Malware Analysis Report

2025-01-03 03:00

Sample ID 241123-mm6kgazjhq
Target 1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe
SHA256 1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79
Tags
babadeda cryptbot crypter discovery loader spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79

Threat Level: Known bad

The file 1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe was found to be: Known bad.

Malicious Activity Summary

babadeda cryptbot crypter discovery loader spyware stealer

Cryptbot family

CryptBot

Babadeda family

Babadeda

Babadeda Crypter

Loads dropped DLL

Executes dropped EXE

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Enumerates connected drives

Checks installed software on the system

Drops file in Windows directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-23 10:35

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-23 10:35

Reported

2024-11-23 10:38

Platform

win7-20241010-en

Max time kernel

122s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe"

Signatures

Babadeda

loader crypter babadeda

Babadeda Crypter

Description Indicator Process Target
N/A N/A N/A N/A

Babadeda family

babadeda

CryptBot

spyware stealer cryptbot

Cryptbot family

cryptbot

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer\nugcenter.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\MSIC89F.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f76c584.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f76c581.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f76c581.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIC7C4.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSID36A.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f76c584.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIC65B.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIC708.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIC9B9.tmp C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer\nugcenter.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer\nugcenter.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer\nugcenter.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1980 wrote to memory of 1976 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2380 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe C:\Windows\SysWOW64\msiexec.exe
PID 1980 wrote to memory of 2776 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1980 wrote to memory of 800 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer\nugcenter.exe
PID 800 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer\nugcenter.exe C:\Windows\SysWOW64\cmd.exe
PID 2300 wrote to memory of 2712 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe

"C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 962976A7F852AAF54ED94954175C2427 C

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\adv1.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1732098724 " AI_EUIMSI=""

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding C1120EB705CF4274E928463F53075EAC

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer\nugcenter.exe

"C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer\nugcenter.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\opZtVtxOdFDjy & timeout 4 & del /f /q "C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer\nugcenter.exe"

C:\Windows\SysWOW64\timeout.exe

timeout 4

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\decoder.dll


C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\adv1.msi


C:\Users\Admin\AppData\Local\Temp\MSIC16B.tmp


C:\Users\Admin\AppData\Local\Temp\MSIC2F2.tmp


C:\Windows\Installer\MSIC9B9.tmp


C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\icuuc60.dll


C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\nugcenter.exe


C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\il


C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\plugin_core.dll


C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\skin_draw.dll


C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\clock_common.dll


C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\Qt5TextToSpeech.dll


C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\libEGL.dll


C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\Interop.IWshRuntimeLibrary.dll


C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\LICENSE.txt


C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\postinstall_readme.txt


C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\README.txt


C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\CHANGES.txt

MD5 109e9d23496dc406050f895409be2531
SHA1 5a8659d65025b121c2a16d80d3d55cd9c3a5a7ef
SHA256 b58477a045a7411ff95ca8b1e055801d5d10055e2de52e1a94397919a09d82c2
SHA512 548fa0ec3b1a4056440867e7b7fd7374ab9d08e0156121ef7e1f7c57ae97a58b5c357cdd69ebd18df80ca4078fb595cddebda245b317213b140cac5069ab7058

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\Mono.Cecil.Mdb.dll

MD5 a269c436d17634aecf2ac0e95c44728c
SHA1 3dae54046aa5edbcf58ff38acc1d12682e3442b5
SHA256 f02a2d8154ef002863702d6513c6773ebbb83e520834c2ac8e38c6a7f0174e27
SHA512 bbd1740bce3d1eecccaa560696cc5b0999a1e00c3d6747f3bb93ab44a5f9a2186f01048fa69e173b89c40b98bddf13c4de92564b13c0ec36eb96b69ec65dc157

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\TurboJpegWrapper.dll

MD5 f5639d78d8c860df0176b1499695e8b3
SHA1 a70f699d75903ca2ae31098f4687add23245804d
SHA256 9c8de413bf48e680ded9db3b3a4c7773642b9d6c76973ae95d40eb0cba31d4e2
SHA512 2098dd214db72b7f9b70c58cd1fcb53dd4982e441c19b3571941f9026e0dde0ae9005bb084ecb2f21ee2e24776fc95d60cb50b11fc536a68ad153efc1dc8ef0c

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\COPYING.txt

MD5 3c34afdc3adf82d2448f12715a255122
SHA1 7713a1753ce88f2c7e6b054ecc8e4c786df76300
SHA256 0b383d5a63da644f628d99c33976ea6487ed89aaa59f0b3257992deac1171e6b
SHA512 4937848b94f5b50ea16c51f9e98fdcd3953aca63d63ca3bb05d8a62c107e382b71c496838d130ae504a52032398630b957acaea6c48032081a6366d27cba5ea9

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\AForge.Video.dll

MD5 0bd34aa29c7ea4181900797395a6da78
SHA1 ddffdcef29daddc36ca7d8ae2c8e01c1c8bb23a8
SHA256 bafa6ed04ca2782270074127a0498dde022c2a9f4096c6bb2b8e3c08bb3d404d
SHA512 a3734660c0aba1c2b27ab55f9e578371b56c82754a3b7cfd01e68c88967c8dada8d202260220831f1d1039a5a35bd1a67624398e689702481ac056d1c1ddcdb0

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\AForge.dll

MD5 02c63f568e598aad85dd401d7b26e82a
SHA1 2da9ec7612835e1f69d4a93aa2d49ec9bdff7f7c
SHA256 966a474060a8aca70c73ba09d0b6fe2353035961c7107b9003ef879c010ff8da
SHA512 da9bff86be8fa890dda80a35ee6c851aa655f087f81804a23c73f8c586b7e13ac5a643e0a516a35787cd97b392aec16bfb95210080e4e53e6144fec9316acdb1

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\fonts\fonts.conf

MD5 4291285924e90d1a1fcf1ddfc51adad3
SHA1 74f2d9b2f9665a1ff083701456a0fbfe351f855a
SHA256 68011bc3741ebcea48f08ff2aed8519762a946f3e0fb9c224b1d3810ebf5bf4b
SHA512 80b570051324f0987f388b78f2b2b2a50df2ece82eb6c003ed4ab5fc1456789fdb4a616c3be760580d30f48aef656eb3604cbd0a7808c49f03b347f2d4388cee

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\pango\pango.modules

MD5 7a7327019610dfb25d5fafb2d2b0f3ab
SHA1 812af1f65174c63c4a90dd72d29d6e1180075a6e
SHA256 cab115828e04766fbf8e20b5ca6e5632e089f407b338832081d8b42f62fea38a
SHA512 9d7d7fd408d0e0cbe8df24cf1184aa9c24f41dc94d98e7262d04e617b7252381e6845b9e2724557246af8696a5e0cb99f1d15b3889aebd7887fac99e68b79849

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\pixmaps\black.png

MD5 a875753fd4e92edad63f5d8b9a79426b
SHA1 241b7f8bc325993b8044498ec4a6c03d576c6b48
SHA256 d09f2e254540dc26a948cf49ac09de2ffea210ad9d8fb77ab7a943ce938b5570
SHA512 b04ee55b20c42a36e6125ef883161eaae11a990a99042b7fefccf0433455e35c621b8f10587a6292adc0f71ccf9a896c0264c8607614196d311de86b28c338dc

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\pixmaps\blue.png

MD5 b8ea81eb3944bd027399ca0fcb30352c
SHA1 7cc576da81018985c254d717f5b5d1df92501676
SHA256 bc0824b76bf4a3340f9314795d6d7bb91d768ccde49ce559a409db35d79c7a31
SHA512 7ac010c47be59bda5c805101f482e5c5ec2a4246685985a2452a0fcb368bcedfabf0e1a45d195049c8c45088242bd5d63aa62d2187d839be92e3f7b028f4069b

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\pixmaps\default-pen.png

MD5 c4955d57acd2624a50c575f6caa260b5
SHA1 4628d5e10edbe3756f663dde3fdfaf9e3293d9c3
SHA256 e743ec338f096a7169823d00a2d84ff60f8f88e85fc4ceb4f056335256e29636
SHA512 296bbdcc4dce24281240c798719cd819b8a2d0e0f2a3dc862adfba7dc9c8e1d1055cb01fc422ae8cd683d88b4ba5256b90b84248d290adb04f57172f5c04dcd1

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\pixmaps\eraser.png

MD5 965f4596779c9396a0d16ab2d81a81dc
SHA1 1eb33e421405af7a7fdbb8f5866b75ccd0faaf5b
SHA256 8b38c37c750492f3984c64e9f0ac8ba5832b2b29800b945f43f1ade9ddcd2f1b
SHA512 beb7ade2bff13258f337bc42c7dcd55629330270e28e01449f30b2f9eb5a184f5c6b3547d4ab22748c8790ce162b22692b23c5b9430fa1b103172fe9ecc8eec4

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\pixmaps\fullscreen.png

MD5 04caf9e7479493621e6962147e092540
SHA1 5de82e54ea9b1fc4998103931646f254d507b472
SHA256 f44df404099bd1c100bc9dcb678b717374ea854ea031a1c128391a087c6eb7ab
SHA512 30b9bf1d7178555a1edea44a1bf93e87863f83bac8d545860477207c8463b01323306288eb4cadd086d1bd1f0990596d1c78eee34a834e63f3a9a3c6d799b404

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\pixmaps\gray.png

MD5 c89a78efc324ac45ab7f3e4d945ef35b
SHA1 fdfdf1971f8094b6b4ee86754ad72566766614ea
SHA256 42645af572363377e59ba2628987d439b6ec124d86026e7e8991ed9ba269d402
SHA512 1378aa65ea69ee55acf5b90952323aa50c6f5353c00df0a81c6fc26e98f376b2b8badc6993bccb81cf463570781a9ea53366f2de5ac05bf3a18c576a22f42a5d

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\pixmaps\green.png

MD5 307c26bd60cd59634672c8b139921428
SHA1 7ce1006156580c340f75c2514e60734b55b18cd0
SHA256 5507b254b0eb434dc49c85f5d1bff54bf427f7419636dace91ed2c583db84b8c
SHA512 96fea9bf2b9c2ea3a6a1be7556f28f12ddea77a5490af57d3d2ca7334861f92a7ed43ee53093e5fee9c65c66cd16caf51437a01e5b76b0176565b1bb581251b5

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\pixmaps\hand.png

MD5 5477c6f1b114884d907cd215adde9e84
SHA1 5fc527a9e978c506a6971ba628bdb5f4f147b459
SHA256 06d42e7dd5e554cfc3075d3222234633b15811786ca69a732f0b369632b02292
SHA512 5abf754e51ce74280000bd6a567b64ba339b396fb9315ed79acfa98331f754c45587325a17a0f9b36a532880502dba2b28cdf2eaf53658732c84a7ecd07bb0cd

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\pixmaps\highlighter.png

MD5 9145636a155628aa5b08f50d241b5162
SHA1 9c58534e13496d4979e9c7baa1d8d2eeb85e450e
SHA256 e4dba621d326a8faf3639c102b82909737d26e176bf4a95fd7dcc901bce715bd
SHA512 7b2949a005a063abc68fd6aed7be8f69f369d73075bd75dd89bc2f2fa66c20b2976dc7f079bbb9ba165a6582b795f2d99e705f867d53de99084e59028ee4fb84

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\pixmaps\lasso.png

MD5 9b8bd91306bf3a0f15b9a1ad41d81eb1
SHA1 59c0690f6740edde06b7263f4da7ec64a7fc38b3
SHA256 1eb68b3a86580821bb6500df0d5b5d2ba4df33dbe50b4e6b3f5de5b452b8cf80
SHA512 f751c47abbe210877dfc5101c0a4a4c7d392c5a5885c344904ba72b3b55c000508999442d1dfc670f5ba5d491df87a420b87eb88e63194ad8b12107916be6fc5

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\pixmaps\lightblue.png

MD5 9b810e6318fe4d7ccea2370934167157
SHA1 2db4d6f6c38bc26aa27ea2af8901e491f27a2774
SHA256 4fbe3e58c531bb3b7286c28882a0051a39c6381b5a68d2303b9d3f114964e790
SHA512 d8665bd27eb797b017f9b63cc1a558fc612e9beecbc9ba4d69551fe18da335554ab8f0da1d4289c1a9ef5866892f68f7a4dabe7bb88cce18b054053038702945

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\pixmaps\lightgreen.png

MD5 90a9382db46c60f9a3093c33b52dc260
SHA1 7fe3d05123b4547c8dfca90230b908f5a4ebb9e8
SHA256 e9a7a05f3bc1e15cad99814666d53169047294efb41c20a1f28cff6a6a65a15e
SHA512 76ef977dd27aec97722e73b3fcad6633feb16a0317d26b6be72a4406c265b58e6e89e39a87592fa0f2effe6101f435097d210fae4ee2cbfacacb0be49f4ea5e5

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\pixmaps\magenta.png

MD5 c83c2fcc196e434b12c26e6b9c21ab3b
SHA1 8078e6fb3302cb2d54b48d1709429c14926a8f14
SHA256 b3d5848f1b4fea9070ab8ffc0b6e30c81eda6691bc5f16ddd375506e9191101e
SHA512 e49893f19254ba6e451cdfe2e0915615272c18f3fce1d122ed52453051f4231cc8fe9e11bc2a1242e437ff5681065cea960fe06635dfb6b46cc3a9a08084808a

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\pixmaps\medium.png

MD5 4e6ca2356866781fac9205631a107697
SHA1 55a0846403d3dcadefef218772383072e59f2adb
SHA256 13b92c015aee903af3bdeaa3964fdc5891006756da507bcdc491369703fb2d30
SHA512 3c3dc97ca9cd38bd71b977d3401a4a8bdfdf6257c50ef59382ff468881b9ff38f02b0cc97a0eb3f55882cb471e99425b811d3d404d83fad9788ebc79a20b13c1

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\pixmaps\orange.png

MD5 508e1009dc053e2033a9018023b48868
SHA1 02e1e20fa7472df9f21c8d18566ada54ff8c5560
SHA256 e9a1c3ebd4822747a4c83607746d6cc68ac5ed80d7f08ade928dc178f798dd32
SHA512 f43cc7e62dda86b89d9b690465f2307a9f89bdd30231ac5cf0fc21c7ac2daf89e42d0178f08a0951c4c5a957ee37fd20d60ce36d58726d53e2729f530ffbcb54

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\pixmaps\pencil.png

MD5 6b7b424063281d6cb8e2df80cba76791
SHA1 9d8e5d192fab8046e9219aaad20f3ce276817c21
SHA256 7c4849fda63d3763fee76de774edd8f6c77b7ef8261bbcd21891d80c90ce9fbf
SHA512 b679061edd4b6895dc24f2827d4cbae6f9d61862bc69891b2e5de32b8ad00d7de3bc41a4c43903537ae5601251dea59acb61db75bab0e40c4251fb38baf7e964

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\pixmaps\rect-select.png

MD5 a67ac11b8f0eea1e8e27e8b61297e3af
SHA1 2055985d7541c81f98995a440beaecf0142551d7
SHA256 eaf67416c03a312b3eb5c3703b3fbf5f476ac95d22c34a51c1f7cbdb865291dd
SHA512 2e68ff37757aedaf1b905d3703dd4983bad4af340bfd3d413d72ad45f47bf6c4ba516ea8dc7c5536cc8757e52a7a8b613c1d6e09afac6bf7652eb10c1f8bb0c4

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\pixmaps\recycled.png

MD5 7322708be2ae626e52dd7d4e77ffcbfa
SHA1 93a599f563c1ca627eb5d88035281a219945f0a6
SHA256 09d333773e220796de744c07a26f1d47a83f1b4af7ca178a1eeb401f30616ee4
SHA512 bdc06bcb84e67ae248925ddcd66c05f1dbc355b66e57120d2efe640961fa1269bdd2a3737642a95609aece5d7a3699034bb75a2c27efef1a389541c8c5002713

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\pixmaps\red.png

MD5 4429c43e6311344a001bb13e87a1dff1
SHA1 81457c4f184a810fd20cb10a999ba63c847901c4
SHA256 f4fce83ea044803d1937627fa184afd3ee33c950870dfc9e7bf34219b04db890
SHA512 d66f718a00d5bdfc91726fbec2222cf8e08ec7422efae026a2858300223a00ed967a7f4e9f51af99e15b60fd95afdcd2de8ce1cf2927107d3481fd2c8194f515

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\pixmaps\ruler.png

MD5 5d4e0ec1713b88ed37b1f26d8d3a320d
SHA1 a14da950083e432a1d5ac4e65ad883dce631074a
SHA256 c1c3e2fb2eab3817dd9731fefc0f67472a58bfca76aefe682b2340c47e4fcc88
SHA512 451dacc9db2146838190385acf1fd352df391179856c66bfe5afddd1e0dda6f6fd37bd5e94e6f5aea59b60ca9862ad8d927ee1280ae070516c696670c1613221

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\pixmaps\shapes.png

MD5 703e47707419d42fbc7a4988b7fc3718
SHA1 c6c0351539032039297981b6918dbe720b3515dd
SHA256 5314fddb320e575a345a2ba5a922372e086a31ad4baddbd6d4ab30681f2134dc
SHA512 32f751c7fc7cc69646e17b7cae36adff39ff86e60e838fb829208e3a9473dc0c5df18cd48b98464304481b98ab10e7e5dd9ea91b6864d48946c54f91cf8d2fd7

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\pixmaps\stretch.png

MD5 bce2634a256fd6867ab4f14314703dc2
SHA1 2443ff633542f24a3f3a8156f95be17db7caad63
SHA256 34e361bba70c3e6a529168c4da9b993da0acb2340d7d359aa90b3d8e12246fe1
SHA512 64ad0d757b90adb3567416a89cc51811a5a3bb5089a6281d8c782d6bbf0762d2b2464c1ad9986ab9aaee212bf94191eaf25ac74aa81ffb22d949a5600bb892d0

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\pixmaps\text-tool.png

MD5 e3cc1e3c18736f878b9ab29dc394154a
SHA1 6c39034c129cd67daba66d7c5e802305d8785e1a
SHA256 bd3ca6f179a339d9ab9b2b697405b8044da02477e7f3d15061f2f0462f034b35
SHA512 c92f164bce4932008854e9445440eafc7894ddb1a6d3c577a600ccfd632b276e197643b254b3a5dc27dbb908940d77d2d86f5653b15075a160d7ac1c0b78cdc0

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\pixmaps\thick.png

MD5 b0f6c5b9fa3cf9bf30821e843498da65
SHA1 7c63f23b482fda6e69c538274452e97b91f54c0e
SHA256 a8978068717670985253392e3ce16ebc8cbe7174f5c3eaae536cc8d5ff147bd8
SHA512 e415b836b331ee1a997656c2b11ad5c4657bf356d1f7cb6b14c058a5359c8496315b3c6d963b8cbec626266c6031b9e88924485e00cea83aafd3712cf920a9a4

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\pixmaps\thin.png

MD5 84052d7c35de51d8313eb1bae0820cf1
SHA1 5ee2f2d28a7f3cf2a623d290ed1d2dba356cb145
SHA256 37171b854b71ca80640330d677dfb1a91fbe2c0cdc46ecaf8ab04c95b74a5719
SHA512 5f12b94adb92f7e9965ef297aeff78c9afb4e82e3cf7570c5faa59972394f880dd6bbb0afe2705b42c10836095bf1d78c86201b6ca61e18564a0f86d89d10d56

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\pixmaps\white.png

MD5 88c0945ad5267821a7fb8d2ac1867048
SHA1 48ad986c0cae9f77ae43947be027468a81a813ff
SHA256 651228240bc2be9b32549d8f6cd3f665b2207fefdaf5cd5f9cc8e05b0cc678fc
SHA512 a64da3280d8daf60cbfd809da7bd0c0b7a38adc5de1fbf1e47a8123abb3ee8b138ff99e5b7e8ee3e6202a7b07278a0b16064e62f756fd13646239c90fc527b9a

C:\Config.Msi\f76c585.rbs

MD5 e8d2d8f7fc9879e226e60cc35949247a
SHA1 d6b7afe5a8fd3fe3e9200762bc15677db125a33e
SHA256 4460a5d54f6551b34356e03966e1f0c0eaf38e80411f19b3d4ce7ac406043f95
SHA512 2bd13bafccf71bac44d3d7231a74d894687e8893c0bba44dcb98a9b455b4dc889642f988c76a34678ebd8220861ceb19629c59c0b34eb402a0af4bed41a8b0f3

memory/800-215-0x00000000003C0000-0x0000000000636000-memory.dmp

memory/800-220-0x00000000003C0000-0x0000000000636000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-23 10:35

Reported

2024-11-23 10:38

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe"

Signatures

Babadeda

loader crypter babadeda

Babadeda Crypter

Description Indicator Process Target
N/A N/A N/A N/A

Babadeda family

babadeda

CryptBot

spyware stealer cryptbot

Cryptbot family

cryptbot

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer\nugcenter.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Installer\e578e84.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e578e84.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8FAE.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8FE0.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{A28D9264-E002-4A94-A388-6DD939F4409D} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI935D.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8F40.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8FBF.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8FCF.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8FF1.tmp C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer\nugcenter.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer\nugcenter.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer\nugcenter.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4764 wrote to memory of 3648 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 372 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe C:\Windows\SysWOW64\msiexec.exe
PID 4764 wrote to memory of 2744 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4764 wrote to memory of 4804 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer\nugcenter.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe

"C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 6B5C2D17A9F0DAD0B91A3D5825F26349 C

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\adv1.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\1377deaa157a92de3c0a896f06f4cf24133e33cf2429a4119a8cb45ec2e84f79.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1732117542 " AI_EUIMSI=""

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 5FA1D8EFABFD24E6B9C610C443CD26EA

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer\nugcenter.exe

"C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer\nugcenter.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 35.77.123.92.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 veoimd43.top udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\decoder.dll

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\adv1.msi

C:\Users\Admin\AppData\Local\Temp\MSI8C62.tmp

C:\Users\Admin\AppData\Local\Temp\MSI8CF0.tmp

C:\Windows\Installer\MSI8FF1.tmp

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\icuuc60.dll

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\nugcenter.exe

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\pixmaps\lightgreen.png

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\pixmaps\lightblue.png

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\pixmaps\highlighter.png

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\pixmaps\stretch.png

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\pixmaps\hand.png

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\pixmaps\green.png

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\pixmaps\recycled.png

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\pixmaps\gray.png

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\pixmaps\fullscreen.png

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\pixmaps\white.png

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\pixmaps\eraser.png

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\pixmaps\default-pen.png

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\pixmaps\blue.png

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\pixmaps\medium.png

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\pixmaps\text-tool.png

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\pixmaps\thick.png

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\COPYING.txt

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\CHANGES.txt

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\pixmaps\shapes.png

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\README.txt

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\postinstall_readme.txt

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\pixmaps\magenta.png

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\LICENSE.txt

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\pixmaps\lasso.png

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\share\themes\Raleigh\gtk-2.0\gtkrc

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\share\themes\MS-Windows\gtk-2.0\gtkrc

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\share\themes\Emacs\gtk-2.0-key\gtkrc

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\share\locale\locale.alias

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\pixmaps\black.png

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\pango\pango.modules

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\fonts\fonts.conf

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\AForge.dll

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\AForge.Video.dll

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\TurboJpegWrapper.dll

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\Mono.Cecil.Mdb.dll

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\Interop.IWshRuntimeLibrary.dll

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\libEGL.dll

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\Qt5TextToSpeech.dll

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\clock_common.dll

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\skin_draw.dll

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\plugin_core.dll

C:\Users\Admin\AppData\Roaming\Rebex CR\NuGet Installer 1.8.3\install\9F4409D\il

memory/4804-221-0x0000000000B60000-0x0000000000DD6000-memory.dmp

C:\Config.Msi\e578e87.rbs

C:\Users\Admin\AppData\Local\Temp\tIAAQYvxKhB\_Files\_Screen_Desktop.jpeg

C:\Users\Admin\AppData\Local\Temp\tIAAQYvxKhB\_Files\_Information.txt

C:\Users\Admin\AppData\Local\Temp\tIAAQYvxKhB\QBAdFGKhYLFcN.zip

memory/4804-349-0x0000000000B60000-0x0000000000DD6000-memory.dmp