Malware Analysis Report

2024-11-30 05:15

Sample ID 240505-rcf92sca7y
Target RClient.exe
SHA256 94c2ffc0e88f2d574819b6995845d212d96594bc2e718219171f8e846ab84b98
Tags lumma stealer
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

94c2ffc0e88f2d574819b6995845d212d96594bc2e718219171f8e846ab84b98

Threat Level: Known bad

The file RClient.exe was found to be: Known bad.

Malicious Activity Summary

lumma stealer

Lumma Stealer

Checks computer location settings

Executes dropped EXE

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Enumerates processes with tasklist

Runs ping.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-05 14:04

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-05 14:02

Reported

2024-05-20 01:20

Platform

win10v2004-20240508-en

Max time kernel

15s

Max time network

22s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RClient.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\RClient.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\1131\Img.pif N/A

Enumerates physical storage devices

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2396 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\RClient.exe C:\Windows\SysWOW64\cmd.exe
PID 2396 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\RClient.exe C:\Windows\SysWOW64\cmd.exe
PID 2396 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\RClient.exe C:\Windows\SysWOW64\cmd.exe
PID 5068 wrote to memory of 1556 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 5068 wrote to memory of 1556 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 5068 wrote to memory of 1556 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 5068 wrote to memory of 2300 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 5068 wrote to memory of 2300 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 5068 wrote to memory of 2300 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 5068 wrote to memory of 1184 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 5068 wrote to memory of 1184 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 5068 wrote to memory of 1184 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 5068 wrote to memory of 4068 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 5068 wrote to memory of 4068 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 5068 wrote to memory of 4068 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 5068 wrote to memory of 4060 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 5068 wrote to memory of 4060 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 5068 wrote to memory of 4060 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 5068 wrote to memory of 3484 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 5068 wrote to memory of 3484 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 5068 wrote to memory of 3484 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 5068 wrote to memory of 4856 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 5068 wrote to memory of 4856 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 5068 wrote to memory of 4856 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 5068 wrote to memory of 1016 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\1131\Img.pif
PID 5068 wrote to memory of 1016 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\1131\Img.pif
PID 5068 wrote to memory of 1016 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\1131\Img.pif
PID 5068 wrote to memory of 4604 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 5068 wrote to memory of 4604 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 5068 wrote to memory of 4604 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\RClient.exe

"C:\Users\Admin\AppData\Local\Temp\RClient.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k move Sufficiently Sufficiently.cmd & Sufficiently.cmd & exit

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa.exe opssvc.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 1131

C:\Windows\SysWOW64\findstr.exe

findstr /V "SMITHSONIANSIMILARLYTELECOMMUNICATIONSMESSAGE" International

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Screw + Partly + Weapon + Iraq 1131\m

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\1131\Img.pif

1131\Img.pif 1131\m

C:\Windows\SysWOW64\PING.EXE

ping -n 5 127.0.0.1

Network


Files

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Sufficiently
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\International
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Federal
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Mil
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Emperor
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Fisting
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Collaborative
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Madness
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Hard
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Census
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Unlike
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Trustee
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Scanner
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Reason
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Explain
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Disclosure
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Kitty
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Philip
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Tobacco
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Cradle
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Lit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Attend
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Extending
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Finest
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Ai
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Filled
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Forgot
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Hash
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Possibility
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Grams
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Architecture
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Agreement
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Richmond
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Screw
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Partly
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Weapon
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Iraq
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\1131\Img.pif
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\1131\m

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-05 14:02

Reported

2024-05-20 01:25

Platform

win10-20240404-en

Max time kernel

127s

Max time network

137s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RClient.exe"

Signatures

Lumma Stealer

stealer lumma

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\1181\Img.pif N/A

Enumerates physical storage devices

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 660 wrote to memory of 3408 N/A C:\Users\Admin\AppData\Local\Temp\RClient.exe C:\Windows\SysWOW64\cmd.exe
PID 660 wrote to memory of 3408 N/A C:\Users\Admin\AppData\Local\Temp\RClient.exe C:\Windows\SysWOW64\cmd.exe
PID 660 wrote to memory of 3408 N/A C:\Users\Admin\AppData\Local\Temp\RClient.exe C:\Windows\SysWOW64\cmd.exe
PID 3408 wrote to memory of 1368 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 3408 wrote to memory of 1368 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 3408 wrote to memory of 1368 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 3408 wrote to memory of 2276 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3408 wrote to memory of 2276 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3408 wrote to memory of 2276 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3408 wrote to memory of 520 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 3408 wrote to memory of 520 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 3408 wrote to memory of 520 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 3408 wrote to memory of 4228 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3408 wrote to memory of 4228 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3408 wrote to memory of 4228 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3408 wrote to memory of 4052 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3408 wrote to memory of 4052 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3408 wrote to memory of 4052 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3408 wrote to memory of 3576 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3408 wrote to memory of 3576 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3408 wrote to memory of 3576 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3408 wrote to memory of 2424 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3408 wrote to memory of 2424 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3408 wrote to memory of 2424 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3408 wrote to memory of 2372 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\1181\Img.pif
PID 3408 wrote to memory of 2372 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\1181\Img.pif
PID 3408 wrote to memory of 2372 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\1181\Img.pif
PID 3408 wrote to memory of 3752 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3408 wrote to memory of 3752 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3408 wrote to memory of 3752 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\RClient.exe

"C:\Users\Admin\AppData\Local\Temp\RClient.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k move Sufficiently Sufficiently.cmd & Sufficiently.cmd & exit

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa.exe opssvc.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 1181

C:\Windows\SysWOW64\findstr.exe

findstr /V "SMITHSONIANSIMILARLYTELECOMMUNICATIONSMESSAGE" International

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Screw + Partly + Weapon + Iraq 1181\m

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\1181\Img.pif

1181\Img.pif 1181\m

C:\Windows\SysWOW64\PING.EXE

ping -n 5 127.0.0.1

Network


Files

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Sufficiently

MD5 f49544d3d60b69ee76975474720b036d
SHA1 cbb1961296fe3a1386c58ee0e856011380612622
SHA256 4bcb8580220db69c4ceeda78848958526397e620554eda44ba2ef34b326612d9
SHA512 e9a42ae4f79c64bc831e4d0a3c96fefd20c3b24661e459ce55529d123020f132b653034b59d7efe51225ecbaeb8a7d11114b2e8ee6ce9d655bf2eb704b290e01

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\International

MD5 95db9a0d2707fa1796dcfc17f450aa0b
SHA1 6a09ed810cc392edd90280a3f3ceaad0a682cbe6
SHA256 51159bd5b2cbffe630e22822b621b7490b72c2d48938d84015b7348175bb5c61
SHA512 3e5f61e3dd545fc3478ae07c6d9c6ca86fafdf9702e582efba26b41ef9f503c945509d05db75312eca2ebb1a2cf249ff91696bac9f3b2cf9fd6de3992db9409c

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Federal

MD5 94b11de0174497a5172cd5bfd704245f
SHA1 e004a0cfe8c789efb12cc937a20c585100bf3cb7
SHA256 0de9e68b82220949fd6da162ca5e08e8703860b43d93ecbcc8e0441e72092508
SHA512 5c4250578e6168961a6f5c37daaded2ae12d9b4d1fe7509aa20e714aad5e456757552c4813d640fb5085ce2d7dbb5e9766e8de518a858dd199403b901daf66c3

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Mil

MD5 02e34305d486a3bd09a90255058ca35c
SHA1 d23ebee2f25ca4a9c83457cb2664403452d669ad
SHA256 40b63579f2b7b4c4db58fa9484895a8dbd88bc2b0e4e2ecc4379905202d976a5
SHA512 a54495574217d407b08d42bbb4fa5a8bd326b68c0729367a433ba5e5259e777725a5d6ce1d0efed71cf15630749c1b8233e5c3f0c98a56a4807dc1e14243e5a9

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Emperor

MD5 df823e73e670f3d523c619403500f359
SHA1 5a912b28713b8ff693461f61140ce49a28ee0319
SHA256 b3ce5d510ea8c839ec1b14c2a58f9bcd822b729517a87531c3ebde123e653223
SHA512 181cf3b592d83820374a89a512bf5444cdd26d05d0ea5a7eec720c3e0bd9bb68af689b6c203a5e0990923000ce737c73795a207c7497e44e2fdc86dfbb463090

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Fisting

MD5 19021b086343a74eca1e11380256c204
SHA1 f6e2a7a3d9d3703a01bf85439c3c5679973a7a6c
SHA256 33e2d5721c1d23951010e9b7fc3eacd550d55c8b1f65399fd9fb88a8eab6139c
SHA512 42cb74cf4fdb608816c205fcf22005ea298f3146752b6f5303a6cf4d953879d675c6086253d5a121fb73b760ed8163f7c99587c8c8c456c1298572be43b7a449

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Collaborative

MD5 53d28a852bb45e180d065886950cd552
SHA1 57e5af9a58cb33eac24a4e5e2c1708aa1e85e82e
SHA256 6f9017fe742672f871a305e6150ddd3aa82123234ea13e09a9b579676afca64a
SHA512 87d921c5f2129a15f63000421bd9c191138cc363887ce914ef70f33a6b3b8a4c2f51d75cb8bee48833d150df68bc0d4daa16a0efe51de070f73dca77a6dac56c

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Madness

MD5 00b82deb0157ac2cea1245ec860b2405
SHA1 563260c3ed3cb5516beabc70b86c01348960cea5
SHA256 bb5915f0f65bd7bcaf148503137721466e1f8406b94376f7bf49a4f45dbbe92d
SHA512 2086b3f716b0fa283f616c2ffe27347f538fa3096566b9821ae0c15781a989d0e9a927e510697e3882a90ea3d89e0cf9cdb0fb95e9813ca9bd6f7e04edccd9cc

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Hard

MD5 a381c7ae913e2e6d5efa1c8a02ef6be7
SHA1 4d6e6d0c37ed4c6dc46848f14222896611e7720e
SHA256 34f6d4b352ecd5d3e007a33976fbd0b4ee76aac2f04a10bfbf46f6e42918c130
SHA512 365dea69443fbf3c5546dbc370bde320f167702c5826ea0e32a0ea2b5741cbfb110bd4842087a7d3d014c7af885bcdf800380c30c846dc03ba068f87530aac62

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Census

MD5 d4364612a5170c31e8582d4c68006bb6
SHA1 9c07ea747b25538d10dc65e80e69b2b7406ec161
SHA256 0ec8dd08c0400a28e95d21fdcce6cc60ab2ba50fd61ee43c204eced34d99b7d6
SHA512 1139e46f3c1168e271206580b60939152cce75be9d3bed20d2a1fa14b30ed116c367346c96af15c24051a8ad54a340798e0ecf65272e72bfc559a1cce123ded9

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Unlike

MD5 e594084318e249d9218c1528c970f0eb
SHA1 01f93f614f04ba05010d732d4bda93ec460bda32
SHA256 841fda9dd61086e3f3d0da4ad85472e0d2da969be368b18e888bf99a1b93423e
SHA512 544465d4b2a22af43aee7ea04d2a0b5978272e5c5ac1cd255c3ec4b9237064a8a8f7dcf0bf3b68479d8198300e870ececfc4bab94360746d8cc8a7ea1dba467c

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Trustee

MD5 719523cb94161540031473bb464b0c43
SHA1 93cfdc523386e33b6aea8525526a1557cb1a54d7
SHA256 a6e265a6973eeb68abd34f5cc23e3a7447ec03583443c7ccf8d6da6638d8842e
SHA512 599f6e0811ec1e53d49f961d5a70c679f8a285e7d440d8c566c7e0983a8b83afc74097b8afe60d1149e058923a14be166eff451240632bcc4f9909d819674e5a

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Scanner

MD5 0197de1922450ccd2bb92d77c658328d
SHA1 ffb64cec5b2313b7804c3dd78600f76abd375dff
SHA256 589a01b9476228f748faab795a30e62491cd2899f81f6774e69742bec83f5faf
SHA512 e7c0c32b5e692c55536c6b6c052c6884c472b4390132079e74b134bf851372bb920ce856a0f1d4d89c051f0d142de16be7876b4e4b103604538ef888522f054a

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Reason

MD5 02561fe9ba53c83c14c42d142facb1aa
SHA1 8db714ada099d924bb55c86c68b7ea6dbfd1af19
SHA256 ff140cbd2f7c517be5e835aa85816a86be0c2902a7e712967cf195f00a182355
SHA512 295b853ef14cad4d822f959a176412183ff7393674035285db608810de946c4522952745f5691ed0ce8643767509090dd7395b6b4f8c9ad03f894f6462721354

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Explain

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Disclosure

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Kitty

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Philip

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Tobacco

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Cradle

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Lit

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Attend

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Extending

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Finest

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Ai

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Filled

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Hash

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Forgot

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Possibility

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Grams

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Architecture

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Richmond

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Agreement

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Screw

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Weapon

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Partly

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Iraq

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\1181\Img.pif

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\1181\m
