lumma | d0343c3575a7f1caf5d53ce8322ff8a748e009af9dcc924b6ecb75524d000b21

Analysis

max time kernel
135s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
21-03-2023 14:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0f407885972527820e108a66a95f8d0917d185a8244ca3a762a28bb53fe430d1.exe
Size

1.6MB
MD5

e221de400b5cfb955cb0973e189da049
SHA1

af8000af453527e4901fb534143c455a4e68e9ce
SHA256

0f407885972527820e108a66a95f8d0917d185a8244ca3a762a28bb53fe430d1
SHA512

aba03236398d59ca93bb56f8a7f512f9b7fc4aa279c70332287b35833d9840eee5a1067c3800e3def9be81f51a3bee5bac71c35423606f047b427f295fb5b387
SSDEEP

24576:WKMlgd2tUtSuoL3Mj+B4OrUgeAI7GiFsJ9FU+Z6ehMFxY+bSQzMwRaZOrD:RAtUguoL3Mj+ZIgqGi+FU+ZZz+eQzwOH

Score

10^/10

lumma spyware stealer upx

Malware Config

Signatures

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
Executes dropped EXE 2 IoCs

Processes:

Engine.exePatrol.exe.pif

pid process

4104 Engine.exe
1864 Patrol.exe.pif
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4104	Engine.exe
1864	Patrol.exe.pif

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\SETUP_29934\Engine.exe	upx
C:\Users\Admin\AppData\Local\Temp\SETUP_29934\Engine.exe	upx
behavioral2/memory/4104-154-0x0000000000400000-0x0000000000557000-memory.dmp	upx
behavioral2/memory/4104-227-0x0000000000400000-0x0000000000557000-memory.dmp	upx
behavioral2/memory/4104-230-0x0000000000400000-0x0000000000557000-memory.dmp	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Drops desktop.ini file(s) 1 IoCs

Processes:

svchost.exe

description ioc process

File opened for modification C:\Users\Admin\Videos\Captures\desktop.ini svchost.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Videos\Captures\desktop.ini	svchost.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exesvchost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe

Modifies registry class 2 IoCs

Processes:

svchost.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-144354903-2550862337-1367551827-1000\{B8664FC2-A1E7-4627-8EE6-68108F58D8CD}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-144354903-2550862337-1367551827-1000\{38B9C573-1C32-487D-BBFB-1CFD417ABA6F}	svchost.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1176 PING.EXE

pid	process
1176	PING.EXE

Suspicious behavior: EnumeratesProcesses 48 IoCs

Processes:

0f407885972527820e108a66a95f8d0917d185a8244ca3a762a28bb53fe430d1.exepowershell.exepowershell.exePatrol.exe.pif

pid	process
2472	0f407885972527820e108a66a95f8d0917d185a8244ca3a762a28bb53fe430d1.exe
2472	0f407885972527820e108a66a95f8d0917d185a8244ca3a762a28bb53fe430d1.exe
4464	powershell.exe
2472	0f407885972527820e108a66a95f8d0917d185a8244ca3a762a28bb53fe430d1.exe
2472	0f407885972527820e108a66a95f8d0917d185a8244ca3a762a28bb53fe430d1.exe
4464	powershell.exe
2472	0f407885972527820e108a66a95f8d0917d185a8244ca3a762a28bb53fe430d1.exe
2472	0f407885972527820e108a66a95f8d0917d185a8244ca3a762a28bb53fe430d1.exe
2472	0f407885972527820e108a66a95f8d0917d185a8244ca3a762a28bb53fe430d1.exe
2472	0f407885972527820e108a66a95f8d0917d185a8244ca3a762a28bb53fe430d1.exe
4464	powershell.exe
2472	0f407885972527820e108a66a95f8d0917d185a8244ca3a762a28bb53fe430d1.exe
2472	0f407885972527820e108a66a95f8d0917d185a8244ca3a762a28bb53fe430d1.exe
1480	powershell.exe
1480	powershell.exe
2472	0f407885972527820e108a66a95f8d0917d185a8244ca3a762a28bb53fe430d1.exe
2472	0f407885972527820e108a66a95f8d0917d185a8244ca3a762a28bb53fe430d1.exe
1480	powershell.exe
2472	0f407885972527820e108a66a95f8d0917d185a8244ca3a762a28bb53fe430d1.exe
2472	0f407885972527820e108a66a95f8d0917d185a8244ca3a762a28bb53fe430d1.exe
1864	Patrol.exe.pif
1864	Patrol.exe.pif
1864	Patrol.exe.pif
1864	Patrol.exe.pif
1864	Patrol.exe.pif
1864	Patrol.exe.pif
1864	Patrol.exe.pif
1864	Patrol.exe.pif
2472	0f407885972527820e108a66a95f8d0917d185a8244ca3a762a28bb53fe430d1.exe
2472	0f407885972527820e108a66a95f8d0917d185a8244ca3a762a28bb53fe430d1.exe
1864	Patrol.exe.pif
1864	Patrol.exe.pif
1864	Patrol.exe.pif
1864	Patrol.exe.pif
1864	Patrol.exe.pif
1864	Patrol.exe.pif
1864	Patrol.exe.pif
1864	Patrol.exe.pif
1864	Patrol.exe.pif
1864	Patrol.exe.pif
1864	Patrol.exe.pif
1864	Patrol.exe.pif
1864	Patrol.exe.pif
1864	Patrol.exe.pif
2472	0f407885972527820e108a66a95f8d0917d185a8244ca3a762a28bb53fe430d1.exe
2472	0f407885972527820e108a66a95f8d0917d185a8244ca3a762a28bb53fe430d1.exe
1864	Patrol.exe.pif
1864	Patrol.exe.pif

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 4464 powershell.exe
Token: SeDebugPrivilege 1480 powershell.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

Patrol.exe.pif

pid process

1864 Patrol.exe.pif
1864 Patrol.exe.pif
1864 Patrol.exe.pif
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

Patrol.exe.pif

pid process

1864 Patrol.exe.pif
1864 Patrol.exe.pif
1864 Patrol.exe.pif
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

OpenWith.exe

pid process

3992 OpenWith.exe

description	pid	process
Token: SeDebugPrivilege	4464	powershell.exe
Token: SeDebugPrivilege	1480	powershell.exe

pid	process
1864	Patrol.exe.pif
1864	Patrol.exe.pif
1864	Patrol.exe.pif

pid	process
1864	Patrol.exe.pif
1864	Patrol.exe.pif
1864	Patrol.exe.pif

pid	process
3992	OpenWith.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

0f407885972527820e108a66a95f8d0917d185a8244ca3a762a28bb53fe430d1.exeEngine.exeCmD.execmd.exe

description	pid	process	target process
PID 2472 wrote to memory of 4104	2472	0f407885972527820e108a66a95f8d0917d185a8244ca3a762a28bb53fe430d1.exe	Engine.exe
PID 2472 wrote to memory of 4104	2472	0f407885972527820e108a66a95f8d0917d185a8244ca3a762a28bb53fe430d1.exe	Engine.exe
PID 2472 wrote to memory of 4104	2472	0f407885972527820e108a66a95f8d0917d185a8244ca3a762a28bb53fe430d1.exe	Engine.exe
PID 4104 wrote to memory of 4160	4104	Engine.exe	CmD.exe
PID 4104 wrote to memory of 4160	4104	Engine.exe	CmD.exe
PID 4104 wrote to memory of 4160	4104	Engine.exe	CmD.exe
PID 4160 wrote to memory of 5072	4160	CmD.exe	cmd.exe
PID 4160 wrote to memory of 5072	4160	CmD.exe	cmd.exe
PID 4160 wrote to memory of 5072	4160	CmD.exe	cmd.exe
PID 5072 wrote to memory of 4464	5072	cmd.exe	powershell.exe
PID 5072 wrote to memory of 4464	5072	cmd.exe	powershell.exe
PID 5072 wrote to memory of 4464	5072	cmd.exe	powershell.exe
PID 5072 wrote to memory of 1480	5072	cmd.exe	powershell.exe
PID 5072 wrote to memory of 1480	5072	cmd.exe	powershell.exe
PID 5072 wrote to memory of 1480	5072	cmd.exe	powershell.exe
PID 5072 wrote to memory of 1732	5072	cmd.exe	findstr.exe
PID 5072 wrote to memory of 1732	5072	cmd.exe	findstr.exe
PID 5072 wrote to memory of 1732	5072	cmd.exe	findstr.exe
PID 5072 wrote to memory of 1864	5072	cmd.exe	Patrol.exe.pif
PID 5072 wrote to memory of 1864	5072	cmd.exe	Patrol.exe.pif
PID 5072 wrote to memory of 1864	5072	cmd.exe	Patrol.exe.pif
PID 5072 wrote to memory of 1176	5072	cmd.exe	PING.EXE
PID 5072 wrote to memory of 1176	5072	cmd.exe	PING.EXE
PID 5072 wrote to memory of 1176	5072	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\0f407885972527820e108a66a95f8d0917d185a8244ca3a762a28bb53fe430d1.exe
"C:\Users\Admin\AppData\Local\Temp\0f407885972527820e108a66a95f8d0917d185a8244ca3a762a28bb53fe430d1.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2472

C:\Users\Admin\AppData\Local\Temp\SETUP_29934\Engine.exe
C:\Users\Admin\AppData\Local\Temp\SETUP_29934\Engine.exe /TH_ID=_2380 /OriginExe="C:\Users\Admin\AppData\Local\Temp\0f407885972527820e108a66a95f8d0917d185a8244ca3a762a28bb53fe430d1.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4104

C:\Windows\SysWOW64\CmD.exe
C:\Windows\system32\CmD.exe /c cmd < Dynamics
3⤵
- Suspicious use of WriteProcessMemory
PID:4160

C:\Windows\SysWOW64\cmd.exe
cmd
4⤵
- Suspicious use of WriteProcessMemory
PID:5072

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell get-process avastui
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4464

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell get-process avgui
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1480

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^paceEasterSuccessfulAmongTt$" Failing
5⤵
PID:1732

C:\Users\Admin\AppData\Local\Temp\qgkk2rvj.bgz\28728\Patrol.exe.pif
28728\\Patrol.exe.pif 28728\\k
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1864

C:\Windows\SysWOW64\PING.EXE
ping localhost -n 8
5⤵
- Runs ping.exe
PID:1176

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:3992

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
- Drops desktop.ini file(s)
- Checks processor information in registry
- Modifies registry class
PID:4304

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
- Checks processor information in registry
- Modifies registry class
PID:2016

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
1KB

MD5
def65711d78669d7f8e69313be4acf2e

SHA1
6522ebf1de09eeb981e270bd95114bc69a49cda6

SHA256
aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c

SHA512
05b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
beef0e0d393bd7f60d48781a860fc2a7

SHA1
5ffd79fbb4913e395fde812bee2048f14238da87

SHA256
25e38ddb2f12aba999dff1fb3ca0be331685c527608230bbf0cf0c4c28c33ac9

SHA512
d77ccd47a19d018d1209c8d93257cfed0fcc3a087eb298e56cb234ce244c828f45dbee4d182aad2d7bfaed83832382408bc07423a04d82d168d48f0f354e126f

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_29934\00000#All
Filesize
13KB

MD5
b760db51ea80f3affb6d560363467cc6

SHA1
1fc7dfdf6e7ab710e8fb72e7b811a8b0733bc437

SHA256
5265907c3206d6997cf7948e09527f87d82893ea6f282009d16207020951e32a

SHA512
1ed267cbb86675130fc3cfcad54f2978d6448bb9638c9e8b12e76bf43700de9c2ddfec1ffdd4675cd962e4ec5762f297d249aa3447026b74f822e899aea748f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_29934\00001#Bow
Filesize
149KB

MD5
480593e4e45c2aae97d43acfd72cc303

SHA1
7d410fedb3638039e3acb6dab7fbd87c11d3f569

SHA256
fd5ea03406b9219d335f2333081d085e5b3619ca3328fba6c1fe8d648912766e

SHA512
5b8016abe13de58925cbdb41f7e4693ad14aaed14d25640b9c98ce6fd29b89f5e512b3afc45c0d2d185045100ad0f6d8c6285e21ac780efad2c0e0be4ac02e55

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_29934\00002#Bumper
Filesize
16KB

MD5
7d6f12a386d1c9e6cf9916c3173c5932

SHA1
6f19920c185eb9e549a9c5732e10296f36f5e4a4

SHA256
056e281b03196c827913481ddd2c0299daef2668b76779a1dbb612e42f74fae2

SHA512
345ad236b57f89b0b0c3f1f26f692fdea3933b73dd993e4960cd46593ea99e4b59b848e967ec53e0332141b1527c5c524a500e469f572c02777bcb0d386a2b15

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_29934\00003#Dynamics
Filesize
14KB

MD5
8287ce1d975af35e954e923b5921457a

SHA1
fd61d52c8d2776b874f2508fff0384f985f7cf97

SHA256
492308217b40ff311e9775bc71d8b42fbf781add2660f3cf5ece897cbe280078

SHA512
ab95b1b072d1adaef6b90cabf3ebdbd3a3d413da688b728a4cb277dad317d19c9e2c7b4f8eecd703392ba7157805e1bb122bb84b207b072d5b2785223190a9f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_29934\00004#Immunology
Filesize
151KB

MD5
aa17279505ac32160034f8a8839e8f80

SHA1
b49b784bdde5a031ac5d48e46d933f46cee6927c

SHA256
534059d1faebac35160fbe7f8faef0b9eec47aaeebf42137bdca98e8fd972242

SHA512
4f55c0c355cb619056e415a9cc1762515a878b1fa9ccc9ed521b5f54c3684ac577ca7bb2a22fd87ea255767299d828a27b5a19f264d9ac4da36b716f240397cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_29934\00005#Manga
Filesize
1.1MB

MD5
56a8a8e2e85abe12c648ae6eee609f43

SHA1
fac9d4f4f0de4dba79a22990eb689eceaaf37192

SHA256
d3f732f5b4878880012ab6edcd21b761a317ea2abbc25e510f9f1c3932d2cb71

SHA512
bcd3b99219efbfc4b2aee914ce031dd5327687cd197c4c0fa69ed11bb3559288ec046680b6e5113bc1237be29ff515af32c198a4f7341973ca93e3ca8cc57c6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_29934\00006#Memory
Filesize
44KB

MD5
e7e32c2a8485d1a2e30168429aba09db

SHA1
328513ea848a9ba4b05ad7b35f738a71a5e46b06

SHA256
8bba3408bea12bdf541766bbb2a9ddf8dfa022143544ea2b38ca41c6e506ea21

SHA512
1c0fa5062dccf716baa9ea3d84be60029a7985bd183ee302095bcf533f9745e3364852dce566c067fd3ac02cefb243558a7cf353cffa1c0528c00701c47f875d

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_29934\00007#Placing
Filesize
99KB

MD5
055856c7f7226fe771420003504e17df

SHA1
97c63783438858506c09e0c2a970dade78ce3e3b

SHA256
326bb3ac0eab85a22ff6a44605a90981677de22ebe17e91ba4040a53dc3477b9

SHA512
2b14994236ae3d150ef1901354f5cad326faec15158d9b54a4eb137a1be6f7d1d0cb388508a230318c2c29886a1370a90767a24e9b1148c5d0b69ebd337a43ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_29934\00008#Qatar
Filesize
142KB

MD5
42a92fad3aa782c144303db85e9b6160

SHA1
93478cb63986524c2dbd41fcede84da181bac4fd

SHA256
95e4a393a2ce9a18b1fbb23e4c5a07b357b508fb3c31179cc419cdbb7ed75535

SHA512
b2b76f91f578cea2aa5df6673bc5183b5ae99cafb654d660c6dcc0987d0d11558e6d32fbfc559de143979577bf1f80be7b2f4b9fa9e397a0e71b66d46ce49d99

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_29934\00009#Queue
Filesize
43KB

MD5
840d3174c45bcc69db130dbc34d3498d

SHA1
76c644e82095263e26c2190cd90c15875824a315

SHA256
e6e611a76be9a29768c8f33e6bdb1e70d5ce5a61146e129413e4679ff9e8f97b

SHA512
adb7e724b8acf30a8da90a93e4916703a57f3a77aa2471f50b430b5d41b20e82ceece4fb122421a27811b1b955e73c4087b88ebe5b7168a69b46a743bef6c473

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_29934\00010#Solutions
Filesize
154KB

MD5
14895da525fc0a0d06ecf2bcb92dbc1f

SHA1
f163aaa6c2e31a0e3d98812991896e6aa7bd2008

SHA256
313af3d2356141806da23dc7039e7ea2d03234db3e308146f2eed1b731a29a87

SHA512
3ae4f2d2e4c93e5000e7148bf63a0b209a9fcc53b1006be20fc6067a0de1656504323a1d9e4bba4fbd1cb3d41f4b3fd477eb0c2def634d74de89c4d11416842b

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_29934\00011#Sox
Filesize
114KB

MD5
aafe487839ee160aa8ee5a2da5f1e0f0

SHA1
1e403c7a922a44f032d1e080f5601d43ee669eba

SHA256
3708f149999be9e4ead2209ba82259ae2b8b45fd29edcd878343e312f9b48dc1

SHA512
c9884c782ccb69745680c877d5ad9177084af1ac01fa7ac0ce690372856cb763839cba5e38ed989a26074c79bccf7cb10f19689ba44643bb27baece8bd52cd3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_29934\Engine.exe
Filesize
429KB

MD5
7b596c0cbb9056107ed4783184805501

SHA1
a6397b178a3c51dbc987eca124f0f8a64a5c2115

SHA256
ce5ccd3d4effb9c453d8847bfb4d056f874d92593d816bcd39ba5ad15be738c9

SHA512
1d20386dbbf4cc7effa449fcfe5d9880d712a1678cb5f3c10ac5789cf29034a998a23802f5694c8d6eaf5d9b1f8d703fad179d7dacad2cf5f8d16c30792fc248

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_29934\Engine.exe
Filesize
429KB

MD5
7b596c0cbb9056107ed4783184805501

SHA1
a6397b178a3c51dbc987eca124f0f8a64a5c2115

SHA256
ce5ccd3d4effb9c453d8847bfb4d056f874d92593d816bcd39ba5ad15be738c9

SHA512
1d20386dbbf4cc7effa449fcfe5d9880d712a1678cb5f3c10ac5789cf29034a998a23802f5694c8d6eaf5d9b1f8d703fad179d7dacad2cf5f8d16c30792fc248

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_29934\Modern_Icon.bmp
Filesize
7KB

MD5
1dd88f67f029710d5c5858a6293a93f1

SHA1
3e5ef66613415fe9467b2a24ccc27d8f997e7df6

SHA256
b5dad33ceb6eb1ac2a05fbda76e29a73038403939218a88367925c3a20c05532

SHA512
7071fd64038e0058c8c586c63c62677c0ca403768100f90323cf9c0bc7b7fcb538391e6f3606bd7970b8769445606ada47adcdcfc1e991e25caf272a13e10c94

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_29934\Setup.txt
Filesize
2KB

MD5
45168af3c3c98607fbb30dbc1092a9d2

SHA1
95b16f76585e4f2be132dcef3157ce6bd8f98d07

SHA256
693ddfd2143b7b238ee2b0a7a75a11dcb269d9555e5da9c43c71fb1b1809c845

SHA512
c2e70115924d8153ceab6c3f4b707f9b43fc9a17f2a630c1c4ff0c46df1b359c76b997f25ecef1f842dc768e538274b2c01530af3797d7dd67376f2c84f57050

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bopmg1lg.om5.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\qgkk2rvj.bgz\28728\Patrol.exe.pif
Filesize
925KB

MD5
0162a97ed477353bc35776a7addffd5c

SHA1
10db8fe20bbce0f10517c510ec73532cf6feb227

SHA256
15600ccdef5a64b40d206d89234a51be1e11bd878dcefc5986590bcf40d9d571

SHA512
9638cab1aabe78c22a3d3528a391544f697d792640d831516b63fa52c393ee96bb588223e70163d059208cc5a14481c5ff7ef6ba9ac572322798a823d67f01f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\qgkk2rvj.bgz\Failing
Filesize
925KB

MD5
b31f34ca7a70e8793dbe4657341a99d2

SHA1
cbc483b20a0f2541e87af96a067325ad52c1d59e

SHA256
c2738e1e043bee5bf68c0f6975de3e6ca1a6b0c0d862c7004a41328ccf8ca17c

SHA512
eff0402705f0de0cf8b4dd4640a46afb3dcdc509eecaacf9a1e98e2833094aa800183e58c9e18d41a9828d0558b97f3dab74f09cebe1029abd6e9960c9424e31

Download Submit
C:\Users\Admin\Videos\Captures\desktop.ini
Filesize
190B

MD5
b0d27eaec71f1cd73b015f5ceeb15f9d

SHA1
62264f8b5c2f5034a1e4143df6e8c787165fbc2f

SHA256
86d9f822aeb989755fac82929e8db369b3f5f04117ef96fd76e3d5f920a501d2

SHA512
7b5c9783a0a14b600b156825639d24cbbc000f5066c48ce9fecc195255603fc55129aaaca336d7ce6ad4e941d5492b756562f2c7a1d151fcfc2dabac76f3946c

Download Submit
memory/1480-218-0x0000000004E20000-0x0000000004E30000-memory.dmp

Filesize
64KB

Download
memory/1480-219-0x0000000004E20000-0x0000000004E30000-memory.dmp

Filesize
64KB

Download
memory/1864-239-0x0000000001440000-0x00000000014A4000-memory.dmp

Filesize
400KB

Download
memory/1864-238-0x0000000001440000-0x00000000014A4000-memory.dmp

Filesize
400KB

Download
memory/1864-237-0x0000000001440000-0x00000000014A4000-memory.dmp

Filesize
400KB

Download
memory/1864-236-0x0000000001440000-0x00000000014A4000-memory.dmp

Filesize
400KB

Download
memory/1864-234-0x0000000001440000-0x00000000014A4000-memory.dmp

Filesize
400KB

Download
memory/1864-235-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/1864-233-0x0000000001440000-0x00000000014A4000-memory.dmp

Filesize
400KB

Download
memory/1864-232-0x0000000001440000-0x00000000014A4000-memory.dmp

Filesize
400KB

Download
memory/1864-231-0x0000000001440000-0x00000000014A4000-memory.dmp

Filesize
400KB

Download
memory/2472-200-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4104-154-0x0000000000400000-0x0000000000557000-memory.dmp

Filesize
1.3MB

Download
memory/4104-227-0x0000000000400000-0x0000000000557000-memory.dmp

Filesize
1.3MB

Download
memory/4104-230-0x0000000000400000-0x0000000000557000-memory.dmp

Filesize
1.3MB

Download
memory/4104-228-0x0000000000B50000-0x0000000000B51000-memory.dmp

Filesize
4KB

Download
memory/4104-155-0x0000000000B50000-0x0000000000B51000-memory.dmp

Filesize
4KB

Download
memory/4464-204-0x0000000007EF0000-0x0000000008494000-memory.dmp

Filesize
5.6MB

Download
memory/4464-192-0x00000000062F0000-0x0000000006356000-memory.dmp

Filesize
408KB

Download
memory/4464-184-0x0000000005C50000-0x0000000006278000-memory.dmp

Filesize
6.2MB

Download
memory/4464-185-0x00000000059B0000-0x00000000059D2000-memory.dmp

Filesize
136KB

Download
memory/4464-183-0x0000000003030000-0x0000000003066000-memory.dmp

Filesize
216KB

Download
memory/4464-203-0x0000000006E80000-0x0000000006EA2000-memory.dmp

Filesize
136KB

Download
memory/4464-202-0x0000000006E30000-0x0000000006E4A000-memory.dmp

Filesize
104KB

Download
memory/4464-201-0x0000000006EB0000-0x0000000006F46000-memory.dmp

Filesize
600KB

Download
memory/4464-199-0x0000000006950000-0x000000000696E000-memory.dmp

Filesize
120KB

Download
memory/4464-198-0x0000000005610000-0x0000000005620000-memory.dmp

Filesize
64KB

Download
memory/4464-197-0x0000000005610000-0x0000000005620000-memory.dmp

Filesize
64KB

Download
memory/4464-186-0x0000000006280000-0x00000000062E6000-memory.dmp

Filesize
408KB

Download