2960a2d4d2fd6b7b85b8e3ea4c86ec0c13b93bfd3754a7e772a2c74f564b0009

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
19/07/2024, 12:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

29.exe
Size

319KB
MD5

e8e59836a0fe2dfebcbde148711b5d56
SHA1

cd8fbf0dcdd429c06c80b124caf574334504e99a
SHA256

2960a2d4d2fd6b7b85b8e3ea4c86ec0c13b93bfd3754a7e772a2c74f564b0009
SHA512

0d0673c64f9e9e1c75e10ce6d02c4b5530831d1659ada88acf951e2bcbd56c38f0c59674b3eb7837fd882b23499eb350f2925fd67d3fdf51992d9a4312a02309
SSDEEP

6144:CZABbWqsE/Ao+mv8Qv0LVmwq4FU0fNoy6BJXCcOS8W78U2kGHF4143nip:kANwRo+mv8QD4+0V167XDOSDN2JF41me

Score

10^/10

defense_evasion discovery execution

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.mail.ru
Port:
587
Username:
[email protected]
Password:
9b0P96R6nBreNQrU3Cte

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2768	powershell.exe

Executes dropped EXE 31 IoCs

pid	Process
2704	RootDesign.exe
2880	RootDesign.exe
2600	RootDesign.exe
588	RootDesign.exe
2180	RootDesign.exe
1028	RootDesign.exe
2452	RootDesign.exe
3060	RootDesign.exe
2764	RootDesign.exe
2720	RootDesign.exe
2552	RootDesign.exe
2992	RootDesign.exe
1908	RootDesign.exe
836	RootDesign.exe
2324	RootDesign.exe
1924	RootDesign.exe
1056	RootDesign.exe
2336	RootDesign.exe
2176	RootDesign.exe
2696	RootDesign.exe
2536	RootDesign.exe
2924	RootDesign.exe
1664	RootDesign.exe
2608	RootDesign.exe
1712	RootDesign.exe
900	RootDesign.exe
2716	RootDesign.exe
1540	RootDesign.exe
1816	RootDesign.exe
1952	RootDesign.exe
780	RootDesign.exe

Loads dropped DLL 3 IoCs

pid	Process
2744	powershell.exe
2744	powershell.exe
2744	powershell.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Hide Artifacts: Hidden Window 1 TTPs 1 IoCs

Windows that would typically be displayed when an application carries out an operation can be hidden.

defense_evasion

Hidden Window

T1564.003

pid	Process
2164	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2768	powershell.exe
2744	powershell.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

description	pid	Process
Token: SeDebugPrivilege	2768	powershell.exe
Token: SeDebugPrivilege	2744	powershell.exe
Token: SeDebugPrivilege	2600	RootDesign.exe
Token: SeDebugPrivilege	588	RootDesign.exe
Token: SeDebugPrivilege	2180	RootDesign.exe
Token: SeDebugPrivilege	1028	RootDesign.exe
Token: SeDebugPrivilege	2452	RootDesign.exe
Token: SeDebugPrivilege	3060	RootDesign.exe
Token: SeDebugPrivilege	2764	RootDesign.exe
Token: SeDebugPrivilege	2720	RootDesign.exe
Token: SeDebugPrivilege	2552	RootDesign.exe
Token: SeDebugPrivilege	2992	RootDesign.exe
Token: SeDebugPrivilege	1908	RootDesign.exe
Token: SeDebugPrivilege	836	RootDesign.exe
Token: SeDebugPrivilege	2324	RootDesign.exe
Token: SeDebugPrivilege	1924	RootDesign.exe
Token: SeDebugPrivilege	1056	RootDesign.exe
Token: SeDebugPrivilege	2336	RootDesign.exe
Token: SeDebugPrivilege	2176	RootDesign.exe
Token: SeDebugPrivilege	2696	RootDesign.exe
Token: SeDebugPrivilege	2536	RootDesign.exe
Token: SeDebugPrivilege	2924	RootDesign.exe
Token: SeDebugPrivilege	1664	RootDesign.exe
Token: SeDebugPrivilege	2608	RootDesign.exe
Token: SeDebugPrivilege	1712	RootDesign.exe
Token: SeDebugPrivilege	900	RootDesign.exe
Token: SeDebugPrivilege	2716	RootDesign.exe
Token: SeDebugPrivilege	1540	RootDesign.exe
Token: SeDebugPrivilege	1816	RootDesign.exe
Token: SeDebugPrivilege	1952	RootDesign.exe
Token: SeDebugPrivilege	780	RootDesign.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 2164	2072	29.exe	30
PID 2072 wrote to memory of 2164	2072	29.exe	30
PID 2072 wrote to memory of 2164	2072	29.exe	30
PID 2072 wrote to memory of 2164	2072	29.exe	30
PID 2164 wrote to memory of 2768	2164	cmd.exe	32
PID 2164 wrote to memory of 2768	2164	cmd.exe	32
PID 2164 wrote to memory of 2768	2164	cmd.exe	32
PID 2164 wrote to memory of 2768	2164	cmd.exe	32
PID 2768 wrote to memory of 2744	2768	powershell.exe	33
PID 2768 wrote to memory of 2744	2768	powershell.exe	33
PID 2768 wrote to memory of 2744	2768	powershell.exe	33
PID 2768 wrote to memory of 2744	2768	powershell.exe	33
PID 2744 wrote to memory of 2704	2744	powershell.exe	34
PID 2744 wrote to memory of 2704	2744	powershell.exe	34
PID 2744 wrote to memory of 2704	2744	powershell.exe	34
PID 2744 wrote to memory of 2704	2744	powershell.exe	34
PID 2704 wrote to memory of 2880	2704	RootDesign.exe	37
PID 2704 wrote to memory of 2880	2704	RootDesign.exe	37
PID 2704 wrote to memory of 2880	2704	RootDesign.exe	37
PID 2704 wrote to memory of 2880	2704	RootDesign.exe	37
PID 2880 wrote to memory of 2600	2880	RootDesign.exe	38
PID 2880 wrote to memory of 2600	2880	RootDesign.exe	38
PID 2880 wrote to memory of 2600	2880	RootDesign.exe	38
PID 2880 wrote to memory of 2600	2880	RootDesign.exe	38
PID 2600 wrote to memory of 588	2600	RootDesign.exe	39
PID 2600 wrote to memory of 588	2600	RootDesign.exe	39
PID 2600 wrote to memory of 588	2600	RootDesign.exe	39
PID 2600 wrote to memory of 588	2600	RootDesign.exe	39
PID 588 wrote to memory of 2180	588	RootDesign.exe	41
PID 588 wrote to memory of 2180	588	RootDesign.exe	41
PID 588 wrote to memory of 2180	588	RootDesign.exe	41
PID 588 wrote to memory of 2180	588	RootDesign.exe	41
PID 2180 wrote to memory of 1028	2180	RootDesign.exe	43
PID 2180 wrote to memory of 1028	2180	RootDesign.exe	43
PID 2180 wrote to memory of 1028	2180	RootDesign.exe	43
PID 2180 wrote to memory of 1028	2180	RootDesign.exe	43
PID 1028 wrote to memory of 2452	1028	RootDesign.exe	44
PID 1028 wrote to memory of 2452	1028	RootDesign.exe	44
PID 1028 wrote to memory of 2452	1028	RootDesign.exe	44
PID 1028 wrote to memory of 2452	1028	RootDesign.exe	44
PID 2452 wrote to memory of 3060	2452	RootDesign.exe	45
PID 2452 wrote to memory of 3060	2452	RootDesign.exe	45
PID 2452 wrote to memory of 3060	2452	RootDesign.exe	45
PID 2452 wrote to memory of 3060	2452	RootDesign.exe	45
PID 3060 wrote to memory of 2764	3060	RootDesign.exe	46
PID 3060 wrote to memory of 2764	3060	RootDesign.exe	46
PID 3060 wrote to memory of 2764	3060	RootDesign.exe	46
PID 3060 wrote to memory of 2764	3060	RootDesign.exe	46
PID 2764 wrote to memory of 2720	2764	RootDesign.exe	47
PID 2764 wrote to memory of 2720	2764	RootDesign.exe	47
PID 2764 wrote to memory of 2720	2764	RootDesign.exe	47
PID 2764 wrote to memory of 2720	2764	RootDesign.exe	47
PID 2720 wrote to memory of 2552	2720	RootDesign.exe	48
PID 2720 wrote to memory of 2552	2720	RootDesign.exe	48
PID 2720 wrote to memory of 2552	2720	RootDesign.exe	48
PID 2720 wrote to memory of 2552	2720	RootDesign.exe	48
PID 2552 wrote to memory of 2992	2552	RootDesign.exe	49
PID 2552 wrote to memory of 2992	2552	RootDesign.exe	49
PID 2552 wrote to memory of 2992	2552	RootDesign.exe	49
PID 2552 wrote to memory of 2992	2552	RootDesign.exe	49
PID 2992 wrote to memory of 1908	2992	RootDesign.exe	51
PID 2992 wrote to memory of 1908	2992	RootDesign.exe	51
PID 2992 wrote to memory of 1908	2992	RootDesign.exe	51
PID 2992 wrote to memory of 1908	2992	RootDesign.exe	51

C:\Users\Admin\AppData\Local\Temp\29.exe
"C:\Users\Admin\AppData\Local\Temp\29.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden powershell -c C:\TheDream\RootDesign.exe
  2⤵
  - Hide Artifacts: Hidden Window
  - Suspicious use of WriteProcessMemory
  PID:2164
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe -windowstyle hidden powershell -c C:\TheDream\RootDesign.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2768
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c C:\TheDream\RootDesign.exe
      4⤵
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2744
    - - C:\TheDream\RootDesign.exe
        
        "C:\TheDream\RootDesign.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2704
      - C:\TheDream\RootDesign.exe
        
        "C:\TheDream\RootDesign.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2880
        
        C:\TheDream\RootDesign.exe
        
        "C:\TheDream\RootDesign.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2600
        
        C:\TheDream\RootDesign.exe
        
        "C:\TheDream\RootDesign.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:588
        
        C:\TheDream\RootDesign.exe
        
        "C:\TheDream\RootDesign.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2180
        
        C:\TheDream\RootDesign.exe
        
        "C:\TheDream\RootDesign.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1028
        
        C:\TheDream\RootDesign.exe
        
        "C:\TheDream\RootDesign.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2452
        
        C:\TheDream\RootDesign.exe
        
        "C:\TheDream\RootDesign.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3060
        
        C:\TheDream\RootDesign.exe
        
        "C:\TheDream\RootDesign.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2764
        
        C:\TheDream\RootDesign.exe
        
        "C:\TheDream\RootDesign.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2720
        
        C:\TheDream\RootDesign.exe
        
        "C:\TheDream\RootDesign.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2552
        
        C:\TheDream\RootDesign.exe
        
        "C:\TheDream\RootDesign.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2992
        
        C:\TheDream\RootDesign.exe
        
        "C:\TheDream\RootDesign.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1908
        
        C:\TheDream\RootDesign.exe
        
        "C:\TheDream\RootDesign.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:836
        
        C:\TheDream\RootDesign.exe
        
        "C:\TheDream\RootDesign.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2324
        
        C:\TheDream\RootDesign.exe
        
        "C:\TheDream\RootDesign.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1924
        
        C:\TheDream\RootDesign.exe
        
        "C:\TheDream\RootDesign.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1056
        
        C:\TheDream\RootDesign.exe
        
        "C:\TheDream\RootDesign.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2336
        
        C:\TheDream\RootDesign.exe
        
        "C:\TheDream\RootDesign.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2176
        
        C:\TheDream\RootDesign.exe
        
        "C:\TheDream\RootDesign.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2696
        
        C:\TheDream\RootDesign.exe
        
        "C:\TheDream\RootDesign.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2536
        
        C:\TheDream\RootDesign.exe
        
        "C:\TheDream\RootDesign.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2924
        
        C:\TheDream\RootDesign.exe
        
        "C:\TheDream\RootDesign.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1664
        
        C:\TheDream\RootDesign.exe
        
        "C:\TheDream\RootDesign.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2608
        
        C:\TheDream\RootDesign.exe
        
        "C:\TheDream\RootDesign.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1712
        
        C:\TheDream\RootDesign.exe
        
        "C:\TheDream\RootDesign.exe"
        30⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:900
        
        C:\TheDream\RootDesign.exe
        
        "C:\TheDream\RootDesign.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2716
        
        C:\TheDream\RootDesign.exe
        
        "C:\TheDream\RootDesign.exe"
        32⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1540
        
        C:\TheDream\RootDesign.exe
        
        "C:\TheDream\RootDesign.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1816
        
        C:\TheDream\RootDesign.exe
        
        "C:\TheDream\RootDesign.exe"
        34⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1952
        
        C:\TheDream\RootDesign.exe
        
        "C:\TheDream\RootDesign.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:780
        
        C:\TheDream\RootDesign.exe
        
        "C:\TheDream\RootDesign.exe"
        36⤵
        
        PID:2256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Window

T1564.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\TheDream\RootDesign.exe

Filesize
122KB

MD5
4dd7de6b45e46f8219cc73e9a934c0e7

SHA1
1c9629aeb0e6dbe48f9965d87c64a7b8750bbf93

SHA256
1be40e8ac11d6da8045bd03be3e57f0b36b6ab7dc390ff7208a0a4e7688b6b94

SHA512
5565da2ed0e5a9670dc4f909177ac324c3e4e02c449968a115653eabbdbcd4023e60629ce381268fe7f9d005dc2021fb896fba1ec659e30766fd485e7c54e3dc

Download Submit
C:\TheDream\log.txt

Filesize
222B

MD5
713b9c938fdca30556ac7adaef6a798b

SHA1
a7de02d3fbf13530680dfc8207f7418ddf1b9261

SHA256
dbd75bbf6c55e920dfe85e4143eb37e3a712cf0e1284d0708654754e98da1203

SHA512
6af08b5a22b846732ca8bdec06e353e7ee5a25274eac401391aca72647f848259197b35b2cfad5525a0f0d38f898cc2702bbb98821ca3381f48cc163b6d66cee

Download Submit
C:\TheDream\log.txt

Filesize
237B

MD5
f745284d52bf303eb21dd335ba68861f

SHA1
05932030f4f9fec8a081bdb4bdcb8bf052812714

SHA256
97502347a779a78f5321a640533ac1d6e47b6ba9ba4fbf4fae82e05cdca02dcf

SHA512
1c747b96164dabc213b056355e6e9b86b1ed15e7bc3754545e6078f9a0d8b5574f0e126eff0f2e79dec37a71f0bcc51dfd58e170324d6846d8da33ef7c434077

Download Submit
C:\TheDream\log.txt

Filesize
252B

MD5
7051d3d0b3ea82763db5cfb114cb8e73

SHA1
d7b91e3c8ff7a4ba138863f2be523a3ce5ac39d9

SHA256
0e52e53705a90716120178c3f5233cad45f8ce976372c703b54af0437df24729

SHA512
bf10efd94bea2204376f14145261ec6681768d8e56ed8e7ed3893c75334a33ef758c9a3d6b6726f29ead04836e6f9c43808ddc911ed4826d076f01f82332cef3

Download Submit
C:\TheDream\log.txt

Filesize
267B

MD5
9794c29029f19be205f04b79740c16da

SHA1
1c75286cd39bba60e410d46ab79e41f5634a5e9e

SHA256
70e85fc21d705babb7d66fea5a866341548554e0708f66a0f1629ad53b4deed7

SHA512
b5aec94ec02a89fcb4dc58256f1f64da21fa99cd5eb4f0afe07ad5a5492d618362bfdf97b87b3a4d4c90d16a56f551488cb2340ae0aebe8ff8abe5a607dd29a2

Download Submit
C:\TheDream\log.txt

Filesize
282B

MD5
3bd7927e142b931f02fdc92b33d65b03

SHA1
ca4e4ac12dd327a40670c67e4a4fa9ad10fc898d

SHA256
ee37628000ed1c410d32bf0770d110badd4a759c1ab93e0e98543f0e4a1bbdc8

SHA512
9edea2a1e350a978bf3fa0759a9854f408fd84d1bcbe8d696bf18d6b48a971d29a72149c8663600c3f400351862a680723c09f3363c5ae8c0311e1f209f64aa5

Download Submit
C:\TheDream\log.txt

Filesize
297B

MD5
dcc987eb71cb6c19a50c76a4ee823503

SHA1
f1c2288fb20e41d49f8a7a56675c6aa4941f78ff

SHA256
fbf76e9d2db3fbf2f3689008228f07b3a3f96261150c5de910301460686863d8

SHA512
96e882c04cbbb25550d441d7fe51905a1e60b55952d67d767939b005f76d4c69a7153b04f32598d71c213aa38c7dff95419001ea3a4ccc94e3e3aeb67cc483b3

Download Submit
C:\TheDream\log.txt

Filesize
312B

MD5
62a70841255614df72f2197a664cf302

SHA1
ccd03b0f8b3476040c42a53c23a07dfa3acdcbcf

SHA256
6e92e462b0a5c16c2c8096dfa846cba97d578f7037754c42550e25f676f2c991

SHA512
5b5b6f0a4f0eb2a421ea5f3d04d1eb27d9061be6c04a36bd31e63a2b9f15e51114735df35c0cedadbfb4cf786401773eafd64b5b83ea488d8c0526265eb63020

Download Submit
C:\TheDream\log.txt

Filesize
19B

MD5
7453af0163269cc7d73f0ab6249f0c44

SHA1
efddb08025b7f1265a26c2f975ef9eae79a30914

SHA256
f602f95f04559a02e9db7ad17a8bbfbfcb88508ea3088287206cf49559aa78e7

SHA512
8a295f780cc5d4b7a6e5193043b37bae1d905ed0353d248366b27215d3b2cf71d298aa0a83124ab1312fbdfae21c61a4a8e582183f90b8d762bd6defd00befd0

Download Submit
C:\TheDream\log.txt

Filesize
42B

MD5
8e2f3ea44a3109cd7c997e341fbb0848

SHA1
4e806989b5115e78fc285343c32799a0d956dd58

SHA256
1c05146ad5bfa97d97d9b9954a414e1574f4e880fe158935742c56fbba0dad97

SHA512
58fcae865fc791960488dadb19c03f9740dd2bb591bddb784f81aa19b5165bad19a90f48d76a9c664bddb099cb2c7190db73d22b5a438fca90363cda847103a7

Download Submit
C:\TheDream\log.txt

Filesize
57B

MD5
3e61e97c146d665ae013525ef2efc2bc

SHA1
20573ac5f24d92395bb180ec0163a462358e32a8

SHA256
c4c26827fc0cd29c87cc2285256468c5e2b0fa10aa221bfd4f8ed5e0e4fed445

SHA512
353a7fd519bc7806644086b41c1ce18db4479139a07b69f67d59e9441e2fc96959a97b7f7a046948c2dcb43aabcde06186e8c9671e672f5dcd63a44793e5bb9a

Download Submit
C:\TheDream\log.txt

Filesize
72B

MD5
b1516e5042906a480ceff78b8fbaaad0

SHA1
d04d9615958c75c158ffabb683b10fb54a2927e2

SHA256
69878e3879aa1e03e2b7f87fba6363f2c483b2ba59063f5b2ec9703b1e3de520

SHA512
72318e5732b3d08dde165ecba91c7de2f88f4514a91d9a06cfa3e2cfe40acf1789ce2920722c1d84b407438e61ceacfcc57d78f2951bffe1531a6e0e9fc3ebc4

Download Submit
C:\TheDream\log.txt

Filesize
87B

MD5
d78719fbc5e9f62664c9f9293bc428de

SHA1
52cd5018fca896f468b2eb12fa11e5506e7f01af

SHA256
fc36e711346081bad59231ce666766186f0a9eb2900a4dd298d2d031997eda9e

SHA512
2e2a2b9408e0075130a8a711c671563408778f100584ec25b6c7088376f7ea646a04d7179d5aa5f2f042e63628ef4a17288591cdba268ba11a185329a9bbc73b

Download Submit
C:\TheDream\log.txt

Filesize
102B

MD5
0807686feaa4927dd069eacd9033bd6f

SHA1
881a2f899685a08ef9ae966de52ffb4a466252ae

SHA256
e3d77fe6df37322304fbd84f0f2151c8a61dc552b81f9c1ab5795f7f8259ae3b

SHA512
ae5fc7e51697635bf9c91f79d3a731cd86f1b488a0106e385a8145c8fa43b7b02e54cc5c6fcc24e2f4fd53a3c576ccf9b997ddddfa602f2cdd832a43410425cc

Download Submit
C:\TheDream\log.txt

Filesize
117B

MD5
db862b536fe918ae2db5ceef2dadcec2

SHA1
246f2a25a6b843881b51238ea2f04953ec9f55c1

SHA256
7daae2af54fce003adc5eebe944776ce62a782ee467f91a7a3c70228b20dd4de

SHA512
88c4d5d525d5ecec596c879ccda97c29b48657d3476dcb4c4c2c04e5dc402551b6aa8a53c4b10e8abfbccdc62ff852266bb1b8c1f1d7320c9f060d05f94f8215

Download Submit
C:\TheDream\log.txt

Filesize
132B

MD5
7ced0b3f9f1274597368d8fecb485583

SHA1
b9ba92fe52804e9d639e89007fed2aedfa92c0d7

SHA256
fa45407c8270888036aefbc2dfcc0dab66833e64617adc495e3279545d0d489b

SHA512
c5464fb5eafa3117894ea520d12802b6a939771ec2f3954ca20ce1504a6af530cc9b5c2d5e90e6f3303631ea43d33fe52373c607399e224bd31669c21ecd4aa3

Download Submit
C:\TheDream\log.txt

Filesize
147B

MD5
d8cd589b53f6d74942d98d4c82512aad

SHA1
ff031dee15b3c980c360d52879928fbf8763c218

SHA256
821f223eedc119c7aef598145adacac40f23ca881c1e46c89b7d2991206fc879

SHA512
3d1f9d8f44320582191a79544c7e92984a719baa843c4d434dd352274b36e2c4ce2fd0635d35e3a7c8e3816a3e0f4d594dee1aea4dc39f559baee9de07d9d1a1

Download Submit
C:\TheDream\log.txt

Filesize
162B

MD5
dafb6093983599cc82131eba6af9bbbd

SHA1
4d5473a2e30f861de5c4660df14493165dbdb752

SHA256
2fc206c8f04c43dcd4bc812ab6c12d07a0ef7447b92118ae835ebc6c70322664

SHA512
ee21dd5493c03906bd32599fca7fa855aab13b1c081800b4712aef0e5f6df5efbf5a83d845f06b441b947f80baa37896a0ca34bf40931361ae08aefc2ae1818c

Download Submit
C:\TheDream\log.txt

Filesize
177B

MD5
3351ee38cfa00c4cc3000d5598ff682f

SHA1
0a41c241373539c0f605c7bfbd8fabb91b531f50

SHA256
153b89ecbd299f2784654af31dfbc453ed9cbb056d0b1cea555ade58e959cab6

SHA512
4c53d08d4a590d85443c4bdf06d4f8a93d0190dc7f39f04776a86c47e2eee923ee68b9648924756a6df117583142148cbf1b7b3a5892b47aef0fcf5a65e40a58

Download Submit
C:\TheDream\log.txt

Filesize
192B

MD5
8daeb4ba900bb5e03eab746a865ad656

SHA1
a8526976747823e663406671c732cc673a8998b8

SHA256
a52722599320b9f43fca351277e1037d24be2717476f94dea828740fc85d0c7d

SHA512
d1de28852bbd5540e5380db837f8826225c53cfca526192fbf04b614366089c857d9b91c121da0f9eb54fd1f142e268c4a4c3348b0a1cc499cb0422addc49541

Download Submit
C:\TheDream\log.txt

Filesize
207B

MD5
2c2cf75a6eebe3a18e39f3cc3b3526ad

SHA1
6f84185d58143f06bfa1fa2731a3f72ea61a65be

SHA256
c17dc344d54037839cd3aa3f42eb6bbf0c4e8f56a70c096dc0e16c779a5136cb

SHA512
5cad3db7c248c69c26059d5e3b78892114f9506f197414d4a0052aecc47526eeac9530c94fdfc47c0617e8b3a1316a15155bbf20a533e9aedbe8ef0dd7905dff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
eadf042ddab95df5ad2e49076b01d29d

SHA1
d4f12df89a89db2cb2044d51d9d5912b07208cd0

SHA256
5fdeabf15b7ed14faa4b72e246043a12220975b2b6209e89d1efc12c6ea64b12

SHA512
a74598caf2d6b43eed67ff127572f4c809cb3143513df803d6cb8cf125255f147e7520cc8338ea9236016c66121f9aca73f09e44fe53b85df6896c639147998b

Download Submit
C:\Users\Admin\Desktop\readme.txt

Filesize
1KB

MD5
7bd81fbdf14eec36d9010d939c543eed

SHA1
9ecf838859c6deede5704bd863414f2ce2c9d997

SHA256
0bf9b889297388aeca93fc5da8e2c1e59e921c4e78fd24f3086fbb8fcf52e75d

SHA512
e31fdbf19bf23a5f0eaaa7969afadfb84a8492e7c69de439bf2706d0ed93d014c8486b690bbb98c95fdb0eeeab4c5e3a83622400a3ef3d2c0d4ef903c1986d52

Download Submit
memory/2072-33-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2704-35-0x0000000000470000-0x0000000000476000-memory.dmp

Filesize
24KB

Download
memory/2704-34-0x00000000011A0000-0x00000000011C6000-memory.dmp

Filesize
152KB

Download
memory/2768-17-0x0000000073A71000-0x0000000073A72000-memory.dmp

Filesize
4KB

Download
memory/2768-31-0x0000000073A70000-0x000000007401B000-memory.dmp

Filesize
5.7MB

Download
memory/2768-20-0x0000000073A70000-0x000000007401B000-memory.dmp

Filesize
5.7MB

Download
memory/2768-19-0x0000000073A70000-0x000000007401B000-memory.dmp

Filesize
5.7MB

Download
memory/2768-18-0x0000000073A70000-0x000000007401B000-memory.dmp

Filesize
5.7MB

Download