Malware Analysis Report

2024-11-30 05:26

Sample ID 240711-cb7naasejq
Target b1712b39fe796ae8ed77041201135aa5c71a50eee092518cfb477702feed3e0e
SHA256 b1712b39fe796ae8ed77041201135aa5c71a50eee092518cfb477702feed3e0e
Tags
lumma stealer
score
10/10

Analysis Overview

score
10/10

SHA256

b1712b39fe796ae8ed77041201135aa5c71a50eee092518cfb477702feed3e0e

Threat Level: Known bad

The file b1712b39fe796ae8ed77041201135aa5c71a50eee092518cfb477702feed3e0e was found to be: Known bad.

Malicious Activity Summary

lumma stealer

Lumma Stealer

Suspicious use of NtCreateUserProcessOtherParentProcess

Drops startup file

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Delays execution with timeout.exe

Enumerates processes with tasklist

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Analysis: static1

Detonation Overview

Reported

2024-07-11 01:55

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-11 01:55

Reported

2024-07-11 01:56

Platform

win7-20240704-en

Max time kernel

21s

Max time network

16s

Command Line

C:\Windows\Explorer.EXE

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess

Description | Indicator | Process | Target
PID 1996 created 1208 | N/A | C:\Users\Admin\AppData\Local\Temp\416420\Subsequent.pif | C:\Windows\Explorer.EXE

Drops startup file

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CryptoSync360.url | C:\Windows\SysWOW64\cmd.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CryptoSync360.url | C:\Windows\SysWOW64\cmd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\416420\Subsequent.pif | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A

Enumerates processes with tasklist

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2680 wrote to memory of 2844 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\b1712b39fe796ae8ed77041201135aa5c71a50eee092518cfb477702feed3e0e.exe | C:\Windows\SysWOW64\cmd.exe
PID 2844 wrote to memory of 2856 (4 events) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe
PID 2844 wrote to memory of 2792 (4 events) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 2844 wrote to memory of 1320 (4 events) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe
PID 2844 wrote to memory of 2264 (4 events) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 2844 wrote to memory of 652 (4 events) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 2844 wrote to memory of 2676 (4 events) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 2844 wrote to memory of 1988 (4 events) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 2844 wrote to memory of 1996 (4 events) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\416420\Subsequent.pif
PID 2844 wrote to memory of 1688 (4 events) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 1996 wrote to memory of 388 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\416420\Subsequent.pif | C:\Windows\SysWOW64\cmd.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\b1712b39fe796ae8ed77041201135aa5c71a50eee092518cfb477702feed3e0e.exe

"C:\Users\Admin\AppData\Local\Temp\b1712b39fe796ae8ed77041201135aa5c71a50eee092518cfb477702feed3e0e.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k copy Modes Modes.cmd & Modes.cmd & exit

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa.exe opssvc.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 416420

C:\Windows\SysWOW64\findstr.exe

findstr /V "VolumeBroughtDairyVehicle" Customs

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Barbara + Graphics + Frog + Iron 416420\D

C:\Users\Admin\AppData\Local\Temp\416420\Subsequent.pif

416420\Subsequent.pif 416420\D

C:\Windows\SysWOW64\timeout.exe

timeout 5

C:\Windows\SysWOW64\cmd.exe

cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CryptoSync360.url" & echo URL="C:\Users\Admin\AppData\Local\CryptoSync360 Solutions Inc\CryptoSync360.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CryptoSync360.url" & exit

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | hVcjGMjSjYYwEFEYBAbsQSqWJ.hVcjGMjSjYYwEFEYBAbsQSqWJ | udp

Files

C:\Users\Admin\AppData\Local\Temp\Modes
C:\Users\Admin\AppData\Local\Temp\Customs
C:\Users\Admin\AppData\Local\Temp\Tears
C:\Users\Admin\AppData\Local\Temp\Emissions
C:\Users\Admin\AppData\Local\Temp\Theater
C:\Users\Admin\AppData\Local\Temp\Collections
C:\Users\Admin\AppData\Local\Temp\Una
C:\Users\Admin\AppData\Local\Temp\Properly
C:\Users\Admin\AppData\Local\Temp\Ntsc
C:\Users\Admin\AppData\Local\Temp\Jane
C:\Users\Admin\AppData\Local\Temp\Cedar
C:\Users\Admin\AppData\Local\Temp\Before
C:\Users\Admin\AppData\Local\Temp\Rank
C:\Users\Admin\AppData\Local\Temp\Employee
C:\Users\Admin\AppData\Local\Temp\Sociology
C:\Users\Admin\AppData\Local\Temp\Bbc
C:\Users\Admin\AppData\Local\Temp\Olive
C:\Users\Admin\AppData\Local\Temp\Fda
C:\Users\Admin\AppData\Local\Temp\Fits
C:\Users\Admin\AppData\Local\Temp\Needle
C:\Users\Admin\AppData\Local\Temp\Momentum
C:\Users\Admin\AppData\Local\Temp\Arena
C:\Users\Admin\AppData\Local\Temp\Belt
C:\Users\Admin\AppData\Local\Temp\Into
C:\Users\Admin\AppData\Local\Temp\Places
C:\Users\Admin\AppData\Local\Temp\Barbara
C:\Users\Admin\AppData\Local\Temp\Graphics
C:\Users\Admin\AppData\Local\Temp\Frog
C:\Users\Admin\AppData\Local\Temp\Iron
C:\Users\Admin\AppData\Local\Temp\416420\Subsequent.pif
C:\Users\Admin\AppData\Local\Temp\416420\D

memory/1996-509-0x0000000003B10000-0x0000000003B5F000-memory.dmp

memory/1996-510-0x0000000003B10000-0x0000000003B5F000-memory.dmp

memory/1996-511-0x0000000003B10000-0x0000000003B5F000-memory.dmp

memory/1996-512-0x0000000003B10000-0x0000000003B5F000-memory.dmp

memory/1996-513-0x0000000003B10000-0x0000000003B5F000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-11 01:55

Reported

2024-07-11 01:56

Platform

win10v2004-20240709-en

Max time kernel

35s

Max time network

40s

Command Line

C:\Windows\Explorer.EXE

Signatures

Lumma Stealer

stealer lumma

Suspicious use of NtCreateUserProcessOtherParentProcess

Description | Indicator | Process | Target
PID 3736 created 3576 | N/A | C:\Users\Admin\AppData\Local\Temp\416420\Subsequent.pif | C:\Windows\Explorer.EXE

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\b1712b39fe796ae8ed77041201135aa5c71a50eee092518cfb477702feed3e0e.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CryptoSync360.url | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CryptoSync360.url | C:\Windows\SysWOW64\cmd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\416420\Subsequent.pif | N/A

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A

Enumerates processes with tasklist

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A (28 events) | N/A | C:\Users\Admin\AppData\Local\Temp\416420\Subsequent.pif | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3896 wrote to memory of 1096 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\b1712b39fe796ae8ed77041201135aa5c71a50eee092518cfb477702feed3e0e.exe | C:\Windows\SysWOW64\cmd.exe
PID 1096 wrote to memory of 3060 (3 events) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe
PID 1096 wrote to memory of 3236 (3 events) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 1096 wrote to memory of 4092 (3 events) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe
PID 1096 wrote to memory of 4776 (3 events) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 1096 wrote to memory of 3344 (3 events) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 1096 wrote to memory of 552 (3 events) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 1096 wrote to memory of 1456 (3 events) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 1096 wrote to memory of 3736 (3 events) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\416420\Subsequent.pif
PID 1096 wrote to memory of 3536 (3 events) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 3736 wrote to memory of 2700 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\416420\Subsequent.pif | C:\Windows\SysWOW64\cmd.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\b1712b39fe796ae8ed77041201135aa5c71a50eee092518cfb477702feed3e0e.exe

"C:\Users\Admin\AppData\Local\Temp\b1712b39fe796ae8ed77041201135aa5c71a50eee092518cfb477702feed3e0e.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k copy Modes Modes.cmd & Modes.cmd & exit

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa.exe opssvc.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 416420

C:\Windows\SysWOW64\findstr.exe

findstr /V "VolumeBroughtDairyVehicle" Customs

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Barbara + Graphics + Frog + Iron 416420\D

C:\Users\Admin\AppData\Local\Temp\416420\Subsequent.pif

416420\Subsequent.pif 416420\D

C:\Windows\SysWOW64\timeout.exe

timeout 5

C:\Windows\SysWOW64\cmd.exe

cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CryptoSync360.url" & echo URL="C:\Users\Admin\AppData\Local\CryptoSync360 Solutions Inc\CryptoSync360.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CryptoSync360.url" & exit

Network


Files

The dropped files recorded for this detonation (Modes through Properly) are the same Temp files as in behavioral1, with identical hashes.

C:\Users\Admin\AppData\Local\Temp\Rank

MD5 19bca4629e1e6ca48f539f950d5d7674
SHA1 cdd2f09d9a7f932f034698df19162bf681804d4c
SHA256 19e895c36fe5138556db7e0c99033235178df64e2e63ecc4d2e5ea06b63c3710
SHA512 9b94c78268d120a6f075c6ee37aa3b11ac71731a98936d8c60d4af62886bbb88b9ece3e525d2ba53d527f07177b619f5ead9e568c54c5e3599ee87ce583041a6

C:\Users\Admin\AppData\Local\Temp\Bbc

MD5 b5f8920a7e6408f0ad518c41db0b6ce2
SHA1 a613aa8821bc33f27a3ce7d57f0abd96391c9163
SHA256 8e94da2bfcaff3b86e58443a14c38e5e11c71dda48222d6d95067a95923cd652
SHA512 c7435437c556f601dfded2c914e007db534df2c42116353580cf086dfc638a9b20408fb3b42e715bae724c0d8d5ba54375ab4bca65669b6d65b2edc2be7a038c

C:\Users\Admin\AppData\Local\Temp\Sociology

MD5 ec77a342ff97b2f0bbae6a298e599ab5
SHA1 b7ae7cbf6b2f60cad6c73b7955cff9cab52f5268
SHA256 12c836c2e166bde49a6aa650814e3be01b35cb3dd3a1d048c36be975b44b1272
SHA512 81fba701a09a0cff55dd6d5c190d11d559bdb2a01be3d1cb451cb7b274ac8446956da42f7179e5584a0f99c3005dd93c289aadd8eb53cecac292f4d0fa0f9678

C:\Users\Admin\AppData\Local\Temp\Employee

MD5 04bc240e7a1a117a3db49382b3825e1e
SHA1 3343eb18d33dac8304f197b54ffc4b7afb2b0105
SHA256 d0e4bfe75bcb07f872f4b1ac8436c91517578e2c84b78f6fb0622df55d961d99
SHA512 b0b3e97f327c2d2757b546cf68845621af85b64d50cd4358f98183ff5089d9cd9b86bec8f1a08a96cf68013d110238f0d463657e16fb5b9257a25d84f4941dd2

C:\Users\Admin\AppData\Local\Temp\Before

MD5 8dd91898a6f99cb23ac36731f701dcb0
SHA1 85bd3600b8398671d1bc2ef16e373e157da206d9
SHA256 4d9aca414aa66b351303fb23e95bb22ba65b728d56d7de2272c778901c4d39f6
SHA512 63449d6622c7a3d1d549b03a9d3fffd277e31ff62cb1cbf687cb7d12e1443ba0154079fc81ad25b197cf37da2bc6a9ece041e55389ec26fcf8ec019c9435f316

C:\Users\Admin\AppData\Local\Temp\Fits

MD5 2d20546995f3fa6c818e466f01f45a91
SHA1 1f2d7dd6e2335b24e982545cee60f80f4907d2b7
SHA256 7ea5761264c46345148d3f6ebfdabb8f2b876223907fe30b0ac7adae577b06cd
SHA512 f0fa91e6cac7e8dea07d0ff521f43c4a80f74ebaa2136b5653698b01b83e6d7478952dd563b6506f921b5d0f52c00304680dda6f92e5b8316bcbd26272ec39b3

C:\Users\Admin\AppData\Local\Temp\Olive

MD5 225d8001d5b10ae2d2dd2fad529262e5
SHA1 51ce0adf3cef9be80986e434880610d4de0aa64b
SHA256 a9f61c8f3cb2e6203aeb5b8a3c4479b02567241f97cd8c045a84697b6befa481
SHA512 c35c3731472c149553c49bc471fccb06696afca380489749a709cd4bf4a8c828b727877efe85dd53d4d96d130b14c5e46939775c796feb5143b1976c5b09b9c2

C:\Users\Admin\AppData\Local\Temp\Fda

MD5 dd44ab578a99db6f5a7946c6c210bdce
SHA1 5f9370a5a196468c8c02e1cbe4bb4a8ccad2e247
SHA256 4c5bf631e9ee85bbd7ce6a8c63f775eac8253e1a6e592c7bb242803e4220494a
SHA512 1998392f5f85e691deed726705804f220c7188c95f346d4e08b21459f5cfc04595dd183da9421c7853a3ffb5e2245a86eed71eba93b879532476a25d6ee69bcd

C:\Users\Admin\AppData\Local\Temp\Needle

MD5 9e0a8e0c9d6ae85c0ab43aa1e67d4c8d
SHA1 5495a9b00a3c7e0e741a47225426e1e3250346f5
SHA256 c0a7ba97cd3283783db64b2f34766062a5400142872fe1082ed8e37298ecb3c5
SHA512 b49ce91f94664cb3a1d687623d716cbdb57aeb7277195aa4726f7e4b4a7e901c9507d19b67eb6aee360507461dcc5c79d5cbd8afae749cf8a09ff52f8936a0e9

C:\Users\Admin\AppData\Local\Temp\Momentum

MD5 2a29d8e9dfc9d83cf70a1f04077e0b36
SHA1 c49cc92751539db30f16661ebb420c94ae427bac
SHA256 7049b81d3b7b70d7f9d5b2459a7d5a6cd6c06963b076ce694bc7d24e65c2557c
SHA512 57f428cd171f2be35283916c084e06a36d0f0221354b81d49df75ff112b96cc28156f2143a68149768a506d8990b94f38a79cc29c3c44853ec99db049e65b334

C:\Users\Admin\AppData\Local\Temp\Arena

MD5 c1a7cb47fb484e7454bdb3f2c4fed27e
SHA1 9aeb335fd23bad0f7472a23cc215dba0b2f4711c
SHA256 244961c83e22b0828ef7b083917985ec01193efe0b3b0238791967cc1f16de20
SHA512 114261ccea17cddd232b8deca96e901dc669fe01d042551da4b33e1f748efa8d573d6b48be5f64590ae5ae338e4fa0893de2dba3136b53464b8bb17438b15c88

C:\Users\Admin\AppData\Local\Temp\Belt

MD5 c7f41b04c2ec473409962d016ea7ed36
SHA1 6a13a8cc8882a93506c1bc247c8c5de5fa51410e
SHA256 1014dd70d6db6ccab8aba83b77eb0c03ea2be026b5d58a9f65265c10f9782f1a
SHA512 627e7215c2c4b79f1152b02ddfd0313316d4f748633e364a2c5da7ecf9bda051ad0be3947d263ebbd97dd52eeee221fd8171f22b19a039a8a07d732e1f3969e6

C:\Users\Admin\AppData\Local\Temp\Places

MD5 c3db33937395caba927f3c627cec3d28
SHA1 2605a0a160c89561fd295200e1a66399da449fc4
SHA256 bd32dd62bafc6bf65ba4c9bc34b6c45ef88afa671d382b7858d5737d4e9c255e
SHA512 df9529142ec4debe79f3917ce0072aff8234ac9fe93dba078229cd818da7bdfc59094210e0d7e61d0a051e17f923d537b775d1998df13558f25cfef663b140bc

C:\Users\Admin\AppData\Local\Temp\Into

MD5 2eb686b17306b9f1ae05c17622e8ec6f
SHA1 4ab2be215726f298afe28c0acd9db861a8076e03
SHA256 e15f2c1035a51d7c8d8c820fe3cecc5b4fd83e9946eecdf8d1453a86ff759e73
SHA512 f8d27c18494e41252943d69da8a0ab9c15d45141d2bffc5e678c34feea47593c82f97d8f6f991a9bc16631d82db6f8dbb59ef187a35893a7b48576c4da5b67ec

C:\Users\Admin\AppData\Local\Temp\Barbara

MD5 2232a763d3492eacd4f49c56640b1467
SHA1 4470de0b1d31c6cb0927fad29d8786b8c2e20df3
SHA256 e5eb7d8e9cb16dd39a6a360ba82dc39d206563b1ba996dd0108e16bf31187cfd
SHA512 b898e311bc8be5a29b9f4a411b6edcb767d62b114dcf651341d2689a05a1cd5b2e32d6d05d62bc81ea8636063ee0f7b342050bd6e4c2a9af8d265b10e8ed4523

C:\Users\Admin\AppData\Local\Temp\Graphics

MD5 d1c125fe57c438d3080b89f206aea3eb
SHA1 c7d2956c9289282b9fa1892fba0b8d46fe9d390f
SHA256 e3d4a8ad5b3fa2f88799428ed6128954eef6503ff47ec9766ec997edac16370e
SHA512 b5ba512f9f96f876815459ae7dba34f3d3d1b682d61abde27e01b484df8b8471a2a1ea3bf27f6b395a2997af55403fd7c98570f37a24f060d2ce2120c993241f

C:\Users\Admin\AppData\Local\Temp\Frog

MD5 19073a4070f210bdb0b066b74879417f
SHA1 82af55dc6ba3dbdaa40e976f534a55b52a87a67c
SHA256 eda4c37f21565a6a1893997428f5c0e27c87c20c96a3a8391ffe1a62fb76cf64
SHA512 53786dc460a200b951afb3b1ce27f02a53376a12d0c181f0f80d359864372001d9cdc79e2c8e92536a3a9a1590f2847ba6912a4540425b4a1984be1b4eed7c67

C:\Users\Admin\AppData\Local\Temp\Iron

MD5 93bb091756f86ad0409df87d2a11272f
SHA1 0f497d21188e97b2790e069e6d227bb58c89aeb6
SHA256 b1e51319ba0ba4fac78fa8e34ee7b46d14fc5ed835f56f95a33b680990cd6ab7
SHA512 0442629d92bceba498e0e1c299668c68502e968df20851f5581d746bc83eecf512bb2ac3b7e761a2c5769ac5e920f298e1925766013dc47149c64cde6fbaa7ff

C:\Users\Admin\AppData\Local\Temp\416420\Subsequent.pif

MD5 b06e67f9767e5023892d9698703ad098
SHA1 acc07666f4c1d4461d3e1c263cf6a194a8dd1544
SHA256 8498900e57a490404e7ec4d8159bee29aed5852ae88bd484141780eaadb727bb
SHA512 7972c78acebdd86c57d879c12cb407120155a24a52fda23ddb7d9e181dd59dac1eb74f327817adbc364d37c8dc704f8236f3539b4d3ee5a022814924a1616943

C:\Users\Admin\AppData\Local\Temp\416420\D

MD5 68a1fb89f18093ff6667acfc35733314
SHA1 f0641a40ed407f6ed6d0175bfadb27578c58c729
SHA256 29d9ac205d428f81c33683093de57c4c60df882ab349fcd297605510b37a33ea
SHA512 2120917b48df98064a33ac118f536e5f08032de0bcee7d1158a1aeccbcaf0c11ca24b48a3858f85e55654c8f73cd69015ad70ac90311eac87ac646c269e30c19

memory/3736-507-0x0000000004A40000-0x0000000004A8F000-memory.dmp

memory/3736-508-0x0000000004A40000-0x0000000004A8F000-memory.dmp

memory/3736-509-0x0000000004A40000-0x0000000004A8F000-memory.dmp

memory/3736-510-0x0000000004A40000-0x0000000004A8F000-memory.dmp

memory/3736-511-0x0000000004A40000-0x0000000004A8F000-memory.dmp
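The Files listing above is the part of this report a responder will most often reuse: a sweep of endpoints for any of the dropped artifacts. The Python below is an added example, not part of the sandbox report or its tooling. It parses a listing in the format used above (a Windows path on its own line, then MD5/SHA1/SHA256/SHA512 lines; memory/... dump entries carry no hashes and are skipped), checks that every digest has the length its algorithm requires so a mis-copied hash cannot silently never match, builds a hash index, and walks a directory hashing files against it. The embedded sample text is copied from the Subsequent.pif and D entries above; the script name and the directory it is pointed at are the reader's choice.

```python
"""Turn the dropped-file listing of a sandbox report into a hash index and
sweep a directory for files that match it.

Added example, not part of the report. The listing format assumed here is the
one used above: a Windows path on its own line, followed by MD5/SHA1/SHA256/
SHA512 lines; 'memory/...' dump entries carry no hashes and are skipped.
"""
import hashlib
import os
import re
from dataclasses import dataclass, field

# Expected hex length of each digest; a wrong length means a truncated or
# mis-copied hash, which would silently never match during a sweep.
HASH_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
_HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
_PATH_LINE = re.compile(r"^[A-Za-z]:\\")

# Two entries copied from the Files list above (Subsequent.pif and D), plus one
# memory-dump line to show that it is ignored.
SAMPLE_FILES_SECTION = r"""
C:\Users\Admin\AppData\Local\Temp\416420\Subsequent.pif

MD5 b06e67f9767e5023892d9698703ad098
SHA1 acc07666f4c1d4461d3e1c263cf6a194a8dd1544
SHA256 8498900e57a490404e7ec4d8159bee29aed5852ae88bd484141780eaadb727bb
SHA512 7972c78acebdd86c57d879c12cb407120155a24a52fda23ddb7d9e181dd59dac1eb74f327817adbc364d37c8dc704f8236f3539b4d3ee5a022814924a1616943

C:\Users\Admin\AppData\Local\Temp\416420\D

MD5 68a1fb89f18093ff6667acfc35733314
SHA1 f0641a40ed407f6ed6d0175bfadb27578c58c729
SHA256 29d9ac205d428f81c33683093de57c4c60df882ab349fcd297605510b37a33ea
SHA512 2120917b48df98064a33ac118f536e5f08032de0bcee7d1158a1aeccbcaf0c11ca24b48a3858f85e55654c8f73cd69015ad70ac90311eac87ac646c269e30c19

memory/3736-507-0x0000000004A40000-0x0000000004A8F000-memory.dmp
"""


@dataclass
class FileIoc:
    path: str                                    # path as seen in the sandbox
    hashes: dict = field(default_factory=dict)   # algo -> lowercase hex digest


def parse_files_section(text):
    """Parse the listing into FileIoc records, rejecting malformed digests."""
    iocs, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if _PATH_LINE.match(line):
            current = FileIoc(path=line)
            iocs.append(current)
            continue
        m = _HASH_LINE.match(line)
        if m and current is not None:
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != HASH_LENGTHS[algo]:
                raise ValueError(
                    f"{current.path}: {algo} has {len(digest)} hex chars, "
                    f"expected {HASH_LENGTHS[algo]}")
            current.hashes[algo] = digest
        # anything else (headings, memory/... dump names) is not an IOC line
    return iocs


def build_index(iocs):
    """Map (algo, digest) -> FileIoc so a lookup costs one dict probe."""
    return {(a, d): ioc for ioc in iocs for a, d in ioc.hashes.items()}


def hashes_of(data):
    """Compute the same four digests the report lists, for one file's bytes."""
    return {algo: getattr(hashlib, algo.lower())(data).hexdigest()
            for algo in HASH_LENGTHS}


def match(index, data, algo="SHA256"):
    """Return the FileIoc whose digest equals that of `data`, or None.

    SHA256 is the default because MD5 and SHA1 are collision-prone; use them
    only as a second opinion on a file that already hit on SHA256.
    """
    return index.get((algo, hashes_of(data)[algo]))


def sweep(root, index):
    """Hash every regular file under `root`; return (local path, sandbox path)
    for each one that matches the index."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            try:
                with open(full, "rb") as fh:
                    data = fh.read()
            except OSError:      # locked, vanished or unreadable: skip it
                continue
            hit = match(index, data)
            if hit is not None:
                hits.append((full, hit.path))
    return hits


if __name__ == "__main__":
    import sys
    # Usage: python sweep_iocs.py <report_files_section.txt> <directory>
    with open(sys.argv[1], encoding="utf-8") as fh:
        index = build_index(parse_files_section(fh.read()))
    for local, sandbox_path in sweep(sys.argv[2], index):
        print(f"{local}  <-  {sandbox_path}")
```

Feed it the whole Files section saved to a text file and point it at a user's %LOCALAPPDATA%\Temp (or a mounted disk image); a hit prints the local path beside the path the sandbox recorded, which is enough to tie a host to this detonation. Matching defaults to SHA256 on purpose: a lone MD5 or SHA1 hit is weak evidence and the report lists all four so that the stronger digest is always available.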