Malware Analysis Report

2024-11-30 05:11

Sample ID 240520-bq6tvsde2z
Target Ex3cutor Launcher.exe
SHA256 5d4a1d9250a57c5f889ee37a8262bd850bf7ac50e7bc82588b22d2ea3ac36166
Tags
lumma stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5d4a1d9250a57c5f889ee37a8262bd850bf7ac50e7bc82588b22d2ea3ac36166

Threat Level: Known bad

The file Ex3cutor Launcher.exe was found to be: Known bad.

Malicious Activity Summary

lumma stealer

Lumma Stealer

Checks computer location settings

Executes dropped EXE

Enumerates physical storage devices

Runs ping.exe

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates processes with tasklist

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-20 01:22

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-20 01:21

Reported

2024-05-20 01:24

Platform

win10v2004-20240508-es

Max time kernel

110s

Max time network

117s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Ex3cutor Launcher.exe"

Signatures

Lumma Stealer

stealer lumma

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Ex3cutor Launcher.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\24605\Privilege.pif N/A

Enumerates physical storage devices

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2944 wrote to memory of 4856 N/A C:\Users\Admin\AppData\Local\Temp\Ex3cutor Launcher.exe C:\Windows\SysWOW64\cmd.exe
PID 4856 wrote to memory of 3212 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 4856 wrote to memory of 3924 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4856 wrote to memory of 2996 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 4856 wrote to memory of 1452 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4856 wrote to memory of 3980 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4856 wrote to memory of 1648 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4856 wrote to memory of 2192 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4856 wrote to memory of 2644 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\24605\Privilege.pif
PID 4856 wrote to memory of 2592 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\Ex3cutor Launcher.exe

"C:\Users\Admin\AppData\Local\Temp\Ex3cutor Launcher.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k copy Metro Metro.cmd & Metro.cmd & exit

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa.exe opssvc.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 24605

C:\Windows\SysWOW64\findstr.exe

findstr /V "InfectionIgnoreAssociateWearing" Rome

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Sigma + Eos + Brands + Blow 24605\d

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\24605\Privilege.pif

24605\Privilege.pif 24605\d

C:\Windows\SysWOW64\PING.EXE

ping -n 5 127.0.0.1

Network


Files
