asyncrat | 661958d0aa5bf8ac6fbc5c6bae19df1047041fa64819d523b4d10e6c922e26cf

Analysis

max time kernel
16s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
30-12-2024 18:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Meta.v3.0.cracked.rar
Size

6.1MB
MD5

80f0209c71e159a12b284e9070782736
SHA1

6ebcec184f833642c8be195f0299e3c36d8ddbd2
SHA256

661958d0aa5bf8ac6fbc5c6bae19df1047041fa64819d523b4d10e6c922e26cf
SHA512

fed7a1b5f686b4ffa2a8ae191a8c21e345033a7773fad2b2b1cf35887659e4b7797a73e27790023fe59a32a587f66ed2e338f9d168450e7cb0a36bfb2a0c954f
SSDEEP

98304:sLr46ag4zz8RUciao7lMPVpIUoOdHZAqSRGMIqMOUwHcJ0DfkzKWLKXKgL/b:Qjag4zoigpIUBHoRUOUwE9GXagv

Score

10^/10

asyncrat stormkitty default discovery ransomware rat stealer

Malware Config

Extracted

Family

asyncrat

Botnet

Default

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot6097463381:AAFE6EI5D2TfE07x6OlKgJrWRj4KUyXcsn0/sendMessage?chat_id=5761333594

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 3 IoCs

resource	yara_rule
behavioral1/files/0x001900000002ab7d-20.dat	family_stormkitty
behavioral1/files/0x001900000002ab8c-46.dat	family_stormkitty
behavioral1/memory/692-75-0x0000000000CA0000-0x0000000000CDE000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x001900000002ab8c-46.dat	family_asyncrat

Executes dropped EXE 23 IoCs

pid	Process
3552	Panel GUI.exe
3844	BUILDER.EXE
812	META.EXE
692	SYSTEM CONFIG.EXE
2908	winlogon.exe
1280	winlogon.exe
4648	rundll32.exe
1972	winlogon.exe
2368	winlogon.exe
960	winlogon.exe
1704	winlogon.exe
2108	winlogon.exe
4784	winlogon.exe
4628	winlogon.exe
4480	winlogon.exe
128	winlogon.exe
3140	winlogon.exe
1312	winlogon.exe
4856	winlogon.exe
2728	winlogon.exe
2140	winlogon.exe
3792	winlogon.exe
4760	winlogon.exe

Drops file in System32 directory 20 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\config\winlogon.exe	winlogon.exe
File created	C:\Windows\SysWOW64\config\winlogon.exe	winlogon.exe
File created	C:\Windows\SysWOW64\config\winlogon.exe	winlogon.exe
File created	C:\Windows\SysWOW64\config\winlogon.exe	winlogon.exe
File created	C:\Windows\SysWOW64\config\winlogon.exe	META.EXE
File created	C:\Windows\SysWOW64\config\winlogon.exe	winlogon.exe
File created	C:\Windows\SysWOW64\config\winlogon.exe	winlogon.exe
File created	C:\Windows\SysWOW64\config\winlogon.exe	winlogon.exe
File created	C:\Windows\SysWOW64\config\winlogon.exe	winlogon.exe
File created	C:\Windows\SysWOW64\config\winlogon.exe	winlogon.exe
File created	C:\Windows\SysWOW64\config\winlogon.exe	winlogon.exe
File created	C:\Windows\SysWOW64\config\winlogon.exe	winlogon.exe
File created	C:\Windows\SysWOW64\config\winlogon.exe	winlogon.exe
File created	C:\Windows\SysWOW64\config\winlogon.exe	winlogon.exe
File created	C:\Windows\SysWOW64\config\winlogon.exe	winlogon.exe
File created	C:\Windows\SysWOW64\config\winlogon.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\config\winlogon.exe	META.EXE
File created	C:\Windows\SysWOW64\config\winlogon.exe	winlogon.exe
File created	C:\Windows\SysWOW64\config\winlogon.exe	winlogon.exe
File created	C:\Windows\SysWOW64\config\winlogon.exe	winlogon.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cVtwImhMO.jpg"	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 20 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Panel GUI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SYSTEM CONFIG.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	META.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
4620	netsh.exe
3172	cmd.exe

Suspicious behavior: EnumeratesProcesses 50 IoCs

pid	Process
4648	rundll32.exe
4648	rundll32.exe
4648	rundll32.exe
4648	rundll32.exe
4648	rundll32.exe
4648	rundll32.exe
4648	rundll32.exe
4648	rundll32.exe
4648	rundll32.exe
4648	rundll32.exe
4648	rundll32.exe
4648	rundll32.exe
4648	rundll32.exe
4648	rundll32.exe
4648	rundll32.exe
4648	rundll32.exe
4648	rundll32.exe
4648	rundll32.exe
4648	rundll32.exe
4648	rundll32.exe
4648	rundll32.exe
4648	rundll32.exe
4648	rundll32.exe
4648	rundll32.exe
4648	rundll32.exe
4648	rundll32.exe
4648	rundll32.exe
4648	rundll32.exe
4648	rundll32.exe
4648	rundll32.exe
4648	rundll32.exe
4648	rundll32.exe
4648	rundll32.exe
4648	rundll32.exe
4648	rundll32.exe
4648	rundll32.exe
4648	rundll32.exe
4648	rundll32.exe
4648	rundll32.exe
4648	rundll32.exe
4648	rundll32.exe
4648	rundll32.exe
4648	rundll32.exe
4648	rundll32.exe
4648	rundll32.exe
4648	rundll32.exe
4648	rundll32.exe
4648	rundll32.exe
4648	rundll32.exe
4648	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2380	7zFM.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeRestorePrivilege	2380	7zFM.exe
Token: 35	2380	7zFM.exe
Token: SeSecurityPrivilege	2380	7zFM.exe
Token: SeDebugPrivilege	3844	BUILDER.EXE
Token: SeDebugPrivilege	4648	rundll32.exe
Token: SeDebugPrivilege	692	SYSTEM CONFIG.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2380	7zFM.exe
2380	7zFM.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3552 wrote to memory of 3844	3552	Panel GUI.exe	82
PID 3552 wrote to memory of 3844	3552	Panel GUI.exe	82
PID 3552 wrote to memory of 812	3552	Panel GUI.exe	83
PID 3552 wrote to memory of 812	3552	Panel GUI.exe	83
PID 3552 wrote to memory of 812	3552	Panel GUI.exe	83
PID 3552 wrote to memory of 692	3552	Panel GUI.exe	84
PID 3552 wrote to memory of 692	3552	Panel GUI.exe	84
PID 3552 wrote to memory of 692	3552	Panel GUI.exe	84
PID 812 wrote to memory of 2908	812	META.EXE	85
PID 812 wrote to memory of 2908	812	META.EXE	85
PID 812 wrote to memory of 2908	812	META.EXE	85
PID 2908 wrote to memory of 1280	2908	winlogon.exe	86
PID 2908 wrote to memory of 1280	2908	winlogon.exe	86
PID 2908 wrote to memory of 1280	2908	winlogon.exe	86
PID 3844 wrote to memory of 4648	3844	BUILDER.EXE	87
PID 3844 wrote to memory of 4648	3844	BUILDER.EXE	87
PID 1280 wrote to memory of 1972	1280	winlogon.exe	88
PID 1280 wrote to memory of 1972	1280	winlogon.exe	88
PID 1280 wrote to memory of 1972	1280	winlogon.exe	88
PID 1972 wrote to memory of 2368	1972	winlogon.exe	89
PID 1972 wrote to memory of 2368	1972	winlogon.exe	89
PID 1972 wrote to memory of 2368	1972	winlogon.exe	89
PID 2368 wrote to memory of 960	2368	winlogon.exe	90
PID 2368 wrote to memory of 960	2368	winlogon.exe	90
PID 2368 wrote to memory of 960	2368	winlogon.exe	90
PID 960 wrote to memory of 1704	960	winlogon.exe	91
PID 960 wrote to memory of 1704	960	winlogon.exe	91
PID 960 wrote to memory of 1704	960	winlogon.exe	91
PID 1704 wrote to memory of 2108	1704	winlogon.exe	142
PID 1704 wrote to memory of 2108	1704	winlogon.exe	142
PID 1704 wrote to memory of 2108	1704	winlogon.exe	142
PID 2108 wrote to memory of 4784	2108	winlogon.exe	93
PID 2108 wrote to memory of 4784	2108	winlogon.exe	93
PID 2108 wrote to memory of 4784	2108	winlogon.exe	93
PID 4784 wrote to memory of 4628	4784	winlogon.exe	116
PID 4784 wrote to memory of 4628	4784	winlogon.exe	116
PID 4784 wrote to memory of 4628	4784	winlogon.exe	116
PID 4628 wrote to memory of 4480	4628	winlogon.exe	120
PID 4628 wrote to memory of 4480	4628	winlogon.exe	120
PID 4628 wrote to memory of 4480	4628	winlogon.exe	120
PID 4480 wrote to memory of 128	4480	winlogon.exe	96
PID 4480 wrote to memory of 128	4480	winlogon.exe	96
PID 4480 wrote to memory of 128	4480	winlogon.exe	96
PID 128 wrote to memory of 3140	128	winlogon.exe	97
PID 128 wrote to memory of 3140	128	winlogon.exe	97
PID 128 wrote to memory of 3140	128	winlogon.exe	97
PID 3140 wrote to memory of 1312	3140	winlogon.exe	98
PID 3140 wrote to memory of 1312	3140	winlogon.exe	98
PID 3140 wrote to memory of 1312	3140	winlogon.exe	98
PID 1312 wrote to memory of 4856	1312	winlogon.exe	99
PID 1312 wrote to memory of 4856	1312	winlogon.exe	99
PID 1312 wrote to memory of 4856	1312	winlogon.exe	99
PID 4856 wrote to memory of 2728	4856	winlogon.exe	101
PID 4856 wrote to memory of 2728	4856	winlogon.exe	101
PID 4856 wrote to memory of 2728	4856	winlogon.exe	101
PID 2728 wrote to memory of 2140	2728	winlogon.exe	102
PID 2728 wrote to memory of 2140	2728	winlogon.exe	102
PID 2728 wrote to memory of 2140	2728	winlogon.exe	102
PID 2140 wrote to memory of 3792	2140	winlogon.exe	103
PID 2140 wrote to memory of 3792	2140	winlogon.exe	103
PID 2140 wrote to memory of 3792	2140	winlogon.exe	103
PID 3792 wrote to memory of 4760	3792	winlogon.exe	251
PID 3792 wrote to memory of 4760	3792	winlogon.exe	251
PID 3792 wrote to memory of 4760	3792	winlogon.exe	251

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Meta.v3.0.cracked.rar"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2380

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:848

C:\Users\Admin\Desktop\Meta v3.0 cracked\Panel\Panel GUI.exe
"C:\Users\Admin\Desktop\Meta v3.0 cracked\Panel\Panel GUI.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3552
- C:\Users\Admin\AppData\Local\Temp\BUILDER.EXE
  "C:\Users\Admin\AppData\Local\Temp\BUILDER.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3844
- - C:\Users\Admin\AppData\Local\rundll32.exe
    "C:\Users\Admin\AppData\Local\rundll32.exe"
    3⤵
    - Executes dropped EXE
    - Sets desktop wallpaper using registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4648
- C:\Users\Admin\AppData\Local\Temp\META.EXE
  "C:\Users\Admin\AppData\Local\Temp\META.EXE"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:812
- - C:\Windows\SysWOW64\config\winlogon.exe
    "C:\Windows\system32\config\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2908
  - - C:\Windows\SysWOW64\config\winlogon.exe
      "C:\Windows\system32\config\winlogon.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1280
    - - C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1972
      - C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2368
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:960
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1704
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2108
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4784
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4628
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4480
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:128
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3140
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1312
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4856
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2728
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2140
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3792
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4760
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        21⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        22⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        23⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        24⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        25⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        26⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        27⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        28⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        29⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        30⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        31⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        32⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        33⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        34⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        35⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        36⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        37⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        38⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        39⤵
        
        PID:1184
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        40⤵
        
        PID:3852
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        41⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        42⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        43⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        44⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        45⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        46⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        47⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        48⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        49⤵
        
        PID:1288
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        50⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        51⤵
        
        PID:3808
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        52⤵
        
        PID:416
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        53⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        54⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        55⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        56⤵
        
        PID:340
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        57⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        58⤵
        
        PID:712
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        59⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        60⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        61⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        62⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        63⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        64⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        65⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        66⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        67⤵
        
        PID:672
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        68⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        69⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        70⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        71⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        72⤵
        
        PID:252
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        73⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        74⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        75⤵
        
        PID:956
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        76⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        77⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        78⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        79⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        80⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        81⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        82⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        83⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        84⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        85⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        86⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        87⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        88⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        89⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        90⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        91⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        92⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        93⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        94⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        95⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        96⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        97⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        98⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        99⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        100⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        101⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        102⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        103⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        104⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        105⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        106⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        107⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        108⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        109⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        110⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        111⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        112⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        113⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        114⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        115⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        116⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        117⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        118⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        119⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        120⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        121⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        122⤵
        
        PID:244
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        123⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        124⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        125⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        126⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        127⤵
        
        PID:3152
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        128⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        129⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        130⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        131⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        132⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        133⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        134⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        135⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        136⤵
        
        PID:4316
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        137⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        138⤵
        
        PID:568
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        139⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        140⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        141⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        142⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        143⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        144⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        145⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        146⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        147⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        148⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        149⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        150⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        151⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        152⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        153⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        154⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        155⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        156⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        157⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        158⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        159⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        160⤵
        
        PID:3808
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        161⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        162⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        163⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        164⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        165⤵
        
        PID:896
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        166⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        167⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        168⤵
        
        PID:4784
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        169⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        170⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        171⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\config\winlogon.exe
        
        "C:\Windows\system32\config\winlogon.exe"
        172⤵
        
        PID:4656
- C:\Users\Admin\AppData\Local\Temp\SYSTEM CONFIG.EXE
  "C:\Users\Admin\AppData\Local\Temp\SYSTEM CONFIG.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:692
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:3172
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      PID:488
  - - C:\Windows\SysWOW64\netsh.exe
      netsh wlan show profile
      4⤵
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:4620
  - - C:\Windows\SysWOW64\findstr.exe
      findstr All
      4⤵
      PID:1876
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
    3⤵
    PID:3480
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      PID:4436
  - - C:\Windows\SysWOW64\netsh.exe
      netsh wlan show networks mode=bssid
      4⤵
      PID:1328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BUILDER.EXE

Filesize
25KB

MD5
d58c2eb07d73be0bf7f5250fd9fc3fd4

SHA1
943bff3ed6c437e21da4f87ca01a8a8482d9e20c

SHA256
439f34b6d77b9a855d2222702c33e9a371d9049ed0b2efb73a250870a528543a

SHA512
ab7cfdd74a60d1f47757f1379a2c3e6f109e2fd1b1413bba929f9f3b3cc268bf6d3c7cecbbb809e42d79756b6dc994a127ab5828016168ef51e4a20c5f67969c

Download Submit
C:\Users\Admin\AppData\Local\Temp\META.EXE

Filesize
24KB

MD5
e76934f75af405d4bcd3e0a05c2d67f0

SHA1
149d8a1dc25dcf45bbe073c6ccd703986112fbca

SHA256
a703f8ce4fa6c99abf4f7452aa08fe6ed9e70e5222dc568210f282eb0360cae0

SHA512
b95c018224071e31f26a4ff8b4468ac4f1b733fa7f722af4d99594bd8f9668ed3066d73a8dcf909b4ad8faa2d08d6862fc2d3e4e833363cf736b3c15e5ac680a

Download Submit
C:\Users\Admin\AppData\Local\Temp\SYSTEM CONFIG.EXE

Filesize
226KB

MD5
1118383134df27d89ce8494a8689674d

SHA1
3a647a129b41442b9530d7a6246ef67542498f11

SHA256
f512ad1cd824f55f00459f371ac553c81c87e11b9e1ca3ac778139e90059aca2

SHA512
4a7ba4e519f0e95dcb4bae6d8824560c4527d5c1c41c53222242d0732765ee8195a5317dc73e87d3378548645671730ad771e345f43cbebe79900ec264aa0760

Download Submit
C:\Users\Admin\AppData\Local\c66e18ce0db1d1a60852026ec511a6cc\Admin@FEBLIQTI_en-US\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Local\c66e18ce0db1d1a60852026ec511a6cc\Admin@FEBLIQTI_en-US\System\Process.txt

Filesize
4KB

MD5
056cc74f389e114713c275fc23be9e6e

SHA1
0b6f5979f4ae4f707aca7866240fb402caaa1276

SHA256
d8286031a0ad1bda82aecbf7256f89ceafcf1bab4db6f60f9571e8690c0d33c3

SHA512
1e975344abf22c023fc01fb47e5608756cbd76e4514be0fc6d1cba05ce0fd1bbe5535d7fb83de75f697dcf5edc0a26e98766fde7b3bb937ed7d20bf5923ecb7f

Download Submit
C:\Users\Admin\Desktop\Meta v3.0 cracked\FAQ.txt

Filesize
14KB

MD5
3a7a104a15a2ad25c90973e760b9b8ad

SHA1
b2ecf775bbff16e4f79930ebf742396fa8903e52

SHA256
e7d908df98ffe710780f9fd77269adb77216f1449d4084d018c50e1b3cd3a4e4

SHA512
6018491f59ae341c37f21cdf2bebbb263cf42dffdd552860fcf8ae430da9b620af725ab12d0cb271b2a02d00e7a4d004c30117789ca8da7002da908ed598bbe3

Download Submit
C:\Users\Admin\Desktop\Meta v3.0 cracked\Panel\IF PANEL NOT WORKING\Builder.exe

Filesize
25KB

MD5
4756f792bca9c27fa6d559cacc9fb20a

SHA1
23a3859335ee71de88c3211ba55f8a23aacf3cd5

SHA256
169a6db1aeffa5065267e79bc5ba30afb3d0180e0c6a1057b00d8b0c6b50e2ba

SHA512
25246fe1f220d9ad57b8469f0fcc7d1189c041d224c8fda7560a26763bf741eec858ce6b96db513bbf9ba744e71caeb3364b5aa7d26b51428dc340aff0768248

Download Submit
C:\Users\Admin\Desktop\Meta v3.0 cracked\Panel\IF PANEL NOT WORKING\Meta.exe

Filesize
24KB

MD5
5d7c625e4d733ba202a78b1d7aee94e8

SHA1
d02551b44015aa2ff5e44066fb908e3a5cfcef92

SHA256
0f831d6ffde04c4b26a23de8e79c6bf3b5758a3b5bd9038f45914ab0507973d8

SHA512
f84f6a05527f6d1d517ff7264e2cea22b39d3341018ae5c99870becdfaa150698671ea639536d3e9bf19dfe65f004ec64dd350dced220b12da49de06c12bdda5

Download Submit
C:\Users\Admin\Desktop\Meta v3.0 cracked\Panel\Panel GUI.exe

Filesize
329KB

MD5
4a99128f0391d9a6bfa44ee0aae30321

SHA1
93c6a4fa4b52d9f895d52077078f3d9bd8ff0049

SHA256
4c70d9f44321b2d13cbb274de9b6d86b0404e797e1e2b08d4d6d3e08bb6c2eaa

SHA512
1a5d5c17cc2e170c507297f0a9327e6a633482fac148d29378046b692e9f005129bd0420e84dada96bfb25db341e117e814a2791210e6f85a079cf4f26a0573d

Download Submit
C:\Users\Admin\Desktop\Meta v3.0 cracked\Panel\Panel GUI.exe.config

Filesize
27KB

MD5
b4bc596d48f7b29422d115dd754fac67

SHA1
a9f64d4aedb2a6f4d689d36c815a5159ff7c4d76

SHA256
3f92ed1ac6bfa526bb7557796aa351b1e69dcd40c6a9559d0033bc732874026d

SHA512
7d345856d8d564fcaf3aa4a31bc2ef55c3284a5f9a002ccecd229536b67210d2f02fc4ca35ed127c42ea82115d1d1d297ec95f3dc19df4004db7e0d10276da13

Download Submit
C:\Users\Admin\Desktop\Meta v3.0 cracked\Panel\README.txt

Filesize
512B

MD5
fcbe5ba2f3a201b3f7f4b4c221df94db

SHA1
0ba0f8e8f6adae84a03a0df6b9104a7d132603d2

SHA256
c41607e353c5acd188a0fdd96adf280b0b505cc14a75b6ea705fd30f3a9251d7

SHA512
a1169e7fca1907f5a4b408dbec386beecf622e77a01cc696f5d18f028d3481c1862d2cd0d337d2ee4d6d8217756b91363045816dcddf56b3ca477699d74adc46

Download Submit
C:\Users\Admin\Desktop\Meta v3.0 cracked\Setup\Chrome.exe

Filesize
1.1MB

MD5
5589afa21cc658065d94a311ddca3a7d

SHA1
c5522d3a378da1db229e68d26fe7ca7d04940bdd

SHA256
0a55de5d6673170c66bc6164931f8f4229188bc94bb314aec46151d70225480e

SHA512
6e77fa41ccff18a3f40b2afe017fddcfab8091e752400a0269d6ac49c483ca877b13e7039634e848abde57df72987b46ee87e9cd2f30fb83d08369992938f034

Download Submit
C:\Users\Admin\Desktop\Meta v3.0 cracked\Setup\KeyCreator.exe

Filesize
707KB

MD5
0f2abb66f03c6736001f30ae6af5e1b0

SHA1
615627a87e26ed7f63519f5f21390da0b8c1f69e

SHA256
9b39e5fcbd2771294a531eca5f16724a2fb375c5b5e2248f717b4d7b308b1190

SHA512
b3f9715a7e7ad24dc42304ffa2586e1b9612a279f7b0a1849e62f05e2ffbfdd982e42bbc52327a1cb58289a4310abe9f6003703e46e78f609c42ab9fc4178e88

Download Submit
C:\Users\Admin\Desktop\Meta v3.0 cracked\Setup\NetFramework48.exe

Filesize
1.4MB

MD5
e1b23f12576a4fdf7c763ef9f67bb655

SHA1
d9959d764ed298dba8f5f179eb46758a21916f60

SHA256
5420e97ed86d384b9aa4281c652fe0c912cfe634de7df6f0f3f5aa4a18f69e43

SHA512
0f3bb1c950a06d7d887f7a8c8f247940da4d06f54401b8d91449fb83c8fdec3324a65c8301125d564e448edc4b81cedbe5ffa840e8c338dfc2a2de220e2964bb

Download Submit
C:\Users\Admin\Desktop\Meta v3.0 cracked\Setup\WinRar.exe

Filesize
3.2MB

MD5
a73a605d29fe8cec1582a9a05cb061f8

SHA1
4fe2092e6d23114fe718cbf76994f5704b597a94

SHA256
13891080c43c4374bd7cbcc728b06d72b273c4ed66b5b8ccb722ef7e0fa075d8

SHA512
e103f063d01ab87ab339e9295783a0218ab4dfc19685c2c9a120e653d6e8f72ae7f3f999db222bef0648b132a013415678d5c0751dee26374bedc2e0e83cd5d0

Download Submit
C:\Users\Admin\Documents\Readme.txt

Filesize
1KB

MD5
1b4e320e3ba3745c7019252400e98940

SHA1
2af029ed5fddeb22badae337045f1b8d13e17017

SHA256
01f8f522371771f37f77df3152ccd3f2d12d8ea5437b4f3812d4ae9e1db29325

SHA512
4f231ecc038ceb6d3f1623e20a15f9e8e139aa637080070d91f26a386308ef968c3a4a0cf46270164e228845fce91c9e2221ad01c7f639f7f3e9e49bb5b9f42f

Download Submit
memory/128-377-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/252-604-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/340-572-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/416-565-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/672-594-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/692-545-0x0000000005600000-0x0000000005666000-memory.dmp

Filesize
408KB

Download
memory/692-75-0x0000000000CA0000-0x0000000000CDE000-memory.dmp

Filesize
248KB

Download
memory/712-576-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/812-50-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/812-63-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/956-653-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/956-668-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/960-186-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/960-211-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1012-503-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1104-511-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1128-590-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1184-531-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1184-527-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1240-540-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1280-82-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1288-559-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1312-453-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1408-555-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1420-553-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1488-581-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1532-548-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1536-681-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1552-596-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1612-519-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1612-522-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1676-570-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1704-208-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1704-240-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1900-479-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1936-592-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1972-173-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2032-689-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2056-588-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2108-269-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2108-574-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2140-463-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2140-458-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2144-693-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2368-171-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2368-188-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2420-598-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2440-491-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2464-686-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2560-568-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2728-460-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2840-476-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2848-485-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2908-69-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2988-482-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3012-586-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3012-582-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3112-698-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3112-694-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3140-414-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3792-468-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3808-563-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3828-557-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3828-561-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3844-44-0x0000000000CB0000-0x0000000000CBC000-memory.dmp

Filesize
48KB

Download
memory/3848-494-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3852-534-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3852-529-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3916-474-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4032-526-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4032-523-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4032-600-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4036-537-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4040-488-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4048-577-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4480-513-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4480-344-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4480-518-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4524-500-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4568-497-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4608-584-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4628-505-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4628-302-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4660-602-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4688-551-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4752-543-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4752-541-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4760-466-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4760-679-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4760-471-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4784-270-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4784-285-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4788-508-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4804-515-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4848-567-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4852-556-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4856-456-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4892-606-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5004-701-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5008-579-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5016-649-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download