Overview

overview

10

Static

static

1

SoftV10.16.zip

windows10-2004-x64

10

Analysis

  • max time kernel
    138s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10/04/2025, 16:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SoftV10.16.zip

  • Size

    54.7MB

  • MD5

    2b4fbe0df60ebec2ff0954762b4a5fde

  • SHA1

    ddc6ec51c8681eaa65edeb259ce4eede6272cab7

  • SHA256

    573adec2017ad15a98161a9aa7c9d80e526af74bb87c73616512c8f3a98966c4

  • SHA512

    5fd7033af6b9306d7d632047a5558f71a22a1acab2ea0a4dae498550cf60b8ca5a8b7dc8067033c58541a7d95492031aba2875824b375ce98ade110a6e41a07d

  • SSDEEP

    1572864:TlYTTJC5XR597XxJR578+tVAJsch4UrwHA4Kx:TliJC5XR597hZ78+EJseUzKx

Score
10/10
lummadiscoveryexecutionspywarestealer

Malware Config

Extracted

Family

lumma

C2

https://flourishfo.run/ayuio

https://soursopsf.run/gsoiao

https://changeaie.top/geps

https://easyupgw.live/eosz

https://liftally.top/xasj

https://upmodini.digital/gokk

https://salaccgfa.top/gsooz

https://zestmodp.top/zeda

https://xcelmodo.run/nahd

Signatures

  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    stealerlumma
  • Lumma family
    lumma
  • Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Downloads MZ/PE file 1 IoCs
  • Executes dropped EXE 7 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 30 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of FindShellTrayWindow 62 IoCs
  • Suspicious use of SendNotifyMessage 62 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 35 IoCs

Processes

  • C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\SoftV10.16.zip
    1⤵
      PID:4400
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:5140
      • C:\Users\Admin\Documents\SoftV10.16\SoftV10.16\SetupByLumenTeamV10.16.exe
        "C:\Users\Admin\Documents\SoftV10.16\SoftV10.16\SetupByLumenTeamV10.16.exe"
        1⤵
        • Downloads MZ/PE file
        • Suspicious use of WriteProcessMemory
        PID:1968
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\vlfkggz'; Add-MpPreference -ExclusionPath 'C:\Users'"
          2⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3224
        • C:\Users\Admin\AppData\Local\vlfkggz\file.exe
          "C:\Users\Admin\AppData\Local\vlfkggz\file.exe"
          2⤵
          • Executes dropped EXE
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:1492
      • C:\Users\Admin\Documents\SoftV10.16\SoftV10.16\SetupByLumenTeamV10.16.exe
        "C:\Users\Admin\Documents\SoftV10.16\SoftV10.16\SetupByLumenTeamV10.16.exe"
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:3344
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\hidlpgt'; Add-MpPreference -ExclusionPath 'C:\Users'"
          2⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4952
        • C:\Users\Admin\AppData\Local\hidlpgt\file.exe
          "C:\Users\Admin\AppData\Local\hidlpgt\file.exe"
          2⤵
          • Executes dropped EXE
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:5232
      • C:\Users\Admin\Documents\SoftV10.16\SoftV10.16\SetupByLumenTeamV10.16.exe
        "C:\Users\Admin\Documents\SoftV10.16\SoftV10.16\SetupByLumenTeamV10.16.exe"
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:1096
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\jndjqtodovb'; Add-MpPreference -ExclusionPath 'C:\Users'"
          2⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3296
        • C:\Users\Admin\AppData\Local\jndjqtodovb\file.exe
          "C:\Users\Admin\AppData\Local\jndjqtodovb\file.exe"
          2⤵
          • Executes dropped EXE
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:4472
      • C:\Windows\system32\taskmgr.exe
        "C:\Windows\system32\taskmgr.exe" /4
        1⤵
        • Checks SCSI registry key(s)
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:4428
      • C:\Users\Admin\Documents\SoftV10.16\SoftV10.16\SetupByLumenTeamV10.16.exe
        "C:\Users\Admin\Documents\SoftV10.16\SoftV10.16\SetupByLumenTeamV10.16.exe"
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:1880
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\fipjjjul'; Add-MpPreference -ExclusionPath 'C:\Users'"
          2⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:5452
        • C:\Users\Admin\AppData\Local\fipjjjul\file.exe
          "C:\Users\Admin\AppData\Local\fipjjjul\file.exe"
          2⤵
          • Executes dropped EXE
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:5708
      • C:\Users\Admin\Documents\SoftV10.16\SoftV10.16\SetupByLumenTeamV10.16.exe
        "C:\Users\Admin\Documents\SoftV10.16\SoftV10.16\SetupByLumenTeamV10.16.exe"
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:5652
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\tdadqfwu'; Add-MpPreference -ExclusionPath 'C:\Users'"
          2⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2636
        • C:\Users\Admin\AppData\Local\tdadqfwu\file.exe
          "C:\Users\Admin\AppData\Local\tdadqfwu\file.exe"
          2⤵
          • Executes dropped EXE
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:3636
      • C:\Users\Admin\Documents\SoftV10.16\SoftV10.16\SetupByLumenTeamV10.16.exe
        "C:\Users\Admin\Documents\SoftV10.16\SoftV10.16\SetupByLumenTeamV10.16.exe"
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:4804
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\fpcuxcszk'; Add-MpPreference -ExclusionPath 'C:\Users'"
          2⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious use of AdjustPrivilegeToken
          PID:4348
        • C:\Users\Admin\AppData\Local\fpcuxcszk\file.exe
          "C:\Users\Admin\AppData\Local\fpcuxcszk\file.exe"
          2⤵
          • Executes dropped EXE
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:2764
      • C:\Users\Admin\Documents\SoftV10.16\SoftV10.16\SetupByLumenTeamV10.16.exe
        "C:\Users\Admin\Documents\SoftV10.16\SoftV10.16\SetupByLumenTeamV10.16.exe"
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:4112
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\hwjxrjwv'; Add-MpPreference -ExclusionPath 'C:\Users'"
          2⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious use of AdjustPrivilegeToken
          PID:4952
        • C:\Users\Admin\AppData\Local\hwjxrjwv\file.exe
          "C:\Users\Admin\AppData\Local\hwjxrjwv\file.exe"
          2⤵
          • Executes dropped EXE
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:6096

      Network

      MITRE ATT&CK Enterprise v16

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
        Filesize

        2KB

        MD5

        d4d8e78fa186aeb3c64c386ce6ce5405

        SHA1

        48fa9322b4c1b4f25521a54cdf87d2e29afe0d4a

        SHA256

        4dc2f866451210fd57db47965a40785a22c8d17622249bb742f60eccf6d3b629

        SHA512

        7468e93a2760eaf1f69da2c58b2955f728647bc9a90fb64542f7a00dbc5fc225fe221639fb7551299c60be54b4e497e605d42d3079d984b6712c9cfa97b83af7

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_89854CA6A0F0936A4D2ECA78845CEA25
        Filesize

        1KB

        MD5

        54833a1672dea57fe6d24a2fc879c249

        SHA1

        9253cffc88f6ffd5ef578cfd27bd8d104f674818

        SHA256

        934680bd85dc825b77c5b22fcca615a4024edd2440e499b532e0096a76708804

        SHA512

        7e2038155b292d3c833f905fbab2df83998254457691bfbda0ab7f0644381a9a230e3fb2f7eb3a7fa1982eae884005f607fa28abc40f09f394695684b83dc198

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
        Filesize

        1KB

        MD5

        6ec34697b5e535625f4287f4ab99f0bc

        SHA1

        c90c8b76e6acefc8845c4e826058b43925b79afb

        SHA256

        e8e0345e65f69786ea3d8a11a1af4a8f02af567a0b6953cfae578636764c1081

        SHA512

        1470c7a6e7d2aea9381dc2121fd5efe6178296a527677a1c10c315d8a40ebbca847f248239298756101b76a44a2b936e8fb50f459f354b16d3987a5b68bdf1db

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D0E1C4B6144E7ECAB3F020E4A19EFC29_B5F77004C894173A10E3A199871D2D90
        Filesize

        978B

        MD5

        5fb7faabfcc1d1ef93b8ad49f9d13022

        SHA1

        cfbc5003dc5e03d262e7bc96d3b50f6c43b4ec97

        SHA256

        d79e04ad5f60a738208d66ccd5528062640975d82a63e66a5e2715c1f35b985b

        SHA512

        543196c4dc74650873d5562674f41bbc753746d496b439b433af0f05cee2792a06f87c313b7c33e7829c2776f1014d6bae64a94ed84cc25a53bae9ce0c100140

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D9CA54E0FA212456E1DB00704A97658E
        Filesize

        282B

        MD5

        d0732acf67d65448018383250eccd268

        SHA1

        845d9083a74227c7733328901519e2c52a6d67d4

        SHA256

        dabb39ac00c00efdd44f9426600094dfd1e8a2afdf4590109b59b963e8115f07

        SHA512

        3bd7dfdb1522d57a8a1a16766c67151e06e2b1a16e37032bca1a0e04c160fc8982be8250b9dfee57a3b91df55b2e9c55246cae51cc89d487218ed13fe6a95f99

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
        Filesize

        488B

        MD5

        098d25acea36d230339141c9cca3ec28

        SHA1

        0d4989087abe72a2460a7f71e61caadc62b1ebaa

        SHA256

        dc48f395b195ea694fc28bf3764e23aa2ffd0aef99273eb8923e09455fb6b41b

        SHA512

        d60dd9dbae59f1b7332aa8ff228fdce073ad6ab9e3f3b3063b532e50fe5379a0b5613ecb472efbf0edb3b56ca253a0675436615f3864e3d87bc743538fd07f18

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_89854CA6A0F0936A4D2ECA78845CEA25
        Filesize

        482B

        MD5

        dc0b44273a0aadb9ff18e69ca75dc330

        SHA1

        16aaeaa7683a45f7cb0c7e8f4087b47a2ed9ffde

        SHA256

        e18c68c8e2c34109bd9a5c8632ddf295704da853e90a067576ff6c9c1cbd3891

        SHA512

        1975cb9b5aa8a04c238f76ae914204102bc5396f239e05c827ebf944deea5124f06966f436aee55e71c5d180d299593b522ce34a1dd32d6fd4afaeee56fe0d98

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
        Filesize

        482B

        MD5

        a307f27d0eaa3272fa48dd5c3bbaeed7

        SHA1

        5b3a6988896efcd5dab7f92fd0beec27476a2e9e

        SHA256

        89237e41c73dc49c55102c6476f37a14ad6fb9aabe7480f98d9156133f07f4bd

        SHA512

        b82c18a3596149d706851ae538a83f8228c529998665b6568a56eabd259a358f673218bfae1e579dd224db14b8cb0115901f03c1e030c98ed39e14a41aadc074

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D0E1C4B6144E7ECAB3F020E4A19EFC29_B5F77004C894173A10E3A199871D2D90
        Filesize

        480B

        MD5

        c9e4402cf9e1703bc02968346fd9480d

        SHA1

        f5ecc1af30858cf22e4c1716cd437d282db7e799

        SHA256

        52b2813dac12100570e1ea8fffef3496a96f482ec999773a8076cbcb4ad3f9e7

        SHA512

        b63a600f08e9bca33d66d7c20b7edb460c64828847621a96983a6e4aa4d129c785ef8902b6b4c400c7d3e44fab0ec5ec32efb23796eca701e515d8b20525ecea

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D9CA54E0FA212456E1DB00704A97658E
        Filesize

        476B

        MD5

        fb0e22d08a0bfaf5fc7007ac5e980adb

        SHA1

        12eadb66e3ea0c76560b8536eefb061bb6d59f8d

        SHA256

        a958431d783f19643eef848b90f80681a92d463e8d920b7fafa251ce15f1eceb

        SHA512

        d1d969dc1c6aea9a286e5424a52a87dff4593419b888f2ad7a531267d08a070c3d8b4263c18380adff28d2899340bf579009bbc95df252aece6e41bd9a082736

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
        Filesize

        2KB

        MD5

        d85ba6ff808d9e5444a4b369f5bc2730

        SHA1

        31aa9d96590fff6981b315e0b391b575e4c0804a

        SHA256

        84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

        SHA512

        8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        7aaabbabed1e03e27f0fc866977c8233

        SHA1

        3674b1b903897a04ab60f4d2fab67dc68c8ef1c6

        SHA256

        afbd524eb67d6bd11320545d9992cde053a81467c26500607c9dfedfc54eb8c4

        SHA512

        dd3f6e176b3b2521b82cdea1516b1a442967424a961511cf3d5dd8406c3a37b84642364558eee1c90d560c62dd88f14d5504077a081d8fb09a9a2d23d20088d0

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        e60eb305a7b2d9907488068b7065abd3

        SHA1

        1643dd7f915ac50c75bc01c53d68c5dafb9ce28d

        SHA256

        ad07460e061642c0dd4e7dfa7b821aacce873e290389e72f708e9f3504f9d135

        SHA512

        95c45afec6fa4e0b2a21edd10a6b2dc30568810c67bc9bc34d98ab111c48261f377a370583adb27e08616b0108026c119493b1b093b52ce931117e646b46cb7b

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        eb1ad317bd25b55b2bbdce8a28a74a94

        SHA1

        98a3978be4d10d62e7411946474579ee5bdc5ea6

        SHA256

        9e94e7c9ac6134ee30e79498558aa1a5a1ac79a643666c3f8922eed215dd3a98

        SHA512

        d011f266c0240d84470c0f9577cd9e4927309bd19bb38570ca9704ed8e1d159f9bea982a59d3eefef72ce7a10bd81208b82e88ef57c7af587f7437a89769adc0

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        2fe35857b3f3ef45e38b15e86c2708f6

        SHA1

        a2d29b4db0f5c4bf475b015be8226735e07393ab

        SHA256

        5281db72d91f067d2c7703a8ca890c2d16807449b0badd0dae695afef5d1ad1d

        SHA512

        706e6b405339e51750b34b330d5141ec45dd81963a1294ea9b7726a7bf5082f94ca2ac2c38f91fe36105424a3516fa07f030b0ab56065b1328b0426f51555891

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        b7e1db446e63a2aae76cd85440a08856

        SHA1

        c900cc81335dd3ca6337e21f5bcde80f8e8a88f3

        SHA256

        7305bcde3ba246a9b5c1666079c61596cc2ed2c651a1cd9e20557dba8a78c0e4

        SHA512

        dd63e28017eec632868489e469dd2ba54f20a3024be44550b729a0384bd55c5aa78171f7416612cd5174047afc544e21678ca164359962312b1d853c9bff04ea

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        22310ad6749d8cc38284aa616efcd100

        SHA1

        440ef4a0a53bfa7c83fe84326a1dff4326dcb515

        SHA256

        55b1d8021c4eb4c3c0d75e3ed7a4eb30cd0123e3d69f32eeb596fe4ffec05abf

        SHA512

        2ef08e2ee15bb86695fe0c10533014ffed76ececc6e579d299d3365fafb7627f53e32e600bb6d872b9f58aca94f8cb7e1e94cdfd14777527f7f0aa019d9c6def

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_o4gmscgu.wew.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • C:\Users\Admin\AppData\Local\vlfkggz\file.exe
        Filesize

        1.2MB

        MD5

        a50ae975619b64e8828866b6002439c5

        SHA1

        291421696d4f933d91abffc6f3d231304d99c71e

        SHA256

        9361a09f5f1d865cf9037a232cf4caa46bb4f5062e86e832ab4e53b76ad440d3

        SHA512

        52290fd5263aa8ddb0ae606b6aba5f3b647adc48a3724de87f54d93f25f7d46b58962ea5fb8a009a42a4bc19d7094665cf92eb9a849613aaf3062286559db8b0

        Download Submit

      • memory/1492-210-0x0000000000BB0000-0x0000000000F76000-memory.dmp

        Filesize

        3.8MB

        Download

      • memory/1492-83-0x0000000002FE0000-0x0000000002FE6000-memory.dmp

        Filesize

        24KB

        Download

      • memory/1492-95-0x0000000000BB0000-0x0000000000F76000-memory.dmp

        Filesize

        3.8MB

        Download

      • memory/1492-128-0x0000000000BB0000-0x0000000000F76000-memory.dmp

        Filesize

        3.8MB

        Download

      • memory/1492-102-0x0000000000BB0000-0x0000000000F76000-memory.dmp

        Filesize

        3.8MB

        Download

      • memory/1492-49-0x0000000000BB0000-0x0000000000F76000-memory.dmp

        Filesize

        3.8MB

        Download

      • memory/1492-82-0x0000000002FE0000-0x0000000002FE6000-memory.dmp

        Filesize

        24KB

        Download

      • memory/1492-171-0x0000000000BB0000-0x0000000000F76000-memory.dmp

        Filesize

        3.8MB

        Download

      • memory/1492-125-0x0000000000BB0000-0x0000000000F76000-memory.dmp

        Filesize

        3.8MB

        Download

      • memory/2764-233-0x0000000002B00000-0x0000000002B06000-memory.dmp

        Filesize

        24KB

        Download

      • memory/2764-219-0x0000000000100000-0x00000000004C6000-memory.dmp

        Filesize

        3.8MB

        Download

      • memory/3224-7-0x0000020FA1690000-0x0000020FA16B2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/3636-181-0x0000000000B10000-0x0000000000ED6000-memory.dmp

        Filesize

        3.8MB

        Download

      • memory/3636-180-0x0000000000B10000-0x0000000000ED6000-memory.dmp

        Filesize

        3.8MB

        Download

      • memory/3636-199-0x0000000004020000-0x0000000004026000-memory.dmp

        Filesize

        24KB

        Download

      • memory/3636-169-0x0000000000B10000-0x0000000000ED6000-memory.dmp

        Filesize

        3.8MB

        Download

      • memory/3636-231-0x0000000000B10000-0x0000000000ED6000-memory.dmp

        Filesize

        3.8MB

        Download

      • memory/4428-111-0x000002766BFA0000-0x000002766BFA1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4428-115-0x000002766BFA0000-0x000002766BFA1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4428-110-0x000002766BFA0000-0x000002766BFA1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4428-104-0x000002766BFA0000-0x000002766BFA1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4428-105-0x000002766BFA0000-0x000002766BFA1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4428-116-0x000002766BFA0000-0x000002766BFA1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4428-106-0x000002766BFA0000-0x000002766BFA1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4428-113-0x000002766BFA0000-0x000002766BFA1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4428-114-0x000002766BFA0000-0x000002766BFA1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4428-112-0x000002766BFA0000-0x000002766BFA1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4472-127-0x0000000000EE0000-0x00000000012A6000-memory.dmp

        Filesize

        3.8MB

        Download

      • memory/4472-209-0x0000000000EE0000-0x00000000012A6000-memory.dmp

        Filesize

        3.8MB

        Download

      • memory/4472-170-0x0000000000EE0000-0x00000000012A6000-memory.dmp

        Filesize

        3.8MB

        Download

      • memory/4472-124-0x0000000000EE0000-0x00000000012A6000-memory.dmp

        Filesize

        3.8MB

        Download

      • memory/4472-96-0x0000000000EE0000-0x00000000012A6000-memory.dmp

        Filesize

        3.8MB

        Download

      • memory/4472-242-0x0000000000EE0000-0x00000000012A6000-memory.dmp

        Filesize

        3.8MB

        Download

      • memory/4472-119-0x0000000002BC0000-0x0000000002BC6000-memory.dmp

        Filesize

        24KB

        Download

      • memory/4472-123-0x0000000000EE0000-0x00000000012A6000-memory.dmp

        Filesize

        3.8MB

        Download

      • memory/5232-99-0x00000000039D0000-0x00000000039D6000-memory.dmp

        Filesize

        24KB

        Download

      • memory/5232-229-0x0000000000470000-0x0000000000836000-memory.dmp

        Filesize

        3.8MB

        Download

      • memory/5232-126-0x0000000000470000-0x0000000000836000-memory.dmp

        Filesize

        3.8MB

        Download

      • memory/5232-177-0x0000000000470000-0x0000000000836000-memory.dmp

        Filesize

        3.8MB

        Download

      • memory/5232-70-0x0000000000470000-0x0000000000836000-memory.dmp

        Filesize

        3.8MB

        Download

      • memory/5232-117-0x0000000000470000-0x0000000000836000-memory.dmp

        Filesize

        3.8MB

        Download

      • memory/5232-103-0x0000000000470000-0x0000000000836000-memory.dmp

        Filesize

        3.8MB

        Download

      • memory/5232-151-0x0000000000470000-0x0000000000836000-memory.dmp

        Filesize

        3.8MB

        Download

      • memory/5708-173-0x0000000002B10000-0x0000000002B16000-memory.dmp

        Filesize

        24KB

        Download

      • memory/5708-230-0x0000000000C70000-0x0000000001036000-memory.dmp

        Filesize

        3.8MB

        Download

      • memory/5708-161-0x0000000000C70000-0x0000000001036000-memory.dmp

        Filesize

        3.8MB

        Download

      • memory/5708-179-0x0000000000C70000-0x0000000001036000-memory.dmp

        Filesize

        3.8MB

        Download

      • memory/5708-178-0x0000000000C70000-0x0000000001036000-memory.dmp

        Filesize

        3.8MB

        Download

      • memory/6096-228-0x0000000000AB0000-0x0000000000E76000-memory.dmp

        Filesize

        3.8MB

        Download

      • memory/6096-238-0x0000000002BC0000-0x0000000002BC6000-memory.dmp

        Filesize

        24KB

        Download