Analysis Overview
SHA256
7ca8222b08638e514ea815fe8386c001ac0e3b48e8156933e0560b82279f178a
Threat Level: Known bad
The file Kasperipee.exe was found to be: Known bad.
Malicious Activity Summary
Exelastealer family
Exela Stealer
Grants admin privileges
Modifies Windows Firewall
Reads user/profile data of web browsers
Clipboard Data
Loads dropped DLL
Enumerates connected drives
Looks up external IP address via web service
Drops desktop.ini file(s)
Legitimate hosting services abused for malware hosting/C2
Adds Run key to start application
Network Service Discovery
Enumerates processes with tasklist
UPX packed file
Hide Artifacts: Hidden Files and Directories
Drops file in Windows directory
Launches sc.exe
Detects Pyinstaller
System Network Connections Discovery
Browser Information Discovery
System Network Configuration Discovery: Wi-Fi Discovery
System Location Discovery: System Language Discovery
Permission Groups Discovery: Local Groups
Event Triggered Execution: Netsh Helper DLL
Unsigned PE
Gathers network information
Views/modifies file attributes
Suspicious behavior: AddClipboardFormatListener
Runs net.exe
Detects videocard installed
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Collects information from the system
Checks processor information in registry
Suspicious use of AdjustPrivilegeToken
Gathers system information
Suspicious behavior: GetForegroundWindowSpam
Uses Task Scheduler COM API
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-11-19 05:44
Signatures
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-19 05:44
Reported
2024-11-19 05:47
Platform
win10ltsc2021-20241023-en
Max time kernel
71s
Max time network
66s
Command Line
Signatures
Exela Stealer
Exelastealer family
Grants admin privileges
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Clipboard Data
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Exela Update Service = "C:\\Users\\Admin\\AppData\\Local\\ExelaUpdateService\\Exela.exe" | C:\Windows\system32\reg.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Videos\desktop.ini | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A |
| File opened for modification | C:\Users\Public\Videos\desktop.ini | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\desktop.ini | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A |
| File opened for modification | C:\Users\Public\Pictures\desktop.ini | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A |
| File opened for modification | C:\Users\Admin\Music\desktop.ini | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A |
| File opened for modification | C:\Users\Public\desktop.ini | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A |
| File opened for modification | C:\Users\Public\Music\desktop.ini | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A |
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Network Service Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\ARP.EXE | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Hide Artifacts: Hidden Files and Directories
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll | C:\Windows\system32\svchost.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Browser Information Discovery
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
Permission Groups Discovery: Local Groups
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\unregmp2.exe | N/A |
System Network Configuration Discovery: Wi-Fi Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
System Network Connections Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NETSTAT.EXE | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Collects information from the system
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Detects videocard installed
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\ipconfig.exe | N/A |
| N/A | N/A | C:\Windows\system32\NETSTAT.EXE | N/A |
Gathers system information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\systeminfo.exe | N/A |
Runs net.exe
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Kasperipee.exe
"C:\Users\Admin\AppData\Local\Temp\Kasperipee.exe"
C:\Users\Admin\AppData\Local\Temp\Kasperipee.exe
"C:\Users\Admin\AppData\Local\Temp\Kasperipee.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "gdb --version"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist"
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get Manufacturer
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"
C:\Windows\System32\Wbem\WMIC.exe
wmic path Win32_ComputerSystem get Manufacturer
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe""
C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Exela Update Service" /t REG_SZ /d "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe" /f"
C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Exela Update Service" /t REG_SZ /d "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()""
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist"
C:\Windows\system32\mshta.exe
mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()"
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
C:\Windows\system32\cmd.exe
cmd.exe /c chcp
C:\Windows\system32\cmd.exe
cmd.exe /c chcp
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Clipboard
C:\Windows\system32\chcp.com
chcp
C:\Windows\system32\chcp.com
chcp
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
C:\Windows\system32\netsh.exe
netsh wlan show profiles
C:\Windows\system32\systeminfo.exe
systeminfo
C:\Windows\system32\HOSTNAME.EXE
hostname
C:\Windows\System32\Wbem\WMIC.exe
wmic logicaldisk get caption,description,providername
C:\Windows\system32\net.exe
net user
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user
C:\Windows\system32\query.exe
query user
C:\Windows\system32\quser.exe
"C:\Windows\system32\quser.exe"
C:\Windows\system32\net.exe
net localgroup
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup
C:\Windows\system32\net.exe
net localgroup administrators
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup administrators
C:\Windows\system32\net.exe
net user guest
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user guest
C:\Windows\system32\net.exe
net user administrator
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user administrator
C:\Windows\System32\Wbem\WMIC.exe
wmic startup get caption,command
C:\Windows\system32\tasklist.exe
tasklist /svc
C:\Windows\system32\ipconfig.exe
ipconfig /all
C:\Windows\system32\ROUTE.EXE
route print
C:\Windows\system32\ARP.EXE
arp -a
C:\Windows\system32\NETSTAT.EXE
netstat -ano
C:\Windows\system32\sc.exe
sc query type= service state= all
C:\Windows\system32\netsh.exe
netsh firewall show state
C:\Windows\system32\netsh.exe
netsh firewall show config
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\RevokeOptimize.aifc"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2000 -parentBuildID 20240401114208 -prefsHandle 1928 -prefMapHandle 1920 -prefsLen 23681 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7be9a240-b956-4c99-8cb8-0562ab933f3c} 4460 "\\.\pipe\gecko-crash-server-pipe.4460" gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2392 -parentBuildID 20240401114208 -prefsHandle 2372 -prefMapHandle 2368 -prefsLen 23717 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f9a8b400-c833-46e0-874b-ec7eeb20b50f} 4460 "\\.\pipe\gecko-crash-server-pipe.4460" socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2936 -childID 1 -isForBrowser -prefsHandle 3012 -prefMapHandle 2840 -prefsLen 23858 -prefMapSize 244658 -jsInitHandle 1216 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {42d6e681-104a-4b5a-8ade-58ccfe307adc} 4460 "\\.\pipe\gecko-crash-server-pipe.4460" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3952 -childID 2 -isForBrowser -prefsHandle 3964 -prefMapHandle 3960 -prefsLen 29091 -prefMapSize 244658 -jsInitHandle 1216 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b652a10f-6aab-41c4-9c4d-336498d65dea} 4460 "\\.\pipe\gecko-crash-server-pipe.4460" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4896 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4788 -prefMapHandle 4876 -prefsLen 29091 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {221f21e7-f89b-4e07-a2c1-21933c6ec4be} 4460 "\\.\pipe\gecko-crash-server-pipe.4460" utility
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5324 -childID 3 -isForBrowser -prefsHandle 5312 -prefMapHandle 5288 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1216 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {de653586-998c-4fe7-861e-696fc78e1514} 4460 "\\.\pipe\gecko-crash-server-pipe.4460" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5488 -childID 4 -isForBrowser -prefsHandle 5500 -prefMapHandle 5448 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1216 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0523eb91-f20a-4bfc-b105-1c964568726d} 4460 "\\.\pipe\gecko-crash-server-pipe.4460" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5660 -childID 5 -isForBrowser -prefsHandle 5740 -prefMapHandle 5736 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1216 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9e15de9e-1bd0-40f9-995a-4d6d4d39822a} 4460 "\\.\pipe\gecko-crash-server-pipe.4460" tab
C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
C:\Windows\SysWOW64\unregmp2.exe
"C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
C:\Windows\system32\unregmp2.exe
"C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| N/A | 127.0.0.1:49911 | N/A | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| N/A | 127.0.0.1:49921 | N/A | tcp |
| N/A | 127.0.0.1:49927 | N/A | tcp |
| N/A | 127.0.0.1:49931 | N/A | tcp |
| N/A | 127.0.0.1:49933 | N/A | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 232.136.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.gofile.io | udp |
| FR | 45.112.123.126:443 | api.gofile.io | tcp |
| US | 8.8.8.8:53 | store1.gofile.io | udp |
| FR | 45.112.123.227:443 | store1.gofile.io | tcp |
| US | 8.8.8.8:53 | 126.123.112.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.123.112.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | checkappexec.microsoft.com | udp |
| GB | 51.140.242.104:443 | checkappexec.microsoft.com | tcp |
| US | 8.8.8.8:53 | 104.242.140.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.197.79.204.in-addr.arpa | udp |
| N/A | 127.0.0.1:50090 | N/A | tcp |
| N/A | 127.0.0.1:50092 | N/A | tcp |
| FR | 45.112.123.126:443 | api.gofile.io | tcp |
| FR | 45.112.123.227:443 | store1.gofile.io | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | spocs.getpocket.com | udp |
| US | 8.8.8.8:53 | firefox-api-proxy.cdn.mozilla.net | udp |
| US | 34.149.97.1:443 | firefox-api-proxy.cdn.mozilla.net | udp |
| US | 8.8.8.8:53 | firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.ads.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.ads.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| N/A | 127.0.0.1:50288 | N/A | tcp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | firefox-settings-attachments.cdn.mozilla.net | udp |
| US | 34.117.121.53:443 | firefox-settings-attachments.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | 98.64.12.52.in-addr.arpa | udp |
| N/A | 127.0.0.1:50298 | N/A | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\_MEI1922\ucrtbase.dll
C:\Users\Admin\AppData\Local\Temp\_MEI1922\python311.dll
C:\Users\Admin\AppData\Local\Temp\_MEI1922\VCRUNTIME140.dll
C:\Users\Admin\AppData\Local\Temp\_MEI1922\base_library.zip
C:\Users\Admin\AppData\Local\Temp\_MEI1922\_ctypes.pyd
| MD5 | b4c41a4a46e1d08206c109ce547480c7 |
| SHA1 | 9588387007a49ec2304160f27376aedca5bc854d |
| SHA256 | 9925ab71a4d74ce0ccc036034d422782395dd496472bd2d7b6d617f4d6ddc1f9 |
| SHA512 | 30debb8e766b430a57f3f6649eeb04eb0aad75ab50423252585db7e28a974d629eb81844a05f5cb94c1702308d3feda7a7a99cb37458e2acb8e87efc486a1d33 |
C:\Users\Admin\AppData\Local\Temp\_MEI1922\python3.DLL
| MD5 | 34e49bb1dfddf6037f0001d9aefe7d61 |
| SHA1 | a25a39dca11cdc195c9ecd49e95657a3e4fe3215 |
| SHA256 | 4055d1b9e553b78c244143ab6b48151604003b39a9bf54879dee9175455c1281 |
| SHA512 | edb715654baaf499cf788bcacd5657adcf9f20b37b02671abe71bda334629344415ed3a7e95cb51164e66a7aa3ed4bf84acb05649ccd55e3f64036f3178b7856 |
memory/1824-98-0x00007FFBD5540000-0x00007FFBD5564000-memory.dmp
memory/1824-100-0x00007FFBDEBC0000-0x00007FFBDEBCF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI1922\libffi-8.dll
| MD5 | decbba3add4c2246928ab385fb16a21e |
| SHA1 | 5f019eff11de3122ffa67a06d52d446a3448b75e |
| SHA256 | 4b43c1e42f6050ddb8e184c8ec4fb1de4a6001e068ece8e6ad47de0cc9fd4a2d |
| SHA512 | 760a42a3eb3ca13fa7b95d3bd0f411c270594ae3cf1d3cda349fa4f8b06ebe548b60cd438d68e2da37de0bc6f1c711823f5e917da02ed7047a45779ee08d7012 |
C:\Users\Admin\AppData\Local\Temp\_MEI1922\_lzma.pyd
| MD5 | bfca96ed7647b31dd2919bedebb856b8 |
| SHA1 | 7d802d5788784f8b6bfbb8be491c1f06600737ac |
| SHA256 | 032b1a139adcff84426b6e156f9987b501ad42ecfb18170b10fb54da0157392e |
| SHA512 | 3a2926b79c90c3153c88046d316a081c8ddfb181d5f7c849ea6ae55cb13c6adba3a0434f800c4a30017d2fbab79d459432a2e88487914b54a897c4301c778551 |
memory/1824-151-0x00007FFBD58B0000-0x00007FFBD58C9000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI1922\select.pyd
| MD5 | c39459806c712b3b3242f8376218c1e1 |
| SHA1 | 85d254fb6cc5d6ed20a04026bff1158c8fd0a530 |
| SHA256 | 7cbd4339285d145b422afa280cee685258bc659806be9cf8b334805bc45b29c9 |
| SHA512 | b727c6d1cd451d658e174161135d3be48d7efda21c775b8145bc527a54d6592bfc50919276c6498d2e2233ac1524c1699f59f0f467cc6e43e5b5e9558c87f49d |
C:\Users\Admin\AppData\Local\Temp\_MEI1922\_hashlib.pyd
| MD5 | 0629bdb5ff24ce5e88a2ddcede608aee |
| SHA1 | 47323370992b80dafb6f210b0d0229665b063afb |
| SHA256 | f404bb8371618bbd782201f092a3bcd7a96d3c143787ebea1d8d86ded1f4b3b8 |
| SHA512 | 3faeff1a19893257c17571b89963af37534c189421585ea03dd6a3017d28803e9d08b0e4daceee01ffeda21da60e68d10083fe7dbdbbde313a6b489a40e70952 |
C:\Users\Admin\AppData\Local\Temp\_MEI1922\_decimal.pyd
| MD5 | e9501519a447b13dcca19e09140c9e84 |
| SHA1 | 472b1aa072454d065dfe415a05036ffd8804c181 |
| SHA256 | 6b5fe2dea13b84e40b0278d1702aa29e9e2091f9dc09b64bbff5fd419a604c3c |
| SHA512 | ef481e0e4f9b277642652cd090634e1c04702df789e2267a87205e0fe12b00f1de6cdd4fafb51da01efa726606c0b57fcb2ea373533c772983fc4777dc0acc63 |
C:\Users\Admin\AppData\Local\Temp\_MEI1922\_cffi_backend.cp311-win_amd64.pyd
| MD5 | 3ee19e638459380934a44073c184b5c0 |
| SHA1 | 6849d2f9e0920564e7a82f365616d6b763b1386f |
| SHA256 | d26943222b0645c4d00f29fb4e0fb234ab2b963d8d48f616f204d8ae644c7322 |
| SHA512 | a7985b0acc57b635ed88b4945e72919c48c203bdea2f85659f0169ad3778ffb405e579d4bfcd9fc8d9752d10bec2f1cc793ac4e0c2cb84f4ce5b2297cd468d09 |
C:\Users\Admin\AppData\Local\Temp\_MEI1922\_bz2.pyd
| MD5 | 80c69a1d87f0c82d6c4268e5a8213b78 |
| SHA1 | bae059da91d48eaac4f1bb45ca6feee2c89a2c06 |
| SHA256 | 307359f1b2552b60839385eb63d74cbfe75cd5efdb4e7cd0bb7d296fa67d8a87 |
| SHA512 | 542cf4ba19dd6a91690340779873e0cb8864b28159f55917f98a192ff9c449aba2d617e9b2b3932ddfeee13021706577ab164e5394e0513fe4087af6bc39d40d |
C:\Users\Admin\AppData\Local\Temp\_MEI1922\_asyncio.pyd
| MD5 | 1b8ce772a230a5da8cbdccd8914080a5 |
| SHA1 | 40d4faf1308d1af6ef9f3856a4f743046fd0ead5 |
| SHA256 | fa5a1e7031de5849ab2ab5a177e366b41e1df6bbd90c8d2418033a01c740771f |
| SHA512 | d2fc21b9f58b57065b337c3513e7e6c3e2243b73c5a230e81c91dafcb6724b521ad766667848ba8d0a428d530691ffc4020de6ce9ce1eaa2bf5e15338114a603 |
C:\Users\Admin\AppData\Local\Temp\_MEI1922\unicodedata.pyd
| MD5 | 06a5e52caf03426218f0c08fc02cc6b8 |
| SHA1 | ae232c63620546716fbb97452d73948ebfd06b35 |
| SHA256 | 118c31faa930f2849a14c3133df36420a5832114df90d77b09cde0ad5f96f33a |
| SHA512 | 546b1a01f36d3689b0fdeeda8b1ce55e7d3451731ca70fffe6627d542fff19d7a70e27147cab1920aae8bed88272342908d4e9d671d7aba74abb5db398b90718 |
C:\Users\Admin\AppData\Local\Temp\_MEI1922\sqlite3.dll
| MD5 | 895f001ae969364432372329caf08b6a |
| SHA1 | 4567fc6672501648b277fe83e6b468a7a2155ddf |
| SHA256 | f5dd29e1e99cf8967f7f81487dc624714dcbec79c1630f929d5507fc95cbfad7 |
| SHA512 | 05b4559d283ea84174da72a6c11b8b93b1586b4e7d8cda8d745c814f8f6dff566e75f9d7890f32bd9dfe43485244973860f83f96ba39296e28127c9396453261 |
C:\Users\Admin\AppData\Local\Temp\_MEI1922\pyexpat.pyd
| MD5 | fe0e32bfe3764ed5321454e1a01c81ec |
| SHA1 | 7690690df0a73bdcc54f0f04b674fc8a9a8f45fb |
| SHA256 | b399bff10812e9ea2c9800f74cb0e5002f9d9379baf1a3cef9d438caca35dc92 |
| SHA512 | d1777f9e684a9e4174e18651e6d921ae11757ecdbeb4ee678c6a28e0903a4b9ab9f6e1419670b4d428ee20f86c7d424177ed9daf4365cf2ee376fcd065c1c92d |
C:\Users\Admin\AppData\Local\Temp\_MEI1922\libssl-1_1.dll
| MD5 | 6cd33578bc5629930329ca3303f0fae1 |
| SHA1 | f2f8e3248a72f98d27f0cfa0010e32175a18487f |
| SHA256 | 4150ee603ad2da7a6cb6a895cb5bd928e3a99af7e73c604de1fc224e0809fdb0 |
| SHA512 | c236a6ccc8577c85509d378c1ef014621cab6f6f4aa26796ff32d8eec8e98ded2e55d358a7d236594f7a48646dc2a6bf25b42a37aed549440d52873ebca4713e |
C:\Users\Admin\AppData\Local\Temp\_MEI1922\libcrypto-1_1.dll
| MD5 | 86cfc84f8407ab1be6cc64a9702882ef |
| SHA1 | 86f3c502ed64df2a5e10b085103c2ffc9e3a4130 |
| SHA256 | 11b89cc5531b2a6b89fbbb406ebe8fb01f0bf789e672131b0354e10f9e091307 |
| SHA512 | b33f59497127cb1b4c1781693380576187c562563a9e367ce8abc14c97c51053a28af559cdd8bd66181012083e562c8a8771e3d46adeba269a848153a8e9173c |
C:\Users\Admin\AppData\Local\Temp\_MEI1922\api-ms-win-crt-utility-l1-1-0.dll
| MD5 | a0776b3a28f7246b4a24ff1b2867bdbf |
| SHA1 | 383c9a6afda7c1e855e25055aad00e92f9d6aaff |
| SHA256 | 2e554d9bf872a64d2cd0f0eb9d5a06dea78548bc0c7a6f76e0a0c8c069f3c0a9 |
| SHA512 | 7c9f0f8e53b363ef5b2e56eec95e7b78ec50e9308f34974a287784a1c69c9106f49ea2d9ca037f0a7b3c57620fcbb1c7c372f207c68167df85797affc3d7f3ba |
C:\Users\Admin\AppData\Local\Temp\_MEI1922\api-ms-win-crt-time-l1-1-0.dll
| MD5 | 001e60f6bbf255a60a5ea542e6339706 |
| SHA1 | f9172ec37921432d5031758d0c644fe78cdb25fa |
| SHA256 | 82fba9bc21f77309a649edc8e6fc1900f37e3ffcb45cd61e65e23840c505b945 |
| SHA512 | b1a6dc5a34968fbdc8147d8403adf8b800a06771cc9f15613f5ce874c29259a156bab875aae4caaec2117817ce79682a268aa6e037546aeca664cd4eea60adbf |
C:\Users\Admin\AppData\Local\Temp\_MEI1922\api-ms-win-crt-string-l1-1-0.dll
| MD5 | 115e8275eb570b02e72c0c8a156970b3 |
| SHA1 | c305868a014d8d7bbef9abbb1c49a70e8511d5a6 |
| SHA256 | 415025dce5a086dbffc4cf322e8ead55cb45f6d946801f6f5193df044db2f004 |
| SHA512 | b97ef7c5203a0105386e4949445350d8ff1c83bdeaee71ccf8dc22f7f6d4f113cb0a9be136717895c36ee8455778549f629bf8d8364109185c0bf28f3cb2b2ca |
C:\Users\Admin\AppData\Local\Temp\_MEI1922\api-ms-win-crt-stdio-l1-1-0.dll
| MD5 | 96498dc4c2c879055a7aff2a1cc2451e |
| SHA1 | fecbc0f854b1adf49ef07beacad3cec9358b4fb2 |
| SHA256 | 273817a137ee049cbd8e51dc0bb1c7987df7e3bf4968940ee35376f87ef2ef8d |
| SHA512 | 4e0b2ef0efe81a8289a447eb48898992692feee4739ceb9d87f5598e449e0059b4e6f4eb19794b9dcdce78c05c8871264797c14e4754fd73280f37ec3ea3c304 |
C:\Users\Admin\AppData\Local\Temp\_MEI1922\api-ms-win-crt-runtime-l1-1-0.dll
| MD5 | 20c0afa78836b3f0b692c22f12bda70a |
| SHA1 | 60bb74615a71bd6b489c500e6e69722f357d283e |
| SHA256 | 962d725d089f140482ee9a8ff57f440a513387dd03fdc06b3a28562c8090c0bc |
| SHA512 | 65f0e60136ab358661e5156b8ecd135182c8aaefd3ec320abdf9cfc8aeab7b68581890e0bbc56bad858b83d47b7a0143fa791195101dc3e2d78956f591641d16 |
C:\Users\Admin\AppData\Local\Temp\_MEI1922\api-ms-win-crt-process-l1-1-0.dll
| MD5 | 272c0f80fd132e434cdcdd4e184bb1d8 |
| SHA1 | 5bc8b7260e690b4d4039fe27b48b2cecec39652f |
| SHA256 | bd943767f3e0568e19fb52522217c22b6627b66a3b71cd38dd6653b50662f39d |
| SHA512 | 94892a934a92ef1630fbfea956d1fe3a3bfe687dec31092828960968cb321c4ab3af3caf191d4e28c8ca6b8927fbc1ec5d17d5c8a962c848f4373602ec982cd4 |
C:\Users\Admin\AppData\Local\Temp\_MEI1922\api-ms-win-crt-math-l1-1-0.dll
| MD5 | b8f0210c47847fc6ec9fbe2a1ad4debb |
| SHA1 | e99d833ae730be1fedc826bf1569c26f30da0d17 |
| SHA256 | 1c4a70a73096b64b536be8132ed402bcfb182c01b8a451bff452efe36ddf76e7 |
| SHA512 | 992d790e18ac7ae33958f53d458d15bff522a3c11a6bd7ee2f784ac16399de8b9f0a7ee896d9f2c96d1e2c8829b2f35ff11fc5d8d1b14c77e22d859a1387797c |
C:\Users\Admin\AppData\Local\Temp\_MEI1922\api-ms-win-crt-locale-l1-1-0.dll
| MD5 | 650435e39d38160abc3973514d6c6640 |
| SHA1 | 9a5591c29e4d91eaa0f12ad603af05bb49708a2d |
| SHA256 | 551a34c400522957063a2d71fa5aba1cd78cc4f61f0ace1cd42cc72118c500c0 |
| SHA512 | 7b4a8f86d583562956593d27b7ecb695cb24ab7192a94361f994fadba7a488375217755e7ed5071de1d0960f60f255aa305e9dd477c38b7bb70ac545082c9d5e |
C:\Users\Admin\AppData\Local\Temp\_MEI1922\api-ms-win-crt-heap-l1-1-0.dll
| MD5 | d5d77669bd8d382ec474be0608afd03f |
| SHA1 | 1558f5a0f5facc79d3957ff1e72a608766e11a64 |
| SHA256 | 8dd9218998b4c4c9e8d8b0f8b9611d49419b3c80daa2f437cbf15bcfd4c0b3b8 |
| SHA512 | 8defa71772105fd9128a669f6ff19b6fe47745a0305beb9a8cadb672ed087077f7538cd56e39329f7daa37797a96469eae7cd5e4cca57c9a183b35bdc44182f3 |
C:\Users\Admin\AppData\Local\Temp\_MEI1922\api-ms-win-crt-filesystem-l1-1-0.dll
| MD5 | 5107487b726bdcc7b9f7e4c2ff7f907c |
| SHA1 | ebc46221d3c81a409fab9815c4215ad5da62449c |
| SHA256 | 94a86e28e829276974e01f8a15787fde6ed699c8b9dc26f16a51765c86c3eade |
| SHA512 | a0009b80ad6a928580f2b476c1bdf4352b0611bb3a180418f2a42cfa7a03b9f0575ed75ec855d30b26e0cca96a6da8affb54862b6b9aff33710d2f3129283faa |
C:\Users\Admin\AppData\Local\Temp\_MEI1922\api-ms-win-crt-environment-l1-1-0.dll
| MD5 | f9235935dd3ba2aa66d3aa3412accfbf |
| SHA1 | 281e548b526411bcb3813eb98462f48ffaf4b3eb |
| SHA256 | 2f6bd6c235e044755d5707bd560a6afc0ba712437530f76d11079d67c0cf3200 |
| SHA512 | ad0c0a7891fb8328f6f0cf1ddc97523a317d727c15d15498afa53c07610210d2610db4bc9bd25958d47adc1af829ad4d7cf8aabcab3625c783177ccdb7714246 |
C:\Users\Admin\AppData\Local\Temp\_MEI1922\api-ms-win-crt-convert-l1-1-0.dll
| MD5 | edf71c5c232f5f6ef3849450f2100b54 |
| SHA1 | ed46da7d59811b566dd438fa1d09c20f5dc493ce |
| SHA256 | b987ab40cdd950ebe7a9a9176b80b8fffc005ccd370bb1cbbcad078c1a506bdc |
| SHA512 | 481a3c8dc5bef793ee78ce85ec0f193e3e9f6cd57868b813965b312bd0fadeb5f4419707cd3004fbdb407652101d52e061ef84317e8bd458979443e9f8e4079a |
C:\Users\Admin\AppData\Local\Temp\_MEI1922\api-ms-win-crt-conio-l1-1-0.dll
| MD5 | d4fba5a92d68916ec17104e09d1d9d12 |
| SHA1 | 247dbc625b72ffb0bf546b17fb4de10cad38d495 |
| SHA256 | 93619259328a264287aee7c5b88f7f0ee32425d7323ce5dc5a2ef4fe3bed90d5 |
| SHA512 | d5a535f881c09f37e0adf3b58d41e123f527d081a1ebecd9a927664582ae268341771728dc967c30908e502b49f6f853eeaebb56580b947a629edc6bce2340d8 |
C:\Users\Admin\AppData\Local\Temp\_MEI1922\api-ms-win-core-util-l1-1-0.dll
| MD5 | 0f129611a4f1e7752f3671c9aa6ea736 |
| SHA1 | 40c07a94045b17dae8a02c1d2b49301fad231152 |
| SHA256 | 2e1f090aba941b9d2d503e4cd735c958df7bb68f1e9bdc3f47692e1571aaac2f |
| SHA512 | 6abc0f4878bb302713755a188f662c6fe162ea6267e5e1c497c9ba9fddbdaea4db050e322cb1c77d6638ecf1dad940b9ebc92c43acaa594040ee58d313cbcfae |
C:\Users\Admin\AppData\Local\Temp\_MEI1922\api-ms-win-core-timezone-l1-1-0.dll
| MD5 | d12403ee11359259ba2b0706e5e5111c |
| SHA1 | 03cc7827a30fd1dee38665c0cc993b4b533ac138 |
| SHA256 | f60e1751a6ac41f08e46480bf8e6521b41e2e427803996b32bdc5e78e9560781 |
| SHA512 | 9004f4e59835af57f02e8d9625814db56f0e4a98467041da6f1367ef32366ad96e0338d48fff7cc65839a24148e2d9989883bcddc329d9f4d27cae3f843117d0 |
C:\Users\Admin\AppData\Local\Temp\_MEI1922\api-ms-win-core-sysinfo-l1-1-0.dll
| MD5 | fd46c3f6361e79b8616f56b22d935a53 |
| SHA1 | 107f488ad966633579d8ec5eb1919541f07532ce |
| SHA256 | 0dc92e8830bc84337dcae19ef03a84ef5279cf7d4fdc2442c1bc25320369f9df |
| SHA512 | 3360b2e2a25d545ccd969f305c4668c6cda443bbdbd8a8356ffe9fbc2f70d90cf4540f2f28c9ed3eea6c9074f94e69746e7705e6254827e6a4f158a75d81065b |
C:\Users\Admin\AppData\Local\Temp\_MEI1922\api-ms-win-core-synch-l1-2-0.dll
| MD5 | 1281e9d1750431d2fe3b480a8175d45c |
| SHA1 | bc982d1c750b88dcb4410739e057a86ff02d07ef |
| SHA256 | 433bd8ddc4f79aee65ca94a54286d75e7d92b019853a883e51c2b938d2469baa |
| SHA512 | a954e6ce76f1375a8beac51d751b575bbc0b0b8ba6aa793402b26404e45718165199c2c00ccbcba3783c16bdd96f0b2c17addcc619c39c8031becebef428ce77 |
C:\Users\Admin\AppData\Local\Temp\_MEI1922\api-ms-win-core-synch-l1-1-0.dll
| MD5 | 225d9f80f669ce452ca35e47af94893f |
| SHA1 | 37bd0ffc8e820247bd4db1c36c3b9f9f686bbd50 |
| SHA256 | 61c0ebe60ce6ebabcb927ddff837a9bf17e14cd4b4c762ab709e630576ec7232 |
| SHA512 | 2f71a3471a9868f4d026c01e4258aff7192872590f5e5c66aabd3c088644d28629ba8835f3a4a23825631004b1afd440efe7161bb9fc7d7c69e0ee204813ca7b |
C:\Users\Admin\AppData\Local\Temp\_MEI1922\api-ms-win-core-string-l1-1-0.dll
| MD5 | 2666581584ba60d48716420a6080abda |
| SHA1 | c103f0ea32ebbc50f4c494bce7595f2b721cb5ad |
| SHA256 | 27e9d3e7c8756e4512932d674a738bf4c2969f834d65b2b79c342a22f662f328 |
| SHA512 | befed15f11a0550d2859094cc15526b791dadea12c2e7ceb35916983fb7a100d89d638fb1704975464302fae1e1a37f36e01e4bef5bc4924ab8f3fd41e60bd0c |
C:\Users\Admin\AppData\Local\Temp\_MEI1922\api-ms-win-core-rtlsupport-l1-1-0.dll
| MD5 | a0c2dbe0f5e18d1add0d1ba22580893b |
| SHA1 | 29624df37151905467a223486500ed75617a1dfd |
| SHA256 | 3c29730df2b28985a30d9c82092a1faa0ceb7ffc1bd857d1ef6324cf5524802f |
| SHA512 | 3e627f111196009380d1687e024e6ffb1c0dcf4dcb27f8940f17fec7efdd8152ff365b43cb7fdb31de300955d6c15e40a2c8fb6650a91706d7ea1c5d89319b12 |
C:\Users\Admin\AppData\Local\Temp\_MEI1922\api-ms-win-core-profile-l1-1-0.dll
| MD5 | f3ff2d544f5cd9e66bfb8d170b661673 |
| SHA1 | 9e18107cfcd89f1bbb7fdaf65234c1dc8e614add |
| SHA256 | e1c5d8984a674925fa4afbfe58228be5323fe5123abcd17ec4160295875a625f |
| SHA512 | 184b09c77d079127580ef80eb34bded0f5e874cefbe1c5f851d86861e38967b995d859e8491fcc87508930dc06c6bbf02b649b3b489a1b138c51a7d4b4e7aaad |
C:\Users\Admin\AppData\Local\Temp\_MEI1922\api-ms-win-core-processthreads-l1-1-1.dll
| MD5 | 517eb9e2cb671ae49f99173d7f7ce43f |
| SHA1 | 4ccf38fed56166ddbf0b7efb4f5314c1f7d3b7ab |
| SHA256 | 57cc66bf0909c430364d35d92b64eb8b6a15dc201765403725fe323f39e8ac54 |
| SHA512 | 492be2445b10f6bfe6c561c1fc6f5d1af6d1365b7449bc57a8f073b44ae49c88e66841f5c258b041547fcd33cbdcb4eb9dd3e24f0924db32720e51651e9286be |
C:\Users\Admin\AppData\Local\Temp\_MEI1922\api-ms-win-core-processthreads-l1-1-0.dll
| MD5 | c3632083b312c184cbdd96551fed5519 |
| SHA1 | a93e8e0af42a144009727d2decb337f963a9312e |
| SHA256 | be8d78978d81555554786e08ce474f6af1de96fcb7fa2f1ce4052bc80c6b2125 |
| SHA512 | 8807c2444a044a3c02ef98cf56013285f07c4a1f7014200a21e20fcb995178ba835c30ac3889311e66bc61641d6226b1ff96331b019c83b6fcc7c87870cce8c4 |
C:\Users\Admin\AppData\Local\Temp\_MEI1922\api-ms-win-core-processenvironment-l1-1-0.dll
| MD5 | 0462e22f779295446cd0b63e61142ca5 |
| SHA1 | 616a325cd5b0971821571b880907ce1b181126ae |
| SHA256 | 0b6b598ec28a9e3d646f2bb37e1a57a3dda069a55fba86333727719585b1886e |
| SHA512 | 07b34dca6b3078f7d1e8ede5c639f697c71210dcf9f05212fd16eb181ab4ac62286bc4a7ce0d84832c17f5916d0224d1e8aab210ceeff811fc6724c8845a74fe |
C:\Users\Admin\AppData\Local\Temp\_MEI1922\api-ms-win-core-namedpipe-l1-1-0.dll
| MD5 | 321a3ca50e80795018d55a19bf799197 |
| SHA1 | df2d3c95fb4cbb298d255d342f204121d9d7ef7f |
| SHA256 | 5476db3a4fecf532f96d48f9802c966fdef98ec8d89978a79540cb4db352c15f |
| SHA512 | 3ec20e1ac39a98cb5f726d8390c2ee3cd4cd0bf118fdda7271f7604a4946d78778713b675d19dd3e1ec1d6d4d097abe9cd6d0f76b3a7dff53ce8d6dbc146870a |
C:\Users\Admin\AppData\Local\Temp\_MEI1922\api-ms-win-core-memory-l1-1-0.dll
| MD5 | 3c38aac78b7ce7f94f4916372800e242 |
| SHA1 | c793186bcf8fdb55a1b74568102b4e073f6971d6 |
| SHA256 | 3f81a149ba3862776af307d5c7feef978f258196f0a1bf909da2d3f440ff954d |
| SHA512 | c2746aa4342c6afffbd174819440e1bbf4371a7fed29738801c75b49e2f4f94fd6d013e002bad2aadafbc477171b8332c8c5579d624684ef1afbfde9384b8588 |
C:\Users\Admin\AppData\Local\Temp\_MEI1922\api-ms-win-core-localization-l1-2-0.dll
| MD5 | 724223109e49cb01d61d63a8be926b8f |
| SHA1 | 072a4d01e01dbbab7281d9bd3add76f9a3c8b23b |
| SHA256 | 4e975f618df01a492ae433dff0dd713774d47568e44c377ceef9e5b34aad1210 |
| SHA512 | 19b0065b894dc66c30a602c9464f118e7f84d83010e74457d48e93aaca4422812b093b15247b24d5c398b42ef0319108700543d13f156067b169ccfb4d7b6b7c |
C:\Users\Admin\AppData\Local\Temp\_MEI1922\api-ms-win-core-libraryloader-l1-1-0.dll
| MD5 | 1f2a00e72bc8fa2bd887bdb651ed6de5 |
| SHA1 | 04d92e41ce002251cc09c297cf2b38c4263709ea |
| SHA256 | 9c8a08a7d40b6f697a21054770f1afa9ffb197f90ef1eee77c67751df28b7142 |
| SHA512 | 8cf72df019f9fc9cd22ff77c37a563652becee0708ff5c6f1da87317f41037909e64dcbdcc43e890c5777e6bcfa4035a27afc1aeeb0f5deba878e3e9aef7b02a |
C:\Users\Admin\AppData\Local\Temp\_MEI1922\api-ms-win-core-interlocked-l1-1-0.dll
| MD5 | c6024cc04201312f7688a021d25b056d |
| SHA1 | 48a1d01ae8bc90f889fb5f09c0d2a0602ee4b0fd |
| SHA256 | 8751d30df554af08ef42d2faa0a71abcf8c7d17ce9e9ff2ea68a4662603ec500 |
| SHA512 | d86c773416b332945acbb95cbe90e16730ef8e16b7f3ccd459d7131485760c2f07e95951aeb47c1cf29de76affeb1c21bdf6d8260845e32205fe8411ed5efa47 |
C:\Users\Admin\AppData\Local\Temp\_MEI1922\api-ms-win-core-heap-l1-1-0.dll
| MD5 | accc640d1b06fb8552fe02f823126ff5 |
| SHA1 | 82ccc763d62660bfa8b8a09e566120d469f6ab67 |
| SHA256 | 332ba469ae84aa72ec8cce2b33781db1ab81a42ece5863f7a3cb5a990059594f |
| SHA512 | 6382302fb7158fc9f2be790811e5c459c5c441f8caee63df1e09b203b8077a27e023c4c01957b252ac8ac288f8310bcee5b4dcc1f7fc691458b90cdfaa36dcbe |
C:\Users\Admin\AppData\Local\Temp\_MEI1922\api-ms-win-core-handle-l1-1-0.dll
| MD5 | e89cdcd4d95cda04e4abba8193a5b492 |
| SHA1 | 5c0aee81f32d7f9ec9f0650239ee58880c9b0337 |
| SHA256 | 1a489e0606484bd71a0d9cb37a1dc6ca8437777b3d67bfc8c0075d0cc59e6238 |
| SHA512 | 55d01e68c8c899e99a3c62c2c36d6bcb1a66ff6ecd2636d2d0157409a1f53a84ce5d6f0c703d5ed47f8e9e2d1c9d2d87cc52585ee624a23d92183062c999b97e |
C:\Users\Admin\AppData\Local\Temp\_MEI1922\api-ms-win-core-file-l2-1-0.dll
| MD5 | bfffa7117fd9b1622c66d949bac3f1d7 |
| SHA1 | 402b7b8f8dcfd321b1d12fc85a1ee5137a5569b2 |
| SHA256 | 1ea267a2e6284f17dd548c6f2285e19f7edb15d6e737a55391140ce5cb95225e |
| SHA512 | b319cc7b436b1be165cdf6ffcab8a87fe29de78f7e0b14c8f562be160481fb5483289bd5956fdc1d8660da7a3f86d8eede35c6cc2b7c3d4c852decf4b2dcdb7f |
C:\Users\Admin\AppData\Local\Temp\_MEI1922\api-ms-win-core-file-l1-2-0.dll
| MD5 | 1c58526d681efe507deb8f1935c75487 |
| SHA1 | 0e6d328faf3563f2aae029bc5f2272fb7a742672 |
| SHA256 | ef13dce8f71173315dfc64ab839b033ab19a968ee15230e9d4d2c9d558efeee2 |
| SHA512 | 8edb9a0022f417648e2ece9e22c96e2727976332025c3e7d8f15bcf6d7d97e680d1bf008eb28e2e0bd57787dcbb71d38b2deb995b8edc35fa6852ab1d593f3d1 |
C:\Users\Admin\AppData\Local\Temp\_MEI1922\api-ms-win-core-file-l1-1-0.dll
| MD5 | efad0ee0136532e8e8402770a64c71f9 |
| SHA1 | cda3774fe9781400792d8605869f4e6b08153e55 |
| SHA256 | 3d2c55902385381869db850b526261ddeb4628b83e690a32b67d2e0936b2c6ed |
| SHA512 | 69d25edf0f4c8ac5d77cb5815dfb53eac7f403dc8d11bfe336a545c19a19ffde1031fa59019507d119e4570da0d79b95351eac697f46024b4e558a0ff6349852 |
C:\Users\Admin\AppData\Local\Temp\_MEI1922\api-ms-win-core-errorhandling-l1-1-0.dll
| MD5 | eb0978a9213e7f6fdd63b2967f02d999 |
| SHA1 | 9833f4134f7ac4766991c918aece900acfbf969f |
| SHA256 | ab25a1fe836fc68bcb199f1fe565c27d26af0c390a38da158e0d8815efe1103e |
| SHA512 | 6f268148f959693ee213db7d3db136b8e3ad1f80267d8cbd7d5429c021adaccc9c14424c09d527e181b9c9b5ea41765aff568b9630e4eb83bfc532e56dfe5b63 |
C:\Users\Admin\AppData\Local\Temp\_MEI1922\api-ms-win-core-debug-l1-1-0.dll
| MD5 | 33bbece432f8da57f17bf2e396ebaa58 |
| SHA1 | 890df2dddfdf3eeccc698312d32407f3e2ec7eb1 |
| SHA256 | 7cf0944901f7f7e0d0b9ad62753fc2fe380461b1cce8cdc7e9c9867c980e3b0e |
| SHA512 | 619b684e83546d97fc1d1bc7181ad09c083e880629726ee3af138a9e4791a6dcf675a8df65dc20edbe6465b5f4eac92a64265df37e53a5f34f6be93a5c2a7ae5 |
C:\Users\Admin\AppData\Local\Temp\_MEI1922\api-ms-win-core-datetime-l1-1-0.dll
| MD5 | cfe0c1dfde224ea5fed9bd5ff778a6e0 |
| SHA1 | 5150e7edd1293e29d2e4d6bb68067374b8a07ce6 |
| SHA256 | 0d0f80cbf476af5b1c9fd3775e086ed0dfdb510cd0cc208ec1ccb04572396e3e |
| SHA512 | b0e02e1f19cfa7de3693d4d63e404bdb9d15527ac85a6d492db1128bb695bffd11bec33d32f317a7615cb9a820cd14f9f8b182469d65af2430ffcdbad4bd7000 |
C:\Users\Admin\AppData\Local\Temp\_MEI1922\api-ms-win-core-console-l1-1-0.dll
| MD5 | e8b9d74bfd1f6d1cc1d99b24f44da796 |
| SHA1 | a312cfc6a7ed7bf1b786e5b3fd842a7eeb683452 |
| SHA256 | b1b3fd40ab437a43c8db4994ccffc7f88000cc8bb6e34a2bcbff8e2464930c59 |
| SHA512 | b74d9b12b69db81a96fc5a001fd88c1e62ee8299ba435e242c5cb2ce446740ed3d8a623e1924c2bc07bfd9aef7b2577c9ec8264e53e5be625f4379119bafcc27 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3jqsltoi.nbe.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\BlockPop.xlsx
| MD5 | e109c0741f67697b59720aa5ae564de3 |
| SHA1 | dfda58e64f860e6a8252ba1acb2f326348368cd6 |
| SHA256 | 02fa3d790052635acc9460bf2bf88e145843ec2f51c65144a524bcf4447fb477 |
| SHA512 | eeb14eac933cfc8ca7e966431d1814730fcd2d18c62118a6f0f47971fe346be0837de83448a966dd9e5d87f9f0c0a7004986ce58e6f559aee50b900bbcf91eb9 |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\PopInitialize.jpeg
| MD5 | e1b447d5c6ed339a69992ab0bec09730 |
| SHA1 | e6e103f3be319390bce9c1bef6dabb774655ca19 |
| SHA256 | 16192351f1c1bfd18e7b1df0fbfcfe70dac9125e03d536de37aae222affe5d9c |
| SHA512 | 2374b716fff6a3a1d5a5686474ac11fdc865cdc1853edf478f474decce7fa2bbb7f3285871f2a21cf1f0c961eaeddf1ecc7d1b5486141c8c92b1f5f22eda97c8 |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\UndoWatch.mp3
| MD5 | 1a0db5f9a058fd453166743b135b85e4 |
| SHA1 | 9303e4bb7011b8621725937285444cb87551d574 |
| SHA256 | e12a66a7491d6d1441291b6723db563f252f6e0c3687dc6d0bbb3b67b0a3ebdf |
| SHA512 | 8900707cdd8d3c5f8c4cabad1830c72d34318084485a9869e521988dce5679ab8f9722bfdfb82e501536c148c70072a8b06224e492deb5f91ae24cbee84006ee |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\RemoveMerge.docx
| MD5 | 61e96170b55cb9f826fd9d1b68ddc6ac |
| SHA1 | 43f310836d62669ce9dfbeb057336da1b1ed9acc |
| SHA256 | af8f9251f98161ee5e724038b41e71e6858f51edd2c772a84bb37a49f6e0a3a3 |
| SHA512 | 56c1faaa9ddb33d5a63ee3cb0a17062cf3c991f8078b0a3a2c7701e9cd72a2052d4eff28b1243e267c852f9b036ba8af74eb10af0feb7f42da255dc72bdce92d |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\InstallRevoke.xlsx
| MD5 | 8b0ba480586b3ac80389493f8848d469 |
| SHA1 | 735f9e19c7fef89cf5876afc20a3e5ce8a8522a7 |
| SHA256 | ebe7db0abea9574b159264f8524799445842ac8638d2f38da885f4c97b0c41d9 |
| SHA512 | 71071480b30b4e8434204e4afa3f087bc8ee80e54e904b710d4b4980da58b8d12c566c68a610d030afff40b77a7a245e59288e870d8a1032d5498391a95e877e |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\BlockFormat.xlsx
| MD5 | 85c0d47ee7eb2542cc5f98c5c3468840 |
| SHA1 | 974c41513cdecdbab2f798811337083dc6d59413 |
| SHA256 | cf37508ba948dba8cd60728dab68b668dcd2e6e5a65de5f0d7ba0bdff0cb0fc2 |
| SHA512 | 0cc492d1221c27b9d56457a4a573a7d7d192ebfc373242fc1f2e24c4449c9f03a8d4a64f1e7e19fa1cf86a8aee5e36210fc4aaf199f26a063339e59fd5deb6af |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\ResizeRestore.docx
| MD5 | 0fd192359ce2d90102e3fdf9a0ce019f |
| SHA1 | 6f8740a6f3b926eb33aa898f7b956d78ad076ced |
| SHA256 | 778914e052cc5ae5df64853f0d2dae6f17a4150b960a7b1a6f740d7db520fd63 |
| SHA512 | bd58cfcc84fb16e9a0c2bc4d8b15f41590285870a23528c32a7e583c712fcadc8e1eb92a5f8ce67b3b76e0f3b02a5c73da78e1f8a656d17740ce86e94dbf1d0e |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\RequestClear.xlsx
| MD5 | 5de39c927e2dc72d76f80c8405afefa7 |
| SHA1 | d1838861f03009738610b9871671c515b30bd22b |
| SHA256 | 00b4c309251dd18eb4fe7ea9edca42bf1329c3af549a478b97a2e816923e3b04 |
| SHA512 | a9888822387b6bc402bf129dd0ba923b34267d8eee14ead09cbbffbc0f3f311759cbd5877e6ea4513d4005ff3b0b98bc25aa0f7a05af6f911de68f4bfd39c284 |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\RegisterUnregister.txt
| MD5 | bd7d2dcfd1ff9d55f115572aa98f9c94 |
| SHA1 | eef2c4ca9ad33ac3fa9d2c0a43edcedb86218469 |
| SHA256 | 6dd6c2d17a4e79939a8291ee88ce1111aea22efaafd897139a497e79d566eee0 |
| SHA512 | 761e345afc23becd9cf834405ebf282a05c120217c9d026c7a0b2c4d67c5ed3e684e221163a43c7069e0941daa8c9e0150c628b95c887ba0035bec5b40698a51 |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\MeasureEdit.docx
| MD5 | e3e8752e23dcab3bc572f5f1eace242a |
| SHA1 | 07311f8b370cb29521fad52efedeff605a8f2016 |
| SHA256 | 07c25c51e9fa642a13557543081a260e12f82de483c215afdfe0c985edbfe42c |
| SHA512 | 689d5370748b1b2d8663e725268f305b844339ceb27a96f6cf425ce8f2b0da923326204300d853a9d4c0eb118dd240208f170bfacf15b1d2d8defd81aa7a2325 |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\UpdateRedo.docx
| MD5 | 1dddc649d543dddc41fe9e4ed4f1b6d0 |
| SHA1 | 907d2db5f403882fcaa290bd66bbeb0443879625 |
| SHA256 | fb51ea6985199638d5224797cfe4ee0dd12db5352f68e597fe3cf552cf6e3cab |
| SHA512 | c9fd315f33ecf140672a23d7eeb311a3537111281a9d381015a09e7083df20f622ae2ccbb9e767a1b35320600dba6dfd8d88ffad0a13df0a1ccb4788b84ddce0 |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Music\BackupLock.lnk
| MD5 | 6ac7d534cd9430463c6317bdb5b6508d |
| SHA1 | cb3c16016b84c894e631bfd2eca6ee4713826600 |
| SHA256 | f7d5da74eec9e9704f3629a152272cad5011d95ebcffef4a60c80d67b84481ab |
| SHA512 | 54c9a51144542e96f8aeb597792655f4f923f8da4bb30bc2514439f22230160d9b1215e3902300e8afba13d59bd5fd750cbb95f828c0ca6d5e38b6a06e9fb486 |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\SyncWatch.xlsx
| MD5 | 064ab4326071b127bff3378189e46757 |
| SHA1 | a81ea66ce53be2bed556adc59952db43bee544d2 |
| SHA256 | 88973e3375ec0aa2495ec488747fd0734b0f9e44def320d03fe66b7ae077997b |
| SHA512 | 1c753f928d993a333e1e234697693edc45ea5f21b77fb34600a96ad6a622e158d264b1dd6f0fda08f803f6ebc325bddcebe0598a99505b038a72b095f7127966 |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Music\SendRepair.zip
| MD5 | a3e78a53d80364efabd969532778d012 |
| SHA1 | eb43e040634b28ac407b3e03ce3d9ededdb231da |
| SHA256 | 4a8eb0d3b70a74026d1ba587cc24382af1a7a930f8a3e1c1b5e52de3259bc5b2 |
| SHA512 | 2fac3a666617b6cfc0a2b76ff30bb1515fd1b3350ba34ee3c91ce10e93df5755d46f20f64611e510db0e9fc164dd6bd65ec4caf04c1881dcf3d8c2e7158e67c9 |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Pictures\AssertEnter.jpeg
| MD5 | ad14313665d7efdbcc65127d059c11a7 |
| SHA1 | 68ba44b4858d755b7259a1c3ea5834a2cfd75a1c |
| SHA256 | c2035bccf30d8cd4e8cea7017854ba1d84c9a02470e577501629b2817409b391 |
| SHA512 | b1f46bb1e715415f95eff43d9279f2e5432f2b5019c4808929a6de6f728c7f1952bf8666ceacd251779cd59b82bd501b87b1c79e52ed4959e4fe2495a2c07cc2 |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Pictures\My Wallpaper.jpg
| MD5 | a51464e41d75b2aa2b00ca31ea2ce7eb |
| SHA1 | 5b94362ac6a23c5aba706e8bfd11a5d8bab6097d |
| SHA256 | 16d5506b6663085b1acd80644ffa5363c158e390da67ed31298b85ddf0ad353f |
| SHA512 | b2a09d52c211e7100e3e68d88c13394c64f23bf2ec3ca25b109ffb1e1a96a054f0e0d25d2f2a0c2145616eabc88c51d63023cef5faa7b49129d020f67ab0b1ff |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Pictures\MoveRevoke.png
| MD5 | ba9fc6a0a401b8c780abef9967821b99 |
| SHA1 | b661f384ad57e5309e51b3919b9f479de521845b |
| SHA256 | 57d32cd8e86c5c6545f1510e21f62dc4b6a025e0ff1b439b57d03dcea59265f1 |
| SHA512 | 7fd2520e363e6357d7d699d4ea07feaa9b7be0177ac569a45e7b5ee26a504aadec311d8bca2728dc8c4b7172a56fe58c578a37de5f469a43fb179d1c10db4783 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\enjqfdim.default-release\datareporting\glean\pending_pings\3f78098a-a1ef-4a59-a7ab-b872c2592ecc
| MD5 | b32e207bad8a7d438aea14e7d1242812 |
| SHA1 | 497a57f523d32e2e8f327b88ba8ba3ee4f6c359a |
| SHA256 | dedea83ed3aa528b4fe7cb14080a9420a484ce2567c229c074f851c85e44f8ef |
| SHA512 | 9d3f00ead485586936bed7f680754a51e20b2612ace968e3825b0c48e3ccd711ac8774bdfa096f2c72c63a72207c6b94c7b7d4af6d898eee2275c84cadceb353 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\enjqfdim.default-release\datareporting\glean\pending_pings\4d64e4be-effb-4d0f-92d2-1741cb74fadc
| MD5 | a155a968da1383a0eb7b347192cac740 |
| SHA1 | 1eee021c835f8ff4fb6f6affcc4d4afb0fa0e603 |
| SHA256 | 274fb91126a167ef9054457b595011b6bf33b998bc0f3acdfd1c1f425d0b7026 |
| SHA512 | f8a15f68082ef1fe6712c28bfa226aa1e6579079dfde45dcc5d9096e7cf9c39cac9cb49d46e18e6e6acf70b5212573eb0d869ce31872ce100dc99dad025597ca |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\enjqfdim.default-release\datareporting\glean\db\data.safe.tmp
| MD5 | 18b59b5fafa4b22362d0a6358605fb31 |
| SHA1 | 967db2c9e102eb0149ea59f99f8f06bcac2f9260 |
| SHA256 | b2e5480d131189ca6cf298c9cf602bcddf6a752869660d5741e1c406f9fec1d4 |
| SHA512 | 3296fa49f70ba2a0a8c7f1736455170bd6d2a8fbd2e1df9c7f5bd20efb6df16e474710bb0722c69e6b07150d30889df80546aa3aab5e6b9f5e3df31f8289713b |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\enjqfdim.default-release\activity-stream.discovery_stream.json
| MD5 | 3cb5082b56d541f82169dbf0d3c162e8 |
| SHA1 | 10d9618843742fedae8c09460a966301910d6ec3 |
| SHA256 | 6d46e44bec83349de8626cddf38eb6afb6193d7d0e154fb855d0bd7261f6f7b9 |
| SHA512 | 8331fb1d36bbe48496e9e159476ac23692725ce7a35212bb77fc6a15443bf0df5ccfcbb40418aff00aa8c9ebb6d3141e8ad1c3d11760d7704db500308a77ca76 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\enjqfdim.default-release\datareporting\glean\db\data.safe.tmp
| MD5 | 216569920b1b72c8cf54797f20d23241 |
| SHA1 | 18d2327a223718a2610fe2c986ee324f1cacae47 |
| SHA256 | cdc8f2bbdc793d3df8530c6cd81c9b4a5c296ca4c15bd0c74ca4c404ae1e2cbc |
| SHA512 | 2f0912dc84cc3f2f586cf1d27f3626907a52da3930720a4fa9f298e94c1d5a2d00ead75fc94a77195b5dd1a13beda7c4573d84829871a4690f1aa048b13fc489 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\enjqfdim.default-release\prefs.js
| MD5 | 85cf1f103a0c7f945e29d557b25d2578 |
| SHA1 | a0f4ad0566661dc86291966ceb49d55e9d983ed8 |
| SHA256 | 2ae1d7584d2a7b71b1ce7d02d334548d52206b9d20f2fa3eb536e4f36d7334d2 |
| SHA512 | bf2c855490fcbb1478977eb7aab5879d442ff46390bf2b3166326cd3287f3c2e2e2db48d4a155de84736dab6f7df0969991a61e5fdc808c276ac2b0459d1e91d |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\enjqfdim.default-release\datareporting\glean\pending_pings\bb36b317-8011-4208-b39f-be73a366441e
| MD5 | 5eb7469f140aaf29666b4468b0d4bb23 |
| SHA1 | 1ef903fb774038897da7dcbc811d3ce8d13ce76f |
| SHA256 | 84a7c76beec410f1ec38a1e2f70f407b51c51cc65d1617a394d95bba1d0bc2c1 |
| SHA512 | 792454cc1de04c15bd2551ade80640d0085fdedf126e3bf1bc7c9c878ab316fb93a6d5e625e2b49dbaa1a908cd78f67f986866840451c116558338b2a57014fa |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\enjqfdim.default-release\prefs-1.js
| MD5 | c04cf80131b11eae867fbd0a86b35326 |
| SHA1 | 09de7fec91781916a1f8ca5c4549ad4e69892adb |
| SHA256 | f4cebfeceb9fc4ba54e8a649d7239c343e6be928a74cca6781670c4390cdca7c |
| SHA512 | a617af3b999b5bc3181b8b2c5b972a64d5f4d04763f5c47db601ece536de5ec9eb73fe6398b096ba6fd7f64477da069782b0c8087c4bfd6288b107ff0b9da162 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\enjqfdim.default-release\sessionCheckpoints.json
| MD5 | e6c20f53d6714067f2b49d0e9ba8030e |
| SHA1 | f516dc1084cdd8302b3e7f7167b905e603b6f04f |
| SHA256 | 50a670fb78ff2712aae2c16d9499e01c15fddf24e229330d02a69b0527a38092 |
| SHA512 | 462415b8295c1cdcac0a7cb16bb8a027ef36ae2ce0b061071074ac3209332a7eae71de843af4b96bbbd6158ca8fd5c18147bf9a79b8a7768a9a35edce8b784bf |
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.bak
| MD5 | 7050d5ae8acfbe560fa11073fef8185d |
| SHA1 | 5bc38e77ff06785fe0aec5a345c4ccd15752560e |
| SHA256 | cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b |
| SHA512 | a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b |
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
| MD5 | 0715d82a3387aa3bb5e5c673882a01c0 |
| SHA1 | aa243ee94a0fd91d73130897227085ebd91c4900 |
| SHA256 | d56989fd5608250743410bec9a7b629ad4760371b53f2a84cd3ff7cb330dbbc8 |
| SHA512 | b73e047427f8cff2e49ef6007e5db749d4024fbef08d6550c6596743f589013712997427d02b2b4a321baca9e9c315a5fd61dd4ca6f8fccc0ede8b05e808753c |
C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.jfm
| MD5 | fe3ba87843946e149f9bd3f1810acfaf |
| SHA1 | dede1a628b38a925399c5e15eab7a7c8e084a118 |
| SHA256 | ab76565058a4d5acfa0464782a7ada6f05bea94ad30475b7be947c0906e57422 |
| SHA512 | 723c6cd7657a4b2e71374521751d76b2b8e3153bf2b4ed3acf6491f87ec3ab8b9347623f8f84d3313197364fc6b6114fb4598a956d5ef0b08774f1f7ddf888f9 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\74d7f43c1561fc1e.customDestinations-ms
| MD5 | afb9982784cb1735c227348023c24f9e |
| SHA1 | a070b4fd0be3ac65e0c8c6ef39fd9eecf5ce837a |
| SHA256 | 47c1edb9ce57c25cddb0d3c0e657b111254553d5ff8360c752ba05d31a4ce344 |
| SHA512 | 72f012d6f6f4dd0037bc5fb16aa86300866a19b06d663e24bdbcc97bd89ab2fa7ee7c770290e31320466683cd36cfe2d49ba183d3d3c2889e5506ca430fdbbba |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\74d7f43c1561fc1e.customDestinations-ms
| MD5 | 1ba78c4f57c90c132bec8dd0850358b5 |
| SHA1 | 8b37d552a50dc65da460ac47b4b749a506a9c983 |
| SHA256 | 25e6204f5619dbf4c311c88bee8aed881563f366adee051342412a49954da7b1 |
| SHA512 | 99ba71157cb801364b5a44edf6687c7135b1352d87ae7221c42ffe8c04b15c8a4d29d3f604759fcb1b4d28ed5111f7e5bb47a21f467619a54fd1ef67a6e58c61 |