44caliber | hxxps://mega[.]nz/file/uSphgLgb#69aDrgtQ9tl8A82nUBWtqbVv1eVzsJYA8nH14y3Vyyk

Analysis

max time kernel
280s
max time network
278s
platform
windows10-ltsc_2021_x64
resource
win10ltsc2021-20250314-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250314-enlocale:en-usos:windows10-ltsc_2021-x64system
submitted
02/04/2025, 12:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/file/uSphgLgb#69aDrgtQ9tl8A82nUBWtqbVv1eVzsJYA8nH14y3Vyyk

Score

10^/10

44caliber xworm discovery persistence privilege_escalation pyinstaller rat spyware stealer trojan upx

Malware Config

Extracted

Family

xworm

127.0.0.1:16843

animal-premium.gl.at.ply.gg:16843

Attributes

Install_directory
%AppData%
install_file
svhost.exe

Extracted

Family

44caliber

https://discord.com/api/webhooks/1355968893453336801/MF72-4a-KZBP8oGrrbhLSD9XFGhNcZ7mDsIbWQyt_AVrZQXQ1aLujjdsWamWBDTUeX7X

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
44Caliber family
44caliber

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000028274-496.dat	family_xworm
behavioral1/memory/3880-509-0x00000000006E0000-0x00000000006F8000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Executes dropped EXE 4 IoCs

pid	Process
4548	Cheat.exe
4456	Cheat.exe
3880	svhost.exe
1444	Insidious.exe

Loads dropped DLL 48 IoCs

pid	Process
4456	Cheat.exe
4456	Cheat.exe
4456	Cheat.exe
4456	Cheat.exe
4456	Cheat.exe
4456	Cheat.exe
4456	Cheat.exe
4456	Cheat.exe
4456	Cheat.exe
4456	Cheat.exe
4456	Cheat.exe
4456	Cheat.exe
4456	Cheat.exe
4456	Cheat.exe
4456	Cheat.exe
4456	Cheat.exe
4456	Cheat.exe
4456	Cheat.exe
4456	Cheat.exe
4456	Cheat.exe
4456	Cheat.exe
4456	Cheat.exe
4456	Cheat.exe
4456	Cheat.exe
4456	Cheat.exe
4456	Cheat.exe
4456	Cheat.exe
4456	Cheat.exe
4456	Cheat.exe
4456	Cheat.exe
4456	Cheat.exe
4456	Cheat.exe
4456	Cheat.exe
4456	Cheat.exe
4456	Cheat.exe
4456	Cheat.exe
4456	Cheat.exe
4456	Cheat.exe
4456	Cheat.exe
4456	Cheat.exe
4456	Cheat.exe
4456	Cheat.exe
4456	Cheat.exe
4456	Cheat.exe
4456	Cheat.exe
4456	Cheat.exe
4456	Cheat.exe
4456	Cheat.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 5 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
79	ipinfo.io
80	ipinfo.io
82	ip-api.com
85	freegeoip.app
86	freegeoip.app

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000028257-417.dat	upx
behavioral1/memory/4456-421-0x00007FFEF1EA0000-0x00007FFEF230E000-memory.dmp	upx
behavioral1/files/0x0007000000028229-427.dat	upx
behavioral1/memory/4456-429-0x00007FFF0CD10000-0x00007FFF0CD34000-memory.dmp	upx
behavioral1/files/0x0007000000028248-430.dat	upx
behavioral1/files/0x0007000000028227-431.dat	upx
behavioral1/memory/4456-437-0x00007FFF0A530000-0x00007FFF0A55D000-memory.dmp	upx
behavioral1/files/0x000700000002822c-436.dat	upx
behavioral1/memory/4456-435-0x00007FFF0C0D0000-0x00007FFF0C0E9000-memory.dmp	upx
behavioral1/memory/4456-433-0x00007FFF0EF70000-0x00007FFF0EF7F000-memory.dmp	upx
behavioral1/files/0x0007000000028232-454.dat	upx
behavioral1/files/0x0007000000028230-452.dat	upx
behavioral1/files/0x0007000000028231-453.dat	upx
behavioral1/files/0x000700000002825b-457.dat	upx
behavioral1/files/0x000700000002825a-463.dat	upx
behavioral1/memory/4456-470-0x00007FFF05880000-0x00007FFF058AE000-memory.dmp	upx
behavioral1/memory/4456-473-0x00007FFF048A0000-0x00007FFF048CB000-memory.dmp	upx
behavioral1/files/0x0007000000028269-471.dat	upx
behavioral1/memory/4456-478-0x00007FFF02FB0000-0x00007FFF03068000-memory.dmp	upx
behavioral1/files/0x0007000000028249-477.dat	upx
behavioral1/memory/4456-479-0x00007FFEF1B20000-0x00007FFEF1E95000-memory.dmp	upx
behavioral1/memory/4456-476-0x00007FFF04870000-0x00007FFF0489E000-memory.dmp	upx
behavioral1/memory/4456-475-0x00007FFF0CD10000-0x00007FFF0CD34000-memory.dmp	upx
behavioral1/memory/4456-469-0x00007FFF03070000-0x00007FFF0312C000-memory.dmp	upx
behavioral1/memory/4456-468-0x00007FFF0A170000-0x00007FFF0A17D000-memory.dmp	upx
behavioral1/memory/4456-467-0x00007FFEF1EA0000-0x00007FFEF230E000-memory.dmp	upx
behavioral1/files/0x0007000000028259-466.dat	upx
behavioral1/files/0x000700000002822f-461.dat	upx
behavioral1/memory/4456-460-0x00007FFF0A4F0000-0x00007FFF0A524000-memory.dmp	upx
behavioral1/files/0x0007000000028255-459.dat	upx
behavioral1/memory/4456-458-0x00007FFF0C0C0000-0x00007FFF0C0CD000-memory.dmp	upx
behavioral1/memory/4456-456-0x00007FFF0C060000-0x00007FFF0C079000-memory.dmp	upx
behavioral1/files/0x000700000002822e-450.dat	upx
behavioral1/files/0x000700000002822d-449.dat	upx
behavioral1/files/0x000700000002822b-448.dat	upx
behavioral1/files/0x000700000002822a-447.dat	upx
behavioral1/files/0x0007000000028228-446.dat	upx
behavioral1/files/0x0007000000028226-445.dat	upx
behavioral1/files/0x0007000000028266-443.dat	upx
behavioral1/files/0x0007000000028265-442.dat	upx
behavioral1/files/0x0007000000028247-438.dat	upx
behavioral1/memory/4456-481-0x00007FFF05AE0000-0x00007FFF05AF5000-memory.dmp	upx
behavioral1/memory/4456-480-0x00007FFF0A530000-0x00007FFF0A55D000-memory.dmp	upx
behavioral1/memory/4456-483-0x00007FFF05C60000-0x00007FFF05C70000-memory.dmp	upx
behavioral1/memory/4456-482-0x00007FFF0C060000-0x00007FFF0C079000-memory.dmp	upx
behavioral1/memory/4456-484-0x00007FFF05720000-0x00007FFF05734000-memory.dmp	upx
behavioral1/memory/4456-485-0x00007FFF055A0000-0x00007FFF055BF000-memory.dmp	upx
behavioral1/memory/4456-487-0x00007FFF02E30000-0x00007FFF02FA1000-memory.dmp	upx
behavioral1/memory/4456-486-0x00007FFF03070000-0x00007FFF0312C000-memory.dmp	upx
behavioral1/memory/4456-491-0x00007FFF05870000-0x00007FFF05880000-memory.dmp	upx
behavioral1/memory/4456-488-0x00007FFF05880000-0x00007FFF058AE000-memory.dmp	upx
behavioral1/memory/4456-502-0x00007FFF02DF0000-0x00007FFF02E27000-memory.dmp	upx
behavioral1/memory/4456-501-0x00007FFF04870000-0x00007FFF0489E000-memory.dmp	upx
behavioral1/memory/4456-500-0x00007FFF033C0000-0x00007FFF033DC000-memory.dmp	upx
behavioral1/memory/4456-499-0x00007FFF05260000-0x00007FFF0526A000-memory.dmp	upx
behavioral1/memory/4456-511-0x00007FFF03310000-0x00007FFF0331B000-memory.dmp	upx
behavioral1/memory/4456-510-0x00007FFF02FB0000-0x00007FFF03068000-memory.dmp	upx
behavioral1/memory/4456-518-0x00007FFEFE710000-0x00007FFEFE71B000-memory.dmp	upx
behavioral1/memory/4456-522-0x00007FFF05C60000-0x00007FFF05C70000-memory.dmp	upx
behavioral1/memory/4456-521-0x00007FFEFC730000-0x00007FFEFC73D000-memory.dmp	upx
behavioral1/memory/4456-520-0x00007FFEFC740000-0x00007FFEFC74D000-memory.dmp	upx
behavioral1/memory/4456-519-0x00007FFF05AE0000-0x00007FFF05AF5000-memory.dmp	upx
behavioral1/memory/4456-517-0x00007FFF02D60000-0x00007FFF02D6B000-memory.dmp	upx
behavioral1/memory/4456-516-0x00007FFF02D70000-0x00007FFF02D7B000-memory.dmp	upx

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x000a0000000281e5-306.dat	pyinstaller

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 1 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
3584	netsh.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	chrome.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
4764	systeminfo.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133880697210584547"	chrome.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1709934376-1871646940-4254144759-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428\Children	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1709934376-1871646940-4254144759-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1709934376-1871646940-4254144759-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1709934376-1871646940-4254144759-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428\DisplayName = "Chrome Sandbox"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1709934376-1871646940-4254144759-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428\Moniker = "cr.sb.odm3E4D1A088C1F6D498C84F3C86DE73CE49F82A104"	chrome.exe

Suspicious behavior: EnumeratesProcesses 43 IoCs

pid	Process
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
6068	chrome.exe
6068	chrome.exe
3952	wmic.exe
3952	wmic.exe
3952	wmic.exe
3952	wmic.exe
4068	powershell.exe
4068	powershell.exe
5968	powershell.exe
5968	powershell.exe
5212	7zFM.exe
5212	7zFM.exe
1444	Insidious.exe
1444	Insidious.exe
1444	Insidious.exe
1444	Insidious.exe
5212	7zFM.exe
5212	7zFM.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5212	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeCreatePagefilePrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeCreatePagefilePrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeCreatePagefilePrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeCreatePagefilePrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeCreatePagefilePrivilege	1672	chrome.exe
Token: 33	2972	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2972	AUDIODG.EXE
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeCreatePagefilePrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeCreatePagefilePrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeCreatePagefilePrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeCreatePagefilePrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeCreatePagefilePrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeCreatePagefilePrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeCreatePagefilePrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeCreatePagefilePrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeCreatePagefilePrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeCreatePagefilePrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeCreatePagefilePrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeCreatePagefilePrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeCreatePagefilePrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeCreatePagefilePrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeCreatePagefilePrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeCreatePagefilePrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeCreatePagefilePrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeCreatePagefilePrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeCreatePagefilePrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeCreatePagefilePrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeCreatePagefilePrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeCreatePagefilePrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeCreatePagefilePrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeCreatePagefilePrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeCreatePagefilePrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeCreatePagefilePrivilege	1672	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
5212	7zFM.exe
5212	7zFM.exe
5212	7zFM.exe
5212	7zFM.exe
5212	7zFM.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe

Suspicious use of SendNotifyMessage 56 IoCs

pid	Process
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe
3968	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1672 wrote to memory of 4032	1672	chrome.exe	82
PID 1672 wrote to memory of 4032	1672	chrome.exe	82
PID 1672 wrote to memory of 5944	1672	chrome.exe	83
PID 1672 wrote to memory of 5944	1672	chrome.exe	83
PID 1672 wrote to memory of 5944	1672	chrome.exe	83
PID 1672 wrote to memory of 5944	1672	chrome.exe	83
PID 1672 wrote to memory of 5944	1672	chrome.exe	83
PID 1672 wrote to memory of 5944	1672	chrome.exe	83
PID 1672 wrote to memory of 5944	1672	chrome.exe	83
PID 1672 wrote to memory of 5944	1672	chrome.exe	83
PID 1672 wrote to memory of 5944	1672	chrome.exe	83
PID 1672 wrote to memory of 5944	1672	chrome.exe	83
PID 1672 wrote to memory of 5944	1672	chrome.exe	83
PID 1672 wrote to memory of 5944	1672	chrome.exe	83
PID 1672 wrote to memory of 5944	1672	chrome.exe	83
PID 1672 wrote to memory of 5944	1672	chrome.exe	83
PID 1672 wrote to memory of 5944	1672	chrome.exe	83
PID 1672 wrote to memory of 5944	1672	chrome.exe	83
PID 1672 wrote to memory of 5944	1672	chrome.exe	83
PID 1672 wrote to memory of 5944	1672	chrome.exe	83
PID 1672 wrote to memory of 5944	1672	chrome.exe	83
PID 1672 wrote to memory of 5944	1672	chrome.exe	83
PID 1672 wrote to memory of 5944	1672	chrome.exe	83
PID 1672 wrote to memory of 5944	1672	chrome.exe	83
PID 1672 wrote to memory of 5944	1672	chrome.exe	83
PID 1672 wrote to memory of 5944	1672	chrome.exe	83
PID 1672 wrote to memory of 5944	1672	chrome.exe	83
PID 1672 wrote to memory of 5944	1672	chrome.exe	83
PID 1672 wrote to memory of 5944	1672	chrome.exe	83
PID 1672 wrote to memory of 5944	1672	chrome.exe	83
PID 1672 wrote to memory of 5944	1672	chrome.exe	83
PID 1672 wrote to memory of 5944	1672	chrome.exe	83
PID 1672 wrote to memory of 4420	1672	chrome.exe	84
PID 1672 wrote to memory of 4420	1672	chrome.exe	84
PID 1672 wrote to memory of 2024	1672	chrome.exe	85
PID 1672 wrote to memory of 2024	1672	chrome.exe	85
PID 1672 wrote to memory of 2024	1672	chrome.exe	85
PID 1672 wrote to memory of 2024	1672	chrome.exe	85
PID 1672 wrote to memory of 2024	1672	chrome.exe	85
PID 1672 wrote to memory of 2024	1672	chrome.exe	85
PID 1672 wrote to memory of 2024	1672	chrome.exe	85
PID 1672 wrote to memory of 2024	1672	chrome.exe	85
PID 1672 wrote to memory of 2024	1672	chrome.exe	85
PID 1672 wrote to memory of 2024	1672	chrome.exe	85
PID 1672 wrote to memory of 2024	1672	chrome.exe	85
PID 1672 wrote to memory of 2024	1672	chrome.exe	85
PID 1672 wrote to memory of 2024	1672	chrome.exe	85
PID 1672 wrote to memory of 2024	1672	chrome.exe	85
PID 1672 wrote to memory of 2024	1672	chrome.exe	85
PID 1672 wrote to memory of 2024	1672	chrome.exe	85
PID 1672 wrote to memory of 2024	1672	chrome.exe	85
PID 1672 wrote to memory of 2024	1672	chrome.exe	85
PID 1672 wrote to memory of 2024	1672	chrome.exe	85
PID 1672 wrote to memory of 2024	1672	chrome.exe	85
PID 1672 wrote to memory of 2024	1672	chrome.exe	85
PID 1672 wrote to memory of 2024	1672	chrome.exe	85
PID 1672 wrote to memory of 2024	1672	chrome.exe	85
PID 1672 wrote to memory of 2024	1672	chrome.exe	85
PID 1672 wrote to memory of 2024	1672	chrome.exe	85
PID 1672 wrote to memory of 2024	1672	chrome.exe	85
PID 1672 wrote to memory of 2024	1672	chrome.exe	85
PID 1672 wrote to memory of 2024	1672	chrome.exe	85
PID 1672 wrote to memory of 2024	1672	chrome.exe	85
PID 1672 wrote to memory of 2024	1672	chrome.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://mega.nz/file/uSphgLgb#69aDrgtQ9tl8A82nUBWtqbVv1eVzsJYA8nH14y3Vyyk
1⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x21c,0x220,0x224,0x1f8,0x228,0x7fff04d6dcf8,0x7fff04d6dd04,0x7fff04d6dd10
  2⤵
  PID:4032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1952,i,6508639767825911448,4431731893579695277,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=1948 /prefetch:2
  2⤵
  PID:5944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1500,i,6508639767825911448,4431731893579695277,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2232 /prefetch:3
  2⤵
  PID:4420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2368,i,6508639767825911448,4431731893579695277,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2380 /prefetch:8
  2⤵
  PID:2024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3168,i,6508639767825911448,4431731893579695277,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3192 /prefetch:1
  2⤵
  PID:2920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3196,i,6508639767825911448,4431731893579695277,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3240 /prefetch:1
  2⤵
  PID:3256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4304,i,6508639767825911448,4431731893579695277,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4252 /prefetch:2
  2⤵
  PID:3704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5176,i,6508639767825911448,4431731893579695277,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5216 /prefetch:8
  2⤵
  PID:1832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=5340,i,6508639767825911448,4431731893579695277,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5368 /prefetch:1
  2⤵
  PID:996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5168,i,6508639767825911448,4431731893579695277,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5668 /prefetch:8
  2⤵
  PID:4584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6004,i,6508639767825911448,4431731893579695277,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5916 /prefetch:8
  2⤵
  PID:3912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6176,i,6508639767825911448,4431731893579695277,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=6212 /prefetch:8
  2⤵
  PID:236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6184,i,6508639767825911448,4431731893579695277,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=6188 /prefetch:8
  2⤵
  PID:1412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6228,i,6508639767825911448,4431731893579695277,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=6248 /prefetch:8
  2⤵
  PID:4464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=5688,i,6508639767825911448,4431731893579695277,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=1148 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=on_device_model.mojom.OnDeviceModelService --lang=en-US --service-sandbox-type=on_device_model_execution --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5844,i,6508639767825911448,4431731893579695277,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5820 /prefetch:8
  2⤵
  PID:640

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:2724

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3692

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x43c 0x2ec
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2972

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:760

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\jjsploit.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:5212
- C:\Users\Admin\AppData\Local\Temp\7zOC54965F8\Cheat.exe
  "C:\Users\Admin\AppData\Local\Temp\7zOC54965F8\Cheat.exe"
  2⤵
  - Executes dropped EXE
  PID:4548
- - C:\Users\Admin\AppData\Local\Temp\7zOC54965F8\Cheat.exe
    "C:\Users\Admin\AppData\Local\Temp\7zOC54965F8\Cheat.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4456
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ver"
      4⤵
      PID:5956
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get uuid
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3952
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4068
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5968
  - - C:\Windows\SYSTEM32\whoami.exe
      whoami
      4⤵
      PID:2940
  - - C:\Windows\SYSTEM32\whoami.exe
      whoami
      4⤵
      PID:5868
  - - C:\Windows\SYSTEM32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:4764
  - - C:\Windows\SYSTEM32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:3584
- C:\Users\Admin\AppData\Local\Temp\7zOC543344B\svhost.exe
  "C:\Users\Admin\AppData\Local\Temp\7zOC543344B\svhost.exe"
  2⤵
  - Executes dropped EXE
  PID:3880
- C:\Users\Admin\AppData\Local\Temp\7zOC549606B\Insidious.exe
  "C:\Users\Admin\AppData\Local\Temp\7zOC549606B\Insidious.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1444

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4467_none_7e0f83e07c8c1985\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4467_none_7e0f83e07c8c1985\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:4024

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
b0d9963fb17f40ef39dbc9197497d48c

SHA1
b06a87b0a556d2349335ec7a53d0d3ab761efa97

SHA256
362da4fddb5eb5e8417b93d3610ed2d0426b8d4cecb43de102ef0b6d37a58a02

SHA512
0cc36c6bbb7f09a4395c0e1abbf9d207e874cdd138885b8f3d64c57075dc4148e14c0e01350b2f79e59f10a6834c77774731dbe8045caf31a508ecff8710ba17

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
5b1f1b83147cda39b607873d22cac55c

SHA1
0dd587c5435dbb89664f601e996b10c06c9cc4d3

SHA256
72f2c1a652c4b723c686cfff13dd8dcc83e353ef4561130f5b41ce7dd78d21ee

SHA512
8c4101c076b6c9e11f61f7695185cd87dcc229fbbd0685241c0ac12956a62af3b29c53c4957201acce468d38198bbbd8f6c1baa23317cd473a3d780ae1efae09

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\000\p\Paths\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
876977270e11885c88a0cf68594d2b53

SHA1
fea2dffe9951cc3c1ac8e8945907b93a91280bff

SHA256
00b6f3fb7b9b6ff5eb64ee3b2161b5e85609ea89b44fac86d9f9ac50d4964f7f

SHA512
62587919ca6a78db6dcb8e2c7a6ee75e9133b6007c04275d3a2fc0e8d2e9c86edd330ba42b779b5bcca8d34661323d6c0c8d9bfda60a89634e1e529ad73f414e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
75e1fa673cf6ad97f683034b43836c61

SHA1
31456bd07c6d5a5e567d3ad7f2b5fa1b547e1baf

SHA256
44883660e6a631061071ca0c6d31346c42cedc0c306ddbdf7931f209542948f7

SHA512
b6dd368dc964fd84e4352ac82132da0585218d353974dbf5e3bc1082ef2751c59d9b7007aa4976e9e4b4cef038a482a2c5660089051fb12a4025f59645f25f0d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
aa558d1a28aa0d371b9ee483c3e30c69

SHA1
fff3161a325ac33a1501e9acb33c936ac6307da7

SHA256
52be37a0e3dd5c02b0348a2ad8e9efd623619bf6f28b214205d7bf70de38ac35

SHA512
a35d4a35adf0d526272478cc1fc1c108495988150b2807033ffd42423c7a63c9b15c80883d61ce01ca905eabefc989300757ff57084b40fefa5abda208ca40bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
ffadd2e6992bf4f9a600acce3ed6b14c

SHA1
b9e6a165efc994093c90a60fe52e94b38ef2dda4

SHA256
ed643663baf223816ae8f9729bdd66717728667589b9647b6ef870f86974e80a

SHA512
c2d28465300f630be94a87c2b930fcd8fb5319e5d661ba8a30ef1650bcb337d712fcb75888b5689616f2ec0bbccf625298ad435900e540854dd4ca3f05291078

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
76f0edfba841a22c5f04b62b0db88e40

SHA1
17e364fb2371ed24e7af6989ef6603bc8851e9fb

SHA256
05c183c211ddbb5b7c6d8df8e23a3f1d0e1bb2b9908fc15ec87935e9f99ca440

SHA512
d12c684123a471f3854f534be8d0f69be1d5ff4d334272c78f444185a6e2fb47e4aeaac4874dbedc62f77ae5ba115c34756f0d9cdb5b0ec7c44dd40ee0c664c1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
1b903f53bdca84c267ec4afbaaebee53

SHA1
74cac0a6ce8fd140273dc79e5e8f5b6c5c56c568

SHA256
412f26d839fdb17189088269ccffca82d864a9912fb0604d0c531f87403daf53

SHA512
aa5b654340a81741f2f7df36b5f09ec593afc807298077b74200c4475ba08b9f719dfa6d44e675b25e941d9e64c1850bb8584a1f3a7545b32b6fbd67d0b5da45

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
723ca46f3918cf7cd5435b0bbee1413d

SHA1
75581f927c2c6fa3d48dd93a7aa9c3a364067487

SHA256
06d393ffb9398f07c5a183d1aad7994d1ef36318961ca59b7021c1a9cbcab108

SHA512
594661c8b3b4423fbfe1d5c24f28bf025b8ffe14d89ca92807b2b426bda4ad650349d0bb621d7c74ec833ce39261d339b6b7ad097009e39dfc5225858a8031b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe579ea1.TMP

Filesize
48B

MD5
b213d6b34b03389cd1c3aa9a08e389d4

SHA1
8ade0f90194b6e8f930b2ad5ac61ec6e72cc5271

SHA256
d1b80990fb603ebb04667ec76fcc54fe5fcb0034dfb49b2acd3bf650794e02bd

SHA512
1849eb96d6daab95836f86400faf939390314883310e24a1cbbc7e8f42a6f8d0e4cc1334a2d2d8eaf6797c0354ca9d19a4e026c0d7340f8d3a33136949885d26

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
81KB

MD5
b267caf258e874ed62f92a4a7bb1753a

SHA1
0c5ec502e9efcefb0eef380b5f5685a647407380

SHA256
921f376abe9d52f31eb975a0951efaba3d7664fae4fa3ba48a27bd802f160588

SHA512
19a0c446da5e6b2157e6bee8170b15221060515bbe2010c596aee69bf3541fc9d7cb53a768ebe0cb895f45a866e3c2aa12e56db4aa79d785d31508a8f867578e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
80KB

MD5
495987b5a1c1db0f5d068d5386ca0e4e

SHA1
190e3eafe7f00fe435c455dcf108c848b3649d8f

SHA256
0b5d93de5bddd9125cc69b1148989bd675fb8ac95f2f12e87cefc6cbdc187018

SHA512
5db617ba347ea51c2c909851e0d01ff452fda8d9180de32e9a8ca80d536b9d524007b42a46317c9307dfb47260efc9add3ac12fdf9b31294a2b448dabb211495

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
81KB

MD5
0ec44de4193c5844f0f3bd34ef5ec3ec

SHA1
760f26c32f3b9d0c60e9f2b2dabc8f0c85c524aa

SHA256
0bdceaeff7ac33670d8b53a6a95d15fe96f6296461ecf727694bc71ce1798212

SHA512
e1e608d492fd26d7e02456912c2143f992721f195285f9228eee42be84651d608af09af5ad520ada9affd5b122f820d0b985ff45e6de4a335b23b44c74aae2fa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
81KB

MD5
d344879f5ed3ee75814c57b0572b846f

SHA1
f772169b8e21e6de586afa23aabfbe60cd8b53cc

SHA256
f070587e8419cea9ac5f60c4f534d128644bfe9ec0bfbba4fe7134b9364ea071

SHA512
e9c6d864dc6573376e017f331acca5ed842e567ace86a6e6df8e862f5fef465784f8b87a224c67d62c0d6cfd3494c6371becdab160376e4d425a7fe78f13a1ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zOC543344B\svhost.exe

Filesize
70KB

MD5
20069815a0ef59f796a80fa65a737916

SHA1
0fd74bdf139a61ffa9a86165dd4dac980efe55b5

SHA256
afb37a371f37994254d949cfd2ef25379eddc16d9b95a61c3adff01a3c204b8b

SHA512
38015a0f9c7b6ba68b1c84c32e614bcc9130c0d1d2b1b50ff65bbd76db0604def9cb1d53f9a98eb67917a02458a1f82221100444566b55138a42c736da12c95e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zOC549606B\Insidious.exe

Filesize
303KB

MD5
204ea9ea63131655135566491e07846b

SHA1
ce435d561e01eb5d9c8b997bede72dc390921dde

SHA256
62f55b973e80db8412fa28b45d5c4b0b944bed8b1aeaf7df0c57c921bb56d9f9

SHA512
74a86373bca561d042a4bed1b2067cdca8959f616dda8ebda21b4e1788dbbac2bc2e971f4578757590f77d1a3f61d77aee2d2ebce3a46190191dd391ab792d0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zOC54965F8\Cheat.exe

Filesize
15.7MB

MD5
a8527331303a43777ae761f7f808854b

SHA1
88f235846d2751f65ea8744a24e437b4e8cad031

SHA256
9b83443a56fa467531fb907206d3062285fb18db6a873271bf4a669d792f6162

SHA512
486f060df4e1684621efc3a27d0597ab20403b68eb4b77cf8a5adb38fc39911518eef2bfaecf475a638c799d512cc5ad3a136fa82a1da495b7cde79447b64b94

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45482\VCRUNTIME140.dll

Filesize
106KB

MD5
870fea4e961e2fbd00110d3783e529be

SHA1
a948e65c6f73d7da4ffde4e8533c098a00cc7311

SHA256
76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644

SHA512
0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45482\VCRUNTIME140_1.dll

Filesize
48KB

MD5
bba9680bc310d8d25e97b12463196c92

SHA1
9a480c0cf9d377a4caedd4ea60e90fa79001f03a

SHA256
e0b66601cc28ecb171c3d4b7ac690c667f47da6b6183bff80604c84c00d265ab

SHA512
1575c786ac3324b17057255488da5f0bc13ad943ac9383656baf98db64d4ec6e453230de4cd26b535ce7e8b7d41a9f2d3f569a0eff5a84aeb1c2f9d6e3429739

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45482\_asyncio.pyd

Filesize
34KB

MD5
233f9c811b60c49e06d453977fc41c65

SHA1
97ffeae5938c919c0733e4b60c79a47a1b173ac7

SHA256
548baa872c4f1031bc0a77813629c6ecb864e4ab2f653b221be6a7baf2e1fc83

SHA512
46c7172e37a019987ec5844913823211f84a093faea8a2d7fd5727486ab79886ea0898b19bed18cb7af9022febdaafa7e154cdba42423834208531bf79f58e94

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45482\_bz2.pyd

Filesize
46KB

MD5
93fe6d3a67b46370565db12a9969d776

SHA1
ff520df8c24ed8aa6567dd0141ef65c4ea00903b

SHA256
92ec61ca9ac5742e0848a6bbb9b6b4cda8e039e12ab0f17fb9342d082dde471b

SHA512
5c91b56198a8295086c61b4f4e9f16900a7ec43ca4b84e793bc8a3fc8676048cab576e936515bf2971318c7847f1314674b3336fe83b1734f9f70d09615519ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45482\_cffi_backend.cp310-win_amd64.pyd

Filesize
71KB

MD5
33679f89426aa4adc27389505a53d468

SHA1
9fb8c15a9634e1a38c9f46dd9c9d375af03e3308

SHA256
4c224fecc1c848c56bb5c75a7bdf0f9712892929dcfd8cb663389a76e948b519

SHA512
bca8aba7a71ef4361ac57fe43a2401fac0b2c9f25e83486929373664bef6e00377da9d8c36db69337d3fa0b6aaebcf6fe1e94e4a7c7e8d8e40d463e1d23e86b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45482\_ctypes.pyd

Filesize
56KB

MD5
813fc3981cae89a4f93bf7336d3dc5ef

SHA1
daff28bcd155a84e55d2603be07ca57e3934a0de

SHA256
4ac7fb7b354069e71ebf7fcc193c0f99af559010a0ad82a03b49a92deb0f4d06

SHA512
ce93f21b315d96fde96517a7e13f66aa840d4ad1c6e69e68389e235e43581ad543095582ebcb9d2c6dda11c17851b88f5b1ed1d59d354578fe27e7299bbea1cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45482\_decimal.pyd

Filesize
103KB

MD5
f65d2fed5417feb5fa8c48f106e6caf7

SHA1
9260b1535bb811183c9789c23ddd684a9425ffaa

SHA256
574fe8e01054a5ba07950e41f37e9cf0aea753f20fe1a31f58e19202d1f641d8

SHA512
030502fa4895e0d82c8cce00e78831fc3b2e6d956c8cc3b9fb5e50cb23ef07cd6942949a9f16d02da6908523d9d4ef5f722fb1336d4a80cd944c9f0cb11239ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45482\_hashlib.pyd

Filesize
33KB

MD5
4ae75c47dbdebaa16a596f31b27abd9e

SHA1
a11f963139c715921dedd24bc957ab6d14788c34

SHA256
2308ee238cc849b1110018b211b149d607bf447f4e4c1e61449049eab0cf513d

SHA512
e908fecb52268fac71933e2fdb96e539bdebe4675dfb50065aee26727bac53e07cca862193bcb3ab72d2ae62d660113a47e73e1e16db401480e4d3fd34d54fa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45482\_lzma.pyd

Filesize
84KB

MD5
6f810f46f308f7c6ccddca45d8f50039

SHA1
6ee24ff6d1c95ba67e1275bb82b9d539a7f56cea

SHA256
39497259b87038e86c53e7a39a0b5bbbfcebe00b2f045a148041300b31f33b76

SHA512
c692367a26415016e05ebe828309d3ffec290c6d2fd8cc7419d529a51b0beda00ccdc327c9f187ae3ca0cc96336d23d84a8ff95b729c8958b14fb91b6da9e878

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45482\_multiprocessing.pyd

Filesize
25KB

MD5
3aadb93005d6c2ce4fba1dad0c99547f

SHA1
64aaeaf0a78ba60cf2c4324faf3dd94aeeacc297

SHA256
ec92fd9277bb5af0914c42f09d52651094793a7c4f79c35a4c9e4a2b6f955af3

SHA512
863a78664a5d43577cc6ffabe6028e8289201a94db81e00ebb29c301d996a46d496582779f22fd363820a0048245ac68e2af110231190d4fda2ab1e7b385bf98

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45482\_overlapped.pyd

Filesize
30KB

MD5
9bd2b167101981c30c89d56492311553

SHA1
aa8e175a7894486a16a2d5d3a399c8894a7f1cae

SHA256
dd32ffbd9580876fb7fd1036f1fc3a6d9788627067ad9b0f3d366017b8865ccc

SHA512
0ec676e62f95b083142461745fdda699a7edf8597cea952ba4297f153a1d11abec621d5ce192d0ebdc52ebf3d745bf34f3161f87ad6593153cf1c95ecf474f45

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45482\_queue.pyd

Filesize
24KB

MD5
0e7612fc1a1fad5a829d4e25cfa87c4f

SHA1
3db2d6274ce3dbe3dbb00d799963df8c3046a1d6

SHA256
9f6965eb89bbf60df0c51ef0750bbd0655675110d6c42eca0274d109bd9f18a8

SHA512
52c57996385b9a573e3105efa09fd6fd24561589b032ef2b2ee60a717f4b33713c35989f2265669f980646d673e3c387b30b9fc98033bb8ca7c59ece1c17e517

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45482\_socket.pyd

Filesize
41KB

MD5
7a31bc84c0385590e5a01c4cbe3865c3

SHA1
77c4121abe6e134660575d9015308e4b76c69d7c

SHA256
5614017765322b81cc57d841b3a63cbdc88678ff605e5d4c8fdbbf8f0ac00f36

SHA512
b80cd51e395a3ce6f345b69243d8fc6c46e2e3828bd0a7e63673a508d889a9905d562cac29f1ed394ccfcda72f2f2e22f675963dd96261c19683b06dea0a0882

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45482\_sqlite3.pyd

Filesize
48KB

MD5
bb4aa2d11444900c549e201eb1a4cdd6

SHA1
ca3bb6fc64d66deaddd804038ea98002d254c50e

SHA256
f44d80ab16c27ca65da23ae5fda17eb842065f3e956f10126322b2ea3ecdf43f

SHA512
cd3c5704e5d99980109fdc505d39ad5b26a951685e9d8e3fed9e0848cd44e24cc4611669dbdb58acc20f1f4a5c37d5e01d9d965cf6fe74f94da1b29aa2ff6931

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45482\_ssl.pyd

Filesize
60KB

MD5
081c878324505d643a70efcc5a80a371

SHA1
8bef8336476d8b7c5c9ef71d7b7db4100de32348

SHA256
fcb70b58f94f5b0f9d027999cce25e99ddcc8124e4ddcc521cb5b96a52faaa66

SHA512
c36293b968a2f83705815ef3a207e444eeb7667ad9af61df75e85151f74f2fe0a299b3b1349de0d410bbbaea9f99cac5228189099a221de5fa1e20c97c648e32

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45482\base_library.zip

Filesize
859KB

MD5
b180f160e25c31a29751f02ffd6a05d4

SHA1
7837a2502b04b6e61a14ee3e3bee567d3c56bff3

SHA256
99d0f5e4c9deafbbfdaff0e288ac6045ce3a7a25ad83659e54c517221c6a9cab

SHA512
9b720c158a462ce7b314da6b5f8472edfe005faa03db889e3f8fe0eeae86e4a5b126638e43fa455f96943d08e48c9730b90273781347e83025646d32cb288d14

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45482\libcrypto-1_1.dll

Filesize
1.1MB

MD5
daa2eed9dceafaef826557ff8a754204

SHA1
27d668af7015843104aa5c20ec6bbd30f673e901

SHA256
4dab915333d42f071fe466df5578fd98f38f9e0efa6d9355e9b4445ffa1ca914

SHA512
7044715550b7098277a015219688c7e7a481a60e4d29f5f6558b10c7ac29195c6d5377dc234da57d9def0c217bb3d7feca332a64d632ca105503849f15e057ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45482\libffi-7.dll

Filesize
23KB

MD5
6f818913fafe8e4df7fedc46131f201f

SHA1
bbb7ba3edbd4783f7f973d97b0b568cc69cadac5

SHA256
3f94ee4f23f6c7702ab0cc12995a6457bf22183fa828c30cc12288adf153ae56

SHA512
5473fe57dc40af44edb4f8a7efd68c512784649d51b2045d570c7e49399990285b59cfa6bcd25ef1316e0a073ea2a89fe46be3bfc33f05e3333037a1fd3a6639

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45482\libssl-1_1.dll

Filesize
203KB

MD5
eac369b3fde5c6e8955bd0b8e31d0830

SHA1
4bf77158c18fe3a290e44abd2ac1834675de66b4

SHA256
60771fb23ee37b4414d364e6477490324f142a907308a691f3dd88dc25e38d6c

SHA512
c51f05d26fda5e995fe6763877d4fcdb89cd92ef2d6ee997e49cc1ee7a77146669d26ec00ad76f940ef55adae82921dede42e55f51bd10d1283ecfe7c5009778

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45482\pyexpat.pyd

Filesize
86KB

MD5
0bcfd9aa6131d40693ea77fb593f6e2f

SHA1
8b837d663ac7e186c7e427a272c7403c880a9d5f

SHA256
0b966bb1c97b5947a01af98abbe636f34bd492edeba99ce0276108fbe07d2ea6

SHA512
683b9c2c5b810cfef68f684b2927a2123ff4acf2d5377b368fe1d69054ebd2d96e99e850bd8c77a2950d55ce96ada7ad7db81b6c309d0fe7058fd9fd7e2524b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45482\python3.dll

Filesize
63KB

MD5
c17b7a4b853827f538576f4c3521c653

SHA1
6115047d02fbbad4ff32afb4ebd439f5d529485a

SHA256
d21e60f3dfbf2bab0cc8a06656721fa3347f026df10297674fc635ebf9559a68

SHA512
8e08e702d69df6840781d174c4565e14a28022b40f650fda88d60172be2d4ffd96a3e9426d20718c54072ca0da27e0455cc0394c098b75e062a27559234a3df7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45482\python310.dll

Filesize
1.4MB

MD5
178a0f45fde7db40c238f1340a0c0ec0

SHA1
dcd2d3d14e06da3e8d7dc91a69b5fd785768b5fe

SHA256
9fcb5ad15bd33dd72122a171a5d950e8e47ceda09372f25df828010cde24b8ed

SHA512
4b790046787e57b9414a796838a026b1530f497a75c8e62d62b56f8c16a0cbedbefad3d4be957bc18379f64374d8d3bf62d3c64b53476c7c5005a7355acd2cee

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45482\pywin32_system32\pythoncom310.dll

Filesize
194KB

MD5
e127ed268307680bdb3b940f270af87c

SHA1
568f850729df4fe86de87534749b6f5e69040094

SHA256
1fe1d0fd43420eb444d15db389a6692ddec9c012b165729bf82055cf1766c5cd

SHA512
2115287ff26715073810ab26f10a08fd9c18137b61bfbf13731f5fb67305391ecd3c095d7e6cc3e80ab46f828806a273b970493222aae5863389c6fa6f7c5570

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45482\pywin32_system32\pywintypes310.dll

Filesize
62KB

MD5
fa17e958566acee186a282a59c4aeb90

SHA1
194cb4c0e44698cf530807a1c69f160ca18df878

SHA256
b93505ef333f71752a09ed23084bf811812c9a977ebdaa88ff2daaea50ee140c

SHA512
93f1b31970c139fa4c00acf8907ddc843e41c487af173ddf6bece8471c303a8f6269e65ffb9c7d04752ab1ed0abfcbb1270e4c9628a68419bee676afdca34b33

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45482\select.pyd

Filesize
24KB

MD5
666358e0d7752530fc4e074ed7e10e62

SHA1
b9c6215821f5122c5176ce3cf6658c28c22d46ba

SHA256
6615c62fa010bfba5527f5da8af97313a1af986f8564277222a72a1731248841

SHA512
1d3d35c095892562ddd2868fbd08473e48b3bb0cb64ef9ccc5550a06c88dda0d82383a1316b6c5584a49ca28ed1ef1e5ca94ec699a423a001ccd952bd6bd553d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45482\sqlite3.dll

Filesize
608KB

MD5
bd2819965b59f015ec4233be2c06f0c1

SHA1
cff965068f1659d77be6f4942ca1ada3575ca6e2

SHA256
ab072d20cee82ae925dae78fd41cae7cd6257d14fd867996382a69592091d8ec

SHA512
f7758bd71d2ad236bf3220db0ad26f3866d9977eab311a5912f6e079b59fa918735c852de6dbf7b5fee9e04124bc0cd438c4c71edc0c04309330108ba0085d59

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45482\unicodedata.pyd

Filesize
287KB

MD5
7a462a10aa1495cef8bfca406fb3637e

SHA1
6dcbd46198b89ef3007c76deb42ab10ba4c4cf40

SHA256
459bca991fcb88082d49d22cc6ebffe37381a5bd3efcc77c5a52f7a4bb3184c0

SHA512
d2b7c6997b4bd390257880a6f3336e88d1dd7159049811f8d7c54e3623e9b033e18e8922422869c81de72fc8c10890c173d8a958d192dd03bfc57cffaea1ac7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45482\win32\win32api.pyd

Filesize
48KB

MD5
d8e99be696d590c53ca4249f164ee8b6

SHA1
eeefc5e9f12846a6f000839195c448b07cfb0213

SHA256
1ea511b355c4ad206bf420117598ebb5b6ba7b78ed0992ce20c5475ef88c6523

SHA512
cf70bff11360df2fd0232be7c6123103cf1aadebe0cc020d144c23b13d44baaaa61e26f358acb3258ea2ffec0ae27e4f8a41f734444395918150baa1a1f0cbfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qc05at0n.v51.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\jjsploit.exe

Filesize
22.1MB

MD5
35cc243b458674269527614a1714edf8

SHA1
6e7d0359a6ceabe2efe20c71f08fe69adeda6550

SHA256
b3001158fff42f09543c1658bd35b020a9c5ad1c0c2d702448a0d313755adbe6

SHA512
308607cd730febb6bf54dd4170b86918e486aaef9875ceb168ea2edc85768dfe71e34b28d3719d05b72f73018c8c42d23d6a4abaa3c225e81d1ead950638a48a

Download Submit
memory/1444-573-0x000001EFC2600000-0x000001EFC2652000-memory.dmp

Filesize
328KB

Download
memory/3880-509-0x00000000006E0000-0x00000000006F8000-memory.dmp

Filesize
96KB

Download
memory/3968-607-0x000001B066E90000-0x000001B066E91000-memory.dmp

Filesize
4KB

Download
memory/3968-599-0x000001B066E90000-0x000001B066E91000-memory.dmp

Filesize
4KB

Download
memory/3968-610-0x000001B066E90000-0x000001B066E91000-memory.dmp

Filesize
4KB

Download
memory/3968-609-0x000001B066E90000-0x000001B066E91000-memory.dmp

Filesize
4KB

Download
memory/3968-608-0x000001B066E90000-0x000001B066E91000-memory.dmp

Filesize
4KB

Download
memory/3968-598-0x000001B066E90000-0x000001B066E91000-memory.dmp

Filesize
4KB

Download
memory/3968-606-0x000001B066E90000-0x000001B066E91000-memory.dmp

Filesize
4KB

Download
memory/3968-605-0x000001B066E90000-0x000001B066E91000-memory.dmp

Filesize
4KB

Download
memory/3968-604-0x000001B066E90000-0x000001B066E91000-memory.dmp

Filesize
4KB

Download
memory/3968-600-0x000001B066E90000-0x000001B066E91000-memory.dmp

Filesize
4KB

Download
memory/4068-538-0x000001B97B000000-0x000001B97B022000-memory.dmp

Filesize
136KB

Download
memory/4456-435-0x00007FFF0C0D0000-0x00007FFF0C0E9000-memory.dmp

Filesize
100KB

Download
memory/4456-535-0x00007FFEF6A40000-0x00007FFEF6A4B000-memory.dmp

Filesize
44KB

Download
memory/4456-480-0x00007FFF0A530000-0x00007FFF0A55D000-memory.dmp

Filesize
180KB

Download
memory/4456-483-0x00007FFF05C60000-0x00007FFF05C70000-memory.dmp

Filesize
64KB

Download
memory/4456-482-0x00007FFF0C060000-0x00007FFF0C079000-memory.dmp

Filesize
100KB

Download
memory/4456-484-0x00007FFF05720000-0x00007FFF05734000-memory.dmp

Filesize
80KB

Download
memory/4456-485-0x00007FFF055A0000-0x00007FFF055BF000-memory.dmp

Filesize
124KB

Download
memory/4456-487-0x00007FFF02E30000-0x00007FFF02FA1000-memory.dmp

Filesize
1.4MB

Download
memory/4456-486-0x00007FFF03070000-0x00007FFF0312C000-memory.dmp

Filesize
752KB

Download
memory/4456-491-0x00007FFF05870000-0x00007FFF05880000-memory.dmp

Filesize
64KB

Download
memory/4456-488-0x00007FFF05880000-0x00007FFF058AE000-memory.dmp

Filesize
184KB

Download
memory/4456-502-0x00007FFF02DF0000-0x00007FFF02E27000-memory.dmp

Filesize
220KB

Download
memory/4456-456-0x00007FFF0C060000-0x00007FFF0C079000-memory.dmp

Filesize
100KB

Download
memory/4456-501-0x00007FFF04870000-0x00007FFF0489E000-memory.dmp

Filesize
184KB

Download
memory/4456-500-0x00007FFF033C0000-0x00007FFF033DC000-memory.dmp

Filesize
112KB

Download
memory/4456-499-0x00007FFF05260000-0x00007FFF0526A000-memory.dmp

Filesize
40KB

Download
memory/4456-458-0x00007FFF0C0C0000-0x00007FFF0C0CD000-memory.dmp

Filesize
52KB

Download
memory/4456-511-0x00007FFF03310000-0x00007FFF0331B000-memory.dmp

Filesize
44KB

Download
memory/4456-510-0x00007FFF02FB0000-0x00007FFF03068000-memory.dmp

Filesize
736KB

Download
memory/4456-518-0x00007FFEFE710000-0x00007FFEFE71B000-memory.dmp

Filesize
44KB

Download
memory/4456-522-0x00007FFF05C60000-0x00007FFF05C70000-memory.dmp

Filesize
64KB

Download
memory/4456-521-0x00007FFEFC730000-0x00007FFEFC73D000-memory.dmp

Filesize
52KB

Download
memory/4456-520-0x00007FFEFC740000-0x00007FFEFC74D000-memory.dmp

Filesize
52KB

Download
memory/4456-519-0x00007FFF05AE0000-0x00007FFF05AF5000-memory.dmp

Filesize
84KB

Download
memory/4456-517-0x00007FFF02D60000-0x00007FFF02D6B000-memory.dmp

Filesize
44KB

Download
memory/4456-516-0x00007FFF02D70000-0x00007FFF02D7B000-memory.dmp

Filesize
44KB

Download
memory/4456-515-0x00007FFEFC750000-0x00007FFEFC75C000-memory.dmp

Filesize
48KB

Download
memory/4456-514-0x00007FFEFC760000-0x00007FFEFC76B000-memory.dmp

Filesize
44KB

Download
memory/4456-513-0x00007FFEFC770000-0x00007FFEFC77C000-memory.dmp

Filesize
48KB

Download
memory/4456-512-0x00007FFEF1B20000-0x00007FFEF1E95000-memory.dmp

Filesize
3.5MB

Download
memory/4456-531-0x00007FFF02E30000-0x00007FFF02FA1000-memory.dmp

Filesize
1.4MB

Download
memory/4456-533-0x00007FFEF6AB0000-0x00007FFEF6ABC000-memory.dmp

Filesize
48KB

Download
memory/4456-532-0x00007FFEF6AC0000-0x00007FFEF6AD2000-memory.dmp

Filesize
72KB

Download
memory/4456-481-0x00007FFF05AE0000-0x00007FFF05AF5000-memory.dmp

Filesize
84KB

Download
memory/4456-536-0x00007FFEF2380000-0x00007FFEF23A7000-memory.dmp

Filesize
156KB

Download
memory/4456-537-0x00007FFEF12B0000-0x00007FFEF13C8000-memory.dmp

Filesize
1.1MB

Download
memory/4456-534-0x00007FFF02DF0000-0x00007FFF02E27000-memory.dmp

Filesize
220KB

Download
memory/4456-530-0x00007FFF055A0000-0x00007FFF055BF000-memory.dmp

Filesize
124KB

Download
memory/4456-529-0x00007FFEF6AE0000-0x00007FFEF6AED000-memory.dmp

Filesize
52KB

Download
memory/4456-528-0x00007FFEF6AF0000-0x00007FFEF6AFB000-memory.dmp

Filesize
44KB

Download
memory/4456-527-0x00007FFEFBB80000-0x00007FFEFBB8B000-memory.dmp

Filesize
44KB

Download
memory/4456-526-0x00007FFEFBB90000-0x00007FFEFBB9B000-memory.dmp

Filesize
44KB

Download
memory/4456-525-0x00007FFEFC0E0000-0x00007FFEFC0EB000-memory.dmp

Filesize
44KB

Download
memory/4456-524-0x00007FFEFC720000-0x00007FFEFC72C000-memory.dmp

Filesize
48KB

Download
memory/4456-523-0x00007FFF05720000-0x00007FFF05734000-memory.dmp

Filesize
80KB

Download
memory/4456-460-0x00007FFF0A4F0000-0x00007FFF0A524000-memory.dmp

Filesize
208KB

Download
memory/4456-467-0x00007FFEF1EA0000-0x00007FFEF230E000-memory.dmp

Filesize
4.4MB

Download
memory/4456-468-0x00007FFF0A170000-0x00007FFF0A17D000-memory.dmp

Filesize
52KB

Download
memory/4456-469-0x00007FFF03070000-0x00007FFF0312C000-memory.dmp

Filesize
752KB

Download
memory/4456-587-0x00007FFF02FB0000-0x00007FFF03068000-memory.dmp

Filesize
736KB

Download
memory/4456-596-0x00007FFEF2380000-0x00007FFEF23A7000-memory.dmp

Filesize
156KB

Download
memory/4456-588-0x00007FFEF1B20000-0x00007FFEF1E95000-memory.dmp

Filesize
3.5MB

Download
memory/4456-586-0x00007FFF04870000-0x00007FFF0489E000-memory.dmp

Filesize
184KB

Download
memory/4456-574-0x00007FFEF1EA0000-0x00007FFEF230E000-memory.dmp

Filesize
4.4MB

Download
memory/4456-583-0x00007FFF05880000-0x00007FFF058AE000-memory.dmp

Filesize
184KB

Download
memory/4456-584-0x00007FFF03070000-0x00007FFF0312C000-memory.dmp

Filesize
752KB

Download
memory/4456-597-0x00007FFEF12B0000-0x00007FFEF13C8000-memory.dmp

Filesize
1.1MB

Download
memory/4456-475-0x00007FFF0CD10000-0x00007FFF0CD34000-memory.dmp

Filesize
144KB

Download
memory/4456-476-0x00007FFF04870000-0x00007FFF0489E000-memory.dmp

Filesize
184KB

Download
memory/4456-479-0x00007FFEF1B20000-0x00007FFEF1E95000-memory.dmp

Filesize
3.5MB

Download
memory/4456-478-0x00007FFF02FB0000-0x00007FFF03068000-memory.dmp

Filesize
736KB

Download
memory/4456-473-0x00007FFF048A0000-0x00007FFF048CB000-memory.dmp

Filesize
172KB

Download
memory/4456-470-0x00007FFF05880000-0x00007FFF058AE000-memory.dmp

Filesize
184KB

Download
memory/4456-433-0x00007FFF0EF70000-0x00007FFF0EF7F000-memory.dmp

Filesize
60KB

Download
memory/4456-437-0x00007FFF0A530000-0x00007FFF0A55D000-memory.dmp

Filesize
180KB

Download
memory/4456-429-0x00007FFF0CD10000-0x00007FFF0CD34000-memory.dmp

Filesize
144KB

Download
memory/4456-421-0x00007FFEF1EA0000-0x00007FFEF230E000-memory.dmp

Filesize
4.4MB

Download