Overview

overview

10

Static

static

1

r12d12.spa...xt.ps1

windows7-x64

8

r12d12.spa...xt.ps1

windows10-2004-x64

10

Analysis

  • max time kernel
    93s
  • max time network
    93s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-12-2024 00:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    r12d12.space_b.txt.ps1

  • Size

    1KB

  • MD5

    35c92f4cd446344a166cbf83dbf0ff15

  • SHA1

    e06f98c2f5f82eab44226937d5ce29600f407dcf

  • SHA256

    8bab4ba0004cd3a627a59e3877ec92ebff143a4810667b042e57ce168cf44e39

  • SHA512

    63128bbe01c0123b5131ed863759dfc19f036dfb53f2d62e15b24f5f3c1df2c8391f48881919741e599c4c922e95b9f7395b9da15d40b7e3655358a9832296da

Score
10/10
lummaparallaxremcoscrypt04discoveryexecutionratstealer

Malware Config

Extracted

Family

lumma

C2

https://impend-differ.biz/api

https://print-vexer.biz/api

https://dare-curbys.biz/api

https://covery-mover.biz/api

https://formy-spill.biz/api

https://dwell-exclaim.biz/api

https://zinc-sneark.biz/api

https://se-blurry.biz/api

Extracted

Family

remcos

Botnet

Crypt04

C2

185.208.158.161:2404

Attributes
  • audio_folder

    MicRecords

  • audio_path

    ApplicationPath

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    crashhandlerinfo

  • mouse_option

    false

  • mutex

    Rmc-F12W9O

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Extracted

Family

lumma

C2

https://se-blurry.biz/api

https://zinc-sneark.biz/api

Signatures

  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    stealerlumma
  • Lumma family
    lumma
  • Parallax family
    parallax
  • ParallaxRat

    ParallaxRat is a multipurpose RAT written in MASM.

    ratparallax
  • ParallaxRat payload 5 IoCs

    Detects payload of Parallax Rat, a small portable Rat usually digitally signed with a Sectigo certificate.

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Remcos family
    remcos
  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell and hide display window.

    execution
  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 8 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Windows directory 1 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 56 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\r12d12.space_b.txt.ps1
    1⤵
    • Blocklisted process makes network request
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1388
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uhrscxnm\uhrscxnm.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1580
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8B48.tmp" "c:\Users\Admin\AppData\Local\Temp\uhrscxnm\CSC75F228C0C7B4E8F8286AC4FC198071.TMP"
        3⤵
          PID:2284
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -Command "C:\Users\Admin\AppData\Local\Temp\extracted\Dashboard.exe"
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1544
        • C:\Users\Admin\AppData\Local\Temp\extracted\Dashboard.exe
          "C:\Users\Admin\AppData\Local\Temp\extracted\Dashboard.exe"
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:4908
          • C:\Users\Admin\AppData\Roaming\signarchive\Dashboard.exe
            C:\Users\Admin\AppData\Roaming\signarchive\Dashboard.exe
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of WriteProcessMemory
            PID:736
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\SysWOW64\cmd.exe
              5⤵
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of WriteProcessMemory
              PID:3712
              • C:\Windows\SysWOW64\explorer.exe
                C:\Windows\SysWOW64\explorer.exe
                6⤵
                • System Location Discovery: System Language Discovery
                PID:4072
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 4072 -s 1556
                  7⤵
                  • Program crash
                  PID:448
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -Command "C:\Users\Admin\AppData\Local\Temp\extracted1\Dashboard.exe"
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:708
        • C:\Users\Admin\AppData\Local\Temp\extracted1\Dashboard.exe
          "C:\Users\Admin\AppData\Local\Temp\extracted1\Dashboard.exe"
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:4932
          • C:\Users\Admin\AppData\Roaming\NotepadAdvanced\Dashboard.exe
            C:\Users\Admin\AppData\Roaming\NotepadAdvanced\Dashboard.exe
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of WriteProcessMemory
            PID:2624
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\SysWOW64\cmd.exe
              5⤵
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of WriteProcessMemory
              PID:3060
              • C:\Users\Admin\AppData\Local\Temp\writerpatch.exe
                C:\Users\Admin\AppData\Local\Temp\writerpatch.exe
                6⤵
                • Loads dropped DLL
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: GetForegroundWindowSpam
                • Suspicious use of SetWindowsHookEx
                PID:4340
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -Command "C:\Users\Admin\AppData\Local\Temp\extracted2\Dashboard.exe"
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:5036
        • C:\Users\Admin\AppData\Local\Temp\extracted2\Dashboard.exe
          "C:\Users\Admin\AppData\Local\Temp\extracted2\Dashboard.exe"
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:5072
          • C:\Users\Admin\AppData\Roaming\syncarchive\Dashboard.exe
            C:\Users\Admin\AppData\Roaming\syncarchive\Dashboard.exe
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of WriteProcessMemory
            PID:4108
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\SysWOW64\cmd.exe
              5⤵
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of WriteProcessMemory
              PID:3632
              • C:\Users\Admin\AppData\Local\Temp\writerpatch.exe
                C:\Users\Admin\AppData\Local\Temp\writerpatch.exe
                6⤵
                • Loads dropped DLL
                PID:3472
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /4
      1⤵
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1580
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:3844
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4072 -ip 4072
        1⤵
          PID:1356

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\ProgramData\crashhandlerinfo\logs.dat
          Filesize

          416B

          MD5

          473d0f93fc953662a82c64e8878b4e58

          SHA1

          ba28ca986adbec80bf259756dcf0bbb223640c02

          SHA256

          a51a21f76e1f8ad0db92821559cb2c5e3df13f458403654a09e0d7430fd8c7b4

          SHA512

          03309488f66308eb1e51a5e4fb9d77ef478f0153fd4b1a7a736fa7e72fa78945c9562712268154d4b26e43ff9310b881412302356a35ff522c51156724a9e7d8

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
          Filesize

          2KB

          MD5

          d85ba6ff808d9e5444a4b369f5bc2730

          SHA1

          31aa9d96590fff6981b315e0b391b575e4c0804a

          SHA256

          84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

          SHA512

          8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          64B

          MD5

          446dd1cf97eaba21cf14d03aebc79f27

          SHA1

          36e4cc7367e0c7b40f4a8ace272941ea46373799

          SHA256

          a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

          SHA512

          a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          1KB

          MD5

          795f438ac2dada33cc5f84e28858b84f

          SHA1

          3a36ec41e4ab36d024947f83f89425e219a1a7e1

          SHA256

          70ed5658e006de5991cd203bef968c4e44af6e52dbc5112bb3cfbe1983e17333

          SHA512

          014dcb2a0bdb17b27932ef37f309a593a92304dd18fe0020d5e9ff63886ffdb6c19f0d175ba8774f4fd53277843141a309802cbb1f4ce70e1d25948c65751560

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          64B

          MD5

          5caad758326454b5788ec35315c4c304

          SHA1

          3aef8dba8042662a7fcf97e51047dc636b4d4724

          SHA256

          83e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391

          SHA512

          4e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\34afd131
          Filesize

          988KB

          MD5

          df553ab357bc1f5c0da42a49572425cb

          SHA1

          ea98dcbb07d830d837aa59880b1be3ffcdb72459

          SHA256

          1fe84e591ea64753d039734f0bd36e1a6d47c92a0f85ceeb4c4b78618724b61c

          SHA512

          cc3efe44987bbe2568ecff34bab1bd0efaa51e28ff3504ba914b9cd1c6d91736da4c16f892e32d57e1b2af134108b9baf357460bba8f4e84057ba77ff668fb7d

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\3e54ae42
          Filesize

          1.6MB

          MD5

          bd8bd35ad8282a6fdae032018ab07f2c

          SHA1

          4cb38f7ce34a9c725a11eba88b2f018fdac04349

          SHA256

          04128c9b45aa17e71d32abef405d24bd03d2d13ae8b2d4c305e90807368712d9

          SHA512

          13a8f2f78068f8fb4d7b2fd6e91742c7bc0f9a7c8870f5fe54c4ee91073f904a98a2c7ca35cfaeeeda32db9bc98ce08e957eeed615e8b786c112e9d1d4145a07

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\4f5c543f
          Filesize

          1.2MB

          MD5

          283cd4749319cc011d3cee0f68c6a702

          SHA1

          4b33dbd95e6a2c20b2d27dde6311b163319d2e6a

          SHA256

          bf24c8ccb869da1276f6a704be0d733555fd7eacc5bac5e9b4c9d3b3aac9061f

          SHA512

          b4031f9987b78d6fd8cdfca3fbd0f6104db4f98d308a3a68841a498ad3bbc824f5fb0eb6fc851a05fa099d33f37622fe23f2a21affeef78973f8a71b555a72c5

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\RES8B48.tmp
          Filesize

          1KB

          MD5

          9a3babe6b5dd9ded229c8a9f93c32e7e

          SHA1

          3ef24f9e122aceae054150d72aa35e64d78a97ab

          SHA256

          4c6e6ae0528304172df792ac1a5ba54574731d57d660d1946cfa44cab5ea36ca

          SHA512

          8ab416e238ad6db21fbb594a5c157fe2ab1de1f50d193dfd38748caf356e71f8c97a2795657f18aa8c7fb9d3309bf3f4409b72b09a25e4f01ee79df09ab6dd77

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ai2z5oro.u4w.ps1
          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\extracted1\lkw
          Filesize

          1.1MB

          MD5

          61156c6830e58c45d394ee287d690e42

          SHA1

          02751be99c13cfd33abdfd946b1d30d165347687

          SHA256

          7c22d05a2511f719ef53433899c305233efd80c77ffa8e876ce42c5c8efa7102

          SHA512

          c94a04f60fb14bbcf8515ff3430f1fa40efc50fedfef424d53a4c1776ad660862123f38570e12701c21c0241e9822ab8d4cb9eaf05cad348889753e09d853675

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\extracted2\lkw
          Filesize

          807KB

          MD5

          bd63d959183ec0aca41ff4ce31f783b8

          SHA1

          02419ae0685f3b6aee4dd93d752b8c5e25e7ef8e

          SHA256

          297de40bbe64a3c103d541ad58caf1729893f4c090ea6283743494a68a59d4fa

          SHA512

          a582da637f45be0ed2b5acb69ac6f091a829608afc271ad18d2caef9a4ab15a0a4bd11d8c2d6a6132eb593029f6394b4bb34d767874e170a91b6e0af9673805d

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\extracted\Dashboard.exe
          Filesize

          141KB

          MD5

          704925ecfdb24ef81190b82de0e5453c

          SHA1

          1128b3063180419893615ca73ad4f9dd51ebeac6

          SHA256

          8cc871ee8760a4658189528b4a5d8afe9824f6a13faaf1fe7eb56f2a3ad2d04e

          SHA512

          ca187015812ddfcaa6515f3a5b780183b4a772801aa14b3f785d6dee9b9aa7db6402a7b346623fd24cf4a28f9856683022b10c3d812f8f2888e25bb218cbf216

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\extracted\UXCore.dll
          Filesize

          811KB

          MD5

          07a73d4a6a7613e8eb000eae63929991

          SHA1

          631b6c7591444048179e70a7b101035f887bd9b4

          SHA256

          cf81038add62d5b67c7f91e88ddc64a2fd1b2bafc4732f6e38bbda7bd78dd98c

          SHA512

          c80b4cbe57bbb191d6cc501d9b4c098da5d6d1e440dfd503e6cf94a17e3a247120bee2c057560c3b8ccaa1132d923a3015a74336d0e3df5db31ccd867e6903f0

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\extracted\lkw
          Filesize

          751KB

          MD5

          ed8ee7327801428abd0b661dc5431298

          SHA1

          869648355eecc13fd3808c40d0cebe2074d0ca8d

          SHA256

          fe84ee42976b33ba39c0c0c730a2318abe68bd7b18783fd324f117e46254571d

          SHA512

          7aba615189d7d4270a4948d139d1d3c2bfd729911661b3d39211803ec1710ee3da47ece6d7ca2ef7c8a5f481df16617a51eec62ccc418df9e1c03be52f9e91ee

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\extracted\posrbt
          Filesize

          27KB

          MD5

          32a041b0410f65eee86de5e71700325a

          SHA1

          382bca7990ce27f509d7fcac4e42af5531f2e68b

          SHA256

          de1d3d5587c058b4f62e2d9b9a32a0330806123657cbf8cf71cec3c2e8c15dd3

          SHA512

          d8b8d64017c67bf34ba7394dc2273b21eb8f86eb6b9d8b5fb7205683d7f8dd7929461430cd92a02a7eab1f1a93c880874b18f61eb95271fbb03a71e172afb201

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\uhrscxnm\uhrscxnm.dll
          Filesize

          3KB

          MD5

          cc70e8602e71280cbf5ba225a2cb03f9

          SHA1

          e84e1df075763e837a2e62e154303177271d39a9

          SHA256

          e44959b5808fc573198a4a729531f9ab40be9eee38ba7fefd8cf48c1d707e957

          SHA512

          3af08a6639aa3c66ec1ae8ebab7175c382511096b8342b8b36be599660188e6738d65aa106479e812a34a31a8c7c7dd0cce03c0d67f87080c9e1d47ae0097c85

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\writerpatch.exe
          Filesize

          433KB

          MD5

          fea067901f48a5f1faf7ca3b373f1a8f

          SHA1

          e8abe0deb87de9fe3bb3a611234584e9a9b17cce

          SHA256

          bf24b2f3e3a3c60ed116791b99e5421a4de34ac9c6e2201d34ab487e448ce152

          SHA512

          07c83a2d3d5dd475bc8aa48eba9b03e8fb742dbbd7bd623ed05dc1086efed7dfd1c1b8f037ee2e81efba1de58ea3243d7c84ac8b484e808cd28765f9c7517023

          Download Submit

        • C:\Users\Admin\AppData\Roaming\signarchive\msvcr80.dll
          Filesize

          612KB

          MD5

          43143abb001d4211fab627c136124a44

          SHA1

          edb99760ae04bfe68aaacf34eb0287a3c10ec885

          SHA256

          cb8928ff2faf2921b1eddc267dce1bb64e6fee4d15b68cd32588e0f3be116b03

          SHA512

          ced96ca5d1e2573dbf21875cf98a8fcb86b5bcdca4c041680a9cb87374378e04835f02ab569d5243608c68feb2e9b30ffe39feb598f5081261a57d1ce97556a6

          Download Submit

        • C:\Windows\Tasks\altApp_test.job
          Filesize

          294B

          MD5

          86a518399cf6e5cb6634714adb272476

          SHA1

          63b3a9eae61693ec7e4b8baaeb027c5d6228e9a8

          SHA256

          cc95f1bb96d56fbbe70f1e11bf870f5acc3e9000b44968d12997e591b3c91d73

          SHA512

          7d99a75e031cc89e230ca7af9a4b6eedc72628f7f6529886184b78c6cfbcb3ce56d318f5d530dacd0ff98b0d68997f91822760223fc0c98f5868531013083ba0

          Download Submit

        • \??\c:\Users\Admin\AppData\Local\Temp\uhrscxnm\CSC75F228C0C7B4E8F8286AC4FC198071.TMP
          Filesize

          652B

          MD5

          6d3796051cb48b582062189083be86bc

          SHA1

          4cee3896a3dbbb0564cba5a08b5edd460885969e

          SHA256

          35530306810a47361730ab5e9c2d93ac60915f3a0d3dc7ad6d4f515a5ad1d02f

          SHA512

          5acfedc1e8683d68fbfc5ce9ee6dd228da7cef892bd1a0aeffc3b6a4c424a7dc042de5f954d4a30ef6293b2184c427134cf1b0c0046aadbf2767ccccf63fa8d0

          Download Submit

        • \??\c:\Users\Admin\AppData\Local\Temp\uhrscxnm\uhrscxnm.0.cs
          Filesize

          267B

          MD5

          23153877f0e70049d7f366448cc220bc

          SHA1

          2851269291a02ad0c7b60cb6ff7395bd1a20c659

          SHA256

          d7ed9035e9940848f250a57fb4f99e509e3fc50e4b5cb7be13c7ffb4787508ac

          SHA512

          82f29b8507abed31d15c2cb892c338debe6a2538c6be2c6741fb9c8afe76d26c43ec8b7060c37b1f91d1c475581e3bb816033bd09389d3973349a3b6e17af1a1

          Download Submit

        • \??\c:\Users\Admin\AppData\Local\Temp\uhrscxnm\uhrscxnm.cmdline
          Filesize

          369B

          MD5

          2990de7b43f6ef0b60420ac75c60fba6

          SHA1

          7cf763c5ea912f78e5d3e7091e9facd16946652f

          SHA256

          2875b4a8286f98fc8e81b21314771ceecd103bd920a63912fe401ebb08de2d75

          SHA512

          02897a98e26f3cba6cfcc6d7f67f05d048847f3a95605c1b324d6ff01a66a91b6bca4ffa73f15982d2ac023601c92ab00c727ccc40f3fac65c020ff331335ef5

          Download Submit

        • memory/736-149-0x0000000075440000-0x00000000755BB000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/736-151-0x00007FFB7C750000-0x00007FFB7C945000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/736-177-0x0000000075440000-0x00000000755BB000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/1388-28-0x000001C276690000-0x000001C27669A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/1388-29-0x000001C2766C0000-0x000001C2766D2000-memory.dmp

          Filesize

          72KB

          Download

        • memory/1388-6-0x000001C276400000-0x000001C276422000-memory.dmp

          Filesize

          136KB

          Download

        • memory/1388-11-0x00007FFB5E6D0000-0x00007FFB5F191000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1388-12-0x00007FFB5E6D0000-0x00007FFB5F191000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1388-0-0x00007FFB5E6D3000-0x00007FFB5E6D5000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1388-147-0x00007FFB5E6D3000-0x00007FFB5E6D5000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1388-104-0x00007FFB5E6D0000-0x00007FFB5F191000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1388-25-0x000001C275500000-0x000001C275508000-memory.dmp

          Filesize

          32KB

          Download

        • memory/1388-154-0x00007FFB5E6D0000-0x00007FFB5F191000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1544-51-0x00007FFB5E6D0000-0x00007FFB5F191000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1544-57-0x00007FFB5E6D0000-0x00007FFB5F191000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1544-52-0x00007FFB5E6D0000-0x00007FFB5F191000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1544-41-0x00007FFB5E6D0000-0x00007FFB5F191000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1580-193-0x000001C1EBFB0000-0x000001C1EBFB1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1580-199-0x000001C1EBFB0000-0x000001C1EBFB1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1580-200-0x000001C1EBFB0000-0x000001C1EBFB1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1580-201-0x000001C1EBFB0000-0x000001C1EBFB1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1580-203-0x000001C1EBFB0000-0x000001C1EBFB1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1580-204-0x000001C1EBFB0000-0x000001C1EBFB1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1580-205-0x000001C1EBFB0000-0x000001C1EBFB1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1580-202-0x000001C1EBFB0000-0x000001C1EBFB1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1580-195-0x000001C1EBFB0000-0x000001C1EBFB1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1580-194-0x000001C1EBFB0000-0x000001C1EBFB1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2624-180-0x0000000075440000-0x00000000755BB000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/2624-158-0x00007FFB7C750000-0x00007FFB7C945000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2624-157-0x0000000075440000-0x00000000755BB000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/3060-188-0x0000000075440000-0x00000000755BB000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/3060-187-0x00007FFB7C750000-0x00007FFB7C945000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/3060-214-0x0000000075440000-0x00000000755BB000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/3472-257-0x00000000005D0000-0x00000000005FA000-memory.dmp

          Filesize

          168KB

          Download

        • memory/3472-241-0x00000000005D0000-0x00000000005FA000-memory.dmp

          Filesize

          168KB

          Download

        • memory/3472-234-0x00007FFB7C750000-0x00007FFB7C945000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/3472-235-0x00000000005D0000-0x00000000005FA000-memory.dmp

          Filesize

          168KB

          Download

        • memory/3472-246-0x00000000005D0000-0x00000000005FA000-memory.dmp

          Filesize

          168KB

          Download

        • memory/3472-231-0x00000000005D0000-0x00000000005FA000-memory.dmp

          Filesize

          168KB

          Download

        • memory/3632-206-0x00007FFB7C750000-0x00007FFB7C945000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/3712-212-0x0000000075440000-0x00000000755BB000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/3712-183-0x00007FFB7C750000-0x00007FFB7C945000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/4072-225-0x00007FFB7C750000-0x00007FFB7C945000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/4072-229-0x00000000000A0000-0x00000000000F4000-memory.dmp

          Filesize

          336KB

          Download

        • memory/4072-238-0x00000000000A0000-0x00000000000F4000-memory.dmp

          Filesize

          336KB

          Download

        • memory/4108-175-0x0000000075440000-0x00000000755BB000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/4108-176-0x00007FFB7C750000-0x00007FFB7C945000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/4108-184-0x0000000075440000-0x00000000755BB000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/4340-224-0x00007FFB7C750000-0x00007FFB7C945000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/4340-259-0x0000000000400000-0x0000000000481000-memory.dmp

          Filesize

          516KB

          Download

        • memory/4340-230-0x0000000000400000-0x0000000000481000-memory.dmp

          Filesize

          516KB

          Download

        • memory/4340-239-0x0000000000400000-0x0000000000481000-memory.dmp

          Filesize

          516KB

          Download

        • memory/4340-243-0x0000000000400000-0x0000000000481000-memory.dmp

          Filesize

          516KB

          Download

        • memory/4340-254-0x0000000000400000-0x0000000000481000-memory.dmp

          Filesize

          516KB

          Download

        • memory/4340-249-0x0000000000400000-0x0000000000481000-memory.dmp

          Filesize

          516KB

          Download

        • memory/4908-90-0x0000000075440000-0x00000000755BB000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/4908-92-0x00007FFB7C750000-0x00007FFB7C945000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/4932-119-0x0000000075440000-0x00000000755BB000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/4932-130-0x00007FFB7C750000-0x00007FFB7C945000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/5072-160-0x0000000075440000-0x00000000755BB000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/5072-161-0x00007FFB7C750000-0x00007FFB7C945000-memory.dmp

          Filesize

          2.0MB

          Download