Analysis Overview
SHA256
94c2ffc0e88f2d574819b6995845d212d96594bc2e718219171f8e846ab84b98
Threat Level: Known bad
The file RClient.exe was found to be: Known bad.
Malicious Activity Summary
Lumma Stealer
Checks computer location settings
Executes dropped EXE
Enumerates physical storage devices
Suspicious use of FindShellTrayWindow
Enumerates processes with tasklist
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-05 14:04
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-05 14:02
Reported
2024-05-20 01:20
Platform
win10v2004-20240508-en
Max time kernel
15s
Max time network
22s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\RClient.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\1131\Img.pif | N/A |
Enumerates physical storage devices
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\1131\Img.pif | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\1131\Img.pif | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\1131\Img.pif | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\RClient.exe
"C:\Users\Admin\AppData\Local\Temp\RClient.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k move Sufficiently Sufficiently.cmd & Sufficiently.cmd & exit
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c md 1131
C:\Windows\SysWOW64\findstr.exe
findstr /V "SMITHSONIANSIMILARLYTELECOMMUNICATIONSMESSAGE" International
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Screw + Partly + Weapon + Iraq 1131\m
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\1131\Img.pif
1131\Img.pif 1131\m
C:\Windows\SysWOW64\PING.EXE
ping -n 5 127.0.0.1
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-05 14:02
Reported
2024-05-20 01:25
Platform
win10-20240404-en
Max time kernel
127s
Max time network
137s
Command Line
Signatures
Lumma Stealer
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\1181\Img.pif | N/A |
Enumerates physical storage devices
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\1181\Img.pif | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\1181\Img.pif | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\1181\Img.pif | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\RClient.exe
"C:\Users\Admin\AppData\Local\Temp\RClient.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k move Sufficiently Sufficiently.cmd & Sufficiently.cmd & exit
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c md 1181
C:\Windows\SysWOW64\findstr.exe
findstr /V "SMITHSONIANSIMILARLYTELECOMMUNICATIONSMESSAGE" International
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Screw + Partly + Weapon + Iraq 1181\m
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\1181\Img.pif
1181\Img.pif 1181\m
C:\Windows\SysWOW64\PING.EXE
ping -n 5 127.0.0.1
Network
Files
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Sufficiently
| MD5 | f49544d3d60b69ee76975474720b036d |
| SHA1 | cbb1961296fe3a1386c58ee0e856011380612622 |
| SHA256 | 4bcb8580220db69c4ceeda78848958526397e620554eda44ba2ef34b326612d9 |
| SHA512 | e9a42ae4f79c64bc831e4d0a3c96fefd20c3b24661e459ce55529d123020f132b653034b59d7efe51225ecbaeb8a7d11114b2e8ee6ce9d655bf2eb704b290e01 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\International
| MD5 | 95db9a0d2707fa1796dcfc17f450aa0b |
| SHA1 | 6a09ed810cc392edd90280a3f3ceaad0a682cbe6 |
| SHA256 | 51159bd5b2cbffe630e22822b621b7490b72c2d48938d84015b7348175bb5c61 |
| SHA512 | 3e5f61e3dd545fc3478ae07c6d9c6ca86fafdf9702e582efba26b41ef9f503c945509d05db75312eca2ebb1a2cf249ff91696bac9f3b2cf9fd6de3992db9409c |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Federal
| MD5 | 94b11de0174497a5172cd5bfd704245f |
| SHA1 | e004a0cfe8c789efb12cc937a20c585100bf3cb7 |
| SHA256 | 0de9e68b82220949fd6da162ca5e08e8703860b43d93ecbcc8e0441e72092508 |
| SHA512 | 5c4250578e6168961a6f5c37daaded2ae12d9b4d1fe7509aa20e714aad5e456757552c4813d640fb5085ce2d7dbb5e9766e8de518a858dd199403b901daf66c3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Mil
| MD5 | 02e34305d486a3bd09a90255058ca35c |
| SHA1 | d23ebee2f25ca4a9c83457cb2664403452d669ad |
| SHA256 | 40b63579f2b7b4c4db58fa9484895a8dbd88bc2b0e4e2ecc4379905202d976a5 |
| SHA512 | a54495574217d407b08d42bbb4fa5a8bd326b68c0729367a433ba5e5259e777725a5d6ce1d0efed71cf15630749c1b8233e5c3f0c98a56a4807dc1e14243e5a9 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Emperor
| MD5 | df823e73e670f3d523c619403500f359 |
| SHA1 | 5a912b28713b8ff693461f61140ce49a28ee0319 |
| SHA256 | b3ce5d510ea8c839ec1b14c2a58f9bcd822b729517a87531c3ebde123e653223 |
| SHA512 | 181cf3b592d83820374a89a512bf5444cdd26d05d0ea5a7eec720c3e0bd9bb68af689b6c203a5e0990923000ce737c73795a207c7497e44e2fdc86dfbb463090 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Fisting
| MD5 | 19021b086343a74eca1e11380256c204 |
| SHA1 | f6e2a7a3d9d3703a01bf85439c3c5679973a7a6c |
| SHA256 | 33e2d5721c1d23951010e9b7fc3eacd550d55c8b1f65399fd9fb88a8eab6139c |
| SHA512 | 42cb74cf4fdb608816c205fcf22005ea298f3146752b6f5303a6cf4d953879d675c6086253d5a121fb73b760ed8163f7c99587c8c8c456c1298572be43b7a449 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Collaborative
| MD5 | 53d28a852bb45e180d065886950cd552 |
| SHA1 | 57e5af9a58cb33eac24a4e5e2c1708aa1e85e82e |
| SHA256 | 6f9017fe742672f871a305e6150ddd3aa82123234ea13e09a9b579676afca64a |
| SHA512 | 87d921c5f2129a15f63000421bd9c191138cc363887ce914ef70f33a6b3b8a4c2f51d75cb8bee48833d150df68bc0d4daa16a0efe51de070f73dca77a6dac56c |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Madness
| MD5 | 00b82deb0157ac2cea1245ec860b2405 |
| SHA1 | 563260c3ed3cb5516beabc70b86c01348960cea5 |
| SHA256 | bb5915f0f65bd7bcaf148503137721466e1f8406b94376f7bf49a4f45dbbe92d |
| SHA512 | 2086b3f716b0fa283f616c2ffe27347f538fa3096566b9821ae0c15781a989d0e9a927e510697e3882a90ea3d89e0cf9cdb0fb95e9813ca9bd6f7e04edccd9cc |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Hard
| MD5 | a381c7ae913e2e6d5efa1c8a02ef6be7 |
| SHA1 | 4d6e6d0c37ed4c6dc46848f14222896611e7720e |
| SHA256 | 34f6d4b352ecd5d3e007a33976fbd0b4ee76aac2f04a10bfbf46f6e42918c130 |
| SHA512 | 365dea69443fbf3c5546dbc370bde320f167702c5826ea0e32a0ea2b5741cbfb110bd4842087a7d3d014c7af885bcdf800380c30c846dc03ba068f87530aac62 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Census
| MD5 | d4364612a5170c31e8582d4c68006bb6 |
| SHA1 | 9c07ea747b25538d10dc65e80e69b2b7406ec161 |
| SHA256 | 0ec8dd08c0400a28e95d21fdcce6cc60ab2ba50fd61ee43c204eced34d99b7d6 |
| SHA512 | 1139e46f3c1168e271206580b60939152cce75be9d3bed20d2a1fa14b30ed116c367346c96af15c24051a8ad54a340798e0ecf65272e72bfc559a1cce123ded9 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Unlike
| MD5 | e594084318e249d9218c1528c970f0eb |
| SHA1 | 01f93f614f04ba05010d732d4bda93ec460bda32 |
| SHA256 | 841fda9dd61086e3f3d0da4ad85472e0d2da969be368b18e888bf99a1b93423e |
| SHA512 | 544465d4b2a22af43aee7ea04d2a0b5978272e5c5ac1cd255c3ec4b9237064a8a8f7dcf0bf3b68479d8198300e870ececfc4bab94360746d8cc8a7ea1dba467c |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Trustee
| MD5 | 719523cb94161540031473bb464b0c43 |
| SHA1 | 93cfdc523386e33b6aea8525526a1557cb1a54d7 |
| SHA256 | a6e265a6973eeb68abd34f5cc23e3a7447ec03583443c7ccf8d6da6638d8842e |
| SHA512 | 599f6e0811ec1e53d49f961d5a70c679f8a285e7d440d8c566c7e0983a8b83afc74097b8afe60d1149e058923a14be166eff451240632bcc4f9909d819674e5a |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Scanner
| MD5 | 0197de1922450ccd2bb92d77c658328d |
| SHA1 | ffb64cec5b2313b7804c3dd78600f76abd375dff |
| SHA256 | 589a01b9476228f748faab795a30e62491cd2899f81f6774e69742bec83f5faf |
| SHA512 | e7c0c32b5e692c55536c6b6c052c6884c472b4390132079e74b134bf851372bb920ce856a0f1d4d89c051f0d142de16be7876b4e4b103604538ef888522f054a |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Reason
| MD5 | 02561fe9ba53c83c14c42d142facb1aa |
| SHA1 | 8db714ada099d924bb55c86c68b7ea6dbfd1af19 |
| SHA256 | ff140cbd2f7c517be5e835aa85816a86be0c2902a7e712967cf195f00a182355 |
| SHA512 | 295b853ef14cad4d822f959a176412183ff7393674035285db608810de946c4522952745f5691ed0ce8643767509090dd7395b6b4f8c9ad03f894f6462721354 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Explain
| MD5 | 84857c57c5f231ada2a62f036e06bf32 |
| SHA1 | 7c6d15d31f08bd99a176c5a63a2ee209ed05dab0 |
| SHA256 | ccffcb8fa25a0467f022aea32486ec16779b72cc352f1337634826e557c77971 |
| SHA512 | 3498c0c8f29658d295e15e3bedda0e3c39970d4585b5f101139a73638146a6dc235705e4fe6a27dc514b982fc4187cd0f824f024f4501c696801b2d60d86efec |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Disclosure
| MD5 | 5f9b92de362d2799af95f88c6ac0e6af |
| SHA1 | 627d4cb18b8443ef97beacf996e0393524e2bee1 |
| SHA256 | 9149f570b6ed1225dc922e5f38707bbf0089e330507bb992a301887ffdde66e3 |
| SHA512 | ff9720d8753f6f0eab237dc25b9605ddbfe41cc5e87cc8d32acc40bb14864929d2a3174c5a976610c6339071f6e1a1f215aeb503b8e32aea41283c52f3a1e713 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Kitty
| MD5 | 74ded46de3d41484a04236b57201920d |
| SHA1 | 1c878cdf25c57a77f10cfc68a443f748d64cec92 |
| SHA256 | 471149470aa36081af47c65f0657b669aa820ddb728e3c6c1641b3094d27eaec |
| SHA512 | cf92e09cb1bc52f1f54c63447ce61b215b9007eab3899a3bb7e7cfabb1041db7f998cc558ffc4d295264a95a7b25ee1bcc4311cba403c786853977cbf5c7231d |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Philip
| MD5 | 31d59e0b4b851662f8b9566285a5bd31 |
| SHA1 | 1756b2971e468d99622a499ac3662c0f5d34e184 |
| SHA256 | 85d812bd4e96f9a9dc39ebeb58d2cfacf6326ad0d2ee09af7d357c46c7a00ec2 |
| SHA512 | 4a5bb70957eaf5bfee367601bf26363459578b70d28a7a9b9d167b67f10ec4282f2eb2a880b85fbb5f187cbfa779a3517c303a027c7e2f3882e81dfe16593855 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Tobacco
| MD5 | 9e70542e3f688341f615eceafbd50602 |
| SHA1 | ed58ce7ca5620910fee3357411f4e02e22d9f95c |
| SHA256 | e0ce8e92b1ebe38f639d3f197890cdfe02a2a526c24967ddb9d489f652c38608 |
| SHA512 | 37cd48d1dca0b08b961db08304f7c8e25c2c28aa2670f4752319f658b22c68357b5749d067471cd39cb7fe0db7980198786cc4e41949fc92afdc1f3c48d8a654 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Cradle
| MD5 | 29dc59091d8bbcf67a06a70395f3abb0 |
| SHA1 | 7d5d9d51ce27feb312374396dd3b1595eca52457 |
| SHA256 | 0c292b18d417a96029336337842436038e87548a97ffc7c7b5f1d96a260d0fa5 |
| SHA512 | 0b31dd6a9c214152dcd537824c5e6f981b23ff1ba2256a733f4dc8bc313375a4bb09876dbd9387a010288c1ecb394693de325a1f448ed8c9a489a45ed35ab30c |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Lit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Attend
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Extending
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Finest
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Ai
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Filled
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Hash
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Forgot
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Possibility
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Grams
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Architecture
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Richmond
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Agreement
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Screw
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Weapon
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Partly
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Iraq
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\1181\Img.pif
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\1181\m