Malware Analysis Report

2025-01-03 03:00

Sample ID 241123-mffepszjbk
Target 1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe
SHA256 1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79
Tags
babadeda cryptbot crypter discovery loader spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Threat Level: Known bad

The file 1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe was found to be: Known bad.

Malicious Activity Summary

Babadeda

CryptBot

Babadeda family

Babadeda Crypter

Cryptbot family

Loads dropped DLL

Executes dropped EXE

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Enumerates connected drives

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Delays execution with timeout.exe

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-23 10:24

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-23 10:24

Reported

2024-11-23 10:26

Platform

win7-20241010-en

Max time kernel

119s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe"

Signatures

Babadeda

loader crypter babadeda

Babadeda Crypter

Description Indicator Process Target
N/A N/A N/A N/A

Babadeda family

babadeda

CryptBot

spyware stealer cryptbot

Cryptbot family

cryptbot

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer\nugcenter.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\﮴7㱴睿㲣睿丳磌ˀļƔ> C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer\nugcenter.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Installer\f777ef0.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8318.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f777ef3.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f777ef0.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8037.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8151.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI821D.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8403.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8EAE.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f777ef3.ipi C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer\nugcenter.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer\nugcenter.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer\nugcenter.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2892 wrote to memory of 2432 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2892 wrote to memory of 2432 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2892 wrote to memory of 2432 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2892 wrote to memory of 2432 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2892 wrote to memory of 2432 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2892 wrote to memory of 2432 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2892 wrote to memory of 2432 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2736 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe C:\Windows\SysWOW64\msiexec.exe
PID 2736 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe C:\Windows\SysWOW64\msiexec.exe
PID 2736 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe C:\Windows\SysWOW64\msiexec.exe
PID 2736 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe C:\Windows\SysWOW64\msiexec.exe
PID 2736 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe C:\Windows\SysWOW64\msiexec.exe
PID 2736 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe C:\Windows\SysWOW64\msiexec.exe
PID 2736 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe C:\Windows\SysWOW64\msiexec.exe
PID 2892 wrote to memory of 2644 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2892 wrote to memory of 2644 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2892 wrote to memory of 2644 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2892 wrote to memory of 2644 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2892 wrote to memory of 2644 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2892 wrote to memory of 2644 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2892 wrote to memory of 2644 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2892 wrote to memory of 1456 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer\nugcenter.exe
PID 2892 wrote to memory of 1456 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer\nugcenter.exe
PID 2892 wrote to memory of 1456 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer\nugcenter.exe
PID 2892 wrote to memory of 1456 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer\nugcenter.exe
PID 1456 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer\nugcenter.exe C:\Windows\SysWOW64\cmd.exe
PID 1456 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer\nugcenter.exe C:\Windows\SysWOW64\cmd.exe
PID 1456 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer\nugcenter.exe C:\Windows\SysWOW64\cmd.exe
PID 1456 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer\nugcenter.exe C:\Windows\SysWOW64\cmd.exe
PID 2264 wrote to memory of 1548 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2264 wrote to memory of 1548 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2264 wrote to memory of 1548 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2264 wrote to memory of 1548 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe

"C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 3371B28117B18EB6462DBBD4DB81C9C9 C

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\adv1.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1732097969 " AI_EUIMSI=""

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 718251F427BA0004D9D9DFDED0B12920

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer\nugcenter.exe

"C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer\nugcenter.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\XuYnHTIxKtPZ & timeout 4 & del /f /q "C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer\nugcenter.exe"

C:\Windows\SysWOW64\timeout.exe

timeout 4

Network

N/A

Files

\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\decoder.dll

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\adv1.msi

C:\Users\Admin\AppData\Local\Temp\MSI7A2F.tmp

C:\Users\Admin\AppData\Local\Temp\MSI7BF4.tmp

C:\Windows\Installer\MSI8403.tmp

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\icuuc60.dll

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\nugcenter.exe

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\il

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\plugin_core.dll

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\skin_draw.dll

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\clock_common.dll

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\Qt5TextToSpeech.dll

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\libEGL.dll

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\Interop.IWshRuntimeLibrary.dll

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\LICENSE.txt

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\postinstall_readme.txt

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\README.txt

MD5 7539e219a0d2331524b97605c4fe641d
SHA1 718d7c209915ff4944a81ef38701542d63ea30e2
SHA256 3f169438204953468391d382ca1813c54a0301b733c59bef9178c2d55e9e7e0b
SHA512 c8886ba4445e612bedb7c9f8b8b7044c016ea45ad5f80b1a9082707a2b7c5334bfe6b7ac8df4c2f603d0bfd1dbb727691d65e3a6c14acc78104b869c9bb97dca

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\CHANGES.txt

MD5 109e9d23496dc406050f895409be2531
SHA1 5a8659d65025b121c2a16d80d3d55cd9c3a5a7ef
SHA256 b58477a045a7411ff95ca8b1e055801d5d10055e2de52e1a94397919a09d82c2
SHA512 548fa0ec3b1a4056440867e7b7fd7374ab9d08e0156121ef7e1f7c57ae97a58b5c357cdd69ebd18df80ca4078fb595cddebda245b317213b140cac5069ab7058

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\Mono.Cecil.Mdb.dll

MD5 a269c436d17634aecf2ac0e95c44728c
SHA1 3dae54046aa5edbcf58ff38acc1d12682e3442b5
SHA256 f02a2d8154ef002863702d6513c6773ebbb83e520834c2ac8e38c6a7f0174e27
SHA512 bbd1740bce3d1eecccaa560696cc5b0999a1e00c3d6747f3bb93ab44a5f9a2186f01048fa69e173b89c40b98bddf13c4de92564b13c0ec36eb96b69ec65dc157

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\TurboJpegWrapper.dll

MD5 f5639d78d8c860df0176b1499695e8b3
SHA1 a70f699d75903ca2ae31098f4687add23245804d
SHA256 9c8de413bf48e680ded9db3b3a4c7773642b9d6c76973ae95d40eb0cba31d4e2
SHA512 2098dd214db72b7f9b70c58cd1fcb53dd4982e441c19b3571941f9026e0dde0ae9005bb084ecb2f21ee2e24776fc95d60cb50b11fc536a68ad153efc1dc8ef0c

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\COPYING.txt

MD5 3c34afdc3adf82d2448f12715a255122
SHA1 7713a1753ce88f2c7e6b054ecc8e4c786df76300
SHA256 0b383d5a63da644f628d99c33976ea6487ed89aaa59f0b3257992deac1171e6b
SHA512 4937848b94f5b50ea16c51f9e98fdcd3953aca63d63ca3bb05d8a62c107e382b71c496838d130ae504a52032398630b957acaea6c48032081a6366d27cba5ea9

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\AForge.Video.dll

MD5 0bd34aa29c7ea4181900797395a6da78
SHA1 ddffdcef29daddc36ca7d8ae2c8e01c1c8bb23a8
SHA256 bafa6ed04ca2782270074127a0498dde022c2a9f4096c6bb2b8e3c08bb3d404d
SHA512 a3734660c0aba1c2b27ab55f9e578371b56c82754a3b7cfd01e68c88967c8dada8d202260220831f1d1039a5a35bd1a67624398e689702481ac056d1c1ddcdb0

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\AForge.dll

MD5 02c63f568e598aad85dd401d7b26e82a
SHA1 2da9ec7612835e1f69d4a93aa2d49ec9bdff7f7c
SHA256 966a474060a8aca70c73ba09d0b6fe2353035961c7107b9003ef879c010ff8da
SHA512 da9bff86be8fa890dda80a35ee6c851aa655f087f81804a23c73f8c586b7e13ac5a643e0a516a35787cd97b392aec16bfb95210080e4e53e6144fec9316acdb1

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\fonts\fonts.conf

MD5 4291285924e90d1a1fcf1ddfc51adad3
SHA1 74f2d9b2f9665a1ff083701456a0fbfe351f855a
SHA256 68011bc3741ebcea48f08ff2aed8519762a946f3e0fb9c224b1d3810ebf5bf4b
SHA512 80b570051324f0987f388b78f2b2b2a50df2ece82eb6c003ed4ab5fc1456789fdb4a616c3be760580d30f48aef656eb3604cbd0a7808c49f03b347f2d4388cee

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\pango\pango.modules

MD5 7a7327019610dfb25d5fafb2d2b0f3ab
SHA1 812af1f65174c63c4a90dd72d29d6e1180075a6e
SHA256 cab115828e04766fbf8e20b5ca6e5632e089f407b338832081d8b42f62fea38a
SHA512 9d7d7fd408d0e0cbe8df24cf1184aa9c24f41dc94d98e7262d04e617b7252381e6845b9e2724557246af8696a5e0cb99f1d15b3889aebd7887fac99e68b79849

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\pixmaps\black.png

MD5 a875753fd4e92edad63f5d8b9a79426b
SHA1 241b7f8bc325993b8044498ec4a6c03d576c6b48
SHA256 d09f2e254540dc26a948cf49ac09de2ffea210ad9d8fb77ab7a943ce938b5570
SHA512 b04ee55b20c42a36e6125ef883161eaae11a990a99042b7fefccf0433455e35c621b8f10587a6292adc0f71ccf9a896c0264c8607614196d311de86b28c338dc

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\pixmaps\blue.png

MD5 b8ea81eb3944bd027399ca0fcb30352c
SHA1 7cc576da81018985c254d717f5b5d1df92501676
SHA256 bc0824b76bf4a3340f9314795d6d7bb91d768ccde49ce559a409db35d79c7a31
SHA512 7ac010c47be59bda5c805101f482e5c5ec2a4246685985a2452a0fcb368bcedfabf0e1a45d195049c8c45088242bd5d63aa62d2187d839be92e3f7b028f4069b

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\pixmaps\default-pen.png

MD5 c4955d57acd2624a50c575f6caa260b5
SHA1 4628d5e10edbe3756f663dde3fdfaf9e3293d9c3
SHA256 e743ec338f096a7169823d00a2d84ff60f8f88e85fc4ceb4f056335256e29636
SHA512 296bbdcc4dce24281240c798719cd819b8a2d0e0f2a3dc862adfba7dc9c8e1d1055cb01fc422ae8cd683d88b4ba5256b90b84248d290adb04f57172f5c04dcd1

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\pixmaps\eraser.png

MD5 965f4596779c9396a0d16ab2d81a81dc
SHA1 1eb33e421405af7a7fdbb8f5866b75ccd0faaf5b
SHA256 8b38c37c750492f3984c64e9f0ac8ba5832b2b29800b945f43f1ade9ddcd2f1b
SHA512 beb7ade2bff13258f337bc42c7dcd55629330270e28e01449f30b2f9eb5a184f5c6b3547d4ab22748c8790ce162b22692b23c5b9430fa1b103172fe9ecc8eec4

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\pixmaps\fullscreen.png

MD5 04caf9e7479493621e6962147e092540
SHA1 5de82e54ea9b1fc4998103931646f254d507b472
SHA256 f44df404099bd1c100bc9dcb678b717374ea854ea031a1c128391a087c6eb7ab
SHA512 30b9bf1d7178555a1edea44a1bf93e87863f83bac8d545860477207c8463b01323306288eb4cadd086d1bd1f0990596d1c78eee34a834e63f3a9a3c6d799b404

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\pixmaps\gray.png

MD5 c89a78efc324ac45ab7f3e4d945ef35b
SHA1 fdfdf1971f8094b6b4ee86754ad72566766614ea
SHA256 42645af572363377e59ba2628987d439b6ec124d86026e7e8991ed9ba269d402
SHA512 1378aa65ea69ee55acf5b90952323aa50c6f5353c00df0a81c6fc26e98f376b2b8badc6993bccb81cf463570781a9ea53366f2de5ac05bf3a18c576a22f42a5d

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\pixmaps\green.png

MD5 307c26bd60cd59634672c8b139921428
SHA1 7ce1006156580c340f75c2514e60734b55b18cd0
SHA256 5507b254b0eb434dc49c85f5d1bff54bf427f7419636dace91ed2c583db84b8c
SHA512 96fea9bf2b9c2ea3a6a1be7556f28f12ddea77a5490af57d3d2ca7334861f92a7ed43ee53093e5fee9c65c66cd16caf51437a01e5b76b0176565b1bb581251b5

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\pixmaps\hand.png

MD5 5477c6f1b114884d907cd215adde9e84
SHA1 5fc527a9e978c506a6971ba628bdb5f4f147b459
SHA256 06d42e7dd5e554cfc3075d3222234633b15811786ca69a732f0b369632b02292
SHA512 5abf754e51ce74280000bd6a567b64ba339b396fb9315ed79acfa98331f754c45587325a17a0f9b36a532880502dba2b28cdf2eaf53658732c84a7ecd07bb0cd

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\pixmaps\highlighter.png

MD5 9145636a155628aa5b08f50d241b5162
SHA1 9c58534e13496d4979e9c7baa1d8d2eeb85e450e
SHA256 e4dba621d326a8faf3639c102b82909737d26e176bf4a95fd7dcc901bce715bd
SHA512 7b2949a005a063abc68fd6aed7be8f69f369d73075bd75dd89bc2f2fa66c20b2976dc7f079bbb9ba165a6582b795f2d99e705f867d53de99084e59028ee4fb84

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\pixmaps\lasso.png

MD5 9b8bd91306bf3a0f15b9a1ad41d81eb1
SHA1 59c0690f6740edde06b7263f4da7ec64a7fc38b3
SHA256 1eb68b3a86580821bb6500df0d5b5d2ba4df33dbe50b4e6b3f5de5b452b8cf80
SHA512 f751c47abbe210877dfc5101c0a4a4c7d392c5a5885c344904ba72b3b55c000508999442d1dfc670f5ba5d491df87a420b87eb88e63194ad8b12107916be6fc5

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\pixmaps\lightblue.png

MD5 9b810e6318fe4d7ccea2370934167157
SHA1 2db4d6f6c38bc26aa27ea2af8901e491f27a2774
SHA256 4fbe3e58c531bb3b7286c28882a0051a39c6381b5a68d2303b9d3f114964e790
SHA512 d8665bd27eb797b017f9b63cc1a558fc612e9beecbc9ba4d69551fe18da335554ab8f0da1d4289c1a9ef5866892f68f7a4dabe7bb88cce18b054053038702945

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\pixmaps\lightgreen.png

MD5 90a9382db46c60f9a3093c33b52dc260
SHA1 7fe3d05123b4547c8dfca90230b908f5a4ebb9e8
SHA256 e9a7a05f3bc1e15cad99814666d53169047294efb41c20a1f28cff6a6a65a15e
SHA512 76ef977dd27aec97722e73b3fcad6633feb16a0317d26b6be72a4406c265b58e6e89e39a87592fa0f2effe6101f435097d210fae4ee2cbfacacb0be49f4ea5e5

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\pixmaps\magenta.png

MD5 c83c2fcc196e434b12c26e6b9c21ab3b
SHA1 8078e6fb3302cb2d54b48d1709429c14926a8f14
SHA256 b3d5848f1b4fea9070ab8ffc0b6e30c81eda6691bc5f16ddd375506e9191101e
SHA512 e49893f19254ba6e451cdfe2e0915615272c18f3fce1d122ed52453051f4231cc8fe9e11bc2a1242e437ff5681065cea960fe06635dfb6b46cc3a9a08084808a

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\pixmaps\medium.png

MD5 4e6ca2356866781fac9205631a107697
SHA1 55a0846403d3dcadefef218772383072e59f2adb
SHA256 13b92c015aee903af3bdeaa3964fdc5891006756da507bcdc491369703fb2d30
SHA512 3c3dc97ca9cd38bd71b977d3401a4a8bdfdf6257c50ef59382ff468881b9ff38f02b0cc97a0eb3f55882cb471e99425b811d3d404d83fad9788ebc79a20b13c1

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\pixmaps\orange.png

MD5 508e1009dc053e2033a9018023b48868
SHA1 02e1e20fa7472df9f21c8d18566ada54ff8c5560
SHA256 e9a1c3ebd4822747a4c83607746d6cc68ac5ed80d7f08ade928dc178f798dd32
SHA512 f43cc7e62dda86b89d9b690465f2307a9f89bdd30231ac5cf0fc21c7ac2daf89e42d0178f08a0951c4c5a957ee37fd20d60ce36d58726d53e2729f530ffbcb54

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\pixmaps\pencil.png

MD5 6b7b424063281d6cb8e2df80cba76791
SHA1 9d8e5d192fab8046e9219aaad20f3ce276817c21
SHA256 7c4849fda63d3763fee76de774edd8f6c77b7ef8261bbcd21891d80c90ce9fbf
SHA512 b679061edd4b6895dc24f2827d4cbae6f9d61862bc69891b2e5de32b8ad00d7de3bc41a4c43903537ae5601251dea59acb61db75bab0e40c4251fb38baf7e964

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\pixmaps\rect-select.png

MD5 a67ac11b8f0eea1e8e27e8b61297e3af
SHA1 2055985d7541c81f98995a440beaecf0142551d7
SHA256 eaf67416c03a312b3eb5c3703b3fbf5f476ac95d22c34a51c1f7cbdb865291dd
SHA512 2e68ff37757aedaf1b905d3703dd4983bad4af340bfd3d413d72ad45f47bf6c4ba516ea8dc7c5536cc8757e52a7a8b613c1d6e09afac6bf7652eb10c1f8bb0c4

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\pixmaps\recycled.png

MD5 7322708be2ae626e52dd7d4e77ffcbfa
SHA1 93a599f563c1ca627eb5d88035281a219945f0a6
SHA256 09d333773e220796de744c07a26f1d47a83f1b4af7ca178a1eeb401f30616ee4
SHA512 bdc06bcb84e67ae248925ddcd66c05f1dbc355b66e57120d2efe640961fa1269bdd2a3737642a95609aece5d7a3699034bb75a2c27efef1a389541c8c5002713

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\pixmaps\red.png

MD5 4429c43e6311344a001bb13e87a1dff1
SHA1 81457c4f184a810fd20cb10a999ba63c847901c4
SHA256 f4fce83ea044803d1937627fa184afd3ee33c950870dfc9e7bf34219b04db890
SHA512 d66f718a00d5bdfc91726fbec2222cf8e08ec7422efae026a2858300223a00ed967a7f4e9f51af99e15b60fd95afdcd2de8ce1cf2927107d3481fd2c8194f515

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\pixmaps\ruler.png

MD5 5d4e0ec1713b88ed37b1f26d8d3a320d
SHA1 a14da950083e432a1d5ac4e65ad883dce631074a
SHA256 c1c3e2fb2eab3817dd9731fefc0f67472a58bfca76aefe682b2340c47e4fcc88
SHA512 451dacc9db2146838190385acf1fd352df391179856c66bfe5afddd1e0dda6f6fd37bd5e94e6f5aea59b60ca9862ad8d927ee1280ae070516c696670c1613221

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\pixmaps\shapes.png

MD5 703e47707419d42fbc7a4988b7fc3718
SHA1 c6c0351539032039297981b6918dbe720b3515dd
SHA256 5314fddb320e575a345a2ba5a922372e086a31ad4baddbd6d4ab30681f2134dc
SHA512 32f751c7fc7cc69646e17b7cae36adff39ff86e60e838fb829208e3a9473dc0c5df18cd48b98464304481b98ab10e7e5dd9ea91b6864d48946c54f91cf8d2fd7

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\pixmaps\stretch.png

MD5 bce2634a256fd6867ab4f14314703dc2
SHA1 2443ff633542f24a3f3a8156f95be17db7caad63
SHA256 34e361bba70c3e6a529168c4da9b993da0acb2340d7d359aa90b3d8e12246fe1
SHA512 64ad0d757b90adb3567416a89cc51811a5a3bb5089a6281d8c782d6bbf0762d2b2464c1ad9986ab9aaee212bf94191eaf25ac74aa81ffb22d949a5600bb892d0

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\pixmaps\text-tool.png

MD5 e3cc1e3c18736f878b9ab29dc394154a
SHA1 6c39034c129cd67daba66d7c5e802305d8785e1a
SHA256 bd3ca6f179a339d9ab9b2b697405b8044da02477e7f3d15061f2f0462f034b35
SHA512 c92f164bce4932008854e9445440eafc7894ddb1a6d3c577a600ccfd632b276e197643b254b3a5dc27dbb908940d77d2d86f5653b15075a160d7ac1c0b78cdc0

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\pixmaps\thick.png

MD5 b0f6c5b9fa3cf9bf30821e843498da65
SHA1 7c63f23b482fda6e69c538274452e97b91f54c0e
SHA256 a8978068717670985253392e3ce16ebc8cbe7174f5c3eaae536cc8d5ff147bd8
SHA512 e415b836b331ee1a997656c2b11ad5c4657bf356d1f7cb6b14c058a5359c8496315b3c6d963b8cbec626266c6031b9e88924485e00cea83aafd3712cf920a9a4

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\pixmaps\thin.png

MD5 84052d7c35de51d8313eb1bae0820cf1
SHA1 5ee2f2d28a7f3cf2a623d290ed1d2dba356cb145
SHA256 37171b854b71ca80640330d677dfb1a91fbe2c0cdc46ecaf8ab04c95b74a5719
SHA512 5f12b94adb92f7e9965ef297aeff78c9afb4e82e3cf7570c5faa59972394f880dd6bbb0afe2705b42c10836095bf1d78c86201b6ca61e18564a0f86d89d10d56

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\pixmaps\white.png

MD5 88c0945ad5267821a7fb8d2ac1867048
SHA1 48ad986c0cae9f77ae43947be027468a81a813ff
SHA256 651228240bc2be9b32549d8f6cd3f665b2207fefdaf5cd5f9cc8e05b0cc678fc
SHA512 a64da3280d8daf60cbfd809da7bd0c0b7a38adc5de1fbf1e47a8123abb3ee8b138ff99e5b7e8ee3e6202a7b07278a0b16064e62f756fd13646239c90fc527b9a

C:\Config.Msi\f777ef4.rbs

MD5 d8ca16f9957bc610f5342442982fb520
SHA1 07f0a77188fb39aeca01ba69a1d708094d105ad7
SHA256 c4c96524dd2f0fc04691d38543a5df36c88f0fb09b776c4413c9995ce8a1558a
SHA512 85a6540e5085c736c5038ee2c3abd063e7ea101a8acea6de83df33844c45b58fd3cd12d0a3cc54c6a53dc2a2c8fe40791bdc38279db789dfab3682299c7fcdb1

memory/1456-215-0x00000000011A0000-0x0000000001416000-memory.dmp

memory/1456-221-0x00000000011A0000-0x0000000001416000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-23 10:24

Reported

2024-11-23 10:26

Platform

win10v2004-20241007-en

Max time kernel

115s

Max time network

117s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe"

Signatures

Babadeda

loader crypter babadeda

Babadeda Crypter

Description Indicator Process Target
N/A N/A N/A N/A

Babadeda family

babadeda

CryptBot

spyware stealer cryptbot

Cryptbot family

cryptbot

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer\nugcenter.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\捘ĥĤ꬘Ĥ C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer\nugcenter.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\MSI7E96.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI7FF1.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8011.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e577e38.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI7F14.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI7F82.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8031.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{A28D9264-E002-4A94-A388-6DD939F4409D} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8449.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e577e38.msi C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer\nugcenter.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer\nugcenter.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer\nugcenter.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4088 wrote to memory of 1540 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4088 wrote to memory of 1540 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4088 wrote to memory of 1540 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 464 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe C:\Windows\SysWOW64\msiexec.exe
PID 464 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe C:\Windows\SysWOW64\msiexec.exe
PID 464 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe C:\Windows\SysWOW64\msiexec.exe
PID 4088 wrote to memory of 5004 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4088 wrote to memory of 5004 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4088 wrote to memory of 5004 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4088 wrote to memory of 2584 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer\nugcenter.exe
PID 4088 wrote to memory of 2584 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer\nugcenter.exe
PID 4088 wrote to memory of 2584 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer\nugcenter.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe

"C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 638512F701EE875BD9170F8EB85F5D43 C

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\adv1.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1732116841 " AI_EUIMSI=""

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 95F48051765DBC551D591292262E4AF6

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer\nugcenter.exe

"C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer\nugcenter.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 70.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 veoimd43.top udp
US 8.8.8.8:53 veoimd43.top udp
US 8.8.8.8:53 veoimd43.top udp
US 8.8.8.8:53 veoimd43.top udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 veoimd43.top udp
US 8.8.8.8:53 veoimd43.top udp
US 8.8.8.8:53 veoimd43.top udp
US 8.8.8.8:53 veoimd43.top udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 veoimd43.top udp
US 8.8.8.8:53 veoimd43.top udp
US 8.8.8.8:53 veoimd43.top udp

Files

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\decoder.dll

MD5 454418ebd68a4e905dc2b9b2e5e1b28c
SHA1 a54cb6a80d9b95451e2224b6d95de809c12c9957
SHA256 73d5f96a6a30bbd42752bffc7f20db61c8422579bf8a53741488be34b73e1409
SHA512 171f85d6f6c44acc90d80ba4e6220d747e1f4ff4c49a6e8121738e8260f4fceb01ff2c97172f8a3b20e40e6f6ed29a0397d0c6e5870a9ebff7b7fb6faf20c647

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\adv1.msi

MD5 a24f6550da192a1c86d26e0c854f62ac
SHA1 c15aad1b470bf4415413cc44ce67a87d711577ba
SHA256 333585539f51f0148f6504355ed637cdcfe705b238843d594c4b83f6f2cca9d5
SHA512 069e833a9817fe3c002b132604c73a0db850f47d1048fc7c971d563ae75539a2dba0c35a693a2c1fe5e64a150c28e26e819cf90e60fcf07b9fae23d2a7d74b61

C:\Users\Admin\AppData\Local\Temp\MSI7BD8.tmp

MD5 3d24a2af1fb93f9960a17d6394484802
SHA1 ee74a6ceea0853c47e12802961a7a8869f7f0d69
SHA256 8d23754e6b8bb933d79861540b50deca42e33ac4c3a6669c99fb368913b66d88
SHA512 f6a19d00896a63debb9ee7cdd71a92c0a3089b6f4c44976b9c30d97fcbaacd74a8d56150be518314fac74dd3ebea2001dc3859b0f3e4e467a01721b29f6227ba

C:\Users\Admin\AppData\Local\Temp\MSI7C75.tmp

MD5 0be6e02d01013e6140e38571a4da2545
SHA1 9149608d60ca5941010e33e01d4fdc7b6c791bea
SHA256 3c5db91ef77b947a0924675fc1ec647d6512287aa891040b6ade3663aa1fd3a3
SHA512 f419a5a95f7440623edb6400f9adbfb9ba987a65f3b47996a8bb374d89ff53e8638357285485142f76758bffcb9520771e38e193d89c82c3a9733ed98ae24fcb

C:\Windows\Installer\MSI8031.tmp

MD5 2a6c81882b2db41f634b48416c8c8450
SHA1 f36f3a30a43d4b6ee4be4ea3760587056428cac6
SHA256 245d57afb74796e0a0b0a68d6a81be407c7617ec6789840a50f080542dace805
SHA512 e9ef1154e856d45c5c37f08cf466a4b10dee6cf71da47dd740f2247a7eb8216524d5b37ff06bb2372c31f6b15c38101c19a1cf7185af12a17083207208c6ccbd

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\icuuc60.dll

MD5 30c5af589e5d07d36843621374b187cf
SHA1 b0ae0e3bf0613bf29111bcf751d83268d2f07e27
SHA256 e56f06482facd06d17d41ebbd799c1aad0fb8a44c08b2a83d7e05f894a41baf4
SHA512 7639476bf93ba2e89ca854cbd4cdbfc09eb179fe364829aac9d9aa95cd12d402e9eeb1636a620421eb9676a102ddb451eb185865723391108e63b5a0f627e9a2

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\nugcenter.exe

MD5 906367f4b07ecd1cd01e228b4b5b39c0
SHA1 a669b5c8d6bc2a48acd90e65ad2422e8bf14048e
SHA256 5004fbe85b883d6cb6592c00746964e7baa0f792be4d666a5f21a82845601d2d
SHA512 a1451396402502bec3a21dde6c12e4018c164b5ea499753835245991e83e1cfd7115023c5acc062d97a42b58b9073ece6bd93630d973a6c95ce8fe12205c874a

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\pixmaps\lightgreen.png

MD5 90a9382db46c60f9a3093c33b52dc260
SHA1 7fe3d05123b4547c8dfca90230b908f5a4ebb9e8
SHA256 e9a7a05f3bc1e15cad99814666d53169047294efb41c20a1f28cff6a6a65a15e
SHA512 76ef977dd27aec97722e73b3fcad6633feb16a0317d26b6be72a4406c265b58e6e89e39a87592fa0f2effe6101f435097d210fae4ee2cbfacacb0be49f4ea5e5

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\pixmaps\lightblue.png

MD5 9b810e6318fe4d7ccea2370934167157
SHA1 2db4d6f6c38bc26aa27ea2af8901e491f27a2774
SHA256 4fbe3e58c531bb3b7286c28882a0051a39c6381b5a68d2303b9d3f114964e790
SHA512 d8665bd27eb797b017f9b63cc1a558fc612e9beecbc9ba4d69551fe18da335554ab8f0da1d4289c1a9ef5866892f68f7a4dabe7bb88cce18b054053038702945

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\pixmaps\highlighter.png

MD5 9145636a155628aa5b08f50d241b5162
SHA1 9c58534e13496d4979e9c7baa1d8d2eeb85e450e
SHA256 e4dba621d326a8faf3639c102b82909737d26e176bf4a95fd7dcc901bce715bd
SHA512 7b2949a005a063abc68fd6aed7be8f69f369d73075bd75dd89bc2f2fa66c20b2976dc7f079bbb9ba165a6582b795f2d99e705f867d53de99084e59028ee4fb84

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\pixmaps\stretch.png

MD5 bce2634a256fd6867ab4f14314703dc2
SHA1 2443ff633542f24a3f3a8156f95be17db7caad63
SHA256 34e361bba70c3e6a529168c4da9b993da0acb2340d7d359aa90b3d8e12246fe1
SHA512 64ad0d757b90adb3567416a89cc51811a5a3bb5089a6281d8c782d6bbf0762d2b2464c1ad9986ab9aaee212bf94191eaf25ac74aa81ffb22d949a5600bb892d0

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\pixmaps\hand.png

MD5 5477c6f1b114884d907cd215adde9e84
SHA1 5fc527a9e978c506a6971ba628bdb5f4f147b459
SHA256 06d42e7dd5e554cfc3075d3222234633b15811786ca69a732f0b369632b02292
SHA512 5abf754e51ce74280000bd6a567b64ba339b396fb9315ed79acfa98331f754c45587325a17a0f9b36a532880502dba2b28cdf2eaf53658732c84a7ecd07bb0cd

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\pixmaps\green.png

MD5 307c26bd60cd59634672c8b139921428
SHA1 7ce1006156580c340f75c2514e60734b55b18cd0
SHA256 5507b254b0eb434dc49c85f5d1bff54bf427f7419636dace91ed2c583db84b8c
SHA512 96fea9bf2b9c2ea3a6a1be7556f28f12ddea77a5490af57d3d2ca7334861f92a7ed43ee53093e5fee9c65c66cd16caf51437a01e5b76b0176565b1bb581251b5

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\pixmaps\recycled.png

MD5 7322708be2ae626e52dd7d4e77ffcbfa
SHA1 93a599f563c1ca627eb5d88035281a219945f0a6
SHA256 09d333773e220796de744c07a26f1d47a83f1b4af7ca178a1eeb401f30616ee4
SHA512 bdc06bcb84e67ae248925ddcd66c05f1dbc355b66e57120d2efe640961fa1269bdd2a3737642a95609aece5d7a3699034bb75a2c27efef1a389541c8c5002713

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\pixmaps\gray.png

MD5 c89a78efc324ac45ab7f3e4d945ef35b
SHA1 fdfdf1971f8094b6b4ee86754ad72566766614ea
SHA256 42645af572363377e59ba2628987d439b6ec124d86026e7e8991ed9ba269d402
SHA512 1378aa65ea69ee55acf5b90952323aa50c6f5353c00df0a81c6fc26e98f376b2b8badc6993bccb81cf463570781a9ea53366f2de5ac05bf3a18c576a22f42a5d

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\pixmaps\fullscreen.png

MD5 04caf9e7479493621e6962147e092540
SHA1 5de82e54ea9b1fc4998103931646f254d507b472
SHA256 f44df404099bd1c100bc9dcb678b717374ea854ea031a1c128391a087c6eb7ab
SHA512 30b9bf1d7178555a1edea44a1bf93e87863f83bac8d545860477207c8463b01323306288eb4cadd086d1bd1f0990596d1c78eee34a834e63f3a9a3c6d799b404

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\pixmaps\white.png

MD5 88c0945ad5267821a7fb8d2ac1867048
SHA1 48ad986c0cae9f77ae43947be027468a81a813ff
SHA256 651228240bc2be9b32549d8f6cd3f665b2207fefdaf5cd5f9cc8e05b0cc678fc
SHA512 a64da3280d8daf60cbfd809da7bd0c0b7a38adc5de1fbf1e47a8123abb3ee8b138ff99e5b7e8ee3e6202a7b07278a0b16064e62f756fd13646239c90fc527b9a

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\pixmaps\eraser.png

MD5 965f4596779c9396a0d16ab2d81a81dc
SHA1 1eb33e421405af7a7fdbb8f5866b75ccd0faaf5b
SHA256 8b38c37c750492f3984c64e9f0ac8ba5832b2b29800b945f43f1ade9ddcd2f1b
SHA512 beb7ade2bff13258f337bc42c7dcd55629330270e28e01449f30b2f9eb5a184f5c6b3547d4ab22748c8790ce162b22692b23c5b9430fa1b103172fe9ecc8eec4

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\pixmaps\default-pen.png

MD5 c4955d57acd2624a50c575f6caa260b5
SHA1 4628d5e10edbe3756f663dde3fdfaf9e3293d9c3
SHA256 e743ec338f096a7169823d00a2d84ff60f8f88e85fc4ceb4f056335256e29636
SHA512 296bbdcc4dce24281240c798719cd819b8a2d0e0f2a3dc862adfba7dc9c8e1d1055cb01fc422ae8cd683d88b4ba5256b90b84248d290adb04f57172f5c04dcd1

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\pixmaps\blue.png

MD5 b8ea81eb3944bd027399ca0fcb30352c
SHA1 7cc576da81018985c254d717f5b5d1df92501676
SHA256 bc0824b76bf4a3340f9314795d6d7bb91d768ccde49ce559a409db35d79c7a31
SHA512 7ac010c47be59bda5c805101f482e5c5ec2a4246685985a2452a0fcb368bcedfabf0e1a45d195049c8c45088242bd5d63aa62d2187d839be92e3f7b028f4069b

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\pixmaps\medium.png

MD5 4e6ca2356866781fac9205631a107697
SHA1 55a0846403d3dcadefef218772383072e59f2adb
SHA256 13b92c015aee903af3bdeaa3964fdc5891006756da507bcdc491369703fb2d30
SHA512 3c3dc97ca9cd38bd71b977d3401a4a8bdfdf6257c50ef59382ff468881b9ff38f02b0cc97a0eb3f55882cb471e99425b811d3d404d83fad9788ebc79a20b13c1

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\pixmaps\text-tool.png

MD5 e3cc1e3c18736f878b9ab29dc394154a
SHA1 6c39034c129cd67daba66d7c5e802305d8785e1a
SHA256 bd3ca6f179a339d9ab9b2b697405b8044da02477e7f3d15061f2f0462f034b35
SHA512 c92f164bce4932008854e9445440eafc7894ddb1a6d3c577a600ccfd632b276e197643b254b3a5dc27dbb908940d77d2d86f5653b15075a160d7ac1c0b78cdc0

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\pixmaps\thick.png

MD5 b0f6c5b9fa3cf9bf30821e843498da65
SHA1 7c63f23b482fda6e69c538274452e97b91f54c0e
SHA256 a8978068717670985253392e3ce16ebc8cbe7174f5c3eaae536cc8d5ff147bd8
SHA512 e415b836b331ee1a997656c2b11ad5c4657bf356d1f7cb6b14c058a5359c8496315b3c6d963b8cbec626266c6031b9e88924485e00cea83aafd3712cf920a9a4

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\COPYING.txt

MD5 3c34afdc3adf82d2448f12715a255122
SHA1 7713a1753ce88f2c7e6b054ecc8e4c786df76300
SHA256 0b383d5a63da644f628d99c33976ea6487ed89aaa59f0b3257992deac1171e6b
SHA512 4937848b94f5b50ea16c51f9e98fdcd3953aca63d63ca3bb05d8a62c107e382b71c496838d130ae504a52032398630b957acaea6c48032081a6366d27cba5ea9

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\CHANGES.txt

MD5 109e9d23496dc406050f895409be2531
SHA1 5a8659d65025b121c2a16d80d3d55cd9c3a5a7ef
SHA256 b58477a045a7411ff95ca8b1e055801d5d10055e2de52e1a94397919a09d82c2
SHA512 548fa0ec3b1a4056440867e7b7fd7374ab9d08e0156121ef7e1f7c57ae97a58b5c357cdd69ebd18df80ca4078fb595cddebda245b317213b140cac5069ab7058

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\pixmaps\shapes.png

MD5 703e47707419d42fbc7a4988b7fc3718
SHA1 c6c0351539032039297981b6918dbe720b3515dd
SHA256 5314fddb320e575a345a2ba5a922372e086a31ad4baddbd6d4ab30681f2134dc
SHA512 32f751c7fc7cc69646e17b7cae36adff39ff86e60e838fb829208e3a9473dc0c5df18cd48b98464304481b98ab10e7e5dd9ea91b6864d48946c54f91cf8d2fd7

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\README.txt

MD5 7539e219a0d2331524b97605c4fe641d
SHA1 718d7c209915ff4944a81ef38701542d63ea30e2
SHA256 3f169438204953468391d382ca1813c54a0301b733c59bef9178c2d55e9e7e0b
SHA512 c8886ba4445e612bedb7c9f8b8b7044c016ea45ad5f80b1a9082707a2b7c5334bfe6b7ac8df4c2f603d0bfd1dbb727691d65e3a6c14acc78104b869c9bb97dca

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\postinstall_readme.txt

MD5 24ac8ba156f8fbfd86a4292e4f44631b
SHA1 081d1ec03058bba9ff43b40f39891b82a3cb3b6e
SHA256 37c45cea617294e1aff68e83fdf0ff14ca454049f9896b5ccd2bdeb22140fa1e
SHA512 9874047be537596921ee8375e274499dce122f45257c714c0bcab5ba5e9a91540c37578b9f96e4a9a3376c3a311ef934b85758db1aa8d71329dce74ed17f6581

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\pixmaps\magenta.png

MD5 c83c2fcc196e434b12c26e6b9c21ab3b
SHA1 8078e6fb3302cb2d54b48d1709429c14926a8f14
SHA256 b3d5848f1b4fea9070ab8ffc0b6e30c81eda6691bc5f16ddd375506e9191101e
SHA512 e49893f19254ba6e451cdfe2e0915615272c18f3fce1d122ed52453051f4231cc8fe9e11bc2a1242e437ff5681065cea960fe06635dfb6b46cc3a9a08084808a

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\LICENSE.txt

MD5 fc292eaec94367e0775fa0638880ebce
SHA1 fa5ff95ef7e8f5ad9cfc77738f5e6c0ca96572dd
SHA256 971f1733cb237ddd626e579954938c6fc0e925ccbf885074ad5fcf19b4efbe2e
SHA512 4f3ceb0d390f47fae7294db5399177a1128dd196cf58a45768984c1783ae4e0c0d0746aae716b2a08f7058df214494a7fb20c8bc982d0e3b8cb3d70ccef7917f

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\pixmaps\lasso.png

MD5 9b8bd91306bf3a0f15b9a1ad41d81eb1
SHA1 59c0690f6740edde06b7263f4da7ec64a7fc38b3
SHA256 1eb68b3a86580821bb6500df0d5b5d2ba4df33dbe50b4e6b3f5de5b452b8cf80
SHA512 f751c47abbe210877dfc5101c0a4a4c7d392c5a5885c344904ba72b3b55c000508999442d1dfc670f5ba5d491df87a420b87eb88e63194ad8b12107916be6fc5

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\share\themes\Raleigh\gtk-2.0\gtkrc

MD5 5fc9003ddc2c64b110b1161259f61923
SHA1 4ecddbcceddbd90a3a654d3788ec3aef8c197a8a
SHA256 6d9beaf039092aec5c1fbc23a62402bcd0704c45c430189a6ac69ae8aa797a67
SHA512 5c90f3f1037fff9f10aa2030bed2c670edd528482532e617549db2133e26cf801bdec56d4543feb024cdec1c0026909ca9a21b378ec3b89489c18c395660c9fc

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\share\themes\MS-Windows\gtk-2.0\gtkrc

MD5 94d104680cec5f3d8bbec56258d0c926
SHA1 72ede372fcb34b29754f20ad44f49bc8605cf22c
SHA256 e9dd3015f76e05f185ebe7564d364aef8b8168b05e62421c99875e14e4597977
SHA512 cf7d04304fa58e2dd9a8492b31b065c03c1f7ea96ab71d7d3d212eb17436c7c181470c23296fa3f599f1ef56c6b243921ed7f0a92ad3e0a6cd40a5fe857955a9

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\share\themes\Emacs\gtk-2.0-key\gtkrc

MD5 4b600a3c3c2ac37f7d0c13c4d86ac752
SHA1 d1da549c070d74aa9f9456c4c1e0ccbdde5256c8
SHA256 4214bee389645edcc7c9971ba35dc4d96e8c135ebc92c51c05b0c7dd36abd8e5
SHA512 d4ece8e39a80073bec016b375a75bb5ff5c697aff560e5d4aafc6031f26451f8d3ef32faf1a0b2be3470450eb2ea3ae8978cc444ee0e2d2ef374ef43340e64ba

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\share\locale\locale.alias

MD5 c26bd884605e7cb04a295fbf331e11a3
SHA1 7330ab3dc0410db503eba19976f027cf49eaeafe
SHA256 67cd91edbb01ea1eeb59f25c0a8cb6dfe90653fb5fc437d3d32cd0814804075a
SHA512 f88bbd4ce7ef42b710071efc5b3aa99f18b5da1e18b3e0d5b051acf125809a9eb94bcac9d91639660246a2406c30e93449d1ff81eace9caf18c6cd5e52ad85dd

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\pixmaps\black.png

MD5 a875753fd4e92edad63f5d8b9a79426b
SHA1 241b7f8bc325993b8044498ec4a6c03d576c6b48
SHA256 d09f2e254540dc26a948cf49ac09de2ffea210ad9d8fb77ab7a943ce938b5570
SHA512 b04ee55b20c42a36e6125ef883161eaae11a990a99042b7fefccf0433455e35c621b8f10587a6292adc0f71ccf9a896c0264c8607614196d311de86b28c338dc

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\pango\pango.modules

MD5 7a7327019610dfb25d5fafb2d2b0f3ab
SHA1 812af1f65174c63c4a90dd72d29d6e1180075a6e
SHA256 cab115828e04766fbf8e20b5ca6e5632e089f407b338832081d8b42f62fea38a
SHA512 9d7d7fd408d0e0cbe8df24cf1184aa9c24f41dc94d98e7262d04e617b7252381e6845b9e2724557246af8696a5e0cb99f1d15b3889aebd7887fac99e68b79849

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\fonts\fonts.conf

MD5 4291285924e90d1a1fcf1ddfc51adad3
SHA1 74f2d9b2f9665a1ff083701456a0fbfe351f855a
SHA256 68011bc3741ebcea48f08ff2aed8519762a946f3e0fb9c224b1d3810ebf5bf4b
SHA512 80b570051324f0987f388b78f2b2b2a50df2ece82eb6c003ed4ab5fc1456789fdb4a616c3be760580d30f48aef656eb3604cbd0a7808c49f03b347f2d4388cee

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\AForge.dll

MD5 02c63f568e598aad85dd401d7b26e82a
SHA1 2da9ec7612835e1f69d4a93aa2d49ec9bdff7f7c
SHA256 966a474060a8aca70c73ba09d0b6fe2353035961c7107b9003ef879c010ff8da
SHA512 da9bff86be8fa890dda80a35ee6c851aa655f087f81804a23c73f8c586b7e13ac5a643e0a516a35787cd97b392aec16bfb95210080e4e53e6144fec9316acdb1

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\AForge.Video.dll

MD5 0bd34aa29c7ea4181900797395a6da78
SHA1 ddffdcef29daddc36ca7d8ae2c8e01c1c8bb23a8
SHA256 bafa6ed04ca2782270074127a0498dde022c2a9f4096c6bb2b8e3c08bb3d404d
SHA512 a3734660c0aba1c2b27ab55f9e578371b56c82754a3b7cfd01e68c88967c8dada8d202260220831f1d1039a5a35bd1a67624398e689702481ac056d1c1ddcdb0

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\TurboJpegWrapper.dll

MD5 f5639d78d8c860df0176b1499695e8b3
SHA1 a70f699d75903ca2ae31098f4687add23245804d
SHA256 9c8de413bf48e680ded9db3b3a4c7773642b9d6c76973ae95d40eb0cba31d4e2
SHA512 2098dd214db72b7f9b70c58cd1fcb53dd4982e441c19b3571941f9026e0dde0ae9005bb084ecb2f21ee2e24776fc95d60cb50b11fc536a68ad153efc1dc8ef0c

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\Mono.Cecil.Mdb.dll

MD5 a269c436d17634aecf2ac0e95c44728c
SHA1 3dae54046aa5edbcf58ff38acc1d12682e3442b5
SHA256 f02a2d8154ef002863702d6513c6773ebbb83e520834c2ac8e38c6a7f0174e27
SHA512 bbd1740bce3d1eecccaa560696cc5b0999a1e00c3d6747f3bb93ab44a5f9a2186f01048fa69e173b89c40b98bddf13c4de92564b13c0ec36eb96b69ec65dc157

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\Interop.IWshRuntimeLibrary.dll

MD5 9569c5ddd9ab1e7bfd24e41250a67903
SHA1 304afddbbaac26843cf53b9713e09a85fe525cac
SHA256 6a80b9d1bd609a3cb6af8cf8c1534f7baca1d78ad353ce6ed5b578a0ba96eb83
SHA512 7bc2a98f9fb934212cbc7b8dac21ec38b89b39a3f60ef53490bb25d07c286d1db4da1757b766f323615185aa26f094e601337110da14224fcfe3ce016eaf0c54

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\libEGL.dll

MD5 b84df33197a94abb399c7e08fcd1fcae
SHA1 5b6d24397dafcfab12dda13921d12e1f20439a19
SHA256 900ebaee275fcddc81cce3b04c6a1e13dba18670c0aba82d54eeefa76355edfa
SHA512 83ffb35a026b4e72de3f024243d630fd17ce498f9d552db0a3292199899c7520c01f9a5e1d4709ab7f7e8b2cb9c5168a93e8b3d9f3b98b32a28329f99714321e

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\Qt5TextToSpeech.dll

MD5 3cdb361b43a3ce45145df5bad519df63
SHA1 8f7cfe31068584151bf913171c82949fd7a945f2
SHA256 8f5a39d8e35d981a8200fb4a83b42b72ec71a9c5db16a09c5df69b001bfb2e13
SHA512 88722199a716dbe665204d9d192207594cd3819130d22c07133e8a229628f66e5eddab60dbb1759ba389cf42398c32eafca8b74e07b3dfce4c916fd8715d566c

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\clock_common.dll

MD5 85d02f053f1151ac4d3fdda5ea10adc6
SHA1 a134e20a33387a3bfe256b36585d9ccb6113a29f
SHA256 989354441731eafd1cd63285ab681176a43f08ea999362c5d792c9b2bcbd6564
SHA512 146233b07a3d81f7aa7c2a5e055935fb61307e20dc15b168c248f6d83f934d916184b568e39f7ad8c6ce28d26eb5b1605d6b2200b5ddc2b6cf0bc0dd114981c2

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\skin_draw.dll

MD5 72ad6c45aaf461326f5a512afb4b33b0
SHA1 4b6791aa02c76e96256bf19ec9ff828303a308b8
SHA256 dcf318a760aeecca2496417d5111b059867471919d2721d766da7d29d29df305
SHA512 5c495d059aa51beb4be143a9beb496f380b84f28bc4090e2c21f942e5847dfb5c2cdfd759636eacf4b2820fb6f68cccd8b60ce336a721d03575f45f9496f6b99

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\plugin_core.dll

MD5 b79d7159ba735958c18148dcdf543571
SHA1 d7d4d4aedf7897092665dfc573e9fe9c313c2fe4
SHA256 638aa5d39ae52d09317c001bb8163fbf1ffdea03e371ed61457d765ad35a5e52
SHA512 79b7ae9a722714c6d640f35b81e54fb9a0b8e6042b99705094d6e968736d1389ed0e2a90c5120955a458d158d9af8a485ff4b5dbc9227165c11dcf62fd180c71

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\il

MD5 d3af0cb8d35e7613882c0d09c65541e6
SHA1 2cd1f8c1aacb16a31f283fea15653c93460a7b19
SHA256 9c45c14a29e89ed4c1bb9069a0ef6fee5352400a8e517ba86d6eaadda13fab57
SHA512 c0e6c41aafd546a8492a8c7168d7c0f40f14e9597f65db4a6c0ce4a49f240d1f89797d1b358a4c98125eef18008773876b9e12da1549bbe50091dc55d57d493b

C:\Config.Msi\e577e3b.rbs

MD5 79f604452d6f65047b01e2415710bedf
SHA1 5bdd4c75270a9fe9b7dcdf6dd4c1f830ccf55e1a
SHA256 07e3e4d552237ccf85bf2ac6b91f5b844154716bc7c20093d162c98d8ab180e1
SHA512 73dcf0e8d9426d9e5ae809d2897eeaa00bbdb98790e45940607ea546a406aac2e7a5e4dce298384bd64606fe7496b4a366e91a97d1116270b4705cdceeaad642

memory/2584-221-0x00000000008A0000-0x0000000000B16000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RnsGOvrHcYHxE\_Files\_Screen_Desktop.jpeg

MD5 48e966eba20016e27131c6ca24e68c39
SHA1 abc8399492c751e0b19e169a8a10dd6e9444ce32
SHA256 dce66c1d722b836af42bebe26d2b03e8588ccabb751cd4e51feccb2718b9665e
SHA512 9dd0d4476a877f412311c6df2f8bdcbe6eb516dff46579c5e2aba0f8206b1cae106305c4c894c5616fd525aa2a7eac142ef726f65d3d8a270ee3993d800e96db

C:\Users\Admin\AppData\Local\Temp\RnsGOvrHcYHxE\_Files\_Information.txt

MD5 0ccfa44cf63190e610e23f130cb02a65
SHA1 b6cc6e0cace36573a1fc2c0f4a45e81a2cd8ee24
SHA256 7a9aea2f1f94eeaab7409481cf840b49ecdec781f4e702962e09e0c5b7d7bb0b
SHA512 fcb08047d54ed8387ad4ec16876a8c312146d9ac74e43bbfc98d4ada7e4d33ee7cd8cda109ebb3a40871a5d6cbe627ce5117b10393c11f16db4305539d9d5a08

C:\Users\Admin\AppData\Local\Temp\RnsGOvrHcYHxE\lMxCpuHGcUpKFx.zip

MD5 e6030bc08ff626bc1847fd274ac857a2
SHA1 a4b76299f04801359ca9e1a0a576a90ce623c8cb
SHA256 32fc316feef5a6375a7b8703abf1976f14093cd38a39eba38de76ded3b9051ec
SHA512 afc9d1ee5d572aa7069ad9dea94a355ba6ba51a5f4a575523af126af333f9391b84da5067b9b6820fa5a927acb8512f313e0404f1137958f31d05062c98d1885

memory/2584-351-0x00000000008A0000-0x0000000000B16000-memory.dmp