lumma | 8bab4ba0004cd3a627a59e3877ec92ebff143a4810667b042e57ce168cf44e39

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-12-2024 03:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8bab4ba0004cd3a627a59e3877ec92ebff143a4810667b042e57ce168cf44e39.ps1
Size

1KB
MD5

35c92f4cd446344a166cbf83dbf0ff15
SHA1

e06f98c2f5f82eab44226937d5ce29600f407dcf
SHA256

8bab4ba0004cd3a627a59e3877ec92ebff143a4810667b042e57ce168cf44e39
SHA512

63128bbe01c0123b5131ed863759dfc19f036dfb53f2d62e15b24f5f3c1df2c8391f48881919741e599c4c922e95b9f7395b9da15d40b7e3655358a9832296da

Score

10^/10

lumma parallax remcos crypt04 discovery execution rat spyware stealer

Malware Config

Extracted

Family

lumma

https://impend-differ.biz/api

https://print-vexer.biz/api

https://dare-curbys.biz/api

https://covery-mover.biz/api

https://formy-spill.biz/api

https://dwell-exclaim.biz/api

https://zinc-sneark.biz/api

https://se-blurry.biz/api

Extracted

Family

remcos

Botnet

Crypt04

185.208.158.161:2404

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
crashhandlerinfo
mouse_option
false
mutex
Rmc-F12W9O
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
Parallax family
parallax
ParallaxRat
ParallaxRat is a multipurpose RAT written in MASM.
rat parallax

ParallaxRat payload 3 IoCs

Detects payload of Parallax Rat, a small portable Rat usually digitally signed with a Sectigo certificate.

resource	yara_rule
behavioral2/memory/708-218-0x0000000000130000-0x000000000015A000-memory.dmp	parallax_rat
behavioral2/memory/708-223-0x0000000000130000-0x000000000015A000-memory.dmp	parallax_rat
behavioral2/memory/708-233-0x0000000000130000-0x000000000015A000-memory.dmp	parallax_rat

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Blocklisted process makes network request 1 IoCs

flow	pid	Process
7	4856	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4856	powershell.exe
640	powershell.exe
2344	powershell.exe
4208	powershell.exe

Executes dropped EXE 6 IoCs

pid	Process
1148	Dashboard.exe
2900	Dashboard.exe
3016	Dashboard.exe
2192	Dashboard.exe
3304	Dashboard.exe
4836	Dashboard.exe

Loads dropped DLL 8 IoCs

pid	Process
1148	Dashboard.exe
2900	Dashboard.exe
3016	Dashboard.exe
2192	Dashboard.exe
3304	Dashboard.exe
4836	Dashboard.exe
4408	writerpatch.exe
708	writerpatch.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3016 set thread context of 4212	3016	Dashboard.exe	96
PID 2192 set thread context of 3152	2192	Dashboard.exe	98
PID 4836 set thread context of 2388	4836	Dashboard.exe	102

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\altApp_test.job	cmd.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	writerpatch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dashboard.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dashboard.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dashboard.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dashboard.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dashboard.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dashboard.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
4856	powershell.exe
4856	powershell.exe
4856	powershell.exe
4856	powershell.exe
640	powershell.exe
640	powershell.exe
4856	powershell.exe
4856	powershell.exe
4856	powershell.exe
2344	powershell.exe
2344	powershell.exe
1148	Dashboard.exe
4856	powershell.exe
4856	powershell.exe
4856	powershell.exe
4208	powershell.exe
4208	powershell.exe
2900	Dashboard.exe
4856	powershell.exe
3016	Dashboard.exe
3016	Dashboard.exe
2192	Dashboard.exe
3304	Dashboard.exe
2192	Dashboard.exe
4836	Dashboard.exe
4836	Dashboard.exe
4212	cmd.exe
4212	cmd.exe
3152	cmd.exe
3152	cmd.exe
2388	cmd.exe
2388	cmd.exe
3760	explorer.exe
3760	explorer.exe
3760	explorer.exe
3760	explorer.exe

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
3016	Dashboard.exe
2192	Dashboard.exe
4836	Dashboard.exe
4212	cmd.exe
3152	cmd.exe
2388	cmd.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4856	powershell.exe
Token: SeDebugPrivilege	640	powershell.exe
Token: SeDebugPrivilege	2344	powershell.exe
Token: SeDebugPrivilege	4208	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4408	writerpatch.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 4856 wrote to memory of 2632	4856	powershell.exe	86
PID 4856 wrote to memory of 2632	4856	powershell.exe	86
PID 2632 wrote to memory of 3524	2632	csc.exe	87
PID 2632 wrote to memory of 3524	2632	csc.exe	87
PID 4856 wrote to memory of 640	4856	powershell.exe	88
PID 4856 wrote to memory of 640	4856	powershell.exe	88
PID 640 wrote to memory of 1148	640	powershell.exe	89
PID 640 wrote to memory of 1148	640	powershell.exe	89
PID 640 wrote to memory of 1148	640	powershell.exe	89
PID 4856 wrote to memory of 2344	4856	powershell.exe	90
PID 4856 wrote to memory of 2344	4856	powershell.exe	90
PID 2344 wrote to memory of 2900	2344	powershell.exe	91
PID 2344 wrote to memory of 2900	2344	powershell.exe	91
PID 2344 wrote to memory of 2900	2344	powershell.exe	91
PID 1148 wrote to memory of 3016	1148	Dashboard.exe	92
PID 1148 wrote to memory of 3016	1148	Dashboard.exe	92
PID 1148 wrote to memory of 3016	1148	Dashboard.exe	92
PID 4856 wrote to memory of 4208	4856	powershell.exe	93
PID 4856 wrote to memory of 4208	4856	powershell.exe	93
PID 2900 wrote to memory of 2192	2900	Dashboard.exe	94
PID 2900 wrote to memory of 2192	2900	Dashboard.exe	94
PID 2900 wrote to memory of 2192	2900	Dashboard.exe	94
PID 4208 wrote to memory of 3304	4208	powershell.exe	95
PID 4208 wrote to memory of 3304	4208	powershell.exe	95
PID 4208 wrote to memory of 3304	4208	powershell.exe	95
PID 3016 wrote to memory of 4212	3016	Dashboard.exe	96
PID 3016 wrote to memory of 4212	3016	Dashboard.exe	96
PID 3016 wrote to memory of 4212	3016	Dashboard.exe	96
PID 2192 wrote to memory of 3152	2192	Dashboard.exe	98
PID 2192 wrote to memory of 3152	2192	Dashboard.exe	98
PID 2192 wrote to memory of 3152	2192	Dashboard.exe	98
PID 3304 wrote to memory of 4836	3304	Dashboard.exe	100
PID 3304 wrote to memory of 4836	3304	Dashboard.exe	100
PID 3304 wrote to memory of 4836	3304	Dashboard.exe	100
PID 3016 wrote to memory of 4212	3016	Dashboard.exe	96
PID 4836 wrote to memory of 2388	4836	Dashboard.exe	102
PID 4836 wrote to memory of 2388	4836	Dashboard.exe	102
PID 4836 wrote to memory of 2388	4836	Dashboard.exe	102
PID 2192 wrote to memory of 3152	2192	Dashboard.exe	98
PID 4836 wrote to memory of 2388	4836	Dashboard.exe	102
PID 4212 wrote to memory of 3760	4212	cmd.exe	116
PID 4212 wrote to memory of 3760	4212	cmd.exe	116
PID 4212 wrote to memory of 3760	4212	cmd.exe	116
PID 3152 wrote to memory of 4408	3152	cmd.exe	117
PID 3152 wrote to memory of 4408	3152	cmd.exe	117
PID 3152 wrote to memory of 4408	3152	cmd.exe	117
PID 4212 wrote to memory of 3760	4212	cmd.exe	116
PID 2388 wrote to memory of 708	2388	cmd.exe	120
PID 2388 wrote to memory of 708	2388	cmd.exe	120
PID 2388 wrote to memory of 708	2388	cmd.exe	120
PID 3152 wrote to memory of 4408	3152	cmd.exe	117
PID 3152 wrote to memory of 4408	3152	cmd.exe	117
PID 2388 wrote to memory of 708	2388	cmd.exe	120
PID 2388 wrote to memory of 708	2388	cmd.exe	120
PID 3152 wrote to memory of 4408	3152	cmd.exe	117
PID 2388 wrote to memory of 708	2388	cmd.exe	120

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\8bab4ba0004cd3a627a59e3877ec92ebff143a4810667b042e57ce168cf44e39.ps1
1⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4856
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1yjpx5j3\1yjpx5j3.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2632
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES88D7.tmp" "c:\Users\Admin\AppData\Local\Temp\1yjpx5j3\CSC327652A36324F4C98F87E5E4B2CD45.TMP"
    3⤵
    PID:3524
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -Command "C:\Users\Admin\AppData\Local\Temp\extracted\Dashboard.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:640
- - C:\Users\Admin\AppData\Local\Temp\extracted\Dashboard.exe
    "C:\Users\Admin\AppData\Local\Temp\extracted\Dashboard.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1148
  - - C:\Users\Admin\AppData\Roaming\signarchive\Dashboard.exe
      C:\Users\Admin\AppData\Roaming\signarchive\Dashboard.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:3016
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:4212
      - C:\Windows\SysWOW64\explorer.exe
        
        C:\Windows\SysWOW64\explorer.exe
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3760
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -Command "C:\Users\Admin\AppData\Local\Temp\extracted1\Dashboard.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2344
- - C:\Users\Admin\AppData\Local\Temp\extracted1\Dashboard.exe
    "C:\Users\Admin\AppData\Local\Temp\extracted1\Dashboard.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2900
  - - C:\Users\Admin\AppData\Roaming\NotepadAdvanced\Dashboard.exe
      C:\Users\Admin\AppData\Roaming\NotepadAdvanced\Dashboard.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:2192
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:3152
      - C:\Users\Admin\AppData\Local\Temp\writerpatch.exe
        
        C:\Users\Admin\AppData\Local\Temp\writerpatch.exe
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4408
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -Command "C:\Users\Admin\AppData\Local\Temp\extracted2\Dashboard.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4208
- - C:\Users\Admin\AppData\Local\Temp\extracted2\Dashboard.exe
    "C:\Users\Admin\AppData\Local\Temp\extracted2\Dashboard.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3304
  - - C:\Users\Admin\AppData\Roaming\syncarchive\Dashboard.exe
      C:\Users\Admin\AppData\Roaming\syncarchive\Dashboard.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:4836
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:2388
      - C:\Users\Admin\AppData\Local\Temp\writerpatch.exe
        
        C:\Users\Admin\AppData\Local\Temp\writerpatch.exe
        6⤵
        Loads dropped DLL
        
        PID:708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\crashhandlerinfo\logs.dat

Filesize
144B

MD5
8f9125c8384dfdac64c3c7d78a10a39b

SHA1
5b1aad7add08408cf73e41b5f001f24e44f27f13

SHA256
cbf3b812cc96b8a8bedbba1c739e9979329e6fb602c1ab1090855a302cd34c16

SHA512
dc80cbe07b7759ec5fd298aedd04f68b9f3930612b257219feddea61c3c3f18ee7b21477ef767fba3263f1a7a45c89fc251e4b2c118c59184da196830b0a4e32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
795f438ac2dada33cc5f84e28858b84f

SHA1
3a36ec41e4ab36d024947f83f89425e219a1a7e1

SHA256
70ed5658e006de5991cd203bef968c4e44af6e52dbc5112bb3cfbe1983e17333

SHA512
014dcb2a0bdb17b27932ef37f309a593a92304dd18fe0020d5e9ff63886ffdb6c19f0d175ba8774f4fd53277843141a309802cbb1f4ce70e1d25948c65751560

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
5caad758326454b5788ec35315c4c304

SHA1
3aef8dba8042662a7fcf97e51047dc636b4d4724

SHA256
83e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391

SHA512
4e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693

Download Submit
C:\Users\Admin\AppData\Local\Temp\1yjpx5j3\1yjpx5j3.dll

Filesize
3KB

MD5
676559fc73b26256e96aca136e5cdc41

SHA1
faee33c4e18096ee978e2285ff75d120952d7dc7

SHA256
745db9bf3ef62f95a5db9c3d7752e5bc7fdcb4e8c274dbb0c27479a6b4f0f9b0

SHA512
1b158166d67b68fe9f459b10f688e37483f9c1c8d04514972e5382d5a3342217e40dea275d29f4f58f43cc18fad1a72116fcd5a8a5fad612c49469e744ff3151

Download Submit
C:\Users\Admin\AppData\Local\Temp\33a1c1f3

Filesize
988KB

MD5
eb63f56766ffc9467c8ae33a025c5516

SHA1
dcfce644ef5bdec765ee5278241bba189bee9f93

SHA256
fb38a62fa12ef0d0f2505b211cfd882bcde73689207fbefb40605726e60d8193

SHA512
36c3de6e958e62fbd33edec074e61fbbf740c0e9e1275e855f9e3eed44e68b5dd046bb0de9ba6e99b99d7b4687e55447f5210b6e0f214d7528d14617115166c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\3d9fc660

Filesize
1.6MB

MD5
024abf960b3a1375e9606815e98cdf5f

SHA1
cd6515babe1d542f0a5a9b07b6357077f114d008

SHA256
1b5b27746b0b75e8b9b78e558d89015f24a12c95ac720f740f4ffb840f6231b4

SHA512
5bea2c488baaf34aac99c5d2411c28e82934b62b065df9b29341bccc7fbcb5b4433a9ada80e3c07a4898be4cba01e84130a14599d1404452e0fc8918f2e1b431

Download Submit
C:\Users\Admin\AppData\Local\Temp\51fdf777

Filesize
1.2MB

MD5
5b3f1025b09c73306d372213515198e5

SHA1
9de2127d1a38301b12d307a8c990bd704c1fa668

SHA256
bff12ec2b210aacad5e0402db0722b795b1b9ee527069ff12f2f3f6eda260aa5

SHA512
5660c99efebae17497aa84a44b2b183bb3abf2763b9e63e009e97cd9ffea962bea95fd763691106b990108e0be0ce5748f6c6dc58a53dbc63b9677ce0cbbe32e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES88D7.tmp

Filesize
1KB

MD5
c2e687536a77742c0ac2c924e95c7143

SHA1
1e11c1c9075f180d09d974e2a511ae4ff496b55a

SHA256
908ac810cf1a47af118c88ef2b57da979fad384b42e6ce053d338bf1990cadf1

SHA512
1d4e6dadee722536b9adc6a6f87d4b23faa1de5d9755d8dd9b258dc862ff6a3318ba8a14c4617a53dd48e1c2f237e553803c128f75136e63802f461ab100e9d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_diprehnk.cz2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\extracted1\lkw

Filesize
1.1MB

MD5
61156c6830e58c45d394ee287d690e42

SHA1
02751be99c13cfd33abdfd946b1d30d165347687

SHA256
7c22d05a2511f719ef53433899c305233efd80c77ffa8e876ce42c5c8efa7102

SHA512
c94a04f60fb14bbcf8515ff3430f1fa40efc50fedfef424d53a4c1776ad660862123f38570e12701c21c0241e9822ab8d4cb9eaf05cad348889753e09d853675

Download Submit
C:\Users\Admin\AppData\Local\Temp\extracted2\lkw

Filesize
807KB

MD5
bd63d959183ec0aca41ff4ce31f783b8

SHA1
02419ae0685f3b6aee4dd93d752b8c5e25e7ef8e

SHA256
297de40bbe64a3c103d541ad58caf1729893f4c090ea6283743494a68a59d4fa

SHA512
a582da637f45be0ed2b5acb69ac6f091a829608afc271ad18d2caef9a4ab15a0a4bd11d8c2d6a6132eb593029f6394b4bb34d767874e170a91b6e0af9673805d

Download Submit
C:\Users\Admin\AppData\Local\Temp\extracted\Dashboard.exe

Filesize
141KB

MD5
704925ecfdb24ef81190b82de0e5453c

SHA1
1128b3063180419893615ca73ad4f9dd51ebeac6

SHA256
8cc871ee8760a4658189528b4a5d8afe9824f6a13faaf1fe7eb56f2a3ad2d04e

SHA512
ca187015812ddfcaa6515f3a5b780183b4a772801aa14b3f785d6dee9b9aa7db6402a7b346623fd24cf4a28f9856683022b10c3d812f8f2888e25bb218cbf216

Download Submit
C:\Users\Admin\AppData\Local\Temp\extracted\UXCore.dll

Filesize
811KB

MD5
07a73d4a6a7613e8eb000eae63929991

SHA1
631b6c7591444048179e70a7b101035f887bd9b4

SHA256
cf81038add62d5b67c7f91e88ddc64a2fd1b2bafc4732f6e38bbda7bd78dd98c

SHA512
c80b4cbe57bbb191d6cc501d9b4c098da5d6d1e440dfd503e6cf94a17e3a247120bee2c057560c3b8ccaa1132d923a3015a74336d0e3df5db31ccd867e6903f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\extracted\lkw

Filesize
751KB

MD5
ed8ee7327801428abd0b661dc5431298

SHA1
869648355eecc13fd3808c40d0cebe2074d0ca8d

SHA256
fe84ee42976b33ba39c0c0c730a2318abe68bd7b18783fd324f117e46254571d

SHA512
7aba615189d7d4270a4948d139d1d3c2bfd729911661b3d39211803ec1710ee3da47ece6d7ca2ef7c8a5f481df16617a51eec62ccc418df9e1c03be52f9e91ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\extracted\msvcr80.dll

Filesize
612KB

MD5
43143abb001d4211fab627c136124a44

SHA1
edb99760ae04bfe68aaacf34eb0287a3c10ec885

SHA256
cb8928ff2faf2921b1eddc267dce1bb64e6fee4d15b68cd32588e0f3be116b03

SHA512
ced96ca5d1e2573dbf21875cf98a8fcb86b5bcdca4c041680a9cb87374378e04835f02ab569d5243608c68feb2e9b30ffe39feb598f5081261a57d1ce97556a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\extracted\posrbt

Filesize
27KB

MD5
32a041b0410f65eee86de5e71700325a

SHA1
382bca7990ce27f509d7fcac4e42af5531f2e68b

SHA256
de1d3d5587c058b4f62e2d9b9a32a0330806123657cbf8cf71cec3c2e8c15dd3

SHA512
d8b8d64017c67bf34ba7394dc2273b21eb8f86eb6b9d8b5fb7205683d7f8dd7929461430cd92a02a7eab1f1a93c880874b18f61eb95271fbb03a71e172afb201

Download Submit
C:\Users\Admin\AppData\Local\Temp\writerpatch.exe

Filesize
433KB

MD5
fea067901f48a5f1faf7ca3b373f1a8f

SHA1
e8abe0deb87de9fe3bb3a611234584e9a9b17cce

SHA256
bf24b2f3e3a3c60ed116791b99e5421a4de34ac9c6e2201d34ab487e448ce152

SHA512
07c83a2d3d5dd475bc8aa48eba9b03e8fb742dbbd7bd623ed05dc1086efed7dfd1c1b8f037ee2e81efba1de58ea3243d7c84ac8b484e808cd28765f9c7517023

Download Submit
C:\Windows\Tasks\altApp_test.job

Filesize
294B

MD5
6287a58f3fced255856e89db9df34248

SHA1
de2b453614b66244db5d0c1d04c03f3410f6ec86

SHA256
337c970a55b638a9fe1d966e4c5cd798349cac284d5b41119c6831901dfb33b4

SHA512
1e9405d01a6c46fb739cd17c4127e1af7444ab5f553b908da67ec1688cd2f38fce7702a7f6eb5fdca42a78b02bec81a01f1b12f0bcc2c616f561cb10b8e4a5bf

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1yjpx5j3\1yjpx5j3.0.cs

Filesize
267B

MD5
23153877f0e70049d7f366448cc220bc

SHA1
2851269291a02ad0c7b60cb6ff7395bd1a20c659

SHA256
d7ed9035e9940848f250a57fb4f99e509e3fc50e4b5cb7be13c7ffb4787508ac

SHA512
82f29b8507abed31d15c2cb892c338debe6a2538c6be2c6741fb9c8afe76d26c43ec8b7060c37b1f91d1c475581e3bb816033bd09389d3973349a3b6e17af1a1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1yjpx5j3\1yjpx5j3.cmdline

Filesize
369B

MD5
7b94b906e4b46ec64dbf465acf68e5b0

SHA1
8bfab68504c056ab386cb1a98b4e42bfa09a6d00

SHA256
b6bba4be0d82b3bd9f1b7b71c85a2e0371b9b96a5c698beae5b853e4159be570

SHA512
0e26300b0e6010a4fba842b6872dd1e655666955d9dcafe806c4a81291996054535da115ca8167deb89a67db7b4b0826f1cfdc74d95f6d7acbb98dd382595406

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1yjpx5j3\CSC327652A36324F4C98F87E5E4B2CD45.TMP

Filesize
652B

MD5
693f6f460aacd3e611af6379aa5ab3d9

SHA1
7e644647f65492270a477182147227c4fd7c79dd

SHA256
061151e6560f70e6d28969a2e58680c8fafc9a162c6ca30c6aadcb3eb001758a

SHA512
3b0d0f028ac890d67ac676767cdc91be2449bcc4f464d1f68003456444c59252ffe0d127ae474480de4d7b443853af8fb2425b194d945f68a6c5e4f92094a9a6

Download Submit
memory/640-41-0x00007FFC0F870000-0x00007FFC10331000-memory.dmp

Filesize
10.8MB

Download
memory/640-52-0x00007FFC0F870000-0x00007FFC10331000-memory.dmp

Filesize
10.8MB

Download
memory/640-57-0x00007FFC0F870000-0x00007FFC10331000-memory.dmp

Filesize
10.8MB

Download
memory/640-51-0x00007FFC0F870000-0x00007FFC10331000-memory.dmp

Filesize
10.8MB

Download
memory/708-218-0x0000000000130000-0x000000000015A000-memory.dmp

Filesize
168KB

Download
memory/708-222-0x00007FFC2D890000-0x00007FFC2DA85000-memory.dmp

Filesize
2.0MB

Download
memory/708-223-0x0000000000130000-0x000000000015A000-memory.dmp

Filesize
168KB

Download
memory/708-233-0x0000000000130000-0x000000000015A000-memory.dmp

Filesize
168KB

Download
memory/1148-90-0x0000000075090000-0x000000007520B000-memory.dmp

Filesize
1.5MB

Download
memory/1148-92-0x00007FFC2D890000-0x00007FFC2DA85000-memory.dmp

Filesize
2.0MB

Download
memory/2192-158-0x0000000075090000-0x000000007520B000-memory.dmp

Filesize
1.5MB

Download
memory/2192-181-0x0000000075090000-0x000000007520B000-memory.dmp

Filesize
1.5MB

Download
memory/2192-160-0x00007FFC2D890000-0x00007FFC2DA85000-memory.dmp

Filesize
2.0MB

Download
memory/2388-194-0x00007FFC2D890000-0x00007FFC2DA85000-memory.dmp

Filesize
2.0MB

Download
memory/2900-129-0x00007FFC2D890000-0x00007FFC2DA85000-memory.dmp

Filesize
2.0MB

Download
memory/2900-128-0x0000000075090000-0x000000007520B000-memory.dmp

Filesize
1.5MB

Download
memory/3016-178-0x0000000075090000-0x000000007520B000-memory.dmp

Filesize
1.5MB

Download
memory/3016-156-0x00007FFC2D890000-0x00007FFC2DA85000-memory.dmp

Filesize
2.0MB

Download
memory/3016-152-0x0000000075090000-0x000000007520B000-memory.dmp

Filesize
1.5MB

Download
memory/3152-202-0x0000000075090000-0x000000007520B000-memory.dmp

Filesize
1.5MB

Download
memory/3152-188-0x00007FFC2D890000-0x00007FFC2DA85000-memory.dmp

Filesize
2.0MB

Download
memory/3152-189-0x0000000075090000-0x000000007520B000-memory.dmp

Filesize
1.5MB

Download
memory/3304-162-0x00007FFC2D890000-0x00007FFC2DA85000-memory.dmp

Filesize
2.0MB

Download
memory/3304-161-0x0000000075090000-0x000000007520B000-memory.dmp

Filesize
1.5MB

Download
memory/3760-225-0x0000000000610000-0x0000000000664000-memory.dmp

Filesize
336KB

Download
memory/3760-217-0x0000000000610000-0x0000000000664000-memory.dmp

Filesize
336KB

Download
memory/3760-213-0x00007FFC2D890000-0x00007FFC2DA85000-memory.dmp

Filesize
2.0MB

Download
memory/3760-227-0x0000000000610000-0x0000000000664000-memory.dmp

Filesize
336KB

Download
memory/4212-200-0x0000000075090000-0x000000007520B000-memory.dmp

Filesize
1.5MB

Download
memory/4212-184-0x00007FFC2D890000-0x00007FFC2DA85000-memory.dmp

Filesize
2.0MB

Download
memory/4408-219-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4408-235-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4408-239-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4408-243-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4408-231-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4408-212-0x00007FFC2D890000-0x00007FFC2DA85000-memory.dmp

Filesize
2.0MB

Download
memory/4408-247-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4408-226-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4836-177-0x00007FFC2D890000-0x00007FFC2DA85000-memory.dmp

Filesize
2.0MB

Download
memory/4836-185-0x0000000075090000-0x000000007520B000-memory.dmp

Filesize
1.5MB

Download
memory/4836-176-0x0000000075090000-0x000000007520B000-memory.dmp

Filesize
1.5MB

Download
memory/4856-147-0x00007FFC0F870000-0x00007FFC10331000-memory.dmp

Filesize
10.8MB

Download
memory/4856-12-0x00007FFC0F870000-0x00007FFC10331000-memory.dmp

Filesize
10.8MB

Download
memory/4856-25-0x0000013BE6F70000-0x0000013BE6F78000-memory.dmp

Filesize
32KB

Download
memory/4856-28-0x0000013BE6F90000-0x0000013BE6F9A000-memory.dmp

Filesize
40KB

Download
memory/4856-29-0x0000013BE6FC0000-0x0000013BE6FD2000-memory.dmp

Filesize
72KB

Download
memory/4856-11-0x00007FFC0F870000-0x00007FFC10331000-memory.dmp

Filesize
10.8MB

Download
memory/4856-6-0x0000013BE6F40000-0x0000013BE6F62000-memory.dmp

Filesize
136KB

Download
memory/4856-0-0x00007FFC0F873000-0x00007FFC0F875000-memory.dmp

Filesize
8KB

Download
memory/4856-146-0x00007FFC0F873000-0x00007FFC0F875000-memory.dmp

Filesize
8KB

Download
memory/4856-155-0x00007FFC0F870000-0x00007FFC10331000-memory.dmp

Filesize
10.8MB

Download
memory/4856-148-0x00007FFC0F870000-0x00007FFC10331000-memory.dmp

Filesize
10.8MB

Download