njrat | 76f7d049dcc9d1ce18c0a6e9ecdb1330a4cc3c01338a4048a8d0801a0d54cf52

Analysis

max time kernel
270s
max time network
269s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 14:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

lol.exe
Size

9.2MB
MD5

d34b17e6ea6ac4905395e642fccb4b41
SHA1

28077dd98405dc4d81ab23a5d4b8d3bd1641c1f7
SHA256

76f7d049dcc9d1ce18c0a6e9ecdb1330a4cc3c01338a4048a8d0801a0d54cf52
SHA512

db566fa061db5592329fe2719c4083c8c8d17f032f7f6a36c899c3c9aa02a4766edc4711547b0ad6bc8e6cb4d61d10a3961850fe9a8993bf5f4f2da617ee3909
SSDEEP

196608:tbVYKe7PTQhn5EQ9hNQAYzA5k6cTWDn7JKObS09BBI3:pzuQ5EWheYkv8LlB23

Score

10^/10

njrat umbral evasion persistence stealer trojan

Malware Config

Signatures

Detect Umbral payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\Desktop\lol_5d9624f2-ea8f-4ba5-8cf1-100f4d22cada\SolaraBootstraper.exe	family_umbral

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

Rover.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Program Files (x86)\\rover\\rover.exe"	Rover.exe

UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1548.002

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

Rover.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Rover.exe
Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

.NET Reactor proctector 35 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
behavioral1/memory/2780-36-0x0000000005EB0000-0x0000000006400000-memory.dmp	net_reactor
behavioral1/memory/2780-38-0x00000000069B0000-0x0000000006EFE000-memory.dmp	net_reactor
behavioral1/memory/2780-39-0x00000000069B0000-0x0000000006EF9000-memory.dmp	net_reactor
behavioral1/memory/2780-46-0x00000000069B0000-0x0000000006EF9000-memory.dmp	net_reactor
behavioral1/memory/2780-50-0x00000000069B0000-0x0000000006EF9000-memory.dmp	net_reactor
behavioral1/memory/2780-44-0x00000000069B0000-0x0000000006EF9000-memory.dmp	net_reactor
behavioral1/memory/2780-42-0x00000000069B0000-0x0000000006EF9000-memory.dmp	net_reactor
behavioral1/memory/2780-40-0x00000000069B0000-0x0000000006EF9000-memory.dmp	net_reactor
behavioral1/memory/2780-52-0x00000000069B0000-0x0000000006EF9000-memory.dmp	net_reactor
behavioral1/memory/2780-62-0x00000000069B0000-0x0000000006EF9000-memory.dmp	net_reactor
behavioral1/memory/2780-60-0x00000000069B0000-0x0000000006EF9000-memory.dmp	net_reactor
behavioral1/memory/2780-68-0x00000000069B0000-0x0000000006EF9000-memory.dmp	net_reactor
behavioral1/memory/2780-80-0x00000000069B0000-0x0000000006EF9000-memory.dmp	net_reactor
behavioral1/memory/2780-76-0x00000000069B0000-0x0000000006EF9000-memory.dmp	net_reactor
behavioral1/memory/2780-86-0x00000000069B0000-0x0000000006EF9000-memory.dmp	net_reactor
behavioral1/memory/2780-98-0x00000000069B0000-0x0000000006EF9000-memory.dmp	net_reactor
behavioral1/memory/2780-100-0x00000000069B0000-0x0000000006EF9000-memory.dmp	net_reactor
behavioral1/memory/2780-102-0x00000000069B0000-0x0000000006EF9000-memory.dmp	net_reactor
behavioral1/memory/2780-96-0x00000000069B0000-0x0000000006EF9000-memory.dmp	net_reactor
behavioral1/memory/2780-94-0x00000000069B0000-0x0000000006EF9000-memory.dmp	net_reactor
behavioral1/memory/2780-92-0x00000000069B0000-0x0000000006EF9000-memory.dmp	net_reactor
behavioral1/memory/2780-90-0x00000000069B0000-0x0000000006EF9000-memory.dmp	net_reactor
behavioral1/memory/2780-88-0x00000000069B0000-0x0000000006EF9000-memory.dmp	net_reactor
behavioral1/memory/2780-84-0x00000000069B0000-0x0000000006EF9000-memory.dmp	net_reactor
behavioral1/memory/2780-82-0x00000000069B0000-0x0000000006EF9000-memory.dmp	net_reactor
behavioral1/memory/2780-74-0x00000000069B0000-0x0000000006EF9000-memory.dmp	net_reactor
behavioral1/memory/2780-78-0x00000000069B0000-0x0000000006EF9000-memory.dmp	net_reactor
behavioral1/memory/2780-70-0x00000000069B0000-0x0000000006EF9000-memory.dmp	net_reactor
behavioral1/memory/2780-66-0x00000000069B0000-0x0000000006EF9000-memory.dmp	net_reactor
behavioral1/memory/2780-72-0x00000000069B0000-0x0000000006EF9000-memory.dmp	net_reactor
behavioral1/memory/2780-64-0x00000000069B0000-0x0000000006EF9000-memory.dmp	net_reactor
behavioral1/memory/2780-58-0x00000000069B0000-0x0000000006EF9000-memory.dmp	net_reactor
behavioral1/memory/2780-56-0x00000000069B0000-0x0000000006EF9000-memory.dmp	net_reactor
behavioral1/memory/2780-55-0x00000000069B0000-0x0000000006EF9000-memory.dmp	net_reactor
behavioral1/memory/2780-48-0x00000000069B0000-0x0000000006EF9000-memory.dmp	net_reactor

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

loader.execmd.exelol.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	lol.exe

Executes dropped EXE 3 IoCs

Processes:

loader.exeRover.exepacker.exe

pid process

1388 loader.exe
2780 Rover.exe
4032 packer.exe

pid	process
1388	loader.exe
2780	Rover.exe
4032	packer.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

Rover.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Rover.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Rover.exe

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\Desktop\lol_5d9624f2-ea8f-4ba5-8cf1-100f4d22cada\ac3.exe	autoit_exe
C:\Users\Admin\Desktop\lol_5d9624f2-ea8f-4ba5-8cf1-100f4d22cada\jaffa.exe	autoit_exe

Drops file in Program Files directory 64 IoCs

Processes:

Rover.exe

description	ioc	process
File created	C:\Program Files (x86)\rover\_3Idle\_3Idle.014.png	Rover.exe
File created	C:\Program Files (x86)\rover\_5Idle\_5Idle.009.png	Rover.exe
File created	C:\Program Files (x86)\rover\Reading\Reading.008.png	Rover.exe
File opened for modification	C:\Program Files (x86)\rover\Slap\Slap.001.png	Rover.exe
File created	C:\Program Files (x86)\rover\Eat\Eat.039.png	Rover.exe
File created	C:\Program Files (x86)\rover\Eat\Eat.068.png	Rover.exe
File created	C:\Program Files (x86)\rover\_1Idle\_1Idle.003.png	Rover.exe
File opened for modification	C:\Program Files (x86)\rover\_9Idle\_9Idle.016.png	Rover.exe
File created	C:\Program Files (x86)\rover\Tired\Tired.010.png	Rover.exe
File created	C:\Program Files (x86)\rover\Speak\Speak.001.png	Rover.exe
File created	C:\Program Files (x86)\rover\Start_Speak\Start_Speak.003.png	Rover.exe
File opened for modification	C:\Program Files (x86)\rover\Eat\Eat.054.png	Rover.exe
File created	C:\Program Files (x86)\rover\Exit\Exit.004.png	Rover.exe
File opened for modification	C:\Program Files (x86)\rover\_5Idle\_5Idle.003.png	Rover.exe
File opened for modification	C:\Program Files (x86)\rover\_5Idle\_5Idle.008.png	Rover.exe
File created	C:\Program Files (x86)\rover\_9Idle\_9Idle.026.png	Rover.exe
File created	C:\Program Files (x86)\rover\Speak\Speak.002.png	Rover.exe
File created	C:\Program Files (x86)\rover\RU_kill.txt	Rover.exe
File opened for modification	C:\Program Files (x86)\rover\Eat\Eat.044.png	Rover.exe
File created	C:\Program Files (x86)\rover\_9Idle\_9Idle.035.png	Rover.exe
File created	C:\Program Files (x86)\rover\_10Idle\_10Idle.019.png	Rover.exe
File created	C:\Program Files (x86)\rover\Reading\Reading.018.png	Rover.exe
File created	C:\Program Files (x86)\rover\RU_gdi.txt	Rover.exe
File opened for modification	C:\Program Files (x86)\rover\Eat\Eat.032.png	Rover.exe
File opened for modification	C:\Program Files (x86)\rover\_10Idle\_10Idle.007.png	Rover.exe
File opened for modification	C:\Program Files (x86)\rover\_10Idle\_10Idle.008.png	Rover.exe
File opened for modification	C:\Program Files (x86)\rover\Reading\Reading.006.png	Rover.exe
File created	C:\Program Files (x86)\rover\Speak\Speak.013.png	Rover.exe
File opened for modification	C:\Program Files (x86)\rover\Eat\Eat.075.png	Rover.exe
File opened for modification	C:\Program Files (x86)\rover\Eat\Eat.039.png	Rover.exe
File created	C:\Program Files (x86)\rover\_2Idle\_2Idle.015.png	Rover.exe
File opened for modification	C:\Program Files (x86)\rover\_2Idle\_2Idle.015.png	Rover.exe
File created	C:\Program Files (x86)\rover\_3Idle\_3Idle.012.png	Rover.exe
File created	C:\Program Files (x86)\rover\Eat\Eat.040.png	Rover.exe
File created	C:\Program Files (x86)\rover\GetAttention\GetAttention.004.png	Rover.exe
File opened for modification	C:\Program Files (x86)\rover\_9Idle\_9Idle.012.png	Rover.exe
File opened for modification	C:\Program Files (x86)\rover\Sleep\Sleep.004.png	Rover.exe
File created	C:\Program Files (x86)\rover\Eat\Eat.037.png	Rover.exe
File opened for modification	C:\Program Files (x86)\rover\_3Idle\_3Idle.011.png	Rover.exe
File opened for modification	C:\Program Files (x86)\rover\_9Idle\_9Idle.007.png	Rover.exe
File created	C:\Program Files (x86)\rover\Tired\Tired.013.png	Rover.exe
File opened for modification	C:\Program Files (x86)\rover\Come\Come.019.png	Rover.exe
File created	C:\Program Files (x86)\rover\Eat\Eat.020.png	Rover.exe
File created	C:\Program Files (x86)\rover\_5Idle\_5Idle.008.png	Rover.exe
File created	C:\Program Files (x86)\rover\_9Idle\_9Idle.020.png	Rover.exe
File created	C:\Program Files (x86)\rover\Tired\Tired.003.png	Rover.exe
File opened for modification	C:\Program Files (x86)\rover\Tired\Tired.013.png	Rover.exe
File opened for modification	C:\Program Files (x86)\rover\End_Speak\End_Speak.004.png	Rover.exe
File opened for modification	C:\Program Files (x86)\rover\_2Idle\_2Idle.010.png	Rover.exe
File created	C:\Program Files (x86)\rover\_3Idle\_3Idle.010.png	Rover.exe
File created	C:\Program Files (x86)\rover\_3Idle\_3Idle.018.png	Rover.exe
File created	C:\Program Files (x86)\rover\_9Idle\_9Idle.005.png	Rover.exe
File opened for modification	C:\Program Files (x86)\rover\_10Idle\_10Idle.010.png	Rover.exe
File opened for modification	C:\Program Files (x86)\rover\_10Idle\_10Idle.023.png	Rover.exe
File opened for modification	C:\Program Files (x86)\rover\_10Idle\_10Idle.032.png	Rover.exe
File created	C:\Program Files (x86)\rover\Eat\Eat.034.png	Rover.exe
File created	C:\Program Files (x86)\rover\_7Idle\_7Idle.006.png	Rover.exe
File opened for modification	C:\Program Files (x86)\rover\_8Idle\_8Idle.011.png	Rover.exe
File created	C:\Program Files (x86)\rover\Eat\Eat.004.png	Rover.exe
File opened for modification	C:\Program Files (x86)\rover\_7Idle\_7Idle.014.png	Rover.exe
File created	C:\Program Files (x86)\rover\_10Idle\_10Idle.014.png	Rover.exe
File opened for modification	C:\Program Files (x86)\rover\_10Idle\_10Idle.029.png	Rover.exe
File opened for modification	C:\Program Files (x86)\rover\RU_other.txt	Rover.exe
File opened for modification	C:\Program Files (x86)\rover\Lick\Lick.015.png	Rover.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

5960 4032 WerFault.exe packer.exe

pid	pid_target	process	target process
5960	4032	WerFault.exe	packer.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1456 taskkill.exe
Modifies registry class 1 IoCs

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings cmd.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

msedge.exemsedge.exe

pid process

2988 msedge.exe
2988 msedge.exe
4060 msedge.exe
4060 msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

msedge.exe

pid process

4060 msedge.exe
4060 msedge.exe
4060 msedge.exe

pid	process
1456	taskkill.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings	cmd.exe

pid	process
2988	msedge.exe
2988	msedge.exe
4060	msedge.exe
4060	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

taskkill.exeRover.exeAUDIODG.EXE

description	pid	process
Token: SeDebugPrivilege	1456	taskkill.exe
Token: SeDebugPrivilege	2780	Rover.exe
Token: 33	5152	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5152	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 27 IoCs

Processes:

msedge.exeRover.exe

pid	process
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
2780	Rover.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

lol.exeloader.execmd.execmd.exemsedge.exe

description	pid	process	target process
PID 2700 wrote to memory of 1388	2700	lol.exe	loader.exe
PID 2700 wrote to memory of 1388	2700	lol.exe	loader.exe
PID 1388 wrote to memory of 5092	1388	loader.exe	cmd.exe
PID 1388 wrote to memory of 5092	1388	loader.exe	cmd.exe
PID 5092 wrote to memory of 4568	5092	cmd.exe	cmd.exe
PID 5092 wrote to memory of 4568	5092	cmd.exe	cmd.exe
PID 4568 wrote to memory of 1456	4568	cmd.exe	taskkill.exe
PID 4568 wrote to memory of 1456	4568	cmd.exe	taskkill.exe
PID 4568 wrote to memory of 2780	4568	cmd.exe	Rover.exe
PID 4568 wrote to memory of 2780	4568	cmd.exe	Rover.exe
PID 4568 wrote to memory of 2780	4568	cmd.exe	Rover.exe
PID 4568 wrote to memory of 4060	4568	cmd.exe	msedge.exe
PID 4568 wrote to memory of 4060	4568	cmd.exe	msedge.exe
PID 4060 wrote to memory of 5000	4060	msedge.exe	msedge.exe
PID 4060 wrote to memory of 5000	4060	msedge.exe	msedge.exe
PID 4568 wrote to memory of 4540	4568	cmd.exe	WScript.exe
PID 4568 wrote to memory of 4540	4568	cmd.exe	WScript.exe
PID 2700 wrote to memory of 4032	2700	lol.exe	packer.exe
PID 2700 wrote to memory of 4032	2700	lol.exe	packer.exe
PID 2700 wrote to memory of 4032	2700	lol.exe	packer.exe
PID 4060 wrote to memory of 4344	4060	msedge.exe	msedge.exe
PID 4060 wrote to memory of 4344	4060	msedge.exe	msedge.exe
PID 4060 wrote to memory of 4344	4060	msedge.exe	msedge.exe
PID 4060 wrote to memory of 4344	4060	msedge.exe	msedge.exe
PID 4060 wrote to memory of 4344	4060	msedge.exe	msedge.exe
PID 4060 wrote to memory of 4344	4060	msedge.exe	msedge.exe
PID 4060 wrote to memory of 4344	4060	msedge.exe	msedge.exe
PID 4060 wrote to memory of 4344	4060	msedge.exe	msedge.exe
PID 4060 wrote to memory of 4344	4060	msedge.exe	msedge.exe
PID 4060 wrote to memory of 4344	4060	msedge.exe	msedge.exe
PID 4060 wrote to memory of 4344	4060	msedge.exe	msedge.exe
PID 4060 wrote to memory of 4344	4060	msedge.exe	msedge.exe
PID 4060 wrote to memory of 4344	4060	msedge.exe	msedge.exe
PID 4060 wrote to memory of 4344	4060	msedge.exe	msedge.exe
PID 4060 wrote to memory of 4344	4060	msedge.exe	msedge.exe
PID 4060 wrote to memory of 4344	4060	msedge.exe	msedge.exe
PID 4060 wrote to memory of 4344	4060	msedge.exe	msedge.exe
PID 4060 wrote to memory of 4344	4060	msedge.exe	msedge.exe
PID 4060 wrote to memory of 4344	4060	msedge.exe	msedge.exe
PID 4060 wrote to memory of 4344	4060	msedge.exe	msedge.exe
PID 4060 wrote to memory of 4344	4060	msedge.exe	msedge.exe
PID 4060 wrote to memory of 4344	4060	msedge.exe	msedge.exe
PID 4060 wrote to memory of 4344	4060	msedge.exe	msedge.exe
PID 4060 wrote to memory of 4344	4060	msedge.exe	msedge.exe
PID 4060 wrote to memory of 4344	4060	msedge.exe	msedge.exe
PID 4060 wrote to memory of 4344	4060	msedge.exe	msedge.exe
PID 4060 wrote to memory of 4344	4060	msedge.exe	msedge.exe
PID 4060 wrote to memory of 4344	4060	msedge.exe	msedge.exe
PID 4060 wrote to memory of 4344	4060	msedge.exe	msedge.exe
PID 4060 wrote to memory of 4344	4060	msedge.exe	msedge.exe
PID 4060 wrote to memory of 4344	4060	msedge.exe	msedge.exe
PID 4060 wrote to memory of 4344	4060	msedge.exe	msedge.exe
PID 4060 wrote to memory of 4344	4060	msedge.exe	msedge.exe
PID 4060 wrote to memory of 4344	4060	msedge.exe	msedge.exe
PID 4060 wrote to memory of 4344	4060	msedge.exe	msedge.exe
PID 4060 wrote to memory of 4344	4060	msedge.exe	msedge.exe
PID 4060 wrote to memory of 4344	4060	msedge.exe	msedge.exe
PID 4060 wrote to memory of 4344	4060	msedge.exe	msedge.exe
PID 4060 wrote to memory of 4344	4060	msedge.exe	msedge.exe
PID 4060 wrote to memory of 4344	4060	msedge.exe	msedge.exe
PID 4060 wrote to memory of 2988	4060	msedge.exe	msedge.exe
PID 4060 wrote to memory of 2988	4060	msedge.exe	msedge.exe
PID 4060 wrote to memory of 4136	4060	msedge.exe	msedge.exe
PID 4060 wrote to memory of 4136	4060	msedge.exe	msedge.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

Rover.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "1"	Rover.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Rover.exe

C:\Users\Admin\AppData\Local\Temp\lol.exe
"C:\Users\Admin\AppData\Local\Temp\lol.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2700

C:\Users\Admin\Desktop\lol_5d9624f2-ea8f-4ba5-8cf1-100f4d22cada\loader.exe
"C:\Users\Admin\Desktop\lol_5d9624f2-ea8f-4ba5-8cf1-100f4d22cada\loader.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\lol_5d9624f2-ea8f-4ba5-8cf1-100f4d22cada\temp.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:5092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K main.cmd
4⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4568

C:\Windows\system32\taskkill.exe
taskkill /f /im WindowsDefender.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1456

C:\Users\Admin\Desktop\lol_5d9624f2-ea8f-4ba5-8cf1-100f4d22cada\Rover.exe
Rover.exe
5⤵
- Modifies WinLogon for persistence
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- System policy modification
PID:2780

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\lol_5d9624f2-ea8f-4ba5-8cf1-100f4d22cada\web.htm
5⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4060

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc794846f8,0x7ffc79484708,0x7ffc79484718
6⤵
PID:5000

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,7586849205627030093,16458132150451674390,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
6⤵
PID:4344

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,7586849205627030093,16458132150451674390,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:2988

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,7586849205627030093,16458132150451674390,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2928 /prefetch:8
6⤵
PID:4136

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,7586849205627030093,16458132150451674390,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1
6⤵
PID:1516

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,7586849205627030093,16458132150451674390,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
6⤵
PID:408

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,7586849205627030093,16458132150451674390,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3808 /prefetch:1
6⤵
PID:3832

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\lol_5d9624f2-ea8f-4ba5-8cf1-100f4d22cada\helper.vbs"
5⤵
PID:4540

C:\Users\Admin\AppData\Local\Temp\e1b912c9-e2ff-4ac3-a389-09b5f81a2027\packer.exe
"C:\Users\Admin\AppData\Local\Temp\e1b912c9-e2ff-4ac3-a389-09b5f81a2027\packer.exe" "C:\Users\Admin\AppData\Local\Temp\e1b912c9-e2ff-4ac3-a389-09b5f81a2027\unpacker.exe" "C:\Users\Admin\AppData\Local\Temp\lol.exe" "loader.exe" "C:\Users\Admin\Desktop\lol_5d9624f2-ea8f-4ba5-8cf1-100f4d22cada" "" True True False 1 -repack
2⤵
- Executes dropped EXE
PID:4032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 1268
3⤵
- Program crash
PID:5960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4032 -ip 4032
1⤵
PID:5332

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5388

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:648

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x40c 0x384
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5152

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Modify Registry

T1112

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\rover\Aslip.wav
Filesize
75KB

MD5
20579dcb70a7456194c7509046719703

SHA1
bffe8b9ad1adc167df69be86751c426350ceaa06

SHA256
322170ec4d40c3b504d1be3d133c3c27b9a844a581dce4a1eb1bc0e27e3f8a08

SHA512
7eacb0a6286faee3aca4d894f09984676836ade1f6f3fefefb13e3edbe39a5f290bf17065e247dda7009f25a66c5fd4ff6cc3de05d22356e39a3cbf79d6d1390

Download Submit
C:\Program Files (x86)\rover\Come\Come.001.png
Filesize
2KB

MD5
8d0dfb878717f45062204acbf1a1f54c

SHA1
1175501fc0448ad267b31a10792b2469574e6c4a

SHA256
8cf6a20422a0f72bcb0556b3669207798d8f50ceec6b301b8f0f1278b8f481f9

SHA512
e4f661ba8948471ffc9e14c18c6779dba3bd9dcc527d646d503c7d4bdff448b506a7746154380870262902f878275a8925bf6aa12a0b8c6eb8517f3a72405558

Download Submit
C:\Program Files (x86)\rover\Come\Come.002.png
Filesize
2KB

MD5
da104c1bbf61b5a31d566011f85ab03e

SHA1
a05583d0f814685c4bb8bf16fd02449848efddc4

SHA256
6b47ad7fe648620ea15b9c07e62880af48a504b83e8031b2521c25e508aa0ef1

SHA512
a8e27abefb0f5bfffe15a19fd882b2e112687abe6ac4bbd5187036cb6058b0124d6ce76fc9227970c8fe2f5768aa0d1faa3319d33b1f42413e8bdfe2ce15296d

Download Submit
C:\Program Files (x86)\rover\Come\Come.004.png
Filesize
2KB

MD5
f57ff98d974bc6b6d0df56263af5ca0d

SHA1
2786eb87cbe958495a0113f16f8c699935c74ef9

SHA256
9508d82995364556a882c54306210e885868a8df2f2ad93485c14f88c9f9e1b7

SHA512
1d4ca268d1c98ac545008b079076609e18bfdf22cd31b7b75b9218d03c6edb37b245298ff717e48309ca862f973a4383b101e43732a162b4d7f78573612c64ea

Download Submit
C:\Program Files (x86)\rover\Come\Come.005.png
Filesize
2KB

MD5
7fb2e99c5a3f7a30ba91cb156ccc19b7

SHA1
4b70de8bb59dca60fc006d90ae6d8c839eff7e6e

SHA256
40436d5ab3589d33dae09b470ccacd369422d2569804cf1532e5946fc7e45535

SHA512
c0d83325928d629abba648360c8687091d18d52991297d69625ccd4617d4d5add4aa16c288cc408b26c79cd37decf5ee2198e8b87b67ef5b88802afae93fb51a

Download Submit
C:\Program Files (x86)\rover\Come\Come.006.png
Filesize
3KB

MD5
a49c8996d20dfb273d03d2d37babd574

SHA1
96a93fd5aa1d5438217f17bffbc26e668d28feaf

SHA256
f4c568336894b3140f0ca7005a5751ad5a860422290b2b6e23d72656160862b1

SHA512
9abb666891fa00ae77801fe9b3aab62bca37402197d22983e98d8442e6d890b1091a47dc1eca1ac68caa52a633bb60c8c3248de65056a6435f4affb98f401a30

Download Submit
C:\Program Files (x86)\rover\Come\Come.007.png
Filesize
3KB

MD5
e65884abe6126db5839d7677be462aba

SHA1
4f7057385928422dc8ec90c2fc3488201a0287a8

SHA256
8956643da83aa74bc89b4d71db7b470200863de230be647a6881d8f3f60df3ac

SHA512
7285b8acca0210a85dd4317a7beab161708544c4c25a742ce7284b545fa4953be89eb685e62f30fba56d6cb2fc806062ccdf4a0e62516eea047097c6856900c2

Download Submit
C:\Program Files (x86)\rover\Come\Come.008.png
Filesize
3KB

MD5
f355305ada3929ac1294e6c38048b133

SHA1
a488065c32b92d9899b3125fb504d8a00d054e0e

SHA256
37de9b0126ffa3967455083dd72ba70501b1e4c92ae25eb0667f840911585775

SHA512
6082003d98022597007623ff7cdece9d9a14ad19bf55ac35afb2277fe22378c865899a5b28b4b5828d0d48fb7859fea82886d98d8d3a3813413f1e864e3849b2

Download Submit
C:\Program Files (x86)\rover\Come\Come.009.png
Filesize
3KB

MD5
1d812d808b4fd7ca678ea93e2b059e17

SHA1
c02b194f69cead015d47c0bad243a4441ec6d2cd

SHA256
e4e2fe6652557dec0e703da7325808cab4722961398dc9bf9fdae36c1de8841d

SHA512
a8781c78d7d23f70f7450e749732d2909447cfa194d8e49a899c77f808e735878da8d838eecb4e8db7470d040800ae45f977d5f208bfad6c15d62d6456611e84

Download Submit
C:\Program Files (x86)\rover\Come\Come.010.png
Filesize
3KB

MD5
e0436699f1df69af9e24efb9092d60a9

SHA1
d2c6eed1355a8428c5447fa2ecdd6a3067d6743e

SHA256
eeae94fa4ddca88b0fefec2e449064ea1c6d4c8772762bb900dc7752b68706e4

SHA512
d6b4adf98c9deb784be1f775a138a7252b558b9d9443a8a3d1435043196738b1ea32439cd09c507d0e2a074a5ba2973e7ffce6c41b26e17460b7695428666cbf

Download Submit
C:\Program Files (x86)\rover\Come\Come.011.png
Filesize
3KB

MD5
f45528dfb8759e78c4e933367c2e4ea8

SHA1
836962ef96ed4597dbc6daa38042c2438305693a

SHA256
31d92998e8e9de48700039027a935b5de3242afd4938e6b10509dc87d84eb758

SHA512
16561ca527e2081519decbc0fb04b9955b398eb97db7a3d442500b6aefcb4e620bebd87d7c8ddad2cf940035710fc5a000b59d7ed5d0aa06f3af87e9eebcb523

Download Submit
C:\Program Files (x86)\rover\Come\Come.012.png
Filesize
3KB

MD5
195bb4fe6012b2d9e5f695269970fce5

SHA1
a62ef137a9bc770e22de60a8f68b6cc9f36e343b

SHA256
afa59cb80b91e29360a95746979be494bdee659d9b8bfad65782b474273d5e62

SHA512
8fbe3ca2950261d976b80efd6a8d36d4a47b445a3e4669e100ce8c5d2a1f692e7b40ab324494a6de7847861d99194e13344a84aa135e458924b95fadf3905fd4

Download Submit
C:\Program Files (x86)\rover\Come\Come.013.png
Filesize
3KB

MD5
3c0ef957c7c8d205fca5dae28b9c7b10

SHA1
4b5927bf1cf8887956152665143f4589d0875d58

SHA256
3e6a44a4e993d70a2f8409b4194fa15551d5f7a3651a5d1e74d3c6b640da08c7

SHA512
bf2a5dd182c7cce4f6d00a4a1738f3a777b61c612c2449716b0fa62c62570ca1c21ac0063c221923e5db3b4101a4e7e32e711c9bfa075a2949ea9fa2e51ca704

Download Submit
C:\Program Files (x86)\rover\Come\Come.014.png
Filesize
3KB

MD5
2445d5c72c6344c48065349fa4e1218c

SHA1
89df27d1b534eb47fae941773d8fce0e0ee1d036

SHA256
694d6774638b36148f7a1b14809a025a16895ad4ec8645a6db2fe9cd5f784dbb

SHA512
d8134a66845c71d633f56e5fd656d545f09dad82d18ec21a7415f825cb6c0634ed775008c6fdea83dfec95ce659144e6de806edac620f389fcc3064683c3a7b3

Download Submit
C:\Program Files (x86)\rover\Come\Come.015.png
Filesize
3KB

MD5
678d78316b7862a9102b9245b3f4a492

SHA1
b272d1d005e06192de047a652d16efa845c7668c

SHA256
26fab597e882c877562abea6b13557c60d3ed07fd359314cdc3a558f8224266b

SHA512
cb6154e67ea75612dddd426e448f78c87946b123ff7b81f3fc83444adac4692bb5f3a04038291d9df7e102a301e41541a10e709e8adfde376016d86de15087db

Download Submit
C:\Program Files (x86)\rover\Come\Come.016.png
Filesize
3KB

MD5
aa4c8764a4b2a5c051e0d7009c1e7de3

SHA1
5e67091400cba112ac13e3689e871e5ce7a134fe

SHA256
1da7b39ec5f3cad19dc66f46fee90c22a5a023a541eca76325074bee5c5a7260

SHA512
eea254f7327639999f68f4f67308f4251d900adb725f62c71c198d83b62aa3215f2ce23bd679fddde6ac0c40a5c7b6b04800bc069f2940e21e173b830d5762e2

Download Submit
C:\Program Files (x86)\rover\Come\Come.017.png
Filesize
4KB

MD5
7c216e06c4cb8d9e499b21b1a05c3e4a

SHA1
d42dde78eb9548de2171978c525194f4fa2c413c

SHA256
0083bb52df2830f2fc0e03ffa861728916e3f1a6db3560e66adbca9716318ee3

SHA512
6ffbcc1c6ad1a0c01a35fdbf14918dfc9e2026a3021e3b6d761d56f4006b4218ffc2278eb2f820ae54722cd0c35fde40ca715154f6e2ae6c24aef0724d0ed004

Download Submit
C:\Program Files (x86)\rover\Come\Come.018.png
Filesize
4KB

MD5
e17061f9a7cb1006a02537a04178464d

SHA1
810b350f495f82587134cdf16f2bd5caebc36cf5

SHA256
9049038f58e048cc509bcc51434119465c376700ec45bedfd1d8f45440bdc32a

SHA512
d5b899109a16195d3fdb8f23382b48bab70dfcd0c823a03a0cdc4e50501812fc644b938839c3346e8aabc2925ce3bdebffad07ef2f90d291663275ba3d225ab3

Download Submit
C:\Program Files (x86)\rover\Come\Come.019.png
Filesize
3KB

MD5
63dbf53411402e2a121c3822194a1347

SHA1
86a2e77e667267791054021c459c1607c9b8dbb6

SHA256
47b80b828244964005bd947b80958f3aa6372b843dc088e33fbbd35ab3f785c5

SHA512
4b4603d88bddcb86e4282dafd55d8f00b852464daab588a554db829af566d5aa6baa3d575c58b133276be22203c014de73c0c3e35bfbe53570c356ef47bb5a50

Download Submit
C:\Program Files (x86)\rover\Scrape.wav
Filesize
602B

MD5
749f9cb77d6a793059b1e5fc38ad03f1

SHA1
e034574b49dcf816a555cdb95b7b580347863f64

SHA256
28506bdfd9975f45e634460f62099ea1e8728c100db73770470669757ba60101

SHA512
bfe51f4a4f3f0b3bb64223e89fd0b12377c4bde15a7bbee5c5528d391fbe8911ee816f44731cb7a9b22aa9ec5853da622fcd3ee3e88281b15fd858f55ac5ac78

Download Submit
C:\Program Files (x86)\rover\Slip.wav
Filesize
75KB

MD5
d2e3d2ad30622af6ea1b27aaa18a08ff

SHA1
d53748a465a083d6f67ce334d35b2723e054637e

SHA256
31550c03a8f0b83960668d8a80859715cdd833a280fc80e704402b96dd0e16b2

SHA512
814dd34cefa5196753201cbeaeae9b7fc2dcd4fdedf97aff187fede888425cd82ceeb98df6b29c9b7b1011f3ab40d332dbbdb659c091c5c0387d0f4c199d99bc

Download Submit
C:\Program Files (x86)\rover\Speak\Speak.001.png
Filesize
3KB

MD5
0197012f782ed1195790f9bf0884ca0d

SHA1
fc0115826fbaf8cefa478e506b46b7b66a804f13

SHA256
c999fa6fd26a4a2af2155bd05522b44b54d6df90d1a9703a288bdf18b623c2cc

SHA512
614bce1f761871ba1113de49217725b7b6661c703b03864cef736f44e2d1e0c5fbe133966d24afb15900f0e4da16b24000a2a638b6d7839848874f386b3b81c1

Download Submit
C:\Program Files (x86)\rover\Speak\Speak.002.png
Filesize
3KB

MD5
b45ff2750a41e0d8ca6a597fbcd41b57

SHA1
cf162e0371a1a394803a1f3145d5e9b7cddd5088

SHA256
727a2aac0697bcfecdc56dc4507516f9f64c5faa426f0ce69f7e607b74c4e1f4

SHA512
82a9a3fc7dfae0ed6bf665c4f369f053af372551c1871d6b3dc775f447ba727e921ab831f8acd712cc31b66156eac643859404f05386e2592a15954fb78d87a3

Download Submit
C:\Program Files (x86)\rover\Speak\Speak.003.png
Filesize
3KB

MD5
95113a3147eeeb845523bdb4f6b211b8

SHA1
f817f20af3b5168a61982554bf683f3be0648da1

SHA256
800f0c501905bc4257415ee8bed738f897273600c721e80a15bcfbb2e2b3b847

SHA512
4e55d9ced90f255b20890595f8e07ccaeedcbe08aed6303336eae7f66df1e50429259b62c556d5d8b179f7f9be22216c1592ba772e2cebd257b3401109f45cc4

Download Submit
C:\Program Files (x86)\rover\Speak\Speak.004.png
Filesize
3KB

MD5
8ce29c28d4d6bda14b90afb17a29a7f9

SHA1
94a28ce125f63fcd5c7598f7cb9e183732ebdc16

SHA256
eb9abbeddd27ce6fa82f1f7437309209450f9f8412eb395923a45d946d9c50b1

SHA512
037babd109af1a2c05d7db87536bec41e3075d1120a37384d66f9460d8790be5732f8bbe6a2a13db3d017806fed88945f2a98697b586284b62760252276a8077

Download Submit
C:\Program Files (x86)\rover\Speak\Speak.005.png
Filesize
3KB

MD5
83ddcf0464fd3f42c5093c58beb8f941

SHA1
e8516b6468a42a450235bcc7d895f80f4f1ca189

SHA256
ebb3efda95b2d2588983742f96f51bdbcb9d87a6949f2c37ea11f509d236a536

SHA512
51a6925bc9558f9ba232b85623d78f975d1c18c1990ce62153aa57a742e0897c72fc0665213024f8d5af96e56cc47eb384ee8d231910fdef876a0889b52a59d8

Download Submit
C:\Program Files (x86)\rover\Speak\Speak.006.png
Filesize
3KB

MD5
6f530b0a64361ef7e2ce6c28cb44b869

SHA1
ca087fc6ed5440180c7240c74988c99e4603ce35

SHA256
457626948266abd4f0dcda6a09c448bb20cce3596b52076b8d90e1c626037dc9

SHA512
dc3d809eab3bfa7c65c35a36d55097e09fbefa2f6de962ae02c58540f6c88b3ca9be3361f3ec37b8ce7927e020463055c455f2e93baa3a3c12096b55abcab6d3

Download Submit
C:\Program Files (x86)\rover\Speak\Speak.007.png
Filesize
4KB

MD5
aac6fc45cfb83a6279e7184bcd4105d6

SHA1
b51ab2470a1eedad86cc3d93152360d72cb87549

SHA256
a59bb83276f003dd149c2143a5a70f012212c709e72af283209adfb85a0835b1

SHA512
7020ba8d918398bc2d5e6ea4aaea007d576d4c3577adab80259336505b06e8163d0afde5a7b4d802ba2dab9ec9c757e88eb37780246c35d38e5fed8648bbf3a1

Download Submit
C:\Program Files (x86)\rover\Speak\Speak.008.png
Filesize
4KB

MD5
fa73c710edc1f91ecacba2d8016c780c

SHA1
19fafe993ee8db2e90e81dbb92e00eb395f232b9

SHA256
cca9c6b8e0df9e09523ab59021ffff62b29273cae487335c87b569e8483aaae2

SHA512
f73b2ee270348247db1d7fea937cd69125afa6aef926dc5c1cef14b955630711fe106d56270172448d739014ae4fd7d221007aaa422b3625aa524b812baa10a2

Download Submit
C:\Program Files (x86)\rover\Speak\Speak.009.png
Filesize
4KB

MD5
3faefb490e3745520c08e7aa5cc0a693

SHA1
357ffa8b2d4797d8d6cf67c0c84818ebc746ce0a

SHA256
6ba5254c0b10b6939d5cd80f3ab87757143896d20fd8e014c3fcca35657e076b

SHA512
714d9d32ab070a992d84dc597a086afb7fe040300c33c25f9acdd27f5f8894145a5f9f8654b522c04a9cb1babeb25000fac25b01b1c820d4cfe8d67e40cd72a7

Download Submit
C:\Program Files (x86)\rover\Speak\Speak.010.png
Filesize
3KB

MD5
1bed8b0629ce72b595017371336ac688

SHA1
9180c6c3d0bdd3470fa38854de8af238bcc31d42

SHA256
a8cc3da0e5b87f10e6acd766bbd096dbe40ca60507867ec8ea66c56436fa6cd7

SHA512
4483b0ac1e83ef94f982aa7cf92767a24165060e1d492a87290a2301bcd2654e1c2e5d5cd637151408cac576d74d529b7d05e7e12b27e02afd17e24029a92ceb

Download Submit
C:\Program Files (x86)\rover\Speak\Speak.011.png
Filesize
3KB

MD5
c9eccb5ce7e65fd1eff7aba4a6fd43e8

SHA1
cd71011e1172a157627e1595cc7ce4888370a765

SHA256
a4045f846f5b3bb0856dbfdca78b5871433beefccb1416a2824e8dccce9f5975

SHA512
3b07f14cbc06f2a4a75067e09c04c760af324ebe2de5c51c88648b184337aad48d319c2753bc9987ebb2094719d92a0f87d7c0fd84c4d893dd8351e7dc6de3f8

Download Submit
C:\Program Files (x86)\rover\Tired\Tired.001.png
Filesize
4KB

MD5
136be0b759f73a00e2d324a3073f63b7

SHA1
b3f03f663c8757ba7152f95549495e4914dc75db

SHA256
c9b925e1f1409ddaa3aadf1ae7c2fb3310b69fb931190b7dc2f274f517fe38fc

SHA512
263911753deffbce295dda3f311225edeb375555b1db2771477167600573bea78719f6294960dc5c5d95885194412dd0f133bae75a30e16556377263165b3723

Download Submit
C:\Program Files (x86)\rover\Tired\Tired.002.png
Filesize
4KB

MD5
f8f8ea9dd52781d7fa6610484aff1950

SHA1
973f8c25b7b5e382820ce479668eac30ed2f5707

SHA256
209e9d1fb6a814edfa4f8128d4a2168b274ea0eeb965a57f3c8b9695417a1bf1

SHA512
4f4e379afff8850eec6e4f3d165eba60f6916569ee7561b8bbf5a6bfeda27dbbcc0687ce02bece412616204f89861d23a92055a226cea14a29c53c653919c094

Download Submit
C:\Program Files (x86)\rover\Tired\Tired.003.png
Filesize
4KB

MD5
fb73acc1924324ca53e815a46765be0b

SHA1
62c0a21b74e7b72a064e4faf1f8799ed37466a19

SHA256
5488954fe5b4d87dee40dd68cc1d940d2395a52dc52d1c77f40cd2342b97efd8

SHA512
ea3ba299ca07850af45a29e2f88aece9163c13f4921a1fc05d930c008bc017b698c9fb987120147465a53fe0c0848926f543081716d5f877efa5a34b10822895

Download Submit
C:\Program Files (x86)\rover\Tired\Tired.004.png
Filesize
4KB

MD5
6da7cf42c4bc126f50027c312ef9109a

SHA1
8b31ab8b7b01074257ec50eb4bc0b89259e63a31

SHA256
2ebdf7d755b442de775819b0bcfe7bdd06fda92f6ad36dcfdeaab107f58f23df

SHA512
5c9783a8c14c6654db2a9a7818d4376fc3b2aeab9820539d20353018d90f734652ebba8052184b62f0e17f8f094da28c2bdfc73a0c707036fb5f923ed25625d9

Download Submit
C:\Program Files (x86)\rover\Tired\Tired.005.png
Filesize
4KB

MD5
d9d3c74ac593d5598c3b3bceb2f25b1d

SHA1
df14dee30599d5d6d67a34d397b993494e66700e

SHA256
2cba290a8c42f664a0e1a8e571e27bc846024fa7da9f7adc773a471ef74046bc

SHA512
de70858da11efb89e7db55762827f8c1d4b55aff14faea8ffd8a5f15d32d6956f6ca4a3fdd9ffd75906a818af81ba9c7ef056df7c8cec4076308df94ff3207ac

Download Submit
C:\Program Files (x86)\rover\Tired\Tired.006.png
Filesize
4KB

MD5
3071c94f1209b190ec26913a36f30659

SHA1
d76fbfbc4ddd17383b6a716f24d137a8dc7ff610

SHA256
89868008f5e5c55e5dd5982c15f105d11b9d3603ab45395dde0ec1c5ce61e683

SHA512
bd21f269dd92ab826caa6085bf79f17b6c9b6c4b660d03913295611bae590f277a9a0a0e39fa281737fcd9cfbbb6a5c8f02287d316954badca394e730bad72f4

Download Submit
C:\Program Files (x86)\rover\_1Idle\_1Idle.003.png
Filesize
3KB

MD5
533bc8e9ad951ba6d05c35a829e89156

SHA1
2709a1e51dcfa820a064ee3f0f34dea9cbc4fdee

SHA256
0827a66c31995a144229ca6b9bee27de94fd5bba937d25efde961dfa544d5c91

SHA512
d1d31f38686caacbe9453cc92c0bb88c4b085903b7b8eb455241839bec6b5ec4de0a0747cdfbcccb7468bb3bc6ca654e34a748762bb1a71e8e4b90285d397201

Download Submit
C:\Program Files (x86)\rover\_2Idle\_2Idle.001.png
Filesize
4KB

MD5
accb2d0ad9ec8a82ba2d00cc3d31cba5

SHA1
b7cee633b32fff638a2b542c3ba43fe9829fdf2a

SHA256
f643c2a2f4ce9391c9ead281fa79258f01073a125c320a16de0ef82ef7e364c6

SHA512
96a7fe09f33a59fa9d526fb1e8887f1616808f66f4933ee2de1f1aac1b0bb6d9216ac4c4e89f99c6a338dd6b706eea6dbcbd3237facf560793a6a1a3e6e93360

Download Submit
C:\Program Files (x86)\rover\_2Idle\_2Idle.002.png
Filesize
3KB

MD5
be54410e53ba2932df414679d87afb80

SHA1
85030f3700e36870f122edbbacdd32bb74a645d9

SHA256
1d29522c75e7bdc436bef3eb80fedd642549a501d27ac860ccfc661ac38776ca

SHA512
b781e36b8190d49e0e34b4f7cf09b8bee986c0b1a686698cfc11f6495ab50a8b17b2c5f9a6a41358c21a38edb040a6d6b01daa50a55f34e9e19d9a75267228c9

Download Submit
C:\Program Files (x86)\rover\_2Idle\_2Idle.003.png
Filesize
3KB

MD5
a0fad422cac2f06bfe7c6cfda19512c9

SHA1
6cf88a6ab9cc0184780fd78563c74a61a891e7f4

SHA256
1b4900fe61b6872a8bad759c70ae5dfdc2d83898cf0cbc2b8d01b089dbe15ad0

SHA512
effe619e26943a06a4c479691356a17014629da5f6511a28740cdd1fcff42980e2658a1af20b22e0cdbebd21f1ec1cf918047731083f525cd75beb8c1c4874a1

Download Submit
C:\Program Files (x86)\rover\_2Idle\_2Idle.004.png
Filesize
3KB

MD5
e72eb39040d48e031daf791398868800

SHA1
d6f62de79660daaf369e7ad19552cab019ba6ef6

SHA256
cd61557c2635fc0dadab0cabcbe90274e329a4dbcb4d886f5a935c956024f4eb

SHA512
e8188b25ca6746e6b7d092ea213958a47fca4d6049828676f21c20f33f76be11ec86442eb6acd8d9b81e753bbd1f0d054dee10d34044cb542b727cf101fe5dc8

Download Submit
C:\Program Files (x86)\rover\_2Idle\_2Idle.005.png
Filesize
3KB

MD5
7af44e05b63e87a6981bb0462c608960

SHA1
cfa83cda48b97a9ef8b88b30ad428c628632a661

SHA256
3de09340dbd974014789fe87003c781f708e33dd35d015f29c163f07699b8100

SHA512
e44c018ef0541eb68307a6c33b2c089b0ccc7095704d38410650449c36a118180fbe483d5c9123ddea32af8e641e47b2a21e8362b92484782c785e65e4bb86b7

Download Submit
C:\Program Files (x86)\rover\_2Idle\_2Idle.006.png
Filesize
3KB

MD5
458e1048a899fb7ab75820c56aa4f343

SHA1
f58f817d82bdf52425a7b3e75e0c5a7c021bc3b2

SHA256
121e503d3d77cd44a601f1da705ef0d9876221b034a7bcff17d359a16b353b9b

SHA512
739f51461d9626b7b1479f4672b915185ec217116593e2a488ba58e5816f32317ca3f2118b2f6896fb99eeab00c844605366d5bb66a9b75c7ab0fb9e462dd634

Download Submit
C:\Program Files (x86)\rover\_2Idle\_2Idle.007.png
Filesize
3KB

MD5
fa15b4a9ca62b903128c4c2207574370

SHA1
2746865a3ed132937f831bf5234f01dc08ea0467

SHA256
9aea0bc81aadd49e7bfc76169850cb076f00c7c297c47d444d58a1d27d68edd7

SHA512
b549432b8074309b55b87f3468820c1748174845e2e5069f6bc397127afda3479bef732c7386428bbea43debeaaf1da2caa2ebdaf9bcadf49154c9e420fe3036

Download Submit
C:\Program Files (x86)\rover\_2Idle\_2Idle.008.png
Filesize
4KB

MD5
10e2ebf18bb2db2cf6853c837e417a61

SHA1
5c7d494abfed46173d4f6ae037064bf74651a12d

SHA256
07988cb52d932818c6b529018bd372f64f9a7436cbaefb8293e865e6d31c90aa

SHA512
8d49b340de56a7ed08500ac47157a44406da67fdf4b49070419ddfa06cfe685e6cc71bda6c9338a39959b3bac7f82dfb7c8715589a6912d4fdddbfb4c6fba88c

Download Submit
C:\Program Files (x86)\rover\_2Idle\_2Idle.009.png
Filesize
3KB

MD5
008753a2b61067f22273c5cc1c3f1b28

SHA1
14b34c48f1b8c81f344bd39a7412e3bcd67920a8

SHA256
0cebf9d00332f973aa10bd7cdc58b449004d4df5d93b9c4268851b6a5543104a

SHA512
b21511d4c8663f9c16d8f3a470bfec90941e22c32a4e13e910a66b00c66cd3f91f606c8ec8d6f3fb037853125a393b16f6b67edfe6c03b2ba39b8a9d6a3a1083

Download Submit
C:\Program Files (x86)\rover\_2Idle\_2Idle.010.png
Filesize
4KB

MD5
12ab9270bd2394206e4c3fa4542f6585

SHA1
f31772a5575e20db0dba4dbb6a9cb3429fc44bb7

SHA256
81ac79069b74058d3895ad392313f5c087ff32245cb8622491e0e79a8b041aaf

SHA512
20dc7379d6b7376cfc5f397aed8fd9648e28336d743ed0b12dada5f38dce6ce9d36314273ac799979bb77e162ba530d0bb8d93e39c389d61e2fa14025ec94fd9

Download Submit
C:\Program Files (x86)\rover\_2Idle\_2Idle.011.png
Filesize
4KB

MD5
cb66cd1b1d57a64952ce8bc29d50faa7

SHA1
f03c39cc4756f8d5c185480026205601643a4a5f

SHA256
c28d22cee474a1d12a925a000ce4cc1615b787c69dd84311b9553a0b39b09902

SHA512
206ff3825746b09b5fd4459ce67848b56fc11255d8c3b0ff8f7305b84a153545f5572a119b4c33920366a7e3905179fee2b4587fb3f28bfa4fd9ab85b7fafbce

Download Submit
C:\Program Files (x86)\rover\_2Idle\_2Idle.012.png
Filesize
4KB

MD5
d8a3457c4d6217674385c4cbd99bbbc0

SHA1
031e095c4bfa71139d5b824aea017bbdaed8728c

SHA256
71dcd0b036b4168be1637d4c3231c3d1771609a907e7fa35208eb2d2ab3a5ce0

SHA512
016bf7b49b15e7eb8e4ce4a30014f8c29c9f8426f2e3fe3cd9357bed5b1ac1354099fa77e56e30f18b48a1d3a57532ea941316a728bccc81e354fd704947d2f1

Download Submit
C:\Program Files (x86)\rover\_2Idle\_2Idle.013.png
Filesize
4KB

MD5
100e90feb1883b51bc8989620e5d7475

SHA1
c3ea4129ab9e44206ae90bc911274300de602441

SHA256
0cc51d2d1cb961cc62039ab7d5366995f0c2a78e3916ca447d3dc7383264fac8

SHA512
712408973741cdcd77b9428ad9a63c1710ed719f1442b21bce6cde5d5d15dbe7a43d78ef63ec5efa01cc2d33115f4ae7fe601f9c876276707231b8d491d454ee

Download Submit
C:\Program Files (x86)\rover\_2Idle\_2Idle.014.png
Filesize
4KB

MD5
3cf1b1a2a58fa914823dcac0814dac21

SHA1
fbdffb7e29aac6816587c207f1741fe549e57b37

SHA256
6dd5d3f36526a7fcdcbe6d5fa0743d35c008a43d13a5d01a1111f4707824e0c7

SHA512
40bae2f0eb33687921f24f7ec3c5d2bcc7db50a20d26c9015026c607cd3cc738c9b2083e7ac08fef62d0586a1d3073923d946c6b5bad2ede9245fab4a8257a5b

Download Submit
C:\Program Files (x86)\rover\_2Idle\_2Idle.015.png
Filesize
4KB

MD5
6d022eff713d39b3370c17b6260f1d30

SHA1
6be194cf387b4520dc0a8315e74a2ad71615a483

SHA256
6113284a211f2366c665cf3c3f5e0687ffdf6dcceec0eff262c38d646eb8e9a4

SHA512
affef7099c81aad71a029ece04cbc9f63da3a1d1f3ede3cdfea00e96ae2d2faf418ae761971bcc3175a8b2a796c7fd416fb8663af9b75d95b38ed30363521c6d

Download Submit
C:\Program Files (x86)\rover\_6Idle\_6Idle.001.png
Filesize
4KB

MD5
b00706960382815918c8ed9c2620be98

SHA1
687d41d0499a5b0f21f0c2480a305e4267775854

SHA256
00a8d4f366bb71d1d23e2bf08935e3321ea4552bf68b0e0eda475fa84bd5b1f4

SHA512
651944e3e7e560779810a6d7585da050b9e51c1e50c1a7aebfdda8a6f383e5f05b3304a53ae25a658cfbbae62d6cfb4f7b26166d50ed0227af71a9a7ae2d0947

Download Submit
C:\Program Files (x86)\rover\_6Idle\_6Idle.002.png
Filesize
4KB

MD5
8143b3677c940c9a17cead5fc9152f7c

SHA1
f1ebe57d71a4af6a4909ebb239bbd131b5ec3577

SHA256
abe8caa8da0099dcc024a1993a117a7f73c66c6650df3c1430f09d7be19d27c0

SHA512
c0f7df7945e2626d164db1bbf11ad71a58462a5579716f43736475435a5da076f2cd868c85d6b587df4576b3d4aa9dcde4e53295589e0a554a349661f43fac7e

Download Submit
C:\Program Files (x86)\rover\_6Idle\_6Idle.003.png
Filesize
4KB

MD5
f47b094e938bc3c67945d1a3591059f7

SHA1
7a4a9e7ff8344f6ea121c134b306c580bf8764f1

SHA256
f3e11eb38d48ab6572b68ed6dd387f081210bf49daee13653fb619f1af27a03e

SHA512
c22376cdf0fa47d7c9aab9c358b888d67d46fc84e3d479bf931d3d5b702881f19671ec562f7e6c5525e25e5bd8470c9a1dd55a671b9f96afe18de298188bbc12

Download Submit
C:\Program Files (x86)\rover\_6Idle\_6Idle.004.png
Filesize
4KB

MD5
c1ad8b7c95808f4bd5088952fa081b78

SHA1
1eede17dc33e7be028486f64eb185021e9a58fab

SHA256
4d8af631170428eaf6ee72767a381e87935d5aead26b6a188fe8042a7628316c

SHA512
331581f48d5e44e7b79ea44ec3d87681830ddfc92c3ab49c66a2cfe0c46333cdfde014ead3e63d1e4f2d3c69edb76c3d390956b647642b378637b55a928b6af1

Download Submit
C:\Program Files (x86)\rover\_6Idle\_6Idle.005.png
Filesize
4KB

MD5
310ea5ce731cb036506fe6d4652dc9d0

SHA1
39323884f9dcebf27a64d96d1f539cd73aad42cc

SHA256
2c0fe38c53562f1a915d1daeac11ae60f2c54e595817ea0a5c4a81bbe1341454

SHA512
d078b18330233229ca21e41e89ad139214cb8035ed681ac514c1458f25990c8c6ab0b3a7947715fea58ca549be0d18de74a33d4355b030143280aad210d32627

Download Submit
C:\Program Files (x86)\rover\_6Idle\_6Idle.006.png
Filesize
4KB

MD5
71fdf5c9c2868f2ae00803e3766982da

SHA1
22a7625b8b3ab6d54357babf108f720b1b22f940

SHA256
4e7c68dbd0224cc83d8f03057138a09de8c119293c7c98cb4489f3a8ed30cc08

SHA512
a95f229ff6101807970f305e107748341c4c7ac858ded0da8b1de39467c522cf73553f34b9b3573feed71cb2cacd9098815c849c1817a6a0d274eed7df6f2708

Download Submit
C:\Program Files (x86)\rover\_6Idle\_6Idle.007.png
Filesize
4KB

MD5
b89dea1aaafe105256de15f3262c9bb2

SHA1
ef7c8a2a454ed9ef554f713df761952fefbe6b22

SHA256
829b9cacf3ad245b195fb1a645ee3a467186095f13e444784e1452b4cad22f45

SHA512
ec196a33fff6017c13e328585961aa554e140f9c9df3bb8f0bea355adffb67bdd876cee896b5e6dfc1591e336779722ba78254a9b103d173b1bf074415bc6b84

Download Submit
C:\Program Files (x86)\rover\_6Idle\_6Idle.008.png
Filesize
4KB

MD5
4950813fe5f739aa5a6b951023218c88

SHA1
61133194dd98eb877794bee2d38966e142e6fc16

SHA256
1ff42478829ec190fabe6dd3b8b6ead5e1eae8d533e72c59cb6dbc071bfc868e

SHA512
cdf4fe8c605490d4cc020e0d9bfb92614f2bd12806b1472d960729f2bc0b0bbe76b91747b7debd77f53959c659cbc290795f1548fa90d7e71d944e9ffacb9b82

Download Submit
C:\Program Files (x86)\rover\_6Idle\_6Idle.009.png
Filesize
3KB

MD5
eb464c179bf729084cd858335f2f9dd6

SHA1
b410da8a574b62b055b957a762ce7ecd6cbab330

SHA256
d4b6e894c0b5b9e472664967933ab3913c57f818a2f96ef41e32e18016ec9352

SHA512
03fe5b9a763e45b5387297c47209570a337df9191aad9238fda1f1af5c08f59674d2642fd0fc0b0d7376f5ed2bcbb09d79489cfbb61e290175a926e5ab6b0be0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
1ac52e2503cc26baee4322f02f5b8d9c

SHA1
38e0cee911f5f2a24888a64780ffdf6fa72207c8

SHA256
f65058c6f1a745b37a64d4c97a8e8ee940210273130cec97a67f568088b5d4d4

SHA512
7670d606bc5197ecb7db3ddaecd6f74a80e6decae92b94e0e8145a7f463fa099058e89f9dfa1c45b9197c36e5e21994698186a2ec970bbdb0937fe28ca46a834

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
b2a1398f937474c51a48b347387ee36a

SHA1
922a8567f09e68a04233e84e5919043034635949

SHA256
2dc0bf08246ddd5a32288c895d676017578d792349ca437b1b36e7b2f0ade6d6

SHA512
4a660c0549f7a850e07d8d36dab33121af02a7bd7e9b2f0137930b4c8cd89b6c5630e408f882684e6935dcb0d5cb5e01a854950eeda252a4881458cafcc7ef7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
5b7fb99191b0c460fa9bb39fa1fe44be

SHA1
686158d3b253a680f5d9fa7d841c6bf6ecf70ca6

SHA256
87757cebf06a81ab977d3e63bd90a12706f2ddf8100e1ae2f11eae76b4491e27

SHA512
13b326120ad43b26fb859c90d3bb0f9fee57151871123e311d3bf5f87955e20063eb294a632a7f734161a17881269783bc77836401fdc25d2adaf735b21110a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
4c24a6c31a59dac9924357abf58d11aa

SHA1
40931a4b072618f8d3c41db9c3ea72abc82a5d1e

SHA256
598cd86f77a1d07f298b6c66f659d1d19f0700570c0d1de7390f008a5a2aa557

SHA512
fffdb5963310c5840a6391510ef0499a16a096d191cbe599e071f52ef361059ecbfbe4b6a58263fb029bcf5ea8f4224f9ca56fe828bfee74e08837004665ed70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
b11306d385db22e112bbb3947d4e877b

SHA1
c81abc85132f2f7058a0ee9c684f47a3cc41ac42

SHA256
9b8e4a5831cc144aee2e51710e67fb7edee36d1ec0f51ebd91152c2d86c4bd10

SHA512
23b49a80c709ef52f61bfee136b79a40116cabb2da2940ecb1bb7148fea3c872ac8e8f940957bfd0efa3d1f8253b8447f5019a5f50e97d1de5f7cbc62894cbcc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1
Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\e1b912c9-e2ff-4ac3-a389-09b5f81a2027\ProgressBarSplash.exe
Filesize
87KB

MD5
ed001288c24f331c9733acf3ca3520b0

SHA1
1e935afba79825470c54afaec238402d068ddefa

SHA256
6c20ba0c24e2cf169fd9b0623e4a1abe3718824ff48085250dae8c019cc6cb06

SHA512
e6ba29aa9a8c61e8fd2823cf96343fa7c3c41e8f698a6be428b13923ed3f103ea7a7d613b8808a6447f37e54516b49f61976391a551ec4fa184cc7abe38b2444

Download Submit
C:\Users\Admin\AppData\Local\Temp\e1b912c9-e2ff-4ac3-a389-09b5f81a2027\packer.exe
Filesize
50KB

MD5
dfda8e40e4c0b4830b211530d5c4fefd

SHA1
994aca829c6adbb4ca567e06119f0320c15d5dba

SHA256
131fc2c07992321f9ba4045aba20339e122bab73609d41dd7114f105f77f572e

SHA512
104e64d6dd2fd549c22cd36a4be83ccb2e0c85f5cc6d88ba2729b3c7e5d5f50cd244053c8cb3bdd5e294d1a4a1964825f3a7b7df83ee855615019dfc2b49f43f

Download Submit
C:\Users\Admin\AppData\Local\Temp\e1b912c9-e2ff-4ac3-a389-09b5f81a2027\unpacker.exe
Filesize
531KB

MD5
54c72f781ac4c2780371c5cc877754a7

SHA1
bb17dedf8eb82bd6a467e6d642aac20081e59779

SHA256
eb48c90f5cde797fbd475d80d3e08c857b3497a17996d9584b921faa54f6bb4b

SHA512
a9f014b54254aa666fa031e6475c1923f9410efc60f04fdd5297e82c9dc361201649d7c079d88be08234b261dda6beed70df22b57e255c420bdb2d8efb59d1db

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_6F694EC4D9644E8B8A64F20B9717F133.dat
Filesize
940B

MD5
5396413e4903bc32cc9958e7fefe433a

SHA1
5d2245398bff5561d54a131feb36da2800a90c61

SHA256
2071930266de8f1bf8727043c19e24dc60bec4dc7e1c487881578813815290e8

SHA512
527d764abf27e7423c4bc3a3be42404c4a9dc16d5cecf8922788957183827a750eeb0c15d154d79d4841d4d7ddf648eb2bd261b426e494165091892e9145227e

Download Submit
C:\Users\Admin\Desktop\lol_5d9624f2-ea8f-4ba5-8cf1-100f4d22cada\MEMZ.exe
Filesize
16KB

MD5
1d5ad9c8d3fee874d0feb8bfac220a11

SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595

SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Download Submit
C:\Users\Admin\Desktop\lol_5d9624f2-ea8f-4ba5-8cf1-100f4d22cada\Rover.exe
Filesize
5.1MB

MD5
63d052b547c66ac7678685d9f3308884

SHA1
a6e42e6a86e3ff9fec137c52b1086ee140a7b242

SHA256
8634e9241729f16a8c2c23d5c184384815b97026e3d1a2d6dd0ddc825b142aba

SHA512
565b9243ec14dc1cf6f6ddf4a7158e208937f553367e55cd59f62f1834fcfb7d9fb387b0636dc07520f590dcd55eb5f60f34ea2279dc736f134db7b19e3aa642

Download Submit
C:\Users\Admin\Desktop\lol_5d9624f2-ea8f-4ba5-8cf1-100f4d22cada\SolaraBootstraper.exe
Filesize
290KB

MD5
288a089f6b8fe4c0983259c6daf093eb

SHA1
8eafbc8e6264167bc73c159bea34b1cfdb30d34f

SHA256
3536c40290b9e7e9c3c47a96ab10fe3b737f334dd6779eaf70e35e91e10a677b

SHA512
c04bf3530cd471d589efb8f7e6bdddb39422fc4284afc7f2d3645a646ebbee170d57dc57eff30cee05ef091c64c6a98586c5a887d25fe53e49531c137d285448

Download Submit
C:\Users\Admin\Desktop\lol_5d9624f2-ea8f-4ba5-8cf1-100f4d22cada\ac3.exe
Filesize
844KB

MD5
7ecfc8cd7455dd9998f7dad88f2a8a9d

SHA1
1751d9389adb1e7187afa4938a3559e58739dce6

SHA256
2e67d5e7d96aec62a9dda4c0259167a44908af863c2b3af2a019723205abba9e

SHA512
cb05e82b17c0f7444d1259b661f0c1e6603d8a959da7475f35078a851d528c630366916c17a37db1a2490af66e5346309177c9e31921d09e7e795492868e678d

Download Submit
C:\Users\Admin\Desktop\lol_5d9624f2-ea8f-4ba5-8cf1-100f4d22cada\helper.vbs
Filesize
26B

MD5
7a97744bc621cf22890e2aebd10fd5c8

SHA1
1147c8df448fe73da6aa6c396c5c53457df87620

SHA256
153fed1733e81de7f9d221a1584a78999baa93bc8697500d8923550c774ed709

SHA512
89c73b73d4b52cf8e940fa2f1580fdc89f902b1eeb4b2abc17f09229a6130532a08cdb91205b9813a65cb7cd31ca020fe728b03d9a0fabb71131864c2966f967

Download Submit
C:\Users\Admin\Desktop\lol_5d9624f2-ea8f-4ba5-8cf1-100f4d22cada\jaffa.exe
Filesize
512KB

MD5
6b1b6c081780047b333e1e9fb8e473b6

SHA1
8c31629bd4a4ee29b7ec1e1487fed087f5e4b1de

SHA256
e649b6e4284404bfa04639b8bf06367777c48201ef27dcdc256fe59167935fac

SHA512
022d40c1801fa495c9298d896221c8eefbad342d41922df8d014f2f49c3fe7fa91d603e0ee0de6be6f2143f9e0c4a6756b19260166ebd62ec3e1c64ad22bc447

Download Submit
C:\Users\Admin\Desktop\lol_5d9624f2-ea8f-4ba5-8cf1-100f4d22cada\jkka.exe
Filesize
1002KB

MD5
42e4b26357361615b96afde69a5f0cc3

SHA1
35346fe0787f14236296b469bf2fed5c24a1a53d

SHA256
e58a07965ef711fc60ab82ac805cfc3926e105460356dbbea532ba3d9f2080eb

SHA512
fb8a2f4a9f280c0e3c0bb979016c11ea217bae9cebd06f7f2b5ef7b8973b98128ebc2e5cf76b824d71b889fca4510111a79b177dab592f332131f0d6789673a5

Download Submit
C:\Users\Admin\Desktop\lol_5d9624f2-ea8f-4ba5-8cf1-100f4d22cada\loader.bat
Filesize
51B

MD5
e67249c010d7541925320d0e6b94a435

SHA1
66aa61cc4f66d5315e7c988988b319e0ab5f01f2

SHA256
4fc3cb68df5fc781354dcc462bf953b746584b304a84e2d21b340f62e4e330fc

SHA512
681698eb0aab92c2209cc06c7d32a34cbc209cc4e63d653c797d06ebf4d9342e4f882b3ab74c294eb345f62af454f5f3a721fe3dbc094ddbe9694e40c953df96

Download Submit
C:\Users\Admin\Desktop\lol_5d9624f2-ea8f-4ba5-8cf1-100f4d22cada\loader.exe
Filesize
5KB

MD5
3a66b8c04d1437b4c4da631053a76bb5

SHA1
bcf8f381932d376f3f8e53c82b2b13ff31ee097b

SHA256
c3aa0c8ff9e3c7e10bcd3829f3e63b4cf9c59eb4964a7576f3ef5fca50c77cdc

SHA512
b24f3fb34aa293293d4f7bef247ca746608cb9ae54d214492276e7ef0fe0032944ea082f2bbf42f200359d38ed2af69f51ef5f3cb969a0ffb7176b27e0279fcf

Download Submit
C:\Users\Admin\Desktop\lol_5d9624f2-ea8f-4ba5-8cf1-100f4d22cada\main.cmd
Filesize
854B

MD5
7ad382bfb87b18df8a0f8974a40b766a

SHA1
687d1fe653903f93172b1695b1f3f2038a991c13

SHA256
f07c70b2eeb0eb9b7977c62e105f6b097826cab9e4dc50be8a6964d71c5572fa

SHA512
4973fcfc3adf6d9889df9a1af41dd8330ed99879cf39381d13e33e11480611d81d0cf7db09b36db2469edcc2974381e9b017a063dbbeecfc774928a962f4f089

Download Submit
C:\Users\Admin\Desktop\lol_5d9624f2-ea8f-4ba5-8cf1-100f4d22cada\selfaware.exe
Filesize
797KB

MD5
5cb9ba5071d1e96c85c7f79254e54908

SHA1
3470b95d97fb7f1720be55e033d479d6623aede2

SHA256
53b21dcfad586cdcb2bb08d0cfe62f0302662ebe48d3663d591800cf3e8469a5

SHA512
70d4f6c62492209d497848cf0e0204b463406c5d4edf7d5842a8aa2e7d4edb2090f2d27862841a217786e6813198d35ea29b055e0118b73af516edf0c79dcfad

Download Submit
C:\Users\Admin\Desktop\lol_5d9624f2-ea8f-4ba5-8cf1-100f4d22cada\spinner.gif
Filesize
44KB

MD5
324f8384507560259aaa182eb0c7f94a

SHA1
3b86304767e541ddb32fdda2e9996d8dbeca16ed

SHA256
f48c4f9c5fc87e8d7679948439544a97f1539b423860e7c7470bd9b563aceab5

SHA512
cc1b61df496cfb7c51d268139c6853d05bace6f733bc13c757c87cd64a11933c3a673b97fba778e515a9ff5f8c4ea52e7091f3beda1d8452bc3f6b59382f300d

Download Submit
C:\Users\Admin\Desktop\lol_5d9624f2-ea8f-4ba5-8cf1-100f4d22cada\temp.bat
Filesize
16B

MD5
683678b879bd775b775240fcb1cd495e

SHA1
10bc596b3d03e1ba328068305c8acee2745c731c

SHA256
64f28aef02c7fafbc9d80735a8b1d607c3996a2ddf9ba260d4c433c002efeaba

SHA512
3b2b9d231643a826183732a79489c6d2f4749ce25314c444364062c781627af59b572c082d811ae57a839cae94de77cf03eb81d99e1063e2191e884ccbaa0963

Download Submit
C:\Users\Admin\Desktop\lol_5d9624f2-ea8f-4ba5-8cf1-100f4d22cada\web.htm
Filesize
176B

MD5
1fab717c517da1c27e82a93edddf9390

SHA1
24b6cfda27c15c1d01ba5718106c18687ed77397

SHA256
bd035700f060a35c394600cabf0cf04c031927786c97cf41c55d78dddeffa11c

SHA512
5452938fa310396ecacae8eab64bdae624f617e19c0d742e10e088befb686c205b8db9ccec7d9de1c9360f341db8a701d5b8c6c4eb20aaa1c2deb831ab09fab5

Download Submit
\??\pipe\LOCAL\crashpad_4060_XIJYCGMGECOXWJZM
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1388-25-0x00007FFC7C0A0000-0x00007FFC7CA41000-memory.dmp

Filesize
9.6MB

Download
memory/1388-29-0x00007FFC7C0A0000-0x00007FFC7CA41000-memory.dmp

Filesize
9.6MB

Download
memory/1388-24-0x00007FFC7C355000-0x00007FFC7C356000-memory.dmp

Filesize
4KB

Download
memory/1388-165-0x00007FFC7C0A0000-0x00007FFC7CA41000-memory.dmp

Filesize
9.6MB

Download
memory/2700-897-0x0000000074E10000-0x00000000755C0000-memory.dmp

Filesize
7.7MB

Download
memory/2700-4-0x0000000005E60000-0x0000000006404000-memory.dmp

Filesize
5.6MB

Download
memory/2700-3-0x0000000074E10000-0x00000000755C0000-memory.dmp

Filesize
7.7MB

Download
memory/2700-2-0x00000000056A0000-0x00000000056C4000-memory.dmp

Filesize
144KB

Download
memory/2700-0-0x0000000074E1E000-0x0000000074E1F000-memory.dmp

Filesize
4KB

Download
memory/2700-1-0x0000000000E00000-0x0000000000E8C000-memory.dmp

Filesize
560KB

Download
memory/2780-88-0x00000000069B0000-0x0000000006EF9000-memory.dmp

Filesize
5.3MB

Download
memory/2780-52-0x00000000069B0000-0x0000000006EF9000-memory.dmp

Filesize
5.3MB

Download
memory/2780-70-0x00000000069B0000-0x0000000006EF9000-memory.dmp

Filesize
5.3MB

Download
memory/2780-78-0x00000000069B0000-0x0000000006EF9000-memory.dmp

Filesize
5.3MB

Download
memory/2780-74-0x00000000069B0000-0x0000000006EF9000-memory.dmp

Filesize
5.3MB

Download
memory/2780-82-0x00000000069B0000-0x0000000006EF9000-memory.dmp

Filesize
5.3MB

Download
memory/2780-84-0x00000000069B0000-0x0000000006EF9000-memory.dmp

Filesize
5.3MB

Download
memory/2780-72-0x00000000069B0000-0x0000000006EF9000-memory.dmp

Filesize
5.3MB

Download
memory/2780-90-0x00000000069B0000-0x0000000006EF9000-memory.dmp

Filesize
5.3MB

Download
memory/2780-92-0x00000000069B0000-0x0000000006EF9000-memory.dmp

Filesize
5.3MB

Download
memory/2780-94-0x00000000069B0000-0x0000000006EF9000-memory.dmp

Filesize
5.3MB

Download
memory/2780-96-0x00000000069B0000-0x0000000006EF9000-memory.dmp

Filesize
5.3MB

Download
memory/2780-102-0x00000000069B0000-0x0000000006EF9000-memory.dmp

Filesize
5.3MB

Download
memory/2780-100-0x00000000069B0000-0x0000000006EF9000-memory.dmp

Filesize
5.3MB

Download
memory/2780-98-0x00000000069B0000-0x0000000006EF9000-memory.dmp

Filesize
5.3MB

Download
memory/2780-5688-0x0000000000930000-0x000000000093C000-memory.dmp

Filesize
48KB

Download
memory/2780-64-0x00000000069B0000-0x0000000006EF9000-memory.dmp

Filesize
5.3MB

Download
memory/2780-86-0x00000000069B0000-0x0000000006EF9000-memory.dmp

Filesize
5.3MB

Download
memory/2780-76-0x00000000069B0000-0x0000000006EF9000-memory.dmp

Filesize
5.3MB

Download
memory/2780-80-0x00000000069B0000-0x0000000006EF9000-memory.dmp

Filesize
5.3MB

Download
memory/2780-68-0x00000000069B0000-0x0000000006EF9000-memory.dmp

Filesize
5.3MB

Download
memory/2780-60-0x00000000069B0000-0x0000000006EF9000-memory.dmp

Filesize
5.3MB

Download
memory/2780-62-0x00000000069B0000-0x0000000006EF9000-memory.dmp

Filesize
5.3MB

Download
memory/2780-66-0x00000000069B0000-0x0000000006EF9000-memory.dmp

Filesize
5.3MB

Download
memory/2780-40-0x00000000069B0000-0x0000000006EF9000-memory.dmp

Filesize
5.3MB

Download
memory/2780-42-0x00000000069B0000-0x0000000006EF9000-memory.dmp

Filesize
5.3MB

Download
memory/2780-44-0x00000000069B0000-0x0000000006EF9000-memory.dmp

Filesize
5.3MB

Download
memory/2780-50-0x00000000069B0000-0x0000000006EF9000-memory.dmp

Filesize
5.3MB

Download
memory/2780-46-0x00000000069B0000-0x0000000006EF9000-memory.dmp

Filesize
5.3MB

Download
memory/2780-39-0x00000000069B0000-0x0000000006EF9000-memory.dmp

Filesize
5.3MB

Download
memory/2780-38-0x00000000069B0000-0x0000000006EFE000-memory.dmp

Filesize
5.3MB

Download
memory/2780-58-0x00000000069B0000-0x0000000006EF9000-memory.dmp

Filesize
5.3MB

Download
memory/2780-36-0x0000000005EB0000-0x0000000006400000-memory.dmp

Filesize
5.3MB

Download
memory/2780-56-0x00000000069B0000-0x0000000006EF9000-memory.dmp

Filesize
5.3MB

Download
memory/2780-55-0x00000000069B0000-0x0000000006EF9000-memory.dmp

Filesize
5.3MB

Download
memory/2780-48-0x00000000069B0000-0x0000000006EF9000-memory.dmp

Filesize
5.3MB

Download
memory/2780-7105-0x0000000000D70000-0x0000000000D78000-memory.dmp

Filesize
32KB

Download
memory/2780-3100-0x0000000005D20000-0x0000000005DB2000-memory.dmp

Filesize
584KB

Download
memory/2780-3101-0x0000000005E20000-0x0000000005E2A000-memory.dmp

Filesize
40KB

Download
memory/2780-3108-0x0000000007AF0000-0x0000000007B9A000-memory.dmp

Filesize
680KB

Download
memory/2780-3105-0x000000000BCA0000-0x000000000C380000-memory.dmp

Filesize
6.9MB

Download
memory/4032-974-0x0000000005C20000-0x0000000005C5C000-memory.dmp

Filesize
240KB

Download
memory/4032-888-0x0000000005410000-0x0000000005434000-memory.dmp

Filesize
144KB

Download
memory/4032-973-0x0000000005BC0000-0x0000000005BD2000-memory.dmp

Filesize
72KB

Download
memory/4032-879-0x0000000000D30000-0x0000000000D42000-memory.dmp

Filesize
72KB

Download