Malware Analysis Report

2024-11-30 05:27

Sample ID 240710-yhq5rsygpd
Target ##!!SetUp_2244_Pa$sW0rd$$!!.zip
SHA256 98c5e35d44da52d963e466216156cec0f62832fb03e3d27ac4bfa63b567639c5
Tags
lumma stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

98c5e35d44da52d963e466216156cec0f62832fb03e3d27ac4bfa63b567639c5

Threat Level: Known bad

The file ##!!SetUp_2244_Pa$sW0rd$$!!.zip was found to be: Known bad.

Malicious Activity Summary

lumma stealer

Lumma Stealer

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-10 19:47

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-07-10 19:47

Reported

2024-07-10 19:53

Platform

win11-20240709-en

Max time kernel

91s

Max time network

203s

Command Line

"C:\Users\Admin\AppData\Local\Temp\##!!SetUp_2244_Pa$sW0rd$$!!\Setup.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\iTopDataRecovery.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SGP\iTopDataRecovery.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\iTopDataRecovery.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iTopDataRecovery.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iTopDataRecovery.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iTopDataRecovery.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iTopDataRecovery.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iTopDataRecovery.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iTopDataRecovery.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iTopDataRecovery.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iTopDataRecovery.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iTopDataRecovery.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iTopDataRecovery.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iTopDataRecovery.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iTopDataRecovery.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SGP\iTopDataRecovery.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SGP\iTopDataRecovery.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SGP\iTopDataRecovery.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SGP\iTopDataRecovery.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SGP\iTopDataRecovery.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SGP\iTopDataRecovery.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SGP\iTopDataRecovery.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SGP\iTopDataRecovery.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SGP\iTopDataRecovery.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2176 set thread context of 1448 N/A C:\Users\Admin\AppData\Roaming\SGP\iTopDataRecovery.exe C:\Windows\SysWOW64\more.com

Enumerates physical storage devices

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\SGP\iTopDataRecovery.exe N/A
N/A N/A C:\Windows\SysWOW64\more.com N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 492 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\##!!SetUp_2244_Pa$sW0rd$$!!\Setup.exe C:\Users\Admin\AppData\Local\Temp\iTopDataRecovery.exe
PID 492 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\##!!SetUp_2244_Pa$sW0rd$$!!\Setup.exe C:\Users\Admin\AppData\Local\Temp\iTopDataRecovery.exe
PID 492 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\##!!SetUp_2244_Pa$sW0rd$$!!\Setup.exe C:\Users\Admin\AppData\Local\Temp\iTopDataRecovery.exe
PID 2460 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\iTopDataRecovery.exe C:\Users\Admin\AppData\Roaming\SGP\iTopDataRecovery.exe
PID 2460 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\iTopDataRecovery.exe C:\Users\Admin\AppData\Roaming\SGP\iTopDataRecovery.exe
PID 2460 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\iTopDataRecovery.exe C:\Users\Admin\AppData\Roaming\SGP\iTopDataRecovery.exe
PID 2176 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Roaming\SGP\iTopDataRecovery.exe C:\Windows\SysWOW64\more.com
PID 2176 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Roaming\SGP\iTopDataRecovery.exe C:\Windows\SysWOW64\more.com
PID 2176 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Roaming\SGP\iTopDataRecovery.exe C:\Windows\SysWOW64\more.com
PID 2176 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Roaming\SGP\iTopDataRecovery.exe C:\Windows\SysWOW64\more.com
PID 1448 wrote to memory of 4976 N/A C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\SearchIndexer.exe
PID 1448 wrote to memory of 4976 N/A C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\SearchIndexer.exe
PID 1448 wrote to memory of 4976 N/A C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\SearchIndexer.exe
PID 1448 wrote to memory of 4976 N/A C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\SearchIndexer.exe
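The SetThreadContext and WriteProcessMemory tables above are two views of one event chain: Setup.exe writes into the dropped iTopDataRecovery.exe, that copy writes into its own relaunch from Roaming\SGP, the Roaming copy writes into a freshly started more.com and then resets its thread context, and that more.com in turn writes into SearchIndexer.exe. The script below is an added example, not part of the sandbox report: it parses the behavioral3 rows verbatim, walks the write edges from the dropper PID to recover the order of hops, flags the pair that received both WriteProcessMemory and SetThreadContext from a non-Windows image into a Windows binary (the process-hollowing shape), and separately flags any Windows binary that itself writes into another process. The system-directory list and the mapping from the report's wording to API names are the example's own assumptions.

```python
import re
from collections import Counter, defaultdict

# Rows copied verbatim from the behavioral3 (win11) SetThreadContext and
# WriteProcessMemory tables. The sandbox emits one row per observed API call,
# so the repeated lines are real and are counted below.
SIGNATURE_ROWS = r"""
PID 2176 set thread context of 1448 N/A C:\Users\Admin\AppData\Roaming\SGP\iTopDataRecovery.exe C:\Windows\SysWOW64\more.com
PID 492 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\##!!SetUp_2244_Pa$sW0rd$$!!\Setup.exe C:\Users\Admin\AppData\Local\Temp\iTopDataRecovery.exe
PID 492 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\##!!SetUp_2244_Pa$sW0rd$$!!\Setup.exe C:\Users\Admin\AppData\Local\Temp\iTopDataRecovery.exe
PID 492 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\##!!SetUp_2244_Pa$sW0rd$$!!\Setup.exe C:\Users\Admin\AppData\Local\Temp\iTopDataRecovery.exe
PID 2460 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\iTopDataRecovery.exe C:\Users\Admin\AppData\Roaming\SGP\iTopDataRecovery.exe
PID 2460 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\iTopDataRecovery.exe C:\Users\Admin\AppData\Roaming\SGP\iTopDataRecovery.exe
PID 2460 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\iTopDataRecovery.exe C:\Users\Admin\AppData\Roaming\SGP\iTopDataRecovery.exe
PID 2176 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Roaming\SGP\iTopDataRecovery.exe C:\Windows\SysWOW64\more.com
PID 2176 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Roaming\SGP\iTopDataRecovery.exe C:\Windows\SysWOW64\more.com
PID 2176 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Roaming\SGP\iTopDataRecovery.exe C:\Windows\SysWOW64\more.com
PID 2176 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Roaming\SGP\iTopDataRecovery.exe C:\Windows\SysWOW64\more.com
PID 1448 wrote to memory of 4976 N/A C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\SearchIndexer.exe
PID 1448 wrote to memory of 4976 N/A C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\SearchIndexer.exe
PID 1448 wrote to memory of 4976 N/A C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\SearchIndexer.exe
PID 1448 wrote to memory of 4976 N/A C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\SearchIndexer.exe
"""

# Image paths in this report contain no spaces, so \S+ is enough for them.
ROW_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<api>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) N/A (?P<src_img>\S+) (?P<dst_img>\S+)$"
)
# Assumption: how the sandbox words each API in its "Description" column.
API_NAME = {"wrote to memory of": "WriteProcessMemory",
            "set thread context of": "SetThreadContext"}
# Assumption: anything under these directories is a Microsoft-shipped Windows binary.
SYSTEM_DIRS = ("c:\\windows\\syswow64\\", "c:\\windows\\system32\\")


def parse_rows(text):
    """Turn the report rows into (src_pid, dst_pid, api, src_image, dst_image) edges."""
    edges = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        edges.append((int(m["src"]), int(m["dst"]), API_NAME[m["api"]],
                      m["src_img"], m["dst_img"]))
    return edges


def is_system_image(path):
    return path.lower().startswith(SYSTEM_DIRS)


def injection_chain(edges, root_pid):
    """Breadth-first walk over 'who wrote into whom', starting at the dropper PID."""
    children = defaultdict(set)
    for src, dst, *_ in edges:
        children[src].add(dst)
    chain, frontier = [root_pid], [root_pid]
    while frontier:
        nxt = []
        for pid in frontier:
            for child in sorted(children[pid]):
                if child not in chain and child not in nxt:
                    nxt.append(child)
        chain.extend(nxt)
        frontier = nxt
    return chain


def hollowing_candidates(edges):
    """(src, dst, src_img, dst_img) pairs that received BOTH WriteProcessMemory and
    SetThreadContext from the same source, with a non-Windows image targeting a
    Windows binary: the shape of process hollowing, where a suspended host's
    thread context is redirected into the payload that was just written."""
    apis, images = defaultdict(set), {}
    for src, dst, api, src_img, dst_img in edges:
        apis[(src, dst)].add(api)
        images[(src, dst)] = (src_img, dst_img)
    return sorted(
        (src, dst, *images[(src, dst)])
        for (src, dst), seen in apis.items()
        if {"WriteProcessMemory", "SetThreadContext"} <= seen
        and not is_system_image(images[(src, dst)][0])
        and is_system_image(images[(src, dst)][1])
    )


def system_image_writers(edges):
    """WriteProcessMemory calls whose SOURCE is a Windows binary. more.com has no
    reason to write into another process, so this exposes the hollowed host's next
    hop even though the report records no SetThreadContext row for it."""
    return sorted({(s, d, si, di) for s, d, api, si, di in edges
                   if api == "WriteProcessMemory" and is_system_image(si)})


def write_counts(edges):
    """How many WriteProcessMemory calls each (src, dst) pair received."""
    return Counter((s, d) for s, d, api, *_ in edges if api == "WriteProcessMemory")
```

Run against the win7 or win10 rows the same way; only the PIDs change, the chain and the single hollowing pair come out identical, which is what makes the more.com and SearchIndexer.exe hop a reusable detection rather than a one-off.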

Processes

C:\Users\Admin\AppData\Local\Temp\##!!SetUp_2244_Pa$sW0rd$$!!\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\##!!SetUp_2244_Pa$sW0rd$$!!\Setup.exe"

C:\Users\Admin\AppData\Local\Temp\iTopDataRecovery.exe

"C:\Users\Admin\AppData\Local\Temp\iTopDataRecovery.exe"

C:\Users\Admin\AppData\Roaming\SGP\iTopDataRecovery.exe

C:\Users\Admin\AppData\Roaming\SGP\iTopDataRecovery.exe

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\SearchIndexer.exe

C:\Windows\SysWOW64\SearchIndexer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 bittercoldzzdwu.shop udp
US 104.21.25.179:443 bittercoldzzdwu.shop tcp
US 172.67.214.52:443 bouncedgowp.shop tcp
US 172.67.146.61:443 bannngwko.shop tcp
US 104.21.47.93:443 bargainnykwo.shop tcp
US 8.8.8.8:53 179.25.21.104.in-addr.arpa udp
US 8.8.8.8:53 52.214.67.172.in-addr.arpa udp
US 172.67.135.137:443 affecthorsedpo.shop tcp
US 104.21.68.158:443 radiationnopp.shop tcp
US 104.21.44.192:443 answerrsdo.shop tcp
US 8.8.8.8:53 137.135.67.172.in-addr.arpa udp
US 104.21.25.154:443 publicitttyps.shop tcp
US 104.21.81.128:443 benchillppwo.shop tcp
FR 104.85.26.126:443 steamcommunity.com tcp
US 172.67.214.98:443 reinforcedirectorywd.shop tcp

Files

C:\Users\Admin\AppData\Local\Temp\iTopDataRecovery.exe

MD5 95387cc85dacad60b3e10665b43602e6
SHA1 d9aafd45fe3ad10d28716d6289fe76b4fdce1869
SHA256 3c317dbab70d3ab4fce944c92532d111f69fd71dca5c7f7c7b8d57e657f26a1a
SHA512 82cb0983739a76d15beacbc50f1bf7fa5cca1650b18444c204a3e6a6656aaba5ac94341fa394aaad78b3ff2d51f17c6623f0a882692881d6506af5dae544a02b

C:\Users\Admin\AppData\Local\Temp\madExcept_.bpl

MD5 21068dfd733435c866312d35b9432733
SHA1 3d5336c676d3dd94500d0d2fe853b9de457f10fd
SHA256 835f1141ece59c36b18e76927572d229136aeb12eff44cb4ba98d7808257c299
SHA512 54664a9e60e5a0b148fc4684125b7eac9cfc57d0bc5838204ed587d62e44c3347c0bae3192d5c375b6a74335b4fed4fc53248ba542c59022e9761872e09e3ee7

C:\Users\Admin\AppData\Local\Temp\pdf2bmp.dll

MD5 f65c3b116281fd23e5748ad73e9501cf
SHA1 ebda8a741833c4fcbfcb72591a7c173d69a01ebd
SHA256 eb48e0e36be7b0a89a0b8cc129a3b004a8525e5f60445e5ca48a7810d9d93725
SHA512 78ec4ade61c6abf87283d5858ffe119e10d119bcaa2c678d20cb7d45bb1d244a9aaf70b50ab365509b615e7323081292bae156d665a471990863c83a8b233cbc

C:\Users\Admin\AppData\Local\Temp\pdfium.dll

MD5 65a63bd3e6c4ce54299bf494582304f3
SHA1 e6f63f69388dd5a3cda90403711b78fe5c667981
SHA256 5b8d7269ed5ca414208ff017f52ee65f14d4d8a707a39a7dc3f9879c0c0ce335
SHA512 f8ff930aa55222478967b7865465c3f75138b9ff172fdcc1aab47a0172641c5a790e73b5d98bf47fc772002437ad2153846dec626e020408c8d6daee0c630b59

C:\Users\Admin\AppData\Local\Temp\datastate.dll

MD5 626dd52ec6cf2e1e00948586b649cb2a
SHA1 b8aaee43554ec9eb6d0d05a81cf186b330390745
SHA256 4696b31b9efef6eb60464d0a18abc398338f3616d7189dbd8555937cb85645fd
SHA512 e1e3537d9782cb344bc9925fcea42ffc8125a753caaf713c1fdd521cda36a0513ac89634b3de93ed732557a5649ef3eac2fc9f365bdefdc615d466275788883b

C:\Users\Admin\AppData\Local\Temp\vclx120.bpl

MD5 7daa2b7fe529b45101a399b5ebf0a416
SHA1 fd73f3561d0cebe341a6c380681fb08841fa5ce6
SHA256 2bdf023c439010ce0a786ec75d943a80a8f01363712bbf69afc29d3e2b5306ed
SHA512 8e9ec71943c412fe95563e488d91e6ef0041c16a08654ff14b11953f134007657d1e6ec95952f6b9c8b8567a35368840618db06e5cd99abc43ae495a3fbc6b96

C:\Users\Admin\AppData\Local\Temp\vcl120.bpl

MD5 849070ebd34cbaedc525599d6c3f8914
SHA1 b0543d13f4d0cb787abdaaf1d3c9a5af17c87afa
SHA256 b6f321a48812dc922b26953020c9a60949ec429a921033cfaf1e9f7d088ee628
SHA512 f2ca685b01be9d1b77d8d924e0097ddacee7628cc1aad8a87d8b18a699558d38a7851e6cff8bb2b8ae1980824588af5c3ac75b7b4198b620144dff61611f3aeb

C:\Users\Admin\AppData\Local\Temp\maddisAsm_.bpl

MD5 84bc072f8ea30746f0982afbda3c638f
SHA1 f39343933ff3fc7934814d6d3b7b098bc92540a0
SHA256 52019f47f96ca868fa4e747c3b99cba1b7aa57317bf8ebf9fcbf09aa576fe006
SHA512 6e7648194738e8e49e48c2450eef1d482473cd4e5c0e83f292ac9174488f3f22a3b6ba96f07e024c2ab96613d9db1a97084ca0b3973ed5d88502e0d28e120ef5

C:\Users\Admin\AppData\Local\Temp\rtl120.bpl

MD5 630991830afe0b969bd0995e697ab16e
SHA1 feda243d83fba15b23d654513dc1f0d70787ba18
SHA256 b1fcb0339b9ef4860bb1ed1e5ba0e148321be64696af64f3b1643d1311028cb3
SHA512 2f2bf30be615f44e56ecca972a9fcbe27187045e13c468d039645e5cc6d01f990cde32b322965f245bc8fccfd0920f09a0afa1d4de0748ed01dd9ffc1bd24692

C:\Users\Admin\AppData\Local\Temp\madbasic_.bpl

MD5 dc6655a38ffdc3c349f13828fc8ec36e
SHA1 95db71ef7bff8c16ce955c760292bad9f09bb06d
SHA256 16126ff5daa3787a159cf4a39aa040b8050ebb66ab90dbb97c503110ef72824a
SHA512 84b85f2aaad773cbe039022db3d0c35263343243f0d021d7aa3086904b80dd309e6d2a93613cc774b5db27335f4d2850151e2bc8f4648b0065f66bd3722c3d69

C:\Users\Admin\AppData\Local\Temp\charr.dbf

MD5 9424382dbaeb4890c9c1a52fc90f712a
SHA1 6f4d7fe82fbd617b7bea45e9f18a195ebfbd3042
SHA256 7ae3088de2f2b20ef4644b42d2ba4f55e29861bfeb19960a5ada00e621a77168
SHA512 138b16a0ae8b5af42dd805a01b60737bdefe9445a699a7dbd7967a25d0e6284e66866695575f670167d324d9f60960c9b8c99588bcb41a77c9e699048c2bf949

C:\Users\Admin\AppData\Local\Temp\rebbe.pkg

MD5 3456f0fe789f38cf5d58b359ac1e8727
SHA1 5b39e9e71a07102036386bdd0651dcc267400723
SHA256 c6e43d099efea12aabe41fdfe7c6201c94b44fe79fa3d802944e30c019e29e65
SHA512 bc2c941019d27f0b2bee5be1ecf5e497c546f9862cc615e18b7ea8fff799bfdaeec2bc05cb17035f44fb1dde16899f21ea9a129a0c3a22a83200d6697c4b4aed

memory/2460-57-0x0000000073180000-0x0000000073195000-memory.dmp

memory/2460-58-0x00007FFCA8160000-0x00007FFCA8369000-memory.dmp

memory/2460-75-0x0000000057000000-0x000000005703F000-memory.dmp

memory/2460-80-0x0000000050310000-0x0000000050349000-memory.dmp

memory/2460-79-0x0000000050120000-0x000000005030D000-memory.dmp

memory/2460-78-0x0000000057800000-0x0000000057812000-memory.dmp

memory/2460-77-0x0000000059800000-0x000000005986E000-memory.dmp

memory/2460-76-0x0000000050000000-0x0000000050116000-memory.dmp

memory/2460-74-0x0000000000400000-0x0000000000845000-memory.dmp

memory/2176-102-0x0000000075140000-0x0000000075155000-memory.dmp

memory/2176-103-0x00007FFCA8160000-0x00007FFCA8369000-memory.dmp

memory/2176-104-0x0000000075140000-0x0000000075155000-memory.dmp

memory/2176-111-0x0000000050120000-0x000000005030D000-memory.dmp

memory/2176-109-0x0000000059800000-0x000000005986E000-memory.dmp

memory/2176-107-0x0000000050000000-0x0000000050116000-memory.dmp

memory/2176-106-0x0000000000400000-0x0000000000845000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\15a4b15f

MD5 8e09ecc2c3197e4e97e1aba0de94f438
SHA1 06ebb8ea17d070d0947ab667bac21d83010cde3f
SHA256 e9ce8f5d88dcbdd0856db902a6796fad499a5b2b74190592747fe55959321898
SHA512 aa8c79b8664ecc0f5093031bda9fa46725cb3b6796edb5803f74b0e9dbf79f97dd33d74c6668f7f699eab937ad998937f0894963bce823060ebd3dca90ebae6a

memory/1448-115-0x00007FFCA8160000-0x00007FFCA8369000-memory.dmp

memory/1448-116-0x0000000075140000-0x0000000075155000-memory.dmp

memory/4976-118-0x00007FFCA8160000-0x00007FFCA8369000-memory.dmp

memory/4976-119-0x0000000000A90000-0x0000000000AF9000-memory.dmp

memory/4976-120-0x0000000000A90000-0x0000000000AF9000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-10 19:47

Reported

2024-07-10 19:53

Platform

win7-20240704-en

Max time kernel

117s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\##!!SetUp_2244_Pa$sW0rd$$!!\Setup.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\iTopDataRecovery.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SGP\iTopDataRecovery.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2564 set thread context of 2484 N/A C:\Users\Admin\AppData\Roaming\SGP\iTopDataRecovery.exe C:\Windows\SysWOW64\more.com

Enumerates physical storage devices

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\SGP\iTopDataRecovery.exe N/A
N/A N/A C:\Windows\SysWOW64\more.com N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2156 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\##!!SetUp_2244_Pa$sW0rd$$!!\Setup.exe C:\Users\Admin\AppData\Local\Temp\iTopDataRecovery.exe
PID 2156 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\##!!SetUp_2244_Pa$sW0rd$$!!\Setup.exe C:\Users\Admin\AppData\Local\Temp\iTopDataRecovery.exe
PID 2156 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\##!!SetUp_2244_Pa$sW0rd$$!!\Setup.exe C:\Users\Admin\AppData\Local\Temp\iTopDataRecovery.exe
PID 2156 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\##!!SetUp_2244_Pa$sW0rd$$!!\Setup.exe C:\Users\Admin\AppData\Local\Temp\iTopDataRecovery.exe
PID 1872 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\iTopDataRecovery.exe C:\Users\Admin\AppData\Roaming\SGP\iTopDataRecovery.exe
PID 1872 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\iTopDataRecovery.exe C:\Users\Admin\AppData\Roaming\SGP\iTopDataRecovery.exe
PID 1872 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\iTopDataRecovery.exe C:\Users\Admin\AppData\Roaming\SGP\iTopDataRecovery.exe
PID 1872 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\iTopDataRecovery.exe C:\Users\Admin\AppData\Roaming\SGP\iTopDataRecovery.exe
PID 2564 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Roaming\SGP\iTopDataRecovery.exe C:\Windows\SysWOW64\more.com
PID 2564 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Roaming\SGP\iTopDataRecovery.exe C:\Windows\SysWOW64\more.com
PID 2564 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Roaming\SGP\iTopDataRecovery.exe C:\Windows\SysWOW64\more.com
PID 2564 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Roaming\SGP\iTopDataRecovery.exe C:\Windows\SysWOW64\more.com
PID 2564 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Roaming\SGP\iTopDataRecovery.exe C:\Windows\SysWOW64\more.com
PID 2484 wrote to memory of 1752 N/A C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\SearchIndexer.exe
PID 2484 wrote to memory of 1752 N/A C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\SearchIndexer.exe
PID 2484 wrote to memory of 1752 N/A C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\SearchIndexer.exe
PID 2484 wrote to memory of 1752 N/A C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\SearchIndexer.exe
PID 2484 wrote to memory of 1752 N/A C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\SearchIndexer.exe

Processes

C:\Users\Admin\AppData\Local\Temp\##!!SetUp_2244_Pa$sW0rd$$!!\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\##!!SetUp_2244_Pa$sW0rd$$!!\Setup.exe"

C:\Users\Admin\AppData\Local\Temp\iTopDataRecovery.exe

"C:\Users\Admin\AppData\Local\Temp\iTopDataRecovery.exe"

C:\Users\Admin\AppData\Roaming\SGP\iTopDataRecovery.exe

C:\Users\Admin\AppData\Roaming\SGP\iTopDataRecovery.exe

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\SearchIndexer.exe

C:\Windows\SysWOW64\SearchIndexer.exe

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\iTopDataRecovery.exe

MD5 95387cc85dacad60b3e10665b43602e6
SHA1 d9aafd45fe3ad10d28716d6289fe76b4fdce1869
SHA256 3c317dbab70d3ab4fce944c92532d111f69fd71dca5c7f7c7b8d57e657f26a1a
SHA512 82cb0983739a76d15beacbc50f1bf7fa5cca1650b18444c204a3e6a6656aaba5ac94341fa394aaad78b3ff2d51f17c6623f0a882692881d6506af5dae544a02b

\Users\Admin\AppData\Local\Temp\rtl120.bpl

MD5 630991830afe0b969bd0995e697ab16e
SHA1 feda243d83fba15b23d654513dc1f0d70787ba18
SHA256 b1fcb0339b9ef4860bb1ed1e5ba0e148321be64696af64f3b1643d1311028cb3
SHA512 2f2bf30be615f44e56ecca972a9fcbe27187045e13c468d039645e5cc6d01f990cde32b322965f245bc8fccfd0920f09a0afa1d4de0748ed01dd9ffc1bd24692

C:\Users\Admin\AppData\Local\Temp\madBasic_.bpl

MD5 dc6655a38ffdc3c349f13828fc8ec36e
SHA1 95db71ef7bff8c16ce955c760292bad9f09bb06d
SHA256 16126ff5daa3787a159cf4a39aa040b8050ebb66ab90dbb97c503110ef72824a
SHA512 84b85f2aaad773cbe039022db3d0c35263343243f0d021d7aa3086904b80dd309e6d2a93613cc774b5db27335f4d2850151e2bc8f4648b0065f66bd3722c3d69

C:\Users\Admin\AppData\Local\Temp\vcl120.bpl

MD5 849070ebd34cbaedc525599d6c3f8914
SHA1 b0543d13f4d0cb787abdaaf1d3c9a5af17c87afa
SHA256 b6f321a48812dc922b26953020c9a60949ec429a921033cfaf1e9f7d088ee628
SHA512 f2ca685b01be9d1b77d8d924e0097ddacee7628cc1aad8a87d8b18a699558d38a7851e6cff8bb2b8ae1980824588af5c3ac75b7b4198b620144dff61611f3aeb

C:\Users\Admin\AppData\Local\Temp\madExcept_.bpl

MD5 21068dfd733435c866312d35b9432733
SHA1 3d5336c676d3dd94500d0d2fe853b9de457f10fd
SHA256 835f1141ece59c36b18e76927572d229136aeb12eff44cb4ba98d7808257c299
SHA512 54664a9e60e5a0b148fc4684125b7eac9cfc57d0bc5838204ed587d62e44c3347c0bae3192d5c375b6a74335b4fed4fc53248ba542c59022e9761872e09e3ee7

C:\Users\Admin\AppData\Local\Temp\madDisAsm_.bpl

MD5 84bc072f8ea30746f0982afbda3c638f
SHA1 f39343933ff3fc7934814d6d3b7b098bc92540a0
SHA256 52019f47f96ca868fa4e747c3b99cba1b7aa57317bf8ebf9fcbf09aa576fe006
SHA512 6e7648194738e8e49e48c2450eef1d482473cd4e5c0e83f292ac9174488f3f22a3b6ba96f07e024c2ab96613d9db1a97084ca0b3973ed5d88502e0d28e120ef5

\Users\Admin\AppData\Local\Temp\vclx120.bpl

MD5 7daa2b7fe529b45101a399b5ebf0a416
SHA1 fd73f3561d0cebe341a6c380681fb08841fa5ce6
SHA256 2bdf023c439010ce0a786ec75d943a80a8f01363712bbf69afc29d3e2b5306ed
SHA512 8e9ec71943c412fe95563e488d91e6ef0041c16a08654ff14b11953f134007657d1e6ec95952f6b9c8b8567a35368840618db06e5cd99abc43ae495a3fbc6b96

C:\Users\Admin\AppData\Local\Temp\pdfium.dll

MD5 65a63bd3e6c4ce54299bf494582304f3
SHA1 e6f63f69388dd5a3cda90403711b78fe5c667981
SHA256 5b8d7269ed5ca414208ff017f52ee65f14d4d8a707a39a7dc3f9879c0c0ce335
SHA512 f8ff930aa55222478967b7865465c3f75138b9ff172fdcc1aab47a0172641c5a790e73b5d98bf47fc772002437ad2153846dec626e020408c8d6daee0c630b59

\Users\Admin\AppData\Local\Temp\pdf2bmp.dll

MD5 f65c3b116281fd23e5748ad73e9501cf
SHA1 ebda8a741833c4fcbfcb72591a7c173d69a01ebd
SHA256 eb48e0e36be7b0a89a0b8cc129a3b004a8525e5f60445e5ca48a7810d9d93725
SHA512 78ec4ade61c6abf87283d5858ffe119e10d119bcaa2c678d20cb7d45bb1d244a9aaf70b50ab365509b615e7323081292bae156d665a471990863c83a8b233cbc

C:\Users\Admin\AppData\Local\Temp\datastate.dll

MD5 626dd52ec6cf2e1e00948586b649cb2a
SHA1 b8aaee43554ec9eb6d0d05a81cf186b330390745
SHA256 4696b31b9efef6eb60464d0a18abc398338f3616d7189dbd8555937cb85645fd
SHA512 e1e3537d9782cb344bc9925fcea42ffc8125a753caaf713c1fdd521cda36a0513ac89634b3de93ed732557a5649ef3eac2fc9f365bdefdc615d466275788883b

C:\Users\Admin\AppData\Local\Temp\charr.dbf

MD5 9424382dbaeb4890c9c1a52fc90f712a
SHA1 6f4d7fe82fbd617b7bea45e9f18a195ebfbd3042
SHA256 7ae3088de2f2b20ef4644b42d2ba4f55e29861bfeb19960a5ada00e621a77168
SHA512 138b16a0ae8b5af42dd805a01b60737bdefe9445a699a7dbd7967a25d0e6284e66866695575f670167d324d9f60960c9b8c99588bcb41a77c9e699048c2bf949

C:\Users\Admin\AppData\Local\Temp\rebbe.pkg

MD5 3456f0fe789f38cf5d58b359ac1e8727
SHA1 5b39e9e71a07102036386bdd0651dcc267400723
SHA256 c6e43d099efea12aabe41fdfe7c6201c94b44fe79fa3d802944e30c019e29e65
SHA512 bc2c941019d27f0b2bee5be1ecf5e497c546f9862cc615e18b7ea8fff799bfdaeec2bc05cb17035f44fb1dde16899f21ea9a129a0c3a22a83200d6697c4b4aed

memory/1872-49-0x0000000073FE0000-0x0000000074077000-memory.dmp

memory/1872-50-0x0000000077410000-0x00000000775B9000-memory.dmp

memory/1872-78-0x0000000057800000-0x0000000057812000-memory.dmp

memory/1872-79-0x0000000050310000-0x0000000050349000-memory.dmp

memory/1872-77-0x0000000059800000-0x000000005986E000-memory.dmp

memory/1872-76-0x0000000050120000-0x000000005030D000-memory.dmp

memory/2564-97-0x0000000077410000-0x00000000775B9000-memory.dmp

memory/1872-75-0x0000000057000000-0x000000005703F000-memory.dmp

memory/1872-71-0x0000000050000000-0x0000000050116000-memory.dmp

memory/1872-69-0x0000000000400000-0x0000000000845000-memory.dmp

memory/2564-104-0x0000000059800000-0x000000005986E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ac1af14c

MD5 45aa5e81fd75c7a776fbe51deb2ac9e5
SHA1 d031c134a8ef66e97828c6b09b5325346e386af9
SHA256 3da6d99b5081b38e745700b8df7ce77570483c248e6199eb4e3c65bdd5323507
SHA512 a84a867aeca86c216f00d364362f2c926625d754eb7bfbfb28c21b98dde97e51b2e611a87ac8b27e4346de7ec8f9e7f1d7235bca081e0bcc70c9860ca7f7fe28

memory/2564-98-0x0000000073FE0000-0x0000000074077000-memory.dmp

memory/2564-103-0x0000000050120000-0x000000005030D000-memory.dmp

memory/2564-101-0x0000000050000000-0x0000000050116000-memory.dmp

memory/2564-100-0x0000000000400000-0x0000000000845000-memory.dmp

memory/2484-109-0x0000000077410000-0x00000000775B9000-memory.dmp

memory/2484-110-0x0000000073FE0000-0x0000000074077000-memory.dmp

memory/1752-112-0x0000000077410000-0x00000000775B9000-memory.dmp

memory/1752-113-0x0000000000400000-0x0000000000469000-memory.dmp

memory/1752-114-0x0000000000400000-0x0000000000469000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-10 19:47

Reported

2024-07-10 19:53

Platform

win10v2004-20240709-en

Max time kernel

120s

Max time network

207s

Command Line

"C:\Users\Admin\AppData\Local\Temp\##!!SetUp_2244_Pa$sW0rd$$!!\Setup.exe"

Signatures

Lumma Stealer

stealer lumma

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\##!!SetUp_2244_Pa$sW0rd$$!!\Setup.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\iTopDataRecovery.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SGP\iTopDataRecovery.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\iTopDataRecovery.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iTopDataRecovery.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iTopDataRecovery.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iTopDataRecovery.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iTopDataRecovery.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iTopDataRecovery.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iTopDataRecovery.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iTopDataRecovery.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iTopDataRecovery.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iTopDataRecovery.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iTopDataRecovery.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iTopDataRecovery.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iTopDataRecovery.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iTopDataRecovery.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SGP\iTopDataRecovery.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SGP\iTopDataRecovery.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SGP\iTopDataRecovery.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SGP\iTopDataRecovery.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SGP\iTopDataRecovery.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SGP\iTopDataRecovery.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SGP\iTopDataRecovery.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SGP\iTopDataRecovery.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SGP\iTopDataRecovery.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SGP\iTopDataRecovery.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SGP\iTopDataRecovery.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SGP\iTopDataRecovery.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SGP\iTopDataRecovery.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4964 set thread context of 4688 N/A C:\Users\Admin\AppData\Roaming\SGP\iTopDataRecovery.exe C:\Windows\SysWOW64\more.com

Enumerates physical storage devices

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\SGP\iTopDataRecovery.exe N/A
N/A N/A C:\Windows\SysWOW64\more.com N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4504 wrote to memory of 4760 N/A C:\Users\Admin\AppData\Local\Temp\##!!SetUp_2244_Pa$sW0rd$$!!\Setup.exe C:\Users\Admin\AppData\Local\Temp\iTopDataRecovery.exe
PID 4504 wrote to memory of 4760 N/A C:\Users\Admin\AppData\Local\Temp\##!!SetUp_2244_Pa$sW0rd$$!!\Setup.exe C:\Users\Admin\AppData\Local\Temp\iTopDataRecovery.exe
PID 4504 wrote to memory of 4760 N/A C:\Users\Admin\AppData\Local\Temp\##!!SetUp_2244_Pa$sW0rd$$!!\Setup.exe C:\Users\Admin\AppData\Local\Temp\iTopDataRecovery.exe
PID 4760 wrote to memory of 4964 N/A C:\Users\Admin\AppData\Local\Temp\iTopDataRecovery.exe C:\Users\Admin\AppData\Roaming\SGP\iTopDataRecovery.exe
PID 4760 wrote to memory of 4964 N/A C:\Users\Admin\AppData\Local\Temp\iTopDataRecovery.exe C:\Users\Admin\AppData\Roaming\SGP\iTopDataRecovery.exe
PID 4760 wrote to memory of 4964 N/A C:\Users\Admin\AppData\Local\Temp\iTopDataRecovery.exe C:\Users\Admin\AppData\Roaming\SGP\iTopDataRecovery.exe
PID 4964 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Roaming\SGP\iTopDataRecovery.exe C:\Windows\SysWOW64\more.com
PID 4964 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Roaming\SGP\iTopDataRecovery.exe C:\Windows\SysWOW64\more.com
PID 4964 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Roaming\SGP\iTopDataRecovery.exe C:\Windows\SysWOW64\more.com
PID 4964 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Roaming\SGP\iTopDataRecovery.exe C:\Windows\SysWOW64\more.com
PID 4688 wrote to memory of 5032 N/A C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\SearchIndexer.exe
PID 4688 wrote to memory of 5032 N/A C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\SearchIndexer.exe
PID 4688 wrote to memory of 5032 N/A C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\SearchIndexer.exe
PID 4688 wrote to memory of 5032 N/A C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\SearchIndexer.exe

Processes

C:\Users\Admin\AppData\Local\Temp\##!!SetUp_2244_Pa$sW0rd$$!!\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\##!!SetUp_2244_Pa$sW0rd$$!!\Setup.exe"

C:\Users\Admin\AppData\Local\Temp\iTopDataRecovery.exe

"C:\Users\Admin\AppData\Local\Temp\iTopDataRecovery.exe"

C:\Users\Admin\AppData\Roaming\SGP\iTopDataRecovery.exe

C:\Users\Admin\AppData\Roaming\SGP\iTopDataRecovery.exe

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\SearchIndexer.exe

C:\Windows\SysWOW64\SearchIndexer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 232.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 bittercoldzzdwu.shop udp
US 172.67.134.113:443 bittercoldzzdwu.shop tcp
US 8.8.8.8:53 bouncedgowp.shop udp
US 104.21.93.198:443 bouncedgowp.shop tcp
US 8.8.8.8:53 bannngwko.shop udp
US 104.21.81.196:443 bannngwko.shop tcp
US 8.8.8.8:53 198.93.21.104.in-addr.arpa udp
US 8.8.8.8:53 113.134.67.172.in-addr.arpa udp
US 8.8.8.8:53 bargainnykwo.shop udp
US 172.67.146.97:443 bargainnykwo.shop tcp
US 8.8.8.8:53 affecthorsedpo.shop udp
US 172.67.135.137:443 affecthorsedpo.shop tcp
US 8.8.8.8:53 196.81.21.104.in-addr.arpa udp
US 8.8.8.8:53 97.146.67.172.in-addr.arpa udp
US 8.8.8.8:53 radiationnopp.shop udp
US 172.67.196.169:443 radiationnopp.shop tcp
US 8.8.8.8:53 answerrsdo.shop udp
US 104.21.44.192:443 answerrsdo.shop tcp
US 8.8.8.8:53 169.196.67.172.in-addr.arpa udp
US 8.8.8.8:53 137.135.67.172.in-addr.arpa udp
US 8.8.8.8:53 publicitttyps.shop udp
US 172.67.134.88:443 publicitttyps.shop tcp
US 8.8.8.8:53 benchillppwo.shop udp
US 104.21.81.128:443 benchillppwo.shop tcp
US 8.8.8.8:53 steamcommunity.com udp
FR 104.85.26.126:443 steamcommunity.com tcp
US 8.8.8.8:53 192.44.21.104.in-addr.arpa udp
US 8.8.8.8:53 88.134.67.172.in-addr.arpa udp
US 8.8.8.8:53 128.81.21.104.in-addr.arpa udp
US 8.8.8.8:53 reinforcedirectorywd.shop udp
US 104.21.83.48:443 reinforcedirectorywd.shop tcp
US 8.8.8.8:53 48.83.21.104.in-addr.arpa udp
US 8.8.8.8:53 126.26.85.104.in-addr.arpa udp
US 8.8.8.8:53 107.211.222.173.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
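Both runs that reached the network contact the same ten .shop domains over 443, but several resolve to different addresses in the win11 and win10 runs (bittercoldzzdwu.shop is 104.21.25.179 in the behavioral3 table and 172.67.134.113 here), while a few (affecthorsedpo.shop, answerrsdo.shop, benchillppwo.shop) and steamcommunity.com kept the same address. The script below is an added example, not part of the report: it merges the two network tables (behavioral3 in full, behavioral2's tcp rows plus a sample of its DNS rows), drops resolver queries and reverse lookups, separates sandbox background traffic and the steamcommunity.com contact from the attacker-controlled names, and reports which domains had rotating addresses. The allowlist of background hosts is the example's assumption; treating steamcommunity.com as a dead-drop resolver rather than attacker infrastructure rests on public reporting about this family, not on anything the sandbox itself states.

```python
import re
from collections import defaultdict

# Rows copied from the two Network tables above. DNS and reverse-lookup rows are kept
# so the filter has to handle them rather than assuming every row is a connection.
NETWORK_ROWS = {
    "behavioral3": """
US 8.8.8.8:53 bittercoldzzdwu.shop udp
US 104.21.25.179:443 bittercoldzzdwu.shop tcp
US 172.67.214.52:443 bouncedgowp.shop tcp
US 172.67.146.61:443 bannngwko.shop tcp
US 104.21.47.93:443 bargainnykwo.shop tcp
US 8.8.8.8:53 179.25.21.104.in-addr.arpa udp
US 8.8.8.8:53 52.214.67.172.in-addr.arpa udp
US 172.67.135.137:443 affecthorsedpo.shop tcp
US 104.21.68.158:443 radiationnopp.shop tcp
US 104.21.44.192:443 answerrsdo.shop tcp
US 8.8.8.8:53 137.135.67.172.in-addr.arpa udp
US 104.21.25.154:443 publicitttyps.shop tcp
US 104.21.81.128:443 benchillppwo.shop tcp
FR 104.85.26.126:443 steamcommunity.com tcp
US 172.67.214.98:443 reinforcedirectorywd.shop tcp
""",
    "behavioral2": """
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 bittercoldzzdwu.shop udp
US 172.67.134.113:443 bittercoldzzdwu.shop tcp
US 104.21.93.198:443 bouncedgowp.shop tcp
US 104.21.81.196:443 bannngwko.shop tcp
US 172.67.146.97:443 bargainnykwo.shop tcp
US 172.67.135.137:443 affecthorsedpo.shop tcp
US 172.67.196.169:443 radiationnopp.shop tcp
US 104.21.44.192:443 answerrsdo.shop tcp
US 172.67.134.88:443 publicitttyps.shop tcp
US 104.21.81.128:443 benchillppwo.shop tcp
FR 104.85.26.126:443 steamcommunity.com tcp
US 104.21.83.48:443 reinforcedirectorywd.shop tcp
""",
}

ROW_RE = re.compile(r"^(?P<cc>[A-Z]{2}) (?P<ip>[\d.]+):(?P<port>\d+) (?P<name>\S+) (?P<proto>tcp|udp)$")
RESOLVER = "8.8.8.8"  # the sandbox's DNS server; udp rows to it are lookups, not C2
# Assumption: background traffic generated by the Windows image itself.
SANDBOX_NOISE = {"g.bing.com"}
# Assumption (from public reporting, not from this report): a legitimate service the
# stealer reads its live C2 address from, so it is kept visible but not listed as attacker-owned.
DEAD_DROP = {"steamcommunity.com"}


def classify(name):
    if name.endswith(".in-addr.arpa"):
        return "reverse-dns"
    if name in SANDBOX_NOISE:
        return "noise"
    if name in DEAD_DROP:
        return "dead-drop"
    return "c2"


def aggregate(runs):
    """name -> {'class', 'ips', 'ports', 'runs'} merged over every detonation."""
    agg = defaultdict(lambda: {"class": None, "ips": set(), "ports": set(), "runs": set()})
    for run, text in runs.items():
        for line in text.strip().splitlines():
            m = ROW_RE.match(line.strip())
            if not m:
                raise ValueError(f"unparsed row: {line!r}")
            entry = agg[m["name"]]
            entry["class"] = classify(m["name"])
            entry["runs"].add(run)
            if m["proto"] == "udp" and m["ip"] == RESOLVER:
                continue  # a query shows the name was looked up, not where it resolved
            entry["ips"].add(m["ip"])
            entry["ports"].add(int(m["port"]))
    return dict(agg)


def c2_domains(agg):
    """Names to block and hunt on, sorted. Reverse lookups and noise never appear here."""
    return sorted(n for n, e in agg.items() if e["class"] == "c2")


def volatile_ip_domains(agg):
    """C2 names that resolved to different addresses in different runs. The addresses
    fall in Cloudflare ranges and rotate, so the domain, not the IP, is the durable IOC."""
    return sorted(n for n, e in agg.items() if e["class"] == "c2" and len(e["ips"]) > 1)


def ioc_lines(agg):
    """One text line per C2 domain: name, ports, every address seen, number of runs."""
    return [f"{n} {','.join(map(str, sorted(agg[n]['ports'])))} "
            f"{','.join(sorted(agg[n]['ips']))} runs={len(agg[n]['runs'])}"
            for n in c2_domains(agg)]
```

Seven of the ten domains changed address between two detonations a few minutes apart, so an IP-based block list built from a single run would already be stale; the domain list and the 443-only pattern are what carry over.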

Files

C:\Users\Admin\AppData\Local\Temp\iTopDataRecovery.exe

MD5 95387cc85dacad60b3e10665b43602e6
SHA1 d9aafd45fe3ad10d28716d6289fe76b4fdce1869
SHA256 3c317dbab70d3ab4fce944c92532d111f69fd71dca5c7f7c7b8d57e657f26a1a
SHA512 82cb0983739a76d15beacbc50f1bf7fa5cca1650b18444c204a3e6a6656aaba5ac94341fa394aaad78b3ff2d51f17c6623f0a882692881d6506af5dae544a02b

C:\Users\Admin\AppData\Local\Temp\madBasic_.bpl

MD5 dc6655a38ffdc3c349f13828fc8ec36e
SHA1 95db71ef7bff8c16ce955c760292bad9f09bb06d
SHA256 16126ff5daa3787a159cf4a39aa040b8050ebb66ab90dbb97c503110ef72824a
SHA512 84b85f2aaad773cbe039022db3d0c35263343243f0d021d7aa3086904b80dd309e6d2a93613cc774b5db27335f4d2850151e2bc8f4648b0065f66bd3722c3d69

C:\Users\Admin\AppData\Local\Temp\rtl120.bpl

MD5 630991830afe0b969bd0995e697ab16e
SHA1 feda243d83fba15b23d654513dc1f0d70787ba18
SHA256 b1fcb0339b9ef4860bb1ed1e5ba0e148321be64696af64f3b1643d1311028cb3
SHA512 2f2bf30be615f44e56ecca972a9fcbe27187045e13c468d039645e5cc6d01f990cde32b322965f245bc8fccfd0920f09a0afa1d4de0748ed01dd9ffc1bd24692

C:\Users\Admin\AppData\Local\Temp\vcl120.bpl

MD5 849070ebd34cbaedc525599d6c3f8914
SHA1 b0543d13f4d0cb787abdaaf1d3c9a5af17c87afa
SHA256 b6f321a48812dc922b26953020c9a60949ec429a921033cfaf1e9f7d088ee628
SHA512 f2ca685b01be9d1b77d8d924e0097ddacee7628cc1aad8a87d8b18a699558d38a7851e6cff8bb2b8ae1980824588af5c3ac75b7b4198b620144dff61611f3aeb

C:\Users\Admin\AppData\Local\Temp\datastate.dll

MD5 626dd52ec6cf2e1e00948586b649cb2a
SHA1 b8aaee43554ec9eb6d0d05a81cf186b330390745
SHA256 4696b31b9efef6eb60464d0a18abc398338f3616d7189dbd8555937cb85645fd
SHA512 e1e3537d9782cb344bc9925fcea42ffc8125a753caaf713c1fdd521cda36a0513ac89634b3de93ed732557a5649ef3eac2fc9f365bdefdc615d466275788883b

C:\Users\Admin\AppData\Local\Temp\pdfium.dll

MD5 65a63bd3e6c4ce54299bf494582304f3
SHA1 e6f63f69388dd5a3cda90403711b78fe5c667981
SHA256 5b8d7269ed5ca414208ff017f52ee65f14d4d8a707a39a7dc3f9879c0c0ce335
SHA512 f8ff930aa55222478967b7865465c3f75138b9ff172fdcc1aab47a0172641c5a790e73b5d98bf47fc772002437ad2153846dec626e020408c8d6daee0c630b59

C:\Users\Admin\AppData\Local\Temp\pdf2bmp.dll

MD5 f65c3b116281fd23e5748ad73e9501cf
SHA1 ebda8a741833c4fcbfcb72591a7c173d69a01ebd
SHA256 eb48e0e36be7b0a89a0b8cc129a3b004a8525e5f60445e5ca48a7810d9d93725
SHA512 78ec4ade61c6abf87283d5858ffe119e10d119bcaa2c678d20cb7d45bb1d244a9aaf70b50ab365509b615e7323081292bae156d665a471990863c83a8b233cbc

C:\Users\Admin\AppData\Local\Temp\vclx120.bpl

MD5 7daa2b7fe529b45101a399b5ebf0a416
SHA1 fd73f3561d0cebe341a6c380681fb08841fa5ce6
SHA256 2bdf023c439010ce0a786ec75d943a80a8f01363712bbf69afc29d3e2b5306ed
SHA512 8e9ec71943c412fe95563e488d91e6ef0041c16a08654ff14b11953f134007657d1e6ec95952f6b9c8b8567a35368840618db06e5cd99abc43ae495a3fbc6b96

C:\Users\Admin\AppData\Local\Temp\maddisAsm_.bpl

MD5 84bc072f8ea30746f0982afbda3c638f
SHA1 f39343933ff3fc7934814d6d3b7b098bc92540a0
SHA256 52019f47f96ca868fa4e747c3b99cba1b7aa57317bf8ebf9fcbf09aa576fe006
SHA512 6e7648194738e8e49e48c2450eef1d482473cd4e5c0e83f292ac9174488f3f22a3b6ba96f07e024c2ab96613d9db1a97084ca0b3973ed5d88502e0d28e120ef5

C:\Users\Admin\AppData\Local\Temp\madexcept_.bpl

MD5 21068dfd733435c866312d35b9432733
SHA1 3d5336c676d3dd94500d0d2fe853b9de457f10fd
SHA256 835f1141ece59c36b18e76927572d229136aeb12eff44cb4ba98d7808257c299
SHA512 54664a9e60e5a0b148fc4684125b7eac9cfc57d0bc5838204ed587d62e44c3347c0bae3192d5c375b6a74335b4fed4fc53248ba542c59022e9761872e09e3ee7

C:\Users\Admin\AppData\Local\Temp\charr.dbf

MD5 9424382dbaeb4890c9c1a52fc90f712a
SHA1 6f4d7fe82fbd617b7bea45e9f18a195ebfbd3042
SHA256 7ae3088de2f2b20ef4644b42d2ba4f55e29861bfeb19960a5ada00e621a77168
SHA512 138b16a0ae8b5af42dd805a01b60737bdefe9445a699a7dbd7967a25d0e6284e66866695575f670167d324d9f60960c9b8c99588bcb41a77c9e699048c2bf949

C:\Users\Admin\AppData\Local\Temp\rebbe.pkg

MD5 3456f0fe789f38cf5d58b359ac1e8727
SHA1 5b39e9e71a07102036386bdd0651dcc267400723
SHA256 c6e43d099efea12aabe41fdfe7c6201c94b44fe79fa3d802944e30c019e29e65
SHA512 bc2c941019d27f0b2bee5be1ecf5e497c546f9862cc615e18b7ea8fff799bfdaeec2bc05cb17035f44fb1dde16899f21ea9a129a0c3a22a83200d6697c4b4aed

memory/4760-58-0x0000000072CC0000-0x0000000072CD4000-memory.dmp

memory/4760-59-0x00007FFD87230000-0x00007FFD87425000-memory.dmp

memory/4760-75-0x0000000050000000-0x0000000050116000-memory.dmp

memory/4760-80-0x0000000050310000-0x0000000050349000-memory.dmp

memory/4964-107-0x00000000749C0000-0x00000000749D4000-memory.dmp

memory/4964-108-0x00007FFD87230000-0x00007FFD87425000-memory.dmp

memory/4760-79-0x0000000050120000-0x000000005030D000-memory.dmp

memory/4760-78-0x0000000057800000-0x0000000057812000-memory.dmp

memory/4760-77-0x0000000057000000-0x000000005703F000-memory.dmp

memory/4760-76-0x0000000059800000-0x000000005986E000-memory.dmp

memory/4760-74-0x0000000000400000-0x0000000000845000-memory.dmp

memory/4964-109-0x00000000749C0000-0x00000000749D4000-memory.dmp

memory/4964-111-0x0000000000400000-0x0000000000845000-memory.dmp

memory/4964-117-0x0000000050310000-0x0000000050349000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\53d56564

MD5 eb0cbdd7068e206d8217ef85361de801
SHA1 046a62486954898cec3aade62cc9001b1327fafe
SHA256 6b44a1abb191730b51b14122943190cba632948dab06dc9bfe4f0f6db1775508
SHA512 cba594433749e0faac07b94d22378bdee4035f12ef7ffd872f54401a130ded6d828809214dc44e63015d29af30b659385ce7e8d502c52ee9d1c88aa100c88a8b

memory/4964-116-0x0000000050120000-0x000000005030D000-memory.dmp

memory/4964-114-0x0000000059800000-0x000000005986E000-memory.dmp

memory/4964-112-0x0000000050000000-0x0000000050116000-memory.dmp

memory/4688-120-0x00007FFD87230000-0x00007FFD87425000-memory.dmp

memory/4688-121-0x00000000749C0000-0x00000000749D4000-memory.dmp

memory/5032-123-0x00007FFD87230000-0x00007FFD87425000-memory.dmp

memory/5032-124-0x0000000001200000-0x0000000001269000-memory.dmp

memory/5032-127-0x0000000001200000-0x0000000001269000-memory.dmp
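The Files sections of the three runs list the same dropped files with identical hashes, with two wrinkles a practitioner has to handle before turning them into indicators: one randomly named file per run (15a4b15f, ac1af14c, 53d56564) has a different name and hash every time, and the same .bpl is reported with different letter case between runs (madBasic_.bpl in the win7 and win10 runs, madbasic_.bpl in the win11 run). The script below is an added example, not part of the report: it joins the three file lists case-insensitively, keeps as hash IOCs only the files whose SHA256 is identical across every run, sets aside the Delphi runtime packages (rtl120, vcl120, vclx120) and madExcept packages (madExcept_, madDisAsm_, madBasic_) that many legitimate Delphi applications ship unchanged, and lists the per-run files that should not become rules. The package list and the value split are the example's own classification.

```python
from collections import defaultdict

# Dropped-file SHA256s copied from the three Files sections, keyed by basename as the
# report spells it. Note the case-only differences between runs (madBasic_ / madbasic_).
DROPPED = {
    "behavioral3 (win11)": {
        "iTopDataRecovery.exe": "3c317dbab70d3ab4fce944c92532d111f69fd71dca5c7f7c7b8d57e657f26a1a",
        "madExcept_.bpl": "835f1141ece59c36b18e76927572d229136aeb12eff44cb4ba98d7808257c299",
        "pdf2bmp.dll": "eb48e0e36be7b0a89a0b8cc129a3b004a8525e5f60445e5ca48a7810d9d93725",
        "pdfium.dll": "5b8d7269ed5ca414208ff017f52ee65f14d4d8a707a39a7dc3f9879c0c0ce335",
        "datastate.dll": "4696b31b9efef6eb60464d0a18abc398338f3616d7189dbd8555937cb85645fd",
        "vclx120.bpl": "2bdf023c439010ce0a786ec75d943a80a8f01363712bbf69afc29d3e2b5306ed",
        "vcl120.bpl": "b6f321a48812dc922b26953020c9a60949ec429a921033cfaf1e9f7d088ee628",
        "maddisAsm_.bpl": "52019f47f96ca868fa4e747c3b99cba1b7aa57317bf8ebf9fcbf09aa576fe006",
        "rtl120.bpl": "b1fcb0339b9ef4860bb1ed1e5ba0e148321be64696af64f3b1643d1311028cb3",
        "madbasic_.bpl": "16126ff5daa3787a159cf4a39aa040b8050ebb66ab90dbb97c503110ef72824a",
        "charr.dbf": "7ae3088de2f2b20ef4644b42d2ba4f55e29861bfeb19960a5ada00e621a77168",
        "rebbe.pkg": "c6e43d099efea12aabe41fdfe7c6201c94b44fe79fa3d802944e30c019e29e65",
        "15a4b15f": "e9ce8f5d88dcbdd0856db902a6796fad499a5b2b74190592747fe55959321898",
    },
    "behavioral1 (win7)": {
        "iTopDataRecovery.exe": "3c317dbab70d3ab4fce944c92532d111f69fd71dca5c7f7c7b8d57e657f26a1a",
        "rtl120.bpl": "b1fcb0339b9ef4860bb1ed1e5ba0e148321be64696af64f3b1643d1311028cb3",
        "madBasic_.bpl": "16126ff5daa3787a159cf4a39aa040b8050ebb66ab90dbb97c503110ef72824a",
        "vcl120.bpl": "b6f321a48812dc922b26953020c9a60949ec429a921033cfaf1e9f7d088ee628",
        "madExcept_.bpl": "835f1141ece59c36b18e76927572d229136aeb12eff44cb4ba98d7808257c299",
        "madDisAsm_.bpl": "52019f47f96ca868fa4e747c3b99cba1b7aa57317bf8ebf9fcbf09aa576fe006",
        "vclx120.bpl": "2bdf023c439010ce0a786ec75d943a80a8f01363712bbf69afc29d3e2b5306ed",
        "pdfium.dll": "5b8d7269ed5ca414208ff017f52ee65f14d4d8a707a39a7dc3f9879c0c0ce335",
        "pdf2bmp.dll": "eb48e0e36be7b0a89a0b8cc129a3b004a8525e5f60445e5ca48a7810d9d93725",
        "datastate.dll": "4696b31b9efef6eb60464d0a18abc398338f3616d7189dbd8555937cb85645fd",
        "charr.dbf": "7ae3088de2f2b20ef4644b42d2ba4f55e29861bfeb19960a5ada00e621a77168",
        "rebbe.pkg": "c6e43d099efea12aabe41fdfe7c6201c94b44fe79fa3d802944e30c019e29e65",
        "ac1af14c": "3da6d99b5081b38e745700b8df7ce77570483c248e6199eb4e3c65bdd5323507",
    },
    "behavioral2 (win10)": {
        "iTopDataRecovery.exe": "3c317dbab70d3ab4fce944c92532d111f69fd71dca5c7f7c7b8d57e657f26a1a",
        "madBasic_.bpl": "16126ff5daa3787a159cf4a39aa040b8050ebb66ab90dbb97c503110ef72824a",
        "rtl120.bpl": "b1fcb0339b9ef4860bb1ed1e5ba0e148321be64696af64f3b1643d1311028cb3",
        "vcl120.bpl": "b6f321a48812dc922b26953020c9a60949ec429a921033cfaf1e9f7d088ee628",
        "datastate.dll": "4696b31b9efef6eb60464d0a18abc398338f3616d7189dbd8555937cb85645fd",
        "pdfium.dll": "5b8d7269ed5ca414208ff017f52ee65f14d4d8a707a39a7dc3f9879c0c0ce335",
        "pdf2bmp.dll": "eb48e0e36be7b0a89a0b8cc129a3b004a8525e5f60445e5ca48a7810d9d93725",
        "vclx120.bpl": "2bdf023c439010ce0a786ec75d943a80a8f01363712bbf69afc29d3e2b5306ed",
        "maddisAsm_.bpl": "52019f47f96ca868fa4e747c3b99cba1b7aa57317bf8ebf9fcbf09aa576fe006",
        "madexcept_.bpl": "835f1141ece59c36b18e76927572d229136aeb12eff44cb4ba98d7808257c299",
        "charr.dbf": "7ae3088de2f2b20ef4644b42d2ba4f55e29861bfeb19960a5ada00e621a77168",
        "rebbe.pkg": "c6e43d099efea12aabe41fdfe7c6201c94b44fe79fa3d802944e30c019e29e65",
        "53d56564": "6b44a1abb191730b51b14122943190cba632948dab06dc9bfe4f0f6db1775508",
    },
}

# Assumption: Delphi 2009 runtime packages and the madExcept library, shipped by many
# legitimate Delphi applications; a match on these corroborates but should not detect.
RUNTIME_PACKAGES = {"rtl120.bpl", "vcl120.bpl", "vclx120.bpl",
                    "madexcept_.bpl", "maddisasm_.bpl", "madbasic_.bpl"}


def by_name(dropped):
    """lowercased name -> {run: sha256}; Windows paths are case-insensitive, so the
    case-only spelling differences between runs collapse onto one entry."""
    table = defaultdict(dict)
    for run, files in dropped.items():
        for name, sha in files.items():
            table[name.lower()][run] = sha.lower()
    return dict(table)


def stable_iocs(dropped):
    """(name, sha256) for files present in every run with one and the same hash."""
    runs = set(dropped)
    out = []
    for name, per_run in by_name(dropped).items():
        hashes = set(per_run.values())
        if set(per_run) == runs and len(hashes) == 1:
            out.append((name, hashes.pop()))
    return sorted(out)


def volatile_files(dropped):
    """Files seen in only some runs, or with a different hash per run: generated at
    run time, so a hash or filename rule written for them would never fire again."""
    runs = set(dropped)
    return sorted(name for name, per_run in by_name(dropped).items()
                  if set(per_run) != runs or len(set(per_run.values())) > 1)


def split_by_value(stable):
    """Payload-specific files first, shared runtime packages second."""
    payload = [(n, h) for n, h in stable if n not in RUNTIME_PACKAGES]
    runtime = [(n, h) for n, h in stable if n in RUNTIME_PACKAGES]
    return payload, runtime
```

Of the thirteen files each run drops, twelve are byte-identical across all three platforms and six of those are specific to this payload; the three eight-hex-character files are the only ones that would make a rule silently useless.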