daa053b4eda32444723099d6f54ecb22ff53581753ecd4ccb455f68c74dc8aa4

Analysis

max time kernel
240s
max time network
304s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
02-09-2024 16:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

power systems ii.pdf.exe
Size

901.1MB
MD5

d3d8447da77feabf7a266b412da8cbde
SHA1

260a441639ead58821da8de6e501b2934deae78a
SHA256

105fd27d53a08971c376126b2a42f012210b99e9ffad0e6dedb2c04324684062
SHA512

f3944b3ecbd7f497c1ce062a5d6c17c41e45e32fcbb8ee768473e905c81d7920607025957122af38c912d9892393ab526ff0d4e5370a6dff030cb749d3ec48b5
SSDEEP

393216:tNV5braq2dLlOh0t1gtXDG3UT8DZdaP4kiMMlbZzU7uGFzwBXB:tNV5Paq2T12DG3IqZ6diMUbC7uIzYR

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
492	Crash.pif
2468	Crash.pif

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	api.myip.com
1	ipinfo.io
4	api.myip.com
5	ipinfo.io

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
2148	tasklist.exe
4768	tasklist.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 492 set thread context of 2468	492	Crash.pif	92

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\NotreNr	power systems ii.pdf.exe
File opened for modification	C:\Windows\SpectrumNext	power systems ii.pdf.exe
File opened for modification	C:\Windows\StayOperating	power systems ii.pdf.exe
File opened for modification	C:\Windows\BrokerBaby	power systems ii.pdf.exe
File opened for modification	C:\Windows\SurelyCabin	power systems ii.pdf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	power systems ii.pdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Crash.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Crash.pif

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
492	Crash.pif
492	Crash.pif
492	Crash.pif
492	Crash.pif
492	Crash.pif
492	Crash.pif
492	Crash.pif
492	Crash.pif
492	Crash.pif
492	Crash.pif

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2148	tasklist.exe
Token: SeDebugPrivilege	4768	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
492	Crash.pif
492	Crash.pif
492	Crash.pif

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
492	Crash.pif
492	Crash.pif
492	Crash.pif

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 3472 wrote to memory of 1828	3472	power systems ii.pdf.exe	80
PID 3472 wrote to memory of 1828	3472	power systems ii.pdf.exe	80
PID 3472 wrote to memory of 1828	3472	power systems ii.pdf.exe	80
PID 1828 wrote to memory of 2148	1828	cmd.exe	82
PID 1828 wrote to memory of 2148	1828	cmd.exe	82
PID 1828 wrote to memory of 2148	1828	cmd.exe	82
PID 1828 wrote to memory of 4724	1828	cmd.exe	83
PID 1828 wrote to memory of 4724	1828	cmd.exe	83
PID 1828 wrote to memory of 4724	1828	cmd.exe	83
PID 1828 wrote to memory of 4768	1828	cmd.exe	85
PID 1828 wrote to memory of 4768	1828	cmd.exe	85
PID 1828 wrote to memory of 4768	1828	cmd.exe	85
PID 1828 wrote to memory of 3624	1828	cmd.exe	86
PID 1828 wrote to memory of 3624	1828	cmd.exe	86
PID 1828 wrote to memory of 3624	1828	cmd.exe	86
PID 1828 wrote to memory of 1552	1828	cmd.exe	87
PID 1828 wrote to memory of 1552	1828	cmd.exe	87
PID 1828 wrote to memory of 1552	1828	cmd.exe	87
PID 1828 wrote to memory of 3060	1828	cmd.exe	88
PID 1828 wrote to memory of 3060	1828	cmd.exe	88
PID 1828 wrote to memory of 3060	1828	cmd.exe	88
PID 1828 wrote to memory of 4920	1828	cmd.exe	89
PID 1828 wrote to memory of 4920	1828	cmd.exe	89
PID 1828 wrote to memory of 4920	1828	cmd.exe	89
PID 1828 wrote to memory of 492	1828	cmd.exe	90
PID 1828 wrote to memory of 492	1828	cmd.exe	90
PID 1828 wrote to memory of 492	1828	cmd.exe	90
PID 1828 wrote to memory of 784	1828	cmd.exe	91
PID 1828 wrote to memory of 784	1828	cmd.exe	91
PID 1828 wrote to memory of 784	1828	cmd.exe	91
PID 492 wrote to memory of 2468	492	Crash.pif	92
PID 492 wrote to memory of 2468	492	Crash.pif	92
PID 492 wrote to memory of 2468	492	Crash.pif	92
PID 492 wrote to memory of 2468	492	Crash.pif	92
PID 492 wrote to memory of 2468	492	Crash.pif	92

C:\Users\Admin\AppData\Local\Temp\power systems ii.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\power systems ii.pdf.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3472
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k move Expectations Expectations.bat & Expectations.bat & exit
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1828
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2148
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "wrsa opssvc"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4724
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4768
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3624
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 57839
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1552
- - C:\Windows\SysWOW64\findstr.exe
    findstr /V "ComicHoRecruitingHabits" Voluntary
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3060
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Festival + ..\Row + ..\Seven + ..\Author + ..\Jersey + ..\Affecting + ..\Explanation + ..\Reductions + ..\Monte + ..\Nissan + ..\Download + ..\Complicated + ..\Challenge + ..\Diet + ..\Cinema + ..\Rescue + ..\Military + ..\Chicken + ..\Lucy + ..\Html + ..\Modifications + ..\Savage + ..\Rise + ..\Lady + ..\Live + ..\Chester + ..\Massive + ..\Behavioral + ..\Duplicate + ..\Features + ..\Si + ..\Blogger + ..\Holy + ..\Signing + ..\Highlighted j
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4920
- - C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif
    Crash.pif j
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:492
  - - C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif
      C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2468
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif

Filesize
872KB

MD5
18ce19b57f43ce0a5af149c96aecc685

SHA1
1bd5ca29fc35fc8ac346f23b155337c5b28bbc36

SHA256
d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd

SHA512
a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558

Download Submit
C:\Users\Admin\AppData\Local\Temp\57839\j

Filesize
2.5MB

MD5
6f2a4dfc60f72b9025b045544856516d

SHA1
88b8695b7b9abe8531fbbc10ed1c3c34549a83c3

SHA256
dc6a0f03e2e81bbc16caeaec1595d7c18fcda70d1bb6bb3198076d3494e895ea

SHA512
afb3fcec8edda5a4f4dacff719874420d31307006009d20259051adf1ecd68e40420cf0254924c6b8c4754ed4d66c202244baef0649fc1ece1f3ac08b99b2da9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Affecting

Filesize
81KB

MD5
3f0c844167b93ec7fd2697de91790c4b

SHA1
81e9e8c129ef264c7981c49be22fc4f41e504c76

SHA256
43dc4eb4d4b1b5be602976c3e6675285b0056fd6c0dd676362f4d026325b0556

SHA512
54b72f71637cbcb159c0aaff33ddd6384aefe33bba50fe75c431051dbdda0e6ca83503678635cdabfeabaa11aea0a4c175b9acb48d926e03b7afe2133d269ef4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Author

Filesize
90KB

MD5
ff664f8979f694400b1973a4c9090640

SHA1
1f14c9bfec66926d43f9fcae51a531af3a1d95c3

SHA256
2944dfefe3123e84dae7deeb3d25353cb4691926a8ef10de80ace2a194e5a355

SHA512
665bfa47c037d22edbd1d17947eb25842928ef52a637bec755f843bc7ecbf99f43d804931c0ad1cf567f700461d02dfb55025f60207e9e6c20d3a13b2832feaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Behavioral

Filesize
69KB

MD5
ebe4b07bfed724aa5becd78901a6fe27

SHA1
5e8dd44ceac3ed195bfa3d1bb101c44f32e80be7

SHA256
6668a6a7cd543d7c205c03f284951e8ea92c28ac73d87e70f75055473897426e

SHA512
8dc0ed93474503a068ab6bad2b59f84bfc0117a8ed81d56f0b02d8f7c96813b813bf2c464b00fb8088eb2e1c5182eb0a1e7ef90d57081292f3abd8099b3d460c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Blogger

Filesize
67KB

MD5
378485e10e236ff814d839659433f06d

SHA1
5ae0565d277f6e85f58c8607d0b34db0a416025b

SHA256
aee4aa79a81b1f35f9453ad64d7a5913a87cdd44eadbd17648f0be9a530f7245

SHA512
e81a362ea8a4e5a2ef9b112cbaf581094a992b1a6f31464f60b60828e22284d44374fd6607ec5378fb8deb0d88cc853c2dbbce5fdff38a4ae991fc49f65523ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\Challenge

Filesize
97KB

MD5
537268e78ee12bfbcc243c56a7d496fc

SHA1
0dfc9eccbddc26e4ae99349cbbabeff3319328ec

SHA256
2606d23c85faa7cd6392ca4e1988da60c712c824636e8a3a438ab189798cb6ee

SHA512
4ac82bd876c1530906ecff0bafa09160de3512e9f5acecf3a005a68b1e273ea035d9411b00d06fb7e26e36d82ff3acd6eea86ece56543ab42f00256d76697ca3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Chester

Filesize
74KB

MD5
725acfd693506370739de020e9a887f5

SHA1
45649e96847f624b50ed75515922c1db47fc05da

SHA256
b6c3d34fa004d32a8f12e419c3f6a9bd193d4414d67f10ebda3a15422da28b84

SHA512
89fdf5041b46c186a7149f924f763382e9f05264aed78a935f45244f3ab305ca4e5c3434af75d397342ea1d9e5be03a9f0c11c4f6cd000ed22d0ae977f78899a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Chicken

Filesize
80KB

MD5
20105d875df6d6c0a9a393613822417f

SHA1
36eea2d5499ab0a814f6352f5adfe0e5941fd221

SHA256
ca36b84ae853fe9d1c5051e02ff25123d4064c8a6a20d068bd41abc612ee3d43

SHA512
092cf321346c059926d1f84133ec84fa489fe44880c43eb003eee8a58883178176acef29828c50ac0b9af768d22ddaf59df33e1e0f35cafcf14e3286974765ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cinema

Filesize
55KB

MD5
65570d0c36a8df76f5f0f290652d8832

SHA1
bc5e984dbb5045c6b3ff0e507fe2145644824430

SHA256
0161abe58652bc8e36803ec78070a18a07c59ba6cd05388923b05a88010f2670

SHA512
caa736077b30d0c819eafd31696a35681bb7afb1103e77597a6339b133874e80464bbf8db342a3661d59b5ec6802f2f5b0a3550e884155be00b1f4f30920ed8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Complicated

Filesize
76KB

MD5
6762d4e94c1b03d2c784c5fcc6078641

SHA1
3b1b5041616acacd1a3f2af9206dfb8836cbed8c

SHA256
05dc4d855281f909f9283f5509e6d73c3d48649be7d089555e69f371fdd71a0e

SHA512
0ef26c4dcb68dbfeafa254a82286d23403c44d1f21a5b2d677cb3ecefa55b28084afeb6e8bedac80360c34e03846a1562e9d7ef072670a7be62f9209a29475a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Convicted

Filesize
872KB

MD5
756ebe860d35cf35959526d533e1547b

SHA1
d739e66da9e6cea11d1df535210ad0dbf1bab2ea

SHA256
f9ad895cd4e1daa5469ad8f10da51ce8bc7761bcaf1bfd1a1b859617bd5f9659

SHA512
264cdb50d5fe76edf63825abb9cbf671182b985ff2a08cfb2bc762ea48e0bd5a9bc6c83473b2e468e3dd5536c4a34a14f79d3685f85c7a4353bfaf6692859650

Download Submit
C:\Users\Admin\AppData\Local\Temp\Diet

Filesize
53KB

MD5
7430584ab5031bd1784772da8a706f6e

SHA1
c299c3785cc742b5d224a500048230320b83eea3

SHA256
ae0f89dedfc06a686fc283b53fa77b42d07360149a6becf05b134b08bce462e2

SHA512
82ba15f997e3b62287cb56138606d930e1d77ebc9a338252cc5f353df4e4361f7a96347580131ea23d651225c72945e44b18d3cd596ca5df7ccd81d9069daca4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Download

Filesize
50KB

MD5
e62c9797d10a365321d928e89954a5be

SHA1
612831de5d1cf5ebd90101617d78411cd5571e98

SHA256
565c1e4052237777bf85e359f87a57ad8291017062300e5f677f9d3d77767e03

SHA512
7c45ba8873a2647ba73d9fe3aff724051e9da73cb12bebce844fe66140b8493fab661f4c88bf89c1cbeed7e35f8744b679910e3a66aae7933f38aa4230bc1eb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Duplicate

Filesize
94KB

MD5
3bcc0c3847c9a8e1699947169eecb998

SHA1
9eebb699415d3166209f3b3fb86664911aab576d

SHA256
61c57cf3c141dcc23165abefcbe0eb26f80538c03b47de7f6e7199aa5f40ae1f

SHA512
5ddf19bc6cc34e29f08f32b3b9093eed0846c7bd88b34a49cd159f139541f9e16b2375ac6282fc2497fc530bcf0b39325cf46f46e2bd10c19bd7bc34f80fa5db

Download Submit
C:\Users\Admin\AppData\Local\Temp\Expectations

Filesize
19KB

MD5
3281bcef02057c7c42ffc446180035d9

SHA1
b6f03015126215d02e2e0a299af9822df7080a0b

SHA256
a09bfd463231d947d05075be36ab7bf17df215973c35f8de0cfa7bb8497bc713

SHA512
2dd9821ce87a7e17a9a1d0546873ed2f8c0ceab314b10d1b71c95be2f209cc60c265b2cd6aba1ba1e694a7d709b7028c7f11cccd0e7bf555825ddfc69a78458c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Explanation

Filesize
58KB

MD5
1570a1bee5b357710cc74f60ce825c22

SHA1
c515aeca6d025d65dc191a31755e87f54092acc5

SHA256
bdf3713418777ec674408cd3f62ab56e09a2467f1a5f78e8f078f4ef3ecab7ae

SHA512
cddcd3363f1975f0d6118cef40c9464d87f5f8eaba62e8d79da2fc60f5ce7148ffbdc90b60d020e2e78ef3e8c57eff7c9e75dd23295d31354997ce277646c726

Download Submit
C:\Users\Admin\AppData\Local\Temp\Features

Filesize
89KB

MD5
d745691d6cb303d913e41ce5e4b58c7c

SHA1
4d650125002e80e9134f13a50d517371ebb75690

SHA256
73ffb9ea8910ea475edb0a552409388109572d989cf03ab6a5c0a661e13849e8

SHA512
38217f947ae0348a2ce079bd8086fd276cc3b5ace0bcb1f3d9793f9c939eea9ae1498788c49772472128c17dd5e63a25cb1b75ad8cee12497358442b48a1fedb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Festival

Filesize
50KB

MD5
b7ad3cbdf401b3c7267cfc9711574142

SHA1
e7a0ceb17efd4038a20865e496bd4a5ba19fd77c

SHA256
643138ec5dc886e6bf8814b20e79755508d431fdb30b09bfcfe9c151a067ae78

SHA512
735f0ace87cf5da6764c5ba585841c5551c45bd1e4c1e80cb9bb85fb5409a5c25aa13270a906e3cc6bafabdd2ef49b057653b9492c6d0c40564e99ae38b3cbbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Highlighted

Filesize
90KB

MD5
64b4546e5c30703ec09d37d7b580a5f8

SHA1
32bd68a136801200bc147cfc4e554d63ceb35e80

SHA256
bdd93c57d2d6f02a7402eac7517db0d4a58390d01d74443668260436d0af5328

SHA512
a28cbd7438b6abc438cba05e11251037193a1b0b77846cc960ff6d6fde83c4f262a002fef6402caba68083fb0d7bca97bdd9241979a4de1957aebb8267087d67

Download Submit
C:\Users\Admin\AppData\Local\Temp\Holy

Filesize
62KB

MD5
2d96b5acce1dec9f12612c247afd1863

SHA1
86a7951ea9243849382c4201407f2def3bc3c04e

SHA256
5b07743f4c23ea6b6a2bae967d7e556b0be8afbf3513a90e42944e38da1e3035

SHA512
5dbf9f3ff88f3b98b1b562c996f4406254cdf697cbbeb4d95e5374248f8cdb5ab3b5fb1b622546dc3488e911bafd255c82a8f836bc3d2c02e4b0371991647563

Download Submit
C:\Users\Admin\AppData\Local\Temp\Html

Filesize
71KB

MD5
60ac1993c088722394ffe200673bb477

SHA1
4bf6dbf1672272cc12ee9c66280ac15eb6621c0c

SHA256
ca3292f4a30d8fc1d5a4aa8d726b5ebcc15c4fcfd05c557c0f90408a398eee95

SHA512
14adc777d65092b48eb1d55e9ec898240fbfc24f13f64734e814457fe2e3f5a7d4a32e4e55299b3638f5308209f28c6ef4e08b70b67107af6ae3106cae0dfd98

Download Submit
C:\Users\Admin\AppData\Local\Temp\Jersey

Filesize
50KB

MD5
25f618dcd9a958e79913ec30f89f30c9

SHA1
52ce81a9f0d13373257382c67633b3726cd0e919

SHA256
859989af71529799e5dae9275b104e8c45b8fa37176f969047151687c3b3ea12

SHA512
c477e402556045035f3028994fdeffed31f78a787a9dbadccdcc7862d03d234902170559a3fc8929fe4a59fb61279881c6c1f2b7d6870f97c3d9b346e3aafd7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lady

Filesize
53KB

MD5
543168f1d78f27bc1e0a01a41fa841e8

SHA1
3adfd6f137aae243f115727ff34aef34ec4937d2

SHA256
1eecb6117a45ec6408ded2ba9e158a6dcfd5ce70bec186b3fce18c2b554e6d21

SHA512
54c7c0070bd4167f8185915dffbd37c9cc28772a277a4f150ddb9e8cd79fd7c715b386986cd4e6d905c37305338c1bda6841fa5e1ca85fc6ee285532dd4005f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Live

Filesize
88KB

MD5
376e677f9a5afdf14a709ae45b3ac489

SHA1
12fcde474c530ae35dbd410374b811c3eeb69dbe

SHA256
742701e67824acdab99ab8b17deaaa4323ac3eb497394732811d0f37843bd09a

SHA512
bb2e48d6858574e45033e76f6a48f5009b77a7c0502e4f32fb7097a8223362c8987323e4ec8e69b934aa6aa27ca60aca50efe4a70fe62ca9001fe1f693f1bcd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lucy

Filesize
89KB

MD5
1e19f8b5a5df8835b2c08291a28e2096

SHA1
a2573e83e5d52d4c30fad472131f75c73c666651

SHA256
6a5656e3112e2725b03726a0837bf7ac9614a904ed4bd863fc03f48bf391d3ba

SHA512
65c04cb91f337c076c8bd58298ca32b41c9a58f6733bddd9ba21e6cd36c63c12d4dc9c3234499ec2f4a053f3a5e373d8c3abb4919d139ead3a21507a886d5a94

Download Submit
C:\Users\Admin\AppData\Local\Temp\Massive

Filesize
67KB

MD5
a980747d497a8ee2ae7004c77f90733b

SHA1
68a73778039a85f26ae490bb1a53cf6f7f606d09

SHA256
29c12fbc9d853a8ae13d605dd64e5694fed70d8693e44d159a9e790624e14609

SHA512
f584cd150da0805f01386647ba672c21e51a26be4c59a606942701cbd19a50fc6619536dbcf4d627d9867a034b0795e9395346f4bd720cc2b2e7f7de57a40d2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Military

Filesize
61KB

MD5
7ae74abe58a6e55d07374af9c912645f

SHA1
ec6f11d0d01ce721ed11ad3739664c44e7b6e2e3

SHA256
b1801346bba35b4cd849cec9b51db802f9e4d2c8d287dfa95352851437f75ff8

SHA512
73e3e8e341d80c529e38de72962b0abf1a70ae4d0da1f149fc3828cdd3a40c561ab490a9a3177c879dbf6136e6cbac139cf84c06b3ff157d5cba8e069f5830b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Modifications

Filesize
73KB

MD5
ef01a057cc8722790ca29a4ebaa97d06

SHA1
a28e9c67b9b6af98c5aedcdde7d954ba95edd3fc

SHA256
7b9dc5b21229b4ab7c42966692edb6b3c586d3bfc44ea84717ba02247b697c5c

SHA512
214fafd0f54657e56848454b14d99e740726e3b9252c29156650d8d4010632246e3012c28cad9a6554f9be5a929761da78626ec8ebf5dc7500d5b6eb466f733e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Monte

Filesize
76KB

MD5
5052be6a36baef4bc80fc0a25377991f

SHA1
f4d4d1226128ff8b76a2ff07cddb00132025da58

SHA256
deca9a2ea25ed74c437cf2de09db4487235dad8aa66ba9b61829ed4984c10952

SHA512
d651ec799bd503f4bb542a57135ac87f1901b636103054d7b4d57002d80ef866fe815825af314ba621b164d08524475086c06df987c480b2bfe2b2c687cc81e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nissan

Filesize
87KB

MD5
4c1bf2e085c8294fdca893a02a568d67

SHA1
f0f6b045c8b13b1684c3ab44ebc9a7fc16bfb375

SHA256
cd21acc319a788cb924a5a471d00199f414aa5c08e2f0bc6e8b1cc27b5e96891

SHA512
2c709bbdc03236416ee76a86d18454a405d9e820de671b749b05509e7a1e1777c18c6e7cf37ec3aa3e0c419baef71f1b240b7667554cd14a594f1b0cf73f83f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Reductions

Filesize
74KB

MD5
d203f6393a3903aa4d01f3f7f8fbdca1

SHA1
de0f58ca1f059366d86bfeb1ce91c44b60898bc9

SHA256
56362c14415b381c1e869e4fdc88e02945c5560ecb8e4fb877c6afc9e86479dd

SHA512
4fef97dfc0a70679005c56d9b3a541ce8f36460f667769f48e84b2313f7f6c02c35ce5b5a909778afd2c89e8e7af487d8d0db8adb415ae63aad888e5e167fa87

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rescue

Filesize
82KB

MD5
6b5b55e3f833053ac81fe00f0e0808f7

SHA1
8334f3338966eed623ab0bce20d3a52c417ee4a9

SHA256
78ba5a3d96aeae98ea4b0b6a63ffc16b8f19438f2f2158580e2a77876e65efd6

SHA512
c7b7198b802bbb514d6b05436b118398fdf94c972a3c6d3ee2e5a9a06c1db97faaea3e0caad2ba85a7fd1d2b77234a559436e8c1d1c300571dbbff9a8a6afe98

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rise

Filesize
73KB

MD5
396d0835e6878f2a72c2104950e072b4

SHA1
27750a5a4cc755abbda70173bad00e7b9d5d7fee

SHA256
b2345ac87d9c2c91dc78b75ce32e6faf57589c483be6c5a7b6cd88a51ac9366a

SHA512
1ed8fce8ab64f9599b7342e8d9ea275bab23d4a13b02230cafcd82d6110bcc7b8e4f708c8e4e6597efb9621b6368ba9b4e84da7cff931855dee81b4ba0d9abe7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Row

Filesize
92KB

MD5
bf39dfa471c242ee0ce4c1010af5854f

SHA1
7f50ac6e3939dde82d92b5c60ec2a724a8d840b9

SHA256
fbf43408da62b58fb3f45239076f92258d9c93a1cea87ac5c194be668426195e

SHA512
bf94e13970fac6c98370cad29986a635283652de4fd7cf84b451343427cf4ad97d9b1185cccf780fbbcd7c9eeda49d67372ac81630e3c9b353ad2a0412bcb9d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Savage

Filesize
65KB

MD5
fb541151b9390f68c6c2401afc2d99c7

SHA1
a31a9d485725a9f86a1867f4f81a58d891a89738

SHA256
ea1b11937d5d91b042394afd21d659a187562800c404ddeb22b9dc112d5de57f

SHA512
5de0e63460d3e7073bae1a1c5caae32e8d8e2bd9ac03ad1f396f24697c451167e3d969f1f0716c1afc224c54556eae522f26dff69d4839dcf0743dbc3899dcf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Seven

Filesize
75KB

MD5
2edee24053811c6808c917363e0a36b1

SHA1
67335e45423653ceb25fda916f03906c7809ead2

SHA256
80bda82b089599eca38f145957fd0c552994c6b5ea7f3084ad3bbf7f2805c030

SHA512
b2649bf558570da468baeb7654c66915253d70e9ce7595e0b10a8cb04af75e38986ad68b16f581ea79f54c5a4d5d06f51b13cd6c3b9f1eef16bffedfef965c38

Download Submit
C:\Users\Admin\AppData\Local\Temp\Si

Filesize
75KB

MD5
718c0e812f72e5bcbec91397f65a077d

SHA1
76068ad0af77a48d664e4b36133f17649b818648

SHA256
8f9840ba9841a3a0df66883c1b2063f2252ef739d0ba2326de6162a7c510a860

SHA512
c8c3b178828562df41f03cead119f330c20009e9c373bb95e78e7c49c39c1a74e11583974facb5198d6277aadf644446691202a3ea084d4c3facc8208fc917cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Signing

Filesize
51KB

MD5
13d7a9bf7a6a8ad1d7786ae78a0499ae

SHA1
d76aa87f901d3ccf0838fff7a49e9f8b1bdc5288

SHA256
5a5f6dab597d2edf2f36671cc2e7973d649a7e182a36be32581b586af2d8a0f8

SHA512
38da7f8760ca8677bfd87dd2ed64fd1be84c9336268eade2985f24bd7099dab6046c25b636e4ca29417c0236b0e2e42f2beb1cacbfbe22bc2d444f6d9fe03411

Download Submit
C:\Users\Admin\AppData\Local\Temp\Voluntary

Filesize
523B

MD5
f9eb00df5045603dcd9bd10c9c2de5a6

SHA1
ec9430633bd4833a58c4d5cabdb4bd39115c3fee

SHA256
f4c33fe43545336d8214df342721358940b2931733e1e495171b16eec3eaf3ca

SHA512
1f48845c174f306cf96400a2c7a200729529726f92a4c433ba07d07dace7a9394a5fa165824e69b3ef16a7bfa1f4ddb56c5377f76a00d927ddd4ffd0ef8bb402

Download Submit
memory/2468-84-0x0000000001680000-0x0000000001860000-memory.dmp

Filesize
1.9MB

Download
memory/2468-85-0x0000000001680000-0x0000000001860000-memory.dmp

Filesize
1.9MB

Download
memory/2468-87-0x0000000001680000-0x0000000001860000-memory.dmp

Filesize
1.9MB

Download