lumma | bd948aeb2b607b34e8d32f22b9e5aee402057adebae4a2e0c70bd666e688f1f8

max time kernel
149s
max time network
151s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250113-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250113-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
17/01/2025, 14:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4363463463464363463463463.exe
Size

10KB
MD5

2a94f3960c58c6e70826495f76d00b85
SHA1

e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
SHA256

2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
SHA512

fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
SSDEEP

192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

Score

10^/10

lumma quasar redline xworm @glowfy0 office04 powerstealer user discovery evasion execution infostealer persistence rat spyware stealer trojan

Malware Config

Extracted

Family

lumma

https://covvercilverow.shop/api

https://surroundeocw.shop/api

https://abortinoiwiam.shop/api

https://pumpkinkwquo.shop/api

https://priooozekw.shop/api

https://deallyharvenw.shop/api

https://defenddsouneuw.shop/api

https://racedsuitreow.shop/api

https://roaddrermncomplai.shop/api

Extracted

Family

xworm

193.222.96.100:5555

163.5.215.245:9049

Attributes

Install_directory
%Temp%
install_file
requirements.exe

aes.plain

Extracted

Family

quasar

Version

1.4.0

Botnet

Office04

192.168.31.99:4782

2001:4bc9:1f98:a4e::676:4782

255.255.255.0:4782

fe80::cabf:4cff:fe84:9572%17:4782

Mutex

1f65a787-81b8-4955-95e4-b7751e10cd50

Attributes

encryption_key
A0B82A50BBC49EC084E3E53A9E34DF58BD7050B9
install_name
Java Updater.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Java Updater
subdirectory
SubDir

Extracted

Family

redline

Botnet

@glowfy0

91.214.78.86:1912

Extracted

Family

quasar

Version

1.4.1

Botnet

powerstealer

192.168.56.1:4782

Mutex

6760d0e9-9df9-4aba-89be-4e5ce3e92cc8

Attributes

encryption_key
057FCAF700E62ACFECC7338C474084AF9B47ABEB
install_name
powerstealer.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Extracted

Family

quasar

Version

1.1.0.0

Botnet

User

erbaevbann3.ddns.net:4444

Mutex

xTSR_MUTEX_tDOmSpZY0vhNMbdmkR

Attributes

encryption_key
Uz3u2uI4Ld2N91oq93Eb
install_name
systemware.exe
log_directory
logs
reconnect_delay
3000
startup_key
System Ware
subdirectory
system

Signatures

Detect Xworm Payload 4 IoCs

resource	yara_rule
behavioral3/files/0x0028000000046144-41.dat	family_xworm
behavioral3/memory/4660-52-0x0000000000880000-0x0000000000898000-memory.dmp	family_xworm
behavioral3/files/0x002b000000046168-260.dat	family_xworm
behavioral3/memory/4116-270-0x00000000004E0000-0x00000000004F6000-memory.dmp	family_xworm

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 6 IoCs

resource	yara_rule
behavioral3/files/0x002900000004615e-124.dat	family_quasar
behavioral3/memory/3580-134-0x0000000000DA0000-0x0000000000E24000-memory.dmp	family_quasar
behavioral3/files/0x0029000000046167-242.dat	family_quasar
behavioral3/memory/2452-252-0x00000000005F0000-0x000000000091A000-memory.dmp	family_quasar
behavioral3/files/0x002800000004616c-273.dat	family_quasar
behavioral3/memory/3932-285-0x00000000007E0000-0x000000000083E000-memory.dmp	family_quasar

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral3/files/0x0028000000046161-185.dat	family_redline
behavioral3/memory/3208-195-0x0000000000B40000-0x0000000000B92000-memory.dmp	family_redline

Redline family
redline

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wefhrf.exe

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2020	powershell.exe
1768	powershell.exe
4560	powershell.exe
1176	powershell.exe
1632	powershell.exe
1112	powershell.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-564748828-2201999071-3764224244-1000\Control Panel\International\Geo\Nation	4363463463464363463463463.exe
Key value queried	\REGISTRY\USER\S-1-5-21-564748828-2201999071-3764224244-1000\Control Panel\International\Geo\Nation	requirements.exe
Key value queried	\REGISTRY\USER\S-1-5-21-564748828-2201999071-3764224244-1000\Control Panel\International\Geo\Nation	wefhrf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-564748828-2201999071-3764224244-1000\Control Panel\International\Geo\Nation	build6_unencrypted.exe
Key value queried	\REGISTRY\USER\S-1-5-21-564748828-2201999071-3764224244-1000\Control Panel\International\Geo\Nation	systemware.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\requirements.lnk	requirements.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\requirements.lnk	requirements.exe

Executes dropped EXE 17 IoCs

pid	Process
3784	ExtremeInjector.exe
4660	requirements.exe
872	requirements.exe
3656	loader.exe
3580	spectrum.exe
2844	wefhrf.exe
1000	steamerx.exe
5068	Java Updater.exe
3208	toolwin.exe
4592	requirements.exe
2452	Discord.exe
4492	powerstealer.exe
4116	build6_unencrypted.exe
3932	intro.avi.exe
2496	systemware.exe
2148	systemware.exe
4052	requirements.exe

Loads dropped DLL 1 IoCs

pid	Process
3784	ExtremeInjector.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-564748828-2201999071-3764224244-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\requirements = "C:\\Users\\Admin\\AppData\\Local\\Temp\\requirements.exe"	requirements.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wefhrf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wefhrf.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
10	raw.githubusercontent.com
9	raw.githubusercontent.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
29	ip-api.com
80	ip-api.com

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
3656	loader.exe
3656	loader.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3784 set thread context of 4332	3784	ExtremeInjector.exe	87

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2456	2496	WerFault.exe	134
4964	2148	WerFault.exe	145

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wefhrf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	steamerx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	toolwin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_regiis.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4363463463464363463463463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ExtremeInjector.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intro.avi.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4044	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4044	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 8 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4904	schtasks.exe
4052	schtasks.exe
2792	schtasks.exe
4568	schtasks.exe
4000	schtasks.exe
3604	schtasks.exe
2632	schtasks.exe
4512	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4116	build6_unencrypted.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2020	powershell.exe
2020	powershell.exe
1768	powershell.exe
1768	powershell.exe
4560	powershell.exe
4560	powershell.exe
1176	powershell.exe
1176	powershell.exe
3656	loader.exe
3656	loader.exe
2844	wefhrf.exe
1632	powershell.exe
1632	powershell.exe
1112	powershell.exe
1112	powershell.exe
1112	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	828	4363463463464363463463463.exe
Token: SeDebugPrivilege	4660	requirements.exe
Token: SeDebugPrivilege	2020	powershell.exe
Token: SeIncreaseQuotaPrivilege	2020	powershell.exe
Token: SeSecurityPrivilege	2020	powershell.exe
Token: SeTakeOwnershipPrivilege	2020	powershell.exe
Token: SeLoadDriverPrivilege	2020	powershell.exe
Token: SeSystemProfilePrivilege	2020	powershell.exe
Token: SeSystemtimePrivilege	2020	powershell.exe
Token: SeProfSingleProcessPrivilege	2020	powershell.exe
Token: SeIncBasePriorityPrivilege	2020	powershell.exe
Token: SeCreatePagefilePrivilege	2020	powershell.exe
Token: SeBackupPrivilege	2020	powershell.exe
Token: SeRestorePrivilege	2020	powershell.exe
Token: SeShutdownPrivilege	2020	powershell.exe
Token: SeDebugPrivilege	2020	powershell.exe
Token: SeSystemEnvironmentPrivilege	2020	powershell.exe
Token: SeRemoteShutdownPrivilege	2020	powershell.exe
Token: SeUndockPrivilege	2020	powershell.exe
Token: SeManageVolumePrivilege	2020	powershell.exe
Token: 33	2020	powershell.exe
Token: 34	2020	powershell.exe
Token: 35	2020	powershell.exe
Token: 36	2020	powershell.exe
Token: SeDebugPrivilege	1768	powershell.exe
Token: SeIncreaseQuotaPrivilege	1768	powershell.exe
Token: SeSecurityPrivilege	1768	powershell.exe
Token: SeTakeOwnershipPrivilege	1768	powershell.exe
Token: SeLoadDriverPrivilege	1768	powershell.exe
Token: SeSystemProfilePrivilege	1768	powershell.exe
Token: SeSystemtimePrivilege	1768	powershell.exe
Token: SeProfSingleProcessPrivilege	1768	powershell.exe
Token: SeIncBasePriorityPrivilege	1768	powershell.exe
Token: SeCreatePagefilePrivilege	1768	powershell.exe
Token: SeBackupPrivilege	1768	powershell.exe
Token: SeRestorePrivilege	1768	powershell.exe
Token: SeShutdownPrivilege	1768	powershell.exe
Token: SeDebugPrivilege	1768	powershell.exe
Token: SeSystemEnvironmentPrivilege	1768	powershell.exe
Token: SeRemoteShutdownPrivilege	1768	powershell.exe
Token: SeUndockPrivilege	1768	powershell.exe
Token: SeManageVolumePrivilege	1768	powershell.exe
Token: 33	1768	powershell.exe
Token: 34	1768	powershell.exe
Token: 35	1768	powershell.exe
Token: 36	1768	powershell.exe
Token: SeDebugPrivilege	4560	powershell.exe
Token: SeIncreaseQuotaPrivilege	4560	powershell.exe
Token: SeSecurityPrivilege	4560	powershell.exe
Token: SeTakeOwnershipPrivilege	4560	powershell.exe
Token: SeLoadDriverPrivilege	4560	powershell.exe
Token: SeSystemProfilePrivilege	4560	powershell.exe
Token: SeSystemtimePrivilege	4560	powershell.exe
Token: SeProfSingleProcessPrivilege	4560	powershell.exe
Token: SeIncBasePriorityPrivilege	4560	powershell.exe
Token: SeCreatePagefilePrivilege	4560	powershell.exe
Token: SeBackupPrivilege	4560	powershell.exe
Token: SeRestorePrivilege	4560	powershell.exe
Token: SeShutdownPrivilege	4560	powershell.exe
Token: SeDebugPrivilege	4560	powershell.exe
Token: SeSystemEnvironmentPrivilege	4560	powershell.exe
Token: SeRemoteShutdownPrivilege	4560	powershell.exe
Token: SeUndockPrivilege	4560	powershell.exe
Token: SeManageVolumePrivilege	4560	powershell.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
5068	Java Updater.exe
4492	powerstealer.exe
2496	systemware.exe
2148	systemware.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 828 wrote to memory of 3784	828	4363463463464363463463463.exe	85
PID 828 wrote to memory of 3784	828	4363463463464363463463463.exe	85
PID 828 wrote to memory of 3784	828	4363463463464363463463463.exe	85
PID 3784 wrote to memory of 4332	3784	ExtremeInjector.exe	87
PID 3784 wrote to memory of 4332	3784	ExtremeInjector.exe	87
PID 3784 wrote to memory of 4332	3784	ExtremeInjector.exe	87
PID 3784 wrote to memory of 4332	3784	ExtremeInjector.exe	87
PID 3784 wrote to memory of 4332	3784	ExtremeInjector.exe	87
PID 3784 wrote to memory of 4332	3784	ExtremeInjector.exe	87
PID 3784 wrote to memory of 4332	3784	ExtremeInjector.exe	87
PID 3784 wrote to memory of 4332	3784	ExtremeInjector.exe	87
PID 3784 wrote to memory of 4332	3784	ExtremeInjector.exe	87
PID 828 wrote to memory of 4660	828	4363463463464363463463463.exe	88
PID 828 wrote to memory of 4660	828	4363463463464363463463463.exe	88
PID 4660 wrote to memory of 2020	4660	requirements.exe	90
PID 4660 wrote to memory of 2020	4660	requirements.exe	90
PID 4660 wrote to memory of 1768	4660	requirements.exe	93
PID 4660 wrote to memory of 1768	4660	requirements.exe	93
PID 4660 wrote to memory of 4560	4660	requirements.exe	95
PID 4660 wrote to memory of 4560	4660	requirements.exe	95
PID 4660 wrote to memory of 1176	4660	requirements.exe	97
PID 4660 wrote to memory of 1176	4660	requirements.exe	97
PID 4660 wrote to memory of 3604	4660	requirements.exe	99
PID 4660 wrote to memory of 3604	4660	requirements.exe	99
PID 828 wrote to memory of 3656	828	4363463463464363463463463.exe	104
PID 828 wrote to memory of 3656	828	4363463463464363463463463.exe	104
PID 828 wrote to memory of 3580	828	4363463463464363463463463.exe	106
PID 828 wrote to memory of 3580	828	4363463463464363463463463.exe	106
PID 828 wrote to memory of 2844	828	4363463463464363463463463.exe	107
PID 828 wrote to memory of 2844	828	4363463463464363463463463.exe	107
PID 828 wrote to memory of 2844	828	4363463463464363463463463.exe	107
PID 828 wrote to memory of 1000	828	4363463463464363463463463.exe	108
PID 828 wrote to memory of 1000	828	4363463463464363463463463.exe	108
PID 828 wrote to memory of 1000	828	4363463463464363463463463.exe	108
PID 3580 wrote to memory of 2632	3580	spectrum.exe	110
PID 3580 wrote to memory of 2632	3580	spectrum.exe	110
PID 3580 wrote to memory of 5068	3580	spectrum.exe	112
PID 3580 wrote to memory of 5068	3580	spectrum.exe	112
PID 5068 wrote to memory of 4512	5068	Java Updater.exe	114
PID 5068 wrote to memory of 4512	5068	Java Updater.exe	114
PID 828 wrote to memory of 3208	828	4363463463464363463463463.exe	116
PID 828 wrote to memory of 3208	828	4363463463464363463463463.exe	116
PID 828 wrote to memory of 3208	828	4363463463464363463463463.exe	116
PID 2844 wrote to memory of 1632	2844	wefhrf.exe	117
PID 2844 wrote to memory of 1632	2844	wefhrf.exe	117
PID 2844 wrote to memory of 1632	2844	wefhrf.exe	117
PID 3656 wrote to memory of 4676	3656	loader.exe	118
PID 3656 wrote to memory of 4676	3656	loader.exe	118
PID 828 wrote to memory of 2452	828	4363463463464363463463463.exe	121
PID 828 wrote to memory of 2452	828	4363463463464363463463463.exe	121
PID 2452 wrote to memory of 4904	2452	Discord.exe	122
PID 2452 wrote to memory of 4904	2452	Discord.exe	122
PID 2452 wrote to memory of 4492	2452	Discord.exe	124
PID 2452 wrote to memory of 4492	2452	Discord.exe	124
PID 4492 wrote to memory of 4052	4492	powerstealer.exe	125
PID 4492 wrote to memory of 4052	4492	powerstealer.exe	125
PID 828 wrote to memory of 4116	828	4363463463464363463463463.exe	127
PID 828 wrote to memory of 4116	828	4363463463464363463463463.exe	127
PID 828 wrote to memory of 3932	828	4363463463464363463463463.exe	128
PID 828 wrote to memory of 3932	828	4363463463464363463463463.exe	128
PID 828 wrote to memory of 3932	828	4363463463464363463463463.exe	128
PID 4116 wrote to memory of 1112	4116	build6_unencrypted.exe	129
PID 4116 wrote to memory of 1112	4116	build6_unencrypted.exe	129
PID 3932 wrote to memory of 2792	3932	intro.avi.exe	132

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wefhrf.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:828
- C:\Users\Admin\AppData\Local\Temp\Files\ExtremeInjector.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\ExtremeInjector.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3784
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4332
- C:\Users\Admin\AppData\Local\Temp\Files\requirements.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\requirements.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4660
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Files\requirements.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2020
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'requirements.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1768
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\requirements.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4560
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'requirements.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1176
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "requirements" /tr "C:\Users\Admin\AppData\Local\Temp\requirements.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3604
- C:\Users\Admin\AppData\Local\Temp\Files\loader.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\loader.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3656
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:4676
- C:\Users\Admin\AppData\Local\Temp\Files\spectrum.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\spectrum.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3580
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Files\spectrum.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2632
- - C:\Users\Admin\AppData\Roaming\SubDir\Java Updater.exe
    "C:\Users\Admin\AppData\Roaming\SubDir\Java Updater.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:5068
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Java Updater.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4512
- C:\Users\Admin\AppData\Local\Temp\Files\wefhrf.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\wefhrf.exe"
  2⤵
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2844
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Files\wefhrf.exe'; Add-MpPreference -ExclusionProcess 'wefhrf'; Add-MpPreference -ExclusionPath 'C:\Users\Admin'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1632
- C:\Users\Admin\AppData\Local\Temp\Files\steamerx.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\steamerx.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1000
- C:\Users\Admin\AppData\Local\Temp\Files\toolwin.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\toolwin.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3208
- C:\Users\Admin\AppData\Local\Temp\Files\Discord.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Discord.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2452
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\powerstealer.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4904
- - C:\Users\Admin\AppData\Roaming\SubDir\powerstealer.exe
    "C:\Users\Admin\AppData\Roaming\SubDir\powerstealer.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4492
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\powerstealer.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4052
- C:\Users\Admin\AppData\Local\Temp\Files\build6_unencrypted.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\build6_unencrypted.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of WriteProcessMemory
  PID:4116
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'build6_unencrypted.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1112
- C:\Users\Admin\AppData\Local\Temp\Files\intro.avi.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\intro.avi.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3932
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "System Ware" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Files\intro.avi.exe" /rl HIGHEST /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2792
- - C:\Users\Admin\AppData\Roaming\system\systemware.exe
    "C:\Users\Admin\AppData\Roaming\system\systemware.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2496
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "System Ware" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system\systemware.exe" /rl HIGHEST /f
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:4568
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2PpkWBSbItk4.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:4572
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4856
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4044
    - - C:\Users\Admin\AppData\Roaming\system\systemware.exe
        
        "C:\Users\Admin\AppData\Roaming\system\systemware.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2148
      - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "System Ware" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system\systemware.exe" /rl HIGHEST /f
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:4000
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YOPizziafrtW.bat" "
        6⤵
        
        PID:3668
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2148 -s 2216
        6⤵
        Program crash
        
        PID:4964
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2496 -s 1700
      4⤵
      Program crash
      PID:2456

C:\Users\Admin\AppData\Local\Temp\requirements.exe
"C:\Users\Admin\AppData\Local\Temp\requirements.exe"
1⤵
- Executes dropped EXE
PID:872

C:\Users\Admin\AppData\Local\Temp\requirements.exe
"C:\Users\Admin\AppData\Local\Temp\requirements.exe"
1⤵
- Executes dropped EXE
PID:4592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2496 -ip 2496
1⤵
PID:3036

C:\Users\Admin\AppData\Local\Temp\requirements.exe
"C:\Users\Admin\AppData\Local\Temp\requirements.exe"
1⤵
- Executes dropped EXE
PID:4052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2148 -ip 2148
1⤵
PID:3676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3eb3833f769dd890afc295b977eab4b4

SHA1
e857649b037939602c72ad003e5d3698695f436f

SHA256
c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

SHA512
c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\requirements.exe.log

Filesize
654B

MD5
11c6e74f0561678d2cf7fc075a6cc00c

SHA1
535ee79ba978554abcb98c566235805e7ea18490

SHA256
d39a78fabca39532fcb85ce908781a75132e1bd01cc50a3b290dd87127837d63

SHA512
32c63d67bf512b42e7f57f71287b354200126cb417ef9d869c72e0b9388a7c2f5e3b61f303f1353baa1bf482d0f17e06e23c9f50b2f1babd4d958b6da19c40b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
096498ff2314245f6a4ca58f63881808

SHA1
537d9c09121d194c6fe9c10fd40c999fbf508e38

SHA256
839cc80f53ba38c3f6a9eb181850574fbdbc192e48f27fc453cee23a027ab1cb

SHA512
411243bb29e81b5d84b687bc1683e577d138f0cd15cd23fd3e7ae3851c701ce50238be22858376c9fae5da30b8187294b77ed277160aa5de2d7a2c37bff0802e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6f7eb405e2879fb008dc3a533e6357d3

SHA1
0d99c40ebc8cc86ca4bda593097837a92dc06f57

SHA256
b08ac14c18515a078ceeb317fffbb7be08c0d5825dde712eb9ad285194b203d2

SHA512
470f3547656ba63513a8cc4ec7e4a5cc765312e394fc7759ca0eadf244ffd23c5491fa39669f2f5d82845a6884936caba6420e4480375af0daf678bad21c9e32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
60b3262c3163ee3d466199160b9ed07d

SHA1
994ece4ea4e61de0be2fdd580f87e3415f9e1ff6

SHA256
e3b30f16d41f94cba2b8a75f35c91ae7418465abfbfe5477ec0551d1952b2fdb

SHA512
081d2015cb94477eb0fbc38f44b6d9b4a3204fb3ad0b7d0e146a88ab4ab9a0d475207f1adae03f4a81ccc5beb7568dc8be1249f69e32fe56efd9ee2f6ee3b1af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
eecb060cc9f344bbd30f0315cc36ac02

SHA1
5a974e5276aaa47bddf94ca78b5147c7e055b0f9

SHA256
77e1497f014e0c74113d8be3d4382265c4df0ef5ae985bda271b24bc3620b408

SHA512
bebcca158418e6df2643c76f01f5633919d287c7f9fe1f1a6927418d4bc77f90a0d83695e983df83dd87cc2a36b992c3e8fd7d5ab28713c9d15dc14e2ba27cdb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8df996000e2ac28611eb19f3d4d1de29

SHA1
03bf11ff339a228cf0d1b72088fc28ee7ff8d516

SHA256
e2d1871af8a24a649f43153a7e65fd9df399ea0b6a69bb82979347981cc6050e

SHA512
10902514f9e8e0b620d332afb446382b37b2c5857bff272ce830140b23d0d7126320b1c5ccccfd77247e63a05a9693675372eedf48fa730bd376a1205a1180af

Download Submit
C:\Users\Admin\AppData\Local\Temp\2PpkWBSbItk4.bat

Filesize
211B

MD5
56d28395f834839047305a979a55ce85

SHA1
4df785ab2f834b4062410397c8e25dd11cf8795c

SHA256
960c7aaba76981740b1aeb1ac8fd3518ea51d0cd0f352423646ec641918e557f

SHA512
cd5181dc7cfdbbb43730bacecbe6701e6debd0a90b6b37376118209dd5bb1b654b0a80219f783e201067bedd33fd575736f4aec2bb2467a218fcd49650de3c42

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Discord.exe

Filesize
3.1MB

MD5
bedd5e5f44b78c79f93e29dc184cfa3d

SHA1
11e7e692b9a6b475f8561f283b2dd59c3cd19bfd

SHA256
e423c72ea1a279e367f4f0a3dc7d703c67f6d09009ed9d58f9c73dac35d0a85c

SHA512
3a7924196830b52d4525b897f45feb52ec2aca6cd20437b38437f171424450fd25692bd4c67ccde2cf147f0ed6efcef395ea0e13b24f0cf606214b58cf8284de

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\ExtremeInjector.exe

Filesize
550KB

MD5
ee6be1648866b63fd7f860fa0114f368

SHA1
42cab62fff29eb98851b33986b637514fc904f4b

SHA256
e17bf83e09457d8cecd1f3e903fa4c9770e17e823731650a453bc479591ac511

SHA512
d6492d3b3c1d94d6c87b77a9a248e8c46b889d2e23938ddb8a8e242caccb23e8cd1a1fbeffee6b140cf6fd3ea7e8da89190286a912032ce4a671257bd8e3e28a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\build6_unencrypted.exe

Filesize
65KB

MD5
3b5926b1dca859fa1a51a103ab0fd068

SHA1
9b41d9e1810454b00e12cc386e8e31fc1bd29ef6

SHA256
e1f3e0bc705e2917d285f9a9ab49cc6444ff9267b46cbf1be3b97f9a716e6d08

SHA512
6f924f3b1a7bcce36cea2ef0f73dfcf837b2ec03da44e0a12d6afcd2af1a92d20af251d04fd3970beedad082d646fc84ae7107b4111f43abc12b5a1e3d03a794

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\intro.avi.exe

Filesize
348KB

MD5
d219d94cabaa00e5abffc599bdeef75d

SHA1
123e511de20beab7bfa2bea5c2206422bc5e8241

SHA256
3cc847687e60acda504fc35577f36eedd0bca559a4de915d6dd88db9178567d4

SHA512
82dbb2484e3e42fcd6c3914da4ebfc540e135b8b57bf240a28a3e9fceb6409d8a9b1f9ca9b4bf545d05a10fd9b1672a2a6a05d963aaa33f4905e74cc1c068734

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\loader.exe

Filesize
10.6MB

MD5
f2bb0e58b960c3d8a6b4c2441562d9f9

SHA1
0931d714a92164618ca024702d17a34f71bfb6ab

SHA256
6d046c393bba7f177ddd0ae5d3771a17c99ffed2ec0e558b760cc5bd8cd4740b

SHA512
eb8ad56848ba89cf0f431bd0c57d3200f8ec158cc338499d2142d57c0f4bcf4eab65c0b45b2660062bfd5f1baf50cd55f68955914aa7b42e8482cd9cdf04c7d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\requirements.exe

Filesize
67KB

MD5
00bcef19c1d757d272439bb4a427e2c2

SHA1
dddc90e904c33c20898f69dd1529a106c65ad2fa

SHA256
8cbdf129e7d0a40ce86513be5dd5d0dcffdd140383bbbfca1d2ac7eebeb10691

SHA512
4d4f57af0b5d0157d9151bb7985516faf78b4a55886c7e793144e6662a1b70cc22d0cb4c9e530f832010bd256d0b3bb27117b852a2846ea69cb4abc8e401f081

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\spectrum.exe

Filesize
502KB

MD5
1441905fc4082ee6055ea39f5875a6c5

SHA1
78f91f9f9ffe47e5f47e9844bd026d150146744e

SHA256
1b05c4d74e0d17a983f9b91aa706a7a60f37ec270b7e2433d6798afa1c7be766

SHA512
70e9ab0e49b4bf89505f16c499538daebc1e8da72488cd63ff60747d15a1d486ba38802b0622c9240d10ff68ab32e6bb36a0b809e7cd0e2ec4945d023ce86c5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\steamerx.exe

Filesize
8KB

MD5
695e9d580533372fb131ed51f8321c06

SHA1
c63aa86d1fe306f38d94621247b578819a951860

SHA256
cfbcae5f183d4f254603b0c2fcb66a9da2d8db663c92d9203e525f41704f4c89

SHA512
7185e34d3ab5b30e9a6c20f995fb4e90c0a0a0fc60c0febf2ab1c97e90803b428d88f6011b38918d782f4d5a15d4b6e53c359435aa25ea56bc1468fc1848680f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\toolwin.exe

Filesize
300KB

MD5
5c544cd5437d21e63c9990e42e92ffbf

SHA1
15981a0f2a6078e1c65285f2ff3114b1e2158a64

SHA256
8f33fcc42396a72e93bc42947d8fc659ff691ea154f76babe06626f666aa3926

SHA512
a8e9c15e3db54ae69ca18e07acc14c27298fa4162b6d9e40f87895d1a74267b2797b0137d9fb80c3a8a65f83b0ea071eb7a22d31e7bb99022f712ef8287f0f1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\wefhrf.exe

Filesize
15KB

MD5
2ca4bd5f5fece4e6def53720f2a7a9bb

SHA1
04b49bb6f0b9600782d091eaa5d54963ff6d7e10

SHA256
ab55d9b53f755a232a7968d7b5fcb6ca56fc0f59e72b1e60ab8624a0ee6be8c1

SHA512
3e9e5c9793b4880990fbc8ab38f8a28b38a7493adb3ee1727e5ce0f8377348142705533f672356152a895694800c82517c71f2070c0dff08b73555214a165481

Download Submit
C:\Users\Admin\AppData\Local\Temp\YOPizziafrtW.bat

Filesize
211B

MD5
9914e676dbb245bf038df850e743a6b7

SHA1
207cc3cfb53dff09fa90466e336e5e3157e678a6

SHA256
d78cf64d85db5b9e7fd28699a3d9720d470485275401df05a369bc3a1142544f

SHA512
67f3d0cb1f0ed071b5b191cf59cc283ac2525232ad44cd2d0b2f80e3e50f2f9b6cfc83e102b590ca7cf87cfd12c44d8a6e9c046107b7f68ce8c59eb64ee2ebd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pugaxdsm.nsr.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\logs\01-17-2025

Filesize
224B

MD5
7d787143413d1085ff96f38c07d0afad

SHA1
ff7f0291452fb3fe7dd2217e8f4eea7b5c515a73

SHA256
c29fe71286a29fdfb96fc8279a7972669fc266e54fbfee52809dd438699e0f13

SHA512
fddee3e139728a857f40544c64f7639c7e0c95e4b59a4c34daac9812e2d3c014239670cc929bd390e0450d0eb408a455152ff32f2a11a750a382a543d18fdfc7

Download Submit
C:\Users\Admin\AppData\Roaming\msvcp110.dll

Filesize
642KB

MD5
9bc424be13dca227268ab018dca9ef0c

SHA1
f6f42e926f511d57ef298613634f3a186ec25ddc

SHA256
59d3999d0989c9c91dae93c26499f5a14b837a0fe56e6fc29f57456f54a1f8a2

SHA512
70a1abb35bd95efc40af6653d5db2e155fab9a8575b7ae5b69ab3fbcd60925c66a675dac6cba57564a430e9b92f1a2ea9e912c4d7f356b82696ed77e92b52715

Download Submit
memory/828-2-0x0000000004AA0000-0x0000000004B3C000-memory.dmp

Filesize
624KB

Download
memory/828-88-0x0000000074430000-0x0000000074BE1000-memory.dmp

Filesize
7.7MB

Download
memory/828-65-0x000000007443E000-0x000000007443F000-memory.dmp

Filesize
4KB

Download
memory/828-0-0x000000007443E000-0x000000007443F000-memory.dmp

Filesize
4KB

Download
memory/828-1-0x0000000000280000-0x0000000000288000-memory.dmp

Filesize
32KB

Download
memory/828-3-0x0000000074430000-0x0000000074BE1000-memory.dmp

Filesize
7.7MB

Download
memory/1000-166-0x0000000000A30000-0x0000000000A38000-memory.dmp

Filesize
32KB

Download
memory/1112-308-0x000001A5A5310000-0x000001A5A53C5000-memory.dmp

Filesize
724KB

Download
memory/1112-307-0x000001A5A5260000-0x000001A5A527C000-memory.dmp

Filesize
112KB

Download
memory/1112-309-0x000001A5A5250000-0x000001A5A525A000-memory.dmp

Filesize
40KB

Download
memory/1632-231-0x0000000007A50000-0x0000000007AF3000-memory.dmp

Filesize
652KB

Download
memory/1632-230-0x0000000006E40000-0x0000000006E5E000-memory.dmp

Filesize
120KB

Download
memory/1632-202-0x00000000031B0000-0x00000000031E6000-memory.dmp

Filesize
216KB

Download
memory/1632-235-0x0000000007DF0000-0x0000000007E86000-memory.dmp

Filesize
600KB

Download
memory/1632-234-0x0000000007BE0000-0x0000000007BEA000-memory.dmp

Filesize
40KB

Download
memory/1632-233-0x0000000007B80000-0x0000000007B9A000-memory.dmp

Filesize
104KB

Download
memory/1632-232-0x00000000081C0000-0x000000000883A000-memory.dmp

Filesize
6.5MB

Download
memory/1632-216-0x0000000006370000-0x00000000066C7000-memory.dmp

Filesize
3.3MB

Download
memory/1632-219-0x0000000007A10000-0x0000000007A42000-memory.dmp

Filesize
200KB

Download
memory/1632-220-0x000000006CE00000-0x000000006CE4C000-memory.dmp

Filesize
304KB

Download
memory/1632-218-0x0000000006810000-0x000000000682E000-memory.dmp

Filesize
120KB

Download
memory/1632-209-0x00000000060F0000-0x0000000006112000-memory.dmp

Filesize
136KB

Download
memory/1632-214-0x0000000006290000-0x00000000062F6000-memory.dmp

Filesize
408KB

Download
memory/1632-215-0x0000000006300000-0x0000000006366000-memory.dmp

Filesize
408KB

Download
memory/1632-203-0x0000000005A20000-0x00000000060EA000-memory.dmp

Filesize
6.8MB

Download
memory/2020-55-0x000001763DCC0000-0x000001763DCE2000-memory.dmp

Filesize
136KB

Download
memory/2452-252-0x00000000005F0000-0x000000000091A000-memory.dmp

Filesize
3.2MB

Download
memory/2844-155-0x0000000005C60000-0x0000000006206000-memory.dmp

Filesize
5.6MB

Download
memory/2844-149-0x0000000000F30000-0x0000000000F3A000-memory.dmp

Filesize
40KB

Download
memory/2844-162-0x0000000005790000-0x0000000005822000-memory.dmp

Filesize
584KB

Download
memory/3208-198-0x0000000005680000-0x000000000578A000-memory.dmp

Filesize
1.0MB

Download
memory/3208-199-0x00000000055B0000-0x00000000055C2000-memory.dmp

Filesize
72KB

Download
memory/3208-201-0x0000000005790000-0x00000000057DC000-memory.dmp

Filesize
304KB

Download
memory/3208-200-0x0000000005610000-0x000000000564C000-memory.dmp

Filesize
240KB

Download
memory/3208-197-0x0000000006F20000-0x0000000007538000-memory.dmp

Filesize
6.1MB

Download
memory/3208-196-0x00000000054E0000-0x00000000054EA000-memory.dmp

Filesize
40KB

Download
memory/3208-195-0x0000000000B40000-0x0000000000B92000-memory.dmp

Filesize
328KB

Download
memory/3580-134-0x0000000000DA0000-0x0000000000E24000-memory.dmp

Filesize
528KB

Download
memory/3656-170-0x00007FFAA4210000-0x00007FFAA4212000-memory.dmp

Filesize
8KB

Download
memory/3656-171-0x00007FFAA4220000-0x00007FFAA4222000-memory.dmp

Filesize
8KB

Download
memory/3656-172-0x0000000140000000-0x00000001414B5000-memory.dmp

Filesize
20.7MB

Download
memory/3784-44-0x0000000074430000-0x0000000074BE1000-memory.dmp

Filesize
7.7MB

Download
memory/3784-27-0x0000000074430000-0x0000000074BE1000-memory.dmp

Filesize
7.7MB

Download
memory/3784-25-0x0000000074430000-0x0000000074BE1000-memory.dmp

Filesize
7.7MB

Download
memory/3784-19-0x0000000074430000-0x0000000074BE1000-memory.dmp

Filesize
7.7MB

Download
memory/3784-18-0x0000000000C70000-0x0000000000D00000-memory.dmp

Filesize
576KB

Download
memory/3932-285-0x00000000007E0000-0x000000000083E000-memory.dmp

Filesize
376KB

Download
memory/4116-270-0x00000000004E0000-0x00000000004F6000-memory.dmp

Filesize
88KB

Download
memory/4332-33-0x0000000001300000-0x0000000001365000-memory.dmp

Filesize
404KB

Download
memory/4332-36-0x0000000001300000-0x0000000001365000-memory.dmp

Filesize
404KB

Download
memory/4332-28-0x0000000001300000-0x0000000001365000-memory.dmp

Filesize
404KB

Download
memory/4660-52-0x0000000000880000-0x0000000000898000-memory.dmp

Filesize
96KB

Download
memory/5068-180-0x000000001C810000-0x000000001C8C2000-memory.dmp

Filesize
712KB

Download
memory/5068-179-0x000000001B650000-0x000000001B6A0000-memory.dmp

Filesize
320KB

Download