ae553c3a4f4fec78c4d30db4ee0c775d90bb0b0059780a884afa2df2d255caee

Resubmissions

10-05-2024 17:50

240510-wep27ahf7t 4

07-05-2024 17:47

240507-wcvvnabb95 8

Analysis

max time kernel
590s
max time network
453s
platform
windows10-2004_x64
resource
win10v2004-20240426-es
resource tags

arch:x64arch:x86image:win10v2004-20240426-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
10-05-2024 17:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XPPenWin_3.4.12.231011.exe
Size

28.8MB
MD5

25128030c18bc1be2472b9d972d310d2
SHA1

dcdd5fcfc27a95afeed9f6f00cf224bb4cde9c79
SHA256

ae553c3a4f4fec78c4d30db4ee0c775d90bb0b0059780a884afa2df2d255caee
SHA512

543282b848148a40a99beaed131d1b881c2f5df42970930ee45d38846eb4b1d04ca70fe1ded53ee3dbd5f426d84607429ef7d65eea1f597a1b411704a28790a3
SSDEEP

786432:lzYs7Y0vrsR/WYMZE9FVgc5DvznZA1JD4:VY+Y51WJZqgc5DNA1e

Score

4^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
4184	XPPenWin_3.4.12.231011.tmp
2604	Listdlls.exe
3556	Listdlls64.exe

Loads dropped DLL 4 IoCs

pid	Process
4184	XPPenWin_3.4.12.231011.tmp
4184	XPPenWin_3.4.12.231011.tmp
4184	XPPenWin_3.4.12.231011.tmp
4184	XPPenWin_3.4.12.231011.tmp

Kills process with taskkill 2 IoCs

evasion

pid	Process
2920	taskkill.exe
4936	taskkill.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3556	Listdlls64.exe
3556	Listdlls64.exe
3556	Listdlls64.exe
3556	Listdlls64.exe
3556	Listdlls64.exe
3556	Listdlls64.exe
3556	Listdlls64.exe
3556	Listdlls64.exe
3556	Listdlls64.exe
3556	Listdlls64.exe
3556	Listdlls64.exe
3556	Listdlls64.exe
3556	Listdlls64.exe
3556	Listdlls64.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4936	taskkill.exe
Token: SeDebugPrivilege	2920	taskkill.exe
Token: SeDebugPrivilege	3556	Listdlls64.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1080 wrote to memory of 4184	1080	XPPenWin_3.4.12.231011.exe	84
PID 1080 wrote to memory of 4184	1080	XPPenWin_3.4.12.231011.exe	84
PID 1080 wrote to memory of 4184	1080	XPPenWin_3.4.12.231011.exe	84
PID 4184 wrote to memory of 4536	4184	XPPenWin_3.4.12.231011.tmp	87
PID 4184 wrote to memory of 4536	4184	XPPenWin_3.4.12.231011.tmp	87
PID 4184 wrote to memory of 1948	4184	XPPenWin_3.4.12.231011.tmp	88
PID 4184 wrote to memory of 1948	4184	XPPenWin_3.4.12.231011.tmp	88
PID 4536 wrote to memory of 4936	4536	cmd.exe	91
PID 4536 wrote to memory of 4936	4536	cmd.exe	91
PID 4536 wrote to memory of 2920	4536	cmd.exe	94
PID 4536 wrote to memory of 2920	4536	cmd.exe	94
PID 4536 wrote to memory of 4320	4536	cmd.exe	95
PID 4536 wrote to memory of 4320	4536	cmd.exe	95
PID 4320 wrote to memory of 2604	4320	cmd.exe	96
PID 4320 wrote to memory of 2604	4320	cmd.exe	96
PID 4320 wrote to memory of 2604	4320	cmd.exe	96
PID 2604 wrote to memory of 3556	2604	Listdlls.exe	97
PID 2604 wrote to memory of 3556	2604	Listdlls.exe	97
PID 4536 wrote to memory of 1588	4536	cmd.exe	98
PID 4536 wrote to memory of 1588	4536	cmd.exe	98
PID 4536 wrote to memory of 4716	4536	cmd.exe	99
PID 4536 wrote to memory of 4716	4536	cmd.exe	99
PID 4536 wrote to memory of 4860	4536	cmd.exe	100
PID 4536 wrote to memory of 4860	4536	cmd.exe	100
PID 4536 wrote to memory of 3396	4536	cmd.exe	101
PID 4536 wrote to memory of 3396	4536	cmd.exe	101
PID 4536 wrote to memory of 3504	4536	cmd.exe	102
PID 4536 wrote to memory of 3504	4536	cmd.exe	102
PID 4536 wrote to memory of 3632	4536	cmd.exe	103
PID 4536 wrote to memory of 3632	4536	cmd.exe	103
PID 4536 wrote to memory of 2748	4536	cmd.exe	104
PID 4536 wrote to memory of 2748	4536	cmd.exe	104
PID 4536 wrote to memory of 4692	4536	cmd.exe	105
PID 4536 wrote to memory of 4692	4536	cmd.exe	105
PID 4536 wrote to memory of 1564	4536	cmd.exe	106
PID 4536 wrote to memory of 1564	4536	cmd.exe	106
PID 4536 wrote to memory of 2584	4536	cmd.exe	107
PID 4536 wrote to memory of 2584	4536	cmd.exe	107
PID 4536 wrote to memory of 2548	4536	cmd.exe	108
PID 4536 wrote to memory of 2548	4536	cmd.exe	108
PID 4536 wrote to memory of 4208	4536	cmd.exe	109
PID 4536 wrote to memory of 4208	4536	cmd.exe	109
PID 4536 wrote to memory of 3512	4536	cmd.exe	110
PID 4536 wrote to memory of 3512	4536	cmd.exe	110
PID 4536 wrote to memory of 4420	4536	cmd.exe	111
PID 4536 wrote to memory of 4420	4536	cmd.exe	111
PID 4536 wrote to memory of 2984	4536	cmd.exe	112
PID 4536 wrote to memory of 2984	4536	cmd.exe	112
PID 4536 wrote to memory of 4864	4536	cmd.exe	113
PID 4536 wrote to memory of 4864	4536	cmd.exe	113
PID 4536 wrote to memory of 3528	4536	cmd.exe	114
PID 4536 wrote to memory of 3528	4536	cmd.exe	114
PID 4536 wrote to memory of 3664	4536	cmd.exe	115
PID 4536 wrote to memory of 3664	4536	cmd.exe	115
PID 4536 wrote to memory of 2624	4536	cmd.exe	116
PID 4536 wrote to memory of 2624	4536	cmd.exe	116
PID 4536 wrote to memory of 640	4536	cmd.exe	117
PID 4536 wrote to memory of 640	4536	cmd.exe	117
PID 4536 wrote to memory of 4912	4536	cmd.exe	118
PID 4536 wrote to memory of 4912	4536	cmd.exe	118
PID 4536 wrote to memory of 4920	4536	cmd.exe	119
PID 4536 wrote to memory of 4920	4536	cmd.exe	119
PID 4536 wrote to memory of 880	4536	cmd.exe	120
PID 4536 wrote to memory of 880	4536	cmd.exe	120

C:\Users\Admin\AppData\Local\Temp\XPPenWin_3.4.12.231011.exe
"C:\Users\Admin\AppData\Local\Temp\XPPenWin_3.4.12.231011.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1080
- C:\Users\Admin\AppData\Local\Temp\is-DJQG9.tmp\XPPenWin_3.4.12.231011.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-DJQG9.tmp\XPPenWin_3.4.12.231011.tmp" /SL5="$401D6,29571559,243200,C:\Users\Admin\AppData\Local\Temp\XPPenWin_3.4.12.231011.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4184
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-54HHL.tmp\EndWintab.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4536
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /t /im PenTablet.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4936
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /t /im PentabletService.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2920
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c listdlls.exe -d wintab32.dll /accepteula
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4320
    - - C:\Users\Admin\AppData\Local\Temp\is-54HHL.tmp\Listdlls.exe
        
        listdlls.exe -d wintab32.dll /accepteula
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2604
      - C:\Users\Admin\AppData\Local\Temp\is-54HHL.tmp\Listdlls64.exe
        
        listdlls.exe -d wintab32.dll /accepteula
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3556
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Listdlls v3.2 - Listdlls "
      4⤵
      PID:1588
  - - C:\Windows\system32\find.exe
      find "pid:"
      4⤵
      PID:4716
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Copyright (C) 1997-2016 Mark Russinovich "
      4⤵
      PID:4860
  - - C:\Windows\system32\find.exe
      find "pid:"
      4⤵
      PID:3396
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Sysinternals "
      4⤵
      PID:3504
  - - C:\Windows\system32\find.exe
      find "pid:"
      4⤵
      PID:3632
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Error opening System(4): "
      4⤵
      PID:2748
  - - C:\Windows\system32\find.exe
      find "pid:"
      4⤵
      PID:4692
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Acceso denegado. "
      4⤵
      PID:1564
  - - C:\Windows\system32\find.exe
      find "pid:"
      4⤵
      PID:2584
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Error opening Registry(92): "
      4⤵
      PID:2548
  - - C:\Windows\system32\find.exe
      find "pid:"
      4⤵
      PID:4208
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Acceso denegado. "
      4⤵
      PID:3512
  - - C:\Windows\system32\find.exe
      find "pid:"
      4⤵
      PID:4420
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Error opening smss.exe(356): "
      4⤵
      PID:2984
  - - C:\Windows\system32\find.exe
      find "pid:"
      4⤵
      PID:4864
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Acceso denegado. "
      4⤵
      PID:3528
  - - C:\Windows\system32\find.exe
      find "pid:"
      4⤵
      PID:3664
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Error opening csrss.exe(444): "
      4⤵
      PID:2624
  - - C:\Windows\system32\find.exe
      find "pid:"
      4⤵
      PID:640
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Acceso denegado. "
      4⤵
      PID:4912
  - - C:\Windows\system32\find.exe
      find "pid:"
      4⤵
      PID:4920
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Error opening wininit.exe(528): "
      4⤵
      PID:880
  - - C:\Windows\system32\find.exe
      find "pid:"
      4⤵
      PID:980
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Acceso denegado. "
      4⤵
      PID:2916
  - - C:\Windows\system32\find.exe
      find "pid:"
      4⤵
      PID:4300
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Error opening csrss.exe(536): "
      4⤵
      PID:2824
  - - C:\Windows\system32\find.exe
      find "pid:"
      4⤵
      PID:1872
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Acceso denegado. "
      4⤵
      PID:2580
  - - C:\Windows\system32\find.exe
      find "pid:"
      4⤵
      PID:2352
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Error opening services.exe(668): "
      4⤵
      PID:1492
  - - C:\Windows\system32\find.exe
      find "pid:"
      4⤵
      PID:4296
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Acceso denegado. "
      4⤵
      PID:1932
  - - C:\Windows\system32\find.exe
      find "pid:"
      4⤵
      PID:220
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Error opening svchost.exe(2924): "
      4⤵
      PID:4272
  - - C:\Windows\system32\find.exe
      find "pid:"
      4⤵
      PID:1728
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Acceso denegado. "
      4⤵
      PID:872
  - - C:\Windows\system32\find.exe
      find "pid:"
      4⤵
      PID:2156
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Error opening sppsvc.exe(4752): "
      4⤵
      PID:3308
  - - C:\Windows\system32\find.exe
      find "pid:"
      4⤵
      PID:3984
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Acceso denegado. "
      4⤵
      PID:3968
  - - C:\Windows\system32\find.exe
      find "pid:"
      4⤵
      PID:1088
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Error opening upfc.exe(2992): "
      4⤵
      PID:2188
  - - C:\Windows\system32\find.exe
      find "pid:"
      4⤵
      PID:5088
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Acceso denegado. "
      4⤵
      PID:4448
  - - C:\Windows\system32\find.exe
      find "pid:"
      4⤵
      PID:4492
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Error opening svchost.exe(1812): "
      4⤵
      PID:3328
  - - C:\Windows\system32\find.exe
      find "pid:"
      4⤵
      PID:1100
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Acceso denegado. "
      4⤵
      PID:3956
  - - C:\Windows\system32\find.exe
      find "pid:"
      4⤵
      PID:1956
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-54HHL.tmp\PSCC.bat""
    3⤵
    PID:1948

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-54HHL.tmp\CheckBox.png

Filesize
1KB

MD5
7ea47ed54747036e41a62026de56a1f8

SHA1
53ae143706dbdd7f93052cead30d88b6fcd67055

SHA256
45158a0042b2fcd325633a896256be8e94c35b852e8c671197709ab13fbd05e4

SHA512
3ac7bf0a96ff09a5085d763daab88e3ed274202e4baa1c15e27c925d7d5a0d0e02ed0f858eff1bc1ce0450fa79fefa96e1b8912d3d6920c2d32343fe247b666b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-54HHL.tmp\EndWintab.bat

Filesize
482B

MD5
aa9693d32653eaa7181228624b2dfd57

SHA1
9c9833ca082b288040ff6880471603fa90a4b64d

SHA256
d9fa3ad5a5385b7b5bdd1c314e06983ba324421bc72e595f820daa32882543ca

SHA512
63ad5c283db43fe06aac71d12fcf688002aa9fc3e6457525f9c3ac42e542d8a4d43af0035768386d722994023d5920b1796a7d448c532b75a8c52ce650b5972d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-54HHL.tmp\Listdlls.exe

Filesize
414KB

MD5
60a2331a2b28968585c7c7229d2424a8

SHA1
fbac538166d61b4f10db934bd4bc1b86c81e56fb

SHA256
b0f6800b2bb4c86e091120e9087c75f9b1b3e46b89cf65744d65cf5ab01fd385

SHA512
159542a30195f58a6957d70282bd2dff79708bd2228ebebf7db48e25d80e68ea17714b518a029d2e21acf564d37982b43850249c944e99ce1b38864ffa00b009

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-54HHL.tmp\Listdlls64.exe

Filesize
215KB

MD5
8336396d50dcc9d5a5f66b078a8460dc

SHA1
42bf0bb282512e4c638b8f03617dd973ee09afd9

SHA256
29d23bc492e48a5ae68444302d3430e07d08e04278d53aa70d9367d9cf8bceb7

SHA512
08f34405f8d5ebf695391f9cb1deb6eb22b318b698ce9540d37eae45d36476a96d379e9f338c64d5f2f3e9674751bdb7f3661845530605b8fb1eb14ee91702e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-54HHL.tmp\PSCC.bat

Filesize
5KB

MD5
9f58c6d0c2df352780fc4960e5a4be68

SHA1
01849dbb5c2481634da0591bd3b5afced38fd741

SHA256
25c48326d60c85f597ffff9b3a372dc2f1abf6d2b0e2c6f1e56a661d56783fe5

SHA512
439eced46752714fe85ca5b9b933204a2fe3bfb4582c1d2945f36524b967efae7949e7ac124285fff65173d379b4d16df148422093c6da23f6fb3b90fd24fa3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-54HHL.tmp\bg-0.png

Filesize
20KB

MD5
20e203c37ee4bcf269482351ba932161

SHA1
e5d38f4b243802ed3666874508836ce1cdef7b48

SHA256
603153d8a66c6856a754bb193e6913b2b17b204ad95bef7b377254d58e0badbd

SHA512
84e13d72fc08cf7f310f36b3496445efe84c93e4e3ef41cf7bab63d3dd26edb0f8a7da6a475b304a4e68a8fd7d852fe85b55d023fef34f6cc20bd8b63392ad3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-54HHL.tmp\botva2.dll

Filesize
35KB

MD5
0177746573eed407f8dca8a9e441aa49

SHA1
6b462adf78059d26cbc56b3311e3b97fcb8d05f7

SHA256
a4b61626a1626fdabec794e4f323484aa0644baa1c905a5dcf785dc34564f008

SHA512
d4ac96da2d72e121d1d63d64e78bcea155d62af828324b81889a3cd3928ceeb12f7a22e87e264e34498d100b57cdd3735d2ab2316e1a3bf7fa099ddb75c5071a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-54HHL.tmp\cancel.png

Filesize
1KB

MD5
534089c776bc92e993af7e368aae385c

SHA1
e4f22f7f2d42426fccc374095f527df253e8f223

SHA256
10e841f828b1f7f431b2ddb365a7f3bbf2eeeab31ea1055cded0a4313b7599f8

SHA512
5d87bde5bd52b5d0f3323f67568820edd2ffdef607bf8996ee7656e03bd8be8ade6243e13cfd0a9e6c729089166bb6966dba132552160e374844e26d948329d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-54HHL.tmp\close.png

Filesize
3KB

MD5
174b07ef2ae13cd5a5ab5c98614b103d

SHA1
5f306f5f76dc716d0ddb0cbdfe16d3095b414f3e

SHA256
b28e0f0c69ebfce0aa58855f4025bfbfb5d5b9db28d3827540aee6b15fe35ec5

SHA512
d77dc378c0842935a84cd7bbb87f6e7f1d6ef72611406391039026efbdff560690a6f1462c1119c0622e0c7024131229ffbea7385bccb3bf5c18f9d709d4a2c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-54HHL.tmp\close1.png

Filesize
2KB

MD5
d1e3352e50f72bad50fd132916ced4d1

SHA1
41003a5584567af79e026a1151de6b3bfbc6846a

SHA256
e41b99177ec33b2f792e0e62e7c16d697bfb2c48e11355145bfc861f17c7285c

SHA512
7d1a90c24e24443f6b68ba5e1cdd1eedc788d421d98dcded50857add8c12ef4d512b2a3e28c41f870807c0133d5eeb9f75a5ff04b4d6c98282ef1b0d07960a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-54HHL.tmp\innocallback.dll

Filesize
63KB

MD5
1c55ae5ef9980e3b1028447da6105c75

SHA1
f85218e10e6aa23b2f5a3ed512895b437e41b45c

SHA256
6afa2d104be6efe3d9a2ab96dbb75db31565dad64dd0b791e402ecc25529809f

SHA512
1ec4d52f49747b29cfd83e1a75fc6ae4101add68ada0b9add5770c10be6dffb004bb47d0854d50871ed8d77acf67d4e0445e97f0548a95c182e83b94ddf2eb6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-54HHL.tmp\min.png

Filesize
1KB

MD5
078b75c0a8fa8985e3f53ae93f47e1ad

SHA1
43c1764265a799159086d8b65bacc89bc8c09db0

SHA256
c3c8d47b23ed1f1c83f127fdddb0d5eceed49b0093519a8d380a584f2d56766b

SHA512
0335de5fd69067976816f0aa1e56c66659cd9e0af7bcbd1bc68fb24ca556bb0a68cb8480b1e98675dade0cdd6099ed3bfb70325a98e672420a976c58e618e436

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-54HHL.tmp\min1.png

Filesize
2KB

MD5
8f2e387abeb395e9c522fc6335cc5260

SHA1
fd8ca1e505fb7f19ba82ef37991d8736b2250e12

SHA256
a4acc8052a83451c134f3aac53c2e127e688cb0a79e40103ce5d30df6c3b5b32

SHA512
d8e6e8dfc761d6b40fbab1c38519167da14cacf2ba6f98460c1fa528768648b3094532a12302b2522b4f1512c659278241074647dd2e1292d9a2d52185d09a99

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-54HHL.tmp\sure.png

Filesize
1KB

MD5
913fa36eeb162a71a7e67b67ee961cb6

SHA1
1cb8236a13f50dff258952e9247abbd25d338a27

SHA256
de87b27d9791ddcb9e17c0fee10b5e0183c056e9d9f5688f26d067869a91dfe3

SHA512
1656fd8b653baa1e85063f12f01b31d4ce37bb6dcb44b677957f8e747eb266a3687fa229ad0c244a30032474da5451dc8494f2739df5825f75a820c71638e265

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-54HHL.tmp\y3.png

Filesize
1KB

MD5
783830fae37797be4cc7da458f4743ef

SHA1
299d5e6c6dd37d1896093a08ce8848000e45262c

SHA256
faea15d0bd60f1f03aaed420b0ddeee81d63aa5106d1f21f735a949673137772

SHA512
d0e3dcaa63ab7ea8e7696f36ec21aa339a95197db7f777b4310e3c21f0703b64d22c0864139c68a3707043d252577b3aca9453bdf69967923d34d8da227ba245

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-DJQG9.tmp\XPPenWin_3.4.12.231011.tmp

Filesize
1.6MB

MD5
68776ba968510663851ac80597e0e7a1

SHA1
8d7f075507dcf7009b4b5fbddf26961698a66bf0

SHA256
60b1768fe5b088637619a1856e85bb4ce82cd7b7d25c3446c7d0fd92842e9076

SHA512
7c391541ad9dc0e8f329ee90ff51f1e9d3216171ec71aa0304460f6f071b8fcbdf67062bff09987e453c5518226c1f150930d01b360ad7a60f5ed22aa0acb6ae

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Adobe Photoshop 2020\Adobe Photoshop 2020 Settings\PSUserConfig.txt

Filesize
40B

MD5
f964a6935fd7d756d0748478ce379a48

SHA1
f1fc5974d11b865a618877320bf550a02c6ba395

SHA256
d9554821d24574b452300af92bc6ef720fa76d8b0b632423c44d8741697e60c9

SHA512
2c05647c46623b7810db735ab807cc34490a3b3421c13620dabbb49cabbe0d817ac1d9e635b01e9e780d96dce8c9cfca745c08d07a21f7a667b7c9392f71635e

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Adobe Photoshop CC 2015.5\Adobe Photoshop CC 2015.5 Settings\PSUserConfig.txt

Filesize
35B

MD5
cfbae69a02791a83f9fb55416d66edab

SHA1
ec985f0c82d60fa0778a693a432264ea21cf6844

SHA256
d95d8a57a9b4b3f91e84aab71a9ba4a46d0cb38f7ad61611fb5058becd275497

SHA512
77c9c511e10c29c66f6dae71383023d6998c9849efcd54c25858dcc9bc8ac5368109b457ee6320dd4b10b812ce50aefc5ae59bbcfc6c585fbeaa54989e62c5aa

Download Submit
memory/1080-2-0x0000000000401000-0x0000000000417000-memory.dmp

Filesize
88KB

Download
memory/1080-0-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1080-165-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4184-7-0x0000000000400000-0x00000000005AC000-memory.dmp

Filesize
1.7MB

Download
memory/4184-17-0x0000000003510000-0x000000000351E000-memory.dmp

Filesize
56KB

Download
memory/4184-25-0x0000000003520000-0x0000000003535000-memory.dmp

Filesize
84KB

Download
memory/4184-168-0x0000000003520000-0x0000000003535000-memory.dmp

Filesize
84KB

Download
memory/4184-166-0x0000000000400000-0x00000000005AC000-memory.dmp

Filesize
1.7MB

Download
memory/4184-167-0x0000000003510000-0x000000000351E000-memory.dmp

Filesize
56KB

Download
memory/4184-176-0x0000000003520000-0x0000000003535000-memory.dmp

Filesize
84KB

Download
memory/4184-175-0x0000000003510000-0x000000000351E000-memory.dmp

Filesize
56KB

Download
memory/4184-224-0x0000000003520000-0x0000000003535000-memory.dmp

Filesize
84KB

Download