Malware Analysis Report

2025-03-15 03:46

Sample ID 241119-gfmacs1kas
Target Kasperipee.exe
SHA256 7ca8222b08638e514ea815fe8386c001ac0e3b48e8156933e0560b82279f178a
Tags
pyinstaller exelastealer collection defense_evasion discovery evasion persistence privilege_escalation spyware stealer upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7ca8222b08638e514ea815fe8386c001ac0e3b48e8156933e0560b82279f178a

Threat Level: Known bad

The file Kasperipee.exe was found to be: Known bad.

Malicious Activity Summary

pyinstaller exelastealer collection defense_evasion discovery evasion persistence privilege_escalation spyware stealer upx

Exelastealer family

Exela Stealer

Grants admin privileges

Modifies Windows Firewall

Reads user/profile data of web browsers

Clipboard Data

Loads dropped DLL

Enumerates connected drives

Looks up external IP address via web service

Drops desktop.ini file(s)

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Network Service Discovery

Enumerates processes with tasklist

UPX packed file

Hide Artifacts: Hidden Files and Directories

Drops file in Windows directory

Launches sc.exe

Detects Pyinstaller

System Network Connections Discovery

Browser Information Discovery

System Network Configuration Discovery: Wi-Fi Discovery

System Location Discovery: System Language Discovery

Permission Groups Discovery: Local Groups

Event Triggered Execution: Netsh Helper DLL

Unsigned PE

Gathers network information

Views/modifies file attributes

Suspicious behavior: AddClipboardFormatListener

Runs net.exe

Detects videocard installed

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Collects information from the system

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

Gathers system information

Suspicious behavior: GetForegroundWindowSpam

Uses Task Scheduler COM API

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported

2024-11-19 05:44

Signatures

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-19 05:44

Reported

2024-11-19 05:47

Platform

win10ltsc2021-20241023-en

Max time kernel

71s

Max time network

66s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Kasperipee.exe"

Signatures

Exela Stealer

stealer exelastealer

Exelastealer family

exelastealer

Grants admin privileges

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Clipboard Data

collection
Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Kasperipee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Kasperipee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Kasperipee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Kasperipee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Kasperipee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Kasperipee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Kasperipee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Kasperipee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Kasperipee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Kasperipee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Kasperipee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Kasperipee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Kasperipee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Kasperipee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Kasperipee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Kasperipee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Kasperipee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Kasperipee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Kasperipee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Kasperipee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Kasperipee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Kasperipee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Kasperipee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Kasperipee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Kasperipee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Kasperipee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Kasperipee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Kasperipee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Kasperipee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Kasperipee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Kasperipee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Kasperipee.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Exela Update Service = "C:\\Users\\Admin\\AppData\\Local\\ExelaUpdateService\\Exela.exe" C:\Windows\system32\reg.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\G: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\J: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\U: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\K: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\H: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\O: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\S: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\Q: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\E: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\A: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\N: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\V: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\W: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\X: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\L: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\M: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\T: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\Y: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\Z: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\I: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\B: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\P: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\R: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\unregmp2.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Network Service Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\system32\ARP.EXE N/A

Enumerates processes with tasklist

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A

Hide Artifacts: Hidden Files and Directories

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll C:\Windows\system32\svchost.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A

Browser Information Discovery

discovery

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A

Permission Groups Discovery: Local Groups

discovery

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\unregmp2.exe N/A

System Network Configuration Discovery: Wi-Fi Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

System Network Connections Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\NETSTAT.EXE N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A

Collects information from the system

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\system32\ipconfig.exe N/A
N/A N/A C:\Windows\system32\NETSTAT.EXE N/A

Gathers system information

Description Indicator Process Target
N/A N/A C:\Windows\system32\systeminfo.exe N/A

Runs net.exe

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 192 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\Kasperipee.exe C:\Users\Admin\AppData\Local\Temp\Kasperipee.exe
PID 192 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\Kasperipee.exe C:\Users\Admin\AppData\Local\Temp\Kasperipee.exe
PID 1824 wrote to memory of 4792 N/A C:\Users\Admin\AppData\Local\Temp\Kasperipee.exe C:\Windows\system32\cmd.exe
PID 1824 wrote to memory of 4792 N/A C:\Users\Admin\AppData\Local\Temp\Kasperipee.exe C:\Windows\system32\cmd.exe
PID 1824 wrote to memory of 4760 N/A C:\Users\Admin\AppData\Local\Temp\Kasperipee.exe C:\Windows\system32\cmd.exe
PID 1824 wrote to memory of 4760 N/A C:\Users\Admin\AppData\Local\Temp\Kasperipee.exe C:\Windows\system32\cmd.exe
PID 1824 wrote to memory of 4620 N/A C:\Users\Admin\AppData\Local\Temp\Kasperipee.exe C:\Windows\system32\cmd.exe
PID 1824 wrote to memory of 4620 N/A C:\Users\Admin\AppData\Local\Temp\Kasperipee.exe C:\Windows\system32\cmd.exe
PID 1824 wrote to memory of 4148 N/A C:\Users\Admin\AppData\Local\Temp\Kasperipee.exe C:\Windows\system32\cmd.exe
PID 1824 wrote to memory of 4148 N/A C:\Users\Admin\AppData\Local\Temp\Kasperipee.exe C:\Windows\system32\cmd.exe
PID 1824 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\Kasperipee.exe C:\Windows\system32\cmd.exe
PID 1824 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\Kasperipee.exe C:\Windows\system32\cmd.exe
PID 1752 wrote to memory of 3756 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 1752 wrote to memory of 3756 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 4620 wrote to memory of 3444 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4620 wrote to memory of 3444 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4760 wrote to memory of 392 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4760 wrote to memory of 392 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1824 wrote to memory of 3652 N/A C:\Users\Admin\AppData\Local\Temp\Kasperipee.exe C:\Windows\system32\cmd.exe
PID 1824 wrote to memory of 3652 N/A C:\Users\Admin\AppData\Local\Temp\Kasperipee.exe C:\Windows\system32\cmd.exe
PID 3652 wrote to memory of 1284 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3652 wrote to memory of 1284 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1824 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\Kasperipee.exe C:\Windows\system32\cmd.exe
PID 1824 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\Kasperipee.exe C:\Windows\system32\cmd.exe
PID 1824 wrote to memory of 3852 N/A C:\Users\Admin\AppData\Local\Temp\Kasperipee.exe C:\Windows\system32\cmd.exe
PID 1824 wrote to memory of 3852 N/A C:\Users\Admin\AppData\Local\Temp\Kasperipee.exe C:\Windows\system32\cmd.exe
PID 1616 wrote to memory of 2372 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1616 wrote to memory of 2372 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3852 wrote to memory of 1708 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 3852 wrote to memory of 1708 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 1824 wrote to memory of 3340 N/A C:\Users\Admin\AppData\Local\Temp\Kasperipee.exe C:\Windows\system32\cmd.exe
PID 1824 wrote to memory of 3340 N/A C:\Users\Admin\AppData\Local\Temp\Kasperipee.exe C:\Windows\system32\cmd.exe
PID 3340 wrote to memory of 3248 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 3340 wrote to memory of 3248 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 1824 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\Kasperipee.exe C:\Windows\system32\cmd.exe
PID 1824 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\Kasperipee.exe C:\Windows\system32\cmd.exe
PID 4808 wrote to memory of 4448 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4808 wrote to memory of 4448 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1824 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Local\Temp\Kasperipee.exe C:\Windows\system32\cmd.exe
PID 1824 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Local\Temp\Kasperipee.exe C:\Windows\system32\cmd.exe
PID 1824 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\Kasperipee.exe C:\Windows\system32\cmd.exe
PID 1824 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\Kasperipee.exe C:\Windows\system32\cmd.exe
PID 4584 wrote to memory of 4680 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mshta.exe
PID 4584 wrote to memory of 4680 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mshta.exe
PID 4956 wrote to memory of 4836 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 4956 wrote to memory of 4836 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 1824 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\Kasperipee.exe C:\Windows\system32\cmd.exe
PID 1824 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\Kasperipee.exe C:\Windows\system32\cmd.exe
PID 1824 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\Kasperipee.exe C:\Windows\system32\cmd.exe
PID 1824 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\Kasperipee.exe C:\Windows\system32\cmd.exe
PID 1824 wrote to memory of 4804 N/A C:\Users\Admin\AppData\Local\Temp\Kasperipee.exe C:\Windows\system32\cmd.exe
PID 1824 wrote to memory of 4804 N/A C:\Users\Admin\AppData\Local\Temp\Kasperipee.exe C:\Windows\system32\cmd.exe
PID 1824 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Local\Temp\Kasperipee.exe C:\Windows\system32\cmd.exe
PID 1824 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Local\Temp\Kasperipee.exe C:\Windows\system32\cmd.exe
PID 1988 wrote to memory of 4012 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1988 wrote to memory of 4012 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1276 wrote to memory of 1096 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1276 wrote to memory of 1096 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4440 wrote to memory of 2104 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4440 wrote to memory of 2104 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4012 wrote to memory of 4764 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 4012 wrote to memory of 4764 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1096 wrote to memory of 1296 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1096 wrote to memory of 1296 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com

Uses Task Scheduler COM API

persistence

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Kasperipee.exe

"C:\Users\Admin\AppData\Local\Temp\Kasperipee.exe"

C:\Users\Admin\AppData\Local\Temp\Kasperipee.exe

"C:\Users\Admin\AppData\Local\Temp\Kasperipee.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "ver"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "gdb --version"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\System32\Wbem\WMIC.exe

wmic computersystem get Manufacturer

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"

C:\Windows\System32\Wbem\WMIC.exe

wmic path Win32_ComputerSystem get Manufacturer

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe""

C:\Windows\system32\attrib.exe

attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Exela Update Service" /t REG_SZ /d "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe" /f"

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Exela Update Service" /t REG_SZ /d "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist"

C:\Windows\system32\mshta.exe

mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"

C:\Windows\system32\cmd.exe

cmd.exe /c chcp

C:\Windows\system32\cmd.exe

cmd.exe /c chcp

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Clipboard

C:\Windows\system32\chcp.com

chcp

C:\Windows\system32\chcp.com

chcp

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\system32\systeminfo.exe

systeminfo

C:\Windows\system32\HOSTNAME.EXE

hostname

C:\Windows\System32\Wbem\WMIC.exe

wmic logicaldisk get caption,description,providername

C:\Windows\system32\net.exe

net user

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user

C:\Windows\system32\query.exe

query user

C:\Windows\system32\quser.exe

"C:\Windows\system32\quser.exe"

C:\Windows\system32\net.exe

net localgroup

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 localgroup

C:\Windows\system32\net.exe

net localgroup administrators

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 localgroup administrators

C:\Windows\system32\net.exe

net user guest

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user guest

C:\Windows\system32\net.exe

net user administrator

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user administrator

C:\Windows\System32\Wbem\WMIC.exe

wmic startup get caption,command

C:\Windows\system32\tasklist.exe

tasklist /svc

C:\Windows\system32\ipconfig.exe

ipconfig /all

C:\Windows\system32\ROUTE.EXE

route print

C:\Windows\system32\ARP.EXE

arp -a

C:\Windows\system32\NETSTAT.EXE

netstat -ano

C:\Windows\system32\sc.exe

sc query type= service state= all

C:\Windows\system32\netsh.exe

netsh firewall show state

C:\Windows\system32\netsh.exe

netsh firewall show config

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Program Files\VideoLAN\VLC\vlc.exe

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\RevokeOptimize.aifc"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2000 -parentBuildID 20240401114208 -prefsHandle 1928 -prefMapHandle 1920 -prefsLen 23681 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7be9a240-b956-4c99-8cb8-0562ab933f3c} 4460 "\\.\pipe\gecko-crash-server-pipe.4460" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2392 -parentBuildID 20240401114208 -prefsHandle 2372 -prefMapHandle 2368 -prefsLen 23717 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f9a8b400-c833-46e0-874b-ec7eeb20b50f} 4460 "\\.\pipe\gecko-crash-server-pipe.4460" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2936 -childID 1 -isForBrowser -prefsHandle 3012 -prefMapHandle 2840 -prefsLen 23858 -prefMapSize 244658 -jsInitHandle 1216 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {42d6e681-104a-4b5a-8ade-58ccfe307adc} 4460 "\\.\pipe\gecko-crash-server-pipe.4460" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3952 -childID 2 -isForBrowser -prefsHandle 3964 -prefMapHandle 3960 -prefsLen 29091 -prefMapSize 244658 -jsInitHandle 1216 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b652a10f-6aab-41c4-9c4d-336498d65dea} 4460 "\\.\pipe\gecko-crash-server-pipe.4460" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4896 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4788 -prefMapHandle 4876 -prefsLen 29091 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {221f21e7-f89b-4e07-a2c1-21933c6ec4be} 4460 "\\.\pipe\gecko-crash-server-pipe.4460" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5324 -childID 3 -isForBrowser -prefsHandle 5312 -prefMapHandle 5288 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1216 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {de653586-998c-4fe7-861e-696fc78e1514} 4460 "\\.\pipe\gecko-crash-server-pipe.4460" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5488 -childID 4 -isForBrowser -prefsHandle 5500 -prefMapHandle 5448 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1216 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0523eb91-f20a-4bfc-b105-1c964568726d} 4460 "\\.\pipe\gecko-crash-server-pipe.4460" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5660 -childID 5 -isForBrowser -prefsHandle 5740 -prefMapHandle 5736 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1216 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9e15de9e-1bd0-40f9-995a-4d6d4d39822a} 4460 "\\.\pipe\gecko-crash-server-pipe.4460" tab

C:\Program Files (x86)\Windows Media Player\wmplayer.exe

"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding

C:\Windows\SysWOW64\unregmp2.exe

"C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon

C:\Windows\system32\unregmp2.exe

"C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k UnistackSvcGroup

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
N/A 127.0.0.1:49911 tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
N/A 127.0.0.1:49921 tcp
N/A 127.0.0.1:49927 tcp
N/A 127.0.0.1:49931 tcp
N/A 127.0.0.1:49933 tcp
US 8.8.8.8:53 discord.com udp
US 162.159.136.232:443 discord.com tcp
US 162.159.136.232:443 discord.com tcp
US 8.8.8.8:53 232.136.159.162.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 api.gofile.io udp
FR 45.112.123.126:443 api.gofile.io tcp
US 8.8.8.8:53 store1.gofile.io udp
FR 45.112.123.227:443 store1.gofile.io tcp
US 8.8.8.8:53 126.123.112.45.in-addr.arpa udp
US 8.8.8.8:53 227.123.112.45.in-addr.arpa udp
US 8.8.8.8:53 checkappexec.microsoft.com udp
GB 51.140.242.104:443 checkappexec.microsoft.com tcp
US 8.8.8.8:53 104.242.140.51.in-addr.arpa udp
US 8.8.8.8:53 203.197.79.204.in-addr.arpa udp
N/A 127.0.0.1:50090 tcp
N/A 127.0.0.1:50092 tcp
FR 45.112.123.126:443 api.gofile.io tcp
FR 45.112.123.227:443 store1.gofile.io tcp
US 162.159.136.232:443 discord.com tcp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
N/A 127.0.0.1:50288 tcp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 firefox-settings-attachments.cdn.mozilla.net udp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 98.64.12.52.in-addr.arpa udp
N/A 127.0.0.1:50298 tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI1922\ucrtbase.dll

MD5 0e0bac3d1dcc1833eae4e3e4cf83c4ef
SHA1 4189f4459c54e69c6d3155a82524bda7549a75a6
SHA256 8a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae
SHA512 a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd

C:\Users\Admin\AppData\Local\Temp\_MEI1922\python311.dll

MD5 db09c9bbec6134db1766d369c339a0a1
SHA1 c156d9f2d0e80b4cf41794cd9b8b1e8a352e0a0b
SHA256 b1aac1e461174bbae952434e4dac092590d72b9832a04457c94bd9bb7ee8ad79
SHA512 653a7fff6a2b6bffb9ea2c0b72ddb83c9c53d555e798eea47101b0d932358180a01af2b9dab9c27723057439c1eaffb8d84b9b41f6f9cd1c3c934f1794104d45

C:\Users\Admin\AppData\Local\Temp\_MEI1922\VCRUNTIME140.dll

MD5 f12681a472b9dd04a812e16096514974
SHA1 6fd102eb3e0b0e6eef08118d71f28702d1a9067c
SHA256 d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8
SHA512 7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

memory/1824-90-0x00007FFBC5E30000-0x00007FFBC6418000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI1922\base_library.zip

MD5 83d235e1f5b0ee5b0282b5ab7244f6c4
SHA1 629a1ce71314d7abbce96674a1ddf9f38c4a5e9c
SHA256 db389a9e14bfac6ee5cce17d41f9637d3ff8b702cc74102db8643e78659670a0
SHA512 77364aff24cfc75ee32e50973b7d589b4a896d634305d965ecbc31a9e0097e270499dbec93126092eb11f3f1ad97692db6ca5927d3d02f3d053336d6267d7e5f

C:\Users\Admin\AppData\Local\Temp\_MEI1922\_ctypes.pyd

MD5 b4c41a4a46e1d08206c109ce547480c7
SHA1 9588387007a49ec2304160f27376aedca5bc854d
SHA256 9925ab71a4d74ce0ccc036034d422782395dd496472bd2d7b6d617f4d6ddc1f9
SHA512 30debb8e766b430a57f3f6649eeb04eb0aad75ab50423252585db7e28a974d629eb81844a05f5cb94c1702308d3feda7a7a99cb37458e2acb8e87efc486a1d33

C:\Users\Admin\AppData\Local\Temp\_MEI1922\python3.DLL

MD5 34e49bb1dfddf6037f0001d9aefe7d61
SHA1 a25a39dca11cdc195c9ecd49e95657a3e4fe3215
SHA256 4055d1b9e553b78c244143ab6b48151604003b39a9bf54879dee9175455c1281
SHA512 edb715654baaf499cf788bcacd5657adcf9f20b37b02671abe71bda334629344415ed3a7e95cb51164e66a7aa3ed4bf84acb05649ccd55e3f64036f3178b7856

memory/1824-98-0x00007FFBD5540000-0x00007FFBD5564000-memory.dmp

memory/1824-100-0x00007FFBDEBC0000-0x00007FFBDEBCF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI1922\libffi-8.dll

MD5 decbba3add4c2246928ab385fb16a21e
SHA1 5f019eff11de3122ffa67a06d52d446a3448b75e
SHA256 4b43c1e42f6050ddb8e184c8ec4fb1de4a6001e068ece8e6ad47de0cc9fd4a2d
SHA512 760a42a3eb3ca13fa7b95d3bd0f411c270594ae3cf1d3cda349fa4f8b06ebe548b60cd438d68e2da37de0bc6f1c711823f5e917da02ed7047a45779ee08d7012

C:\Users\Admin\AppData\Local\Temp\_MEI1922\_lzma.pyd

MD5 bfca96ed7647b31dd2919bedebb856b8
SHA1 7d802d5788784f8b6bfbb8be491c1f06600737ac
SHA256 032b1a139adcff84426b6e156f9987b501ad42ecfb18170b10fb54da0157392e
SHA512 3a2926b79c90c3153c88046d316a081c8ddfb181d5f7c849ea6ae55cb13c6adba3a0434f800c4a30017d2fbab79d459432a2e88487914b54a897c4301c778551

memory/1824-151-0x00007FFBD58B0000-0x00007FFBD58C9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI1922\select.pyd

MD5 c39459806c712b3b3242f8376218c1e1
SHA1 85d254fb6cc5d6ed20a04026bff1158c8fd0a530
SHA256 7cbd4339285d145b422afa280cee685258bc659806be9cf8b334805bc45b29c9
SHA512 b727c6d1cd451d658e174161135d3be48d7efda21c775b8145bc527a54d6592bfc50919276c6498d2e2233ac1524c1699f59f0f467cc6e43e5b5e9558c87f49d

memory/1824-155-0x00007FFBD5170000-0x00007FFBD5193000-memory.dmp

memory/1824-156-0x00007FFBC5CB0000-0x00007FFBC5E23000-memory.dmp

memory/1824-154-0x00007FFBD51A0000-0x00007FFBD51CD000-memory.dmp

memory/1824-153-0x00007FFBD51D0000-0x00007FFBD51E9000-memory.dmp

memory/1824-152-0x00007FFBDDC10000-0x00007FFBDDC1D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI1922\_hashlib.pyd

MD5 0629bdb5ff24ce5e88a2ddcede608aee
SHA1 47323370992b80dafb6f210b0d0229665b063afb
SHA256 f404bb8371618bbd782201f092a3bcd7a96d3c143787ebea1d8d86ded1f4b3b8
SHA512 3faeff1a19893257c17571b89963af37534c189421585ea03dd6a3017d28803e9d08b0e4daceee01ffeda21da60e68d10083fe7dbdbbde313a6b489a40e70952

C:\Users\Admin\AppData\Local\Temp\_MEI1922\_decimal.pyd

MD5 e9501519a447b13dcca19e09140c9e84
SHA1 472b1aa072454d065dfe415a05036ffd8804c181
SHA256 6b5fe2dea13b84e40b0278d1702aa29e9e2091f9dc09b64bbff5fd419a604c3c
SHA512 ef481e0e4f9b277642652cd090634e1c04702df789e2267a87205e0fe12b00f1de6cdd4fafb51da01efa726606c0b57fcb2ea373533c772983fc4777dc0acc63

C:\Users\Admin\AppData\Local\Temp\_MEI1922\_cffi_backend.cp311-win_amd64.pyd

MD5 3ee19e638459380934a44073c184b5c0
SHA1 6849d2f9e0920564e7a82f365616d6b763b1386f
SHA256 d26943222b0645c4d00f29fb4e0fb234ab2b963d8d48f616f204d8ae644c7322
SHA512 a7985b0acc57b635ed88b4945e72919c48c203bdea2f85659f0169ad3778ffb405e579d4bfcd9fc8d9752d10bec2f1cc793ac4e0c2cb84f4ce5b2297cd468d09

C:\Users\Admin\AppData\Local\Temp\_MEI1922\_bz2.pyd

MD5 80c69a1d87f0c82d6c4268e5a8213b78
SHA1 bae059da91d48eaac4f1bb45ca6feee2c89a2c06
SHA256 307359f1b2552b60839385eb63d74cbfe75cd5efdb4e7cd0bb7d296fa67d8a87
SHA512 542cf4ba19dd6a91690340779873e0cb8864b28159f55917f98a192ff9c449aba2d617e9b2b3932ddfeee13021706577ab164e5394e0513fe4087af6bc39d40d

C:\Users\Admin\AppData\Local\Temp\_MEI1922\_asyncio.pyd

MD5 1b8ce772a230a5da8cbdccd8914080a5
SHA1 40d4faf1308d1af6ef9f3856a4f743046fd0ead5
SHA256 fa5a1e7031de5849ab2ab5a177e366b41e1df6bbd90c8d2418033a01c740771f
SHA512 d2fc21b9f58b57065b337c3513e7e6c3e2243b73c5a230e81c91dafcb6724b521ad766667848ba8d0a428d530691ffc4020de6ce9ce1eaa2bf5e15338114a603

C:\Users\Admin\AppData\Local\Temp\_MEI1922\unicodedata.pyd

MD5 06a5e52caf03426218f0c08fc02cc6b8
SHA1 ae232c63620546716fbb97452d73948ebfd06b35
SHA256 118c31faa930f2849a14c3133df36420a5832114df90d77b09cde0ad5f96f33a
SHA512 546b1a01f36d3689b0fdeeda8b1ce55e7d3451731ca70fffe6627d542fff19d7a70e27147cab1920aae8bed88272342908d4e9d671d7aba74abb5db398b90718

C:\Users\Admin\AppData\Local\Temp\_MEI1922\sqlite3.dll

MD5 895f001ae969364432372329caf08b6a
SHA1 4567fc6672501648b277fe83e6b468a7a2155ddf
SHA256 f5dd29e1e99cf8967f7f81487dc624714dcbec79c1630f929d5507fc95cbfad7
SHA512 05b4559d283ea84174da72a6c11b8b93b1586b4e7d8cda8d745c814f8f6dff566e75f9d7890f32bd9dfe43485244973860f83f96ba39296e28127c9396453261

C:\Users\Admin\AppData\Local\Temp\_MEI1922\pyexpat.pyd

MD5 fe0e32bfe3764ed5321454e1a01c81ec
SHA1 7690690df0a73bdcc54f0f04b674fc8a9a8f45fb
SHA256 b399bff10812e9ea2c9800f74cb0e5002f9d9379baf1a3cef9d438caca35dc92
SHA512 d1777f9e684a9e4174e18651e6d921ae11757ecdbeb4ee678c6a28e0903a4b9ab9f6e1419670b4d428ee20f86c7d424177ed9daf4365cf2ee376fcd065c1c92d

C:\Users\Admin\AppData\Local\Temp\_MEI1922\libssl-1_1.dll

MD5 6cd33578bc5629930329ca3303f0fae1
SHA1 f2f8e3248a72f98d27f0cfa0010e32175a18487f
SHA256 4150ee603ad2da7a6cb6a895cb5bd928e3a99af7e73c604de1fc224e0809fdb0
SHA512 c236a6ccc8577c85509d378c1ef014621cab6f6f4aa26796ff32d8eec8e98ded2e55d358a7d236594f7a48646dc2a6bf25b42a37aed549440d52873ebca4713e

C:\Users\Admin\AppData\Local\Temp\_MEI1922\libcrypto-1_1.dll

MD5 86cfc84f8407ab1be6cc64a9702882ef
SHA1 86f3c502ed64df2a5e10b085103c2ffc9e3a4130
SHA256 11b89cc5531b2a6b89fbbb406ebe8fb01f0bf789e672131b0354e10f9e091307
SHA512 b33f59497127cb1b4c1781693380576187c562563a9e367ce8abc14c97c51053a28af559cdd8bd66181012083e562c8a8771e3d46adeba269a848153a8e9173c

C:\Users\Admin\AppData\Local\Temp\_MEI1922\api-ms-win-crt-utility-l1-1-0.dll

MD5 a0776b3a28f7246b4a24ff1b2867bdbf
SHA1 383c9a6afda7c1e855e25055aad00e92f9d6aaff
SHA256 2e554d9bf872a64d2cd0f0eb9d5a06dea78548bc0c7a6f76e0a0c8c069f3c0a9
SHA512 7c9f0f8e53b363ef5b2e56eec95e7b78ec50e9308f34974a287784a1c69c9106f49ea2d9ca037f0a7b3c57620fcbb1c7c372f207c68167df85797affc3d7f3ba

C:\Users\Admin\AppData\Local\Temp\_MEI1922\api-ms-win-crt-time-l1-1-0.dll

MD5 001e60f6bbf255a60a5ea542e6339706
SHA1 f9172ec37921432d5031758d0c644fe78cdb25fa
SHA256 82fba9bc21f77309a649edc8e6fc1900f37e3ffcb45cd61e65e23840c505b945
SHA512 b1a6dc5a34968fbdc8147d8403adf8b800a06771cc9f15613f5ce874c29259a156bab875aae4caaec2117817ce79682a268aa6e037546aeca664cd4eea60adbf

C:\Users\Admin\AppData\Local\Temp\_MEI1922\api-ms-win-crt-string-l1-1-0.dll

MD5 115e8275eb570b02e72c0c8a156970b3
SHA1 c305868a014d8d7bbef9abbb1c49a70e8511d5a6
SHA256 415025dce5a086dbffc4cf322e8ead55cb45f6d946801f6f5193df044db2f004
SHA512 b97ef7c5203a0105386e4949445350d8ff1c83bdeaee71ccf8dc22f7f6d4f113cb0a9be136717895c36ee8455778549f629bf8d8364109185c0bf28f3cb2b2ca

C:\Users\Admin\AppData\Local\Temp\_MEI1922\api-ms-win-crt-stdio-l1-1-0.dll

MD5 96498dc4c2c879055a7aff2a1cc2451e
SHA1 fecbc0f854b1adf49ef07beacad3cec9358b4fb2
SHA256 273817a137ee049cbd8e51dc0bb1c7987df7e3bf4968940ee35376f87ef2ef8d
SHA512 4e0b2ef0efe81a8289a447eb48898992692feee4739ceb9d87f5598e449e0059b4e6f4eb19794b9dcdce78c05c8871264797c14e4754fd73280f37ec3ea3c304

C:\Users\Admin\AppData\Local\Temp\_MEI1922\api-ms-win-crt-runtime-l1-1-0.dll

MD5 20c0afa78836b3f0b692c22f12bda70a
SHA1 60bb74615a71bd6b489c500e6e69722f357d283e
SHA256 962d725d089f140482ee9a8ff57f440a513387dd03fdc06b3a28562c8090c0bc
SHA512 65f0e60136ab358661e5156b8ecd135182c8aaefd3ec320abdf9cfc8aeab7b68581890e0bbc56bad858b83d47b7a0143fa791195101dc3e2d78956f591641d16

C:\Users\Admin\AppData\Local\Temp\_MEI1922\api-ms-win-crt-process-l1-1-0.dll

MD5 272c0f80fd132e434cdcdd4e184bb1d8
SHA1 5bc8b7260e690b4d4039fe27b48b2cecec39652f
SHA256 bd943767f3e0568e19fb52522217c22b6627b66a3b71cd38dd6653b50662f39d
SHA512 94892a934a92ef1630fbfea956d1fe3a3bfe687dec31092828960968cb321c4ab3af3caf191d4e28c8ca6b8927fbc1ec5d17d5c8a962c848f4373602ec982cd4

C:\Users\Admin\AppData\Local\Temp\_MEI1922\api-ms-win-crt-math-l1-1-0.dll

MD5 b8f0210c47847fc6ec9fbe2a1ad4debb
SHA1 e99d833ae730be1fedc826bf1569c26f30da0d17
SHA256 1c4a70a73096b64b536be8132ed402bcfb182c01b8a451bff452efe36ddf76e7
SHA512 992d790e18ac7ae33958f53d458d15bff522a3c11a6bd7ee2f784ac16399de8b9f0a7ee896d9f2c96d1e2c8829b2f35ff11fc5d8d1b14c77e22d859a1387797c

C:\Users\Admin\AppData\Local\Temp\_MEI1922\api-ms-win-crt-locale-l1-1-0.dll

MD5 650435e39d38160abc3973514d6c6640
SHA1 9a5591c29e4d91eaa0f12ad603af05bb49708a2d
SHA256 551a34c400522957063a2d71fa5aba1cd78cc4f61f0ace1cd42cc72118c500c0
SHA512 7b4a8f86d583562956593d27b7ecb695cb24ab7192a94361f994fadba7a488375217755e7ed5071de1d0960f60f255aa305e9dd477c38b7bb70ac545082c9d5e

C:\Users\Admin\AppData\Local\Temp\_MEI1922\api-ms-win-crt-heap-l1-1-0.dll

MD5 d5d77669bd8d382ec474be0608afd03f
SHA1 1558f5a0f5facc79d3957ff1e72a608766e11a64
SHA256 8dd9218998b4c4c9e8d8b0f8b9611d49419b3c80daa2f437cbf15bcfd4c0b3b8
SHA512 8defa71772105fd9128a669f6ff19b6fe47745a0305beb9a8cadb672ed087077f7538cd56e39329f7daa37797a96469eae7cd5e4cca57c9a183b35bdc44182f3

C:\Users\Admin\AppData\Local\Temp\_MEI1922\api-ms-win-crt-filesystem-l1-1-0.dll

MD5 5107487b726bdcc7b9f7e4c2ff7f907c
SHA1 ebc46221d3c81a409fab9815c4215ad5da62449c
SHA256 94a86e28e829276974e01f8a15787fde6ed699c8b9dc26f16a51765c86c3eade
SHA512 a0009b80ad6a928580f2b476c1bdf4352b0611bb3a180418f2a42cfa7a03b9f0575ed75ec855d30b26e0cca96a6da8affb54862b6b9aff33710d2f3129283faa

C:\Users\Admin\AppData\Local\Temp\_MEI1922\api-ms-win-crt-environment-l1-1-0.dll

MD5 f9235935dd3ba2aa66d3aa3412accfbf
SHA1 281e548b526411bcb3813eb98462f48ffaf4b3eb
SHA256 2f6bd6c235e044755d5707bd560a6afc0ba712437530f76d11079d67c0cf3200
SHA512 ad0c0a7891fb8328f6f0cf1ddc97523a317d727c15d15498afa53c07610210d2610db4bc9bd25958d47adc1af829ad4d7cf8aabcab3625c783177ccdb7714246

C:\Users\Admin\AppData\Local\Temp\_MEI1922\api-ms-win-crt-convert-l1-1-0.dll

MD5 edf71c5c232f5f6ef3849450f2100b54
SHA1 ed46da7d59811b566dd438fa1d09c20f5dc493ce
SHA256 b987ab40cdd950ebe7a9a9176b80b8fffc005ccd370bb1cbbcad078c1a506bdc
SHA512 481a3c8dc5bef793ee78ce85ec0f193e3e9f6cd57868b813965b312bd0fadeb5f4419707cd3004fbdb407652101d52e061ef84317e8bd458979443e9f8e4079a

C:\Users\Admin\AppData\Local\Temp\_MEI1922\api-ms-win-crt-conio-l1-1-0.dll

MD5 d4fba5a92d68916ec17104e09d1d9d12
SHA1 247dbc625b72ffb0bf546b17fb4de10cad38d495
SHA256 93619259328a264287aee7c5b88f7f0ee32425d7323ce5dc5a2ef4fe3bed90d5
SHA512 d5a535f881c09f37e0adf3b58d41e123f527d081a1ebecd9a927664582ae268341771728dc967c30908e502b49f6f853eeaebb56580b947a629edc6bce2340d8

C:\Users\Admin\AppData\Local\Temp\_MEI1922\api-ms-win-core-util-l1-1-0.dll

MD5 0f129611a4f1e7752f3671c9aa6ea736
SHA1 40c07a94045b17dae8a02c1d2b49301fad231152
SHA256 2e1f090aba941b9d2d503e4cd735c958df7bb68f1e9bdc3f47692e1571aaac2f
SHA512 6abc0f4878bb302713755a188f662c6fe162ea6267e5e1c497c9ba9fddbdaea4db050e322cb1c77d6638ecf1dad940b9ebc92c43acaa594040ee58d313cbcfae

C:\Users\Admin\AppData\Local\Temp\_MEI1922\api-ms-win-core-timezone-l1-1-0.dll

MD5 d12403ee11359259ba2b0706e5e5111c
SHA1 03cc7827a30fd1dee38665c0cc993b4b533ac138
SHA256 f60e1751a6ac41f08e46480bf8e6521b41e2e427803996b32bdc5e78e9560781
SHA512 9004f4e59835af57f02e8d9625814db56f0e4a98467041da6f1367ef32366ad96e0338d48fff7cc65839a24148e2d9989883bcddc329d9f4d27cae3f843117d0

C:\Users\Admin\AppData\Local\Temp\_MEI1922\api-ms-win-core-sysinfo-l1-1-0.dll

MD5 fd46c3f6361e79b8616f56b22d935a53
SHA1 107f488ad966633579d8ec5eb1919541f07532ce
SHA256 0dc92e8830bc84337dcae19ef03a84ef5279cf7d4fdc2442c1bc25320369f9df
SHA512 3360b2e2a25d545ccd969f305c4668c6cda443bbdbd8a8356ffe9fbc2f70d90cf4540f2f28c9ed3eea6c9074f94e69746e7705e6254827e6a4f158a75d81065b

C:\Users\Admin\AppData\Local\Temp\_MEI1922\api-ms-win-core-synch-l1-2-0.dll

MD5 1281e9d1750431d2fe3b480a8175d45c
SHA1 bc982d1c750b88dcb4410739e057a86ff02d07ef
SHA256 433bd8ddc4f79aee65ca94a54286d75e7d92b019853a883e51c2b938d2469baa
SHA512 a954e6ce76f1375a8beac51d751b575bbc0b0b8ba6aa793402b26404e45718165199c2c00ccbcba3783c16bdd96f0b2c17addcc619c39c8031becebef428ce77

C:\Users\Admin\AppData\Local\Temp\_MEI1922\api-ms-win-core-synch-l1-1-0.dll

MD5 225d9f80f669ce452ca35e47af94893f
SHA1 37bd0ffc8e820247bd4db1c36c3b9f9f686bbd50
SHA256 61c0ebe60ce6ebabcb927ddff837a9bf17e14cd4b4c762ab709e630576ec7232
SHA512 2f71a3471a9868f4d026c01e4258aff7192872590f5e5c66aabd3c088644d28629ba8835f3a4a23825631004b1afd440efe7161bb9fc7d7c69e0ee204813ca7b

C:\Users\Admin\AppData\Local\Temp\_MEI1922\api-ms-win-core-string-l1-1-0.dll

MD5 2666581584ba60d48716420a6080abda
SHA1 c103f0ea32ebbc50f4c494bce7595f2b721cb5ad
SHA256 27e9d3e7c8756e4512932d674a738bf4c2969f834d65b2b79c342a22f662f328
SHA512 befed15f11a0550d2859094cc15526b791dadea12c2e7ceb35916983fb7a100d89d638fb1704975464302fae1e1a37f36e01e4bef5bc4924ab8f3fd41e60bd0c

C:\Users\Admin\AppData\Local\Temp\_MEI1922\api-ms-win-core-rtlsupport-l1-1-0.dll

MD5 a0c2dbe0f5e18d1add0d1ba22580893b
SHA1 29624df37151905467a223486500ed75617a1dfd
SHA256 3c29730df2b28985a30d9c82092a1faa0ceb7ffc1bd857d1ef6324cf5524802f
SHA512 3e627f111196009380d1687e024e6ffb1c0dcf4dcb27f8940f17fec7efdd8152ff365b43cb7fdb31de300955d6c15e40a2c8fb6650a91706d7ea1c5d89319b12

C:\Users\Admin\AppData\Local\Temp\_MEI1922\api-ms-win-core-profile-l1-1-0.dll

MD5 f3ff2d544f5cd9e66bfb8d170b661673
SHA1 9e18107cfcd89f1bbb7fdaf65234c1dc8e614add
SHA256 e1c5d8984a674925fa4afbfe58228be5323fe5123abcd17ec4160295875a625f
SHA512 184b09c77d079127580ef80eb34bded0f5e874cefbe1c5f851d86861e38967b995d859e8491fcc87508930dc06c6bbf02b649b3b489a1b138c51a7d4b4e7aaad

C:\Users\Admin\AppData\Local\Temp\_MEI1922\api-ms-win-core-processthreads-l1-1-1.dll

MD5 517eb9e2cb671ae49f99173d7f7ce43f
SHA1 4ccf38fed56166ddbf0b7efb4f5314c1f7d3b7ab
SHA256 57cc66bf0909c430364d35d92b64eb8b6a15dc201765403725fe323f39e8ac54
SHA512 492be2445b10f6bfe6c561c1fc6f5d1af6d1365b7449bc57a8f073b44ae49c88e66841f5c258b041547fcd33cbdcb4eb9dd3e24f0924db32720e51651e9286be

C:\Users\Admin\AppData\Local\Temp\_MEI1922\api-ms-win-core-processthreads-l1-1-0.dll

MD5 c3632083b312c184cbdd96551fed5519
SHA1 a93e8e0af42a144009727d2decb337f963a9312e
SHA256 be8d78978d81555554786e08ce474f6af1de96fcb7fa2f1ce4052bc80c6b2125
SHA512 8807c2444a044a3c02ef98cf56013285f07c4a1f7014200a21e20fcb995178ba835c30ac3889311e66bc61641d6226b1ff96331b019c83b6fcc7c87870cce8c4

C:\Users\Admin\AppData\Local\Temp\_MEI1922\api-ms-win-core-processenvironment-l1-1-0.dll

MD5 0462e22f779295446cd0b63e61142ca5
SHA1 616a325cd5b0971821571b880907ce1b181126ae
SHA256 0b6b598ec28a9e3d646f2bb37e1a57a3dda069a55fba86333727719585b1886e
SHA512 07b34dca6b3078f7d1e8ede5c639f697c71210dcf9f05212fd16eb181ab4ac62286bc4a7ce0d84832c17f5916d0224d1e8aab210ceeff811fc6724c8845a74fe

C:\Users\Admin\AppData\Local\Temp\_MEI1922\api-ms-win-core-namedpipe-l1-1-0.dll

MD5 321a3ca50e80795018d55a19bf799197
SHA1 df2d3c95fb4cbb298d255d342f204121d9d7ef7f
SHA256 5476db3a4fecf532f96d48f9802c966fdef98ec8d89978a79540cb4db352c15f
SHA512 3ec20e1ac39a98cb5f726d8390c2ee3cd4cd0bf118fdda7271f7604a4946d78778713b675d19dd3e1ec1d6d4d097abe9cd6d0f76b3a7dff53ce8d6dbc146870a

C:\Users\Admin\AppData\Local\Temp\_MEI1922\api-ms-win-core-memory-l1-1-0.dll

MD5 3c38aac78b7ce7f94f4916372800e242
SHA1 c793186bcf8fdb55a1b74568102b4e073f6971d6
SHA256 3f81a149ba3862776af307d5c7feef978f258196f0a1bf909da2d3f440ff954d
SHA512 c2746aa4342c6afffbd174819440e1bbf4371a7fed29738801c75b49e2f4f94fd6d013e002bad2aadafbc477171b8332c8c5579d624684ef1afbfde9384b8588

C:\Users\Admin\AppData\Local\Temp\_MEI1922\api-ms-win-core-localization-l1-2-0.dll

MD5 724223109e49cb01d61d63a8be926b8f
SHA1 072a4d01e01dbbab7281d9bd3add76f9a3c8b23b
SHA256 4e975f618df01a492ae433dff0dd713774d47568e44c377ceef9e5b34aad1210
SHA512 19b0065b894dc66c30a602c9464f118e7f84d83010e74457d48e93aaca4422812b093b15247b24d5c398b42ef0319108700543d13f156067b169ccfb4d7b6b7c

C:\Users\Admin\AppData\Local\Temp\_MEI1922\api-ms-win-core-libraryloader-l1-1-0.dll

MD5 1f2a00e72bc8fa2bd887bdb651ed6de5
SHA1 04d92e41ce002251cc09c297cf2b38c4263709ea
SHA256 9c8a08a7d40b6f697a21054770f1afa9ffb197f90ef1eee77c67751df28b7142
SHA512 8cf72df019f9fc9cd22ff77c37a563652becee0708ff5c6f1da87317f41037909e64dcbdcc43e890c5777e6bcfa4035a27afc1aeeb0f5deba878e3e9aef7b02a

C:\Users\Admin\AppData\Local\Temp\_MEI1922\api-ms-win-core-interlocked-l1-1-0.dll

MD5 c6024cc04201312f7688a021d25b056d
SHA1 48a1d01ae8bc90f889fb5f09c0d2a0602ee4b0fd
SHA256 8751d30df554af08ef42d2faa0a71abcf8c7d17ce9e9ff2ea68a4662603ec500
SHA512 d86c773416b332945acbb95cbe90e16730ef8e16b7f3ccd459d7131485760c2f07e95951aeb47c1cf29de76affeb1c21bdf6d8260845e32205fe8411ed5efa47

C:\Users\Admin\AppData\Local\Temp\_MEI1922\api-ms-win-core-heap-l1-1-0.dll

MD5 accc640d1b06fb8552fe02f823126ff5
SHA1 82ccc763d62660bfa8b8a09e566120d469f6ab67
SHA256 332ba469ae84aa72ec8cce2b33781db1ab81a42ece5863f7a3cb5a990059594f
SHA512 6382302fb7158fc9f2be790811e5c459c5c441f8caee63df1e09b203b8077a27e023c4c01957b252ac8ac288f8310bcee5b4dcc1f7fc691458b90cdfaa36dcbe

C:\Users\Admin\AppData\Local\Temp\_MEI1922\api-ms-win-core-handle-l1-1-0.dll

MD5 e89cdcd4d95cda04e4abba8193a5b492
SHA1 5c0aee81f32d7f9ec9f0650239ee58880c9b0337
SHA256 1a489e0606484bd71a0d9cb37a1dc6ca8437777b3d67bfc8c0075d0cc59e6238
SHA512 55d01e68c8c899e99a3c62c2c36d6bcb1a66ff6ecd2636d2d0157409a1f53a84ce5d6f0c703d5ed47f8e9e2d1c9d2d87cc52585ee624a23d92183062c999b97e

C:\Users\Admin\AppData\Local\Temp\_MEI1922\api-ms-win-core-file-l2-1-0.dll

MD5 bfffa7117fd9b1622c66d949bac3f1d7
SHA1 402b7b8f8dcfd321b1d12fc85a1ee5137a5569b2
SHA256 1ea267a2e6284f17dd548c6f2285e19f7edb15d6e737a55391140ce5cb95225e
SHA512 b319cc7b436b1be165cdf6ffcab8a87fe29de78f7e0b14c8f562be160481fb5483289bd5956fdc1d8660da7a3f86d8eede35c6cc2b7c3d4c852decf4b2dcdb7f

C:\Users\Admin\AppData\Local\Temp\_MEI1922\api-ms-win-core-file-l1-2-0.dll

MD5 1c58526d681efe507deb8f1935c75487
SHA1 0e6d328faf3563f2aae029bc5f2272fb7a742672
SHA256 ef13dce8f71173315dfc64ab839b033ab19a968ee15230e9d4d2c9d558efeee2
SHA512 8edb9a0022f417648e2ece9e22c96e2727976332025c3e7d8f15bcf6d7d97e680d1bf008eb28e2e0bd57787dcbb71d38b2deb995b8edc35fa6852ab1d593f3d1

C:\Users\Admin\AppData\Local\Temp\_MEI1922\api-ms-win-core-file-l1-1-0.dll

MD5 efad0ee0136532e8e8402770a64c71f9
SHA1 cda3774fe9781400792d8605869f4e6b08153e55
SHA256 3d2c55902385381869db850b526261ddeb4628b83e690a32b67d2e0936b2c6ed
SHA512 69d25edf0f4c8ac5d77cb5815dfb53eac7f403dc8d11bfe336a545c19a19ffde1031fa59019507d119e4570da0d79b95351eac697f46024b4e558a0ff6349852

C:\Users\Admin\AppData\Local\Temp\_MEI1922\api-ms-win-core-errorhandling-l1-1-0.dll

MD5 eb0978a9213e7f6fdd63b2967f02d999
SHA1 9833f4134f7ac4766991c918aece900acfbf969f
SHA256 ab25a1fe836fc68bcb199f1fe565c27d26af0c390a38da158e0d8815efe1103e
SHA512 6f268148f959693ee213db7d3db136b8e3ad1f80267d8cbd7d5429c021adaccc9c14424c09d527e181b9c9b5ea41765aff568b9630e4eb83bfc532e56dfe5b63

C:\Users\Admin\AppData\Local\Temp\_MEI1922\api-ms-win-core-debug-l1-1-0.dll

MD5 33bbece432f8da57f17bf2e396ebaa58
SHA1 890df2dddfdf3eeccc698312d32407f3e2ec7eb1
SHA256 7cf0944901f7f7e0d0b9ad62753fc2fe380461b1cce8cdc7e9c9867c980e3b0e
SHA512 619b684e83546d97fc1d1bc7181ad09c083e880629726ee3af138a9e4791a6dcf675a8df65dc20edbe6465b5f4eac92a64265df37e53a5f34f6be93a5c2a7ae5

C:\Users\Admin\AppData\Local\Temp\_MEI1922\api-ms-win-core-datetime-l1-1-0.dll

MD5 cfe0c1dfde224ea5fed9bd5ff778a6e0
SHA1 5150e7edd1293e29d2e4d6bb68067374b8a07ce6
SHA256 0d0f80cbf476af5b1c9fd3775e086ed0dfdb510cd0cc208ec1ccb04572396e3e
SHA512 b0e02e1f19cfa7de3693d4d63e404bdb9d15527ac85a6d492db1128bb695bffd11bec33d32f317a7615cb9a820cd14f9f8b182469d65af2430ffcdbad4bd7000

C:\Users\Admin\AppData\Local\Temp\_MEI1922\api-ms-win-core-console-l1-1-0.dll

MD5 e8b9d74bfd1f6d1cc1d99b24f44da796
SHA1 a312cfc6a7ed7bf1b786e5b3fd842a7eeb683452
SHA256 b1b3fd40ab437a43c8db4994ccffc7f88000cc8bb6e34a2bcbff8e2464930c59
SHA512 b74d9b12b69db81a96fc5a001fd88c1e62ee8299ba435e242c5cb2ce446740ed3d8a623e1924c2bc07bfd9aef7b2577c9ec8264e53e5be625f4379119bafcc27

memory/1824-157-0x00007FFBD5140000-0x00007FFBD516E000-memory.dmp

memory/1824-158-0x00007FFBC5E30000-0x00007FFBC6418000-memory.dmp

memory/1824-159-0x00007FFBC5BF0000-0x00007FFBC5CA8000-memory.dmp

memory/1824-162-0x00007FFBD5540000-0x00007FFBD5564000-memory.dmp

memory/1824-161-0x00007FFBC5870000-0x00007FFBC5BE5000-memory.dmp

memory/1824-160-0x000002A31BA30000-0x000002A31BDA5000-memory.dmp

memory/1824-165-0x00007FFBD47A0000-0x00007FFBD47B4000-memory.dmp

memory/1824-164-0x00007FFBD47C0000-0x00007FFBD47D4000-memory.dmp

memory/1824-163-0x00007FFBD4B80000-0x00007FFBD4B95000-memory.dmp

memory/1824-172-0x00007FFBCBBC0000-0x00007FFBCBBDE000-memory.dmp

memory/1824-176-0x00007FFBD2EC0000-0x00007FFBD2ED7000-memory.dmp

memory/1824-175-0x00007FFBD47E0000-0x00007FFBD47F2000-memory.dmp

memory/1824-174-0x00007FFBD58B0000-0x00007FFBD58C9000-memory.dmp

memory/1824-173-0x00007FFBC4DF0000-0x00007FFBC5591000-memory.dmp

memory/1824-177-0x00007FFBCBAE0000-0x00007FFBCBB16000-memory.dmp

memory/1824-171-0x00007FFBD52A0000-0x00007FFBD52AA000-memory.dmp

memory/1824-170-0x00007FFBCC2B0000-0x00007FFBCC2C1000-memory.dmp

memory/1824-169-0x00007FFBCC2D0000-0x00007FFBCC31D000-memory.dmp

memory/1824-168-0x00007FFBCCD40000-0x00007FFBCCD59000-memory.dmp

memory/1824-167-0x00007FFBCFCB0000-0x00007FFBCFCD2000-memory.dmp

memory/1824-166-0x00007FFBC55A0000-0x00007FFBC56BC000-memory.dmp

memory/1824-225-0x00007FFBD5170000-0x00007FFBD5193000-memory.dmp

memory/1824-226-0x00007FFBD4790000-0x00007FFBD479D000-memory.dmp

memory/2104-229-0x0000027CBD900000-0x0000027CBD922000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3jqsltoi.nbe.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1824-243-0x00007FFBC5CB0000-0x00007FFBC5E23000-memory.dmp

memory/1824-244-0x00007FFBD5140000-0x00007FFBD516E000-memory.dmp

memory/1824-245-0x000002A31BA30000-0x000002A31BDA5000-memory.dmp

memory/1824-246-0x00007FFBC5BF0000-0x00007FFBC5CA8000-memory.dmp

memory/1824-247-0x00007FFBC5870000-0x00007FFBC5BE5000-memory.dmp

memory/1824-248-0x00007FFBD4B80000-0x00007FFBD4B95000-memory.dmp

memory/1824-251-0x00007FFBCC2D0000-0x00007FFBCC31D000-memory.dmp

memory/1824-250-0x00007FFBCCD40000-0x00007FFBCCD59000-memory.dmp

memory/1824-249-0x00007FFBCFCB0000-0x00007FFBCFCD2000-memory.dmp

memory/1824-252-0x00007FFBC4DF0000-0x00007FFBC5591000-memory.dmp

memory/1824-281-0x00007FFBD2EC0000-0x00007FFBD2ED7000-memory.dmp

memory/1824-280-0x00007FFBD47E0000-0x00007FFBD47F2000-memory.dmp

memory/1824-278-0x00007FFBCBAE0000-0x00007FFBCBB16000-memory.dmp

memory/1824-253-0x00007FFBC5E30000-0x00007FFBC6418000-memory.dmp

memory/1824-254-0x00007FFBD5540000-0x00007FFBD5564000-memory.dmp

memory/1824-317-0x00007FFBD4B80000-0x00007FFBD4B95000-memory.dmp

memory/1824-324-0x00007FFBCCD40000-0x00007FFBCCD59000-memory.dmp

memory/1824-322-0x00007FFBCFCB0000-0x00007FFBCFCD2000-memory.dmp

memory/1824-316-0x00007FFBC5870000-0x00007FFBC5BE5000-memory.dmp

memory/1824-315-0x00007FFBC5BF0000-0x00007FFBC5CA8000-memory.dmp

memory/1824-314-0x00007FFBD5140000-0x00007FFBD516E000-memory.dmp

memory/1824-305-0x00007FFBC5E30000-0x00007FFBC6418000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\BlockPop.xlsx

MD5 e109c0741f67697b59720aa5ae564de3
SHA1 dfda58e64f860e6a8252ba1acb2f326348368cd6
SHA256 02fa3d790052635acc9460bf2bf88e145843ec2f51c65144a524bcf4447fb477
SHA512 eeb14eac933cfc8ca7e966431d1814730fcd2d18c62118a6f0f47971fe346be0837de83448a966dd9e5d87f9f0c0a7004986ce58e6f559aee50b900bbcf91eb9

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\PopInitialize.jpeg

MD5 e1b447d5c6ed339a69992ab0bec09730
SHA1 e6e103f3be319390bce9c1bef6dabb774655ca19
SHA256 16192351f1c1bfd18e7b1df0fbfcfe70dac9125e03d536de37aae222affe5d9c
SHA512 2374b716fff6a3a1d5a5686474ac11fdc865cdc1853edf478f474decce7fa2bbb7f3285871f2a21cf1f0c961eaeddf1ecc7d1b5486141c8c92b1f5f22eda97c8

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\UndoWatch.mp3

MD5 1a0db5f9a058fd453166743b135b85e4
SHA1 9303e4bb7011b8621725937285444cb87551d574
SHA256 e12a66a7491d6d1441291b6723db563f252f6e0c3687dc6d0bbb3b67b0a3ebdf
SHA512 8900707cdd8d3c5f8c4cabad1830c72d34318084485a9869e521988dce5679ab8f9722bfdfb82e501536c148c70072a8b06224e492deb5f91ae24cbee84006ee

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\RemoveMerge.docx

MD5 61e96170b55cb9f826fd9d1b68ddc6ac
SHA1 43f310836d62669ce9dfbeb057336da1b1ed9acc
SHA256 af8f9251f98161ee5e724038b41e71e6858f51edd2c772a84bb37a49f6e0a3a3
SHA512 56c1faaa9ddb33d5a63ee3cb0a17062cf3c991f8078b0a3a2c7701e9cd72a2052d4eff28b1243e267c852f9b036ba8af74eb10af0feb7f42da255dc72bdce92d

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\InstallRevoke.xlsx

MD5 8b0ba480586b3ac80389493f8848d469
SHA1 735f9e19c7fef89cf5876afc20a3e5ce8a8522a7
SHA256 ebe7db0abea9574b159264f8524799445842ac8638d2f38da885f4c97b0c41d9
SHA512 71071480b30b4e8434204e4afa3f087bc8ee80e54e904b710d4b4980da58b8d12c566c68a610d030afff40b77a7a245e59288e870d8a1032d5498391a95e877e

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\BlockFormat.xlsx

MD5 85c0d47ee7eb2542cc5f98c5c3468840
SHA1 974c41513cdecdbab2f798811337083dc6d59413
SHA256 cf37508ba948dba8cd60728dab68b668dcd2e6e5a65de5f0d7ba0bdff0cb0fc2
SHA512 0cc492d1221c27b9d56457a4a573a7d7d192ebfc373242fc1f2e24c4449c9f03a8d4a64f1e7e19fa1cf86a8aee5e36210fc4aaf199f26a063339e59fd5deb6af

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\ResizeRestore.docx

MD5 0fd192359ce2d90102e3fdf9a0ce019f
SHA1 6f8740a6f3b926eb33aa898f7b956d78ad076ced
SHA256 778914e052cc5ae5df64853f0d2dae6f17a4150b960a7b1a6f740d7db520fd63
SHA512 bd58cfcc84fb16e9a0c2bc4d8b15f41590285870a23528c32a7e583c712fcadc8e1eb92a5f8ce67b3b76e0f3b02a5c73da78e1f8a656d17740ce86e94dbf1d0e

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\RequestClear.xlsx

MD5 5de39c927e2dc72d76f80c8405afefa7
SHA1 d1838861f03009738610b9871671c515b30bd22b
SHA256 00b4c309251dd18eb4fe7ea9edca42bf1329c3af549a478b97a2e816923e3b04
SHA512 a9888822387b6bc402bf129dd0ba923b34267d8eee14ead09cbbffbc0f3f311759cbd5877e6ea4513d4005ff3b0b98bc25aa0f7a05af6f911de68f4bfd39c284

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\RegisterUnregister.txt

MD5 bd7d2dcfd1ff9d55f115572aa98f9c94
SHA1 eef2c4ca9ad33ac3fa9d2c0a43edcedb86218469
SHA256 6dd6c2d17a4e79939a8291ee88ce1111aea22efaafd897139a497e79d566eee0
SHA512 761e345afc23becd9cf834405ebf282a05c120217c9d026c7a0b2c4d67c5ed3e684e221163a43c7069e0941daa8c9e0150c628b95c887ba0035bec5b40698a51

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\MeasureEdit.docx

MD5 e3e8752e23dcab3bc572f5f1eace242a
SHA1 07311f8b370cb29521fad52efedeff605a8f2016
SHA256 07c25c51e9fa642a13557543081a260e12f82de483c215afdfe0c985edbfe42c
SHA512 689d5370748b1b2d8663e725268f305b844339ceb27a96f6cf425ce8f2b0da923326204300d853a9d4c0eb118dd240208f170bfacf15b1d2d8defd81aa7a2325

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\UpdateRedo.docx

MD5 1dddc649d543dddc41fe9e4ed4f1b6d0
SHA1 907d2db5f403882fcaa290bd66bbeb0443879625
SHA256 fb51ea6985199638d5224797cfe4ee0dd12db5352f68e597fe3cf552cf6e3cab
SHA512 c9fd315f33ecf140672a23d7eeb311a3537111281a9d381015a09e7083df20f622ae2ccbb9e767a1b35320600dba6dfd8d88ffad0a13df0a1ccb4788b84ddce0

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Music\BackupLock.lnk

MD5 6ac7d534cd9430463c6317bdb5b6508d
SHA1 cb3c16016b84c894e631bfd2eca6ee4713826600
SHA256 f7d5da74eec9e9704f3629a152272cad5011d95ebcffef4a60c80d67b84481ab
SHA512 54c9a51144542e96f8aeb597792655f4f923f8da4bb30bc2514439f22230160d9b1215e3902300e8afba13d59bd5fd750cbb95f828c0ca6d5e38b6a06e9fb486

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\SyncWatch.xlsx

MD5 064ab4326071b127bff3378189e46757
SHA1 a81ea66ce53be2bed556adc59952db43bee544d2
SHA256 88973e3375ec0aa2495ec488747fd0734b0f9e44def320d03fe66b7ae077997b
SHA512 1c753f928d993a333e1e234697693edc45ea5f21b77fb34600a96ad6a622e158d264b1dd6f0fda08f803f6ebc325bddcebe0598a99505b038a72b095f7127966

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Music\SendRepair.zip

MD5 a3e78a53d80364efabd969532778d012
SHA1 eb43e040634b28ac407b3e03ce3d9ededdb231da
SHA256 4a8eb0d3b70a74026d1ba587cc24382af1a7a930f8a3e1c1b5e52de3259bc5b2
SHA512 2fac3a666617b6cfc0a2b76ff30bb1515fd1b3350ba34ee3c91ce10e93df5755d46f20f64611e510db0e9fc164dd6bd65ec4caf04c1881dcf3d8c2e7158e67c9

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Pictures\AssertEnter.jpeg

MD5 ad14313665d7efdbcc65127d059c11a7
SHA1 68ba44b4858d755b7259a1c3ea5834a2cfd75a1c
SHA256 c2035bccf30d8cd4e8cea7017854ba1d84c9a02470e577501629b2817409b391
SHA512 b1f46bb1e715415f95eff43d9279f2e5432f2b5019c4808929a6de6f728c7f1952bf8666ceacd251779cd59b82bd501b87b1c79e52ed4959e4fe2495a2c07cc2

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Pictures\My Wallpaper.jpg

MD5 a51464e41d75b2aa2b00ca31ea2ce7eb
SHA1 5b94362ac6a23c5aba706e8bfd11a5d8bab6097d
SHA256 16d5506b6663085b1acd80644ffa5363c158e390da67ed31298b85ddf0ad353f
SHA512 b2a09d52c211e7100e3e68d88c13394c64f23bf2ec3ca25b109ffb1e1a96a054f0e0d25d2f2a0c2145616eabc88c51d63023cef5faa7b49129d020f67ab0b1ff

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Pictures\MoveRevoke.png

MD5 ba9fc6a0a401b8c780abef9967821b99
SHA1 b661f384ad57e5309e51b3919b9f479de521845b
SHA256 57d32cd8e86c5c6545f1510e21f62dc4b6a025e0ff1b439b57d03dcea59265f1
SHA512 7fd2520e363e6357d7d699d4ea07feaa9b7be0177ac569a45e7b5ee26a504aadec311d8bca2728dc8c4b7172a56fe58c578a37de5f469a43fb179d1c10db4783

memory/816-447-0x00007FFBC3E10000-0x00007FFBC3E44000-memory.dmp

memory/816-446-0x00007FF6BCD70000-0x00007FF6BCE68000-memory.dmp

memory/816-448-0x00007FFBC3B50000-0x00007FFBC3E06000-memory.dmp

memory/816-449-0x00007FFBC0EB0000-0x00007FFBC1F60000-memory.dmp

memory/1824-469-0x00007FFBC5E30000-0x00007FFBC6418000-memory.dmp

memory/1824-496-0x00007FFBC5870000-0x00007FFBC5BE5000-memory.dmp

memory/1824-504-0x00007FFBC5CB0000-0x00007FFBC5E23000-memory.dmp

memory/1824-517-0x00007FFBCBBC0000-0x00007FFBCBBDE000-memory.dmp

memory/1824-521-0x00007FFBD4790000-0x00007FFBD479D000-memory.dmp

memory/1824-520-0x00007FFBCBAE0000-0x00007FFBCBB16000-memory.dmp

memory/1824-519-0x00007FFBC55A0000-0x00007FFBC56BC000-memory.dmp

memory/1824-518-0x00007FFBC4DF0000-0x00007FFBC5591000-memory.dmp

memory/1824-516-0x00007FFBD52A0000-0x00007FFBD52AA000-memory.dmp

memory/1824-515-0x00007FFBCC2B0000-0x00007FFBCC2C1000-memory.dmp

memory/1824-514-0x00007FFBCC2D0000-0x00007FFBCC31D000-memory.dmp

memory/1824-513-0x00007FFBCCD40000-0x00007FFBCCD59000-memory.dmp

memory/1824-512-0x00007FFBCFCB0000-0x00007FFBCFCD2000-memory.dmp

memory/1824-511-0x00007FFBD2EC0000-0x00007FFBD2ED7000-memory.dmp

memory/1824-510-0x00007FFBD47A0000-0x00007FFBD47B4000-memory.dmp

memory/1824-509-0x00007FFBD47C0000-0x00007FFBD47D4000-memory.dmp

memory/1824-508-0x00007FFBD4B80000-0x00007FFBD4B95000-memory.dmp

memory/1824-507-0x00007FFBD47E0000-0x00007FFBD47F2000-memory.dmp

memory/1824-506-0x00007FFBC5BF0000-0x00007FFBC5CA8000-memory.dmp

memory/1824-505-0x00007FFBD5140000-0x00007FFBD516E000-memory.dmp

memory/1824-503-0x00007FFBD5170000-0x00007FFBD5193000-memory.dmp

memory/1824-502-0x00007FFBD51A0000-0x00007FFBD51CD000-memory.dmp

memory/1824-501-0x00007FFBD51D0000-0x00007FFBD51E9000-memory.dmp

memory/1824-500-0x00007FFBDDC10000-0x00007FFBDDC1D000-memory.dmp

memory/1824-499-0x00007FFBD58B0000-0x00007FFBD58C9000-memory.dmp

memory/1824-498-0x00007FFBDEBC0000-0x00007FFBDEBCF000-memory.dmp

memory/1824-497-0x00007FFBD5540000-0x00007FFBD5564000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\enjqfdim.default-release\datareporting\glean\pending_pings\3f78098a-a1ef-4a59-a7ab-b872c2592ecc

MD5 b32e207bad8a7d438aea14e7d1242812
SHA1 497a57f523d32e2e8f327b88ba8ba3ee4f6c359a
SHA256 dedea83ed3aa528b4fe7cb14080a9420a484ce2567c229c074f851c85e44f8ef
SHA512 9d3f00ead485586936bed7f680754a51e20b2612ace968e3825b0c48e3ccd711ac8774bdfa096f2c72c63a72207c6b94c7b7d4af6d898eee2275c84cadceb353

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\enjqfdim.default-release\datareporting\glean\pending_pings\4d64e4be-effb-4d0f-92d2-1741cb74fadc

MD5 a155a968da1383a0eb7b347192cac740
SHA1 1eee021c835f8ff4fb6f6affcc4d4afb0fa0e603
SHA256 274fb91126a167ef9054457b595011b6bf33b998bc0f3acdfd1c1f425d0b7026
SHA512 f8a15f68082ef1fe6712c28bfa226aa1e6579079dfde45dcc5d9096e7cf9c39cac9cb49d46e18e6e6acf70b5212573eb0d869ce31872ce100dc99dad025597ca

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\enjqfdim.default-release\datareporting\glean\db\data.safe.tmp

MD5 18b59b5fafa4b22362d0a6358605fb31
SHA1 967db2c9e102eb0149ea59f99f8f06bcac2f9260
SHA256 b2e5480d131189ca6cf298c9cf602bcddf6a752869660d5741e1c406f9fec1d4
SHA512 3296fa49f70ba2a0a8c7f1736455170bd6d2a8fbd2e1df9c7f5bd20efb6df16e474710bb0722c69e6b07150d30889df80546aa3aab5e6b9f5e3df31f8289713b

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\enjqfdim.default-release\activity-stream.discovery_stream.json

MD5 3cb5082b56d541f82169dbf0d3c162e8
SHA1 10d9618843742fedae8c09460a966301910d6ec3
SHA256 6d46e44bec83349de8626cddf38eb6afb6193d7d0e154fb855d0bd7261f6f7b9
SHA512 8331fb1d36bbe48496e9e159476ac23692725ce7a35212bb77fc6a15443bf0df5ccfcbb40418aff00aa8c9ebb6d3141e8ad1c3d11760d7704db500308a77ca76

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\enjqfdim.default-release\datareporting\glean\db\data.safe.tmp

MD5 216569920b1b72c8cf54797f20d23241
SHA1 18d2327a223718a2610fe2c986ee324f1cacae47
SHA256 cdc8f2bbdc793d3df8530c6cd81c9b4a5c296ca4c15bd0c74ca4c404ae1e2cbc
SHA512 2f0912dc84cc3f2f586cf1d27f3626907a52da3930720a4fa9f298e94c1d5a2d00ead75fc94a77195b5dd1a13beda7c4573d84829871a4690f1aa048b13fc489

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\enjqfdim.default-release\prefs.js

MD5 85cf1f103a0c7f945e29d557b25d2578
SHA1 a0f4ad0566661dc86291966ceb49d55e9d983ed8
SHA256 2ae1d7584d2a7b71b1ce7d02d334548d52206b9d20f2fa3eb536e4f36d7334d2
SHA512 bf2c855490fcbb1478977eb7aab5879d442ff46390bf2b3166326cd3287f3c2e2e2db48d4a155de84736dab6f7df0969991a61e5fdc808c276ac2b0459d1e91d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\enjqfdim.default-release\datareporting\glean\pending_pings\bb36b317-8011-4208-b39f-be73a366441e

MD5 5eb7469f140aaf29666b4468b0d4bb23
SHA1 1ef903fb774038897da7dcbc811d3ce8d13ce76f
SHA256 84a7c76beec410f1ec38a1e2f70f407b51c51cc65d1617a394d95bba1d0bc2c1
SHA512 792454cc1de04c15bd2551ade80640d0085fdedf126e3bf1bc7c9c878ab316fb93a6d5e625e2b49dbaa1a908cd78f67f986866840451c116558338b2a57014fa

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\enjqfdim.default-release\prefs-1.js

MD5 c04cf80131b11eae867fbd0a86b35326
SHA1 09de7fec91781916a1f8ca5c4549ad4e69892adb
SHA256 f4cebfeceb9fc4ba54e8a649d7239c343e6be928a74cca6781670c4390cdca7c
SHA512 a617af3b999b5bc3181b8b2c5b972a64d5f4d04763f5c47db601ece536de5ec9eb73fe6398b096ba6fd7f64477da069782b0c8087c4bfd6288b107ff0b9da162

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\enjqfdim.default-release\sessionCheckpoints.json

MD5 e6c20f53d6714067f2b49d0e9ba8030e
SHA1 f516dc1084cdd8302b3e7f7167b905e603b6f04f
SHA256 50a670fb78ff2712aae2c16d9499e01c15fddf24e229330d02a69b0527a38092
SHA512 462415b8295c1cdcac0a7cb16bb8a027ef36ae2ce0b061071074ac3209332a7eae71de843af4b96bbbd6158ca8fd5c18147bf9a79b8a7768a9a35edce8b784bf

C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.bak

MD5 7050d5ae8acfbe560fa11073fef8185d
SHA1 5bc38e77ff06785fe0aec5a345c4ccd15752560e
SHA256 cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
SHA512 a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

MD5 0715d82a3387aa3bb5e5c673882a01c0
SHA1 aa243ee94a0fd91d73130897227085ebd91c4900
SHA256 d56989fd5608250743410bec9a7b629ad4760371b53f2a84cd3ff7cb330dbbc8
SHA512 b73e047427f8cff2e49ef6007e5db749d4024fbef08d6550c6596743f589013712997427d02b2b4a321baca9e9c315a5fd61dd4ca6f8fccc0ede8b05e808753c

C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.jfm

MD5 fe3ba87843946e149f9bd3f1810acfaf
SHA1 dede1a628b38a925399c5e15eab7a7c8e084a118
SHA256 ab76565058a4d5acfa0464782a7ada6f05bea94ad30475b7be947c0906e57422
SHA512 723c6cd7657a4b2e71374521751d76b2b8e3153bf2b4ed3acf6491f87ec3ab8b9347623f8f84d3313197364fc6b6114fb4598a956d5ef0b08774f1f7ddf888f9

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\74d7f43c1561fc1e.customDestinations-ms

MD5 afb9982784cb1735c227348023c24f9e
SHA1 a070b4fd0be3ac65e0c8c6ef39fd9eecf5ce837a
SHA256 47c1edb9ce57c25cddb0d3c0e657b111254553d5ff8360c752ba05d31a4ce344
SHA512 72f012d6f6f4dd0037bc5fb16aa86300866a19b06d663e24bdbcc97bd89ab2fa7ee7c770290e31320466683cd36cfe2d49ba183d3d3c2889e5506ca430fdbbba

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\74d7f43c1561fc1e.customDestinations-ms

MD5 1ba78c4f57c90c132bec8dd0850358b5
SHA1 8b37d552a50dc65da460ac47b4b749a506a9c983
SHA256 25e6204f5619dbf4c311c88bee8aed881563f366adee051342412a49954da7b1
SHA512 99ba71157cb801364b5a44edf6687c7135b1352d87ae7221c42ffe8c04b15c8a4d29d3f604759fcb1b4d28ed5111f7e5bb47a21f467619a54fd1ef67a6e58c61