lumma | 94ab177cc62af8c0fa1d2a0be6575db5bde69a52d126293e6a7fe5c01607597d

Analysis

max time kernel
162s
max time network
165s
platform
windows10-2004_x64
resource
win10v2004-20240319-en
resource tags

arch:x64arch:x86image:win10v2004-20240319-enlocale:en-usos:windows10-2004-x64system
submitted
03-04-2024 06:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

!!@NeW_$etUp_2024_pAsSW0rds$_.exe
Size

13.7MB
MD5

b1cb85d0689f64c6373345fc6b084f5f
SHA1

9901c71cf849f77161732f1ab9631b111fd00753
SHA256

94ab177cc62af8c0fa1d2a0be6575db5bde69a52d126293e6a7fe5c01607597d
SHA512

3a2751b43a725fa436907156f3976a93eaebbcaa93eb3118f35ceb7268cd9f3a5037f8b02216dde58fdf6e766a728fbf8db5668f67dd3225342e1411e83f2f51
SSDEEP

393216:uPUByGBdf6xy5DEs5Rr7+EVrwRGJvxPjVHs+i2sUC8RS:uPkyGBdIy5DIEqY3M3T

Score

10^/10

lumma zgrat rat spyware stealer

Malware Config

Extracted

Family

lumma

https://marchsensedjurkey.shop/api

Signatures

Detect ZGRat V1 21 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2392-366-0x0000000006540000-0x0000000006759000-memory.dmp	family_zgrat_v1
behavioral2/memory/2392-367-0x0000000006540000-0x0000000006759000-memory.dmp	family_zgrat_v1
behavioral2/memory/2392-369-0x0000000006540000-0x0000000006759000-memory.dmp	family_zgrat_v1
behavioral2/memory/2392-371-0x0000000006540000-0x0000000006759000-memory.dmp	family_zgrat_v1
behavioral2/memory/2392-373-0x0000000006540000-0x0000000006759000-memory.dmp	family_zgrat_v1
behavioral2/memory/2392-375-0x0000000006540000-0x0000000006759000-memory.dmp	family_zgrat_v1
behavioral2/memory/2392-377-0x0000000006540000-0x0000000006759000-memory.dmp	family_zgrat_v1
behavioral2/memory/2392-379-0x0000000006540000-0x0000000006759000-memory.dmp	family_zgrat_v1
behavioral2/memory/2392-381-0x0000000006540000-0x0000000006759000-memory.dmp	family_zgrat_v1
behavioral2/memory/2392-383-0x0000000006540000-0x0000000006759000-memory.dmp	family_zgrat_v1
behavioral2/memory/2392-389-0x0000000006540000-0x0000000006759000-memory.dmp	family_zgrat_v1
behavioral2/memory/2392-391-0x0000000006540000-0x0000000006759000-memory.dmp	family_zgrat_v1
behavioral2/memory/2392-393-0x0000000006540000-0x0000000006759000-memory.dmp	family_zgrat_v1
behavioral2/memory/2392-396-0x0000000006540000-0x0000000006759000-memory.dmp	family_zgrat_v1
behavioral2/memory/2392-398-0x0000000006540000-0x0000000006759000-memory.dmp	family_zgrat_v1
behavioral2/memory/2392-400-0x0000000006540000-0x0000000006759000-memory.dmp	family_zgrat_v1
behavioral2/memory/2392-402-0x0000000006540000-0x0000000006759000-memory.dmp	family_zgrat_v1
behavioral2/memory/2392-405-0x0000000006540000-0x0000000006759000-memory.dmp	family_zgrat_v1
behavioral2/memory/1144-403-0x00000210F5110000-0x00000210F5DE1000-memory.dmp	family_zgrat_v1
behavioral2/memory/2392-408-0x0000000006540000-0x0000000006759000-memory.dmp	family_zgrat_v1
behavioral2/memory/1144-406-0x00000210F5110000-0x00000210F5DE1000-memory.dmp	family_zgrat_v1

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

69 1064 powershell.exe
Downloads MZ/PE file

flow	pid	process
69	1064	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

!!@NeW_$etUp_2024_pAsSW0rds$_.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	!!@NeW_$etUp_2024_pAsSW0rds$_.exe

Executes dropped EXE 4 IoCs

Processes:

setup.exewujUNmYy.exe54OPYw9Inz6qSdW.exeGOFKoqOvWzr6ie0Bvj.exe

pid process

5000 setup.exe
4836 wujUNmYy.exe
2392 54OPYw9Inz6qSdW.exe
1144 GOFKoqOvWzr6ie0Bvj.exe

Loads dropped DLL 13 IoCs

Processes:

setup.exe

pid	process
5000	setup.exe
5000	setup.exe
5000	setup.exe
5000	setup.exe
5000	setup.exe
5000	setup.exe
5000	setup.exe
5000	setup.exe
5000	setup.exe
5000	setup.exe
5000	setup.exe
5000	setup.exe
5000	setup.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 2 IoCs

Processes:

setup.exewujUNmYy.exe

description	pid	process	target process
PID 5000 set thread context of 1436	5000	setup.exe	netsh.exe
PID 4836 set thread context of 1164	4836	wujUNmYy.exe	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exe

pid process

2588 ipconfig.exe

pid	process
2588	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

setup.exenetsh.exeexplorer.exepowershell.exepowershell.exewujUNmYy.execmd.exe

pid	process
5000	setup.exe
5000	setup.exe
1436	netsh.exe
1436	netsh.exe
1436	netsh.exe
1436	netsh.exe
4868	explorer.exe
4868	explorer.exe
4868	explorer.exe
4868	explorer.exe
1064	powershell.exe
1064	powershell.exe
1064	powershell.exe
1064	powershell.exe
1064	powershell.exe
1064	powershell.exe
1584	powershell.exe
1584	powershell.exe
1584	powershell.exe
4836	wujUNmYy.exe
4836	wujUNmYy.exe
4836	wujUNmYy.exe
1164	cmd.exe
1164	cmd.exe
1164	cmd.exe
1164	cmd.exe

Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

setup.exenetsh.exewujUNmYy.execmd.exe

pid process

5000 setup.exe
1436 netsh.exe
4836 wujUNmYy.exe
1164 cmd.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exepowershell.exe54OPYw9Inz6qSdW.exeGOFKoqOvWzr6ie0Bvj.exe

description	pid	process
Token: SeDebugPrivilege	1064	powershell.exe
Token: SeDebugPrivilege	1584	powershell.exe
Token: SeDebugPrivilege	2392	54OPYw9Inz6qSdW.exe
Token: SeDebugPrivilege	1144	GOFKoqOvWzr6ie0Bvj.exe

Suspicious use of WriteProcessMemory 37 IoCs

Processes:

!!@NeW_$etUp_2024_pAsSW0rds$_.exesetup.exenetsh.exeexplorer.exepowershell.exewujUNmYy.execmd.exe

description	pid	process	target process
PID 1456 wrote to memory of 5000	1456	!!@NeW_$etUp_2024_pAsSW0rds$_.exe	setup.exe
PID 1456 wrote to memory of 5000	1456	!!@NeW_$etUp_2024_pAsSW0rds$_.exe	setup.exe
PID 5000 wrote to memory of 1436	5000	setup.exe	netsh.exe
PID 5000 wrote to memory of 1436	5000	setup.exe	netsh.exe
PID 5000 wrote to memory of 1436	5000	setup.exe	netsh.exe
PID 5000 wrote to memory of 1436	5000	setup.exe	netsh.exe
PID 1436 wrote to memory of 4868	1436	netsh.exe	explorer.exe
PID 1436 wrote to memory of 4868	1436	netsh.exe	explorer.exe
PID 1436 wrote to memory of 4868	1436	netsh.exe	explorer.exe
PID 1436 wrote to memory of 4868	1436	netsh.exe	explorer.exe
PID 4868 wrote to memory of 1064	4868	explorer.exe	powershell.exe
PID 4868 wrote to memory of 1064	4868	explorer.exe	powershell.exe
PID 4868 wrote to memory of 1064	4868	explorer.exe	powershell.exe
PID 1064 wrote to memory of 2588	1064	powershell.exe	ipconfig.exe
PID 1064 wrote to memory of 2588	1064	powershell.exe	ipconfig.exe
PID 1064 wrote to memory of 2588	1064	powershell.exe	ipconfig.exe
PID 1064 wrote to memory of 1584	1064	powershell.exe	powershell.exe
PID 1064 wrote to memory of 1584	1064	powershell.exe	powershell.exe
PID 1064 wrote to memory of 1584	1064	powershell.exe	powershell.exe
PID 1064 wrote to memory of 4836	1064	powershell.exe	wujUNmYy.exe
PID 1064 wrote to memory of 4836	1064	powershell.exe	wujUNmYy.exe
PID 1064 wrote to memory of 4836	1064	powershell.exe	wujUNmYy.exe
PID 1064 wrote to memory of 2392	1064	powershell.exe	54OPYw9Inz6qSdW.exe
PID 1064 wrote to memory of 2392	1064	powershell.exe	54OPYw9Inz6qSdW.exe
PID 1064 wrote to memory of 2392	1064	powershell.exe	54OPYw9Inz6qSdW.exe
PID 1064 wrote to memory of 1144	1064	powershell.exe	GOFKoqOvWzr6ie0Bvj.exe
PID 1064 wrote to memory of 1144	1064	powershell.exe	GOFKoqOvWzr6ie0Bvj.exe
PID 4836 wrote to memory of 1164	4836	wujUNmYy.exe	cmd.exe
PID 4836 wrote to memory of 1164	4836	wujUNmYy.exe	cmd.exe
PID 4836 wrote to memory of 1164	4836	wujUNmYy.exe	cmd.exe
PID 4836 wrote to memory of 1164	4836	wujUNmYy.exe	cmd.exe
PID 1164 wrote to memory of 1872	1164	cmd.exe	explorer.exe
PID 1164 wrote to memory of 1872	1164	cmd.exe	explorer.exe
PID 1164 wrote to memory of 1872	1164	cmd.exe	explorer.exe
PID 1164 wrote to memory of 1872	1164	cmd.exe	explorer.exe
PID 1164 wrote to memory of 1872	1164	cmd.exe	explorer.exe
PID 1164 wrote to memory of 1872	1164	cmd.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\!!@NeW_$etUp_2024_pAsSW0rds$_.exe
"C:\Users\Admin\AppData\Local\Temp\!!@NeW_$etUp_2024_pAsSW0rds$_.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1456

C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:5000

C:\Windows\SysWOW64\netsh.exe
C:\Windows\SysWOW64\netsh.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1436

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4868

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -exec bypass C:\Users\Admin\AppData\Local\Temp\W0IQXZIDJWGLLZULV87S6MJ6GOHQXK.ps1
5⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1064

C:\Windows\SysWOW64\ipconfig.exe
"C:\Windows\system32\ipconfig.exe" /flushdns
6⤵
- Gathers network information
PID:2588

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -c Add-MpPreference -ExclusionPath 'C:\Users\Admin'; Set-MpPreference -DisableRealtimeMonitoring True; Set-MpPreference -MAPSReporting 0; Set-MpPreference -SubmitSamplesConsent 2; Set-MpPreference -DisableArchiveScanning True; Set-MpPreference -DisableBehaviorMonitoring True; Set-MpPreference -DisableBlockAtFirstSeen True; Set-MpPreference -DisableIntrusionPreventionSystem True; Set-MpPreference -DisableIOAVProtection True; Set-MpPreference -DisablePrivacyMode True; Set-MpPreference -DisableScriptScanning True; Set-MpPreference -DisableScanningNetworkFiles True; Set-MpPreference -DisableScanningMappedNetworkDrivesForFullScan True; exit
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1584

C:\Users\Admin\AppData\Local\Temp\wujUNmYy.exe
"C:\Users\Admin\AppData\Local\Temp\wujUNmYy.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4836

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1164

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
8⤵
PID:1872

C:\Users\Admin\AppData\Local\Temp\54OPYw9Inz6qSdW.exe
"C:\Users\Admin\AppData\Local\Temp\54OPYw9Inz6qSdW.exe"
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2392

C:\Users\Admin\AppData\Local\Temp\GOFKoqOvWzr6ie0Bvj.exe
"C:\Users\Admin\AppData\Local\Temp\GOFKoqOvWzr6ie0Bvj.exe"
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1144

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4132 --field-trial-handle=2260,i,4762972005863767630,9297428255150568035,262144 --variations-seed-version /prefetch:8
1⤵
PID:2304

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\20e103d0
Filesize
998KB

MD5
f9651095c6bb6124b57eb2377d39b43a

SHA1
226da73ae6854798c331f3ff657bb57a513a8ec3

SHA256
91097c2a3efb544e4ca4f2a86c22997da902155103f7aafe6262ec711d32361c

SHA512
e2f46c97e3669733888fcddf71cd82f79367bce62cc1b4d36ca9879a370b0d241145a5509617601af509f22c6f5d6d587bec24de3eefedf976518ad4143737d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\4ed2c032
Filesize
1.2MB

MD5
c47b3e59f451975dd277c637e1636f43

SHA1
a86a805c219806a82352d76a6a89dbc61334e3b4

SHA256
d36db54ce9a87b04c1f60954f43c5adb5c88e52241e20e33460471567618bff1

SHA512
65aac733d4528de6fc55b725680b7cea3b3382e811552d12054b557c624d3c75612960fcf6e135fede47149e628c1ddb2b3c65ff1ce38cfc742c2d1f065c4742

Download Submit
C:\Users\Admin\AppData\Local\Temp\4faf31c7
Filesize
1.1MB

MD5
3caf0251f3d3a1116e50a83433f4bca0

SHA1
cdfe4d406a4c935d72fde02cf3c5d9692f1a9592

SHA256
5fbcd3e11a12863e913beb4ad6e38dfb6442352af01f6acdefb0bba6018265e2

SHA512
616c50a56bf1b5c60266759e1baa9a90a604e42bb2e8da2ac05da97fd0d085b1acb777125bcd4341810925f6ab8e639f71df3658ab5b67bcac7e29511f05abba

Download Submit
C:\Users\Admin\AppData\Local\Temp\54OPYw9Inz6qSdW.exe
Filesize
115KB

MD5
adc187b1e5a6b66ca28fd3be5f6790cc

SHA1
ce467cb5d6275cd8289847c77ed9ebaee1c04a89

SHA256
c4e838a74e5baf5dbd86beedff96c1c9353b49ecf2ad362f47a4b134453701ab

SHA512
9f5d187c585a7344375ef5f239d4d10461c3fd5bf6b411e7e85edd8ead1f2994f41e4c62587425de480d05b7ddac7bd4cdd0754e382fcdfeac2f59c8c14105d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\GOFKoqOvWzr6ie0Bvj.exe
Filesize
81KB

MD5
ebf4df07bce350808f86a7fd96d1c13f

SHA1
7b263a8c732e648c2597f965fe515d441c428d90

SHA256
5803fdc567c98f8d902020390105fb26fc61370a21a5af7aa1152ce1414db0e2

SHA512
532892705b8b1bc54f273e8b0bdfd620a4c2a0dc3af7f2ff425bfe75c09eb9ed7a356addb0b42095c1a713d3be82b9558a9bcd8025b8b85c68f7bf1f6b335c30

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Qt5Core.dll
Filesize
5.8MB

MD5
a69021f31874d4aefec8c3a2bedd4437

SHA1
aff85d5df7a4e69303f579b9a5a2ae82e14f3af6

SHA256
dc68a1446e829afa5c7e33f4dd2233e096a492bdf3a82eb0eeacfafb69bdecbf

SHA512
63fff0338d325f63431004f0fdf9e21a570536c1ac95ccd3f8a33c065d29d35d524ef6e2e5878d3986109e681480c03c2311b2447611003850d381bae4707667

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Qt5Gui.dll
Filesize
6.2MB

MD5
34893cb3d9a2250f0edecd68aedb72c7

SHA1
37161412df2c1313a54749fe6f33e4dbf41d128a

SHA256
ca8334b2e63bc01f0749afeb9e87943c29882131efe58608ea25732961b2df34

SHA512
484e32832d69ec1799bd1bcc694418801c443c732ed59ecd76b3f67abf0b1c97d64ae123728dfa99013df846ba45be310502ef6f8da42155da2e89f2a1e8cb2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Qt5Multimedia.dll
Filesize
716KB

MD5
a753b28600d26383401429a8641e145b

SHA1
057d76b836ad68602e9d03adfcf6fb002f5b73b5

SHA256
d6cd0a48b2b32f47fcd439b55769748b529149fbd1901f6c4759b263cea22216

SHA512
3bf3eadd96259f72d5f4152cb81da35decce77282cb6dc9a9277cbf60a31f47ecc9a571af85baec013b99af5b9edfc0ceaed5fab70282d7554991a6650478de5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Qt5Network.dll
Filesize
1.3MB

MD5
03bce6428b28109712aee67d612ca930

SHA1
f1cd0d5376b0a3553a36a3a899b9c3bfa390f6b0

SHA256
9477313d8b6291de7f2e7cc1829c50cf4c1de5a1c9f434a292c748a2b79c3567

SHA512
b103850b0f24f134b358689caddc12f741ed2bc18eae9c4cefcee5b1efba4f43b424c65cb8ed5ccaf3de833abcfd5a54806c7d402884a584c1a7ec1c16cf5ced

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Qt5PrintSupport.dll
Filesize
316KB

MD5
d0634933db2745397a603d5976bee8e7

SHA1
ddec98433bcfec1d9e38557d803bc73e1ff883b6

SHA256
7d91d3d341dbba568e2d19382e9d58a42a0d78064c3ad7adfe3c7bb14742c2b1

SHA512
9271370cd22115f68bd62572640525e086a05d75f5bc768f06e20b90b48a182f29a658a07099c7bc1e99bf0ffcf1229709524e2af6745d6fed7b41c1addd09f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Qt5Widgets.dll
Filesize
5.3MB

MD5
c502bb8a4a7dc3724ab09292cd3c70d6

SHA1
ff44fddeec2d335ec0eaa861714b561f899675fd

SHA256
4266918226c680789d49cf2407a7fec012b0ed872adafb84c7719e645f9b2e6d

SHA512
73bef89503ce032fba278876b7dab9eac275632df7a72c77093d433c932272da997e8fbeb431a09d84baac7b2ab2e55222ff687893311949a5603e738bfa6617

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Qt5WinExtras.dll
Filesize
282KB

MD5
3fb65e97206482138ae1093252c94021

SHA1
e6a1bea7ecd7d654b8160c60f673723669091953

SHA256
6c38c5fcc054c2344a5afcd4f92e4a2c4cc7d73c0b4f5087d037eee371862a29

SHA512
5c8c23a9e1c4546f2320277e3f9d1f9efae1e5f374d3d841c2964ff0d16897906c1d4c156648d3a7b885026279a4a1e4035944b0cb621f860431d6d65cc38e01

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe
Filesize
8.5MB

MD5
d96919680103fc15a941c14f42fef59f

SHA1
c8eb42ddb5ca60fefd4ce7884560f9d150cefcb7

SHA256
b9b50790c130e782fa572f832b3cec5ab77da914577a1bd5d209fed2acb516fa

SHA512
bf9a00d0888509fa14ba747440ea4fc1b1788082ca7446355c34853064006bc537c53973b9edcf785c3db0a4129ed2361f50a628390ed2f4e8f7417acfb8bb98

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\VCRUNTIME140_1.dll
Filesize
37KB

MD5
75e78e4bf561031d39f86143753400ff

SHA1
324c2a99e39f8992459495182677e91656a05206

SHA256
1758085a61527b427c4380f0c976d29a8bee889f2ac480c356a3f166433bf70e

SHA512
ce4daf46bce44a89d21308c63e2de8b757a23be2630360209c4a25eb13f1f66a04fbb0a124761a33bbf34496f2f2a02b8df159b4b62f1b6241e1dbfb0e5d9756

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\mommy.eps
Filesize
763KB

MD5
42d65f158858ae97401a478dbb024602

SHA1
370adef8e6863243db5e4a17b581dd391a465792

SHA256
ddfe3cfbbed68c40b80b5648dd3aa7e6e7cbcddfa5e96b64a287d9d1afdc2ede

SHA512
76f2b20c0d47b61c36dda3c53977dab512686882451ffb2437fd0ff0af196ae1946ba0af6a0a71759cacd3054f6a80da12f2c5b1b662986b4d93efb6486b7e44

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msvcp140.dll
Filesize
557KB

MD5
7db24201efea565d930b7ec3306f4308

SHA1
880c8034b1655597d0eebe056719a6f79b60e03c

SHA256
72fe4598f0b75d31ce2dc621e8ef161338c6450bb017cd06895745690603729e

SHA512
bac5729a3eb53e9bc7b680671d028cabef5ea102dfaa48a7c453b67f8ecb358db9f8fb16b3b1d9ea5a2dff34f459f6ac87f3a563c736d81d31048766198ff11e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\vcruntime140.dll
Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\W0IQXZIDJWGLLZULV87S6MJ6GOHQXK.ps1
Filesize
2KB

MD5
84fc911bc7f305f4f1e1526f114b32e8

SHA1
b856166c5f336facf362e1300404b7dd3cb4ed22

SHA256
503cb62569cf05f5c94fd45470d3fdae5a9c86ffc253ae086d727a1ad62337f7

SHA512
6c42fa5d2cc747eb6f9b561466104b354e66363c6636fc299465eb93817b605620c270947b918cbf169eb4a11df2ceea14ddf0e4a39c578e9cf519d9b9f92a2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_z0eq2hs3.433.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\wujUNmYy.exe
Filesize
8.1MB

MD5
31fd3d2bdee0fd45c35273bebe4907fa

SHA1
e464d8d3e5a16c0484ecb40e0599a3b4ad1e3f21

SHA256
5fa605bf9666dc9486a83737d1f77e241bb27a033e609625499f17dbf608e840

SHA512
5a5558811d5a167db43a0a96679f253c3692921e59bc61708a66f6f55458441bb3c3bdc24896eefabd5f2edfb6c87b87be520bd8abd29b0428d831d24ae947b9

Download Submit
memory/1144-403-0x00000210F5110000-0x00000210F5DE1000-memory.dmp

Filesize
12.8MB

Download
memory/1144-406-0x00000210F5110000-0x00000210F5DE1000-memory.dmp

Filesize
12.8MB

Download
memory/1436-79-0x00007FF9DC5D0000-0x00007FF9DC7C5000-memory.dmp

Filesize
2.0MB

Download
memory/1436-80-0x0000000074290000-0x00000000742A2000-memory.dmp

Filesize
72KB

Download
memory/1436-81-0x0000000074290000-0x00000000742A2000-memory.dmp

Filesize
72KB

Download
memory/1436-82-0x0000000074290000-0x00000000742A2000-memory.dmp

Filesize
72KB

Download
memory/2392-396-0x0000000006540000-0x0000000006759000-memory.dmp

Filesize
2.1MB

Download
memory/2392-369-0x0000000006540000-0x0000000006759000-memory.dmp

Filesize
2.1MB

Download
memory/2392-383-0x0000000006540000-0x0000000006759000-memory.dmp

Filesize
2.1MB

Download
memory/2392-391-0x0000000006540000-0x0000000006759000-memory.dmp

Filesize
2.1MB

Download
memory/2392-408-0x0000000006540000-0x0000000006759000-memory.dmp

Filesize
2.1MB

Download
memory/2392-381-0x0000000006540000-0x0000000006759000-memory.dmp

Filesize
2.1MB

Download
memory/2392-379-0x0000000006540000-0x0000000006759000-memory.dmp

Filesize
2.1MB

Download
memory/2392-377-0x0000000006540000-0x0000000006759000-memory.dmp

Filesize
2.1MB

Download
memory/2392-375-0x0000000006540000-0x0000000006759000-memory.dmp

Filesize
2.1MB

Download
memory/2392-373-0x0000000006540000-0x0000000006759000-memory.dmp

Filesize
2.1MB

Download
memory/2392-371-0x0000000006540000-0x0000000006759000-memory.dmp

Filesize
2.1MB

Download
memory/2392-389-0x0000000006540000-0x0000000006759000-memory.dmp

Filesize
2.1MB

Download
memory/2392-367-0x0000000006540000-0x0000000006759000-memory.dmp

Filesize
2.1MB

Download
memory/2392-366-0x0000000006540000-0x0000000006759000-memory.dmp

Filesize
2.1MB

Download
memory/2392-405-0x0000000006540000-0x0000000006759000-memory.dmp

Filesize
2.1MB

Download
memory/2392-402-0x0000000006540000-0x0000000006759000-memory.dmp

Filesize
2.1MB

Download
memory/2392-393-0x0000000006540000-0x0000000006759000-memory.dmp

Filesize
2.1MB

Download
memory/2392-398-0x0000000006540000-0x0000000006759000-memory.dmp

Filesize
2.1MB

Download
memory/2392-400-0x0000000006540000-0x0000000006759000-memory.dmp

Filesize
2.1MB

Download
memory/4836-333-0x0000000000B90000-0x0000000000F28000-memory.dmp

Filesize
3.6MB

Download
memory/4836-361-0x0000000074420000-0x000000007459B000-memory.dmp

Filesize
1.5MB

Download
memory/4836-362-0x00007FF9DC5D0000-0x00007FF9DC7C5000-memory.dmp

Filesize
2.0MB

Download
memory/4836-384-0x0000000074420000-0x000000007459B000-memory.dmp

Filesize
1.5MB

Download
memory/4868-92-0x0000000000C10000-0x0000000000C42000-memory.dmp

Filesize
200KB

Download
memory/4868-151-0x0000000003480000-0x0000000003481000-memory.dmp

Filesize
4KB

Download
memory/4868-113-0x0000000003380000-0x0000000003480000-memory.dmp

Filesize
1024KB

Download
memory/4868-116-0x0000000003380000-0x0000000003480000-memory.dmp

Filesize
1024KB

Download
memory/4868-117-0x0000000003380000-0x0000000003480000-memory.dmp

Filesize
1024KB

Download
memory/4868-118-0x0000000003380000-0x0000000003480000-memory.dmp

Filesize
1024KB

Download
memory/4868-119-0x0000000003380000-0x0000000003480000-memory.dmp

Filesize
1024KB

Download
memory/4868-120-0x0000000003380000-0x0000000003480000-memory.dmp

Filesize
1024KB

Download
memory/4868-121-0x0000000003380000-0x0000000003480000-memory.dmp

Filesize
1024KB

Download
memory/4868-123-0x0000000003380000-0x0000000003480000-memory.dmp

Filesize
1024KB

Download
memory/4868-122-0x0000000003380000-0x0000000003480000-memory.dmp

Filesize
1024KB

Download
memory/4868-124-0x0000000003380000-0x0000000003480000-memory.dmp

Filesize
1024KB

Download
memory/4868-126-0x0000000003380000-0x0000000003480000-memory.dmp

Filesize
1024KB

Download
memory/4868-127-0x0000000003380000-0x0000000003480000-memory.dmp

Filesize
1024KB

Download
memory/4868-128-0x0000000003380000-0x0000000003480000-memory.dmp

Filesize
1024KB

Download
memory/4868-129-0x0000000003380000-0x0000000003480000-memory.dmp

Filesize
1024KB

Download
memory/4868-130-0x0000000003480000-0x0000000003481000-memory.dmp

Filesize
4KB

Download
memory/4868-131-0x0000000003480000-0x0000000003481000-memory.dmp

Filesize
4KB

Download
memory/4868-132-0x0000000003480000-0x0000000003481000-memory.dmp

Filesize
4KB

Download
memory/4868-134-0x0000000003480000-0x0000000003481000-memory.dmp

Filesize
4KB

Download
memory/4868-135-0x0000000003480000-0x0000000003481000-memory.dmp

Filesize
4KB

Download
memory/4868-133-0x0000000003480000-0x0000000003481000-memory.dmp

Filesize
4KB

Download
memory/4868-137-0x0000000003480000-0x0000000003481000-memory.dmp

Filesize
4KB

Download
memory/4868-136-0x0000000003480000-0x0000000003481000-memory.dmp

Filesize
4KB

Download
memory/4868-138-0x00000000002C0000-0x000000000030D000-memory.dmp

Filesize
308KB

Download
memory/4868-140-0x0000000003480000-0x0000000003481000-memory.dmp

Filesize
4KB

Download
memory/4868-143-0x0000000003480000-0x0000000003481000-memory.dmp

Filesize
4KB

Download
memory/4868-145-0x0000000003480000-0x0000000003481000-memory.dmp

Filesize
4KB

Download
memory/4868-142-0x0000000003480000-0x0000000003481000-memory.dmp

Filesize
4KB

Download
memory/4868-141-0x0000000003480000-0x0000000003481000-memory.dmp

Filesize
4KB

Download
memory/4868-139-0x0000000003480000-0x0000000003481000-memory.dmp

Filesize
4KB

Download
memory/4868-144-0x0000000003480000-0x0000000003481000-memory.dmp

Filesize
4KB

Download
memory/4868-146-0x0000000003480000-0x0000000003481000-memory.dmp

Filesize
4KB

Download
memory/4868-147-0x0000000003480000-0x0000000003481000-memory.dmp

Filesize
4KB

Download
memory/4868-148-0x0000000003480000-0x0000000003481000-memory.dmp

Filesize
4KB

Download
memory/4868-150-0x0000000003480000-0x0000000003481000-memory.dmp

Filesize
4KB

Download
memory/4868-149-0x0000000003480000-0x0000000003481000-memory.dmp

Filesize
4KB

Download
memory/4868-115-0x0000000003380000-0x0000000003480000-memory.dmp

Filesize
1024KB

Download
memory/4868-152-0x0000000003480000-0x0000000003481000-memory.dmp

Filesize
4KB

Download
memory/4868-114-0x0000000003380000-0x0000000003480000-memory.dmp

Filesize
1024KB

Download
memory/4868-262-0x00000000002C0000-0x000000000030D000-memory.dmp

Filesize
308KB

Download
memory/4868-112-0x0000000003380000-0x0000000003480000-memory.dmp

Filesize
1024KB

Download
memory/4868-110-0x0000000003380000-0x0000000003480000-memory.dmp

Filesize
1024KB

Download
memory/4868-111-0x0000000003380000-0x0000000003480000-memory.dmp

Filesize
1024KB

Download
memory/4868-109-0x0000000003380000-0x0000000003480000-memory.dmp

Filesize
1024KB

Download
memory/4868-108-0x0000000003380000-0x0000000003480000-memory.dmp

Filesize
1024KB

Download
memory/4868-107-0x0000000003380000-0x0000000003480000-memory.dmp

Filesize
1024KB

Download
memory/4868-106-0x0000000003380000-0x0000000003480000-memory.dmp

Filesize
1024KB

Download
memory/4868-105-0x0000000003380000-0x0000000003480000-memory.dmp

Filesize
1024KB

Download
memory/4868-104-0x0000000003380000-0x0000000003480000-memory.dmp

Filesize
1024KB

Download
memory/4868-103-0x0000000003380000-0x0000000003480000-memory.dmp

Filesize
1024KB

Download
memory/4868-102-0x0000000003380000-0x0000000003480000-memory.dmp

Filesize
1024KB

Download
memory/4868-98-0x0000000003380000-0x0000000003480000-memory.dmp

Filesize
1024KB

Download
memory/4868-101-0x0000000003380000-0x0000000003480000-memory.dmp

Filesize
1024KB

Download
memory/4868-99-0x0000000003380000-0x0000000003480000-memory.dmp

Filesize
1024KB

Download
memory/4868-100-0x0000000003380000-0x0000000003480000-memory.dmp

Filesize
1024KB

Download
memory/4868-97-0x0000000003380000-0x0000000003480000-memory.dmp

Filesize
1024KB

Download
memory/4868-96-0x0000000003380000-0x0000000003480000-memory.dmp

Filesize
1024KB

Download
memory/4868-95-0x0000000003380000-0x0000000003480000-memory.dmp

Filesize
1024KB

Download
memory/4868-94-0x0000000003380000-0x0000000003480000-memory.dmp

Filesize
1024KB

Download
memory/4868-93-0x0000000000C10000-0x0000000000C42000-memory.dmp

Filesize
200KB

Download
memory/4868-90-0x0000000000C10000-0x0000000000C42000-memory.dmp

Filesize
200KB

Download
memory/4868-91-0x0000000000C10000-0x0000000000C42000-memory.dmp

Filesize
200KB

Download
memory/4868-89-0x0000000000310000-0x0000000000743000-memory.dmp

Filesize
4.2MB

Download
memory/4868-86-0x00000000002C0000-0x000000000030D000-memory.dmp

Filesize
308KB

Download
memory/4868-84-0x00007FF9DC5D0000-0x00007FF9DC7C5000-memory.dmp

Filesize
2.0MB

Download
memory/5000-75-0x00007FF9CC7E0000-0x00007FF9CC7F9000-memory.dmp

Filesize
100KB

Download
memory/5000-74-0x00007FF9CC7E0000-0x00007FF9CC7F9000-memory.dmp

Filesize
100KB

Download
memory/5000-62-0x00007FF745F60000-0x00007FF7467E4000-memory.dmp

Filesize
8.5MB

Download
memory/5000-56-0x00007FF9BC650000-0x00007FF9BCB9E000-memory.dmp

Filesize
5.3MB

Download
memory/5000-61-0x00007FF9CC7E0000-0x00007FF9CC7F9000-memory.dmp

Filesize
100KB

Download
memory/5000-59-0x00007FF745F60000-0x00007FF7467E4000-memory.dmp

Filesize
8.5MB

Download
memory/5000-54-0x00007FF745F60000-0x00007FF7467E4000-memory.dmp

Filesize
8.5MB

Download