povertystealer | 3eac7021a3fd361916c68f6cfd399bd40cf194822bac151a204366b920b240fa

Analysis

max time kernel
145s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
15-03-2024 08:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b579d3f20b566a0dadb01be496fefbb5.exe
Size

1.8MB
MD5

b579d3f20b566a0dadb01be496fefbb5
SHA1

5637b34c6966ac6651dc7ef08ba9136ee11e6d02
SHA256

3eac7021a3fd361916c68f6cfd399bd40cf194822bac151a204366b920b240fa
SHA512

597f8da6804c25377349b47cbd3ac3ee4d39bca77258a8ddfdd431eb629836d992bcdf93ebb0b4cfb3bfb73f76731ecd358e6d343318c77626ec6fba93faa079
SSDEEP

49152:P7IsGRFnxXZBZr5jQDq53E/ikpoHAU4B6UixDoNCuHt5:P0sGRF1V5jQD2ApoHAU4BADnM5

Score

10^/10

povertystealer persistence stealer

Malware Config

Signatures

Detect Poverty Stealer Payload 1 IoCs

resource	yara_rule
behavioral2/memory/1400-70-0x0000000000CF0000-0x0000000000CFA000-memory.dmp	family_povertystealer

Poverty Stealer
Poverty Stealer is a crypto and infostealer written in C++.
stealer povertystealer

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 540 created 3448	540	Thick.pif	57

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	b579d3f20b566a0dadb01be496fefbb5.exe

Executes dropped EXE 4 IoCs

pid	Process
540	Thick.pif
3020	Thick.pif
1400	calc.exe
4840	calc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\App = "C:\\Windows\\SysWoW64\\calc.exe"	powershell.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\O:	Thick.pif
File opened (read-only)	\??\s:	Thick.pif
File opened (read-only)	\??\b:	Thick.pif
File opened (read-only)	\??\E:	Thick.pif
File opened (read-only)	\??\G:	Thick.pif
File opened (read-only)	\??\J:	Thick.pif
File opened (read-only)	\??\K:	Thick.pif
File opened (read-only)	\??\m:	Thick.pif
File opened (read-only)	\??\U:	Thick.pif
File opened (read-only)	\??\e:	Thick.pif
File opened (read-only)	\??\i:	Thick.pif
File opened (read-only)	\??\o:	Thick.pif
File opened (read-only)	\??\q:	Thick.pif
File opened (read-only)	\??\R:	Thick.pif
File opened (read-only)	\??\Z:	Thick.pif
File opened (read-only)	\??\z:	Thick.pif
File opened (read-only)	\??\D:	Thick.pif
File opened (read-only)	\??\h:	Thick.pif
File opened (read-only)	\??\M:	Thick.pif
File opened (read-only)	\??\P:	Thick.pif
File opened (read-only)	\??\u:	Thick.pif
File opened (read-only)	\??\Y:	Thick.pif
File opened (read-only)	\??\A:	Thick.pif
File opened (read-only)	\??\g:	Thick.pif
File opened (read-only)	\??\l:	Thick.pif
File opened (read-only)	\??\Q:	Thick.pif
File opened (read-only)	\??\y:	Thick.pif
File opened (read-only)	\??\t:	Thick.pif
File opened (read-only)	\??\I:	Thick.pif
File opened (read-only)	\??\k:	Thick.pif
File opened (read-only)	\??\L:	Thick.pif
File opened (read-only)	\??\N:	Thick.pif
File opened (read-only)	\??\r:	Thick.pif
File opened (read-only)	\??\S:	Thick.pif
File opened (read-only)	\??\H:	Thick.pif
File opened (read-only)	\??\T:	Thick.pif
File opened (read-only)	\??\v:	Thick.pif
File opened (read-only)	\??\W:	Thick.pif
File opened (read-only)	\??\a:	Thick.pif
File opened (read-only)	\??\w:	Thick.pif
File opened (read-only)	\??\x:	Thick.pif
File opened (read-only)	\??\X:	Thick.pif
File opened (read-only)	\??\B:	Thick.pif
File opened (read-only)	\??\F:	Thick.pif
File opened (read-only)	\??\j:	Thick.pif
File opened (read-only)	\??\n:	Thick.pif
File opened (read-only)	\??\p:	Thick.pif
File opened (read-only)	\??\V:	Thick.pif

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 540 set thread context of 3020	540	Thick.pif	103
PID 3020 set thread context of 1400	3020	Thick.pif	104
PID 3020 set thread context of 4840	3020	Thick.pif	106

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
4464	tasklist.exe
1296	tasklist.exe

GoLang User-Agent 7 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	48	Go-http-client/1.1
HTTP User-Agent header	49	Go-http-client/1.1
HTTP User-Agent header	58	Go-http-client/1.1
HTTP User-Agent header	59	Go-http-client/1.1
HTTP User-Agent header	67	Go-http-client/1.1
HTTP User-Agent header	68	Go-http-client/1.1
HTTP User-Agent header	69	Go-http-client/1.1

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3748	PING.EXE

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
540	Thick.pif
540	Thick.pif
540	Thick.pif
540	Thick.pif
540	Thick.pif
540	Thick.pif
540	Thick.pif
540	Thick.pif
3020	Thick.pif
3020	Thick.pif
3020	Thick.pif
3020	Thick.pif
3020	Thick.pif
3020	Thick.pif
2164	powershell.exe
2164	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4464	tasklist.exe
Token: SeDebugPrivilege	1296	tasklist.exe
Token: SeDebugPrivilege	2164	powershell.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
540	Thick.pif
540	Thick.pif
540	Thick.pif

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
540	Thick.pif
540	Thick.pif
540	Thick.pif

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 2044 wrote to memory of 3860	2044	b579d3f20b566a0dadb01be496fefbb5.exe	85
PID 2044 wrote to memory of 3860	2044	b579d3f20b566a0dadb01be496fefbb5.exe	85
PID 2044 wrote to memory of 3860	2044	b579d3f20b566a0dadb01be496fefbb5.exe	85
PID 3860 wrote to memory of 4464	3860	cmd.exe	87
PID 3860 wrote to memory of 4464	3860	cmd.exe	87
PID 3860 wrote to memory of 4464	3860	cmd.exe	87
PID 3860 wrote to memory of 1588	3860	cmd.exe	88
PID 3860 wrote to memory of 1588	3860	cmd.exe	88
PID 3860 wrote to memory of 1588	3860	cmd.exe	88
PID 3860 wrote to memory of 1296	3860	cmd.exe	90
PID 3860 wrote to memory of 1296	3860	cmd.exe	90
PID 3860 wrote to memory of 1296	3860	cmd.exe	90
PID 3860 wrote to memory of 4756	3860	cmd.exe	91
PID 3860 wrote to memory of 4756	3860	cmd.exe	91
PID 3860 wrote to memory of 4756	3860	cmd.exe	91
PID 3860 wrote to memory of 3660	3860	cmd.exe	92
PID 3860 wrote to memory of 3660	3860	cmd.exe	92
PID 3860 wrote to memory of 3660	3860	cmd.exe	92
PID 3860 wrote to memory of 4916	3860	cmd.exe	93
PID 3860 wrote to memory of 4916	3860	cmd.exe	93
PID 3860 wrote to memory of 4916	3860	cmd.exe	93
PID 3860 wrote to memory of 1940	3860	cmd.exe	94
PID 3860 wrote to memory of 1940	3860	cmd.exe	94
PID 3860 wrote to memory of 1940	3860	cmd.exe	94
PID 3860 wrote to memory of 540	3860	cmd.exe	95
PID 3860 wrote to memory of 540	3860	cmd.exe	95
PID 3860 wrote to memory of 3748	3860	cmd.exe	96
PID 3860 wrote to memory of 3748	3860	cmd.exe	96
PID 3860 wrote to memory of 3748	3860	cmd.exe	96
PID 540 wrote to memory of 3020	540	Thick.pif	103
PID 540 wrote to memory of 3020	540	Thick.pif	103
PID 540 wrote to memory of 3020	540	Thick.pif	103
PID 540 wrote to memory of 3020	540	Thick.pif	103
PID 3020 wrote to memory of 1400	3020	Thick.pif	104
PID 3020 wrote to memory of 1400	3020	Thick.pif	104
PID 3020 wrote to memory of 1400	3020	Thick.pif	104
PID 3020 wrote to memory of 1400	3020	Thick.pif	104
PID 3020 wrote to memory of 4840	3020	Thick.pif	106
PID 3020 wrote to memory of 4840	3020	Thick.pif	106
PID 3020 wrote to memory of 4840	3020	Thick.pif	106
PID 3020 wrote to memory of 4840	3020	Thick.pif	106
PID 4840 wrote to memory of 2164	4840	calc.exe	107
PID 4840 wrote to memory of 2164	4840	calc.exe	107
PID 4840 wrote to memory of 2164	4840	calc.exe	107

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3448
- C:\Users\Admin\AppData\Local\Temp\b579d3f20b566a0dadb01be496fefbb5.exe
  "C:\Users\Admin\AppData\Local\Temp\b579d3f20b566a0dadb01be496fefbb5.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:2044
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k move Broke Broke.bat & Broke.bat & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3860
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4464
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "wrsa.exe opssvc.exe"
      4⤵
      PID:1588
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1296
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
      4⤵
      PID:4756
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c md 9354
      4⤵
      PID:3660
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b 9354\Thick.pif + Slave + Lens + Imagine + Reasoning + Gloves + Trivia + Published 9354\Thick.pif
      4⤵
      PID:4916
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b Production + With + Cognitive + Injection + Expenditures + Fog + Reviewer + Vatican + Factor + Assisted + Bind + Idaho 9354\Q
      4⤵
      PID:1940
  - - C:\Users\Admin\AppData\Local\Temp\9354\Thick.pif
      9354\Thick.pif 9354\Q
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:540
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 5 127.0.0.1
      4⤵
      Runs ping.exe
      PID:3748
- C:\Users\Admin\AppData\Local\Temp\9354\Thick.pif
  C:\Users\Admin\AppData\Local\Temp\9354\Thick.pif
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3020
- - C:\Windows\SysWoW64\calc.exe
    C:\Windows\SysWoW64\calc.exe
    3⤵
    - Executes dropped EXE
    PID:1400
- - C:\Windows\SysWoW64\calc.exe
    C:\Windows\SysWoW64\calc.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4840
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -WindowStyle hidden -Command "if (-Not (Test-Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\App\")) { Set-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" -Name \"App\" -Value \"C:\Windows\SysWoW64\calc.exe\" }"
      4⤵
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9354\Q

Filesize
2.7MB

MD5
a6c1dc61c97a0d8e91154ef816cb73f0

SHA1
b96acd664261083dad4e8ebcc47c0c3c0f5d341d

SHA256
a086fab2dcb7d4ff2fc105cccb1bedaba248a4c0e9831bd135f26a1e53cec817

SHA512
95ac3641d7ea4c980ceec6b35f4adcadb8f0a1d3d07c50340192d1af747f6f01db2ceb31fcb8081943677236030621020ec9fbb5d9951ca84dcc90a265b7301a

Download Submit
C:\Users\Admin\AppData\Local\Temp\9354\Thick.pif

Filesize
2B

MD5
ac6ad5d9b99757c3a878f2d275ace198

SHA1
439baa1b33514fb81632aaf44d16a9378c5664fc

SHA256
9b8db510ef42b8ed54a3712636fda55a4f8cfcd5493e20b74ab00cd4f3979f2d

SHA512
bfcdcb26b6f0c288838da7b0d338c2af63798a2ece9dcd6bc07b7cadf44477e3d5cfbba5b72446c61a1ecf74a0bccc62894ea87a40730cd1d4c2a3e15a7bb55b

Download Submit
C:\Users\Admin\AppData\Local\Temp\9354\Thick.pif

Filesize
1.0MB

MD5
bfa84dbde0df8f1cad3e179bd46a6e34

SHA1
06ae3c38d4b2f8125656268925ebde9eca6a1f9e

SHA256
6de412b8674ffba5d78ff9d36abffbe2cf86fd08b2231592fca2fcf41f1f2314

SHA512
edd4c839437570003e1cc4a04e6cb7bf8c70c0ebdae741e69782e9bdf47c42441cd8d709170898859b94b3248cccf0e9dfa5e183c110b93ded935ce69a0ff82a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Assisted

Filesize
253KB

MD5
30070892755e82c18e97a8101aeeebe8

SHA1
f87b3c6c608e682cf70d19127952a18eb3dee3a6

SHA256
ca3c29995177c45876cb4f5ec9a4b36be010b7c220c3f1e0184f5b4c8428af91

SHA512
c0a1429b989c19385554d27c499be8b5404f7dc59187cb80a08b61a388b3bec2486ee4cf498a5d3a4e556f7289ddbc3f0584ab7e73c7d2206e89df5680fe0c17

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bind

Filesize
224KB

MD5
d8b42df3623b4213f6456e5afb5e5b68

SHA1
979e5dffbb01f547caa628cbd305ec6ee9d9082d

SHA256
bee1837ce4229533f4cef01a10e6cfe20f181247a5624d7fc29bd9d6ff418a8a

SHA512
1cc5bd1575e51d5931a71663847ad94b210ddc21c81fa2ed896abf47de12015e9c6187078c47348a5eead27b38ca402fbfb4b3847c55a782574420aee3cf1b03

Download Submit
C:\Users\Admin\AppData\Local\Temp\Broke

Filesize
16KB

MD5
27c3f756e3a72033d024ec71fc43f076

SHA1
9c57caeed8712ade53fc0459a2e1fed58cb1d0f3

SHA256
7886d1739b5fda883880ea492c5392c710dc07850f8dffcdd73164d07414b8df

SHA512
999e0293c270fcffb4b20811fd77502cab9da1460f5ff10a3a5ab71d066d176cb384a9ca25ac21d4106c4833597f198f5e6990ba91e54d2c900aec4418f35d2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cognitive

Filesize
211KB

MD5
3392c08e28d207e359dc077593b23a9f

SHA1
c30ae8c64011339c06f7a6d12c1358e962d6a7e8

SHA256
59131a08ddc6d16fb52eff8c39967b4b79fc76d1d78a74d631b03832909d1f39

SHA512
deace558965555b6bc9de3a2dbfe3edcbe10242519dae0ff95455abbbb50d80cba782faf9875f0742112ff1da547c9b55150403a141aafc8d7438bb8e1b886fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Expenditures

Filesize
278KB

MD5
1493b7d4446e697b31e8114a292f149f

SHA1
54226821033c836f8fd31d65bcd31db08eb9a755

SHA256
c9282cea4f45972a642d74e417642ad29f4907879ff2ff3dd61cc99f1944c75d

SHA512
a31eeed0fd658322302ad09997bb9f784833cc0a9b7a84fc30f50ad029232b65ef7d108e68af81d672614969b92eac868b771a7dc80e177eeff9a302b7a53baa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Factor

Filesize
205KB

MD5
73682a58e11c7817a9b7714c040706bf

SHA1
a0ad7c38837099f21c15592a8a3ef8bd5df9c2c3

SHA256
d8f972f0789de58eabe51fa35d0a36150b6a7928c9deda8a8be58c0a406c1a55

SHA512
830b30a2309d982f55063e658de278b395ee7ad85d29ee4b740040245d896553f2d1d5c4d19bff1cdaf8c7ebe8cab75c7b1ab511b072c053c6cf7d88dd7834df

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fog

Filesize
237KB

MD5
a3e7c9e4df993b4c7d86ce86dc85769d

SHA1
9a66306613524c2b926c4bda65f476268a9f6537

SHA256
68597722de33c61d9ae225424cde7a05de84a50d1aba19e3b9cb5253b19f9f9a

SHA512
c7b7e3d20eb879d4da6f29ff9837735e000ead32601cbb37d4e705aac663698dd8cbc90e4bab913ca1da8826d56dad7cc663cbe7220c9b561909c8d02d1b4802

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gloves

Filesize
127KB

MD5
b48cf59f6caca58e37f392e60ad92bed

SHA1
c080347107b8980e213af4640652d052f75cea8c

SHA256
9ebc1d3631fbaaa65576d7c9fe34b9e164455225ed2f2e3413609c52370b9dff

SHA512
0a424303d0e723207bd8b31bccca6a4492ee723d6e069a10f75206364587715e35e5fba2a3fdebd4bcb8e43d6bbd4f1584113cc4917781fe42b192a19c145c8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Idaho

Filesize
64KB

MD5
a899d54a59f583a25d66a4e6ad2cccaf

SHA1
cbfe400c2bc08c8048eadfb90018dcf2dec625f0

SHA256
403fb144c3a4b5c42fc52a0342f55ceca3d4146ce4f93050d75cad908cb11df3

SHA512
ee52cf433b104ba2737e63514f3f41017d5d27ffb7166aed1b417887e25dc54eb8a5a7be2be418cf5e53b6ce18ab85301bd7aff2a0418b53d8ccec4fe0d76dfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Imagine

Filesize
221KB

MD5
a53104ea25667d7279abdd0c80d7ad9f

SHA1
784858f4486c69b799f929c861dc647b39de76b6

SHA256
5dcc5955e3abfba16c951139f3544d8a6855e8a558867277c8ef030c9c09575e

SHA512
d91cb360178af8095c60ecd6325ffbf7bfbc56f440ddc8b1e2d3d56f106143330ec4ea8ac77320cd63332bb40a849b3690e919fea0e100d95a589650bbd9c758

Download Submit
C:\Users\Admin\AppData\Local\Temp\Injection

Filesize
290KB

MD5
8c3d2a19eb8d84c9affcc8fbf5f6a05d

SHA1
d37d3b019166d91d8a92d5c31cf1adc478ef7cfb

SHA256
fe15baa11fc431bacfb2159905398df008bf3f43dfad27087213428052640135

SHA512
d49abdc241c77e16985ebe78161f9b126c1fb6bd5974c1a5664592fd4d6d004a0a52ccbcd53043e44dd9e9e141d68d53e8577fb5e1289d8e4a342eff05a1ce39

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lens

Filesize
123KB

MD5
c5fd0522ace7ddbba48aadb97ce387ef

SHA1
6170dff7fda6fb94be868aa8d9acbfc522220bc7

SHA256
d639d35f9c58c821aa582c41545c5cfd7ec80deb0d4f0f2573f3837f62381c80

SHA512
995381892a6cc38a4dbf47495a76a88451bf9d9c62c6bb2b12812556febd8e32b4eb8f00f343a4cc1cf48d53746990d8ff808f03386c73ec1533f9267e94663b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Production

Filesize
253KB

MD5
aa3e99150f69205bfd78614da336de11

SHA1
6d6ab6b46f363c91a5b9f02a055f86331bda277d

SHA256
1d6d6a85ad3b5589593a6ce0387e6fabeae43df990c28902835f966536e3ea42

SHA512
ec69f164fcde8d2cda2a9dfdc9e9e325b601d37923eee609cd9f329e4320ebd62fe8d8159f05912750a7c3dbe315ffef550b1fad1345b8224edadf63a29e5ffd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Published

Filesize
32KB

MD5
eebbe9e1b98c15530fbf6c43af7f2c0d

SHA1
5f252ce9b88bf90add7f8afc34069f3b9f69ecb9

SHA256
182c7c63737c7943979d2d8170d2a0456810617cf74632dce0261131748b5bad

SHA512
7ac0d1375201782c4a042db66ad3aa950085fdde1f9995a086d72e2caa7b16c2f3f7f515e58efb0f22139f775af594a92d69998b9497b070d9e7bde0beda5b44

Download Submit
C:\Users\Admin\AppData\Local\Temp\Reasoning

Filesize
281KB

MD5
b16e584b33b095c459ddb58f5a5f0a7f

SHA1
6ef4f525f17889b5413c67457bfedee1f6e6ee06

SHA256
69dfc8caf7ed1b37a4517246e1afba532dba5e32284810240083e1214f64fd44

SHA512
de8d8c0c9fa3b11848d1d6d7dfa67d991a7f8cc2f4346286bbc756e22c0aa49b38554bea19ede1cef8ce924b71a38be8cb0f8b5eaa5e663f751db0e055c6abf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Reviewer

Filesize
278KB

MD5
6d7acfd7141f20365df49374ae882397

SHA1
9161d8e36d246a31160b5f9a372298848a9d050a

SHA256
0947ddbd41d1374fb261a0fcd7b43e7d2213f124e2f83e1590a48f463307bb41

SHA512
65a30168f725ab8787712ca58f3a9cfffba18d0eaf3127f662f90345598da562181abbda5c629f44268798cdbf7787b7c28f1368edc328efeab8dd7e65faf457

Download Submit
C:\Users\Admin\AppData\Local\Temp\Slave

Filesize
158KB

MD5
e0336ac22a857113dda2889f8bb3c409

SHA1
b6d2c689cdcc2b7a45b2cb60d50ddad7b06c6d55

SHA256
c10a233765bdc12913765ee35dd7ec545e41ebef43c48551d8c448f498908a73

SHA512
102bf16b24e1c02c0a1723cfa239822aab85429d31e86edac92211eaf70caf8674ee0ae4d97c499ba67b11eab2b87c0764a60fd7babec4d0fce89b5b93573216

Download Submit
C:\Users\Admin\AppData\Local\Temp\Trivia

Filesize
104KB

MD5
7efeb34649e1493ef313a9e0c72aee0a

SHA1
598efa5f4eb540a463e1e9ec57ffdd962f5448c6

SHA256
7871ff9abc7ff3debd7ae4bdea9c236d666273becd24c929886a91ed3cfdbf3b

SHA512
cf1ea0ce4ea840c4d2bf59010049e37913dacd5c9d58f622a5f949ae5eee5b6ad468a14f5784bdd1f1400679891c48c5e0783a00c23046b43d2644e25cdfab0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Vatican

Filesize
240KB

MD5
1634bce137a0cfc4f5ab57159cbe6004

SHA1
6f8ed62cbc4c4aa00262cf2a1bd1a9c66adf01a3

SHA256
ee9a688893abd912cd6559b34029c44de6b954094fae5e43bfbd15c7cdfefcbd

SHA512
ff93f494120d7e6777a248a59f89fb3744e186ef39bb52b337217ed7f143fbb6e9a7ef395595261975ccb6d83a5e2b39270b4e33f6b020aa4fcc4265803cc955

Download Submit
C:\Users\Admin\AppData\Local\Temp\With

Filesize
217KB

MD5
bcaf009e5bc9c6352fb04b9cec015e4f

SHA1
1be02565593bc43e6ae783d50e3a23966691a927

SHA256
9c66a0c2f56b84aff34d1b87274331effb5cfeb87be3b5a75ca6a1c6e28c207e

SHA512
6bde0bd71344375ac25084da10c04958df35c0015c94d4a2c168fb96a7b53c9289dcf41f58ea2566dc092157e3b401603f34ebe16683392e966daae047f39326

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4rr4cld3.rdr.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/540-47-0x0000013780FA0000-0x0000013780FA1000-memory.dmp

Filesize
4KB

Download
memory/1400-70-0x0000000000CF0000-0x0000000000CFA000-memory.dmp

Filesize
40KB

Download
memory/1400-65-0x00000000011D0000-0x00000000011D1000-memory.dmp

Filesize
4KB

Download
memory/2164-75-0x0000000006160000-0x00000000061C6000-memory.dmp

Filesize
408KB

Download
memory/2164-74-0x0000000005990000-0x00000000059B2000-memory.dmp

Filesize
136KB

Download
memory/2164-95-0x0000000074070000-0x0000000074820000-memory.dmp

Filesize
7.7MB

Download
memory/2164-92-0x0000000008070000-0x0000000008614000-memory.dmp

Filesize
5.6MB

Download
memory/2164-91-0x0000000006D70000-0x0000000006D92000-memory.dmp

Filesize
136KB

Download
memory/2164-90-0x0000000006D20000-0x0000000006D3A000-memory.dmp

Filesize
104KB

Download
memory/2164-89-0x0000000007A20000-0x0000000007AB6000-memory.dmp

Filesize
600KB

Download
memory/2164-88-0x0000000006890000-0x00000000068DC000-memory.dmp

Filesize
304KB

Download
memory/2164-87-0x0000000006850000-0x000000000686E000-memory.dmp

Filesize
120KB

Download
memory/2164-86-0x0000000006380000-0x00000000066D4000-memory.dmp

Filesize
3.3MB

Download
memory/2164-68-0x0000000003260000-0x0000000003296000-memory.dmp

Filesize
216KB

Download
memory/2164-69-0x0000000074070000-0x0000000074820000-memory.dmp

Filesize
7.7MB

Download
memory/2164-76-0x00000000061D0000-0x0000000006236000-memory.dmp

Filesize
408KB

Download
memory/2164-71-0x0000000005400000-0x0000000005410000-memory.dmp

Filesize
64KB

Download
memory/2164-72-0x0000000005400000-0x0000000005410000-memory.dmp

Filesize
64KB

Download
memory/2164-73-0x0000000005A40000-0x0000000006068000-memory.dmp

Filesize
6.2MB

Download
memory/3020-53-0x000001D4B3150000-0x000001D4B32FC000-memory.dmp

Filesize
1.7MB

Download
memory/3020-55-0x000001D4B3150000-0x000001D4B32FC000-memory.dmp

Filesize
1.7MB

Download
memory/3020-52-0x000001D4B3150000-0x000001D4B32FC000-memory.dmp

Filesize
1.7MB

Download
memory/3020-49-0x000001D4B3150000-0x000001D4B32FC000-memory.dmp

Filesize
1.7MB

Download
memory/3020-58-0x000001D4B3150000-0x000001D4B32FC000-memory.dmp

Filesize
1.7MB

Download
memory/3020-54-0x000001D4B3150000-0x000001D4B32FC000-memory.dmp

Filesize
1.7MB

Download
memory/3020-63-0x000001D4B35A0000-0x000001D4B35A3000-memory.dmp

Filesize
12KB

Download
memory/3020-60-0x000001D4B3150000-0x000001D4B32FC000-memory.dmp

Filesize
1.7MB

Download
memory/3020-56-0x000001D4B3150000-0x000001D4B32FC000-memory.dmp

Filesize
1.7MB

Download
memory/3020-50-0x000001D4B3150000-0x000001D4B32FC000-memory.dmp

Filesize
1.7MB

Download
memory/3020-59-0x000001D4B3150000-0x000001D4B32FC000-memory.dmp

Filesize
1.7MB

Download
memory/3020-57-0x000001D4B3150000-0x000001D4B32FC000-memory.dmp

Filesize
1.7MB

Download
memory/4840-96-0x0000000000EF0000-0x000000000170C000-memory.dmp

Filesize
8.1MB

Download
memory/4840-99-0x0000000000EF0000-0x000000000170C000-memory.dmp

Filesize
8.1MB

Download
memory/4840-103-0x0000000000EF0000-0x000000000170C000-memory.dmp

Filesize
8.1MB

Download
memory/4840-104-0x0000000000EF0000-0x000000000170C000-memory.dmp

Filesize
8.1MB

Download
memory/4840-107-0x0000000000EF0000-0x000000000170C000-memory.dmp

Filesize
8.1MB

Download