Malware Analysis Report

2024-11-30 05:29

Sample ID 240710-tr7rnaxdmn
Target Trust Launcher.exe
SHA256 e12353f4d5f68aea92424cf34972738128fc010fe4fe3072d7098f9a299ed559
Tags lumma stealer
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral3
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256 e12353f4d5f68aea92424cf34972738128fc010fe4fe3072d7098f9a299ed559

Threat Level: Known bad

The file Trust Launcher.exe was found to be: Known bad.

Malicious Activity Summary

lumma stealer

Lumma Stealer

Downloads MZ/PE file

Checks computer location settings

Executes dropped EXE

Enumerates physical storage devices

Unsigned PE

Program crash

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Delays execution with timeout.exe

Enumerates processes with tasklist

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-07-10 16:18

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-07-10 16:18
Reported 2024-07-10 16:23
Platform win7-20240704-en
Max time kernel 122s
Max time network 128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Trust Launcher.exe"

Signatures

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Trust Launcher.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Trust Launcher.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Trust Launcher.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Trust Launcher.exe

"C:\Users\Admin\AppData\Local\Temp\Trust Launcher.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3032 -s 1336

Network

Country Destination Domain Proto
US 8.8.8.8:53 blastpremierhub.com udp
FR 154.56.33.86:443 blastpremierhub.com tcp

Files


Analysis: behavioral2

Detonation Overview

Submitted 2024-07-10 16:18
Reported 2024-07-10 16:23
Platform win10v2004-20240709-en
Max time kernel 185s
Max time network 281s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Trust Launcher.exe"

Signatures

Lumma Stealer

stealer lumma

Downloads MZ/PE file

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Trust Launcher.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\1hzvr3ew.2i1.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\1hzvr3ew.2i1.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\622814\Stockholm.pif | N/A

Enumerates physical storage devices

Delays execution with timeout.exe

evasion

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A

Enumerates processes with tasklist

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Trust Launcher.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Trust Launcher.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Trust Launcher.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3120 wrote to memory of 1072 | N/A | C:\Users\Admin\AppData\Local\Temp\Trust Launcher.exe | C:\Users\Admin\AppData\Roaming\1hzvr3ew.2i1.exe
PID 3120 wrote to memory of 1072 | N/A | C:\Users\Admin\AppData\Local\Temp\Trust Launcher.exe | C:\Users\Admin\AppData\Roaming\1hzvr3ew.2i1.exe
PID 3120 wrote to memory of 1072 | N/A | C:\Users\Admin\AppData\Local\Temp\Trust Launcher.exe | C:\Users\Admin\AppData\Roaming\1hzvr3ew.2i1.exe
PID 1072 wrote to memory of 3124 | N/A | C:\Users\Admin\AppData\Roaming\1hzvr3ew.2i1.exe | C:\Windows\SysWOW64\cmd.exe
PID 1072 wrote to memory of 3124 | N/A | C:\Users\Admin\AppData\Roaming\1hzvr3ew.2i1.exe | C:\Windows\SysWOW64\cmd.exe
PID 1072 wrote to memory of 3124 | N/A | C:\Users\Admin\AppData\Roaming\1hzvr3ew.2i1.exe | C:\Windows\SysWOW64\cmd.exe
PID 3124 wrote to memory of 2992 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe
PID 3124 wrote to memory of 2992 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe
PID 3124 wrote to memory of 2992 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe
PID 3124 wrote to memory of 1504 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 3124 wrote to memory of 1504 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 3124 wrote to memory of 1504 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 3124 wrote to memory of 3684 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe
PID 3124 wrote to memory of 3684 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe
PID 3124 wrote to memory of 3684 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe
PID 3124 wrote to memory of 4856 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 3124 wrote to memory of 4856 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 3124 wrote to memory of 4856 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 3124 wrote to memory of 2324 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 3124 wrote to memory of 2324 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 3124 wrote to memory of 2324 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 3124 wrote to memory of 1584 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 3124 wrote to memory of 1584 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 3124 wrote to memory of 1584 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 3124 wrote to memory of 1980 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 3124 wrote to memory of 1980 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 3124 wrote to memory of 1980 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 3124 wrote to memory of 764 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\622814\Stockholm.pif
PID 3124 wrote to memory of 764 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\622814\Stockholm.pif
PID 3124 wrote to memory of 764 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\622814\Stockholm.pif
PID 3124 wrote to memory of 3708 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 3124 wrote to memory of 3708 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 3124 wrote to memory of 3708 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Trust Launcher.exe

"C:\Users\Admin\AppData\Local\Temp\Trust Launcher.exe"

C:\Users\Admin\AppData\Roaming\1hzvr3ew.2i1.exe

"C:\Users\Admin\AppData\Roaming\1hzvr3ew.2i1.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k copy Invision Invision.cmd & Invision.cmd & exit

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa.exe opssvc.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 622814

C:\Windows\SysWOW64\findstr.exe

findstr /V "hophierarchychildrensfour" Close

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Figure + Giant + Realm + Weapon 622814\e

C:\Users\Admin\AppData\Local\Temp\622814\Stockholm.pif

622814\Stockholm.pif 622814\e

C:\Windows\SysWOW64\timeout.exe

timeout 5

Network


Files

C:\Users\Admin\AppData\Local\Temp\Invision
C:\Users\Admin\AppData\Local\Temp\Close
C:\Users\Admin\AppData\Local\Temp\Amendment
C:\Users\Admin\AppData\Local\Temp\Aurora
C:\Users\Admin\AppData\Local\Temp\Burns
C:\Users\Admin\AppData\Local\Temp\Talking
C:\Users\Admin\AppData\Local\Temp\Frank
C:\Users\Admin\AppData\Local\Temp\Bronze
C:\Users\Admin\AppData\Local\Temp\Insider
C:\Users\Admin\AppData\Local\Temp\Aside
C:\Users\Admin\AppData\Local\Temp\Pins
C:\Users\Admin\AppData\Local\Temp\Gay
C:\Users\Admin\AppData\Local\Temp\Functioning
C:\Users\Admin\AppData\Local\Temp\Hair
C:\Users\Admin\AppData\Local\Temp\Four
C:\Users\Admin\AppData\Local\Temp\Linear
C:\Users\Admin\AppData\Local\Temp\Hydrogen
C:\Users\Admin\AppData\Local\Temp\Chrome
C:\Users\Admin\AppData\Local\Temp\Completed
C:\Users\Admin\AppData\Local\Temp\Builds
C:\Users\Admin\AppData\Local\Temp\Ga
C:\Users\Admin\AppData\Local\Temp\Please
C:\Users\Admin\AppData\Local\Temp\Academy
C:\Users\Admin\AppData\Local\Temp\Doe
C:\Users\Admin\AppData\Local\Temp\Crack
C:\Users\Admin\AppData\Local\Temp\Issue
C:\Users\Admin\AppData\Local\Temp\Showers
C:\Users\Admin\AppData\Local\Temp\Extras
C:\Users\Admin\AppData\Local\Temp\Realm
C:\Users\Admin\AppData\Local\Temp\Giant
C:\Users\Admin\AppData\Local\Temp\Weapon
C:\Users\Admin\AppData\Local\Temp\Figure
C:\Users\Admin\AppData\Local\Temp\622814\Stockholm.pif
C:\Users\Admin\AppData\Local\Temp\622814\e

Analysis: behavioral3

Detonation Overview

Submitted 2024-07-10 16:18
Reported 2024-07-10 16:23
Platform win11-20240709-en
Max time kernel 246s
Max time network 195s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Trust Launcher.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\50cffk0o.mvv.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\622814\Stockholm.pif | N/A

Enumerates physical storage devices

Delays execution with timeout.exe

evasion

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A

Enumerates processes with tasklist

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Trust Launcher.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Trust Launcher.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Trust Launcher.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 5112 wrote to memory of 1656 | N/A | C:\Users\Admin\AppData\Local\Temp\Trust Launcher.exe | C:\Users\Admin\AppData\Roaming\50cffk0o.mvv.exe
PID 5112 wrote to memory of 1656 | N/A | C:\Users\Admin\AppData\Local\Temp\Trust Launcher.exe | C:\Users\Admin\AppData\Roaming\50cffk0o.mvv.exe
PID 5112 wrote to memory of 1656 | N/A | C:\Users\Admin\AppData\Local\Temp\Trust Launcher.exe | C:\Users\Admin\AppData\Roaming\50cffk0o.mvv.exe
PID 1656 wrote to memory of 1884 | N/A | C:\Users\Admin\AppData\Roaming\50cffk0o.mvv.exe | C:\Windows\SysWOW64\cmd.exe
PID 1656 wrote to memory of 1884 | N/A | C:\Users\Admin\AppData\Roaming\50cffk0o.mvv.exe | C:\Windows\SysWOW64\cmd.exe
PID 1656 wrote to memory of 1884 | N/A | C:\Users\Admin\AppData\Roaming\50cffk0o.mvv.exe | C:\Windows\SysWOW64\cmd.exe
PID 1884 wrote to memory of 1404 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe
PID 1884 wrote to memory of 1404 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe
PID 1884 wrote to memory of 1404 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe
PID 1884 wrote to memory of 2764 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 1884 wrote to memory of 2764 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 1884 wrote to memory of 2764 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 1884 wrote to memory of 1252 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe
PID 1884 wrote to memory of 1252 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe
PID 1884 wrote to memory of 1252 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe
PID 1884 wrote to memory of 4104 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 1884 wrote to memory of 4104 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 1884 wrote to memory of 4104 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 1884 wrote to memory of 1824 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 1884 wrote to memory of 1824 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 1884 wrote to memory of 1824 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 1884 wrote to memory of 2980 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 1884 wrote to memory of 2980 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 1884 wrote to memory of 2980 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 1884 wrote to memory of 4816 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 1884 wrote to memory of 4816 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 1884 wrote to memory of 4816 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 1884 wrote to memory of 1428 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\622814\Stockholm.pif
PID 1884 wrote to memory of 1428 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\622814\Stockholm.pif
PID 1884 wrote to memory of 1428 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\622814\Stockholm.pif
PID 1884 wrote to memory of 4800 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 1884 wrote to memory of 4800 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 1884 wrote to memory of 4800 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Trust Launcher.exe

"C:\Users\Admin\AppData\Local\Temp\Trust Launcher.exe"

C:\Users\Admin\AppData\Roaming\50cffk0o.mvv.exe

"C:\Users\Admin\AppData\Roaming\50cffk0o.mvv.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k copy Invision Invision.cmd & Invision.cmd & exit

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa.exe opssvc.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 622814

C:\Windows\SysWOW64\findstr.exe

findstr /V "hophierarchychildrensfour" Close

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Figure + Giant + Realm + Weapon 622814\e

C:\Users\Admin\AppData\Local\Temp\622814\Stockholm.pif

622814\Stockholm.pif 622814\e

C:\Windows\SysWOW64\timeout.exe

timeout 5

Network


Files

C:\Users\Admin\AppData\Local\Temp\Invision
C:\Users\Admin\AppData\Local\Temp\Close
C:\Users\Admin\AppData\Local\Temp\Amendment
C:\Users\Admin\AppData\Local\Temp\Aurora
C:\Users\Admin\AppData\Local\Temp\Burns
C:\Users\Admin\AppData\Local\Temp\Talking
C:\Users\Admin\AppData\Local\Temp\Frank
C:\Users\Admin\AppData\Local\Temp\Bronze
C:\Users\Admin\AppData\Local\Temp\Insider
C:\Users\Admin\AppData\Local\Temp\Aside
SHA256 f835f0e90904f9753cf9082a6fa99fe4a91f06046bfd24dc7d26004248a43cd6
SHA512 6f732bc206b9a8ba2f57fd562f29481ac57966a1fc5df4ae6081da85db305de9b08f05aacff10145c4fb55513963035a3ac95ae57fee83e15a896ac43ff90b43

C:\Users\Admin\AppData\Local\Temp\Pins

MD5 739f8cde6bc9fd4301625c8617abecfe
SHA1 03bbf91e7a80355ed2a50e2dec6f222f83e822ff
SHA256 7ef482eea81ba12c367cd2ee1879fba072dc17a1b05be7b5533b886f23b8e7bb
SHA512 d303155dc840fa7f81a2555819e5a94ed2b911ad85a0732564fe060a83252f1eda50049c5bcfb85c4040aad2339e2a1622b1629f09ab4ae0e958c1c34d83ecd0

C:\Users\Admin\AppData\Local\Temp\Gay

MD5 e473cb4d32454de289570e72449b46cd
SHA1 b887710f9baebf5ba07a9bfcd620a7f2f12bbb34
SHA256 29ad8606520a87efbf25527cd0d22b92963d65fef45dace7c78fa09714ac0195
SHA512 e45125ea88cdb30af17761688fbc986f6d78441b27e80d184fd946e8c5dae87203d943977bfc077a974cae026f121c881efade3863c2e018b14b908df8b3fbfe

C:\Users\Admin\AppData\Local\Temp\Functioning

MD5 8e9f571afaaaa2312f5e902a8194a335
SHA1 0e514ab6750b6f4c00e5b828f57b68e4eb41e4f6
SHA256 d7d36c1fd43de3c93869f2015e29386a234faea9f9c3e2aa18d240834e36a723
SHA512 bf3be6b891b4b5039439ef6db81dd80f675dc834d05d45cd8f7bee3d2818baa59639289350abbd519451789b8864e5790b99cdd8602240a46098a9409bf2250f

C:\Users\Admin\AppData\Local\Temp\Hair

MD5 4c20543e6137dd6bb2189482b02ca073
SHA1 4fbe6d8305c4b28e44330d5ad3b15f94d487d79f
SHA256 217ada2347aab3bc1cab4efb945371e8102ea11be07248ec34c9d709e971d535
SHA512 3850126336deb39a22bc05d970b9129f0a485f06fb0a6db29617d9dfc497a9d2cd06f1509be30e532c4fa1e3bb0ae7230a03353ede2b059dd71ab40674085cdd

C:\Users\Admin\AppData\Local\Temp\Four

MD5 14cbdbd43de0b6d63c087119f4fdd80d
SHA1 e1ed33a79e9be261d5c68812d36e7c3860508403
SHA256 7102938b273ea82d8db39b5ff476c56793677ce175cffe72ab250bab3db97804
SHA512 05c5da429afa87bec26817e011391a54ff133aca29d0506af14c97a22861595c6af2e3d5f607124f2392b78af812a5cef92e7ed9f438aaf9215d264dcb5542c4

C:\Users\Admin\AppData\Local\Temp\Linear

MD5 347ea445947fce26069d1416df1231d9
SHA1 75bf8c7828a35b894519eb64593b9af4d05a7f24
SHA256 0ff46454fcd0acb98a0a65f44a7b9104d3f4f9bcf813dd669e0f4e95dd5a5de4
SHA512 3df4dc4d5bbe1fff0527443502458f1dccbee250a9a4e48df7b81d34b94da5f4f9436420bdb88bad8321d131aec759e8f92fc6af436659275aa6567d8ccd30da

C:\Users\Admin\AppData\Local\Temp\Hydrogen

MD5 25555d9adbfe77a93e02ed0aea4b70ac
SHA1 b6136ab724b57bb0ce3aefa49cc742ae34d694f5
SHA256 cbd0eabd3f26ca1ce25a3385a6b75b3fb49ed04ce6bbf63749e3229ddb527c2e
SHA512 685f62f68462f1225bc6b6cc434ac8ab85ce3e3a47eea24415b1f505098394381eca6b8a3f19138e27364bc693bdcb2f9c53090aa8bf4acea7be4539dfcb7903

C:\Users\Admin\AppData\Local\Temp\Chrome

MD5 0cd67281cc0f3992643872064ae936a9
SHA1 440d9eb5accd108e6972c7ba08071a4a75da17f7
SHA256 2bf63cdffa011a72134b8a0e7e0e152f53d8546bd768c96f422a525cd83ecf22
SHA512 98a5f9834245d89f05aef2077a5306bfda4c44aed16b8a116b1295bbfc248d1a9d9e06bd0db7e0fcab81dac9b4483c5728f7adc9bf608850b74b89a06c2dea92

C:\Users\Admin\AppData\Local\Temp\Completed

MD5 2974a3776121de0ff4af26b3a61f2404
SHA1 dcb283d4818bb93817f46073ad1134859aaf675e
SHA256 9f50b41bb9e5ba70cc52504397108fd09ea615f81648c53f5b639ee65b3aeaa7
SHA512 cfe74b89ea5e77aa4d1cd12420490e656e9790d6a741b479605e1d66ea0a82a8b9203277b9c71bfbe1599d7a33390084bb6e0fc59f5ce390bd32d1ad46b949da

C:\Users\Admin\AppData\Local\Temp\Builds

MD5 4dde4b052ded57bb35720230c2a1bfd3
SHA1 b963d77130b85c8a822a3760fc91ff826927691f
SHA256 30f1a95b9680f38d85b62710d4c7a5bdf9fb440bd82574ede85b93cc54f8e8af
SHA512 2350d5774297da327ae290b041a44d91cfdd79626a51ee4d461b85cf1046b9e348eb05e38930ac37818039570b7cfa88e0ac971be009c0e0116d66825bc14a12

C:\Users\Admin\AppData\Local\Temp\Ga

MD5 fc5b5c4895f21b3f1d53ab1ceb41b053
SHA1 927c30832191ff5b2ab98521f8ec42bcec2a5ad1
SHA256 7f37cc5de00dd606cd81cb98bc57ff42df2428cdcefcb6ff8f02cb6791a4b604
SHA512 786656a7e582395d649b58ad4b48a4782d378f279493a017b1161638f892c9abef8d6812af82a630e60d396a116fd061ac80e860e34d63f669d7da4725d7fcb1

C:\Users\Admin\AppData\Local\Temp\Issue

MD5 1e7217ae13ed72520376be8165ded9f2
SHA1 36bfef64fb0210ddac354fd6f9f46e9fd8aa73cd
SHA256 2aaf0e8af02c0bfe0c667cedcd37ca01adc56cd7591f3a8f0d4ffb79a35033ba
SHA512 e2d10df193367f9c088808a345b845cb92edd18fe276ae45955aaed6e3fbc2982f129d340f9e5f05f3823f400bd036f0aa7353d3349ade1a1bb09d8a96ebde7e

C:\Users\Admin\AppData\Local\Temp\Please

MD5 6b528946c33427972a15d8eabfab0686
SHA1 c1c877784d64b434de8fed5bc948536bd6311f19
SHA256 1256b7d69423a99ba7abbf92402ba1fd8ad4e58cb80bbc299bc48286d032cfd1
SHA512 2f1c2c5e8f8a94c023904e5f51d8c10111cec3c59fcf5dfd496e7cb8610eb412516d71405f0745961c8c101bf791ed980cdf1d5215a710b1ab738e436f6fe164

C:\Users\Admin\AppData\Local\Temp\Showers

MD5 962acba697097e36e2c65cd88226b703
SHA1 f5a1e30490704344d85c3e90c5ee612595874be5
SHA256 b5888f7da8149b258908a7b48d04f5f020a57622387fc4dfefc845e3ecf59e5a
SHA512 be764a1a73da6df738dc7b00fbfe86ad4ad0a8ec77f5582e0e81f203dc8b5e01b73cda7834d0c23f1d722ba256f2857ecb4e263fb8262ccdf8a00080f8dcbe1d

C:\Users\Admin\AppData\Local\Temp\Crack

MD5 ec57171d25cb585020d8cacddec8d0e7
SHA1 c4c31f8737cf02466e4c8ab36bf112f5ffc501f0
SHA256 f01c60c8a2e6ed32e58f5ccc2af697a9f7474074529adcd0f2ce2620db9c08f4
SHA512 b20c7f6edc5980c06534a8ea08a0077ab41ce07f91e8b4cb9858f8b032809a867bcf402ed77e917b54665c2712334be6af33fc1467fbe097bbfcf4b406120fbc

C:\Users\Admin\AppData\Local\Temp\Doe

MD5 95eda64bc162b005b8868c77107b844c
SHA1 1dde05abd0e55bfabd55d2ad5720dba15003dcea
SHA256 0d1dda9cc11bcfad0877b168726e95c69aee15ecf32029bd32bf37df19b29666
SHA512 2e18168865520ed59fc8467b7099cb24f5b41b7a557f4e938f02018bba12095e5048bc36e07738d723c58091fe4ae6aa3121bb0409831bb78639f41f186c7e1d

C:\Users\Admin\AppData\Local\Temp\Extras

MD5 ca4270d699eb0ddaf60f97c8931bfc37
SHA1 5052bb712499b3f93ebb88b36ae07071489117c2
SHA256 2586c6793bf69b70fb7dc6e3c1c3dcb1392d18dd27fc757c52459de6d2b2ec25
SHA512 b7ccdd38b9a4e85d420d114ef0d0c588da1cd9988ac0f6645cbca9e7ffeef80b63f0d9eaba5f77f2a2113f2c1dac7b2ed00bb3dfc3b7ddfe14fe4d6ab5a8678e

C:\Users\Admin\AppData\Local\Temp\Academy

MD5 616f8d3eb30081aa0206a7a65fff97cf
SHA1 c25f90bb63dc1f2078a953cf35dd46e0ceff68da
SHA256 11b40328101cf6cac85f825d8800e98a7c472f0dad428fb584c7379d663da9a1
SHA512 734ac4907825a83cc51c1501b5d024d5c2e41a4c0f9feda23732a0d38f5fd12e8e266d8e83462425f06e54bab359b1175f67987286b8dec41bc76176042cba52

C:\Users\Admin\AppData\Local\Temp\Figure

MD5 e4fee1c5de030b78acbfcf715ae5ad55
SHA1 217654be1469e0a54a663742115f0ecf8d31053d
SHA256 4bf3c79babba096fb1f6190857da49310f51a3b743aac3e64c14c995e90b3807
SHA512 e97e48f4f01f44ecfbe23150d72583850fb675bb2a936022c7efc69c88451cc4d42742a59c074f97f999c942d90557fdebde0e82625b34e9fbd81da8a332b36d

C:\Users\Admin\AppData\Local\Temp\Giant

MD5 5a95cd6ebb447b6d1458e19d54a1bea9
SHA1 0c6b6436d1033e97fb469279f39b877a47f3e74b
SHA256 b94db5888d3655d56369ec0fad7f767d3e35ecd7d115544dd520786403cf8cc5
SHA512 040832ac89d1f540ab50c7042d3df3a20ac4d95f8db770b4de3c156d19ff42736687160d4d7ffca9df5cd31a5fec442b4a92f1fffd36d7ca8ac691581a2bff51

C:\Users\Admin\AppData\Local\Temp\Realm

MD5 3c410e0b87de4c6d20454567bdf3188c
SHA1 d18d0cce032454672c7e241648b981764c9689c3
SHA256 b9a2616461913d1198b81bdf59bc032fb8a0dc64cd1065a3f923dfeb51fef6d8
SHA512 a1c4d2a9c9062f83c4f02aebb88a89685ad06de099a4636d7a244f289e397da9604ebd8c4c0e1eee86138d88d188168c3dd4174e94259c58bd524999527c9879

C:\Users\Admin\AppData\Local\Temp\Weapon

MD5 a016f2931a9c72aef52e32f77ea02c5d
SHA1 f2ab1dc6f41f655f191a6893913970f0a2e153fa
SHA256 d2bb028bd1d52358dcacea6d6ce33d8c9361342b64167fc1d89676471520bf29
SHA512 1985772d2cff33887ec89852de4bca48a38ccb9a3aada653ffb4edc4c9b90fe7d0963b606806759e200424b4b642bb4982c6e007d6bd4dcb40b973ee5abf86fe

C:\Users\Admin\AppData\Local\Temp\622814\Stockholm.pif

MD5 b06e67f9767e5023892d9698703ad098
SHA1 acc07666f4c1d4461d3e1c263cf6a194a8dd1544
SHA256 8498900e57a490404e7ec4d8159bee29aed5852ae88bd484141780eaadb727bb
SHA512 7972c78acebdd86c57d879c12cb407120155a24a52fda23ddb7d9e181dd59dac1eb74f327817adbc364d37c8dc704f8236f3539b4d3ee5a022814924a1616943

C:\Users\Admin\AppData\Local\Temp\622814\e

MD5 65ac9eade3494b6424b2d31ba75be325
SHA1 767e2fd28c8363fc4775aa1dea99200f390adf13
SHA256 3104004ba01526e82382f0fbbb4eb659e36d074a8caab787b84bc1f92a0316a2
SHA512 76273e30f2da05791506c7758c4b4a29f5a4410428ec4ad0c3d7fd888bbcc106a73c40945fc16e814a2114ae56baff1e39c0d01102cca97b33ab05d46626f5c9

memory/1428-434-0x00000000008A0000-0x00000000008EF000-memory.dmp

memory/1428-435-0x00000000008A0000-0x00000000008EF000-memory.dmp

memory/1428-436-0x00000000008A0000-0x00000000008EF000-memory.dmp

memory/1428-437-0x00000000008A0000-0x00000000008EF000-memory.dmp

memory/1428-438-0x00000000008A0000-0x00000000008EF000-memory.dmp
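The listing above is the raw material an incident responder takes from a report like this: a set of dropped files in the sandbox user's `%TEMP%` (most of them extensionless, plus a `.pif` in a numbered subdirectory), each with four digests, and memory dumps whose names encode the owning PID, a sequence number and the dumped address range. The following is an added example, not part of the sandbox report and not vendor tooling, showing how to turn that flattened text into records and use the SHA256 values as an IOC set for a content-hash sweep of a directory. `REPORT_EXCERPT` is a constructed excerpt copied from the entries on this page; the scanned directory and the "planted" IOC in `demo_scan()` are constructed so the script runs offline and exercises the hit path. Sandbox paths are not used for matching, since they only describe the analysis VM; the match key is the SHA256 of file content.

```python
"""Parse a sandbox report's 'Files' section into dropped-file and memory-dump
records and use the dropped-file SHA256 values as an IOC set for a hash sweep.

Added example, not part of the sandbox report or of any vendor tooling.
REPORT_EXCERPT is a constructed excerpt of this page's entries; the scanned
directory and the planted IOC in demo_scan() are constructed for the demo.
"""
import hashlib
import re
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

# Constructed excerpt: two dropped files and two memory dumps copied from the report.
REPORT_EXCERPT = r"""
memory/5112-1-0x0000000000150000-0x00000000005CA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Invision

MD5 dcd6244f36dbb6cb09977c90c3f08e20
SHA1 5989ff1e3ab91157e3cd8b9baa8256bae1255c42
SHA256 413373ebd5dc4adb95caa56c4f923f9b213357038a23fce617894cbbc7d4bb37
SHA512 9bebba4f6d47956643f335fd4ba308089af5219bf20ddbd8b53ab5bd4050cf81b3054ff53c93d4490c7fbbd1b42abceba2388f019376c46a8add5773c5315b41

C:\Users\Admin\AppData\Local\Temp\622814\Stockholm.pif

MD5 b06e67f9767e5023892d9698703ad098
SHA1 acc07666f4c1d4461d3e1c263cf6a194a8dd1544
SHA256 8498900e57a490404e7ec4d8159bee29aed5852ae88bd484141780eaadb727bb
SHA512 7972c78acebdd86c57d879c12cb407120155a24a52fda23ddb7d9e181dd59dac1eb74f327817adbc364d37c8dc704f8236f3539b4d3ee5a022814924a1616943

memory/1428-434-0x00000000008A0000-0x00000000008EF000-memory.dmp
"""

HASH_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
# memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp
DUMP_NAME = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


@dataclass
class DroppedFile:
    path: str                                   # path as written on the sandbox VM
    hashes: dict = field(default_factory=dict)  # algorithm -> lowercase hex digest


@dataclass
class MemoryRegion:
    pid: int
    index: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_files_section(text: str):
    """Return (dropped_files, memory_regions) from the flattened listing.

    A dropped-file record is a path line followed by one 'ALGO digest' line per
    hash; a memory dump is one memory/...-memory.dmp line. Digest lengths are
    checked so a truncated hash cannot silently become an IOC.
    """
    files, regions, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := DUMP_NAME.match(line)):
            regions.append(MemoryRegion(int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)))
            current = None
            continue
        if (h := HASH_LINE.match(line)) and current is not None:
            algo, digest = h[1], h[2].lower()
            if len(digest) != HASH_LENGTHS[algo]:
                raise ValueError(f"{algo} digest has wrong length for {current.path}")
            current.hashes[algo] = digest
            continue
        current = DroppedFile(path=line)  # any other non-empty line starts a new record
        files.append(current)
    return files, regions


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_directory(root: Path, iocs) -> list:
    """Hash every file under root; return (local file name, matched report path) pairs.
    SHA256 is the only match key; MD5/SHA1 stay in the records for cross-referencing."""
    wanted = {f.hashes["SHA256"]: f.path for f in iocs if "SHA256" in f.hashes}
    hits = []
    for p in sorted(root.rglob("*")):
        if p.is_file():
            digest = sha256_file(p)
            if digest in wanted:
                hits.append((p.name, wanted[digest]))
    return hits


def demo_scan() -> list:
    """Sweep a constructed directory: one benign file and one 'planted' file whose
    hash is appended as a constructed IOC, so the hit path is exercised offline."""
    iocs, _ = parse_files_section(REPORT_EXCERPT)
    planted = b"constructed sample bytes, not the real dropped file"
    iocs.append(DroppedFile("constructed-planted-sample",
                            {"SHA256": hashlib.sha256(planted).hexdigest()}))
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "benign.txt").write_bytes(b"nothing to see here")
        (root / "622814").mkdir()
        (root / "622814" / "Stockholm.pif").write_bytes(planted)
        return scan_directory(root, iocs)


if __name__ == "__main__":
    for r in parse_files_section(REPORT_EXCERPT)[1]:
        print(f"pid {r.pid} dump {r.index}: 0x{r.start:X}-0x{r.end:X} ({r.size} bytes)")
    for hit in demo_scan():
        print("HIT", hit)
```

Two practical notes: the region size derived from the dump name (for example 0x47A000 bytes for the PID 5112 dump starting at 0x150000) is what tells you whether a dump is a small region or the whole mapped image, which matters when deciding which dumps to carve for unpacked payloads; and a sweep keyed on SHA256 will only find byte-identical drops, so a repacked build of the same loader will not match and still needs a behavioural or YARA check.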