Analysis Overview
SHA256
b1712b39fe796ae8ed77041201135aa5c71a50eee092518cfb477702feed3e0e
Threat Level: Known bad
The file b1712b39fe796ae8ed77041201135aa5c71a50eee092518cfb477702feed3e0e was found to be: Known bad.
Malicious Activity Summary
Lumma Stealer
Suspicious use of NtCreateUserProcessOtherParentProcess
Drops startup file
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Delays execution with timeout.exe
Enumerates processes with tasklist
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-11 01:55
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-11 01:55
Reported
2024-07-11 01:56
Platform
win7-20240704-en
Max time kernel
21s
Max time network
16s
Command Line
Signatures
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1996 created 1208 | N/A | C:\Users\Admin\AppData\Local\Temp\416420\Subsequent.pif | C:\Windows\Explorer.EXE |
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CryptoSync360.url | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CryptoSync360.url | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\416420\Subsequent.pif | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Enumerates physical storage devices
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\416420\Subsequent.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\416420\Subsequent.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\416420\Subsequent.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\416420\Subsequent.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\416420\Subsequent.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\416420\Subsequent.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\416420\Subsequent.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\416420\Subsequent.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\416420\Subsequent.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\416420\Subsequent.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\416420\Subsequent.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\416420\Subsequent.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\416420\Subsequent.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\416420\Subsequent.pif | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\416420\Subsequent.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\416420\Subsequent.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\416420\Subsequent.pif | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\416420\Subsequent.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\416420\Subsequent.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\416420\Subsequent.pif | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\b1712b39fe796ae8ed77041201135aa5c71a50eee092518cfb477702feed3e0e.exe
"C:\Users\Admin\AppData\Local\Temp\b1712b39fe796ae8ed77041201135aa5c71a50eee092518cfb477702feed3e0e.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k copy Modes Modes.cmd & Modes.cmd & exit
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c md 416420
C:\Windows\SysWOW64\findstr.exe
findstr /V "VolumeBroughtDairyVehicle" Customs
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Barbara + Graphics + Frog + Iron 416420\D
C:\Users\Admin\AppData\Local\Temp\416420\Subsequent.pif
416420\Subsequent.pif 416420\D
C:\Windows\SysWOW64\timeout.exe
timeout 5
C:\Windows\SysWOW64\cmd.exe
cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CryptoSync360.url" & echo URL="C:\Users\Admin\AppData\Local\CryptoSync360 Solutions Inc\CryptoSync360.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CryptoSync360.url" & exit
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | hVcjGMjSjYYwEFEYBAbsQSqWJ.hVcjGMjSjYYwEFEYBAbsQSqWJ | udp |
Files
C:\Users\Admin\AppData\Local\Temp\Modes
C:\Users\Admin\AppData\Local\Temp\Customs
C:\Users\Admin\AppData\Local\Temp\Tears
C:\Users\Admin\AppData\Local\Temp\Emissions
C:\Users\Admin\AppData\Local\Temp\Theater
C:\Users\Admin\AppData\Local\Temp\Collections
C:\Users\Admin\AppData\Local\Temp\Una
C:\Users\Admin\AppData\Local\Temp\Properly
C:\Users\Admin\AppData\Local\Temp\Ntsc
C:\Users\Admin\AppData\Local\Temp\Jane
C:\Users\Admin\AppData\Local\Temp\Cedar
C:\Users\Admin\AppData\Local\Temp\Before
C:\Users\Admin\AppData\Local\Temp\Rank
C:\Users\Admin\AppData\Local\Temp\Employee
C:\Users\Admin\AppData\Local\Temp\Sociology
C:\Users\Admin\AppData\Local\Temp\Bbc
C:\Users\Admin\AppData\Local\Temp\Olive
C:\Users\Admin\AppData\Local\Temp\Fda
C:\Users\Admin\AppData\Local\Temp\Fits
C:\Users\Admin\AppData\Local\Temp\Needle
C:\Users\Admin\AppData\Local\Temp\Momentum
C:\Users\Admin\AppData\Local\Temp\Arena
C:\Users\Admin\AppData\Local\Temp\Belt
C:\Users\Admin\AppData\Local\Temp\Into
C:\Users\Admin\AppData\Local\Temp\Places
C:\Users\Admin\AppData\Local\Temp\Barbara
C:\Users\Admin\AppData\Local\Temp\Graphics
C:\Users\Admin\AppData\Local\Temp\Frog
C:\Users\Admin\AppData\Local\Temp\Iron
C:\Users\Admin\AppData\Local\Temp\416420\Subsequent.pif
C:\Users\Admin\AppData\Local\Temp\416420\D
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-11 01:55
Reported
2024-07-11 01:56
Platform
win10v2004-20240709-en
Max time kernel
35s
Max time network
40s
Command Line
Signatures
Lumma Stealer
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3736 created 3576 | N/A | C:\Users\Admin\AppData\Local\Temp\416420\Subsequent.pif | C:\Windows\Explorer.EXE |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\b1712b39fe796ae8ed77041201135aa5c71a50eee092518cfb477702feed3e0e.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CryptoSync360.url | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CryptoSync360.url | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\416420\Subsequent.pif | N/A |
Enumerates physical storage devices
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\416420\Subsequent.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\416420\Subsequent.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\416420\Subsequent.pif | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\416420\Subsequent.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\416420\Subsequent.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\416420\Subsequent.pif | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\b1712b39fe796ae8ed77041201135aa5c71a50eee092518cfb477702feed3e0e.exe
"C:\Users\Admin\AppData\Local\Temp\b1712b39fe796ae8ed77041201135aa5c71a50eee092518cfb477702feed3e0e.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k copy Modes Modes.cmd & Modes.cmd & exit
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c md 416420
C:\Windows\SysWOW64\findstr.exe
findstr /V "VolumeBroughtDairyVehicle" Customs
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Barbara + Graphics + Frog + Iron 416420\D
C:\Users\Admin\AppData\Local\Temp\416420\Subsequent.pif
416420\Subsequent.pif 416420\D
C:\Windows\SysWOW64\timeout.exe
timeout 5
C:\Windows\SysWOW64\cmd.exe
cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CryptoSync360.url" & echo URL="C:\Users\Admin\AppData\Local\CryptoSync360 Solutions Inc\CryptoSync360.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CryptoSync360.url" & exit
Network
Files
C:\Users\Admin\AppData\Local\Temp\Modes
C:\Users\Admin\AppData\Local\Temp\Customs
C:\Users\Admin\AppData\Local\Temp\Tears
C:\Users\Admin\AppData\Local\Temp\Emissions
C:\Users\Admin\AppData\Local\Temp\Theater
C:\Users\Admin\AppData\Local\Temp\Collections
C:\Users\Admin\AppData\Local\Temp\Una
C:\Users\Admin\AppData\Local\Temp\Ntsc
C:\Users\Admin\AppData\Local\Temp\Jane
C:\Users\Admin\AppData\Local\Temp\Cedar
C:\Users\Admin\AppData\Local\Temp\Properly
C:\Users\Admin\AppData\Local\Temp\Rank
C:\Users\Admin\AppData\Local\Temp\Bbc
C:\Users\Admin\AppData\Local\Temp\Sociology
C:\Users\Admin\AppData\Local\Temp\Employee
C:\Users\Admin\AppData\Local\Temp\Before
C:\Users\Admin\AppData\Local\Temp\Fits
C:\Users\Admin\AppData\Local\Temp\Olive
C:\Users\Admin\AppData\Local\Temp\Fda
C:\Users\Admin\AppData\Local\Temp\Needle
C:\Users\Admin\AppData\Local\Temp\Momentum
C:\Users\Admin\AppData\Local\Temp\Arena
C:\Users\Admin\AppData\Local\Temp\Belt
C:\Users\Admin\AppData\Local\Temp\Places
C:\Users\Admin\AppData\Local\Temp\Into
C:\Users\Admin\AppData\Local\Temp\Barbara
C:\Users\Admin\AppData\Local\Temp\Graphics
C:\Users\Admin\AppData\Local\Temp\Frog
C:\Users\Admin\AppData\Local\Temp\Iron
C:\Users\Admin\AppData\Local\Temp\416420\Subsequent.pif
C:\Users\Admin\AppData\Local\Temp\416420\D