blackguard | 2f133fae5486b86cbf0f65e82c309692c054557cc4fde262af158c489a7ec00b

Analysis

max time kernel
140s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
06-04-2024 19:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2f133fae5486b86cbf0f65e82c309692c054557cc4fde262af158c489a7ec00b.exe
Size

9.8MB
MD5

8f31cb1de574e7070f0b756474968456
SHA1

680aba2b6b0a4cfa1d106c3c8f732a89d261e265
SHA256

2f133fae5486b86cbf0f65e82c309692c054557cc4fde262af158c489a7ec00b
SHA512

825a889b23884c8cb3fbaf06de6184b387c087bf24bdca17380f0442523d49c97762a6b6150a8276d1ff414799728a340e9f9e114f36b045d865d7d2e5912b57
SSDEEP

196608:iwumqqo5Kpjc4bSmpcxZJMI3LDbbxI0T1SwgfWtjen+7VMHFRMY:iwumRoApjc4bJKxzMcbbX2WNen++Hp

Score

10^/10

blackguard spyware stealer upx vmprotect

Malware Config

Extracted

Family

blackguard

https://api.telegram.org/bot7160282613:AAFbC1FSQC-98qkDv63fGJWl04i7irG3A2w/sendMessage?chat_id=5314341717

Signatures

BlackGuard
Infostealer first seen in Late 2021.
stealer blackguard

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 2 IoCs

resource	yara_rule
behavioral2/files/0x000c000000023155-27.dat	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/4412-40-0x000002CDF16D0000-0x000002CDF1736000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers

Detects executables containing SQL queries to confidential data stores. Observed in infostealers 2 IoCs

resource	yara_rule
behavioral2/files/0x000c000000023155-27.dat	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
behavioral2/memory/4412-40-0x000002CDF16D0000-0x000002CDF1736000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore

Detects executables containing common artifacts observed in infostealers 2 IoCs

resource	yara_rule
behavioral2/files/0x000c000000023155-27.dat	INDICATOR_SUSPICIOUS_GENInfoStealer
behavioral2/memory/4412-40-0x000002CDF16D0000-0x000002CDF1736000-memory.dmp	INDICATOR_SUSPICIOUS_GENInfoStealer

Detects executables packed with VMProtect. 4 IoCs

resource	yara_rule
behavioral2/files/0x00020000000228bf-6.dat	INDICATOR_EXE_Packed_VMProtect
behavioral2/memory/1320-11-0x0000000000400000-0x00000000014CE000-memory.dmp	INDICATOR_EXE_Packed_VMProtect
behavioral2/memory/1320-17-0x0000000000400000-0x00000000014CE000-memory.dmp	INDICATOR_EXE_Packed_VMProtect
behavioral2/memory/1320-45-0x0000000000400000-0x00000000014CE000-memory.dmp	INDICATOR_EXE_Packed_VMProtect

Detects executables referencing Discord tokens regular expressions 2 IoCs

resource	yara_rule
behavioral2/files/0x000c000000023155-27.dat	INDICATOR_SUSPICIOUS_EXE_Discord_Regex
behavioral2/memory/4412-40-0x000002CDF16D0000-0x000002CDF1736000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Discord_Regex

Detects executables referencing credit card regular expressions 2 IoCs

resource	yara_rule
behavioral2/files/0x000c000000023155-27.dat	INDICATOR_SUSPICIOUS_EXE_CC_Regex
behavioral2/memory/4412-40-0x000002CDF16D0000-0x000002CDF1736000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_CC_Regex

Detects executables referencing many VPN software clients. Observed in infosteslers 2 IoCs

resource	yara_rule
behavioral2/files/0x000c000000023155-27.dat	INDICATOR_SUSPICIOUS_EXE_References_VPN
behavioral2/memory/4412-40-0x000002CDF16D0000-0x000002CDF1736000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_VPN

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers 2 IoCs

resource	yara_rule
behavioral2/files/0x000c000000023155-27.dat	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral2/memory/4412-40-0x000002CDF16D0000-0x000002CDF1736000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

Detects executables referencing many email and collaboration clients. Observed in information stealers 2 IoCs

resource	yara_rule
behavioral2/files/0x000c000000023155-27.dat	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral2/memory/4412-40-0x000002CDF16D0000-0x000002CDF1736000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

Detects executables using Telegram Chat Bot 2 IoCs

resource	yara_rule
behavioral2/files/0x000c000000023155-27.dat	INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
behavioral2/memory/4412-40-0x000002CDF16D0000-0x000002CDF1736000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TelegramChatBot

UPX dump on OEP (original entry point) 2 IoCs

resource	yara_rule
behavioral2/files/0x00030000000228bc-48.dat	UPX
behavioral2/memory/452-61-0x0000000000400000-0x0000000000446000-memory.dmp	UPX

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	2f133fae5486b86cbf0f65e82c309692c054557cc4fde262af158c489a7ec00b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	SharpBuild.exe

Executes dropped EXE 4 IoCs

pid	Process
1320	SharpBuild.exe
4412	sharp_build.exe
452	Firefo.exe
4044	setup-stub.exe

Loads dropped DLL 8 IoCs

pid	Process
4044	setup-stub.exe
4044	setup-stub.exe
4044	setup-stub.exe
4044	setup-stub.exe
4044	setup-stub.exe
4044	setup-stub.exe
4412	sharp_build.exe
4044	setup-stub.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x00030000000228bc-48.dat	upx
behavioral2/memory/452-61-0x0000000000400000-0x0000000000446000-memory.dmp	upx

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/files/0x00020000000228bf-6.dat	vmprotect
behavioral2/memory/1320-11-0x0000000000400000-0x00000000014CE000-memory.dmp	vmprotect
behavioral2/memory/1320-17-0x0000000000400000-0x00000000014CE000-memory.dmp	vmprotect
behavioral2/memory/1320-45-0x0000000000400000-0x00000000014CE000-memory.dmp	vmprotect

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 5 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
42	ip-api.com
22	api.ipify.org
23	api.ipify.org
27	freegeoip.app
28	freegeoip.app

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1320	SharpBuild.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\nsoC3DE.tmp	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\nsoC3DF.tmp	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\nsoC3DE.tmp\	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\nsoC3E0.tmp	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\nsoC3E1.tmp	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\nsoC3E0.tmp\	setup-stub.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4620	4044	WerFault.exe	97

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	sharp_build.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	sharp_build.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1320	SharpBuild.exe
1320	SharpBuild.exe
1320	SharpBuild.exe
1320	SharpBuild.exe
4412	sharp_build.exe
4412	sharp_build.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4412	sharp_build.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4044	setup-stub.exe
4044	setup-stub.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 456 wrote to memory of 1320	456	2f133fae5486b86cbf0f65e82c309692c054557cc4fde262af158c489a7ec00b.exe	89
PID 456 wrote to memory of 1320	456	2f133fae5486b86cbf0f65e82c309692c054557cc4fde262af158c489a7ec00b.exe	89
PID 456 wrote to memory of 1320	456	2f133fae5486b86cbf0f65e82c309692c054557cc4fde262af158c489a7ec00b.exe	89
PID 1320 wrote to memory of 4412	1320	SharpBuild.exe	93
PID 1320 wrote to memory of 4412	1320	SharpBuild.exe	93
PID 456 wrote to memory of 452	456	2f133fae5486b86cbf0f65e82c309692c054557cc4fde262af158c489a7ec00b.exe	95
PID 456 wrote to memory of 452	456	2f133fae5486b86cbf0f65e82c309692c054557cc4fde262af158c489a7ec00b.exe	95
PID 456 wrote to memory of 452	456	2f133fae5486b86cbf0f65e82c309692c054557cc4fde262af158c489a7ec00b.exe	95
PID 452 wrote to memory of 4044	452	Firefo.exe	97
PID 452 wrote to memory of 4044	452	Firefo.exe	97
PID 452 wrote to memory of 4044	452	Firefo.exe	97

C:\Users\Admin\AppData\Local\Temp\2f133fae5486b86cbf0f65e82c309692c054557cc4fde262af158c489a7ec00b.exe
"C:\Users\Admin\AppData\Local\Temp\2f133fae5486b86cbf0f65e82c309692c054557cc4fde262af158c489a7ec00b.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:456
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\SharpBuild.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\SharpBuild.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1320
- - C:\Users\Admin\AppData\Local\Temp\sharp_build.exe
    "C:\Users\Admin\AppData\Local\Temp\sharp_build.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4412
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Firefo.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Firefo.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:452
- - C:\Users\Admin\AppData\Local\Temp\7zS4C172CE7\setup-stub.exe
    .\setup-stub.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of SetWindowsHookEx
    PID:4044
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4044 -s 2520
      4⤵
      Program crash
      PID:4620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4044 -ip 4044
1⤵
PID:3820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS4C172CE7\setup-stub.exe

Filesize
551KB

MD5
5fd46fbfb36b47f608282ae8d55abf6e

SHA1
81470ec69b0bf36fa80e08c6fde624af4c77b236

SHA256
2e73a71335a1d0d90abaca7885a4de92077092400764ecaebe47c8fc8846b4b3

SHA512
e589cb3cf54fba262a57332a034b4aadfbb57ba1fb746c7fc013bb07d53c00e0207fd418d9f02d1caa834dde193f6635dd6959799bd88536657d47b4557c6c1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\BouncyCastle.Crypto.dll

Filesize
3.2MB

MD5
0cf454b6ed4d9e46bc40306421e4b800

SHA1
9611aa929d35cbd86b87e40b628f60d5177d2411

SHA256
e51721dc0647f4838b1abc592bd95fd8cb924716e8a64f83d4b947821fa1fa42

SHA512
85262f1bc67a89911640f59a759b476b30ca644bd1a1d9cd3213cc8aae16d7cc6ea689815f19b146db1d26f7a75772ceb48e71e27940e3686a83eb2cf7e46048

Download Submit
C:\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.dll

Filesize
695KB

MD5
195ffb7167db3219b217c4fd439eedd6

SHA1
1e76e6099570ede620b76ed47cf8d03a936d49f8

SHA256
e1e27af7b07eeedf5ce71a9255f0422816a6fc5849a483c6714e1b472044fa9d

SHA512
56eb7f070929b239642dab729537dde2c2287bdb852ad9e80b5358c74b14bc2b2dded910d0e3b6304ea27eb587e5f19db0a92e1cbae6a70fb20b4ef05057e4ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Firefo.exe

Filesize
342KB

MD5
f48a8bcd6a286303feedc0912b34eaf9

SHA1
461b7e1e6d0359b480c82802724c6b316d19c291

SHA256
17ab9465b0ead4ba02d2d68a03f34cd04144db5dd2ce73d6a35c71566d1574b7

SHA512
58b98b4e8cbf44cef124ec71ec305419fa8f049d1a1e78cdcfddc9ba18a7f893b35198b04bb5e311de2a91e58ac49e9047c962debefc7896918005d640f4b201

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\SharpBuild.exe

Filesize
9.4MB

MD5
25759c878c892572e611027fecda3c12

SHA1
e135b3537c01f7811fed683aa0650246fe5d9d30

SHA256
319e0029327f1eeb479f4272213bbe7d01e66416152ee33cc4916cd7e4421d96

SHA512
8e3b70589b5799a7762c6420f8f2f34cb5929d05e97a843d62951f5b77e0941801b9041a622c6fcff636c82262ead7d8f88fc29fa0d46f2eac55fd480f9a50c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\SQLite.Interop.dll

Filesize
1.7MB

MD5
a73fdfb6815b151848257eca042a42ef

SHA1
73f18e6b4d1f638e7ce2a7ad36635018482f2c55

SHA256
10c9ccec863ed80850c7b7080e4f2e34b133ce259d1ae3ea7a305cebf6e2940d

SHA512
111f5a7bd916ab317fc127cbf49a2a81c2a614ce3a655a0446f2ebf3c2e61509db5633a391bef06c4ba0b58a71c752262ec2467a09abc56827263c647b08a09d

Download Submit
C:\Users\Admin\AppData\Local\Temp\System.Data.SQLite.dll

Filesize
402KB

MD5
b0911d27918a1e20088b4e6b6ec29ad3

SHA1
93a285c96a4d391ea4fe6655caaa0bbf2ee52683

SHA256
24043ef4472d9d035cd1a8294f68d2bbfdf76f5455af80c09c89e64f6ed15917

SHA512
518da2e73b849be38570d7db218adeb47f85fde89c15dac577eb1446a9a55bb4cfaf31d371428b9c4f0c69c0be3e2cb10fafcadbec24e8ab793b639392e3f029

Download Submit
C:\Users\Admin\AppData\Local\Temp\c902c383-d72a-42f2-9fdb-bc19997f9f1f

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoC38F.tmp\CityHash.dll

Filesize
53KB

MD5
2021acc65fa998daa98131e20c4605be

SHA1
2e8407cfe3b1a9d839ea391cfc423e8df8d8a390

SHA256
c299a0a71bf57eb241868158b4fcfe839d15d5ba607e1bdc5499fdf67b334a14

SHA512
cb96d3547bab778cbe94076be6765ed2ae07e183e4888d6c380f240b8c6708662a3b2b6b2294e38c48bc91bf2cc5fc7cfcd3afe63775151ba2fe34b06ce38948

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoC38F.tmp\InetBgDL.dll

Filesize
17KB

MD5
97c607f5d0add72295f8d0f27b448037

SHA1
dfb9a1aa1d3b1f7821152afaac149cad38c8ce3c

SHA256
dc98ed352476af459c91100b8c29073988da19d3adc73e2c2086d25f238544a5

SHA512
ad759062152869089558389c741876029198c5b98fa725e2d2927866dc8b416ae2de871cb2479f614f6d29b6f646bf7191d02837c3cabc15b8185b563bc46268

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoC38F.tmp\System.dll

Filesize
22KB

MD5
b361682fa5e6a1906e754cfa08aa8d90

SHA1
c6701aee0c866565de1b7c1f81fd88da56b395d3

SHA256
b711c4f17690421c9dc8ddb9ed5a9ddc539b3a28f11e19c851e25dcfc7701c04

SHA512
2778f91c9bcf83277d26c71118a1ccb0fb3ce50e89729f14f4915bc65dd48503a77b1e5118ce774dea72f5ce3cc8681eb9ca3c55cf90e9f61a177101ba192ae9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoC38F.tmp\UAC.dll

Filesize
28KB

MD5
d23b256e9c12fe37d984bae5017c5f8c

SHA1
fd698b58a563816b2260bbc50d7f864b33523121

SHA256
ec6a56d981892bf251df1439bea425a5f6c7e1c7312d44bedd5e2957f270338c

SHA512
13f284821324ffaeadafd3651f64d896186f47cf9a68735642cf37b37de777dba197067fbccd3a7411b5dc7976e510439253bd24c9be1d36c0a59d924c17ae8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoC38F.tmp\UserInfo.dll

Filesize
14KB

MD5
610ad03dec634768cd91c7ed79672d67

SHA1
dc8099d476e2b324c09db95059ec5fd3febe1e1e

SHA256
c6c413108539f141bea3f679e0e2ef705898c51ec7c2607f478a865fc5e2e2df

SHA512
18c3c92be81aadfa73884fe3bdf1fce96ccfbd35057600ef52788a871de293b64f677351ba2885c6e9ce5c3890c22471c92832ffc13ba544e9d0b347c5d33bfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoC38F.tmp\WebBrowser.dll

Filesize
103KB

MD5
b53cd4ad8562a11f3f7c7890a09df27a

SHA1
db66b94670d47c7ee436c2a5481110ed4f013a48

SHA256
281a0dc8b4f644334c2283897963b20df88fa9fd32acca98ed2856b23318e6ec

SHA512
bb45d93ed13df24a2056040c219cdf36ee44c8cddb7e178fdaabcec63ac965e07f679ca1fa42591bba571992af619aa1dc76e819a7901709df79598a2b0cef81

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoC38F.tmp\profile_cleanup.html

Filesize
1KB

MD5
1cb97b5f8c5f2728b26742d1d0669899

SHA1
bb5ab1b8c00810fcb18184a996573c5accdc72c3

SHA256
dec82e9caa154300e1aa44f550c16b455a2025be4fb1c3155cb75fe04a6b6611

SHA512
768ed2b070485f3bbcf457aefdc0ef8f1737ad8ac4a2703e2feaff424f9a2c69a2f5928a3be898932ef4976a44ea829a099d090bd9941a24d045d5c8ac8b7b43

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoC38F.tmp\profile_cleanup.js

Filesize
1KB

MD5
d845e8f4c0edb3cab17e6a30090ac5b8

SHA1
654f058570f0868f0acc5f0595147f3385a9c265

SHA256
1adcfdd9768242c6c639b10e4f0bcda24f6a957a169c1dede265e40336ecbd4f

SHA512
401d800c484b74401b90c3285d8b6cc0018baf4979d6ec7bb174f7810d3f60adfa6b4cebeafcee20d5a7c3597447f755af19c5fecf1863e2438fe427dbdf9fed

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoC38F.tmp\stub_common.js

Filesize
815B

MD5
efce3dce0165b3f6551db47e5c0ac8d6

SHA1
1e15f6bb688e3d645092c1aa5ee3136f8de65312

SHA256
dab39cbae31848cce0b5c43fddd2674fef4dea5b7a3dacdaabdc78a8a931817e

SHA512
cec12da07f52822aaed340b1b751153efa43e5c3d747fa39f03bb2800bf53e9416020d654a818a6088acb2cf5581714433d818537f04af150e6bfb6861c03988

Download Submit
C:\Users\Admin\AppData\Local\Temp\sharp_build.exe

Filesize
384KB

MD5
6ef54f1c226c282e6042cd24f0e7e7ab

SHA1
4a8906557438a27379d7243d05d03743a07c7551

SHA256
42efd817539480fb44da60d797908869af796df6bfb700980709ccf483e92b96

SHA512
2a6a0f1da35c27a1df09983a96b79720579cc17eb3609845ff05788503a064c578156d8db87d10a7b554a9acbd220e5bc2aa0ae11a68df3a9998637c0f3acb13

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCA04.tmp.dat

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCA17.tmp.dat

Filesize
124KB

MD5
9618e15b04a4ddb39ed6c496575f6f95

SHA1
1c28f8750e5555776b3c80b187c5d15a443a7412

SHA256
a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab

SHA512
f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26

Download Submit
C:\Users\Admin\AppData\Roaming\sharp\Process.txt

Filesize
1KB

MD5
0ad6adef7224c4a0075c882f67df2ed1

SHA1
ed2edac299f9d2c591ea0a78b7dd1bc2a29dbc5a

SHA256
98525defcb03b9f6a644b0d2ef06999f2bcc8bd3ef22e50dd3fecdf1d6fde877

SHA512
716535787a54e4cf063632f5b03854c9bd2f359504fe7107cbfbdd4da8e7f1cc25d9a7e796a249a105b300f6d0f9115cf08786bdac6873929e3cd4f08d6337c5

Download Submit
C:\Users\Admin\AppData\Roaming\sharp\Process.txt

Filesize
1KB

MD5
c9ce23321fc9caa95fb88d59ff8660ec

SHA1
6aaf2d530067f4556612bbaae13c43a88931a3c0

SHA256
58fb750f0c461e1f3dfa5e069e4f35f0ac16e927ef0ea4a85999761930a20c72

SHA512
acdc05317f1b8fa10b46081680e63e792527fda1beb843829565cae181cc02f10322506f946f1b75b0fb0940f22a23104a9210e011393aab821509360c370363

Download Submit
memory/452-61-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1320-45-0x0000000000400000-0x00000000014CE000-memory.dmp

Filesize
16.8MB

Download
memory/1320-20-0x0000000003270000-0x0000000003271000-memory.dmp

Filesize
4KB

Download
memory/1320-19-0x0000000003260000-0x0000000003261000-memory.dmp

Filesize
4KB

Download
memory/1320-16-0x0000000001B20000-0x0000000001B21000-memory.dmp

Filesize
4KB

Download
memory/1320-18-0x0000000003250000-0x0000000003251000-memory.dmp

Filesize
4KB

Download
memory/1320-17-0x0000000000400000-0x00000000014CE000-memory.dmp

Filesize
16.8MB

Download
memory/1320-15-0x0000000001B10000-0x0000000001B11000-memory.dmp

Filesize
4KB

Download
memory/1320-14-0x0000000001B00000-0x0000000001B01000-memory.dmp

Filesize
4KB

Download
memory/1320-12-0x0000000001510000-0x0000000001511000-memory.dmp

Filesize
4KB

Download
memory/1320-13-0x0000000001520000-0x0000000001521000-memory.dmp

Filesize
4KB

Download
memory/1320-11-0x0000000000400000-0x00000000014CE000-memory.dmp

Filesize
16.8MB

Download
memory/4412-107-0x000002CDF4BE0000-0x000002CDF4C92000-memory.dmp

Filesize
712KB

Download
memory/4412-165-0x000002CDF5110000-0x000002CDF543E000-memory.dmp

Filesize
3.2MB

Download
memory/4412-176-0x000002CDF4BA0000-0x000002CDF4BDA000-memory.dmp

Filesize
232KB

Download
memory/4412-163-0x000002CDF4D20000-0x000002CDF4D86000-memory.dmp

Filesize
408KB

Download
memory/4412-186-0x000002CDF4DE0000-0x000002CDF4E06000-memory.dmp

Filesize
152KB

Download
memory/4412-161-0x000002CDF4B20000-0x000002CDF4B42000-memory.dmp

Filesize
136KB

Download
memory/4412-196-0x000002CDF6E40000-0x000002CDF7002000-memory.dmp

Filesize
1.8MB

Download
memory/4412-120-0x000002CDF4CA0000-0x000002CDF4D16000-memory.dmp

Filesize
472KB

Download
memory/4412-160-0x000002CDF4D90000-0x000002CDF4DE0000-memory.dmp

Filesize
320KB

Download
memory/4412-59-0x000002CDF3CE0000-0x000002CDF3CF0000-memory.dmp

Filesize
64KB

Download
memory/4412-58-0x00007FF90F6E0000-0x00007FF9101A1000-memory.dmp

Filesize
10.8MB

Download
memory/4412-40-0x000002CDF16D0000-0x000002CDF1736000-memory.dmp

Filesize
408KB

Download
memory/4412-318-0x000002CDF4E30000-0x000002CDF4E4E000-memory.dmp

Filesize
120KB

Download
memory/4412-320-0x00007FF90F6E0000-0x00007FF9101A1000-memory.dmp

Filesize
10.8MB

Download