b7a2def2630cbbca20d06f0d40ceaf00f8df471adb12f62efbeb513681cf4878

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
15/04/2025, 23:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

quarantine/GPSHees.exe
Size

8.7MB
MD5

01de1a88bc8d6f160e83fcef880aa862
SHA1

7a25ae98fa37f8e530d6f0d83587c78768f68fe0
SHA256

fda6a7fbc787ee0d370f4eec0fb7f8cb43e85c09b4a8c48d73555c3de1b7ed63
SHA512

552187bcc2adda2133135a8cdf036cd0ba8d16d921d3d8c2014bea5807bab719a69df2fc068f20a0c699e10ce6668a529f7d55ce8c8c0999d86b752267cd5714
SSDEEP

196608:hQ4w8JPHv6Mi7OEaQF8zbI3Ddz+e6b9yK3SiRFhCac5E2z:hUeaMi7Za2I0Jzr4xvCaGEM

Score

10^/10

discovery

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 1648 created 3476	1648	Bands.com	56

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	GPSHees.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WilliamMate.url	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WilliamMate.url	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1648	Bands.com
3524	Bands.com

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
3448	tasklist.exe
4692	tasklist.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1648 set thread context of 3524	1648	Bands.com	109

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SalariesOe	GPSHees.exe
File opened for modification	C:\Windows\PoetActing	GPSHees.exe
File opened for modification	C:\Windows\AliceDear	GPSHees.exe
File opened for modification	C:\Windows\ExtentPuzzles	GPSHees.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GPSHees.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 38 IoCs

pid	Process
1648	Bands.com
1648	Bands.com
1648	Bands.com
1648	Bands.com
1648	Bands.com
1648	Bands.com
1648	Bands.com
1648	Bands.com
1648	Bands.com
1648	Bands.com
1648	Bands.com
1648	Bands.com
1648	Bands.com
1648	Bands.com
1648	Bands.com
1648	Bands.com
1648	Bands.com
1648	Bands.com
1648	Bands.com
1648	Bands.com
1648	Bands.com
1648	Bands.com
1648	Bands.com
1648	Bands.com
1648	Bands.com
1648	Bands.com
1648	Bands.com
1648	Bands.com
1648	Bands.com
1648	Bands.com
1648	Bands.com
1648	Bands.com
1648	Bands.com
1648	Bands.com
1648	Bands.com
1648	Bands.com
1648	Bands.com
1648	Bands.com

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3448	tasklist.exe
Token: SeDebugPrivilege	4692	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1648	Bands.com
1648	Bands.com
1648	Bands.com

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1648	Bands.com
1648	Bands.com
1648	Bands.com

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4612 wrote to memory of 2312	4612	GPSHees.exe	86
PID 4612 wrote to memory of 2312	4612	GPSHees.exe	86
PID 4612 wrote to memory of 2312	4612	GPSHees.exe	86
PID 2312 wrote to memory of 3448	2312	cmd.exe	94
PID 2312 wrote to memory of 3448	2312	cmd.exe	94
PID 2312 wrote to memory of 3448	2312	cmd.exe	94
PID 2312 wrote to memory of 4588	2312	cmd.exe	95
PID 2312 wrote to memory of 4588	2312	cmd.exe	95
PID 2312 wrote to memory of 4588	2312	cmd.exe	95
PID 2312 wrote to memory of 4692	2312	cmd.exe	96
PID 2312 wrote to memory of 4692	2312	cmd.exe	96
PID 2312 wrote to memory of 4692	2312	cmd.exe	96
PID 2312 wrote to memory of 4648	2312	cmd.exe	97
PID 2312 wrote to memory of 4648	2312	cmd.exe	97
PID 2312 wrote to memory of 4648	2312	cmd.exe	97
PID 2312 wrote to memory of 832	2312	cmd.exe	98
PID 2312 wrote to memory of 832	2312	cmd.exe	98
PID 2312 wrote to memory of 832	2312	cmd.exe	98
PID 2312 wrote to memory of 3084	2312	cmd.exe	99
PID 2312 wrote to memory of 3084	2312	cmd.exe	99
PID 2312 wrote to memory of 3084	2312	cmd.exe	99
PID 2312 wrote to memory of 4944	2312	cmd.exe	100
PID 2312 wrote to memory of 4944	2312	cmd.exe	100
PID 2312 wrote to memory of 4944	2312	cmd.exe	100
PID 2312 wrote to memory of 4872	2312	cmd.exe	101
PID 2312 wrote to memory of 4872	2312	cmd.exe	101
PID 2312 wrote to memory of 4872	2312	cmd.exe	101
PID 2312 wrote to memory of 4556	2312	cmd.exe	102
PID 2312 wrote to memory of 4556	2312	cmd.exe	102
PID 2312 wrote to memory of 4556	2312	cmd.exe	102
PID 2312 wrote to memory of 1648	2312	cmd.exe	103
PID 2312 wrote to memory of 1648	2312	cmd.exe	103
PID 2312 wrote to memory of 3508	2312	cmd.exe	104
PID 2312 wrote to memory of 3508	2312	cmd.exe	104
PID 2312 wrote to memory of 3508	2312	cmd.exe	104
PID 1648 wrote to memory of 4252	1648	Bands.com	105
PID 1648 wrote to memory of 4252	1648	Bands.com	105
PID 1648 wrote to memory of 3524	1648	Bands.com	109
PID 1648 wrote to memory of 3524	1648	Bands.com	109
PID 1648 wrote to memory of 3524	1648	Bands.com	109
PID 1648 wrote to memory of 3524	1648	Bands.com	109
PID 1648 wrote to memory of 3524	1648	Bands.com	109
PID 1648 wrote to memory of 3524	1648	Bands.com	109
PID 1648 wrote to memory of 3524	1648	Bands.com	109
PID 1648 wrote to memory of 3524	1648	Bands.com	109
PID 1648 wrote to memory of 3524	1648	Bands.com	109
PID 1648 wrote to memory of 3524	1648	Bands.com	109
PID 1648 wrote to memory of 3524	1648	Bands.com	109
PID 1648 wrote to memory of 3524	1648	Bands.com	109
PID 1648 wrote to memory of 3524	1648	Bands.com	109
PID 1648 wrote to memory of 3524	1648	Bands.com	109
PID 1648 wrote to memory of 3524	1648	Bands.com	109
PID 1648 wrote to memory of 3524	1648	Bands.com	109
PID 1648 wrote to memory of 3524	1648	Bands.com	109
PID 1648 wrote to memory of 3524	1648	Bands.com	109
PID 1648 wrote to memory of 3524	1648	Bands.com	109
PID 1648 wrote to memory of 3524	1648	Bands.com	109
PID 1648 wrote to memory of 3524	1648	Bands.com	109
PID 1648 wrote to memory of 3524	1648	Bands.com	109
PID 1648 wrote to memory of 3524	1648	Bands.com	109
PID 1648 wrote to memory of 3524	1648	Bands.com	109
PID 1648 wrote to memory of 3524	1648	Bands.com	109
PID 1648 wrote to memory of 3524	1648	Bands.com	109
PID 1648 wrote to memory of 3524	1648	Bands.com	109

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3476
- C:\Users\Admin\AppData\Local\Temp\quarantine\GPSHees.exe
  "C:\Users\Admin\AppData\Local\Temp\quarantine\GPSHees.exe"
  2⤵
  - Checks computer location settings
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4612
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy Lesson.bin Lesson.bin.bat & Lesson.bin.bat
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2312
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3448
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "opssvc wrsa"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4588
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4692
  - - C:\Windows\SysWOW64\findstr.exe
      findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4648
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c md 788229
      4⤵
      System Location Discovery: System Language Discovery
      PID:832
  - - C:\Windows\SysWOW64\extrac32.exe
      extrac32 /Y /E Feeds.bin
      4⤵
      System Location Discovery: System Language Discovery
      PID:3084
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V "Isa" Indeed
      4⤵
      System Location Discovery: System Language Discovery
      PID:4944
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b 788229\Bands.com + Intermediate + Semi + Poetry + Specialty + Oakland + Mercury + Legally + Pipe + Bra + Readings + Smilies + That + Virus 788229\Bands.com
      4⤵
      System Location Discovery: System Language Discovery
      PID:4872
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b ..\Legal.bin + ..\Concentration.bin + ..\Invite.bin + ..\Clearance.bin + ..\Mileage.bin + ..\Seal.bin + ..\Activation.bin + ..\Thu.bin + ..\Diesel.bin + ..\Ppm.bin + ..\Sword.bin o
      4⤵
      System Location Discovery: System Language Discovery
      PID:4556
  - - C:\Users\Admin\AppData\Local\Temp\788229\Bands.com
      Bands.com o
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:1648
    - - C:\Users\Admin\AppData\Local\Temp\788229\Bands.com
        
        C:\Users\Admin\AppData\Local\Temp\788229\Bands.com
        5⤵
        Executes dropped EXE
        
        PID:3524
  - - C:\Windows\SysWOW64\choice.exe
      choice /d y /t 5
      4⤵
      System Location Discovery: System Language Discovery
      PID:3508
- C:\Windows\SYSTEM32\cmd.exe
  cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WilliamMate.url" & echo URL="C:\Users\Admin\AppData\Local\SmartFleet Technologies\WilliamMate.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WilliamMate.url" & exit
  2⤵
  - Drops startup file
  PID:4252

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\788229\Bands.com

Filesize
62KB

MD5
5e2ce723456e3f015fd6718426b20619

SHA1
dcf1c6879313209d3a8dcdf74a07278570ce1441

SHA256
7077b3afe140a553e80f249fad083ff8046ecbacd42e027a1f0508713cf3c91a

SHA512
d6745d462ba230d99cca9cfe808cc2fd55b51635d9e7fe58c4305ba49c461d0227f75746f9ef05dd7119cfd2fac31dcb6a54c181d317e787603c08810a69439e

Download Submit
C:\Users\Admin\AppData\Local\Temp\788229\Bands.com

Filesize
1.0MB

MD5
c63860691927d62432750013b5a20f5f

SHA1
03678170aadf6bab2ac2b742f5ea2fd1b11feca3

SHA256
69d2f1718ea284829ddf8c1a0b39742ae59f2f21f152a664baa01940ef43e353

SHA512
3357cb6468c15a10d5e3f1912349d7af180f7bd4c83d7b0fd1a719a0422e90d52be34d9583c99abeccdb5337595b292a2aa025727895565f3a6432cab46148de

Download Submit
C:\Users\Admin\AppData\Local\Temp\788229\o

Filesize
7.9MB

MD5
4e5daa009dde4e85d2d102aaab4790aa

SHA1
a635d46785b9d3af2071ec1e63e28ab953763a74

SHA256
2d198cb86ea24cbf20b60ab8e461dd4a1c35e4583d510569cff57a8bcbc2036e

SHA512
0de01cfacb3607877026008ecf0fac204020c2b3934624f006eea6bf3966fd68251ae1c510ddbbd18e45806ce649168efd9673075b436dedd855567b05bea464

Download Submit
C:\Users\Admin\AppData\Local\Temp\Activation.bin

Filesize
793KB

MD5
0d12a10e21554c09a3cee6d5f58d9d36

SHA1
adb3ca4a0ccd978b93b20bc1d45313b0b0573d44

SHA256
d0f0c692865bb83fb0fadc2522f20e8f7b6cc83503d83bcdde4af9fda9aad012

SHA512
2b13fa20d881af8cc3316bff67827d6a39fda635e3dc9c59b49580c3c0ca0a7e78803177cdd5eddc451c4a02ff319f35acaa71545f9a85a5a1acef014bbccded

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bra

Filesize
88KB

MD5
b95088474aecadd5ba4cf95eaca00c9a

SHA1
8a3755c427fc17d5570c6b1e0c37bb37d01e0756

SHA256
fd2e6454be35ea566aaeaa51c6524330dfaf233e21c98789e480f3408dd2a896

SHA512
e59b64b698297cb522da2442a93c04fdd3307155891f95a7746179c9282cd5c8d8efa648e03e7d86371284c947d7c7dad3a86b10c319010b2d97a488b2d21229

Download Submit
C:\Users\Admin\AppData\Local\Temp\Clearance.bin

Filesize
742KB

MD5
2f2bf6a0dfbd0d6859dc61f3691e1273

SHA1
3234f4176f1c951811756018f359ab2ce301258d

SHA256
ae367600a5aa633cba3cfa84a0f747d8b398a10440c802f9afd0230eb1f6cb1c

SHA512
223c6b9e67839c79ef1832320ac009b7b443ff73887b45e9cf80a3863acec6f0d213f38235957ae44484cb8c7660734b78b56a06c0badcf0c026c71423145439

Download Submit
C:\Users\Admin\AppData\Local\Temp\Concentration.bin

Filesize
630KB

MD5
e99390921bab5f2058833720112f246f

SHA1
4718caa4fb218deb5badb5ce0e69638974b26cdb

SHA256
4a74cf359b577e789a2e40f6ada60116565bdef034651674635e0a6f919a1649

SHA512
d37ad13eb4bc82bc0f74cb673be8a13dca4941adb105df7dc8a737ba52ce1e38e605a0ac9cf04f3aa8c457db877ebf6b112ab94dc8aa4d74f077b7a952addf1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Diesel.bin

Filesize
740KB

MD5
49af8e0dd967674ceaf1f6e1f00d5290

SHA1
b90bd71b9c3a8edd8c62c2ed523b0b37d5c4fd6d

SHA256
e1ad6dbebe6baaf3dafc7c84fd14c8ce00c5ad9f4e62cd50b441c65f55d5e4d0

SHA512
d81c6af409bb4840d4e041278fcdd17f9f3fe8c2ccb62d95d19c2e6e8f4692f7c46ff534dd97e3301c9fce0536a24719b4e59532262d0dc66acab29f27d34b7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Feeds.bin

Filesize
511KB

MD5
4a6af13e6cb0bc8467d48ba265779de0

SHA1
418f4653203d05f892096ebdb70364d4afdd692c

SHA256
63f7e144847b21e9b8fa69d144e1d5a9e1f680701e89cd2849a8eb3db3eb4508

SHA512
a9920c2079e38337d4be9dc1fe85520554c29e13810c08f8bb5b525952d10077e2dfc8ad271c7ba8af5c8dc21cdace4843cfdc538270a6829d17c5076fd736f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Indeed

Filesize
1KB

MD5
17cf8f88823d26452d7adc219749fe42

SHA1
e3317161cca6748e8e4443b178b0d0e9a0ea76eb

SHA256
c9695a94379ddb22eb11192cf6063c4fb683c44e137fee0c8f8ce4a57b784dc2

SHA512
d16ad54c3972968d7fa95c42c6e0c816f7d99ada671917e86296685b337fef085a90ade91ec10c8439f2573ba7c57e43eb3b30c32f9449ca3259ff59597ac29b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Intermediate

Filesize
61KB

MD5
9caf3478fc56e2f4562ef87f449d45cc

SHA1
b9cd9b16fcd877241591a016dd4dcd0557cdb2f8

SHA256
5157c4b94c628ca5fd2f4cc110312caf8cf51da23a746c389370b238f6f25b5e

SHA512
7a8a715910d9b2eda3d481400d11456e46f81995505af90cfdf73bddad01c8576bc2e159f0b5e3e6ecb5edbde6921b8f7726e24cdae66aa315af09c866b471c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Invite.bin

Filesize
624KB

MD5
bd6cd6a112fd168723034bef7a4e9eec

SHA1
4bea5f2e1c394f74b7c4df74ea3322b9c24cfc03

SHA256
ecf059abc19f83e152b20bb99d975e7ee2f15c1c2242f5096fd83860b24c4741

SHA512
e03dbd8b6a426199fd91473d03919b628449490309d9bb0720ea5683aad89439b45bac0e92a114e5937a06a5c87d4f86a02df28cb3ed9d16bcc42e1145bc97b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Legal.bin

Filesize
610KB

MD5
849dcc7820c9ee399d0860369419db4b

SHA1
e03cd26ec9d7850e1a9ba18dc21d5fbfa931db69

SHA256
fe55c42c3d979556a70cae137defdccc98b0841f8059e26ccfc3729cdfc68438

SHA512
21c150f6162c7ca7da1c9e9fc2e1fd4b8f0e29c2862b0a5c9e2021d39eb76b77c6f70f023b8de3a1f040c6b899ff5ee6866b50252e4b5a55610177c21caeec48

Download Submit
C:\Users\Admin\AppData\Local\Temp\Legally

Filesize
52KB

MD5
b72fe2bf9716c6d673c8d479dd244532

SHA1
ae693bfdbd89d87fa78023c9ff11b7192e1102db

SHA256
76d95bbc04286c3edfc7980f5aebe7693ee145f5c3c395af1c06757ee7a21181

SHA512
9dda13512a90371b35dd66e6a919d16ec5a76e0174596f0a825c1563fb25c2263a139f9d6944fe7d063a32f2c01780ba9429bb2657ec3a8eeaa76baae582c86e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lesson.bin

Filesize
27KB

MD5
40cf9b186ff57af61d9cf09c2351e0e4

SHA1
dadca7a70e4954c05f39d129e00c6802c666b4df

SHA256
b2531e17d41252e15401e3175c28233904fac886278c1fb41e699b42c78f3eac

SHA512
0bfffdf0b8637780eee58c8c8f4a222cc706a41764974b8bf9cd54da25ead51ba4ee6b5c6219b658eee8ef289ab9eef67e06ef83c9e760e781e64c38a2af6749

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mercury

Filesize
53KB

MD5
7f8844ee81878366164233510d7873a0

SHA1
942b8cd49627af70a8503d5ab8258724b043d574

SHA256
5db7d4a81677069a541bdf48be349ab75d3fb09c6efc7dd635bb68a8ba2bd59d

SHA512
3f4e75b60075ff455b8245ecb5ce1caa79e8344b17cf94bc2bca9ca824a4c4ae87bf16c835eaf0295e9ddbb486653ad36f3bf1309160501650ea516a2cbd0872

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mileage.bin

Filesize
990KB

MD5
89587fda0d472c4fecdbcf5a3603887d

SHA1
8a61b067fe8e538de45fe69781f9409579ac0c43

SHA256
6de18796e7384f4cd3001818078515ed9c0ccb7d0adb9b2737902075b4210b3c

SHA512
87293ab44a39d0195ccdfb09b31471049b21a06e155f30c35c1a44d618b3f24db3ac90fd2497c1da6e9354c2ce2c542ee6766e1d247e16843ff0cb8c214ceb06

Download Submit
C:\Users\Admin\AppData\Local\Temp\Oakland

Filesize
61KB

MD5
64562f2ed84b0ec00ca6ef0ca366afc8

SHA1
d8289b53657f8a4f5e94dd4707318ff611144486

SHA256
978a971441e489774af33f6b1d000fede313075190add78a08f48df427a9fed4

SHA512
b456124d41ae0a33fb783e28bc8558780c394c66f60c6cc57e519e7d85221c8b383fa53140b375798e1879ab3caff0d1fcc91b34f0608a56b3c46119e761bf52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pipe

Filesize
86KB

MD5
2ec70804da0aadca1cc218fb609ae9bf

SHA1
78b316844f1f15a03ae6d29218130ac109e04b50

SHA256
63af4f74e34344f29ee810654d278b9d5979981a050add81d94deb6ffadfc885

SHA512
6a1a7124f0ea7983f119dcd5859a47433390c1beb7686961677021fd104fcf317ed722b65c68fbf021bba52cee13bed8a4e4ee3a700ffb85f9046ea271fe6a02

Download Submit
C:\Users\Admin\AppData\Local\Temp\Poetry

Filesize
107KB

MD5
adb589d3a25ebcca20fa9234fb8e78e8

SHA1
636aea22c87131c94100a6b8ceaf2c3ab161a2de

SHA256
86b19ef3015461b4dedf8168ac4f2aa9c788dfa8ba55e8281925a0fe1205988e

SHA512
18959728504e0f15d991bdbde22d2c53aef7b2051bd17e462e4237ce3b8ad56592877b2aab185ea94d494e153e79bd12a8f51d7180b586054d545f59c9f6a8da

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ppm.bin

Filesize
918KB

MD5
43d91c0a2ad10bc1c4f77b794ffc3e18

SHA1
e3b644d61d636e215cd2ec193a26c00d3216ad27

SHA256
fcbe4ccccfb830196a79a526d5dd64206e19797eff3df0e69d9c6fb7efabc586

SHA512
d66dc32770a9c4bc9cfb800e5651a9fba8c1730ac645bced78840afaaf8be02adf5f7aab1ef0d2d3525c8ed838fd0797f052e7676f3093c5d0eab63e3b5de558

Download Submit
C:\Users\Admin\AppData\Local\Temp\Readings

Filesize
145KB

MD5
b72048b98b1cb5b0519a47979dc4560f

SHA1
ab6627afe7983e9cf21b893667fdc8056fa7f9d5

SHA256
5a55a917d5c8dc2b8703dca3890e97d5e49f10a9cc74cea504bbc1b3018c277a

SHA512
ed5bac322003b6d49a50a3a8489efeb4ffbd755a08237bc614b2610eae02bd529cb5a4c6434cd1c70ad763373f228d54242009d87f5420f32aa605b0586c288b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Seal.bin

Filesize
818KB

MD5
6b567de0fa2043ba40b9694e1cc35fde

SHA1
6f7eadec020abe01a24065fe29fb9e0ffcc9c0b6

SHA256
d026467d464de63bbf096da130fdb4f0345f493e94e683bc3369c2339a34f535

SHA512
bdd0f8a2a584f42122950f65854973b170ac066db218eff71a08595b19a25b007b8f2365228a9eb874c11c0cfe08a7577a7cca49085e3b3a5a78ebf6d4960b86

Download Submit
C:\Users\Admin\AppData\Local\Temp\Semi

Filesize
93KB

MD5
68e8272a455ba3477ee2e54fadc6f0d9

SHA1
bf4416004f53e730aab802f7e353f20a96f4ab14

SHA256
c15684e841d2f2693970dba3184da38327c3e98f2c338bc0b7db11b09a329446

SHA512
0295ddcfa2ea393e5e8b669f898c4962ec44c10b7aa923923d704eda922b0ad0ecc215ff1ac8615f7e636ab2d4453c4d042594901c7852e2f1757735808c59c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Smilies

Filesize
51KB

MD5
955370221afb4f8366cea97584e4fb9e

SHA1
347eb4793406f1ac57a76e0a2b4ea0efd0dce5e5

SHA256
5c41a5a7fb742f093aedf0170607d34492e26a9fd795a5e95908d2d55f44b753

SHA512
dd171aea526b8470024e526663446efddb9923caba7d13df7e74896a1fe7ac242b99a42664a23a2f7b0096fc4d0ef627ef9b4703a5df94d2beaf76a71b5a7d65

Download Submit
C:\Users\Admin\AppData\Local\Temp\Specialty

Filesize
141KB

MD5
1e0992e86a1d2acc071c81435b3c625d

SHA1
b3de592193b4d14ddcca16f06855e67178de38ef

SHA256
c6041224aa93562c3b8af5e217c6df0fb24d6753f6498ee048209d9699ea04c4

SHA512
e8507cdc70cf9c9f023a331aa6785594bcb4e56daf4ac03765ff685a788a8630b8562e4398d18a9a431cb1158e8ab48cda9ff5d7871660de696ba81cf3391ca1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sword.bin

Filesize
735KB

MD5
e7a9bebf16e3f2a59101c48cf3b9a08b

SHA1
8f4f29dea6907de6dca5e868914453362939da11

SHA256
8ac3c3d2377e54623eac72ffc425d257acbe6e54e488e5ca9f401a684a8a6d5a

SHA512
a188b41899b18ade3d1e97de9630b66e810a19b36ea52eb3f55523a29c76f879d151512278ac6ea7aca74b0d57d86879135616b90bd3e861e55e0556e74bde0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\That

Filesize
71KB

MD5
bb6eb52f9a6b7a97e3d00cc6ad439363

SHA1
cbd54758748f740c1b6a5ac6764bcda480aea375

SHA256
e23dea9e4e66502cd9700876e4ce01dddab6b09187f741c272f22772d22bd16c

SHA512
f1da879cb685f57fc62c0991f0cefd9ca1d2367b9a665b3181ec8cb51948584a7a0e11c93087b4d5eef869e88cd43c475943f375fe0bcabe7479849e187d9c7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Thu.bin

Filesize
534KB

MD5
08eb93449928a45c44f75f16db6c0885

SHA1
f05e568239ebe529c091eff369975243dc51eecd

SHA256
3f74caf313e71781874e5c6c60495d049c08b0a2436b6174361d60a78d140afd

SHA512
1f17e6d07b43c4c24fa9b2d5acb6c6b79f4788babc9ac3f3d8514870e899775bde761e7f3fb9533c58661f6d493becbb753e3e2f857825d3d3c3058d29cdcd77

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus

Filesize
29KB

MD5
4d7e01791a3cfdea5bec1bb070215ccb

SHA1
1b05ea1ce5965c752ec88bbf98e1bf2896020c9a

SHA256
545c74d304217274bb4e2c8fab65231cb12aeae3cf405ed8751605b1e69a2ef4

SHA512
0e8bbc2b3de9549e9044d7129daf38a2b69d2591274f7829d4c243fcd34d69132c9469dbc4e092f3dac83b46888af58439ac30a8febb9e298e1ffc83a1e43458

Download Submit
memory/3524-688-0x00000184E0180000-0x00000184E0923000-memory.dmp

Filesize
7.6MB

Download
memory/3524-689-0x00000184E0180000-0x00000184E0923000-memory.dmp

Filesize
7.6MB

Download
memory/3524-693-0x00000184E0180000-0x00000184E0923000-memory.dmp

Filesize
7.6MB

Download
memory/3524-692-0x00000184E0180000-0x00000184E0923000-memory.dmp

Filesize
7.6MB

Download
memory/3524-691-0x00000184E0180000-0x00000184E0923000-memory.dmp

Filesize
7.6MB

Download
memory/3524-694-0x00000184E0180000-0x00000184E0923000-memory.dmp

Filesize
7.6MB

Download