stormkitty | hxxps://disk[.]yandex[.]ru/d/32mWEpqwMSyjAg

Resubmissions

02/08/2023, 15:47

230802-s777page7s 10

02/08/2023, 15:41

230802-s4xlsage5z 10

Analysis

max time kernel
239s
max time network
240s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
02/08/2023, 15:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://disk.yandex.ru/d/32mWEpqwMSyjAg

Score

10^/10

stormkitty stealer upx

Malware Config

Signatures

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 3 IoCs

resource	yara_rule
behavioral1/memory/4620-422-0x0000000000070000-0x000000000019C000-memory.dmp	family_stormkitty
behavioral1/memory/1204-485-0x0000000000190000-0x00000000002B6000-memory.dmp	family_stormkitty
behavioral1/memory/3744-517-0x0000000000550000-0x000000000067C000-memory.dmp	family_stormkitty

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3588-515-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/3588-516-0x0000000000400000-0x0000000000416000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
255	checkip.dyndns.org
293	checkip.dyndns.org

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133354645040069230"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
1164	chrome.exe
1164	chrome.exe
4396	chrome.exe
4396	chrome.exe
4672	taskmgr.exe
4672	taskmgr.exe
4672	taskmgr.exe
4672	taskmgr.exe
4672	taskmgr.exe
4672	taskmgr.exe
4672	taskmgr.exe
4672	taskmgr.exe
4672	taskmgr.exe
4672	taskmgr.exe
4672	taskmgr.exe
4672	taskmgr.exe
4672	taskmgr.exe
4672	taskmgr.exe
4672	taskmgr.exe
4672	taskmgr.exe
4672	taskmgr.exe
3856	NSudoLC.exe
3856	NSudoLC.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
4672	taskmgr.exe
4672	taskmgr.exe
4672	taskmgr.exe
4672	taskmgr.exe
4672	taskmgr.exe
4672	taskmgr.exe
4672	taskmgr.exe
4672	taskmgr.exe
4672	taskmgr.exe
4672	taskmgr.exe
4672	taskmgr.exe
4672	taskmgr.exe
4672	taskmgr.exe
4672	taskmgr.exe
4672	taskmgr.exe
4672	taskmgr.exe
4672	taskmgr.exe
4672	taskmgr.exe
4672	taskmgr.exe
4672	taskmgr.exe
4672	taskmgr.exe
4672	taskmgr.exe
4672	taskmgr.exe
4672	taskmgr.exe
4672	taskmgr.exe
4672	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
4672	taskmgr.exe
4672	taskmgr.exe
4672	taskmgr.exe
4672	taskmgr.exe
4672	taskmgr.exe
4672	taskmgr.exe
4672	taskmgr.exe
4672	taskmgr.exe
4672	taskmgr.exe
4672	taskmgr.exe
4672	taskmgr.exe
4672	taskmgr.exe
4672	taskmgr.exe
4672	taskmgr.exe
4672	taskmgr.exe
4672	taskmgr.exe
4672	taskmgr.exe
4672	taskmgr.exe
4672	taskmgr.exe
4672	taskmgr.exe
4672	taskmgr.exe
4672	taskmgr.exe
4672	taskmgr.exe
4672	taskmgr.exe
4672	taskmgr.exe
4672	taskmgr.exe
4672	taskmgr.exe
4672	taskmgr.exe
4672	taskmgr.exe
4672	taskmgr.exe
4672	taskmgr.exe
4672	taskmgr.exe
4672	taskmgr.exe
4672	taskmgr.exe
4672	taskmgr.exe
4672	taskmgr.exe
4672	taskmgr.exe
4672	taskmgr.exe
4672	taskmgr.exe
4672	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1164 wrote to memory of 2348	1164	chrome.exe	80
PID 1164 wrote to memory of 2348	1164	chrome.exe	80
PID 1164 wrote to memory of 3244	1164	chrome.exe	87
PID 1164 wrote to memory of 3244	1164	chrome.exe	87
PID 1164 wrote to memory of 3244	1164	chrome.exe	87
PID 1164 wrote to memory of 3244	1164	chrome.exe	87
PID 1164 wrote to memory of 3244	1164	chrome.exe	87
PID 1164 wrote to memory of 3244	1164	chrome.exe	87
PID 1164 wrote to memory of 3244	1164	chrome.exe	87
PID 1164 wrote to memory of 3244	1164	chrome.exe	87
PID 1164 wrote to memory of 3244	1164	chrome.exe	87
PID 1164 wrote to memory of 3244	1164	chrome.exe	87
PID 1164 wrote to memory of 3244	1164	chrome.exe	87
PID 1164 wrote to memory of 3244	1164	chrome.exe	87
PID 1164 wrote to memory of 3244	1164	chrome.exe	87
PID 1164 wrote to memory of 3244	1164	chrome.exe	87
PID 1164 wrote to memory of 3244	1164	chrome.exe	87
PID 1164 wrote to memory of 3244	1164	chrome.exe	87
PID 1164 wrote to memory of 3244	1164	chrome.exe	87
PID 1164 wrote to memory of 3244	1164	chrome.exe	87
PID 1164 wrote to memory of 3244	1164	chrome.exe	87
PID 1164 wrote to memory of 3244	1164	chrome.exe	87
PID 1164 wrote to memory of 3244	1164	chrome.exe	87
PID 1164 wrote to memory of 3244	1164	chrome.exe	87
PID 1164 wrote to memory of 3244	1164	chrome.exe	87
PID 1164 wrote to memory of 3244	1164	chrome.exe	87
PID 1164 wrote to memory of 3244	1164	chrome.exe	87
PID 1164 wrote to memory of 3244	1164	chrome.exe	87
PID 1164 wrote to memory of 3244	1164	chrome.exe	87
PID 1164 wrote to memory of 3244	1164	chrome.exe	87
PID 1164 wrote to memory of 3244	1164	chrome.exe	87
PID 1164 wrote to memory of 3244	1164	chrome.exe	87
PID 1164 wrote to memory of 3244	1164	chrome.exe	87
PID 1164 wrote to memory of 3244	1164	chrome.exe	87
PID 1164 wrote to memory of 3244	1164	chrome.exe	87
PID 1164 wrote to memory of 3244	1164	chrome.exe	87
PID 1164 wrote to memory of 3244	1164	chrome.exe	87
PID 1164 wrote to memory of 3244	1164	chrome.exe	87
PID 1164 wrote to memory of 3244	1164	chrome.exe	87
PID 1164 wrote to memory of 3244	1164	chrome.exe	87
PID 1164 wrote to memory of 3192	1164	chrome.exe	88
PID 1164 wrote to memory of 3192	1164	chrome.exe	88
PID 1164 wrote to memory of 1132	1164	chrome.exe	89
PID 1164 wrote to memory of 1132	1164	chrome.exe	89
PID 1164 wrote to memory of 1132	1164	chrome.exe	89
PID 1164 wrote to memory of 1132	1164	chrome.exe	89
PID 1164 wrote to memory of 1132	1164	chrome.exe	89
PID 1164 wrote to memory of 1132	1164	chrome.exe	89
PID 1164 wrote to memory of 1132	1164	chrome.exe	89
PID 1164 wrote to memory of 1132	1164	chrome.exe	89
PID 1164 wrote to memory of 1132	1164	chrome.exe	89
PID 1164 wrote to memory of 1132	1164	chrome.exe	89
PID 1164 wrote to memory of 1132	1164	chrome.exe	89
PID 1164 wrote to memory of 1132	1164	chrome.exe	89
PID 1164 wrote to memory of 1132	1164	chrome.exe	89
PID 1164 wrote to memory of 1132	1164	chrome.exe	89
PID 1164 wrote to memory of 1132	1164	chrome.exe	89
PID 1164 wrote to memory of 1132	1164	chrome.exe	89
PID 1164 wrote to memory of 1132	1164	chrome.exe	89
PID 1164 wrote to memory of 1132	1164	chrome.exe	89
PID 1164 wrote to memory of 1132	1164	chrome.exe	89
PID 1164 wrote to memory of 1132	1164	chrome.exe	89
PID 1164 wrote to memory of 1132	1164	chrome.exe	89
PID 1164 wrote to memory of 1132	1164	chrome.exe	89

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://disk.yandex.ru/d/32mWEpqwMSyjAg
1⤵
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffefa159758,0x7ffefa159768,0x7ffefa159778
  2⤵
  PID:2348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1772 --field-trial-handle=1880,i,8095856637884612320,4302056320707639669,131072 /prefetch:2
  2⤵
  PID:3244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2120 --field-trial-handle=1880,i,8095856637884612320,4302056320707639669,131072 /prefetch:8
  2⤵
  PID:3192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2212 --field-trial-handle=1880,i,8095856637884612320,4302056320707639669,131072 /prefetch:8
  2⤵
  PID:1132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2880 --field-trial-handle=1880,i,8095856637884612320,4302056320707639669,131072 /prefetch:1
  2⤵
  PID:5008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2872 --field-trial-handle=1880,i,8095856637884612320,4302056320707639669,131072 /prefetch:1
  2⤵
  PID:4664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4832 --field-trial-handle=1880,i,8095856637884612320,4302056320707639669,131072 /prefetch:1
  2⤵
  PID:4700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5272 --field-trial-handle=1880,i,8095856637884612320,4302056320707639669,131072 /prefetch:8
  2⤵
  PID:2072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5904 --field-trial-handle=1880,i,8095856637884612320,4302056320707639669,131072 /prefetch:8
  2⤵
  PID:2288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5972 --field-trial-handle=1880,i,8095856637884612320,4302056320707639669,131072 /prefetch:8
  2⤵
  PID:2308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6160 --field-trial-handle=1880,i,8095856637884612320,4302056320707639669,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4396

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3996

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3816

C:\Users\Admin\Desktop\Ä»Γ¿¼¿ºáµ¿∩ Windows.exe
"C:\Users\Admin\Desktop\Ä»Γ¿¼¿ºáµ¿∩ Windows.exe"
1⤵
PID:4620
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
  2⤵
  PID:1740
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2852
- - C:\Windows\system32\netsh.exe
    netsh wlan show profile
    3⤵
    PID:4944
- - C:\Windows\system32\findstr.exe
    findstr All
    3⤵
    PID:408
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C chcp 65001 && netsh wlan show profile name=65001 key=clear | findstr Key
  2⤵
  PID:2372
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:4188
- - C:\Windows\system32\netsh.exe
    netsh wlan show profile name=65001 key=clear
    3⤵
    PID:4800
- - C:\Windows\system32\findstr.exe
    findstr Key
    3⤵
    PID:2100

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\Ç¬Γ¿óáµ¿∩ Windows ¿ Office.cmd" "
1⤵
PID:2896
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ver
  2⤵
  PID:972
- C:\Windows\system32\reg.exe
  reg query HKU\S-1-5-19
  2⤵
  PID:4132
- C:\Windows\system32\mode.com
  mode con cols=98 lines=30
  2⤵
  PID:3856
- C:\Windows\system32\choice.exe
  choice /C:123456789 /N /M "> Enter Your Choice in the Keyboard [1,2,3,4,5,6,7,8,9] : "
  2⤵
  PID:1088
- C:\Windows\system32\mode.com
  mode con cols=98 lines=32
  2⤵
  PID:1520
- C:\Windows\system32\choice.exe
  choice /C:1234567890 /N /M ". Enter Your Choice [1,2,3,4,5,6,7,8,9,0] : "
  2⤵
  PID:4836

C:\Users\Admin\Desktop\nvidiaProfileInspector\nvidiaProfileInspector.exe
"C:\Users\Admin\Desktop\nvidiaProfileInspector\nvidiaProfileInspector.exe"
1⤵
PID:1204
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
  2⤵
  PID:2500
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:3184
- - C:\Windows\system32\netsh.exe
    netsh wlan show profile
    3⤵
    PID:2024
- - C:\Windows\system32\findstr.exe
    findstr All
    3⤵
    PID:1788
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C chcp 65001 && netsh wlan show profile name=65001 key=clear | findstr Key
  2⤵
  PID:4724
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:4492
- - C:\Windows\system32\netsh.exe
    netsh wlan show profile name=65001 key=clear
    3⤵
    PID:3132
- - C:\Windows\system32\findstr.exe
    findstr Key
    3⤵
    PID:1744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\ôñá½¿Γ∞ ºáΘ¿Γ¡¿¬ Windows\DefenderKiller.bat" "
1⤵
PID:4868
- C:\Windows\system32\reg.exe
  reg query "HKU\S-1-5-19"
  2⤵
  PID:1808
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c 2>nul wmic UserAccount where "Domain='LMMMEQUO' and Name='Admin'" Get SID|find "-"
  2⤵
  PID:3996
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic UserAccount where "Domain='LMMMEQUO' and Name='Admin'" Get SID
    3⤵
    PID:3516
- - C:\Windows\system32\find.exe
    find "-"
    3⤵
    PID:1956
- C:\Users\Admin\Desktop\ôñá½¿Γ∞ ºáΘ¿Γ¡¿¬ Windows\WorkFiles\ConX.exe
  ConX hide
  2⤵
  PID:800
- C:\Users\Admin\Desktop\ôñá½¿Γ∞ ºáΘ¿Γ¡¿¬ Windows\WorkFiles\NSudoLC.exe
  NSudoLC -U:T -P:E "C:\Users\Admin\Desktop\ôñá½¿Γ∞ ºáΘ¿Γ¡¿¬ Windows\DefenderKiller.bat"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3856

C:\Users\Admin\Desktop\ôñá½¿Γ∞ ºáΘ¿Γ¡¿¬ Windows\WorkFiles\NSudoLC.exe
"C:\Users\Admin\Desktop\ôñá½¿Γ∞ ºáΘ¿Γ¡¿¬ Windows\WorkFiles\NSudoLC.exe"
1⤵
PID:4760

C:\Users\Admin\Desktop\ôñá½¿Γ∞ ºáΘ¿Γ¡¿¬ Windows\WorkFiles\nircmd.exe
"C:\Users\Admin\Desktop\ôñá½¿Γ∞ ºáΘ¿Γ¡¿¬ Windows\WorkFiles\nircmd.exe"
1⤵
PID:4560

C:\Users\Admin\Desktop\ôñá½¿Γ∞ ºáΘ¿Γ¡¿¬ Windows\WorkFiles\ConX.exe
"C:\Users\Admin\Desktop\ôñá½¿Γ∞ ºáΘ¿Γ¡¿¬ Windows\WorkFiles\ConX.exe"
1⤵
PID:4836

C:\Users\Admin\Desktop\ôñá½¿Γ∞ ºáΘ¿Γ¡¿¬ Windows\WorkFiles\cecho.exe
"C:\Users\Admin\Desktop\ôñá½¿Γ∞ ºáΘ¿Γ¡¿¬ Windows\WorkFiles\cecho.exe"
1⤵
PID:3588

C:\Users\Admin\Desktop\Å«ñ«íαáΓ∞ ßá¼δ⌐ íδßΓαδÑ DNS ßÑαóÑα\DnsJumper.exe
"C:\Users\Admin\Desktop\Å«ñ«íαáΓ∞ ßá¼δ⌐ íδßΓαδÑ DNS ßÑαóÑα\DnsJumper.exe"
1⤵
PID:3744
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
  2⤵
  PID:3968
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:3464
- - C:\Windows\system32\netsh.exe
    netsh wlan show profile
    3⤵
    PID:1100
- - C:\Windows\system32\findstr.exe
    findstr All
    3⤵
    PID:2100
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C chcp 65001 && netsh wlan show profile name=65001 key=clear | findstr Key
  2⤵
  PID:3964
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:800
- - C:\Windows\system32\netsh.exe
    netsh wlan show profile name=65001 key=clear
    3⤵
    PID:4492
- - C:\Windows\system32\findstr.exe
    findstr Key
    3⤵
    PID:760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A

Filesize
893B

MD5
d4ae187b4574036c2d76b6df8a8c1a30

SHA1
b06f409fa14bab33cbaf4a37811b8740b624d9e5

SHA256
a2ce3a0fa7d2a833d1801e01ec48e35b70d84f3467cc9f8fab370386e13879c7

SHA512
1f44a360e8bb8ada22bc5bfe001f1babb4e72005a46bc2a94c33c4bd149ff256cce6f35d65ca4f7fc2a5b9e15494155449830d2809c8cf218d0b9196ec646b0c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Filesize
330B

MD5
409ce63d91435a5062296cf4f8d4b5f6

SHA1
391bd7cc58a9879a562842abcf11845ec0b36455

SHA256
2f56e4b72d884baa0d0f9229d1af2dc13bb909b852268695665fb5132c5f5121

SHA512
85d7418d7f22b0c15ab3fd7d06b64a67386e08ed1770e5da65fd02aedbabd9ea8da6daa63d4be7cb5156708074382fbd91be9144324347959676d14ca5d6ba3c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Filesize
330B

MD5
effcb0f306082bb1d942165b6573b5a6

SHA1
56377ca314bb0287e8c3f1a3a97fcf69c4c86421

SHA256
227d5b3dfb5fd8e66edd94b772f75e0f7242e5ebdacd715bfd2d02833b0df87c

SHA512
869db89f04dc121ab534b8f05aa494df6e20369d6f48a6c082d023e649581b307871d48f84b738e9a6bc38bcfe71098aafd78a49f115c0f7be5989441c56e619

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A

Filesize
252B

MD5
dde961b7593ac022177b16958a77a8af

SHA1
21681e928fd8624989534c17634d8195f6dc0b00

SHA256
7fd5031627f53877ead6fbb8baf329a82563e105a90e21d5b374c2eed06267cd

SHA512
31f0c796fa710ad497c6d2f61e6254dded9d38fab2247bfe99665e5b98a7205ca3dd8c8312df9c4b7801abe22daab8e3f80506a27bd1a2683a93bacbb3443beb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\06c65f11-f26d-4e98-b139-7d7a5c11d715.tmp

Filesize
6KB

MD5
613c7f2a3c889faeb3075d4988f3079f

SHA1
d512102a3aa919778946892973447b67b8dfe4e4

SHA256
0ac071e3c062588755a66dfcc12f23d95e80dae43a1cc345af8b23b546682cb8

SHA512
cfc182ed4d476b079229d1ec3e5c291fdc3aa8203abfb551ac89d99c0c4ecb1801e381e600c3ba2d0f799a3163029acf8b0e177088675b878f288af3e56819a7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000007

Filesize
58KB

MD5
62fbd3edaca201c0ab8e94e74b049437

SHA1
4be5c20507706717e920ef87771b7a16eb879e9a

SHA256
e65dd3210be4f8ceef24ae0056876c831e31f6b265a9402690a90237fc395660

SHA512
daaafe5f2389c813b5391eda5e3e9f95bdf11c4c63067c248319d79d2efd14ca64d578986b5a23ecd4056c6ec52fbc21d7d4015a3a9878df0e0e9198b6c33a7f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
600B

MD5
cfa44c1fe796b63caf73680bd6c24ce7

SHA1
b67af825c366882c017cb16b629b6dec48dd3835

SHA256
821ef5f222060523f543d2a74cac23946d7bb5e62470fc56488938a67d0f543f

SHA512
8272884d7d965a0196997e6bf337f8a702537cac5a0351121fd48a381ab989665ab671dae48784c3154b4aa84cf3ce0ea90a57fc33262221bca7a04d214ba3c0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\000\t\Paths\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\001\t\Paths\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\History

Filesize
148KB

MD5
e274a7c5372bef472f721fc001017a10

SHA1
e130d90ee077be445de19bfa9d06365cb70b6de5

SHA256
b0abd7e32a5892c085517ccba3234597c98a1d9d83666780d5bb506576067a83

SHA512
93c033f5e2d31e1eb4ae659904f4a98489172a8aca2773e35fc4a5557bf324d75e8aa89b04dea118a95fd413f9cde87c88e4dec2197bf8b2ec6a15603aaab336

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
2f538557d49f357ec4b8967fb466d82c

SHA1
6ab9faa1137eabaea9781cd2128449639eb57d4d

SHA256
291378edc5c9c21eb7b0afcd650d9abbd6d9103de349d9834dd74f3a622cf669

SHA512
ea914b0c834a30daf7cd4b72a47a97abcb0bb85945c315910a5634011f323494adb79bb943a65eb572507c3230560958403faacc67486eeb2e2740764503ab2e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
63dc247584d6998bec03e4a8fdff98fd

SHA1
8b1aec5e16a025b0e575bd4f549572b3c46aa53c

SHA256
3fa9b26f61442eac6282e23ada6ae5bd5e08f1ea00da1ab43ae5b3aaac565b36

SHA512
7db826ac469e7c9c3c18e59d47e871de2d35a8061be946d997c8eddb96e93598ae1b33ce9f3ebefc109538bc821608e0bf45400767d5efb712609dae101c509b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
93eb311d298e3c6e298755c2e49eeb3e

SHA1
0a5dff2e115baaa5df00aa0a11d3ec85a20229f2

SHA256
e1bd60915c9f32dec721c1c43aec8dbfed586c3b2f3f871fff6f0f5b4fd9eba3

SHA512
769be379028c171d08576205502161e24c9fa56156b7e95e687210ac6bec42e7e5f59a12cbc9d7446502dca6c96f396bf659490d281ae9ff578ab299e9895e20

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
3994c12fb8a1e416074ce995870ed4e0

SHA1
9b4a4ac5eb250469461df4b297b193ede204d093

SHA256
dfd3025f6a241cd6bc1a0b6ac3780b794bc18a0f0d9b7a27c0cbffa96a2b29b1

SHA512
954f49c6a58e9e2d153f83c6745efb269b57c79c4d9cefadb2e6867cc8c7b0553c5c541139f8f9c5881f3b8a61fea291e444db325a8f59d5218bc627157edd74

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
1f8dd7143ecc7ddee9cc9b1fae60ee06

SHA1
4c670d42c0c04a4ab8c443c2b2457e828a4b0b2f

SHA256
49f5c5367fcfee0cba0967adcb32a542f33405a9484793a6f08a0114865f9a73

SHA512
2240ab26a150a42cae5ade1cf14fa48dac062b8279454330c36a4d7fdc56a8c9ef5dd10427ee9061d1eeecf170f46745bfa8beeb116390625f2b953219bcf671

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
0849a09262f0d40a264ec1957f5157c2

SHA1
1d61feb219f82fa6807835388f453d14fa457bc6

SHA256
d242b7098df8925fb080200bbcdc954226ead5774b56a580ed8455352efd3368

SHA512
85d4172f97475ba2061e4679ba948a5f5b669ff66e4838f5e512b20085ebd50a34ed495828e6b203219870c518f9208a1e984c7c025fbcf659713049dd5a7b99

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
3db79c2f4b1f45c274e5bf43a92feebe

SHA1
46c8acdf514683971070941145d23b251da0933b

SHA256
7706f1b8a9884ece8ed2d921d87b81b37d57ea03336f62111ee73173fa1e1334

SHA512
c89dca4a9c4a014a8afd2895be443b3201f7305f2606f5324a1bfcb706bf0b8511aea41bd0c93cf5decbbdb38c8421df3683f34cc3eb6f98382b20a852a65da9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
68f60d769ff680e084d5a04452105a13

SHA1
aee3ff9143e2bf83f60c2949ce3db33d2eda52a7

SHA256
aa72e2403b64244364c3de4359960052d292b6a9f3df5ac43b7b6c8e3c4cb211

SHA512
a2ce874e6ff6ebcdf103b18bf510ddd045f74c2ad9e72189fd4490c24529e62b17f8b71123a8387e07f3004a743231d4c4338fc90b78b158f4c5cbffe92cd424

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
03e9fc214ad78236c317b512265bba5e

SHA1
ee890b3c364950c4c551697ecce4515c8b5f2e0a

SHA256
fc0935c7e9f807cf8d4a0ee028dee186e2687bcfada66a53a9a11f8cb0cc2998

SHA512
55d87b360299793326c3e0b550d785481e5d4768d1134d74d07ce9013dc4705efac5697438a3da4f8ef0d460f4fc434cc6d4d35ec87737cd9802acfe209f9fef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
87KB

MD5
3c3364ccd84c60970605883e16367ade

SHA1
1033f2cd53b9c98ca190d4692db5e1b6d6e76c25

SHA256
dd7684bf20d23eb424d22b962f25a4eb2f11d7b23a2b0b53141d0d2cd26bad0f

SHA512
7d82baa4c12d3c1736aecc4510d58bd2e4aa04d222ccdcb0bcee3295542dedb2040d56afe7cd0e84ed9743524198d33ded412da3b1349d4faebe68b1f7a6ca0e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Capture.jpg

Filesize
100KB

MD5
d1c7dd80c9dc28031dad3424ff7bebec

SHA1
0c1cb484dc915abcf288c35e7eef95e77aa8d77d

SHA256
5087c7b14d04239bc975c1b006e8b093b708f75e7458037b6922440e9cc8c172

SHA512
08705f6316be9e7f79db43a569d647d92852ed2a7e18c255051f387a90af149d52191fcd0a9700196cc99c8c71f6e5fcaed9f13d647e3ac1ad8252639a16ebb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Historicals.txt

Filesize
188B

MD5
fed5fc9cdcebaeb62c80d697046be8a0

SHA1
8fff2bb19c652e63627c8e0a9cfefed3d7479762

SHA256
47d528aeac78bed87b82339dc52c4656fb19557302fdb75a3053c13a51ebeee9

SHA512
04daa111da7f50d0ba86bd1bab1a69d68515c8e560f02d2e69ad69d77c7907ca39a39aff3c9bf3847c3b2d8ba2b42b3cc5c554fbbb804fa4ccf23a63282314fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Historicals.txt

Filesize
282B

MD5
829023a0cf0d0890060f17e6908a6a52

SHA1
a44c98ed32960360442e148d7f2af3ff85a9bad9

SHA256
08980d0a5711c8e810376855e5735ae0ae84fe1e05a83d70b1dec5fd585d7a41

SHA512
f6ffccbaa3311e502a7dd4cf71467dedceb5f83c2e566129ded2950c72b084d86595aeba1b5b47bb9efd4c730f3ec27ca6aacc286ac7db8940c1a32dcdc1cd6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\NordAccounts.txt

Filesize
8B

MD5
d5f3a22de66e2e5ae394d7fb2ff28f9d

SHA1
a17d58d1c2ed96f1605ad2525bc373c3fefce5a0

SHA256
bfdaf06c736251290c0ca8bf4c28808cbcb9959e381ed2bf24bccf473382bb20

SHA512
09d3b0fe75b28f782a19e8c83ce28bbe7892da32607035569447bea131990750a7ee8973d8e4a5296fb3b2f8db93bb8eae9ccffbb414a7925b9fc22603e56c63

Download Submit
C:\Users\Admin\AppData\Local\Temp\NordAccounts.txt

Filesize
8B

MD5
d5f3a22de66e2e5ae394d7fb2ff28f9d

SHA1
a17d58d1c2ed96f1605ad2525bc373c3fefce5a0

SHA256
bfdaf06c736251290c0ca8bf4c28808cbcb9959e381ed2bf24bccf473382bb20

SHA512
09d3b0fe75b28f782a19e8c83ce28bbe7892da32607035569447bea131990750a7ee8973d8e4a5296fb3b2f8db93bb8eae9ccffbb414a7925b9fc22603e56c63

Download Submit
C:\Users\Admin\AppData\Local\Temp\NordAccounts.txt

Filesize
8B

MD5
d5f3a22de66e2e5ae394d7fb2ff28f9d

SHA1
a17d58d1c2ed96f1605ad2525bc373c3fefce5a0

SHA256
bfdaf06c736251290c0ca8bf4c28808cbcb9959e381ed2bf24bccf473382bb20

SHA512
09d3b0fe75b28f782a19e8c83ce28bbe7892da32607035569447bea131990750a7ee8973d8e4a5296fb3b2f8db93bb8eae9ccffbb414a7925b9fc22603e56c63

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tokens.txt

Filesize
1B

MD5
68b329da9893e34099c7d8ad5cb9c940

SHA1
adc83b19e793491b1c6ea0fd8b46cd9f32e592fc

SHA256
01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b

SHA512
be688838ca8686e5c90689bf2ab585cef1137c999b48c70b92f67a5c34dc15697b5d11c982ed6d71be1e1e7f7b4e0733884aa97c3f7a339a8ed03577cf74be09

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tokens.txt

Filesize
1B

MD5
68b329da9893e34099c7d8ad5cb9c940

SHA1
adc83b19e793491b1c6ea0fd8b46cd9f32e592fc

SHA256
01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b

SHA512
be688838ca8686e5c90689bf2ab585cef1137c999b48c70b92f67a5c34dc15697b5d11c982ed6d71be1e1e7f7b4e0733884aa97c3f7a339a8ed03577cf74be09

Download Submit
C:\Users\Admin\AppData\Local\Temp\passwords.txt

Filesize
1B

MD5
68b329da9893e34099c7d8ad5cb9c940

SHA1
adc83b19e793491b1c6ea0fd8b46cd9f32e592fc

SHA256
01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b

SHA512
be688838ca8686e5c90689bf2ab585cef1137c999b48c70b92f67a5c34dc15697b5d11c982ed6d71be1e1e7f7b4e0733884aa97c3f7a339a8ed03577cf74be09

Download Submit
C:\Users\Admin\AppData\Local\Temp\passwords.txt

Filesize
1B

MD5
68b329da9893e34099c7d8ad5cb9c940

SHA1
adc83b19e793491b1c6ea0fd8b46cd9f32e592fc

SHA256
01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b

SHA512
be688838ca8686e5c90689bf2ab585cef1137c999b48c70b92f67a5c34dc15697b5d11c982ed6d71be1e1e7f7b4e0733884aa97c3f7a339a8ed03577cf74be09

Download Submit
C:\Users\Admin\AppData\Local\Temp\passwords.txt

Filesize
1B

MD5
68b329da9893e34099c7d8ad5cb9c940

SHA1
adc83b19e793491b1c6ea0fd8b46cd9f32e592fc

SHA256
01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b

SHA512
be688838ca8686e5c90689bf2ab585cef1137c999b48c70b92f67a5c34dc15697b5d11c982ed6d71be1e1e7f7b4e0733884aa97c3f7a339a8ed03577cf74be09

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA2B5.tmp.dat

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA381.tmp.dat

Filesize
92KB

MD5
eea7769ad18b106d7e776bb0e1b1b97b

SHA1
37f14767bcd89b2aeb45e41785c557a0ec09a896

SHA256
3c1a735844b129ee2fbd7347f89e5fcb7b3e95f71e27241209ba66bdd439c421

SHA512
68086c5ec11c4b69b17067c4c49a6042b878689ef0e8fe0c8a22c414436590fa5fb44d5e898c062c919eb40477988ff0aff27338afa278b34970b01c162274b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA391.tmp.dat

Filesize
148KB

MD5
e274a7c5372bef472f721fc001017a10

SHA1
e130d90ee077be445de19bfa9d06365cb70b6de5

SHA256
b0abd7e32a5892c085517ccba3234597c98a1d9d83666780d5bb506576067a83

SHA512
93c033f5e2d31e1eb4ae659904f4a98489172a8aca2773e35fc4a5557bf324d75e8aa89b04dea118a95fd413f9cde87c88e4dec2197bf8b2ec6a15603aaab336

Download Submit
C:\Users\Admin\Downloads\Windows.zip

Filesize
5.1MB

MD5
e9b41c6a93437493e973efb0086d2ba6

SHA1
edd61e6f780b090ba655ab5169b9e2f1526ecc76

SHA256
6afa85b07a6613072408480b351eb900d4ac38ba3e3881ae96c66c004fe7ad4c

SHA512
95de21f0a0f7a31bce279be241bbc9e807e0ddbca9933bce133fba9d69ab95d9cad5ff7d0089e26fe4299a1abae9b94028631fee9f3a2999b94a97c451a333bb

Download Submit
memory/1204-514-0x00007FFEE5EA0000-0x00007FFEE6961000-memory.dmp

Filesize
10.8MB

Download
memory/1204-485-0x0000000000190000-0x00000000002B6000-memory.dmp

Filesize
1.1MB

Download
memory/1204-486-0x00007FFEE5EA0000-0x00007FFEE6961000-memory.dmp

Filesize
10.8MB

Download
memory/1204-487-0x0000000002370000-0x0000000002380000-memory.dmp

Filesize
64KB

Download
memory/3588-515-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3588-516-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3744-549-0x00007FFEE5EA0000-0x00007FFEE6961000-memory.dmp

Filesize
10.8MB

Download
memory/3744-518-0x00007FFEE5EA0000-0x00007FFEE6961000-memory.dmp

Filesize
10.8MB

Download
memory/3744-517-0x0000000000550000-0x000000000067C000-memory.dmp

Filesize
1.2MB

Download
memory/4620-450-0x000000001B3D0000-0x000000001B4D2000-memory.dmp

Filesize
1.0MB

Download
memory/4620-425-0x00000000022F0000-0x000000000230A000-memory.dmp

Filesize
104KB

Download
memory/4620-422-0x0000000000070000-0x000000000019C000-memory.dmp

Filesize
1.2MB

Download
memory/4620-423-0x00007FFEE5350000-0x00007FFEE5E11000-memory.dmp

Filesize
10.8MB

Download
memory/4620-424-0x000000001AEC0000-0x000000001AED0000-memory.dmp

Filesize
64KB

Download
memory/4620-447-0x000000001BE80000-0x000000001BE92000-memory.dmp

Filesize
72KB

Download
memory/4620-448-0x000000001C840000-0x000000001C87C000-memory.dmp

Filesize
240KB

Download
memory/4620-451-0x00007FFEE5350000-0x00007FFEE5E11000-memory.dmp

Filesize
10.8MB

Download
memory/4672-472-0x00000197BEA30000-0x00000197BEA31000-memory.dmp

Filesize
4KB

Download
memory/4672-473-0x00000197BEA30000-0x00000197BEA31000-memory.dmp

Filesize
4KB

Download
memory/4672-484-0x00000197BEA30000-0x00000197BEA31000-memory.dmp

Filesize
4KB

Download
memory/4672-474-0x00000197BEA30000-0x00000197BEA31000-memory.dmp

Filesize
4KB

Download
memory/4672-481-0x00000197BEA30000-0x00000197BEA31000-memory.dmp

Filesize
4KB

Download
memory/4672-478-0x00000197BEA30000-0x00000197BEA31000-memory.dmp

Filesize
4KB

Download
memory/4672-482-0x00000197BEA30000-0x00000197BEA31000-memory.dmp

Filesize
4KB

Download
memory/4672-483-0x00000197BEA30000-0x00000197BEA31000-memory.dmp

Filesize
4KB

Download
memory/4672-479-0x00000197BEA30000-0x00000197BEA31000-memory.dmp

Filesize
4KB

Download
memory/4672-480-0x00000197BEA30000-0x00000197BEA31000-memory.dmp

Filesize
4KB

Download