
| SHA1 | f59782a4923a30118b97e01a7f8db69b92d8382a |
| SHA256 | a0cf640e756875c25c12b4a38ba5f2772e8e512036e2ac59eb8567bf05ffbfb7 |
| SHA512 | 9d9336bf1f0d3bc9ce4a636a5f4e52c5f9487f51f00614fc4a34854a315ce7ea8be328153812dbd67c45c75001818fa63317eba15a6c9a024fa9f2cab163165b |
C:\Users\Admin\AppData\Local\Temp\_MEI21082\setuptools-65.5.0.dist-info\INSTALLER
| MD5 | 365c9bfeb7d89244f2ce01c1de44cb85 |
| SHA1 | d7a03141d5d6b1e88b6b59ef08b6681df212c599 |
| SHA256 | ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508 |
| SHA512 | d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1 |
C:\Users\Admin\AppData\Local\Temp\_MEI21082\python311.dll
| MD5 | 4fcf14c7837f8b127156b8a558db0bb2 |
| SHA1 | 8de2711d00bef7b5f2dcf8a2c6871fa1db67cf1f |
| SHA256 | a67df621a383f4ce5a408e0debe3ebc49ffc766d6a1d6d9a7942120b8ec054dc |
| SHA512 | 7a6195495b48f66c35b273a2c9d7ff59e96a4180ea8503f31c8b131167c6cdddd8d6fe77388a34096964a73c85eab504281a14ae3d05350cfee5c51d2491cec8 |
memory/1120-886-0x00007FFB4E730000-0x00007FFB4ED18000-memory.dmp
memory/1120-893-0x00007FFB6A5C0000-0x00007FFB6A5E4000-memory.dmp
memory/1120-896-0x00007FFB6F070000-0x00007FFB6F07F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI21082\libffi-8.dll
| MD5 | 24ea21ebcc3bef497d2bd208e7986f88 |
| SHA1 | d936f79431517b9687ee54d837e9e4be7afc082d |
| SHA256 | 18c097ef19f3e502a025c1d63cfec73a4fa30c5482286f4000d40d4784a0070a |
| SHA512 | 1bdbeddd812ecc2cdfbbf3498b0a8ef551cc18ce73fc30eb40b415fab0cdd20b80057a25a33ca2f9247b08978838df3587a3caf6e1a8e108c5a9a4f67dd75a94 |
memory/1120-898-0x00007FFB6A420000-0x00007FFB6A439000-memory.dmp
memory/1120-899-0x00007FFB69F00000-0x00007FFB69F2D000-memory.dmp
memory/1120-901-0x00007FFB6A400000-0x00007FFB6A419000-memory.dmp
memory/1120-904-0x00007FFB69E90000-0x00007FFB69EBE000-memory.dmp
memory/1120-908-0x00007FFB69E60000-0x00007FFB69E8B000-memory.dmp
memory/1120-907-0x00007FFB6A5C0000-0x00007FFB6A5E4000-memory.dmp
memory/1120-906-0x00007FFB5B210000-0x00007FFB5B2CC000-memory.dmp
memory/1120-911-0x00007FFB6A420000-0x00007FFB6A439000-memory.dmp
memory/1120-914-0x00007FFB5B150000-0x00007FFB5B208000-memory.dmp
memory/1120-918-0x00007FFB69A80000-0x00007FFB69A92000-memory.dmp
memory/1120-917-0x00007FFB6A400000-0x00007FFB6A419000-memory.dmp
memory/1120-916-0x00007FFB69AA0000-0x00007FFB69AB5000-memory.dmp
memory/1120-915-0x00007FFB69EC0000-0x00007FFB69EF5000-memory.dmp
memory/1120-920-0x00007FFB576F0000-0x00007FFB5780C000-memory.dmp
memory/1120-919-0x00007FFB6EF20000-0x00007FFB6EF2D000-memory.dmp
memory/1120-913-0x00007FFB69F00000-0x00007FFB69F2D000-memory.dmp
memory/1120-912-0x00007FFB4E3B0000-0x00007FFB4E725000-memory.dmp
memory/1120-910-0x00007FFB69E30000-0x00007FFB69E5E000-memory.dmp
memory/1120-909-0x00007FFB6F070000-0x00007FFB6F07F000-memory.dmp
memory/1120-905-0x00007FFB4E730000-0x00007FFB4ED18000-memory.dmp
memory/1120-903-0x00007FFB6EEA0000-0x00007FFB6EEAD000-memory.dmp
memory/1120-902-0x00007FFB6EF20000-0x00007FFB6EF2D000-memory.dmp
memory/1120-900-0x00007FFB69EC0000-0x00007FFB69EF5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI21082\_bz2.pyd
| MD5 | af3d45698d379c97a90cca9625bc5926 |
| SHA1 | 0783866af330c1029253859574c369901969208e |
| SHA256 | 47af0730824f96865b5e20f8bba34b0d5f3a330087411adba71269312bf7ccec |
| SHA512 | 117e95d2ba0432f5ece882ad67a3fbf2e2cd251b4327a0d66b3fffd444e2d1813ddb568321bde1636b4180d19607db6103df145153e4ff84e9be601fd2dd5691 |
C:\Users\Admin\AppData\Local\Temp\_MEI21082\_ctypes.pyd
| MD5 | 2346cf6a1ad336f3ee23c4ec3ff7871c |
| SHA1 | e36b759c0b78d2def431aa11bcbb7d7cf02f1eea |
| SHA256 | 490a11d03dd3aeb05a410eb0d285e3da788e73b643ea9914fffd5a2c102dc1df |
| SHA512 | 7a92de4937b23952e2a31bb09a58b2ad81c06da23704e4b4f964eb42948adad1a1e57920c021283da1b7154e7ac19e46031ffee6b69a73acbc85d95ef45bf8ff |
C:\Users\Admin\AppData\Local\Temp\_MEI21082\base_library.zip
| MD5 | 381f25d953dd41b4592dc378529b3939 |
| SHA1 | 570715d807c8a6ecbbee18476c9b5ea451b9d01f |
| SHA256 | 6fb48a334048f958e96547c8023f2fa713af8d2434aa3336aa2cffecb305c8d6 |
| SHA512 | 278988a0df2e0773fbe7b31eed688a2c20033458c6f2b07417f7d5103840cb84969d9e2608d3112f59ede3906d81ad304adcd587b6d401560c89a8dd208cb7a0 |
memory/1120-921-0x00007FFB6EEA0000-0x00007FFB6EEAD000-memory.dmp
memory/1120-923-0x00007FFB5B210000-0x00007FFB5B2CC000-memory.dmp
memory/1120-922-0x00007FFB69E90000-0x00007FFB69EBE000-memory.dmp
memory/1120-925-0x00007FFB69E60000-0x00007FFB69E8B000-memory.dmp
memory/1120-926-0x00007FFB69E30000-0x00007FFB69E5E000-memory.dmp
memory/1120-933-0x00007FFB69970000-0x00007FFB69997000-memory.dmp
memory/1120-937-0x00007FFB642D0000-0x00007FFB642F3000-memory.dmp
memory/1120-938-0x00007FFB4E230000-0x00007FFB4E3A3000-memory.dmp
memory/1120-939-0x00007FFB63E30000-0x00007FFB63E67000-memory.dmp
memory/1120-944-0x00007FFB69960000-0x00007FFB6996B000-memory.dmp
memory/1120-946-0x00007FFB69920000-0x00007FFB6992C000-memory.dmp
memory/1120-958-0x00007FFB6A5B0000-0x00007FFB6A5BB000-memory.dmp
memory/1120-962-0x00007FFB60AC0000-0x00007FFB60ACD000-memory.dmp
memory/1120-969-0x00007FFB4DFC0000-0x00007FFB4E225000-memory.dmp
memory/1120-968-0x00007FFB5B120000-0x00007FFB5B149000-memory.dmp
memory/1120-967-0x00007FFB67D10000-0x00007FFB67D1C000-memory.dmp
memory/1120-966-0x00007FFB60A90000-0x00007FFB60A9C000-memory.dmp
memory/1120-982-0x00007FFB69E30000-0x00007FFB69E5E000-memory.dmp
memory/1120-1012-0x00007FFB69960000-0x00007FFB6996B000-memory.dmp
memory/1120-1011-0x00007FFB69A70000-0x00007FFB69A7C000-memory.dmp
memory/1120-1010-0x00007FFB69BC0000-0x00007FFB69BCB000-memory.dmp
memory/1120-1009-0x00007FFB6A5B0000-0x00007FFB6A5BB000-memory.dmp
memory/1120-1008-0x00007FFB60AF0000-0x00007FFB60AFB000-memory.dmp
memory/1120-1007-0x00007FFB63340000-0x00007FFB6334C000-memory.dmp
memory/1120-1006-0x00007FFB642D0000-0x00007FFB642F3000-memory.dmp
memory/1120-1005-0x00007FFB69640000-0x00007FFB69658000-memory.dmp
memory/1120-1004-0x00007FFB6A850000-0x00007FFB6A85A000-memory.dmp
memory/1120-1003-0x00007FFB589D0000-0x00007FFB58A57000-memory.dmp
memory/1120-1002-0x00007FFB6D600000-0x00007FFB6D60B000-memory.dmp
memory/1120-1001-0x00007FFB69970000-0x00007FFB69997000-memory.dmp
memory/1120-1000-0x00007FFB69A10000-0x00007FFB69A24000-memory.dmp
memory/1120-999-0x00007FFB576F0000-0x00007FFB5780C000-memory.dmp
memory/1120-998-0x00007FFB69A80000-0x00007FFB69A92000-memory.dmp
memory/1120-997-0x00007FFB5B150000-0x00007FFB5B208000-memory.dmp
memory/1120-996-0x00007FFB63E30000-0x00007FFB63E67000-memory.dmp
memory/1120-995-0x00007FFB4E230000-0x00007FFB4E3A3000-memory.dmp
memory/1120-981-0x00007FFB69E60000-0x00007FFB69E8B000-memory.dmp
memory/1120-980-0x00007FFB5B210000-0x00007FFB5B2CC000-memory.dmp
memory/1120-979-0x00007FFB69E90000-0x00007FFB69EBE000-memory.dmp
memory/1120-978-0x00007FFB6EEA0000-0x00007FFB6EEAD000-memory.dmp
memory/1120-977-0x00007FFB6EF20000-0x00007FFB6EF2D000-memory.dmp
memory/1120-976-0x00007FFB6A400000-0x00007FFB6A419000-memory.dmp
memory/1120-975-0x00007FFB69EC0000-0x00007FFB69EF5000-memory.dmp
memory/1120-974-0x00007FFB69F00000-0x00007FFB69F2D000-memory.dmp
memory/1120-973-0x00007FFB6A420000-0x00007FFB6A439000-memory.dmp
memory/1120-972-0x00007FFB6F070000-0x00007FFB6F07F000-memory.dmp
memory/1120-971-0x00007FFB6A5C0000-0x00007FFB6A5E4000-memory.dmp
memory/1120-970-0x00007FFB4E730000-0x00007FFB4ED18000-memory.dmp
memory/1120-985-0x00007FFB69AA0000-0x00007FFB69AB5000-memory.dmp
memory/1120-983-0x00007FFB4E3B0000-0x00007FFB4E725000-memory.dmp
memory/1120-965-0x00007FFB67D20000-0x00007FFB67D2B000-memory.dmp
memory/1120-964-0x00007FFB60AA0000-0x00007FFB60AB2000-memory.dmp
memory/1120-963-0x00007FFB69920000-0x00007FFB6992C000-memory.dmp
memory/1120-961-0x00007FFB69960000-0x00007FFB6996B000-memory.dmp
memory/1120-960-0x00007FFB60AD0000-0x00007FFB60ADB000-memory.dmp
memory/1120-959-0x00007FFB60AE0000-0x00007FFB60AEC000-memory.dmp
memory/1120-957-0x00007FFB60AF0000-0x00007FFB60AFB000-memory.dmp
memory/1120-956-0x00007FFB63E30000-0x00007FFB63E67000-memory.dmp
memory/1120-955-0x00007FFB63340000-0x00007FFB6334C000-memory.dmp
memory/1120-954-0x00007FFB61140000-0x00007FFB6114B000-memory.dmp
memory/1120-953-0x00007FFB63890000-0x00007FFB6389E000-memory.dmp
memory/1120-952-0x00007FFB4E230000-0x00007FFB4E3A3000-memory.dmp
memory/1120-951-0x00007FFB63E20000-0x00007FFB63E2D000-memory.dmp
memory/1120-950-0x00007FFB642D0000-0x00007FFB642F3000-memory.dmp
memory/1120-949-0x00007FFB67D10000-0x00007FFB67D1C000-memory.dmp
memory/1120-948-0x00007FFB69640000-0x00007FFB69658000-memory.dmp
memory/1120-947-0x00007FFB67D20000-0x00007FFB67D2B000-memory.dmp
memory/1120-945-0x00007FFB69970000-0x00007FFB69997000-memory.dmp
memory/1120-943-0x00007FFB69A70000-0x00007FFB69A7C000-memory.dmp
memory/1120-942-0x00007FFB69A10000-0x00007FFB69A24000-memory.dmp
memory/1120-941-0x00007FFB69BC0000-0x00007FFB69BCB000-memory.dmp
memory/1120-940-0x00007FFB6A5B0000-0x00007FFB6A5BB000-memory.dmp
memory/1120-936-0x00007FFB69640000-0x00007FFB69658000-memory.dmp
memory/1120-935-0x00007FFB6A850000-0x00007FFB6A85A000-memory.dmp
memory/1120-934-0x00007FFB576F0000-0x00007FFB5780C000-memory.dmp
memory/1120-932-0x00007FFB6D600000-0x00007FFB6D60B000-memory.dmp
memory/1120-931-0x00007FFB69AA0000-0x00007FFB69AB5000-memory.dmp
memory/1120-930-0x00007FFB69A10000-0x00007FFB69A24000-memory.dmp
memory/1120-929-0x00007FFB5B150000-0x00007FFB5B208000-memory.dmp
memory/1120-928-0x00007FFB589D0000-0x00007FFB58A57000-memory.dmp
memory/1120-927-0x00007FFB4E3B0000-0x00007FFB4E725000-memory.dmp
memory/2892-1696-0x00000254DF610000-0x00000254DF611000-memory.dmp
memory/2892-1695-0x00000254DF610000-0x00000254DF611000-memory.dmp
memory/2892-1694-0x00000254DF610000-0x00000254DF611000-memory.dmp
memory/2892-1703-0x00000254DF610000-0x00000254DF611000-memory.dmp
memory/2892-1702-0x00000254DF610000-0x00000254DF611000-memory.dmp
memory/2892-1701-0x00000254DF610000-0x00000254DF611000-memory.dmp
memory/2892-1700-0x00000254DF610000-0x00000254DF611000-memory.dmp
memory/2892-1699-0x00000254DF610000-0x00000254DF611000-memory.dmp
memory/2892-1698-0x00000254DF610000-0x00000254DF611000-memory.dmp
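The dropped-file and memory-dump entries above are the raw IOC material of this report: two PyInstaller extraction directories (`_MEI43122`, `_MEI21082`) full of Python runtime files, a `.NET` usage log for `updaterr.exe`, and many repeated dumps of the same address ranges in PID 1120. The following script is an added example, not part of the sandbox report, that parses this listing format into structured records, checks that each digest has the right length for its algorithm, groups files by `_MEI` directory, flags CLR `UsageLogs` entries (which the .NET runtime writes when a managed executable actually runs, so they are evidence of execution rather than just of a drop), and collapses duplicate memory ranges. The sample input is copied from the entries above; the helper names and the classification rules are this example's own assumptions.

```python
"""Parse a sandbox dropped-file / memory-dump listing into IOCs.

Added example, not code from the sandbox report. SAMPLE is constructed from
entries in the listing above; the rules in group_by_mei, execution_evidence
and unique_regions are this example's assumptions about what to do with them.
"""
import re
from dataclasses import dataclass, field

HASH_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

FILE_LINE = re.compile(r"^[A-Za-z]:\\")                      # Windows path line
HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
MEM_LINE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
MEI_DIR = re.compile(r"\\_MEI(\d+)\\", re.IGNORECASE)        # PyInstaller temp dir
# CLR_v4.0 is used by 64-bit managed processes, CLR_v4.0_32 by 32-bit ones.
CLR_LOG = re.compile(r"\\CLR_v4\.0(_32)?\\UsageLogs\\(.+)\.log$", re.IGNORECASE)


@dataclass
class DroppedFile:
    path: str
    hashes: dict = field(default_factory=dict)

    @property
    def mei_dir(self):
        """The _MEI<n> tag if the file lives in a PyInstaller extraction dir."""
        m = MEI_DIR.search(self.path)
        return m.group(1) if m else None


@dataclass
class MemoryRegion:
    pid: int
    seq: int
    start: int
    end: int

    @property
    def size(self):
        return self.end - self.start


def parse_listing(text):
    """Walk the listing line by line; hash rows attach to the last path seen."""
    files, regions, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if FILE_LINE.match(line):
            current = DroppedFile(path=line)
            files.append(current)
            continue
        m = HASH_ROW.match(line)
        if m and current is not None:
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != HASH_LENGTHS[algo]:
                raise ValueError(f"{algo} digest has wrong length for {current.path}")
            current.hashes[algo] = digest
            continue
        m = MEM_LINE.match(line)
        if m:
            regions.append(MemoryRegion(int(m.group(1)), int(m.group(2)),
                                        int(m.group(3), 16), int(m.group(4), 16)))
    return files, regions


def group_by_mei(files):
    """Group files by _MEI directory; files outside any _MEI dir go under None."""
    groups = {}
    for f in files:
        groups.setdefault(f.mei_dir, []).append(f)
    return groups


def execution_evidence(files):
    """(exe name, bitness) for every CLR UsageLogs entry in the listing."""
    hits = []
    for f in files:
        m = CLR_LOG.search(f.path)
        if m:
            hits.append((m.group(2), "32-bit" if m.group(1) else "64-bit"))
    return hits


def unique_regions(regions):
    """Collapse repeated dumps of the same (pid, start, end), keeping the first seq."""
    seen = {}
    for r in sorted(regions, key=lambda r: r.seq):
        seen.setdefault((r.pid, r.start, r.end), r)
    return list(seen.values())


def sha256_iocs(files):
    """Sorted, de-duplicated SHA256 set suitable for a blocklist."""
    return sorted({f.hashes["SHA256"] for f in files if "SHA256" in f.hashes})


# Constructed sample: a subset of the entries in the listing above.
SAMPLE = r"""
C:\Users\Admin\AppData\Local\Temp\_MEI43122\libcrypto-1_1.dll
| MD5 | 6f4b8eb45a965372156086201207c81f |
| SHA1 | 8278f9539463f0a45009287f0516098cb7a15406 |
| SHA256 | 976ce72efd0a8aeeb6e21ad441aa9138434314ea07f777432205947cdb149541 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\updaterr.exe.log
| MD5 | 916851e072fbabc4796d8916c5131092 |
| SHA256 | 7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d |
C:\Users\Admin\AppData\Local\Temp\_MEI21082\python311.dll
| MD5 | 4fcf14c7837f8b127156b8a558db0bb2 |
| SHA256 | a67df621a383f4ce5a408e0debe3ebc49ffc766d6a1d6d9a7942120b8ec054dc |
memory/1120-886-0x00007FFB4E730000-0x00007FFB4ED18000-memory.dmp
memory/1120-893-0x00007FFB6A5C0000-0x00007FFB6A5E4000-memory.dmp
memory/1120-907-0x00007FFB6A5C0000-0x00007FFB6A5E4000-memory.dmp
memory/1120-905-0x00007FFB4E730000-0x00007FFB4ED18000-memory.dmp
"""

if __name__ == "__main__":
    files, regions = parse_listing(SAMPLE)
    for tag, group in group_by_mei(files).items():
        print(f"_MEI{tag}" if tag else "outside _MEI", [f.path.rsplit("\\", 1)[1] for f in group])
    print("executed managed binaries:", execution_evidence(files))
    for r in unique_regions(regions):
        print(f"pid {r.pid} 0x{r.start:016X}-0x{r.end:016X} size 0x{r.size:X}")
    print("SHA256 IOCs:", sha256_iocs(files))
```

Running it over the full listing (paste the entries into `SAMPLE`) gives one group per `_MEI` directory, a single execution hit for `updaterr.exe` under the 32-bit CLR, and the distinct address ranges behind the hundreds of `memory/1120-*` lines, which is what you want before comparing dump sizes against the dropped DLLs or feeding the SHA256 set to a blocklist.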