Analysis Overview
SHA256
123ea084efadcb985bbcebfe0613c0785db3012d16b9765a8a6c3bcebfa3cc2e
Threat Level: Known bad
The file 123ea084efadcb985bbcebfe0613c0785db3012d16b9765a8a6c3bcebfa3cc2e was found to be: Known bad.
Malicious Activity Summary
Suspicious use of NtCreateUserProcessOtherParentProcess
Lumma Stealer
Executes dropped EXE
Drops startup file
Loads dropped DLL
Checks computer location settings
Enumerates physical storage devices
Suspicious use of SendNotifyMessage
Delays execution with timeout.exe
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Enumerates processes with tasklist
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-11 02:00
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-11 02:00
Reported
2024-07-11 02:02
Platform
win7-20240708-en
Max time kernel
28s
Max time network
18s
Command Line
Signatures
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 2208 created 1240 | N/A | C:\Users\Admin\AppData\Local\Temp\651629\Foundations.pif | C:\Windows\Explorer.EXE |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PeacockSync.url | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PeacockSync.url | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\651629\Foundations.pif | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Enumerates physical storage devices
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\651629\Foundations.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\651629\Foundations.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\651629\Foundations.pif | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\651629\Foundations.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\651629\Foundations.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\651629\Foundations.pif | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\123ea084efadcb985bbcebfe0613c0785db3012d16b9765a8a6c3bcebfa3cc2e.exe
"C:\Users\Admin\AppData\Local\Temp\123ea084efadcb985bbcebfe0613c0785db3012d16b9765a8a6c3bcebfa3cc2e.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k copy Tgp Tgp.cmd & Tgp.cmd & exit
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c md 651629
C:\Windows\SysWOW64\findstr.exe
findstr /V "RossLighterInclCookie" Suitable
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Horses + Difficulties + Adventure 651629\U
C:\Users\Admin\AppData\Local\Temp\651629\Foundations.pif
651629\Foundations.pif 651629\U
C:\Windows\SysWOW64\timeout.exe
timeout 5
C:\Windows\SysWOW64\cmd.exe
cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PeacockSync.url" & echo URL="C:\Users\Admin\AppData\Local\ColorSync Dynamics\PeacockSync.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PeacockSync.url" & exit
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | WdmsqZPefqHAfesRQ.WdmsqZPefqHAfesRQ | udp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-11 02:00
Reported
2024-07-11 02:02
Platform
win10v2004-20240709-en
Max time kernel
38s
Max time network
40s
Command Line
Signatures
Lumma Stealer
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 2808 created 3444 | N/A | C:\Users\Admin\AppData\Local\Temp\651629\Foundations.pif | C:\Windows\Explorer.EXE |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\123ea084efadcb985bbcebfe0613c0785db3012d16b9765a8a6c3bcebfa3cc2e.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PeacockSync.url | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PeacockSync.url | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\651629\Foundations.pif | N/A |
Enumerates physical storage devices
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\651629\Foundations.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\651629\Foundations.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\651629\Foundations.pif | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\651629\Foundations.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\651629\Foundations.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\651629\Foundations.pif | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\123ea084efadcb985bbcebfe0613c0785db3012d16b9765a8a6c3bcebfa3cc2e.exe
"C:\Users\Admin\AppData\Local\Temp\123ea084efadcb985bbcebfe0613c0785db3012d16b9765a8a6c3bcebfa3cc2e.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k copy Tgp Tgp.cmd & Tgp.cmd & exit
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c md 651629
C:\Windows\SysWOW64\findstr.exe
findstr /V "RossLighterInclCookie" Suitable
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Horses + Difficulties + Adventure 651629\U
C:\Users\Admin\AppData\Local\Temp\651629\Foundations.pif
651629\Foundations.pif 651629\U
C:\Windows\SysWOW64\timeout.exe
timeout 5
C:\Windows\SysWOW64\cmd.exe
cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PeacockSync.url" & echo URL="C:\Users\Admin\AppData\Local\ColorSync Dynamics\PeacockSync.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PeacockSync.url" & exit
Network
Files