Malware Analysis Report

2024-11-30 05:28

Sample ID: 240711-ce4e2asfqr
Target: 123ea084efadcb985bbcebfe0613c0785db3012d16b9765a8a6c3bcebfa3cc2e
SHA256: 123ea084efadcb985bbcebfe0613c0785db3012d16b9765a8a6c3bcebfa3cc2e
Tags: lumma, stealer
Score: 10/10


Analysis Overview

Score: 10/10
SHA256: 123ea084efadcb985bbcebfe0613c0785db3012d16b9765a8a6c3bcebfa3cc2e
Threat level: Known bad

Malicious Activity Summary

Tags: lumma, stealer

Suspicious use of NtCreateUserProcessOtherParentProcess

Lumma Stealer

Executes dropped EXE

Drops startup file

Loads dropped DLL

Checks computer location settings

Enumerates physical storage devices

Suspicious use of SendNotifyMessage

Delays execution with timeout.exe

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Enumerates processes with tasklist

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-11 02:00

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-11 02:00

Reported

2024-07-11 02:02

Platform

win7-20240708-en

Max time kernel

28s

Max time network

18s

Command Line

C:\Windows\Explorer.EXE

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess

Description | Indicator | Process | Target
PID 2208 created 1240 | N/A | C:\Users\Admin\AppData\Local\Temp\651629\Foundations.pif | C:\Windows\Explorer.EXE

Drops startup file

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PeacockSync.url | C:\Windows\SysWOW64\cmd.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PeacockSync.url | C:\Windows\SysWOW64\cmd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\651629\Foundations.pif | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Enumerates physical storage devices

Delays execution with timeout.exe

Tags: evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A

Enumerates processes with tasklist

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2356 wrote to memory of 1888 (4 writes) | N/A | C:\Users\Admin\AppData\Local\Temp\123ea084efadcb985bbcebfe0613c0785db3012d16b9765a8a6c3bcebfa3cc2e.exe | C:\Windows\SysWOW64\cmd.exe
PID 1888 wrote to memory of 2920 (4 writes) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe
PID 1888 wrote to memory of 2912 (4 writes) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 1888 wrote to memory of 576 (4 writes) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe
PID 1888 wrote to memory of 2080 (4 writes) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 1888 wrote to memory of 580 (4 writes) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 1888 wrote to memory of 2032 (4 writes) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 1888 wrote to memory of 1088 (4 writes) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 1888 wrote to memory of 2208 (4 writes) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\651629\Foundations.pif
PID 1888 wrote to memory of 2484 (4 writes) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 2208 wrote to memory of 3008 (4 writes) | N/A | C:\Users\Admin\AppData\Local\Temp\651629\Foundations.pif | C:\Windows\SysWOW64\cmd.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\123ea084efadcb985bbcebfe0613c0785db3012d16b9765a8a6c3bcebfa3cc2e.exe

"C:\Users\Admin\AppData\Local\Temp\123ea084efadcb985bbcebfe0613c0785db3012d16b9765a8a6c3bcebfa3cc2e.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k copy Tgp Tgp.cmd & Tgp.cmd & exit

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa.exe opssvc.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 651629

C:\Windows\SysWOW64\findstr.exe

findstr /V "RossLighterInclCookie" Suitable

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Horses + Difficulties + Adventure 651629\U

C:\Users\Admin\AppData\Local\Temp\651629\Foundations.pif

651629\Foundations.pif 651629\U

C:\Windows\SysWOW64\timeout.exe

timeout 5

C:\Windows\SysWOW64\cmd.exe

cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PeacockSync.url" & echo URL="C:\Users\Admin\AppData\Local\ColorSync Dynamics\PeacockSync.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PeacockSync.url" & exit
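The command lines above are the whole dropper logic, read top to bottom: the sample starts cmd.exe with /k copy Tgp Tgp.cmd & Tgp.cmd & exit (the extension-less dropped file Tgp is copied to a .cmd and run); the batch pipes tasklist through findstr /I twice to look for security-product process names; it creates the 651629 directory; it runs findstr /V "RossLighterInclCookie" Suitable, which emits every line of Suitable that does not contain the marker (the redirection target is not part of the logged command line; since Foundations.pif appears in 651629 right afterwards, the example below assumes that is where the output goes); it glues three dropped fragments together with copy /b Horses + Difficulties + Adventure 651629\U; it runs 651629\Foundations.pif with 651629\U as its argument; it sleeps with timeout 5; and it finally writes an InternetShortcut file into the Startup folder pointing at PeacockSync.js under "ColorSync Dynamics", a file that does not appear in this run's Files table. The Python below is an added example, not code from the sample or the sandbox: it re-creates the three file operations offline so that an analyst who has the dropped fragments can rebuild U and the loader and check them against the Files table hashes. The fragment contents, the fake tasklist listing and the marker-line layout of Suitable are constructed stand-ins; only the hashes and the findstr word lists come from the report.

```python
"""Offline re-creation of the file operations in Tgp.cmd, so an analyst can
rebuild the staged payload from the dropped fragments and hash it against the
report's Files table. Added example for this report, not code from the sample
or the sandbox. The real fragments are not on the page, so all inputs below are
constructed stand-ins; only REPORTED_SHA256 and the findstr word lists come
from the report."""
import hashlib

# SHA-256 values from the report's Files table (behavioral1).
REPORTED_SHA256 = {
    "651629\\U": "e3e483e51bec0b0f938532a0b1fc6971ce822e477fd86a40fcf64a4dbe60a938",
    "651629\\Foundations.pif": "8498900e57a490404e7ec4d8159bee29aed5852ae88bd484141780eaadb727bb",
}
# Process names the batch greps for in `tasklist` output (two separate checks).
AV_CHECK_1 = ["wrsa.exe", "opssvc.exe"]
AV_CHECK_2 = ["avastui.exe", "avgui.exe", "bdservicehost.exe", "nswscsvc.exe", "sophoshealth.exe"]
MARKER = b"RossLighterInclCookie"


def findstr_i(lines, needles):
    """`tasklist | findstr /I "a b c"`: keep lines containing any needle, case-insensitive."""
    low = [n.lower() for n in needles]
    return [ln for ln in lines if any(n in ln.lower() for n in low)]


def findstr_v(data: bytes, marker: bytes) -> bytes:
    """`findstr /V "marker" file`: emit only the lines that do NOT contain marker.
    findstr is line-oriented even on binary input, so junk lines carrying the
    marker can be interleaved with an executable and stripped out at run time.
    Approximation: splits on LF/CRLF and keeps each surviving line's terminator."""
    return b"".join(ln for ln in data.splitlines(keepends=True) if marker not in ln)


def copy_b(*parts: bytes) -> bytes:
    """`copy /b A + B + C out`: raw byte concatenation in argument order."""
    return b"".join(parts)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def matches_report(name: str, data: bytes) -> bool:
    """True only if the rebuilt file hashes to the value the sandbox reported."""
    return sha256_hex(data) == REPORTED_SHA256[name]


# Constructed stand-ins (NOT the real dropped files): a fake "Suitable" with two
# marker lines interleaved with binary-looking lines, three fake fragments and a
# fake tasklist listing.
SUITABLE = (b"MZ\x90\x00\x03\x00\x00\x00\n"
            b"RossLighterInclCookie junk line 1\n"
            b"\x04\x00\x00\x00\xff\xff\x00\x00\n"
            b"RossLighterInclCookie junk line 2\n")
HORSES, DIFFICULTIES, ADVENTURE = b"part-A|", b"part-B|", b"part-C"
TASKLIST_OUTPUT = ["Image Name      PID", "explorer.exe   1240", "AvastUI.exe    3001"]

if __name__ == "__main__":
    print("AV check 1 hits:", findstr_i(TASKLIST_OUTPUT, AV_CHECK_1))
    print("AV check 2 hits:", findstr_i(TASKLIST_OUTPUT, AV_CHECK_2))
    loader = findstr_v(SUITABLE, MARKER)               # assumed to become 651629\Foundations.pif
    payload = copy_b(HORSES, DIFFICULTIES, ADVENTURE)  # becomes 651629\U
    print("loader bytes:", loader)
    print("U sha256:", sha256_hex(payload),
          "matches report:", matches_report("651629\\U", payload))
```

With the real dropped files substituted for the stand-ins, matches_report returning True confirms the reassembly is byte-exact and the rebuilt U can be handed to static analysis; findstr_i shows which of the two checks would have fired on a given host's process list, which is the same observation the dropper makes before deciding to continue.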

Network

Country Destination Domain Proto
US 8.8.8.8:53 WdmsqZPefqHAfesRQ.WdmsqZPefqHAfesRQ udp

Files

C:\Users\Admin\AppData\Local\Temp\Tgp

MD5 04c3e1fe509b289d0954988a11c5945d
SHA1 4540b87534167185f3d96071f42c1d044e010fa3
SHA256 a6dd96ab306afc8e9fbca6147290eee8caccbe69b120e695cdbad04cec19c889
SHA512 9f4582c580c9b8d27188f4ac5a0887b358b311dd4dde3bdd1d3b66cb47afba62188df7f26373d01c4bb85765d5c26d1576e13f298f862d41892f5ae9398d23af

C:\Users\Admin\AppData\Local\Temp\Suitable

MD5 96eff773b3f6110a9c8625fb18d2cc1b
SHA1 aab16460911e16e8398ae7a279522f4a120b7750
SHA256 3d24288b2b98bdfd94cd24efc6c2b3b2c09194a243904b72236eca0c6c31010e
SHA512 24d31136bf7c3a89c734772fb71ef4f65ec8b2ff0d9ea04136cf76409ccc377f3092e7586ae39379b173a028118f6f41419b65fe2a4a3f97f5d1125681938aa5

C:\Users\Admin\AppData\Local\Temp\Hotmail

MD5 cd7e67082ef7590c4bc0328b5637d232
SHA1 f27eeaa31097cebddfc7d609904b93f4c903054e
SHA256 976bbb03d98c3afbd416bb8f6ff22e2b300c2d01a79c7cd0d3fda55064ca4762
SHA512 c3dde88a2f24d473c20a5c9df4dc53d6f06561535ed92d404ee0966e5a17b0213b1742a6dee9c22c5c4a59849955e6784f10711351837d9f2c30d28fd3acaa96

C:\Users\Admin\AppData\Local\Temp\Grace

MD5 eb634d2be4dedb7a70ff45d1c3e20357
SHA1 79f42f200da78a0912b545780cc18314bef43a42
SHA256 e163108df2a86f45fd9a5108d85c211a2868ccbf603cd64a852b17791240dfcb
SHA512 d988075cd84ff4649622b00e1cf86d6a666c1320ce0481e62e134ff9996bd1f6ce1d8391a50bb8a97f3cd97cb3a448ea79d78ba75e761524e02d0878f3381625

C:\Users\Admin\AppData\Local\Temp\Vitamin

MD5 1bfe3556cf9ebcb5629c6a1b7ef22d1b
SHA1 0f588767539c25e7d29dc0416fbdb65ea2e2f22f
SHA256 d94995cf898f26fa196588ab1abec90a0b3ec83c83684aa8d93753201e9a753b
SHA512 8ba73c19a8adeb82681a5766e5c6a7813b9185168de8d3dae28e167115ef31e16d37f83e1717862f52ab47ff3845123c871a50d9bde1ff4cd33878f1c425264e

C:\Users\Admin\AppData\Local\Temp\Rs

MD5 9ef2eecccce8204fc7b37804592d624e
SHA1 ab4b49e0722c2392bef36891f2bb7a927979c4bc
SHA256 7eea47d4fdc62aa3807047bb89f4d29f8d40a0380331e9f2ed79529a21588939
SHA512 f2f8064575dbbcb6a268e27eb540a3847fe59ea2484726a460197802e906664b0dc2db94c22d0d56ada71df2e045bd368d641d27e6caf5289de60ac6cb5efe9e

C:\Users\Admin\AppData\Local\Temp\Cakes

MD5 d3f3e097a88f9d03330992737d9326f6
SHA1 c5b791183ead1e226f1c76beb05a15f9405e5595
SHA256 c7acc1bab794003162ed042c9f8feab0a4d9e65f6f9d67cc057327459630defa
SHA512 7c7c20ddd7c388067f8af3eb5fd3faa32246111516835f580ee02126c45749b3cfb468668007ad3e6d3d4c7f12691af8c4286cd688484332ed9b7e0120f7fccb

C:\Users\Admin\AppData\Local\Temp\Mathematics

MD5 3a846de9e24b0c20a1a8d6f868b7f8fc
SHA1 145bde661b617986cbf951b0d7ff479b279a5668
SHA256 51940f1b9f60f40fade1ac5e47c5a5b9275386c323727b89177eb52a9f68886d
SHA512 eda72151185ca3b7060c7cf93c03dffb16bb76de11c105da34148f07c37643f6196bed76e1edac7e8da892c7b9d7eb7d39298536f226615e3e22e31cec9adfc0

C:\Users\Admin\AppData\Local\Temp\Brief

MD5 c99e427b33f232ede1c3e043d8d9c018
SHA1 43cbd5ba270051d007825e754d9d80d1161ae61c
SHA256 f626cff54e9f917fb0a8f55c2b8af27cf1afc4697a0db37e468b2a76af0ec252
SHA512 4975489bdf9782118724b04425eb659b47834d30e2a91c80808bd89dd0f244eed776d1a583a98e81d77b68fe2a3886477d82647561fbc9d00e3a121d9c8aecab

C:\Users\Admin\AppData\Local\Temp\Yemen

MD5 de50ecbbe54b03cdc2fbceebc3d52a5f
SHA1 51c46b71241d92a0dc574b7695712aae4c4dca7c
SHA256 c8139cf08b7dc1b445281a222c5887abacecda7b61b0f8d4d0a93a0b01e4f79f
SHA512 c209961f832f0588db690cec8d02d10e2356037fe6fae743f34dd0092222bf661890982dbf1dbd993179b74b286a7f10df855039eb51d9996cc1bd259b88a805

C:\Users\Admin\AppData\Local\Temp\Gothic

MD5 a16566e806dbb4fbea12c967d1752c21
SHA1 348e8c601a175372cfefa819ae8308e0a7bab4c2
SHA256 59c6ee39413859f2140af7df317a40a493ec47287f7008b04c1ff0f05cc98b3c
SHA512 3cc379ec6e5273433c9bbce0af0dbd7c185a7978b1226cc2b7fe5209a562b60a519126c06d533c056e2f3433417bc26840829024ec0ea7b68c22dffad5faf3a3

C:\Users\Admin\AppData\Local\Temp\Origin

MD5 e91a7e74a06da01ef6a1e16054b9865c
SHA1 5f3de93704a868a93f85fac907c044e9d47e6a26
SHA256 7c429658cc1c50a7946589578c976c6f74c4be60f14ea31e426abbdd39655223
SHA512 992eb83618d282d4f82dac298969f31b7613bb1f95eafac0a9d6b67fe96e6a1d9fd822f58828ca15c6e6529d0e1b4fa88c03b3431b5e9b3b02a0df2212b84dcb

C:\Users\Admin\AppData\Local\Temp\Begun

MD5 25eb540c590829bfb603686af8a41648
SHA1 576f2ede2f703462dc5b6738fb4d7719766cdf56
SHA256 47d487a26e6a1eccbbd9fda052b6ec474135d9b3291b0246909abb78436c2a11
SHA512 8dfa86c9836b07cd72910efb5e30d4db81a0735cb5192fa6eb6d311f0e15fb12cb7e20e00db2a0b7a0c16671867c0db8a8e3e9d3ab6042f18e2aca601f933216

C:\Users\Admin\AppData\Local\Temp\Liabilities

MD5 3fb3e8e1584ff8e9ebdbff88e1edd791
SHA1 8d65f058a425a02f14f0ae4fcb51723bef2dc163
SHA256 e8177dfb2845d13ca8504899cb4a12a8de8fd5a09d4fc915e939c661827450a3
SHA512 c8607f449bee25934423e20473ba926caee0e342e892b53c8857027d4188e4c949a808ce50327d4f333527f98d28a96f6ed7329c208346bb9d2b1cdd1949467b

C:\Users\Admin\AppData\Local\Temp\Watson

MD5 cdd647870713be6aecae5cd60bce7743
SHA1 2149a9e77f24d4a0d923bb4b3bb67c45094eb043
SHA256 491baaf85c4219d38b8643c57fad7ef0cc9f0237097108417af492f0667c21f4
SHA512 ea900b24b51dc36b9d049e40ec8c6ff4f0000098fdfc08c3972ad4c3b79b534ebaae8f6f4a97d2c6ce99bdf351877163b2983e70ec8d5c4531e5c4144b8c8a74

C:\Users\Admin\AppData\Local\Temp\Bloggers

MD5 22da89159d0634b750d8211d8f8aa21a
SHA1 d53eacc23c217d9faa60c4033b1e2c3d2eacf033
SHA256 4846ae4c5e2e988220d27a698fe8a76751b5a33282e0b1a7b9639f56f1c90ccb
SHA512 0935c7aaed51b6c9b56138b6e413e8738851550dc984223ce4e224882f1e7f86219eb86f54f299f900852b4b4be36810e0117a0e56cd51d4907bdb3f6ca083f6

C:\Users\Admin\AppData\Local\Temp\Dispatch

MD5 73a19dbe924110db1e1f7d57ea91ebc3
SHA1 a6383e01b378e78a72abfa7cccfa40d0590ac53d
SHA256 5c86622831c41a0bb282acc35f1cdff0f462b52c4a9678367531b53c1bcdd1bf
SHA512 4a42e2b371dd2fe4b2d9545fb7870fafb7e84f94cd07d55a87e6fb43c1d0c5db714b232174915d6772cb68f2bc294d103b47470438201e15f49f2cf20bcbd3c9

C:\Users\Admin\AppData\Local\Temp\Characterization

MD5 9b5af47f431b946046ec996f7f4e999b
SHA1 5801430dff5a8459ce274db78e1057348cfe8416
SHA256 feb8d87c6462fe556d7d8ab4344be2da327f0a3c0e4a1a1f7de301ff4f757d77
SHA512 c2aaf211b0a12e2d9207d28dbba4d89ae2c36ed8637fa1ae1047b3a2ddf34864d3e3abaa1f6927139f5fb38678782512e65a7d982e6c7b4bfb21842afba12131

C:\Users\Admin\AppData\Local\Temp\Warrior

MD5 6caa2bd0c15d9f1ca3b910d1f8579c09
SHA1 3e9322c646486c9aef1a87b18c6b4aa599782cc8
SHA256 93bcb0f75cc3fccae11453a6478e13bb5ef229edbbba7f20da59a79ea9f1a387
SHA512 f6228a41efb547eea0d6d165278c7b0fa19bd57418a45fa2265db8fb21f330eb113237600b7ddb371002c590cb0d9575ddbe1d4c76ff093f28667d893c9b0b62

C:\Users\Admin\AppData\Local\Temp\Finger

MD5 070543f59d7cd07aa4b3fc4bc305d81c
SHA1 f1e9188ce0e913a5e89c1ba1a083d0a0aca457c4
SHA256 13e495412664969c3fd46708e917fd99ea54f8e34c4ba4837037b10e6a8b233a
SHA512 a657d60813d632599d83ee559ab18874201ac0f279c5f2e9632973181b866073d850897d1329b41f5b8c4bf4227003da6daf8f8153eaafc408540ab8aebaddeb

C:\Users\Admin\AppData\Local\Temp\Vista

MD5 5d09310a1d87f36ff9452d39a8172b9f
SHA1 9b846dd3802db88fb9d90510cca3a7743e07fe26
SHA256 e1c72cbe0d26e5b245e773f1ecd0da93030e481c533e045b4911590a1ff1dc42
SHA512 4871d16a91f4153a5016db43397a60dec41f8a3b1ebc278e0e1cf8ffaae6df7526b9db3f28f4e2500748d9dceea14339b84de91f4b71dd0fe62a98a134613b44

C:\Users\Admin\AppData\Local\Temp\Handled

MD5 be31546a5c8a2186b8a72bdeaf1d2d69
SHA1 492ab580d7011843658d3ae311a8b01bf298b05f
SHA256 c1d22f0f8bc7a4be420ccbfe9a3ae157e5d7d3f93f80a2c6cfacc3024336397c
SHA512 0f7d26fb98c8aa4cd34e52f5d7318b5907b6d3ac7c05677bb3431d532894d0387f4c7ce80bd66e1ea8eba85b70a8772722f09ce9885a806544a5e7f3d19575c4

C:\Users\Admin\AppData\Local\Temp\Validity

MD5 77e16a5c465e42f6ff0ec7cb6585844f
SHA1 8369b87a1f2996b8521c7ad1fa88c4cd8123fa1d
SHA256 86841ad0b10d407d06809916481518f2917391d922c9cdc41c689e0321e54ea0
SHA512 f99184cb38121ed1e3dba32995db8ea67aa9ddc649fce5070729ddba63d53592ba626be16b9209884c89265d2574b2e61ecb63eebad352621aa1232f59a22c4e

C:\Users\Admin\AppData\Local\Temp\Llp

MD5 e963867fefe95f7cc5470ab48555f4fc
SHA1 b187370521980857adae6a345912ecf35511f735
SHA256 cf99e743170f22eb422ba6f33a968ef9cc2ef15697620bbaa36564b869be5139
SHA512 36a43bc5e7d632fc8664147d233b990138de02efea7604f3d8c99bd0903ca0d53ab510289e3d18709c3cf51c32872254b0d3efb6b9ba502197e323b1501ec83c

C:\Users\Admin\AppData\Local\Temp\Per

MD5 4a8c72c956b05b2a162d7aada25ca35d
SHA1 f35f0d53bc18e9a2091d35f397e0cbe35527eb09
SHA256 005b5e3adeabbce126fc6d0d60735bc1f1493e4d9cf38ecd932a83c68f0e3b79
SHA512 1ab0b6dad8c6caed84a8a4af979ebe69adddb0c318d0d6c07800c7f584fe0ed58d85f490f7a97563c26b520d7c67018852a774b8a225c2673fd23f0b4d344f66

C:\Users\Admin\AppData\Local\Temp\Chairman

MD5 6a228f861d4f766294c98410e5017d4c
SHA1 f41fbdbd611443acedda18fa31aeffbc8e6457f9
SHA256 667cd5883d39a3e51d553b295458577580ac6a20da1e01e637edefcba80650d5
SHA512 ae9da3eb8c2c70d1b51c8ebb1cfa7068e8cf95ad0ec4157e2e5af5dda6e0f9a2f46e688f5db43775161abd1117ce4fd21695f8d5f825a6d7f3b6b70e8485ff35

C:\Users\Admin\AppData\Local\Temp\Russell

MD5 dca0639c684e9dff96b08571fa70b860
SHA1 45c6cfd4d62bf2bbc09a2f5839c7a1d8212a6296
SHA256 d9c121c8a5b3c3c3c34dc9204696e4edba766da41a0ebec32d2e28aa6e2cbdc4
SHA512 749a6ee9571e93062d5f10ce9027de5e8159f23f465756dcc3a487e5a0b4a6b422fa186f5d180d4c4e14c3d1a063eb7e3515a2e28229c4d3756a06f56ebf91ee

C:\Users\Admin\AppData\Local\Temp\Difficulties

MD5 a3fbddb5503c1bc2e961976de90d635c
SHA1 cd0b66f2c9969b438b452cef882881d09b1fd355
SHA256 ea66152f72412042ea380e8d63f83d921cf51eb7807a6730b7ebd11601b0ddab
SHA512 339aab2150338368cc2f42a87ca448049790bffe2c907dbd61d1be71c73a194692a5d5c724b56d9b21692208478059928eb8426e986bbb71e581e4977f997a77

C:\Users\Admin\AppData\Local\Temp\Horses

MD5 c54270e0880a99debbcf0f5d6a62768c
SHA1 5bd789ffe10003ec6ea9af0c0cb84b34ce27f6e8
SHA256 c58ac2e714ef30e563c132db53ef1f2cd7008b9139d360179b76b2b619ec7144
SHA512 1812a3f52680a83e38844882db6cd8fc00e63c1185390aa370daaf3ecc67ac7e4f86c02254714a45ab66421f3b42cfcc208235bb4a10e191f3a3ca20cc11132a

C:\Users\Admin\AppData\Local\Temp\Adventure

MD5 019ac46c0c005fd044118406763c4eaa
SHA1 84ec0e7a5a16469581f9d26e7b537945bff91b2e
SHA256 c0a5dd443fafbcf8df746adba9c4cc91ee8a7029615e50c34b7cd9752a39f894
SHA512 c893e0a8e01d9acee69d2ebfc16837431640445680f20627b5cc838f6c08d3402e93631d826e6625ab46d7bb471fde58a9c358ba73648b5e62c15316ee14279a

\Users\Admin\AppData\Local\Temp\651629\Foundations.pif

MD5 b06e67f9767e5023892d9698703ad098
SHA1 acc07666f4c1d4461d3e1c263cf6a194a8dd1544
SHA256 8498900e57a490404e7ec4d8159bee29aed5852ae88bd484141780eaadb727bb
SHA512 7972c78acebdd86c57d879c12cb407120155a24a52fda23ddb7d9e181dd59dac1eb74f327817adbc364d37c8dc704f8236f3539b4d3ee5a022814924a1616943

C:\Users\Admin\AppData\Local\Temp\651629\U

MD5 5c9860ed27775885917401f530af86f7
SHA1 a96f0e06fcfc7bab8b97ba69a9e03f3984039a2d
SHA256 e3e483e51bec0b0f938532a0b1fc6971ce822e477fd86a40fcf64a4dbe60a938
SHA512 c914d6412fffec508ed20d57013c477e3f549cac6f93fca38489f2e15f35f9bff870c1f050c8ef3ee72a4e1c6f10479bccae85a1d7f6f69f828e9a47ce71a172

memory/2208-313-0x0000000005FB0000-0x0000000006007000-memory.dmp

memory/2208-315-0x0000000005FB0000-0x0000000006007000-memory.dmp

memory/2208-317-0x0000000005FB0000-0x0000000006007000-memory.dmp

memory/2208-316-0x0000000005FB0000-0x0000000006007000-memory.dmp

memory/2208-314-0x0000000005FB0000-0x0000000006007000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-11 02:00

Reported

2024-07-11 02:02

Platform

win10v2004-20240709-en

Max time kernel

38s

Max time network

40s

Command Line

C:\Windows\Explorer.EXE

Signatures

Lumma Stealer

Tags: stealer, lumma

Suspicious use of NtCreateUserProcessOtherParentProcess

Description | Indicator | Process | Target
PID 2808 created 3444 | N/A | C:\Users\Admin\AppData\Local\Temp\651629\Foundations.pif | C:\Windows\Explorer.EXE

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\123ea084efadcb985bbcebfe0613c0785db3012d16b9765a8a6c3bcebfa3cc2e.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PeacockSync.url | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PeacockSync.url | C:\Windows\SysWOW64\cmd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\651629\Foundations.pif | N/A

Enumerates physical storage devices

Delays execution with timeout.exe

Tags: evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A

Enumerates processes with tasklist

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\651629\Foundations.pif | N/A (28 identical entries)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 864 wrote to memory of 1592 (3 writes) | N/A | C:\Users\Admin\AppData\Local\Temp\123ea084efadcb985bbcebfe0613c0785db3012d16b9765a8a6c3bcebfa3cc2e.exe | C:\Windows\SysWOW64\cmd.exe
PID 1592 wrote to memory of 2428 (3 writes) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe
PID 1592 wrote to memory of 4348 (3 writes) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 1592 wrote to memory of 3556 (3 writes) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe
PID 1592 wrote to memory of 3320 (3 writes) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 1592 wrote to memory of 3824 (3 writes) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 1592 wrote to memory of 3008 (3 writes) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 1592 wrote to memory of 4420 (3 writes) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 1592 wrote to memory of 2808 (3 writes) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\651629\Foundations.pif
PID 1592 wrote to memory of 3544 (3 writes) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 2808 wrote to memory of 1924 (3 writes) | N/A | C:\Users\Admin\AppData\Local\Temp\651629\Foundations.pif | C:\Windows\SysWOW64\cmd.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\123ea084efadcb985bbcebfe0613c0785db3012d16b9765a8a6c3bcebfa3cc2e.exe

"C:\Users\Admin\AppData\Local\Temp\123ea084efadcb985bbcebfe0613c0785db3012d16b9765a8a6c3bcebfa3cc2e.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k copy Tgp Tgp.cmd & Tgp.cmd & exit

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa.exe opssvc.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 651629

C:\Windows\SysWOW64\findstr.exe

findstr /V "RossLighterInclCookie" Suitable

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Horses + Difficulties + Adventure 651629\U

C:\Users\Admin\AppData\Local\Temp\651629\Foundations.pif

651629\Foundations.pif 651629\U

C:\Windows\SysWOW64\timeout.exe

timeout 5

C:\Windows\SysWOW64\cmd.exe

cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PeacockSync.url" & echo URL="C:\Users\Admin\AppData\Local\ColorSync Dynamics\PeacockSync.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PeacockSync.url" & exit

Network

Country Destination Domain Proto
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 WdmsqZPefqHAfesRQ.WdmsqZPefqHAfesRQ udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 203.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 penetratedpoopp.xyz udp
US 8.8.8.8:53 potterryisiw.shop udp
US 172.67.135.160:443 potterryisiw.shop tcp
US 8.8.8.8:53 foodypannyjsud.shop udp
US 172.67.164.248:443 foodypannyjsud.shop tcp
US 8.8.8.8:53 contintnetksows.shop udp
US 104.21.79.40:443 contintnetksows.shop tcp
US 8.8.8.8:53 swellfrrgwwos.xyz udp
US 8.8.8.8:53 ellaboratepwsz.xyz udp
US 8.8.8.8:53 towerxxuytwi.xyz udp
US 8.8.8.8:53 pedestriankodwu.xyz udp
US 8.8.8.8:53 steamcommunity.com udp
GB 2.22.99.85:443 steamcommunity.com tcp
US 8.8.8.8:53 160.135.67.172.in-addr.arpa udp
US 8.8.8.8:53 248.164.67.172.in-addr.arpa udp
US 8.8.8.8:53 40.79.21.104.in-addr.arpa udp
US 8.8.8.8:53 reinforcedirectorywd.shop udp
US 172.67.214.98:443 reinforcedirectorywd.shop tcp
US 8.8.8.8:53 98.214.67.172.in-addr.arpa udp
US 8.8.8.8:53 85.99.22.2.in-addr.arpa udp
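The Network rows mix three things: the sandbox's reverse lookups of addresses it saw (160.135.67.172.in-addr.arpa is 172.67.135.160 reversed, the address potterryisiw.shop resolved to), names the sample queried that were followed by a TLS connection, and names that were only queried (the page shows no DNS answers, so these either did not resolve or were not reached before the run ended). The Python below is an added example, not sandbox output: it parses the rows exactly as they appear above and sorts them into those buckets, treating a query whose last label is not a plausible public TLD as a probe and steamcommunity.com as an allow-listed domain to review rather than block; both rules and the allow-list are this example's own assumptions.

```python
"""Triage of the report's Network table: drop the sandbox's reverse lookups,
keep the names the sample itself asked for, and separate DNS-only candidates
from domains that went on to answer on TCP/443. Added example for this report;
NETWORK_ROWS is copied from the behavioral2 Network table, and the
classification rules (including KNOWN_GOOD) are this example's assumptions,
not something the sandbox asserts."""
import re

NETWORK_ROWS = """\
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 WdmsqZPefqHAfesRQ.WdmsqZPefqHAfesRQ udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 203.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 penetratedpoopp.xyz udp
US 8.8.8.8:53 potterryisiw.shop udp
US 172.67.135.160:443 potterryisiw.shop tcp
US 8.8.8.8:53 foodypannyjsud.shop udp
US 172.67.164.248:443 foodypannyjsud.shop tcp
US 8.8.8.8:53 contintnetksows.shop udp
US 104.21.79.40:443 contintnetksows.shop tcp
US 8.8.8.8:53 swellfrrgwwos.xyz udp
US 8.8.8.8:53 ellaboratepwsz.xyz udp
US 8.8.8.8:53 towerxxuytwi.xyz udp
US 8.8.8.8:53 pedestriankodwu.xyz udp
US 8.8.8.8:53 steamcommunity.com udp
GB 2.22.99.85:443 steamcommunity.com tcp
US 8.8.8.8:53 160.135.67.172.in-addr.arpa udp
US 8.8.8.8:53 248.164.67.172.in-addr.arpa udp
US 8.8.8.8:53 40.79.21.104.in-addr.arpa udp
US 8.8.8.8:53 reinforcedirectorywd.shop udp
US 172.67.214.98:443 reinforcedirectorywd.shop tcp
US 8.8.8.8:53 98.214.67.172.in-addr.arpa udp
US 8.8.8.8:53 85.99.22.2.in-addr.arpa udp
"""

# Assumption: domains an analyst would allow-list and review rather than block.
KNOWN_GOOD = {"steamcommunity.com"}

ROW = re.compile(r"^(?P<cc>[A-Z]{2}) (?P<ip>[\d.]+):(?P<port>\d+) (?P<name>\S+) (?P<proto>tcp|udp)$")


def parse_rows(text):
    """One dict per well-formed 'Country Destination Domain Proto' row; other lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            d = m.groupdict()
            d["port"] = int(d["port"])
            rows.append(d)
    return rows


def classify(rows):
    """[(name, kind, endpoint)] for each name the sample queried, in query order.
    kind: 'live' (a TCP connection followed), 'dns-only' (queried, never connected),
    'legit' (allow-listed), 'invalid-tld' (not a resolvable public name; probe/noise)."""
    queried, connected = [], {}
    for r in rows:
        name = r["name"]
        if name.endswith(".in-addr.arpa"):
            continue  # reverse lookups of addresses seen in the run, not names the sample chose
        if r["proto"] == "udp" and r["port"] == 53:
            if name not in queried:
                queried.append(name)
        else:
            connected[name] = f'{r["ip"]}:{r["port"]}'
    out = []
    for name in queried:
        tld = name.rsplit(".", 1)[-1]
        if not re.fullmatch(r"[a-z]{2,10}", tld):
            kind = "invalid-tld"
        elif name in KNOWN_GOOD:
            kind = "legit"
        elif name in connected:
            kind = "live"
        else:
            kind = "dns-only"
        out.append((name, kind, connected.get(name)))
    return out


def blocklist(classified):
    """Attacker-chosen domains worth blocking outright, whether or not they answered."""
    return [n for n, k, _ in classified if k in ("live", "dns-only")]


if __name__ == "__main__":
    for name, kind, ep in classify(parse_rows(NETWORK_ROWS)):
        print(f"{kind:11} {name:36} {ep or ''}")
```

The split matters for response: the four .shop domains with a 443 connection are what this run actually talked to and belong in a detection rule immediately, the five .xyz names are the rest of the rotation list and are worth blocking pre-emptively, and the allow-listed entry should be examined in the HTTP/TLS capture rather than blocked on the strength of this table alone.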

Files

C:\Users\Admin\AppData\Local\Temp\Tgp

MD5 04c3e1fe509b289d0954988a11c5945d
SHA1 4540b87534167185f3d96071f42c1d044e010fa3
SHA256 a6dd96ab306afc8e9fbca6147290eee8caccbe69b120e695cdbad04cec19c889
SHA512 9f4582c580c9b8d27188f4ac5a0887b358b311dd4dde3bdd1d3b66cb47afba62188df7f26373d01c4bb85765d5c26d1576e13f298f862d41892f5ae9398d23af

C:\Users\Admin\AppData\Local\Temp\Suitable

MD5 96eff773b3f6110a9c8625fb18d2cc1b
SHA1 aab16460911e16e8398ae7a279522f4a120b7750
SHA256 3d24288b2b98bdfd94cd24efc6c2b3b2c09194a243904b72236eca0c6c31010e
SHA512 24d31136bf7c3a89c734772fb71ef4f65ec8b2ff0d9ea04136cf76409ccc377f3092e7586ae39379b173a028118f6f41419b65fe2a4a3f97f5d1125681938aa5

C:\Users\Admin\AppData\Local\Temp\Hotmail

MD5 cd7e67082ef7590c4bc0328b5637d232
SHA1 f27eeaa31097cebddfc7d609904b93f4c903054e
SHA256 976bbb03d98c3afbd416bb8f6ff22e2b300c2d01a79c7cd0d3fda55064ca4762
SHA512 c3dde88a2f24d473c20a5c9df4dc53d6f06561535ed92d404ee0966e5a17b0213b1742a6dee9c22c5c4a59849955e6784f10711351837d9f2c30d28fd3acaa96

C:\Users\Admin\AppData\Local\Temp\Grace

MD5 eb634d2be4dedb7a70ff45d1c3e20357
SHA1 79f42f200da78a0912b545780cc18314bef43a42
SHA256 e163108df2a86f45fd9a5108d85c211a2868ccbf603cd64a852b17791240dfcb
SHA512 d988075cd84ff4649622b00e1cf86d6a666c1320ce0481e62e134ff9996bd1f6ce1d8391a50bb8a97f3cd97cb3a448ea79d78ba75e761524e02d0878f3381625

C:\Users\Admin\AppData\Local\Temp\Vitamin

MD5 1bfe3556cf9ebcb5629c6a1b7ef22d1b
SHA1 0f588767539c25e7d29dc0416fbdb65ea2e2f22f
SHA256 d94995cf898f26fa196588ab1abec90a0b3ec83c83684aa8d93753201e9a753b
SHA512 8ba73c19a8adeb82681a5766e5c6a7813b9185168de8d3dae28e167115ef31e16d37f83e1717862f52ab47ff3845123c871a50d9bde1ff4cd33878f1c425264e

C:\Users\Admin\AppData\Local\Temp\Rs

MD5 9ef2eecccce8204fc7b37804592d624e
SHA1 ab4b49e0722c2392bef36891f2bb7a927979c4bc
SHA256 7eea47d4fdc62aa3807047bb89f4d29f8d40a0380331e9f2ed79529a21588939
SHA512 f2f8064575dbbcb6a268e27eb540a3847fe59ea2484726a460197802e906664b0dc2db94c22d0d56ada71df2e045bd368d641d27e6caf5289de60ac6cb5efe9e

C:\Users\Admin\AppData\Local\Temp\Cakes

MD5 d3f3e097a88f9d03330992737d9326f6
SHA1 c5b791183ead1e226f1c76beb05a15f9405e5595
SHA256 c7acc1bab794003162ed042c9f8feab0a4d9e65f6f9d67cc057327459630defa
SHA512 7c7c20ddd7c388067f8af3eb5fd3faa32246111516835f580ee02126c45749b3cfb468668007ad3e6d3d4c7f12691af8c4286cd688484332ed9b7e0120f7fccb

C:\Users\Admin\AppData\Local\Temp\Mathematics

MD5 3a846de9e24b0c20a1a8d6f868b7f8fc
SHA1 145bde661b617986cbf951b0d7ff479b279a5668
SHA256 51940f1b9f60f40fade1ac5e47c5a5b9275386c323727b89177eb52a9f68886d
SHA512 eda72151185ca3b7060c7cf93c03dffb16bb76de11c105da34148f07c37643f6196bed76e1edac7e8da892c7b9d7eb7d39298536f226615e3e22e31cec9adfc0

C:\Users\Admin\AppData\Local\Temp\Brief

MD5 c99e427b33f232ede1c3e043d8d9c018
SHA1 43cbd5ba270051d007825e754d9d80d1161ae61c
SHA256 f626cff54e9f917fb0a8f55c2b8af27cf1afc4697a0db37e468b2a76af0ec252
SHA512 4975489bdf9782118724b04425eb659b47834d30e2a91c80808bd89dd0f244eed776d1a583a98e81d77b68fe2a3886477d82647561fbc9d00e3a121d9c8aecab

C:\Users\Admin\AppData\Local\Temp\Yemen

MD5 de50ecbbe54b03cdc2fbceebc3d52a5f
SHA1 51c46b71241d92a0dc574b7695712aae4c4dca7c
SHA256 c8139cf08b7dc1b445281a222c5887abacecda7b61b0f8d4d0a93a0b01e4f79f
SHA512 c209961f832f0588db690cec8d02d10e2356037fe6fae743f34dd0092222bf661890982dbf1dbd993179b74b286a7f10df855039eb51d9996cc1bd259b88a805

C:\Users\Admin\AppData\Local\Temp\Gothic

MD5 a16566e806dbb4fbea12c967d1752c21
SHA1 348e8c601a175372cfefa819ae8308e0a7bab4c2
SHA256 59c6ee39413859f2140af7df317a40a493ec47287f7008b04c1ff0f05cc98b3c
SHA512 3cc379ec6e5273433c9bbce0af0dbd7c185a7978b1226cc2b7fe5209a562b60a519126c06d533c056e2f3433417bc26840829024ec0ea7b68c22dffad5faf3a3

C:\Users\Admin\AppData\Local\Temp\Origin

MD5 e91a7e74a06da01ef6a1e16054b9865c
SHA1 5f3de93704a868a93f85fac907c044e9d47e6a26
SHA256 7c429658cc1c50a7946589578c976c6f74c4be60f14ea31e426abbdd39655223
SHA512 992eb83618d282d4f82dac298969f31b7613bb1f95eafac0a9d6b67fe96e6a1d9fd822f58828ca15c6e6529d0e1b4fa88c03b3431b5e9b3b02a0df2212b84dcb

C:\Users\Admin\AppData\Local\Temp\Begun

MD5 25eb540c590829bfb603686af8a41648
SHA1 576f2ede2f703462dc5b6738fb4d7719766cdf56
SHA256 47d487a26e6a1eccbbd9fda052b6ec474135d9b3291b0246909abb78436c2a11
SHA512 8dfa86c9836b07cd72910efb5e30d4db81a0735cb5192fa6eb6d311f0e15fb12cb7e20e00db2a0b7a0c16671867c0db8a8e3e9d3ab6042f18e2aca601f933216

C:\Users\Admin\AppData\Local\Temp\Liabilities

MD5 3fb3e8e1584ff8e9ebdbff88e1edd791
SHA1 8d65f058a425a02f14f0ae4fcb51723bef2dc163
SHA256 e8177dfb2845d13ca8504899cb4a12a8de8fd5a09d4fc915e939c661827450a3
SHA512 c8607f449bee25934423e20473ba926caee0e342e892b53c8857027d4188e4c949a808ce50327d4f333527f98d28a96f6ed7329c208346bb9d2b1cdd1949467b

C:\Users\Admin\AppData\Local\Temp\Watson

MD5 cdd647870713be6aecae5cd60bce7743
SHA1 2149a9e77f24d4a0d923bb4b3bb67c45094eb043
SHA256 491baaf85c4219d38b8643c57fad7ef0cc9f0237097108417af492f0667c21f4
SHA512 ea900b24b51dc36b9d049e40ec8c6ff4f0000098fdfc08c3972ad4c3b79b534ebaae8f6f4a97d2c6ce99bdf351877163b2983e70ec8d5c4531e5c4144b8c8a74

C:\Users\Admin\AppData\Local\Temp\Dispatch

MD5 73a19dbe924110db1e1f7d57ea91ebc3
SHA1 a6383e01b378e78a72abfa7cccfa40d0590ac53d
SHA256 5c86622831c41a0bb282acc35f1cdff0f462b52c4a9678367531b53c1bcdd1bf
SHA512 4a42e2b371dd2fe4b2d9545fb7870fafb7e84f94cd07d55a87e6fb43c1d0c5db714b232174915d6772cb68f2bc294d103b47470438201e15f49f2cf20bcbd3c9

C:\Users\Admin\AppData\Local\Temp\Bloggers

MD5 22da89159d0634b750d8211d8f8aa21a
SHA1 d53eacc23c217d9faa60c4033b1e2c3d2eacf033
SHA256 4846ae4c5e2e988220d27a698fe8a76751b5a33282e0b1a7b9639f56f1c90ccb
SHA512 0935c7aaed51b6c9b56138b6e413e8738851550dc984223ce4e224882f1e7f86219eb86f54f299f900852b4b4be36810e0117a0e56cd51d4907bdb3f6ca083f6

C:\Users\Admin\AppData\Local\Temp\Characterization

MD5 9b5af47f431b946046ec996f7f4e999b
SHA1 5801430dff5a8459ce274db78e1057348cfe8416
SHA256 feb8d87c6462fe556d7d8ab4344be2da327f0a3c0e4a1a1f7de301ff4f757d77
SHA512 c2aaf211b0a12e2d9207d28dbba4d89ae2c36ed8637fa1ae1047b3a2ddf34864d3e3abaa1f6927139f5fb38678782512e65a7d982e6c7b4bfb21842afba12131

C:\Users\Admin\AppData\Local\Temp\Warrior

MD5 6caa2bd0c15d9f1ca3b910d1f8579c09
SHA1 3e9322c646486c9aef1a87b18c6b4aa599782cc8
SHA256 93bcb0f75cc3fccae11453a6478e13bb5ef229edbbba7f20da59a79ea9f1a387
SHA512 f6228a41efb547eea0d6d165278c7b0fa19bd57418a45fa2265db8fb21f330eb113237600b7ddb371002c590cb0d9575ddbe1d4c76ff093f28667d893c9b0b62

C:\Users\Admin\AppData\Local\Temp\Finger

MD5 070543f59d7cd07aa4b3fc4bc305d81c
SHA1 f1e9188ce0e913a5e89c1ba1a083d0a0aca457c4
SHA256 13e495412664969c3fd46708e917fd99ea54f8e34c4ba4837037b10e6a8b233a
SHA512 a657d60813d632599d83ee559ab18874201ac0f279c5f2e9632973181b866073d850897d1329b41f5b8c4bf4227003da6daf8f8153eaafc408540ab8aebaddeb

C:\Users\Admin\AppData\Local\Temp\Vista

MD5 5d09310a1d87f36ff9452d39a8172b9f
SHA1 9b846dd3802db88fb9d90510cca3a7743e07fe26
SHA256 e1c72cbe0d26e5b245e773f1ecd0da93030e481c533e045b4911590a1ff1dc42
SHA512 4871d16a91f4153a5016db43397a60dec41f8a3b1ebc278e0e1cf8ffaae6df7526b9db3f28f4e2500748d9dceea14339b84de91f4b71dd0fe62a98a134613b44

C:\Users\Admin\AppData\Local\Temp\Handled

MD5 be31546a5c8a2186b8a72bdeaf1d2d69
SHA1 492ab580d7011843658d3ae311a8b01bf298b05f
SHA256 c1d22f0f8bc7a4be420ccbfe9a3ae157e5d7d3f93f80a2c6cfacc3024336397c
SHA512 0f7d26fb98c8aa4cd34e52f5d7318b5907b6d3ac7c05677bb3431d532894d0387f4c7ce80bd66e1ea8eba85b70a8772722f09ce9885a806544a5e7f3d19575c4

C:\Users\Admin\AppData\Local\Temp\Validity

MD5 77e16a5c465e42f6ff0ec7cb6585844f
SHA1 8369b87a1f2996b8521c7ad1fa88c4cd8123fa1d
SHA256 86841ad0b10d407d06809916481518f2917391d922c9cdc41c689e0321e54ea0
SHA512 f99184cb38121ed1e3dba32995db8ea67aa9ddc649fce5070729ddba63d53592ba626be16b9209884c89265d2574b2e61ecb63eebad352621aa1232f59a22c4e

C:\Users\Admin\AppData\Local\Temp\Llp

MD5 e963867fefe95f7cc5470ab48555f4fc
SHA1 b187370521980857adae6a345912ecf35511f735
SHA256 cf99e743170f22eb422ba6f33a968ef9cc2ef15697620bbaa36564b869be5139
SHA512 36a43bc5e7d632fc8664147d233b990138de02efea7604f3d8c99bd0903ca0d53ab510289e3d18709c3cf51c32872254b0d3efb6b9ba502197e323b1501ec83c

C:\Users\Admin\AppData\Local\Temp\Per

MD5 4a8c72c956b05b2a162d7aada25ca35d
SHA1 f35f0d53bc18e9a2091d35f397e0cbe35527eb09
SHA256 005b5e3adeabbce126fc6d0d60735bc1f1493e4d9cf38ecd932a83c68f0e3b79
SHA512 1ab0b6dad8c6caed84a8a4af979ebe69adddb0c318d0d6c07800c7f584fe0ed58d85f490f7a97563c26b520d7c67018852a774b8a225c2673fd23f0b4d344f66

C:\Users\Admin\AppData\Local\Temp\Chairman

MD5 6a228f861d4f766294c98410e5017d4c
SHA1 f41fbdbd611443acedda18fa31aeffbc8e6457f9
SHA256 667cd5883d39a3e51d553b295458577580ac6a20da1e01e637edefcba80650d5
SHA512 ae9da3eb8c2c70d1b51c8ebb1cfa7068e8cf95ad0ec4157e2e5af5dda6e0f9a2f46e688f5db43775161abd1117ce4fd21695f8d5f825a6d7f3b6b70e8485ff35

C:\Users\Admin\AppData\Local\Temp\Russell

MD5 dca0639c684e9dff96b08571fa70b860
SHA1 45c6cfd4d62bf2bbc09a2f5839c7a1d8212a6296
SHA256 d9c121c8a5b3c3c3c34dc9204696e4edba766da41a0ebec32d2e28aa6e2cbdc4
SHA512 749a6ee9571e93062d5f10ce9027de5e8159f23f465756dcc3a487e5a0b4a6b422fa186f5d180d4c4e14c3d1a063eb7e3515a2e28229c4d3756a06f56ebf91ee

C:\Users\Admin\AppData\Local\Temp\Horses

MD5 c54270e0880a99debbcf0f5d6a62768c
SHA1 5bd789ffe10003ec6ea9af0c0cb84b34ce27f6e8
SHA256 c58ac2e714ef30e563c132db53ef1f2cd7008b9139d360179b76b2b619ec7144
SHA512 1812a3f52680a83e38844882db6cd8fc00e63c1185390aa370daaf3ecc67ac7e4f86c02254714a45ab66421f3b42cfcc208235bb4a10e191f3a3ca20cc11132a

C:\Users\Admin\AppData\Local\Temp\Difficulties

MD5 a3fbddb5503c1bc2e961976de90d635c
SHA1 cd0b66f2c9969b438b452cef882881d09b1fd355
SHA256 ea66152f72412042ea380e8d63f83d921cf51eb7807a6730b7ebd11601b0ddab
SHA512 339aab2150338368cc2f42a87ca448049790bffe2c907dbd61d1be71c73a194692a5d5c724b56d9b21692208478059928eb8426e986bbb71e581e4977f997a77

C:\Users\Admin\AppData\Local\Temp\Adventure

MD5 019ac46c0c005fd044118406763c4eaa
SHA1 84ec0e7a5a16469581f9d26e7b537945bff91b2e
SHA256 c0a5dd443fafbcf8df746adba9c4cc91ee8a7029615e50c34b7cd9752a39f894
SHA512 c893e0a8e01d9acee69d2ebfc16837431640445680f20627b5cc838f6c08d3402e93631d826e6625ab46d7bb471fde58a9c358ba73648b5e62c15316ee14279a

C:\Users\Admin\AppData\Local\Temp\651629\Foundations.pif

MD5 b06e67f9767e5023892d9698703ad098
SHA1 acc07666f4c1d4461d3e1c263cf6a194a8dd1544
SHA256 8498900e57a490404e7ec4d8159bee29aed5852ae88bd484141780eaadb727bb
SHA512 7972c78acebdd86c57d879c12cb407120155a24a52fda23ddb7d9e181dd59dac1eb74f327817adbc364d37c8dc704f8236f3539b4d3ee5a022814924a1616943

C:\Users\Admin\AppData\Local\Temp\651629\U

MD5 5c9860ed27775885917401f530af86f7
SHA1 a96f0e06fcfc7bab8b97ba69a9e03f3984039a2d
SHA256 e3e483e51bec0b0f938532a0b1fc6971ce822e477fd86a40fcf64a4dbe60a938
SHA512 c914d6412fffec508ed20d57013c477e3f549cac6f93fca38489f2e15f35f9bff870c1f050c8ef3ee72a4e1c6f10479bccae85a1d7f6f69f828e9a47ce71a172

memory/2808-311-0x0000000007020000-0x0000000007077000-memory.dmp

memory/2808-312-0x0000000007020000-0x0000000007077000-memory.dmp

memory/2808-313-0x0000000007020000-0x0000000007077000-memory.dmp

memory/2808-314-0x0000000007020000-0x0000000007077000-memory.dmp

memory/2808-315-0x0000000007020000-0x0000000007077000-memory.dmp