Malware Analysis Report

2024-11-30 05:12

Sample ID 240519-tgjl3see2w
Target Executor.exe
SHA256 5d4a1d9250a57c5f889ee37a8262bd850bf7ac50e7bc82588b22d2ea3ac36166
Tags
lumma stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5d4a1d9250a57c5f889ee37a8262bd850bf7ac50e7bc82588b22d2ea3ac36166

Threat Level: Known bad

The file Executor.exe was found to be: Known bad.

Malicious Activity Summary

lumma stealer

Lumma Stealer

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Enumerates physical storage devices

Runs ping.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Enumerates processes with tasklist

Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-19 16:02

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-19 16:01

Reported

2024-05-19 16:03

Platform

win10v2004-20240426-en

Max time kernel

43s

Max time network

45s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Executor.exe"

Signatures

Lumma Stealer

stealer lumma

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Executor.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\130845\Privilege.pif N/A

Enumerates physical storage devices

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1892 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\Executor.exe C:\Windows\SysWOW64\cmd.exe
PID 1892 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\Executor.exe C:\Windows\SysWOW64\cmd.exe
PID 1892 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\Executor.exe C:\Windows\SysWOW64\cmd.exe
PID 4116 wrote to memory of 3748 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 4116 wrote to memory of 3748 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 4116 wrote to memory of 3748 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 4116 wrote to memory of 2008 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4116 wrote to memory of 2008 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4116 wrote to memory of 2008 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4116 wrote to memory of 2776 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 4116 wrote to memory of 2776 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 4116 wrote to memory of 2776 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 4116 wrote to memory of 1412 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4116 wrote to memory of 1412 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4116 wrote to memory of 1412 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4116 wrote to memory of 3640 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4116 wrote to memory of 3640 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4116 wrote to memory of 3640 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4116 wrote to memory of 2452 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4116 wrote to memory of 2452 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4116 wrote to memory of 2452 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4116 wrote to memory of 3048 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4116 wrote to memory of 3048 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4116 wrote to memory of 3048 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4116 wrote to memory of 3392 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\130845\Privilege.pif
PID 4116 wrote to memory of 3392 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\130845\Privilege.pif
PID 4116 wrote to memory of 3392 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\130845\Privilege.pif
PID 4116 wrote to memory of 1792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4116 wrote to memory of 1792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4116 wrote to memory of 1792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\Executor.exe

"C:\Users\Admin\AppData\Local\Temp\Executor.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k copy Metro Metro.cmd & Metro.cmd & exit

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa.exe opssvc.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 130845

C:\Windows\SysWOW64\findstr.exe

findstr /V "InfectionIgnoreAssociateWearing" Rome

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Sigma + Eos + Brands + Blow 130845\d

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\130845\Privilege.pif

130845\Privilege.pif 130845\d

C:\Windows\SysWOW64\PING.EXE

ping -n 5 127.0.0.1

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
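
The process list above is the whole delivery chain: Executor.exe starts cmd.exe, which renames the dropped file Metro to Metro.cmd and runs it; the batch pipes tasklist into findstr twice to see whether any of six security-product processes are running, creates the 130845 folder, strips every line containing the string InfectionIgnoreAssociateWearing out of Rome to produce Privilege.pif, glues Sigma, Eos, Brands and Blow together with copy /b into a file named d, runs Privilege.pif with d as its argument, and uses ping -n 5 127.0.0.1 as a short sleep. The behavioral1 (Windows 7) run does exactly the same under the Temporary Internet Files path with folder 130825. The script below is an added example for rebuilding the two assembled artefacts from the dropped files offline and checking them against the hashes listed under Files; it is not part of the sandbox report. The emulation of findstr /V on binary input, the folder layout passed to rebuild(), and the constructed sample bytes are assumptions made for the example.

```python
r"""
Rebuild the two artefacts that the dropped batch script assembles, following
the command lines recorded in this report:

    findstr /V "InfectionIgnoreAssociateWearing" Rome   ->  130845\Privilege.pif
    copy /b Sigma + Eos + Brands + Blow 130845\d        ->  130845\d

findstr /V prints every line of Rome that does NOT contain the search string,
so lines carrying the marker are junk that the loader strips at run time.
copy /b is a raw byte-for-byte concatenation of the four chunks.
"""
import hashlib
from pathlib import Path
from typing import Dict, Iterable

MARKER = b"InfectionIgnoreAssociateWearing"

# SHA256 of the assembled files as listed under Files for behavioral2 in this
# report; compare against them when running on the real dropped files.
EXPECTED_SHA256 = {
    "Privilege.pif": "8498900e57a490404e7ec4d8159bee29aed5852ae88bd484141780eaadb727bb",
    "d": "f3c24ca299b0c9f88f55566a5f4cf1010ace547e63cecb2462eed471314d8cd5",
}


def strip_marker_lines(data: bytes, marker: bytes = MARKER) -> bytes:
    """Approximate `findstr /V "<marker>" <file>` on binary input.

    findstr splits on LF, drops each line containing the search string and
    re-emits the rest unchanged (CR bytes stay with their line). A trailing
    fragment with no LF is kept as-is. Assumption: real findstr has quirks
    with very long lines; this is close enough to rebuild the artefact and
    verify its hash.
    """
    pieces = data.split(b"\n")
    out = bytearray()
    for i, piece in enumerate(pieces):
        line = piece + (b"\n" if i < len(pieces) - 1 else b"")
        if marker not in line:
            out += line
    return bytes(out)


def concat_chunks(chunks: Iterable[bytes]) -> bytes:
    """Emulate `copy /b a + b + c + d out`: concatenate in the given order."""
    return b"".join(chunks)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def rebuild(drop_dir: Path, out_dir: Path) -> Dict[str, str]:
    """Rebuild both artefacts from a folder holding the dropped files
    (Rome, Sigma, Eos, Brands, Blow) and return {name: sha256}.
    The folder layout is an assumption for a local analysis copy."""
    out_dir.mkdir(parents=True, exist_ok=True)
    pif = strip_marker_lines((drop_dir / "Rome").read_bytes())
    d = concat_chunks((drop_dir / n).read_bytes() for n in ("Sigma", "Eos", "Brands", "Blow"))
    (out_dir / "Privilege.pif").write_bytes(pif)
    (out_dir / "d").write_bytes(d)
    digests = {"Privilege.pif": sha256_hex(pif), "d": sha256_hex(d)}
    for name, got in digests.items():
        verdict = "match" if got == EXPECTED_SHA256[name] else "MISMATCH"
        print(f"{name}: {got} ({verdict})")
    return digests


# Constructed sample input (not the real dropped files): a fake "MZ" payload
# interleaved with padding lines that carry the marker.
SAMPLE_ROME = (
    b"MZ\x90\x00binary line one\n"
    b"InfectionIgnoreAssociateWearing padding 1\n"
    b"binary line two\r\n"
    b"junk InfectionIgnoreAssociateWearing\n"
    b"final fragment without newline"
)
SAMPLE_CHUNKS = [b"\x7fPART1", b"PART2\n", b"PART3", b"PART4\x00"]

if __name__ == "__main__":
    print(strip_marker_lines(SAMPLE_ROME))
    print(sha256_hex(concat_chunks(SAMPLE_CHUNKS)))
```

Point rebuild() at a folder containing the dropped files from the Files section and the printed verdicts tell you whether the emulation reproduced the exact Privilege.pif and d the sandbox recorded; a MISMATCH on Privilege.pif usually means findstr treated a line differently than the approximation here, and the chunk order in copy /b is what determines whether d matches.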

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 bnOGPmXeWBLdpFCY.bnOGPmXeWBLdpFCY udp
US 8.8.8.8:53 18.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
BE 2.17.107.130:443 www.bing.com tcp
US 8.8.8.8:53 130.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 employeedscratshj.shop udp
US 172.67.186.163:443 employeedscratshj.shop tcp
US 8.8.8.8:53 museumtespaceorsp.shop udp
US 172.67.184.107:443 museumtespaceorsp.shop tcp
US 8.8.8.8:53 163.186.67.172.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
BE 2.17.107.107:443 www.bing.com tcp
US 8.8.8.8:53 107.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 107.184.67.172.in-addr.arpa udp
US 8.8.8.8:53 buttockdecarderwiso.shop udp
US 172.67.218.187:443 buttockdecarderwiso.shop tcp
US 8.8.8.8:53 averageaattractiionsl.shop udp
US 172.67.220.163:443 averageaattractiionsl.shop tcp
US 8.8.8.8:53 femininiespywageg.shop udp
US 104.21.71.3:443 femininiespywageg.shop tcp
US 8.8.8.8:53 187.218.67.172.in-addr.arpa udp
US 8.8.8.8:53 163.220.67.172.in-addr.arpa udp
US 8.8.8.8:53 employhabragaomlsp.shop udp
US 104.21.85.81:443 employhabragaomlsp.shop tcp
US 8.8.8.8:53 3.71.21.104.in-addr.arpa udp
US 8.8.8.8:53 stalfbaclcalorieeis.shop udp
US 104.21.3.197:443 stalfbaclcalorieeis.shop tcp
US 8.8.8.8:53 civilianurinedtsraov.shop udp
US 172.67.197.146:443 civilianurinedtsraov.shop tcp
US 8.8.8.8:53 81.85.21.104.in-addr.arpa udp
US 8.8.8.8:53 roomabolishsnifftwk.shop udp
US 172.67.146.92:443 roomabolishsnifftwk.shop tcp
US 8.8.8.8:53 146.197.67.172.in-addr.arpa udp
US 8.8.8.8:53 92.146.67.172.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Metro

MD5 529318b4637822bb81772a455bea46c7
SHA1 3b7848e175f78066c4fd2f8be16360c6d2b91900
SHA256 4f135f7ce8dfcddd12a5cb395dc0b5960d07da0b8e2be9190387f30e4465f580
SHA512 7311284add8ce333274cb8d6dffe008741acc72edca661e8793af62d11a0250fe6c28ad2ef17a89c42a76f1b067d359eea7dfd29456e4f89f58d8da17ae880f4

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Rome

MD5 a81b50587fffe8e1b1cfc3a36cefa803
SHA1 93ea5dd986f8874c276b8577834ce50c6657464c
SHA256 b0d6c11a0d73a8b097a1d1ed0243aeecc551dc9560689c832ebf1d4663ab0a49
SHA512 980eb2c3cd5ef1c936f4dfbb44395867346e0e3647610c8069ee70f07be5b7d2e974bf29ea38a77804fad77272aef9e26170353c6d1a88a43ec75aa843f82197

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Singh

MD5 fe625ed79aeef81fcd7d06ad55e0a64e
SHA1 595c78b50c735fcd6052df9545aa279f1b6c5d2c
SHA256 2e2756802e58e5cce0f5c54dbe1cd75ca0e04f77bf745f5615f1ff002a95c8fb
SHA512 1e70fa190f19aee7068a3eb0931364ac3e06b7a06aad44c713db888879872a7bbf6cb2adbd1f97237f7a68bbdd04038aa5ecc2739a3f7c5ffc1aa8c2df2443ca

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Birds

MD5 061e6ab37aaeeefefe843608e4a83e07
SHA1 520ef9065524b92dc02018f1f691f1cf73f977a7
SHA256 d4c724c047ccc8ba8255461952a72ae9ccd32c3ea5a2212e630bcb53027de2fd
SHA512 eba212ebfe9938b290261b6065289c94c8b1028e20039b0f3b986d4398b9b6149e94965a824405f412d7d712e9263163862cba4d1504401e972af4b6a67ffe00

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Director

MD5 2bfd98e50bef1683cb5a0f353ed97d3e
SHA1 fc3c8acd8bf5da7068b0d6253d7ec9cc019dccd3
SHA256 dca382a4d289a0ec7588b117b2615636f1db5538bb2e4d9f26362af2577b9600
SHA512 283588b37a484acb53d511b21d2cc393131be40b3b0784c9cde0fa4e7f79c865a609e73ec1339bf91b5dce433e8235e1998f098e9311f48e01f2437f51c8bf59

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Task

MD5 5ee3af1803c12416a3ec9244d9fda5f9
SHA1 109b43cfcd6ffbddb2c96f76e3586c91f38d9d45
SHA256 9d0e1fa7ed2c3905b372db6154a19f734025f3a2e977d5f4b9f76070cc8589db
SHA512 99fdda1a014e7eb100d992475350c581d2ca0024c4f6c2dbcc7ee09df3bb1395797cd17b7f59ae2b9dc6b829a02e749d60ba595e9d29d248fd2f84cb5616e038

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Ghana

MD5 1aa8c7aa85671acc44078621388c6aa4
SHA1 4c442a9fa86838025aca4a65cbdae3ec444175e5
SHA256 1cca146f78ec42806dcffcbc8d520d7c896363700db4b52421cf2fadbe738ade
SHA512 dcc1ab9febd25564696a38d5790b50afd6761a468417a41a049e252f738395fb0e0aa1ea309ca307c8b53f5dacb9442fa4ae89fb5923ea7f05eb554535617a17

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Showers

MD5 d2d5406873838230085ddf08c7479678
SHA1 f9d5e93bad73173b1c455671a5c83f3768b94e74
SHA256 33cfaac76dc8fad958a8822cd776fb40a2abee77a497b018b4907e01dc530866
SHA512 8930d62670a7ac69b965477fe45135058a531817d7bc3ebf937390f7ca20cc11e58585824395ee4f324595ff807fbf76463a101a43ee2b3bedb5e02bf94a88d7

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Inns

MD5 d1e101e9f46d0b73a4b5511c4a80acd7
SHA1 f91f20bde323bf0bc707674013b3d8e1e00f2263
SHA256 482ec36107781521a60e9a87a5daa386743ead904c7afd85803f23b0b4e13f8a
SHA512 f38272d8d10052b959547c957f512c5f45610e0aeeb5978c34ec25527af1c6ad323fa30357c84d41017d0793330c6b1ddeaacff48edab3d62decd125c90c0345

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Coordination

MD5 892f570c0fc0e834a71dd9bb5e67606e
SHA1 41309f1a1ff910208ff14aa64fb2e1a542bd5c5b
SHA256 6ed06c1942381c70c72ec240d3903e14392e14b97a1222e4d4122de6a54038d7
SHA512 9dac0439df7ccec2924bb776ec534b57c113fb87c59b80011b3c492065f8cbf582130a0fb0095dd6a4a0e8adc4ba3e7b19041f857ef70a90e1fa7c9d783db372

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Constant

MD5 38aa563b528925068c1f6d6b9af55d73
SHA1 e8f8741f0951a711c11242d18ad7539f5cd1d518
SHA256 c7ad37c1a3763ab5088d6669833e4385de3bf6a88e44df74fa1f557a3e5d1ed0
SHA512 c3dec23b493dff7d5f8858fc32e19329394c10f983d0821a71428b3f50f7c2efad0e7721a8bef23fa91173f99797aee6bf965b28d538e69ed5397bc8d19bcef2

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Quite

MD5 71006ce34e715137a7610d11e852fbe6
SHA1 296282c5858f258e11ab9bf05fd552a37c9e2aaa
SHA256 3f663d70bbbb50e83a21d0e92c3cdf6c435c76c81f796a095f4647acfc89de52
SHA512 220c38efbffcfdb682911e3dda7c14a547dea1b9eb4682e2011b3e9a9e2c18308dc77ec85b25a60a179953ecc2319be6ed3aa4e511bd3fa83541b11b2c5b1411

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Laid

MD5 67f0dc55bcc26b8dc34558f23fecb60b
SHA1 af768a87d1cea6a9b00891fe57c0e82ded54cdc5
SHA256 28f973112d9b1103c7fbc01ff733477af543b0cb4946fa7fa526ffb96bf1a39b
SHA512 d513196240c2f1dd7a5bc15f27efbe8f84a3e1f589aa8345ac55b07ae0536e71099c35ecdc30e7075d746410fe47bc2c997c11dfbe46941544c6080a50cc3dea

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Sharon

MD5 2b05aabcaf790eadde849a6d4b54253d
SHA1 742162373e4d0a9c575f5985f12c32da4c65c176
SHA256 feb7374a70e68a1cc672b06d9c0cd0fdebcd4c4efb48a689044f60b17d13495a
SHA512 3429903cf1aec713b25d266d6c76f9707dc3c6bb07c31fc336d967606205875d0e3781e719f106a0145e6b9e6914a558dbbc98d0dabe87723d98853a6a44146f

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Providence

MD5 decd26014fbd5abe6ed80b7583dc527a
SHA1 aa91f6cbdada247440efff25949babf848170129
SHA256 e9f3ad3b58e254dc9de4e5b86b7d5b46757929586ac2944a7ba5202513b26ab3
SHA512 d5f83539ffe74ddb6eefa32275d64f39ba137705f0ee84f87f17da0a208de67dfca2da53df09f08c014e138753d22e6c8433c9e820fa43f2775a2e6fb5a98aff

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Viruses

MD5 37bff008c6fe8861842a0a3e36b7f746
SHA1 4fae05e6690e0069bdc8c8348f69446b1cd89aca
SHA256 ccfb6cc405f8d43769669941e99813ce9e5d55c850abe192b2a69c5984fcc9d0
SHA512 b3f335e9dcfdd3b39f28e9a57bcfc85a25cead5c9c2b684c9791a6af28496230514b23f8c580995d561d57b898796b47615c1d6cb1511bd755a3ef2bb8e638a8

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Viagra

MD5 7b6fb0ecb28ea334f6a76912da366dfc
SHA1 2447a7bccf099779c2eee1b4d344c75cd8dff49d
SHA256 ea7cb8ac2eb3fdd83853edefdaa2024abef510c9a25154498c3427cab75d8779
SHA512 c72b731086f4d0e5dc86ff12795f09275611908f4cc543106a78f62b6068d39ae7454ae00e71dffdeb723ba1c97c628476e0c347d3f646ebb169ccd905bd4f66

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Prison

MD5 66ffc62dbafb938f66464610d6511b11
SHA1 dc1744680db6152b0881ebd0a262916a63bed0ae
SHA256 8932b1f713a396fdd5324100dacf7d0051b9b5b3d323b0493b0c0d7f252acf90
SHA512 844bc2a3c037cba10655298d972497693e3cf24f3a95757c97130705570a50e29dc40ecc5f8b51ed4b8e95d1f4fd67e5dcaba8ea1f1de34ed2a99ad263e2dcac

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Arm

MD5 1a16c56400ede15690fc870e1053e223
SHA1 703362b886a1c6713a896cc5755d05e06311b91f
SHA256 dbdf08b64842d4f00367c25da43cca6bf85fab72a9c55b6d06cd0b0e5ec31faf
SHA512 0f35abf084a9a282819d841cb70be22560e903b05cbbdf9ef4aced9854a252c5b76a70dfa07af381a708da25b1d86f823d2697e71bd4ed9a490ca86d457abad1

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Follows

MD5 6d6e6ddd5cfee1050fee08f02749e7fc
SHA1 c03520e023c05c002e6eca1aebbc328d1fe18343
SHA256 7bc69d65942991ba08d04713989e50dfb777585428cd2eb735efc3c463a3fd8f
SHA512 b3073852962847847cd9b0a9f9faace556ebd83ac7499cf684e8328b8304e6eb8fd6aa48873ed395bd26c3fa9c9997050a68f3e796613742a0b6feada42e80cb

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Submission

MD5 c1d093c050669eb14404d62e217756e9
SHA1 10175077e7e90e406979e0bd59a24ceb577b41df
SHA256 500482c1f24463a3b6a5a44eea28173f68278433efde17471e69ca4f64ffa616
SHA512 78ef0c1319b255b4444cce8fdd9adadfcaecade22d67231bf8c2d9813d93b7d9b594e61481a64a7f306d6c35603dd62e25e437bd8e5ac14b5014250a303f5d2d

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Jesse

MD5 cf276a25adaf52a56d239fe985490455
SHA1 fc15727354542eca8cd996113a981385f9ecded0
SHA256 0b58d77540928e63d40b86fa1e19e8c855cfbc3a6e4909b501106571711c00d4
SHA512 386673fc22f56e169c4142fcf8f55df469d84dea527d42bf8020bcd87018f1a7d6109ccaa2dd428222c5b1c50474c5a8717b1e2e9ef15bed30ec09cf21468e07

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Smtp

MD5 2f32c58d36254a94c201b6c9e91ece87
SHA1 4ecb74faa65bef9d83a104a6c61b18ffd695d447
SHA256 50000c49e90d5d64e12267bcd640a927f879aab6e3ca8983b2134652de889b15
SHA512 3321d89cc96e2f9ff16b3a7c5363363f24987fa9ce5a328988cdfc834ce2313affb095d9276afc263179edc4f5d6e6b40ec7017a7e2a3b6395ee9b952f9cb0f9

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Cnetcom

MD5 34b02e5084dda63a75ae542c81fde8fc
SHA1 067316a417545e56bcef48a18590922f857e606e
SHA256 d477894f3d86ae890b109d5780038519e116704cc6395389fb4e8d9cb7c8a8b2
SHA512 4e2b9158f1d7b8af017ea05746086a1ba2097302dadb4e1e45e6d51553485f3f31cf20c6804e31c03b9b404670b71940918428e1e18e1573f52cfb80dc2ff14a

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Em

MD5 044674df6d2fb6c5395f795b52a5e8cd
SHA1 8c2103dbd136902dd623c6359494fffa2facc8ed
SHA256 b601e90d114dc793eae0dcfb1cdf6f60559d757306d3262daa9195536d0d7075
SHA512 b333d2a6fc8a11befe3d45c6d557713344fedaab513fd025022f5cf1b24131c02f8e9a1a5ccc99b70e17523d00eccabb68695a55cc26d613c367785d15d716f0

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Sigma

MD5 99bb55b842811deda1364bd60cccc858
SHA1 3f4f212b2be26f708f97455703bb0cd339c2bb1d
SHA256 a5261b273662aa0beddcd849073c64493d0c9a3e2b9645ffa0caedc0f76b27ac
SHA512 a5ccd3b853d608f010e57246aebb064356a69466a4508ae7b27aa70f5e7a77262e93f6bce69b5dd654583f03616d7299669f4ef4c208ae9c81f2dba69ab723ac

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Eos

MD5 323eed53c9441cad43c3b022f4c78a62
SHA1 7340809c3bf99b0c7c12855503d131fab56ff724
SHA256 eca98f09593aeb1e80faf85b1382b81b4d41505907895c3aa85014857d590bac
SHA512 894682d9104ab09e7412d27ff0c3accdb23439c3fc54aa4d1fa2eab1dfb74c46e1da0a7783491107dffb9fa5f8eace8fe7b43c36d40f4972b1271237e7107568

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Brands

MD5 a28c5d0fd153e738bd7490d40a7f90aa
SHA1 7f90643dbe9b2299d6e5ad8ea8ce399fb17f2729
SHA256 11d60f1410e177bd60f74bedb9b9075753b01da04cc345592aa15a162d523645
SHA512 66c07d5ecb31dd499380a9387b8c99e985ba9a4c51f816ec6d22ce7792babc2f55a0c1c68038582f2bfdca8d229d0e48edeb58081a51d66a0c689b2c8dddd3c2

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Blow

MD5 6e3ae77006b653af3b7acb1fa4fbd4a2
SHA1 a11c0a1bcba10e60ce20e54b01f88974979fe4b6
SHA256 130a1ad302d586e32ed226565b1972d65fff771141a41591c0a8c7d9e6dc7156
SHA512 d54b4becbae6d2fdc5334f9e6268d875b46938936ff474328034388d15821fc54984167b74bc8c61103691101b31c4322741087ed2f5c90446a6de1324c43a32

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\130845\Privilege.pif

MD5 b06e67f9767e5023892d9698703ad098
SHA1 acc07666f4c1d4461d3e1c263cf6a194a8dd1544
SHA256 8498900e57a490404e7ec4d8159bee29aed5852ae88bd484141780eaadb727bb
SHA512 7972c78acebdd86c57d879c12cb407120155a24a52fda23ddb7d9e181dd59dac1eb74f327817adbc364d37c8dc704f8236f3539b4d3ee5a022814924a1616943

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\130845\d

MD5 5cbe1af51900d5ef5bfcb4fdb4ea1c4a
SHA1 36c2d18e732550e1f4b4f900d03d1e3054596d37
SHA256 f3c24ca299b0c9f88f55566a5f4cf1010ace547e63cecb2462eed471314d8cd5
SHA512 08e3363f4926bd14c3c7423aeeeb1220403372b501e1c709629d7308969adbe3fda58b414bfbc6c0e08461b592eb0018f9a98f6c51867fc5e2b572b709365e08

memory/3392-464-0x00000000043C0000-0x0000000004415000-memory.dmp

memory/3392-466-0x00000000043C0000-0x0000000004415000-memory.dmp

memory/3392-465-0x00000000043C0000-0x0000000004415000-memory.dmp

memory/3392-467-0x00000000043C0000-0x0000000004415000-memory.dmp

memory/3392-468-0x00000000043C0000-0x0000000004415000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-19 16:01

Reported

2024-05-19 16:05

Platform

win7-20240221-en

Max time kernel

117s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Executor.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\130825\Privilege.pif N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Enumerates physical storage devices

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2264 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\Executor.exe C:\Windows\SysWOW64\cmd.exe
PID 2264 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\Executor.exe C:\Windows\SysWOW64\cmd.exe
PID 2264 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\Executor.exe C:\Windows\SysWOW64\cmd.exe
PID 2264 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\Executor.exe C:\Windows\SysWOW64\cmd.exe
PID 2564 wrote to memory of 876 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2564 wrote to memory of 876 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2564 wrote to memory of 876 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2564 wrote to memory of 876 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2564 wrote to memory of 2144 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2564 wrote to memory of 2144 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2564 wrote to memory of 2144 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2564 wrote to memory of 2144 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2564 wrote to memory of 1916 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2564 wrote to memory of 1916 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2564 wrote to memory of 1916 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2564 wrote to memory of 1916 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2564 wrote to memory of 2548 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2564 wrote to memory of 2548 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2564 wrote to memory of 2548 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2564 wrote to memory of 2548 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2564 wrote to memory of 2560 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2564 wrote to memory of 2560 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2564 wrote to memory of 2560 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2564 wrote to memory of 2560 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2564 wrote to memory of 2524 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2564 wrote to memory of 2524 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2564 wrote to memory of 2524 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2564 wrote to memory of 2524 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2564 wrote to memory of 2852 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2564 wrote to memory of 2852 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2564 wrote to memory of 2852 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2564 wrote to memory of 2852 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2564 wrote to memory of 1196 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\130825\Privilege.pif
PID 2564 wrote to memory of 1196 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\130825\Privilege.pif
PID 2564 wrote to memory of 1196 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\130825\Privilege.pif
PID 2564 wrote to memory of 1196 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\130825\Privilege.pif
PID 2564 wrote to memory of 2384 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2564 wrote to memory of 2384 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2564 wrote to memory of 2384 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2564 wrote to memory of 2384 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\Executor.exe

"C:\Users\Admin\AppData\Local\Temp\Executor.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k copy Metro Metro.cmd & Metro.cmd & exit

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa.exe opssvc.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 130825

C:\Windows\SysWOW64\findstr.exe

findstr /V "InfectionIgnoreAssociateWearing" Rome

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Sigma + Eos + Brands + Blow 130825\d

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\130825\Privilege.pif

130825\Privilege.pif 130825\d

C:\Windows\SysWOW64\PING.EXE

ping -n 5 127.0.0.1

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"
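
Both detonations produce the same sequence of child processes under one cmd.exe: a dropped file copied to a .cmd and executed, tasklist piped into findstr for security-product names, findstr /V to strip a marker string out of a dropped file, copy /b to reassemble chunks, a .pif launched from the browser cache folder, and ping against 127.0.0.1 as a delay. The code below is an added detection example, not part of the sandbox report: it classifies process-creation events into those stages and reports a cmd.exe only when several distinct stages hang off it, so a lone ping-based sleep in an admin script does not fire. The sample events are constructed from the behavioral2 command lines and PIDs; which findstr or cmd child ran which command line is assumed from their order in the report, the parent PID 1000 for Executor.exe is invented, and the event shape (pid, ppid, image, cmdline) is assumed to match what a Sysmon- or EDR-style feed delivers.

```python
"""
Detection logic for the batch-loader chain seen in both detonations of this
report, run over constructed process-creation events (pid, ppid, image,
command line), as a Sysmon- or EDR-style feed would deliver them.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Security product process names the dropped batch looks for with
# `tasklist | findstr /I ...`, taken from the findstr command lines above.
AV_PROCS = {"wrsa.exe", "opssvc.exe", "avastui.exe", "avgui.exe",
            "nswscsvc.exe", "sophoshealth.exe"}

# cmd.exe /k copy <X> <X>.cmd & <X>.cmd : a dropped file renamed to .cmd and run
STAGE_BATCH = re.compile(r"copy\s+(\S+)\s+\1\.cmd\s*&\s*\1\.cmd", re.I)
# findstr /V "<marker>" <file> : strip marker lines out of a dropped file
STRIP_MARKER = re.compile(r'findstr\s+/V\s+"[^"]+"\s+\S+', re.I)
# copy /b a + b + c ... out : reassemble a payload from chunks
CONCAT = re.compile(r"copy\s+/b\s+\S+(?:\s*\+\s*\S+)+\s+\S+", re.I)
# ping -n N 127.0.0.1 : the classic cmd.exe sleep
PING_SLEEP = re.compile(r"ping\s+-n\s+\d+\s+127\.0\.0\.1", re.I)
# browser-cache folder names used by the Windows 10 and Windows 7 runs
CACHE_DIR = re.compile(r"\\(INetCache|Temporary Internet Files)\\", re.I)


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


def classify(ev: ProcEvent) -> Optional[str]:
    """Return the loader stage this event matches, or None."""
    name = ev.image.rsplit("\\", 1)[-1].lower()
    cl = ev.cmdline
    if name == "cmd.exe":
        if STAGE_BATCH.search(cl):
            return "stage_batch"
        if CONCAT.search(cl):
            return "concat_chunks"
    elif name == "findstr.exe":
        tokens = {t.strip('"').lower() for t in cl.split()}
        if tokens & AV_PROCS:
            return "av_check"
        if STRIP_MARKER.search(cl):
            return "strip_marker"
    elif name == "ping.exe":
        if PING_SLEEP.search(cl):
            return "ping_sleep"
    elif name.endswith(".pif") and CACHE_DIR.search(ev.image):
        return "run_pif"
    return None


def find_chains(events: List[ProcEvent], min_stages: int = 4) -> Dict[int, List[str]]:
    """Group stage hits by the cmd.exe that runs the batch: the batch cmd.exe is
    keyed by its own pid, every other stage by its parent pid. A pid is
    reported when at least min_stages distinct stages hang off it."""
    stages: Dict[int, set] = defaultdict(set)
    for ev in events:
        stage = classify(ev)
        if stage is None:
            continue
        key = ev.pid if stage == "stage_batch" else ev.ppid
        stages[key].add(stage)
    return {pid: sorted(s) for pid, s in stages.items() if len(s) >= min_stages}


# Constructed events reproducing the behavioral2 process tree. PIDs come from
# the WriteProcessMemory rows; which findstr/cmd child ran which command line
# is assumed from their order in the report.
WIN = r"C:\Windows\SysWOW64"
CACHE = r"C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache"
SAMPLE_EVENTS = [
    ProcEvent(1892, 1000, r"C:\Users\Admin\AppData\Local\Temp\Executor.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\Executor.exe"'),
    ProcEvent(4116, 1892, WIN + r"\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /k copy Metro Metro.cmd & Metro.cmd & exit'),
    ProcEvent(3748, 4116, WIN + r"\tasklist.exe", "tasklist"),
    ProcEvent(2008, 4116, WIN + r"\findstr.exe", 'findstr /I "wrsa.exe opssvc.exe"'),
    ProcEvent(2776, 4116, WIN + r"\tasklist.exe", "tasklist"),
    ProcEvent(1412, 4116, WIN + r"\findstr.exe",
              'findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"'),
    ProcEvent(3640, 4116, WIN + r"\cmd.exe", "cmd /c md 130845"),
    ProcEvent(2452, 4116, WIN + r"\findstr.exe",
              'findstr /V "InfectionIgnoreAssociateWearing" Rome'),
    ProcEvent(3048, 4116, WIN + r"\cmd.exe",
              r"cmd /c copy /b Sigma + Eos + Brands + Blow 130845\d"),
    ProcEvent(3392, 4116, CACHE + r"\130845\Privilege.pif", r"130845\Privilege.pif 130845\d"),
    ProcEvent(1792, 4116, WIN + r"\PING.EXE", "ping -n 5 127.0.0.1"),
    # benign noise: an admin script sleeping with ping under its own cmd.exe
    ProcEvent(5001, 5000, WIN + r"\PING.EXE", "ping -n 5 127.0.0.1"),
]

if __name__ == "__main__":
    for pid, stages in find_chains(SAMPLE_EVENTS).items():
        print(f"cmd.exe pid {pid}: {', '.join(stages)}")
```

The stage regexes deliberately avoid the file names Metro, Rome, Sigma and the folder number, which change per sample; the shape of the commands (rename-to-.cmd, AV name list, findstr /V, copy /b with plus signs, a .pif under the browser cache, loopback ping) is what carries over between builds, and requiring several stages under one parent keeps a single matching command from paging anyone.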

Network

Country Destination Domain Proto
US 8.8.8.8:53 bnOGPmXeWBLdpFCY.bnOGPmXeWBLdpFCY udp

Files

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Metro

MD5 529318b4637822bb81772a455bea46c7
SHA1 3b7848e175f78066c4fd2f8be16360c6d2b91900
SHA256 4f135f7ce8dfcddd12a5cb395dc0b5960d07da0b8e2be9190387f30e4465f580
SHA512 7311284add8ce333274cb8d6dffe008741acc72edca661e8793af62d11a0250fe6c28ad2ef17a89c42a76f1b067d359eea7dfd29456e4f89f58d8da17ae880f4

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Rome

MD5 a81b50587fffe8e1b1cfc3a36cefa803
SHA1 93ea5dd986f8874c276b8577834ce50c6657464c
SHA256 b0d6c11a0d73a8b097a1d1ed0243aeecc551dc9560689c832ebf1d4663ab0a49
SHA512 980eb2c3cd5ef1c936f4dfbb44395867346e0e3647610c8069ee70f07be5b7d2e974bf29ea38a77804fad77272aef9e26170353c6d1a88a43ec75aa843f82197

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Singh

MD5 fe625ed79aeef81fcd7d06ad55e0a64e
SHA1 595c78b50c735fcd6052df9545aa279f1b6c5d2c
SHA256 2e2756802e58e5cce0f5c54dbe1cd75ca0e04f77bf745f5615f1ff002a95c8fb
SHA512 1e70fa190f19aee7068a3eb0931364ac3e06b7a06aad44c713db888879872a7bbf6cb2adbd1f97237f7a68bbdd04038aa5ecc2739a3f7c5ffc1aa8c2df2443ca

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Birds

MD5 061e6ab37aaeeefefe843608e4a83e07
SHA1 520ef9065524b92dc02018f1f691f1cf73f977a7
SHA256 d4c724c047ccc8ba8255461952a72ae9ccd32c3ea5a2212e630bcb53027de2fd
SHA512 eba212ebfe9938b290261b6065289c94c8b1028e20039b0f3b986d4398b9b6149e94965a824405f412d7d712e9263163862cba4d1504401e972af4b6a67ffe00

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Director

MD5 2bfd98e50bef1683cb5a0f353ed97d3e
SHA1 fc3c8acd8bf5da7068b0d6253d7ec9cc019dccd3
SHA256 dca382a4d289a0ec7588b117b2615636f1db5538bb2e4d9f26362af2577b9600
SHA512 283588b37a484acb53d511b21d2cc393131be40b3b0784c9cde0fa4e7f79c865a609e73ec1339bf91b5dce433e8235e1998f098e9311f48e01f2437f51c8bf59

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Task

MD5 5ee3af1803c12416a3ec9244d9fda5f9
SHA1 109b43cfcd6ffbddb2c96f76e3586c91f38d9d45
SHA256 9d0e1fa7ed2c3905b372db6154a19f734025f3a2e977d5f4b9f76070cc8589db
SHA512 99fdda1a014e7eb100d992475350c581d2ca0024c4f6c2dbcc7ee09df3bb1395797cd17b7f59ae2b9dc6b829a02e749d60ba595e9d29d248fd2f84cb5616e038

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Ghana

MD5 1aa8c7aa85671acc44078621388c6aa4
SHA1 4c442a9fa86838025aca4a65cbdae3ec444175e5
SHA256 1cca146f78ec42806dcffcbc8d520d7c896363700db4b52421cf2fadbe738ade
SHA512 dcc1ab9febd25564696a38d5790b50afd6761a468417a41a049e252f738395fb0e0aa1ea309ca307c8b53f5dacb9442fa4ae89fb5923ea7f05eb554535617a17

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Showers

MD5 d2d5406873838230085ddf08c7479678
SHA1 f9d5e93bad73173b1c455671a5c83f3768b94e74
SHA256 33cfaac76dc8fad958a8822cd776fb40a2abee77a497b018b4907e01dc530866
SHA512 8930d62670a7ac69b965477fe45135058a531817d7bc3ebf937390f7ca20cc11e58585824395ee4f324595ff807fbf76463a101a43ee2b3bedb5e02bf94a88d7

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Inns

MD5 d1e101e9f46d0b73a4b5511c4a80acd7
SHA1 f91f20bde323bf0bc707674013b3d8e1e00f2263
SHA256 482ec36107781521a60e9a87a5daa386743ead904c7afd85803f23b0b4e13f8a
SHA512 f38272d8d10052b959547c957f512c5f45610e0aeeb5978c34ec25527af1c6ad323fa30357c84d41017d0793330c6b1ddeaacff48edab3d62decd125c90c0345

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Coordination

MD5 892f570c0fc0e834a71dd9bb5e67606e
SHA1 41309f1a1ff910208ff14aa64fb2e1a542bd5c5b
SHA256 6ed06c1942381c70c72ec240d3903e14392e14b97a1222e4d4122de6a54038d7
SHA512 9dac0439df7ccec2924bb776ec534b57c113fb87c59b80011b3c492065f8cbf582130a0fb0095dd6a4a0e8adc4ba3e7b19041f857ef70a90e1fa7c9d783db372

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Constant

MD5 38aa563b528925068c1f6d6b9af55d73
SHA1 e8f8741f0951a711c11242d18ad7539f5cd1d518
SHA256 c7ad37c1a3763ab5088d6669833e4385de3bf6a88e44df74fa1f557a3e5d1ed0
SHA512 c3dec23b493dff7d5f8858fc32e19329394c10f983d0821a71428b3f50f7c2efad0e7721a8bef23fa91173f99797aee6bf965b28d538e69ed5397bc8d19bcef2

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Quite

MD5 71006ce34e715137a7610d11e852fbe6
SHA1 296282c5858f258e11ab9bf05fd552a37c9e2aaa
SHA256 3f663d70bbbb50e83a21d0e92c3cdf6c435c76c81f796a095f4647acfc89de52
SHA512 220c38efbffcfdb682911e3dda7c14a547dea1b9eb4682e2011b3e9a9e2c18308dc77ec85b25a60a179953ecc2319be6ed3aa4e511bd3fa83541b11b2c5b1411

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Laid

MD5 67f0dc55bcc26b8dc34558f23fecb60b
SHA1 af768a87d1cea6a9b00891fe57c0e82ded54cdc5
SHA256 28f973112d9b1103c7fbc01ff733477af543b0cb4946fa7fa526ffb96bf1a39b
SHA512 d513196240c2f1dd7a5bc15f27efbe8f84a3e1f589aa8345ac55b07ae0536e71099c35ecdc30e7075d746410fe47bc2c997c11dfbe46941544c6080a50cc3dea

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Sharon

MD5 2b05aabcaf790eadde849a6d4b54253d
SHA1 742162373e4d0a9c575f5985f12c32da4c65c176
SHA256 feb7374a70e68a1cc672b06d9c0cd0fdebcd4c4efb48a689044f60b17d13495a
SHA512 3429903cf1aec713b25d266d6c76f9707dc3c6bb07c31fc336d967606205875d0e3781e719f106a0145e6b9e6914a558dbbc98d0dabe87723d98853a6a44146f

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Providence

MD5 decd26014fbd5abe6ed80b7583dc527a
SHA1 aa91f6cbdada247440efff25949babf848170129
SHA256 e9f3ad3b58e254dc9de4e5b86b7d5b46757929586ac2944a7ba5202513b26ab3
SHA512 d5f83539ffe74ddb6eefa32275d64f39ba137705f0ee84f87f17da0a208de67dfca2da53df09f08c014e138753d22e6c8433c9e820fa43f2775a2e6fb5a98aff

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Viruses

MD5 37bff008c6fe8861842a0a3e36b7f746
SHA1 4fae05e6690e0069bdc8c8348f69446b1cd89aca
SHA256 ccfb6cc405f8d43769669941e99813ce9e5d55c850abe192b2a69c5984fcc9d0
SHA512 b3f335e9dcfdd3b39f28e9a57bcfc85a25cead5c9c2b684c9791a6af28496230514b23f8c580995d561d57b898796b47615c1d6cb1511bd755a3ef2bb8e638a8

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Viagra

MD5 7b6fb0ecb28ea334f6a76912da366dfc
SHA1 2447a7bccf099779c2eee1b4d344c75cd8dff49d
SHA256 ea7cb8ac2eb3fdd83853edefdaa2024abef510c9a25154498c3427cab75d8779
SHA512 c72b731086f4d0e5dc86ff12795f09275611908f4cc543106a78f62b6068d39ae7454ae00e71dffdeb723ba1c97c628476e0c347d3f646ebb169ccd905bd4f66

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Prison

MD5 66ffc62dbafb938f66464610d6511b11
SHA1 dc1744680db6152b0881ebd0a262916a63bed0ae
SHA256 8932b1f713a396fdd5324100dacf7d0051b9b5b3d323b0493b0c0d7f252acf90
SHA512 844bc2a3c037cba10655298d972497693e3cf24f3a95757c97130705570a50e29dc40ecc5f8b51ed4b8e95d1f4fd67e5dcaba8ea1f1de34ed2a99ad263e2dcac

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Arm

MD5 1a16c56400ede15690fc870e1053e223
SHA1 703362b886a1c6713a896cc5755d05e06311b91f
SHA256 dbdf08b64842d4f00367c25da43cca6bf85fab72a9c55b6d06cd0b0e5ec31faf
SHA512 0f35abf084a9a282819d841cb70be22560e903b05cbbdf9ef4aced9854a252c5b76a70dfa07af381a708da25b1d86f823d2697e71bd4ed9a490ca86d457abad1

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Follows

MD5 6d6e6ddd5cfee1050fee08f02749e7fc
SHA1 c03520e023c05c002e6eca1aebbc328d1fe18343
SHA256 7bc69d65942991ba08d04713989e50dfb777585428cd2eb735efc3c463a3fd8f
SHA512 b3073852962847847cd9b0a9f9faace556ebd83ac7499cf684e8328b8304e6eb8fd6aa48873ed395bd26c3fa9c9997050a68f3e796613742a0b6feada42e80cb

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Submission

MD5 c1d093c050669eb14404d62e217756e9
SHA1 10175077e7e90e406979e0bd59a24ceb577b41df
SHA256 500482c1f24463a3b6a5a44eea28173f68278433efde17471e69ca4f64ffa616
SHA512 78ef0c1319b255b4444cce8fdd9adadfcaecade22d67231bf8c2d9813d93b7d9b594e61481a64a7f306d6c35603dd62e25e437bd8e5ac14b5014250a303f5d2d

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Jesse

MD5 cf276a25adaf52a56d239fe985490455
SHA1 fc15727354542eca8cd996113a981385f9ecded0
SHA256 0b58d77540928e63d40b86fa1e19e8c855cfbc3a6e4909b501106571711c00d4
SHA512 386673fc22f56e169c4142fcf8f55df469d84dea527d42bf8020bcd87018f1a7d6109ccaa2dd428222c5b1c50474c5a8717b1e2e9ef15bed30ec09cf21468e07

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Smtp

MD5 2f32c58d36254a94c201b6c9e91ece87
SHA1 4ecb74faa65bef9d83a104a6c61b18ffd695d447
SHA256 50000c49e90d5d64e12267bcd640a927f879aab6e3ca8983b2134652de889b15
SHA512 3321d89cc96e2f9ff16b3a7c5363363f24987fa9ce5a328988cdfc834ce2313affb095d9276afc263179edc4f5d6e6b40ec7017a7e2a3b6395ee9b952f9cb0f9

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Cnetcom

MD5 34b02e5084dda63a75ae542c81fde8fc
SHA1 067316a417545e56bcef48a18590922f857e606e
SHA256 d477894f3d86ae890b109d5780038519e116704cc6395389fb4e8d9cb7c8a8b2
SHA512 4e2b9158f1d7b8af017ea05746086a1ba2097302dadb4e1e45e6d51553485f3f31cf20c6804e31c03b9b404670b71940918428e1e18e1573f52cfb80dc2ff14a

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Em

MD5 044674df6d2fb6c5395f795b52a5e8cd
SHA1 8c2103dbd136902dd623c6359494fffa2facc8ed
SHA256 b601e90d114dc793eae0dcfb1cdf6f60559d757306d3262daa9195536d0d7075
SHA512 b333d2a6fc8a11befe3d45c6d557713344fedaab513fd025022f5cf1b24131c02f8e9a1a5ccc99b70e17523d00eccabb68695a55cc26d613c367785d15d716f0

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Sigma

MD5 99bb55b842811deda1364bd60cccc858
SHA1 3f4f212b2be26f708f97455703bb0cd339c2bb1d
SHA256 a5261b273662aa0beddcd849073c64493d0c9a3e2b9645ffa0caedc0f76b27ac
SHA512 a5ccd3b853d608f010e57246aebb064356a69466a4508ae7b27aa70f5e7a77262e93f6bce69b5dd654583f03616d7299669f4ef4c208ae9c81f2dba69ab723ac

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Eos

MD5 323eed53c9441cad43c3b022f4c78a62
SHA1 7340809c3bf99b0c7c12855503d131fab56ff724
SHA256 eca98f09593aeb1e80faf85b1382b81b4d41505907895c3aa85014857d590bac
SHA512 894682d9104ab09e7412d27ff0c3accdb23439c3fc54aa4d1fa2eab1dfb74c46e1da0a7783491107dffb9fa5f8eace8fe7b43c36d40f4972b1271237e7107568

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Brands

MD5 a28c5d0fd153e738bd7490d40a7f90aa
SHA1 7f90643dbe9b2299d6e5ad8ea8ce399fb17f2729
SHA256 11d60f1410e177bd60f74bedb9b9075753b01da04cc345592aa15a162d523645
SHA512 66c07d5ecb31dd499380a9387b8c99e985ba9a4c51f816ec6d22ce7792babc2f55a0c1c68038582f2bfdca8d229d0e48edeb58081a51d66a0c689b2c8dddd3c2

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Blow

MD5 6e3ae77006b653af3b7acb1fa4fbd4a2
SHA1 a11c0a1bcba10e60ce20e54b01f88974979fe4b6
SHA256 130a1ad302d586e32ed226565b1972d65fff771141a41591c0a8c7d9e6dc7156
SHA512 d54b4becbae6d2fdc5334f9e6268d875b46938936ff474328034388d15821fc54984167b74bc8c61103691101b31c4322741087ed2f5c90446a6de1324c43a32

\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\130825\Privilege.pif

MD5 b06e67f9767e5023892d9698703ad098
SHA1 acc07666f4c1d4461d3e1c263cf6a194a8dd1544
SHA256 8498900e57a490404e7ec4d8159bee29aed5852ae88bd484141780eaadb727bb
SHA512 7972c78acebdd86c57d879c12cb407120155a24a52fda23ddb7d9e181dd59dac1eb74f327817adbc364d37c8dc704f8236f3539b4d3ee5a022814924a1616943

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\130825\d

MD5 5cbe1af51900d5ef5bfcb4fdb4ea1c4a
SHA1 36c2d18e732550e1f4b4f900d03d1e3054596d37
SHA256 f3c24ca299b0c9f88f55566a5f4cf1010ace547e63cecb2462eed471314d8cd5
SHA512 08e3363f4926bd14c3c7423aeeeb1220403372b501e1c709629d7308969adbe3fda58b414bfbc6c0e08461b592eb0018f9a98f6c51867fc5e2b572b709365e08

memory/1196-466-0x00000000035B0000-0x0000000003605000-memory.dmp

memory/1196-467-0x00000000035B0000-0x0000000003605000-memory.dmp

memory/1196-468-0x00000000035B0000-0x0000000003605000-memory.dmp

memory/1196-469-0x00000000035B0000-0x0000000003605000-memory.dmp

memory/1196-470-0x00000000035B0000-0x0000000003605000-memory.dmp