Overview

overview

10

Static

static

10

2025-03-02...ch.exe

windows7-x64

1

2025-03-02...ch.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02/03/2025, 01:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2025-03-02_4d20db0bfded7146b49934bc064e055e_frostygoop_golang_luca-stealer_poet-rat_sliver_snatch.exe

  • Size

    14.1MB

  • MD5

    4d20db0bfded7146b49934bc064e055e

  • SHA1

    c0ae8d11c306dab8e17d07424c82cf44719adb85

  • SHA256

    19e8bb6559c77ea1c127538eb917303191bd9b51b8cf6c8ac4a2af84aeea0d4d

  • SHA512

    f07a004b179739e53b7b98f9ac244aafb627632fb82eadbfaf79e3f369d86b3b1add50f1ef09fc270abee88dedf29375cd2db06014a3ef7b713ad7b543aa1a08

  • SSDEEP

    98304:L7gCHjx7UjQutriizduJI/Zff3ssQQjz47NsUaE4JXe6JmwQc5V1Y1XDYOq2:Ltd7UjQutFzEyfBzUH4JmeV1I9

Score
9/10
credential_accessdefense_evasiondiscoveryexecutionspywarestealer

Malware Config

Signatures

  • Enumerates VirtualBox DLL files 2 TTPs 10 IoCs
  • Enumerates VirtualBox registry keys 2 TTPs 5 IoCs
    defense_evasion
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
    defense_evasion
  • Identifies Xen via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
    defense_evasion
  • Looks for Parallels drivers on disk. 2 TTPs 6 IoCs
    defense_evasion
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
    defense_evasion
  • Looks for VirtualBox drivers on disk 2 TTPs 4 IoCs
    defense_evasion
  • Looks for VirtualBox executables on disk 2 TTPs 3 IoCs
  • Looks for VMWare Tools registry key 2 TTPs 2 IoCs
    defense_evasion
  • Looks for VMWare drivers on disk 2 TTPs 2 IoCs
    defense_evasion
  • Looks for VMWare services registry key. 1 TTPs 7 IoCs
    defense_evasion
  • Looks for Xen service registry key. 1 TTPs 5 IoCs
    defense_evasion
  • Uses browser remote debugging 2 TTPs 4 IoCs

    Can be used control the browser and steal sensitive information such as credentials and session cookies.

    credential_accessstealer
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

    credential_accessstealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Maps connected drives based on registry 3 TTPs 5 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Checks system information in the registry 2 TTPs 1 IoCs

    System information is often read in order to detect sandboxing environments.

  • Drops file in Program Files directory 2 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

    Using powershell.exe command.

    execution
  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Kills process with taskkill 7 IoCs
    defense_evasion
  • Modifies registry class 1 IoCs
  • Modifies system certificate store 2 TTPs 3 IoCs
    defense_evasionspywaretrojan
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 20 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 8 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-03-02_4d20db0bfded7146b49934bc064e055e_frostygoop_golang_luca-stealer_poet-rat_sliver_snatch.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-03-02_4d20db0bfded7146b49934bc064e055e_frostygoop_golang_luca-stealer_poet-rat_sliver_snatch.exe"
    1⤵
    • Enumerates VirtualBox DLL files
    • Enumerates VirtualBox registry keys
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Identifies Xen via ACPI registry values (likely anti-VM)
    • Looks for Parallels drivers on disk.
    • Looks for VirtualBox Guest Additions in registry
    • Looks for VirtualBox drivers on disk
    • Looks for VirtualBox executables on disk
    • Looks for VMWare Tools registry key
    • Looks for VMWare drivers on disk
    • Looks for VMWare services registry key.
    • Looks for Xen service registry key.
    • Checks BIOS information in registry
    • Maps connected drives based on registry
    • Checks system information in the registry
    • Enumerates system info in registry
    • Modifies system certificate store
    • Suspicious use of WriteProcessMemory
    PID:4068
    • C:\Windows\explorer.exe
      explorer C:\Users\Admin\AppData\Local\Temp\preview_1.mp4
      2⤵
        PID:4848
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command "Get-Process | Select-Object -ExpandProperty ProcessName"
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3676
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command "Get-Process | Select-Object -ExpandProperty ProcessName"
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3068
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command "Get-WmiObject Win32_Processor | Select-Object -ExpandProperty Name"
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2664
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command "Get-WmiObject Win32_VideoController | Select-Object -ExpandProperty Name"
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2364
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command "Get-WmiObject Win32_OperatingSystem | Select-Object -ExpandProperty TotalVisibleMemorySize"
        2⤵
        • Command and Scripting Interpreter: PowerShell
        PID:1664
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command "Get-Process | Select-Object Id, ProcessName | ConvertTo-Json | Out-File -FilePath \"C:\Users\Admin\AppData\Local\Temp\Goignwej\ProcessSnapshot.json\" -Encoding utf8"
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3120
      • C:\Windows\system32\taskkill.exe
        taskkill /F /IM chrome.exe
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3536
      • C:\Windows\system32\taskkill.exe
        taskkill /F /IM msedge.exe
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:676
      • C:\Windows\system32\taskkill.exe
        taskkill /F /IM firefox.exe
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1600
      • C:\Windows\system32\taskkill.exe
        taskkill /F /IM chrome.exe
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4548
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --restore-last-session --remote-debugging-port=49422 --remote-allow-origins=* --headless "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" https://greyshare.pics/home
        2⤵
        • Uses browser remote debugging
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:836
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd61efcc40,0x7ffd61efcc4c,0x7ffd61efcc58
          3⤵
            PID:2700
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --headless --use-angle=swiftshader-webgl --headless --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --use-gl=angle --field-trial-handle=1444,i,17339296424275493785,1392253818213652557,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=1328 /prefetch:2
            3⤵
              PID:2996
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --use-angle=swiftshader-webgl --use-gl=angle --headless --field-trial-handle=1648,i,17339296424275493785,1392253818213652557,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=1644 /prefetch:3
              3⤵
                PID:1356
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --remote-debugging-port=49422 --allow-pre-commit-input --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --field-trial-handle=1808,i,17339296424275493785,1392253818213652557,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=1800 /prefetch:1
                3⤵
                • Uses browser remote debugging
                • Drops file in Program Files directory
                PID:1936
            • C:\Windows\system32\taskkill.exe
              taskkill /F /IM chrome.exe
              2⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:3096
            • C:\Windows\system32\taskkill.exe
              taskkill /F /IM msedge.exe
              2⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:3716
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --restore-last-session --remote-debugging-port=49422 --remote-allow-origins=* --headless "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" https://greyshare.pics/home
              2⤵
              • Uses browser remote debugging
              PID:2960
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffd61f046f8,0x7ffd61f04708,0x7ffd61f04718
                3⤵
                  PID:2268
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1456,759081772909138873,5818887879559268062,131072 --disable-features=PaintHolding --headless --headless --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --override-use-software-gl-for-tests --mojo-platform-channel-handle=1484 /prefetch:2
                  3⤵
                    PID:4164
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1456,759081772909138873,5818887879559268062,131072 --disable-features=PaintHolding --lang=en-US --service-sandbox-type=none --use-gl=swiftshader-webgl --headless --mojo-platform-channel-handle=1868 /prefetch:3
                    3⤵
                    • Suspicious behavior: EnumeratesProcesses
                    PID:2156
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=49422 --allow-pre-commit-input --field-trial-handle=1456,759081772909138873,5818887879559268062,131072 --disable-features=PaintHolding --lang=en-US --headless --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2044 /prefetch:1
                    3⤵
                    • Uses browser remote debugging
                    PID:4672
                • C:\Windows\system32\taskkill.exe
                  taskkill /F /IM msedge.exe
                  2⤵
                  • Kills process with taskkill
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2328
              • C:\Windows\explorer.exe
                C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
                1⤵
                • Modifies registry class
                • Suspicious use of WriteProcessMemory
                PID:2300
                • C:\Program Files\VideoLAN\VLC\vlc.exe
                  "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\preview_1.mp4"
                  2⤵
                  • Suspicious behavior: AddClipboardFormatListener
                  • Suspicious behavior: GetForegroundWindowSpam
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of FindShellTrayWindow
                  • Suspicious use of SendNotifyMessage
                  • Suspicious use of SetWindowsHookEx
                  PID:5000
              • C:\Windows\system32\AUDIODG.EXE
                C:\Windows\system32\AUDIODG.EXE 0x474 0x304
                1⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:3912
              • C:\Windows\System32\CompPkgSrv.exe
                C:\Windows\System32\CompPkgSrv.exe -Embedding
                1⤵
                  PID:1360

                Network

                MITRE ATT&CK Enterprise v15

                Reconnaissance

                Resource Development

                Initial Access

                Execution

                Command and Scripting Interpreter

                1
                T1059

                PowerShell

                1
                T1059.001

                Persistence

                Modify Authentication Process

                1
                T1556

                Privilege Escalation

                Defense Evasion

                Modify Authentication Process

                1
                T1556

                Modify Registry

                1
                T1112

                Subvert Trust Controls

                1
                T1553

                Install Root Certificate

                1
                T1553.004

                Virtualization/Sandbox Evasion

                12
                T1497

                Credential Access

                Credentials from Password Stores

                1
                T1555

                Credentials from Web Browsers

                1
                T1555.003

                Modify Authentication Process

                1
                T1556

                Steal Web Session Cookie

                1
                T1539

                Unsecured Credentials

                3
                T1552

                Credentials In Files

                3
                T1552.001

                Discovery

                Browser Information Discovery

                1
                T1217

                File and Directory Discovery

                5
                T1083

                Peripheral Device Discovery

                1
                T1120

                Query Registry

                9
                T1012

                System Information Discovery

                4
                T1082

                Virtualization/Sandbox Evasion

                12
                T1497

                Lateral Movement

                Collection

                Data from Local System

                2
                T1005

                Command and Control

                Exfiltration

                Impact

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                  Filesize

                  3KB

                  MD5

                  bb924686a541b7af75d0e50e21a24963

                  SHA1

                  59f75e51e57a62c4fac4f476bbe1984101a05d9a

                  SHA256

                  fdb0779ff9d463998ff9f3bd1d63562212dc4669cd921826eee6a992429925bc

                  SHA512

                  becf83de8dd36d81a0389d8844819bac185377f17504c548d989975bc579444cf50a157dd7bc625d26619936bd1d009fd1df650a12f3394897ad513891a7272d

                  Download Submit

                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                  Filesize

                  1KB

                  MD5

                  5dfb3e86f895056b34c3b685f46464df

                  SHA1

                  9a955177aaf9abb00beee23ff570d8e8bdc08046

                  SHA256

                  f95f92b0b130cd43434d2a1996ac22b81d0fb2c9c543b27f01649a9de7968081

                  SHA512

                  e8deded4a37c6626c0d848f33ff3c61ce5e8eeb2436ad75548be8c9e273e2b0c0a8d5c94918a537511a365282ba5f00ee904bd9885c8d78e42afd6bef03735bc

                  Download Submit

                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                  Filesize

                  1KB

                  MD5

                  3523cf2254ecc0e5201d285ac26b6558

                  SHA1

                  8c51b038249d00f2e3db9a59b7566c1d9a3dd8eb

                  SHA256

                  fe6dbcf09a063aa5ef77e97bc10769484e465688f5d91e2485f4478539bd426b

                  SHA512

                  4cca0430edf887f85e83c2eeb73ee0b3dbfa7a1fdaa6edf1d991a87fea51d4eb5e4def1514baa28ac51da34bed1dcc0623c1a9a53bf254312b06095197ff67f4

                  Download Submit

                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                  Filesize

                  1KB

                  MD5

                  d221db4c51d194007e73e0803c799522

                  SHA1

                  d758c137944f764fa8a31bd4f229fb818f63a99b

                  SHA256

                  bdd1e2931430c30f8f9267961e6fefb9906beb141deb39ff4e0a8e18a7043ae6

                  SHA512

                  ec48034f3db9dfa66a0701b6e2caef43ad515de40141d2878a2b9345829ee2e5e333640d0133f54851aa7246f1ef2fccd61fa8e54dd37c22dd49ee52a52c110d

                  Download Submit

                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                  Filesize

                  1KB

                  MD5

                  c23eafb18fc7b4d393d1a2b005acf6a1

                  SHA1

                  8f4e8135eedc72254daa513607ac85c2af7e3068

                  SHA256

                  6d1ffb37f8e778378788d3e859cb26f6947a267faecf8b4152547aedc6cbaf37

                  SHA512

                  4ccef206d65c2adb0b3e1ca00f1c7b33ce8c6e6d50b459a365e0aa745056a694f32a6f776cf90d0b5810ec2bdb62aba6b82afe5cb396a6966d08f0178823f1af

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\Goignwej\ProcessSnapshot.json
                  Filesize

                  6KB

                  MD5

                  177ae3f66161caedd25d37cb3e019a31

                  SHA1

                  d6bb15a6e5f6e78f1478d32c891df6f1a2a11884

                  SHA256

                  9ab9271c3b208f8d1a5d894ea0b8691a53867e5480c051df534caebb5c60d172

                  SHA512

                  d5f588990813f3272ad29db8c0b6182ba74a6347c30d22cc5b07149c20201ae91874591a6d8c4d677da20c7f37f2acbba3cc2ba5437f2193652355e6d7d09edd

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\Local Storage\leveldb_7.temp\MANIFEST-000001
                  Filesize

                  41B

                  MD5

                  5af87dfd673ba2115e2fcf5cfdb727ab

                  SHA1

                  d5b5bbf396dc291274584ef71f444f420b6056f1

                  SHA256

                  f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

                  SHA512

                  de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\Session Storage_8.temp\CURRENT.bak
                  Filesize

                  16B

                  MD5

                  46295cac801e5d4857d09837238a6394

                  SHA1

                  44e0fa1b517dbf802b18faf0785eeea6ac51594b

                  SHA256

                  0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

                  SHA512

                  8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jdpvtw0o.ggr.ps1
                  Filesize

                  60B

                  MD5

                  d17fe0a3f47be24a6453e9ef58c94641

                  SHA1

                  6ab83620379fc69f80c0242105ddffd7d98d5d9d

                  SHA256

                  96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                  SHA512

                  5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\preview_1.mp4
                  Filesize

                  831KB

                  MD5

                  68cc711207098a3eceba85a915c9b7c5

                  SHA1

                  b5dc2fbf612a2f42a9bb6de3f1e62ac103b50f5d

                  SHA256

                  f07ae91ec92d78ec20532e6b49665945f6e572b3461a116b26343066a6a50de7

                  SHA512

                  3224209542c6472b1105c70b4ac16c6835733bcb1920ac2d0ea79df3e6554b3bf1cc6e4de55215b118aae9ea3a26e4fab8322168128fc40c704bd1f56e5867fb

                  Download Submit

                • memory/3120-227-0x0000021F78840000-0x0000021F78D68000-memory.dmp

                  Filesize

                  5.2MB

                  Download

                • memory/3120-226-0x0000021F78140000-0x0000021F78302000-memory.dmp

                  Filesize

                  1.8MB

                  Download

                • memory/3676-11-0x00000289D9000000-0x00000289D9022000-memory.dmp

                  Filesize

                  136KB

                  Download

                • memory/5000-33-0x00007FFD63580000-0x00007FFD63836000-memory.dmp

                  Filesize

                  2.7MB

                  Download

                • memory/5000-51-0x00007FFD63580000-0x00007FFD63836000-memory.dmp

                  Filesize

                  2.7MB

                  Download

                • memory/5000-44-0x00007FFD72BA0000-0x00007FFD72BB8000-memory.dmp

                  Filesize

                  96KB

                  Download

                • memory/5000-43-0x00007FFD72FE0000-0x00007FFD73001000-memory.dmp

                  Filesize

                  132KB

                  Download

                • memory/5000-42-0x00007FFD73010000-0x00007FFD73051000-memory.dmp

                  Filesize

                  260KB

                  Download

                • memory/5000-37-0x00007FFD72FB0000-0x00007FFD72FC7000-memory.dmp

                  Filesize

                  92KB

                  Download

                • memory/5000-36-0x00007FFD774F0000-0x00007FFD77501000-memory.dmp

                  Filesize

                  68KB

                  Download

                • memory/5000-35-0x00007FFD77600000-0x00007FFD77617000-memory.dmp

                  Filesize

                  92KB

                  Download

                • memory/5000-34-0x00007FFD78870000-0x00007FFD78888000-memory.dmp

                  Filesize

                  96KB

                  Download

                • memory/5000-45-0x00007FFD72B80000-0x00007FFD72B91000-memory.dmp

                  Filesize

                  68KB

                  Download

                • memory/5000-46-0x00007FFD72B60000-0x00007FFD72B71000-memory.dmp

                  Filesize

                  68KB

                  Download

                • memory/5000-47-0x00007FFD72AA0000-0x00007FFD72AB1000-memory.dmp

                  Filesize

                  68KB

                  Download

                • memory/5000-48-0x00007FFD729D0000-0x00007FFD729EB000-memory.dmp

                  Filesize

                  108KB

                  Download

                • memory/5000-41-0x00007FFD63180000-0x00007FFD6338B000-memory.dmp

                  Filesize

                  2.0MB

                  Download

                • memory/5000-38-0x00007FFD73910000-0x00007FFD73921000-memory.dmp

                  Filesize

                  68KB

                  Download

                • memory/5000-39-0x00007FFD736A0000-0x00007FFD736BD000-memory.dmp

                  Filesize

                  116KB

                  Download

                • memory/5000-40-0x00007FFD732F0000-0x00007FFD73301000-memory.dmp

                  Filesize

                  68KB

                  Download

                • memory/5000-32-0x00007FFD73370000-0x00007FFD733A4000-memory.dmp

                  Filesize

                  208KB

                  Download

                • memory/5000-31-0x00007FF76DDA0000-0x00007FF76DE98000-memory.dmp

                  Filesize

                  992KB

                  Download