lumma | 8bab4ba0004cd3a627a59e3877ec92ebff143a4810667b042e57ce168cf44e39

Analysis

max time kernel
147s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-12-2024 00:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

r12d12.space_b.txt.ps1
Size

1KB
MD5

35c92f4cd446344a166cbf83dbf0ff15
SHA1

e06f98c2f5f82eab44226937d5ce29600f407dcf
SHA256

8bab4ba0004cd3a627a59e3877ec92ebff143a4810667b042e57ce168cf44e39
SHA512

63128bbe01c0123b5131ed863759dfc19f036dfb53f2d62e15b24f5f3c1df2c8391f48881919741e599c4c922e95b9f7395b9da15d40b7e3655358a9832296da

Score

10^/10

lumma parallax remcos crypt04 discovery execution rat stealer

Malware Config

Extracted

Family

remcos

Botnet

Crypt04

185.208.158.161:2404

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
crashhandlerinfo
mouse_option
false
mutex
Rmc-F12W9O
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Extracted

Family

lumma

https://impend-differ.biz/api

https://print-vexer.biz/api

https://dare-curbys.biz/api

https://covery-mover.biz/api

https://formy-spill.biz/api

https://dwell-exclaim.biz/api

https://zinc-sneark.biz/api

https://se-blurry.biz/api

Extracted

Family

lumma

https://se-blurry.biz/api

https://zinc-sneark.biz/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
Parallax family
parallax
ParallaxRat
ParallaxRat is a multipurpose RAT written in MASM.
rat parallax

ParallaxRat payload 11 IoCs

Detects payload of Parallax Rat, a small portable Rat usually digitally signed with a Sectigo certificate.

resource	yara_rule
behavioral2/memory/4764-219-0x0000000000A30000-0x0000000000A5A000-memory.dmp	parallax_rat
behavioral2/memory/4764-225-0x0000000000A30000-0x0000000000A5A000-memory.dmp	parallax_rat
behavioral2/memory/4764-232-0x0000000000A30000-0x0000000000A5A000-memory.dmp	parallax_rat
behavioral2/memory/4764-236-0x0000000000A30000-0x0000000000A5A000-memory.dmp	parallax_rat
behavioral2/memory/4764-244-0x0000000000A30000-0x0000000000A5A000-memory.dmp	parallax_rat
behavioral2/memory/4764-248-0x0000000000A30000-0x0000000000A5A000-memory.dmp	parallax_rat
behavioral2/memory/4764-252-0x0000000000A30000-0x0000000000A5A000-memory.dmp	parallax_rat
behavioral2/memory/4764-256-0x0000000000A30000-0x0000000000A5A000-memory.dmp	parallax_rat
behavioral2/memory/4764-260-0x0000000000A30000-0x0000000000A5A000-memory.dmp	parallax_rat
behavioral2/memory/4764-264-0x0000000000A30000-0x0000000000A5A000-memory.dmp	parallax_rat
behavioral2/memory/4764-268-0x0000000000A30000-0x0000000000A5A000-memory.dmp	parallax_rat

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Blocklisted process makes network request 1 IoCs

flow	pid	Process
8	1600	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1600	powershell.exe
716	powershell.exe
4084	powershell.exe
2340	powershell.exe

Executes dropped EXE 6 IoCs

pid	Process
4500	Dashboard.exe
4752	Dashboard.exe
4140	Dashboard.exe
1952	Dashboard.exe
1176	Dashboard.exe
5040	Dashboard.exe

Loads dropped DLL 8 IoCs

pid	Process
4500	Dashboard.exe
4752	Dashboard.exe
4140	Dashboard.exe
1952	Dashboard.exe
1176	Dashboard.exe
5040	Dashboard.exe
664	writerpatch.exe
4764	writerpatch.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4140 set thread context of 3748	4140	Dashboard.exe	94
PID 1952 set thread context of 2408	1952	Dashboard.exe	95
PID 5040 set thread context of 4556	5040	Dashboard.exe	103

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\altApp_test.job	cmd.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2468	536	WerFault.exe	115
1228	536	WerFault.exe	115

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dashboard.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dashboard.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	writerpatch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dashboard.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dashboard.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dashboard.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dashboard.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
1600	powershell.exe
1600	powershell.exe
1600	powershell.exe
1600	powershell.exe
716	powershell.exe
716	powershell.exe
1600	powershell.exe
1600	powershell.exe
1600	powershell.exe
4084	powershell.exe
4084	powershell.exe
4500	Dashboard.exe
1600	powershell.exe
1600	powershell.exe
1600	powershell.exe
4752	Dashboard.exe
2340	powershell.exe
2340	powershell.exe
1600	powershell.exe
4140	Dashboard.exe
1952	Dashboard.exe
4140	Dashboard.exe
1952	Dashboard.exe
1176	Dashboard.exe
5040	Dashboard.exe
5040	Dashboard.exe
3748	cmd.exe
3748	cmd.exe
2408	cmd.exe
2408	cmd.exe
4556	cmd.exe
4556	cmd.exe

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
4140	Dashboard.exe
1952	Dashboard.exe
5040	Dashboard.exe
2408	cmd.exe
3748	cmd.exe
4556	cmd.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1600	powershell.exe
Token: SeDebugPrivilege	716	powershell.exe
Token: SeDebugPrivilege	4084	powershell.exe
Token: SeDebugPrivilege	2340	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
664	writerpatch.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 1600 wrote to memory of 3260	1600	powershell.exe	84
PID 1600 wrote to memory of 3260	1600	powershell.exe	84
PID 3260 wrote to memory of 2068	3260	csc.exe	85
PID 3260 wrote to memory of 2068	3260	csc.exe	85
PID 1600 wrote to memory of 716	1600	powershell.exe	86
PID 1600 wrote to memory of 716	1600	powershell.exe	86
PID 716 wrote to memory of 4500	716	powershell.exe	87
PID 716 wrote to memory of 4500	716	powershell.exe	87
PID 716 wrote to memory of 4500	716	powershell.exe	87
PID 1600 wrote to memory of 4084	1600	powershell.exe	88
PID 1600 wrote to memory of 4084	1600	powershell.exe	88
PID 4084 wrote to memory of 4752	4084	powershell.exe	89
PID 4084 wrote to memory of 4752	4084	powershell.exe	89
PID 4084 wrote to memory of 4752	4084	powershell.exe	89
PID 4500 wrote to memory of 4140	4500	Dashboard.exe	90
PID 4500 wrote to memory of 4140	4500	Dashboard.exe	90
PID 4500 wrote to memory of 4140	4500	Dashboard.exe	90
PID 1600 wrote to memory of 2340	1600	powershell.exe	91
PID 1600 wrote to memory of 2340	1600	powershell.exe	91
PID 4752 wrote to memory of 1952	4752	Dashboard.exe	92
PID 4752 wrote to memory of 1952	4752	Dashboard.exe	92
PID 4752 wrote to memory of 1952	4752	Dashboard.exe	92
PID 2340 wrote to memory of 1176	2340	powershell.exe	93
PID 2340 wrote to memory of 1176	2340	powershell.exe	93
PID 2340 wrote to memory of 1176	2340	powershell.exe	93
PID 4140 wrote to memory of 3748	4140	Dashboard.exe	94
PID 4140 wrote to memory of 3748	4140	Dashboard.exe	94
PID 4140 wrote to memory of 3748	4140	Dashboard.exe	94
PID 1952 wrote to memory of 2408	1952	Dashboard.exe	95
PID 1952 wrote to memory of 2408	1952	Dashboard.exe	95
PID 1952 wrote to memory of 2408	1952	Dashboard.exe	95
PID 1176 wrote to memory of 5040	1176	Dashboard.exe	101
PID 1176 wrote to memory of 5040	1176	Dashboard.exe	101
PID 1176 wrote to memory of 5040	1176	Dashboard.exe	101
PID 5040 wrote to memory of 4556	5040	Dashboard.exe	103
PID 5040 wrote to memory of 4556	5040	Dashboard.exe	103
PID 5040 wrote to memory of 4556	5040	Dashboard.exe	103
PID 4140 wrote to memory of 3748	4140	Dashboard.exe	94
PID 1952 wrote to memory of 2408	1952	Dashboard.exe	95
PID 5040 wrote to memory of 4556	5040	Dashboard.exe	103
PID 2408 wrote to memory of 664	2408	cmd.exe	111
PID 2408 wrote to memory of 664	2408	cmd.exe	111
PID 2408 wrote to memory of 664	2408	cmd.exe	111
PID 3748 wrote to memory of 536	3748	cmd.exe	115
PID 3748 wrote to memory of 536	3748	cmd.exe	115
PID 3748 wrote to memory of 536	3748	cmd.exe	115
PID 2408 wrote to memory of 664	2408	cmd.exe	111
PID 2408 wrote to memory of 664	2408	cmd.exe	111
PID 4556 wrote to memory of 4764	4556	cmd.exe	116
PID 4556 wrote to memory of 4764	4556	cmd.exe	116
PID 4556 wrote to memory of 4764	4556	cmd.exe	116
PID 3748 wrote to memory of 536	3748	cmd.exe	115
PID 4556 wrote to memory of 4764	4556	cmd.exe	116
PID 4556 wrote to memory of 4764	4556	cmd.exe	116
PID 2408 wrote to memory of 664	2408	cmd.exe	111
PID 4556 wrote to memory of 4764	4556	cmd.exe	116

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\r12d12.space_b.txt.ps1
1⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1600
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ia1wzaj1\ia1wzaj1.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3260
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9C21.tmp" "c:\Users\Admin\AppData\Local\Temp\ia1wzaj1\CSC4368834F26FD4E61BAE18237AF782DFA.TMP"
    3⤵
    PID:2068
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -Command "C:\Users\Admin\AppData\Local\Temp\extracted\Dashboard.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:716
- - C:\Users\Admin\AppData\Local\Temp\extracted\Dashboard.exe
    "C:\Users\Admin\AppData\Local\Temp\extracted\Dashboard.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4500
  - - C:\Users\Admin\AppData\Roaming\signarchive\Dashboard.exe
      C:\Users\Admin\AppData\Roaming\signarchive\Dashboard.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:4140
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:3748
      - C:\Windows\SysWOW64\explorer.exe
        
        C:\Windows\SysWOW64\explorer.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:536
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 536 -s 1528
        7⤵
        Program crash
        
        PID:2468
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 536 -s 1544
        7⤵
        Program crash
        
        PID:1228
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -Command "C:\Users\Admin\AppData\Local\Temp\extracted1\Dashboard.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4084
- - C:\Users\Admin\AppData\Local\Temp\extracted1\Dashboard.exe
    "C:\Users\Admin\AppData\Local\Temp\extracted1\Dashboard.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4752
  - - C:\Users\Admin\AppData\Roaming\NotepadAdvanced\Dashboard.exe
      C:\Users\Admin\AppData\Roaming\NotepadAdvanced\Dashboard.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:1952
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:2408
      - C:\Users\Admin\AppData\Local\Temp\writerpatch.exe
        
        C:\Users\Admin\AppData\Local\Temp\writerpatch.exe
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:664
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -Command "C:\Users\Admin\AppData\Local\Temp\extracted2\Dashboard.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2340
- - C:\Users\Admin\AppData\Local\Temp\extracted2\Dashboard.exe
    "C:\Users\Admin\AppData\Local\Temp\extracted2\Dashboard.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1176
  - - C:\Users\Admin\AppData\Roaming\syncarchive\Dashboard.exe
      C:\Users\Admin\AppData\Roaming\syncarchive\Dashboard.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:5040
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:4556
      - C:\Users\Admin\AppData\Local\Temp\writerpatch.exe
        
        C:\Users\Admin\AppData\Local\Temp\writerpatch.exe
        6⤵
        Loads dropped DLL
        
        PID:4764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 536 -ip 536
1⤵
PID:1304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 536 -ip 536
1⤵
PID:4996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\crashhandlerinfo\logs.dat

Filesize
144B

MD5
b652870ff2e77e81b48efb2cc200e9ef

SHA1
7741b9723529a3e929906c5594e293e2cf4ed67b

SHA256
344d7d34c69e8771f9db70b47376d19f23c766f57baf063f456e2966cb7a5608

SHA512
0d1603dbcbedd7745a0a6f9f52cab92a6a9c6004f69926d8ce863129be7c16b13304c1fee9ac5d207bbf68e76971a71cbdbff75a044e86b6c44d38197c7b7754

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
795f438ac2dada33cc5f84e28858b84f

SHA1
3a36ec41e4ab36d024947f83f89425e219a1a7e1

SHA256
70ed5658e006de5991cd203bef968c4e44af6e52dbc5112bb3cfbe1983e17333

SHA512
014dcb2a0bdb17b27932ef37f309a593a92304dd18fe0020d5e9ff63886ffdb6c19f0d175ba8774f4fd53277843141a309802cbb1f4ce70e1d25948c65751560

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
50a8221b93fbd2628ac460dd408a9fc1

SHA1
7e99fe16a9b14079b6f0316c37cc473e1f83a7e6

SHA256
46e488628e5348c9c4dfcdeed5a91747eae3b3aa49ae1b94d37173b6609efa0e

SHA512
27dda53e7edcc1a12c61234e850fe73bf3923f5c3c19826b67f2faf9e0a14ba6658001a9d6a56a7036409feb9238dd452406e88e318919127b4a06c64dba86f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\5685fa1a

Filesize
988KB

MD5
39e99389ad900a5a04a364ce9b985cd0

SHA1
8942dfcfae7bec89f709d421451b24d0dd19dd16

SHA256
d62109308c6e0272917e58cbb925cc44a99e9ce707196086e75a98b22697141e

SHA512
a9e49bac370560d63d1ba69057c9e8b191c6807f9bdb2b4fe6797c34645d002726c3be517b3659853575c546767188fd339ad1128e1bc1d0d81c89f2f499c158

Download Submit
C:\Users\Admin\AppData\Local\Temp\56f33e58

Filesize
1.6MB

MD5
f8bf08b857add4f57454c9f03388d506

SHA1
6599743fc9da5056d67e5f84a964d5cdef796cf5

SHA256
e6130b6e0b2cd5d36a0e07aab46d38fdbda14148db43c68dedb28f44efad9880

SHA512
0741cbb044b680d08264695b51e9303aef78122fa53bde6d3a3087f648fbba2a635ed1f1282fd9ab7f83137885c6eb1ad539dc9b78b438cfa73cd9a011f33c78

Download Submit
C:\Users\Admin\AppData\Local\Temp\70df18e8

Filesize
1.2MB

MD5
8c1a3297ebf60a785d3a9992891761f2

SHA1
190c684e7bdeca75b1d1cf2d774b0cd0697ec585

SHA256
3d7bcc2645e6b0237dcc18049e95beafde2322493747722c28dca12b0a8a453d

SHA512
ead7c5b7158236463ce2d01e2cd75cab583c4024c5fdfdcfcfababc7da62c07ea4ca59c376c0cea6a07e58f33aa5ddf68fe81db940f913e6a7396b8a3d27b99b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9C21.tmp

Filesize
1KB

MD5
d050591362e96cce4d429ce2e6328306

SHA1
cb4cd3cf3d0a46b62dc7271505e170243c6cddef

SHA256
bcc9791c6390a12a6c5743f850d30b87022c5b3e83bcb0726a45304be585895b

SHA512
3adaf7f032ce47990988bec37435e5afc63574b24c396e7da04b181f4b7f17c71917a797b66b4c07fc3f1def6349a6e2bce9feb4afcb0324e5b5d43d29399cb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vzxdcxdz.4ga.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\extracted1\lkw

Filesize
1.1MB

MD5
61156c6830e58c45d394ee287d690e42

SHA1
02751be99c13cfd33abdfd946b1d30d165347687

SHA256
7c22d05a2511f719ef53433899c305233efd80c77ffa8e876ce42c5c8efa7102

SHA512
c94a04f60fb14bbcf8515ff3430f1fa40efc50fedfef424d53a4c1776ad660862123f38570e12701c21c0241e9822ab8d4cb9eaf05cad348889753e09d853675

Download Submit
C:\Users\Admin\AppData\Local\Temp\extracted2\lkw

Filesize
807KB

MD5
bd63d959183ec0aca41ff4ce31f783b8

SHA1
02419ae0685f3b6aee4dd93d752b8c5e25e7ef8e

SHA256
297de40bbe64a3c103d541ad58caf1729893f4c090ea6283743494a68a59d4fa

SHA512
a582da637f45be0ed2b5acb69ac6f091a829608afc271ad18d2caef9a4ab15a0a4bd11d8c2d6a6132eb593029f6394b4bb34d767874e170a91b6e0af9673805d

Download Submit
C:\Users\Admin\AppData\Local\Temp\extracted\Dashboard.exe

Filesize
141KB

MD5
704925ecfdb24ef81190b82de0e5453c

SHA1
1128b3063180419893615ca73ad4f9dd51ebeac6

SHA256
8cc871ee8760a4658189528b4a5d8afe9824f6a13faaf1fe7eb56f2a3ad2d04e

SHA512
ca187015812ddfcaa6515f3a5b780183b4a772801aa14b3f785d6dee9b9aa7db6402a7b346623fd24cf4a28f9856683022b10c3d812f8f2888e25bb218cbf216

Download Submit
C:\Users\Admin\AppData\Local\Temp\extracted\UXCore.dll

Filesize
811KB

MD5
07a73d4a6a7613e8eb000eae63929991

SHA1
631b6c7591444048179e70a7b101035f887bd9b4

SHA256
cf81038add62d5b67c7f91e88ddc64a2fd1b2bafc4732f6e38bbda7bd78dd98c

SHA512
c80b4cbe57bbb191d6cc501d9b4c098da5d6d1e440dfd503e6cf94a17e3a247120bee2c057560c3b8ccaa1132d923a3015a74336d0e3df5db31ccd867e6903f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\extracted\lkw

Filesize
751KB

MD5
ed8ee7327801428abd0b661dc5431298

SHA1
869648355eecc13fd3808c40d0cebe2074d0ca8d

SHA256
fe84ee42976b33ba39c0c0c730a2318abe68bd7b18783fd324f117e46254571d

SHA512
7aba615189d7d4270a4948d139d1d3c2bfd729911661b3d39211803ec1710ee3da47ece6d7ca2ef7c8a5f481df16617a51eec62ccc418df9e1c03be52f9e91ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\extracted\msvcr80.dll

Filesize
612KB

MD5
43143abb001d4211fab627c136124a44

SHA1
edb99760ae04bfe68aaacf34eb0287a3c10ec885

SHA256
cb8928ff2faf2921b1eddc267dce1bb64e6fee4d15b68cd32588e0f3be116b03

SHA512
ced96ca5d1e2573dbf21875cf98a8fcb86b5bcdca4c041680a9cb87374378e04835f02ab569d5243608c68feb2e9b30ffe39feb598f5081261a57d1ce97556a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\extracted\posrbt

Filesize
27KB

MD5
32a041b0410f65eee86de5e71700325a

SHA1
382bca7990ce27f509d7fcac4e42af5531f2e68b

SHA256
de1d3d5587c058b4f62e2d9b9a32a0330806123657cbf8cf71cec3c2e8c15dd3

SHA512
d8b8d64017c67bf34ba7394dc2273b21eb8f86eb6b9d8b5fb7205683d7f8dd7929461430cd92a02a7eab1f1a93c880874b18f61eb95271fbb03a71e172afb201

Download Submit
C:\Users\Admin\AppData\Local\Temp\ia1wzaj1\ia1wzaj1.dll

Filesize
3KB

MD5
dd5986f00d4608e6b45955127c503887

SHA1
a4dbb3b7d59b438de310efb4a8a8e25b4b1db49a

SHA256
ae5a09cf85cbecefb926610283ce84b3f6cd42cb83c4eddc3b4957a606520249

SHA512
2c16d834ca4de3a7b0918a312696fc74aa428d9ad077813d9b1ee18c78c727fa3bd08c6c67f9d0368148aab6b95f9df315e12c99a7b20c9fc435512bc99b59e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\writerpatch.exe

Filesize
433KB

MD5
fea067901f48a5f1faf7ca3b373f1a8f

SHA1
e8abe0deb87de9fe3bb3a611234584e9a9b17cce

SHA256
bf24b2f3e3a3c60ed116791b99e5421a4de34ac9c6e2201d34ab487e448ce152

SHA512
07c83a2d3d5dd475bc8aa48eba9b03e8fb742dbbd7bd623ed05dc1086efed7dfd1c1b8f037ee2e81efba1de58ea3243d7c84ac8b484e808cd28765f9c7517023

Download Submit
C:\Windows\Tasks\altApp_test.job

Filesize
294B

MD5
52663062e343e6d6a4e471801758f3dd

SHA1
3e4a7912e3ecea87e70c11826f9985fa506cf09d

SHA256
c1050c41918e7d25cca17c364c9abca77a49cafbeae55ebd6ff17d8638d0a18f

SHA512
c73c09d0e58f3332833a458401891e9915a8683e14e150c708707b8bf4ad1ae420060db03348ee624d55c4c9837153775ee1b00d34b34b33c25ac2caea8b0fd4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ia1wzaj1\CSC4368834F26FD4E61BAE18237AF782DFA.TMP

Filesize
652B

MD5
67da7f7f639fa654539a50d63b8c0efe

SHA1
1eaa46ac2833c0c3861feadfca2db5229ec46933

SHA256
a2acfa2926db6079d1215ff4b32310e37b658707956fc069ae6834bd25556a6b

SHA512
0fbf9421b160cc9ec1a917233cef4b1c98136e2a9f187b317a145be7a9ccfb7d5950efde2619cb81fb045397c164defba53662e36b6885637dbd532c0cf3c07b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ia1wzaj1\ia1wzaj1.0.cs

Filesize
267B

MD5
23153877f0e70049d7f366448cc220bc

SHA1
2851269291a02ad0c7b60cb6ff7395bd1a20c659

SHA256
d7ed9035e9940848f250a57fb4f99e509e3fc50e4b5cb7be13c7ffb4787508ac

SHA512
82f29b8507abed31d15c2cb892c338debe6a2538c6be2c6741fb9c8afe76d26c43ec8b7060c37b1f91d1c475581e3bb816033bd09389d3973349a3b6e17af1a1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ia1wzaj1\ia1wzaj1.cmdline

Filesize
369B

MD5
0a438823ff4865537f96ae6463090331

SHA1
2ddc770bd58e4ae9af695cc8cda22fc555e9c6ba

SHA256
08e2dfa70572d205252fe17044239bc112482c1b60fe45f459ea0eed47b8ee91

SHA512
ad9cfc57e93c8856d30e0d8cf9649b9c54caa719b020e638656d297d484c281703885574e68766c604688ac1a192353cd15ab5d57297c8af676d27386f77578e

Download Submit
memory/536-215-0x00007FFF2B130000-0x00007FFF2B325000-memory.dmp

Filesize
2.0MB

Download
memory/536-224-0x0000000000700000-0x0000000000754000-memory.dmp

Filesize
336KB

Download
memory/536-230-0x0000000000700000-0x0000000000754000-memory.dmp

Filesize
336KB

Download
memory/664-220-0x0000000000350000-0x00000000003D1000-memory.dmp

Filesize
516KB

Download
memory/664-229-0x0000000000350000-0x00000000003D1000-memory.dmp

Filesize
516KB

Download
memory/664-258-0x0000000000350000-0x00000000003D1000-memory.dmp

Filesize
516KB

Download
memory/664-254-0x0000000000350000-0x00000000003D1000-memory.dmp

Filesize
516KB

Download
memory/664-250-0x0000000000350000-0x00000000003D1000-memory.dmp

Filesize
516KB

Download
memory/664-246-0x0000000000350000-0x00000000003D1000-memory.dmp

Filesize
516KB

Download
memory/664-242-0x0000000000350000-0x00000000003D1000-memory.dmp

Filesize
516KB

Download
memory/664-238-0x0000000000350000-0x00000000003D1000-memory.dmp

Filesize
516KB

Download
memory/664-234-0x0000000000350000-0x00000000003D1000-memory.dmp

Filesize
516KB

Download
memory/664-210-0x0000000000350000-0x00000000003D1000-memory.dmp

Filesize
516KB

Download
memory/664-213-0x00007FFF2B130000-0x00007FFF2B325000-memory.dmp

Filesize
2.0MB

Download
memory/716-52-0x00007FFF0CD40000-0x00007FFF0D801000-memory.dmp

Filesize
10.8MB

Download
memory/716-50-0x00007FFF0CD40000-0x00007FFF0D801000-memory.dmp

Filesize
10.8MB

Download
memory/716-59-0x00007FFF0CD40000-0x00007FFF0D801000-memory.dmp

Filesize
10.8MB

Download
memory/716-51-0x00007FFF0CD40000-0x00007FFF0D801000-memory.dmp

Filesize
10.8MB

Download
memory/1176-161-0x0000000074FE0000-0x000000007515B000-memory.dmp

Filesize
1.5MB

Download
memory/1176-162-0x00007FFF2B130000-0x00007FFF2B325000-memory.dmp

Filesize
2.0MB

Download
memory/1600-8-0x000001DD21750000-0x000001DD21772000-memory.dmp

Filesize
136KB

Download
memory/1600-12-0x00007FFF0CD40000-0x00007FFF0D801000-memory.dmp

Filesize
10.8MB

Download
memory/1600-142-0x00007FFF0CD40000-0x00007FFF0D801000-memory.dmp

Filesize
10.8MB

Download
memory/1600-141-0x00007FFF0CD43000-0x00007FFF0CD45000-memory.dmp

Filesize
8KB

Download
memory/1600-149-0x00007FFF0CD40000-0x00007FFF0D801000-memory.dmp

Filesize
10.8MB

Download
memory/1600-152-0x00007FFF0CD40000-0x00007FFF0D801000-memory.dmp

Filesize
10.8MB

Download
memory/1600-11-0x00007FFF0CD40000-0x00007FFF0D801000-memory.dmp

Filesize
10.8MB

Download
memory/1600-0-0x00007FFF0CD43000-0x00007FFF0CD45000-memory.dmp

Filesize
8KB

Download
memory/1600-25-0x000001DD21880000-0x000001DD21888000-memory.dmp

Filesize
32KB

Download
memory/1600-28-0x000001DD218A0000-0x000001DD218AA000-memory.dmp

Filesize
40KB

Download
memory/1600-29-0x000001DD218D0000-0x000001DD218E2000-memory.dmp

Filesize
72KB

Download
memory/1952-159-0x00007FFF2B130000-0x00007FFF2B325000-memory.dmp

Filesize
2.0MB

Download
memory/1952-180-0x0000000074FE0000-0x000000007515B000-memory.dmp

Filesize
1.5MB

Download
memory/1952-158-0x0000000074FE0000-0x000000007515B000-memory.dmp

Filesize
1.5MB

Download
memory/2408-186-0x0000000074FE0000-0x000000007515B000-memory.dmp

Filesize
1.5MB

Download
memory/2408-201-0x0000000074FE0000-0x000000007515B000-memory.dmp

Filesize
1.5MB

Download
memory/2408-185-0x00007FFF2B130000-0x00007FFF2B325000-memory.dmp

Filesize
2.0MB

Download
memory/3748-203-0x0000000074FE0000-0x000000007515B000-memory.dmp

Filesize
1.5MB

Download
memory/3748-184-0x00007FFF2B130000-0x00007FFF2B325000-memory.dmp

Filesize
2.0MB

Download
memory/4140-156-0x00007FFF2B130000-0x00007FFF2B325000-memory.dmp

Filesize
2.0MB

Download
memory/4140-178-0x0000000074FE0000-0x000000007515B000-memory.dmp

Filesize
1.5MB

Download
memory/4140-155-0x0000000074FE0000-0x000000007515B000-memory.dmp

Filesize
1.5MB

Download
memory/4500-92-0x00007FFF2B130000-0x00007FFF2B325000-memory.dmp

Filesize
2.0MB

Download
memory/4500-91-0x0000000074FE0000-0x000000007515B000-memory.dmp

Filesize
1.5MB

Download
memory/4556-194-0x00007FFF2B130000-0x00007FFF2B325000-memory.dmp

Filesize
2.0MB

Download
memory/4752-117-0x0000000074FE0000-0x000000007515B000-memory.dmp

Filesize
1.5MB

Download
memory/4752-118-0x00007FFF2B130000-0x00007FFF2B325000-memory.dmp

Filesize
2.0MB

Download
memory/4764-232-0x0000000000A30000-0x0000000000A5A000-memory.dmp

Filesize
168KB

Download
memory/4764-223-0x00007FFF2B130000-0x00007FFF2B325000-memory.dmp

Filesize
2.0MB

Download
memory/4764-225-0x0000000000A30000-0x0000000000A5A000-memory.dmp

Filesize
168KB

Download
memory/4764-268-0x0000000000A30000-0x0000000000A5A000-memory.dmp

Filesize
168KB

Download
memory/4764-244-0x0000000000A30000-0x0000000000A5A000-memory.dmp

Filesize
168KB

Download
memory/4764-264-0x0000000000A30000-0x0000000000A5A000-memory.dmp

Filesize
168KB

Download
memory/4764-248-0x0000000000A30000-0x0000000000A5A000-memory.dmp

Filesize
168KB

Download
memory/4764-236-0x0000000000A30000-0x0000000000A5A000-memory.dmp

Filesize
168KB

Download
memory/4764-252-0x0000000000A30000-0x0000000000A5A000-memory.dmp

Filesize
168KB

Download
memory/4764-219-0x0000000000A30000-0x0000000000A5A000-memory.dmp

Filesize
168KB

Download
memory/4764-256-0x0000000000A30000-0x0000000000A5A000-memory.dmp

Filesize
168KB

Download
memory/4764-260-0x0000000000A30000-0x0000000000A5A000-memory.dmp

Filesize
168KB

Download
memory/5040-187-0x0000000074FE0000-0x000000007515B000-memory.dmp

Filesize
1.5MB

Download
memory/5040-177-0x00007FFF2B130000-0x00007FFF2B325000-memory.dmp

Filesize
2.0MB

Download
memory/5040-176-0x0000000074FE0000-0x000000007515B000-memory.dmp

Filesize
1.5MB

Download