Malware Analysis Report

2024-11-30 05:27

Sample ID 240711-cjmcbavgnh
Target 3b2d9552c63d3f16ccd2b16e2581bf02035149a52f221ffbaa6a3db26338f997
SHA256 3b2d9552c63d3f16ccd2b16e2581bf02035149a52f221ffbaa6a3db26338f997
Tags
lumma stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3b2d9552c63d3f16ccd2b16e2581bf02035149a52f221ffbaa6a3db26338f997

Threat Level: Known bad

The file 3b2d9552c63d3f16ccd2b16e2581bf02035149a52f221ffbaa6a3db26338f997 was found to be: Known bad.

Malicious Activity Summary

lumma stealer

Suspicious use of NtCreateUserProcessOtherParentProcess

Lumma Stealer

Drops startup file

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Delays execution with timeout.exe

Enumerates processes with tasklist

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-11 02:06

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-11 02:06

Reported

2024-07-11 02:07

Platform

win7-20240704-en

Max time kernel

17s

Max time network

19s

Command Line

C:\Windows\Explorer.EXE

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess

Description | Indicator | Process | Target
PID 1420 created 1240 | N/A | C:\Users\Admin\AppData\Local\Temp\395143\Situation.pif | C:\Windows\Explorer.EXE

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AsclepiusConnect.url | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AsclepiusConnect.url | C:\Windows\SysWOW64\cmd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\395143\Situation.pif | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Enumerates physical storage devices

Delays execution with timeout.exe

evasion

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A

Enumerates processes with tasklist

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3004 wrote to memory of 2800 | N/A | C:\Users\Admin\AppData\Local\Temp\3b2d9552c63d3f16ccd2b16e2581bf02035149a52f221ffbaa6a3db26338f997.exe | C:\Windows\SysWOW64\cmd.exe
PID 3004 wrote to memory of 2800 | N/A | C:\Users\Admin\AppData\Local\Temp\3b2d9552c63d3f16ccd2b16e2581bf02035149a52f221ffbaa6a3db26338f997.exe | C:\Windows\SysWOW64\cmd.exe
PID 3004 wrote to memory of 2800 | N/A | C:\Users\Admin\AppData\Local\Temp\3b2d9552c63d3f16ccd2b16e2581bf02035149a52f221ffbaa6a3db26338f997.exe | C:\Windows\SysWOW64\cmd.exe
PID 3004 wrote to memory of 2800 | N/A | C:\Users\Admin\AppData\Local\Temp\3b2d9552c63d3f16ccd2b16e2581bf02035149a52f221ffbaa6a3db26338f997.exe | C:\Windows\SysWOW64\cmd.exe
PID 2800 wrote to memory of 2808 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe
PID 2800 wrote to memory of 2808 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe
PID 2800 wrote to memory of 2808 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe
PID 2800 wrote to memory of 2808 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe
PID 2800 wrote to memory of 2336 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 2800 wrote to memory of 2336 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 2800 wrote to memory of 2336 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 2800 wrote to memory of 2336 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 2800 wrote to memory of 2292 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe
PID 2800 wrote to memory of 2292 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe
PID 2800 wrote to memory of 2292 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe
PID 2800 wrote to memory of 2292 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe
PID 2800 wrote to memory of 2060 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 2800 wrote to memory of 2060 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 2800 wrote to memory of 2060 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 2800 wrote to memory of 2060 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 2800 wrote to memory of 2412 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 2800 wrote to memory of 2412 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 2800 wrote to memory of 2412 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 2800 wrote to memory of 2412 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 2800 wrote to memory of 992 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 2800 wrote to memory of 992 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 2800 wrote to memory of 992 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 2800 wrote to memory of 992 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 2800 wrote to memory of 1128 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 2800 wrote to memory of 1128 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 2800 wrote to memory of 1128 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 2800 wrote to memory of 1128 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 2800 wrote to memory of 1420 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\395143\Situation.pif
PID 2800 wrote to memory of 1420 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\395143\Situation.pif
PID 2800 wrote to memory of 1420 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\395143\Situation.pif
PID 2800 wrote to memory of 1420 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\395143\Situation.pif
PID 2800 wrote to memory of 1348 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 2800 wrote to memory of 1348 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 2800 wrote to memory of 1348 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 2800 wrote to memory of 1348 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 1420 wrote to memory of 2316 | N/A | C:\Users\Admin\AppData\Local\Temp\395143\Situation.pif | C:\Windows\SysWOW64\cmd.exe
PID 1420 wrote to memory of 2316 | N/A | C:\Users\Admin\AppData\Local\Temp\395143\Situation.pif | C:\Windows\SysWOW64\cmd.exe
PID 1420 wrote to memory of 2316 | N/A | C:\Users\Admin\AppData\Local\Temp\395143\Situation.pif | C:\Windows\SysWOW64\cmd.exe
PID 1420 wrote to memory of 2316 | N/A | C:\Users\Admin\AppData\Local\Temp\395143\Situation.pif | C:\Windows\SysWOW64\cmd.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\3b2d9552c63d3f16ccd2b16e2581bf02035149a52f221ffbaa6a3db26338f997.exe

"C:\Users\Admin\AppData\Local\Temp\3b2d9552c63d3f16ccd2b16e2581bf02035149a52f221ffbaa6a3db26338f997.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k copy Political Political.cmd & Political.cmd & exit

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa.exe opssvc.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 395143

C:\Windows\SysWOW64\findstr.exe

findstr /V "HoursInfectionsBradfordStanford" Tribunal

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Arrived + Algebra + Newcastle + Frequencies + June + Therefore 395143\Y

C:\Users\Admin\AppData\Local\Temp\395143\Situation.pif

395143\Situation.pif 395143\Y

C:\Windows\SysWOW64\timeout.exe

timeout 5

C:\Windows\SysWOW64\cmd.exe

cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AsclepiusConnect.url" & echo URL="C:\Users\Admin\AppData\Local\HealthSync Innovations\AsclepiusConnect.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AsclepiusConnect.url" & exit

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | PnOypdPQNoHlEEguKTXg.PnOypdPQNoHlEEguKTXg | udp

Files

C:\Users\Admin\AppData\Local\Temp\Political

MD5 5f12f130e6c21c7918956ba48be2253a
SHA1 4f415d6963b58431e8d6057e855595176517a4d4
SHA256 db920145f0d0df011e854105c6053f1308ef796122e60be1b40a9d9811055fd8
SHA512 875ce0eb003d2acdd3407a53985ae25d2ca86707b72d8c79386a220bc474849cdb009eee6f1a4fefcce62c1aecd17a0aa00857568b031110149f2753b0e6f07b

C:\Users\Admin\AppData\Local\Temp\Tribunal

MD5 de0af2dabeb00b5af2d148e6548682f9
SHA1 a0dae15ca11c2921b7a935ea4e66e5af527f221c
SHA256 5d54695fa969070bb5ae9bf5a92c8d5dfaeff9acc610e95885cec4447896de32
SHA512 5f839f8cb3755bc0cbccab23bb32b71f6982a175d396e5463a03ca35ecf2d6c8d91ff586a7c6bc04f6435c332e424614d95d9c858194399ef1f53854492f32cb

C:\Users\Admin\AppData\Local\Temp\Greg

MD5 3ecd07f342e538de5cecc5484fbb7e60
SHA1 7de81cc3aa2a56e28a5728ab5aefbfc04e80199a
SHA256 a3308e30bf566a997ffbead0364fb8f4e20d1c78b8ccb29596285339173a842f
SHA512 1f83f052507678ebad2af659da53842542fb026bcd0f273b9b55439cd0e706db4d662fb5f15095ca76d09dfce8a4991f3344da365e7bd80bff56e94deb42036d

C:\Users\Admin\AppData\Local\Temp\Modern

MD5 9890ab611495674149f77d7e002a289d
SHA1 196667f70a0220987ddff024e9e30fe7be1a013c
SHA256 adf7d9256354ff7adbf5df3bd4a412377bc6d3fa9123c29baec8e699a7729e7b
SHA512 fcf81bc8df0bad884763528554da7bb49f8f407e2fe804d7fdf51b95a2aa790196c4617573a970e567bd5a43c1a1c7ed00ac4b53d6d90ec06640b47912e825ed

C:\Users\Admin\AppData\Local\Temp\Ambient

MD5 329c0e9c5a3030d88b2e7718adc70efc
SHA1 f2549271578e28567132240458eee525f8344029
SHA256 7dfffe1534f539dd69c01d549a8e7945236f182835c96eaba95763fb644670d3
SHA512 6284b2f8f22b39799366437c0f404e6b775e0bd77abe0c98449520f2fce2a933da4127ff0d2acb27522d85c572c30a97accaadaee0b4f0216c39b9d3637351ee

C:\Users\Admin\AppData\Local\Temp\Gi

MD5 a97bf57bda2df0b8f8fbe92a0749b480
SHA1 9eaadbcf26bdbcdbc9b326d61b351183ea38584e
SHA256 832da74e6970e44149540053850f450fc304e45c11dfcafd476d7630f89f5e47
SHA512 c29e63472db5b384eaae3ff625af439685d333edd6f9ebac7f585787b858a4e694e84b14488e93df7c892c36f992036f8d9669213d56119a81d47d182e39fd83

C:\Users\Admin\AppData\Local\Temp\Respective

MD5 da1d2dfc1b0a7433401a70baa5c98815
SHA1 20b4642bf4c5032b235cf799abfd15683fe747bc
SHA256 f9c4f65ef4250a3d86d47150ba1d5cf3698fcecc1a846ff639c833a0aba2e05f
SHA512 f47e111a42a06bf3953a73c3c922bbfcf1c1b6e4c5a36ac5e6f985307ede685ae47426ce1f1a9fda40a149a3facdffb78777658a83a4321b9a187e155bfb130a

C:\Users\Admin\AppData\Local\Temp\Shipments

MD5 e37139d9c0065fefd53e5450190d255d
SHA1 f9d79af76ff8a874799a5144bfe089ed4bab8bab
SHA256 822c6e118c91dd4fd5b5f73647166a3cf795a6584a6ca0803a082e8591e5fa4d
SHA512 f869cc7351c05d9f8b519bfab35524bf4cd5da568e9c17feb33343d9d89721b784860035a8a676b18a83c54435da20f786ca4c60d3731d24fafd205e288715b8

C:\Users\Admin\AppData\Local\Temp\Continually

MD5 9c6b453b6542b7744689673bbe5eb9df
SHA1 73c372c28c0b0d25ec474af7b95fb0fe44801185
SHA256 bd6fe81d09fe3ccaf5babf116661bc8f2c9fd941fd3b529f216178d30307ce5c
SHA512 9978e2f40cddad8703eab9ff6168a7e7b6e1c5bf5f7b539fe4fd892198d77e3df2fa63eacf6a7a7a2493c50ea2dbbded39da0300b280fa1eee54f9e243f9fa4b

C:\Users\Admin\AppData\Local\Temp\Ward

MD5 10b054278ef13a6067d1936b3b216d52
SHA1 104188fe5ef2d0969ddaed3c160caf30a6353f34
SHA256 b2b07ecfb6e4a7cb381e47e354d78b35fdbdc1f978a7f2257b96bc1a462cabf3
SHA512 5a48ab416c2a08e67479de2c91e30da347244e5ba9c3aa36b1ef9f6ddccb105de197ee1ea88d9a47c8cbb56fd0d8a43217ccacaeaff068c75d352b23f4c8544b

C:\Users\Admin\AppData\Local\Temp\Threatened

MD5 ce2aebdbdb1460a6726907548eebff7b
SHA1 2bb332f66cdb41e6c414ed833fa5d95c5cb1018c
SHA256 1146e5508fca73615b29d2b5c9d15bef28a2fc7445efe5d84858a742a7cd96a5
SHA512 942ab6ebc47d64467175cc92594db76e6c106f794bd74313d317c15df6a33137ddf579687354e2348a9812eb6d00cd1fb5b0f9ba00d9208eb1db3fad777b3be1

C:\Users\Admin\AppData\Local\Temp\Liabilities

MD5 b63a471bffbdf9da90d273b63a637787
SHA1 323a48491fd1392938c538c43e6460f9027d39b8
SHA256 933c2a98874ca5227d36c996524d34312f0dcae4b343150e6772dd26861c1f86
SHA512 44dc6da6db7a04780d958877ef9ebc6f6031a58ac3988b60ef3d4d34ac532991ad9ee2f058c1a77e9ed27b7193d025fa268ddd9d352cfc30a25c962770a5fea3

C:\Users\Admin\AppData\Local\Temp\Luggage

MD5 ba208d40e43b7b5289aa7a75a3f96f41
SHA1 23c3eb10abe126912f4fe2c757a7c3d4b011515e
SHA256 a2a6d3e24282268eeb3ae68defe87f2d0373668c32a959486a59e20f6b7e32a7
SHA512 badd302e0688e4e5c29167a01d9bc280166183bd13b54d0e66b3f3130988550eadb842a19c21e2d77c784186ba070e2077af16dce24aa16b1807a27a8ade12eb

C:\Users\Admin\AppData\Local\Temp\Murphy

MD5 18b8d47668e42d97dad25f4348ce7978
SHA1 1826f50fc81cb8c869ef85190aabf75a9e5e4c94
SHA256 afa44400d78b8d9152ea684363dfeab864517f8b560cb9e0c33bf4248eabe410
SHA512 2089599c5233b5cf3b3924ed6f7ed438b8b23b317de0cca16efd26490fb2d0dfa9668226c3209a765662c71e20947003771286e90580cc69f4a38c22757740d9

C:\Users\Admin\AppData\Local\Temp\Except

MD5 b3664cdac405996d599d284c501200e3
SHA1 2f63020e9bb6da2208d3717e6e40220627742956
SHA256 c2e249d990f00e24388a8a6cebe07c9a8dc894fd808f96ad09322bfd1071aea7
SHA512 f414ccbfd92270fc99ba83af7c44bb3bf3f0377dec7921e5595db8585e696af7647316081f22f92cd098733754bc610dede322bec16c182aeb06d60769e3e513

C:\Users\Admin\AppData\Local\Temp\Hospitality

MD5 bc142215eeeb8212b6b3b459dc043f68
SHA1 02e3a407c1671fb8bd5e65796ff93573ff14a37d
SHA256 ade420ffa2e119404857522304ecf571ccd765e0a6acbd037b39c326eee50752
SHA512 7feabbbb88ea6ecddff1772f0027c1a223ca6b621fe205ec478185f3daa25a276552373e6886d8c514cb707dfbd23f4b69c388d32d9bf2fd722eb33288abefaf

C:\Users\Admin\AppData\Local\Temp\Vital

MD5 ecf5af629b2736f70b0222870bcf33e7
SHA1 cff788cffa60655bece4ffa40ee6e1e70e406e61
SHA256 0a87c23f3845cee1daec56341e25ab53db0b1f150ef9556f3d6bf476a19f7eae
SHA512 a9039aa8f977eb3779247bcf576e618e96856fa72f6979059551758bc098236c28922b2bb1c96cbdbe4d5fc93d5a3a5346816ad4707ed27c82fffd2c4bcaaccc

C:\Users\Admin\AppData\Local\Temp\Fog

MD5 3cbdb805406510a163c5a097e001236d
SHA1 ce654f4b9fc33396e9adf185116bdfd866d01a0c
SHA256 ea91c3fdf35c997d094a71aba479205e659b06d721252d734cbdc44bc52cd33b
SHA512 727f768851bbbd4874658bd185bac06fc136900a871bfacd56c502b1e9e7284e6abf5f872207ed874790f2856b387197abbbfb49046b2cebee8c8075f2c9214d

C:\Users\Admin\AppData\Local\Temp\Copyrighted

MD5 b811219d80209416126a3d824d4dd107
SHA1 bf10cd8b6ec628df7af120f55a047b1634cc9914
SHA256 7903324b7d445f1cc108649d8f9b115f227eca2230071124e51ab35b401d944e
SHA512 4436cfc595a01044afa6e37f513b5e19da660d7a345bb4b1a97d4cd2f56f94fe2f06a1ccd60a2b4fb0ef22e4557457d8464c815a13ef3ea5a67ae58adad182eb

C:\Users\Admin\AppData\Local\Temp\View

MD5 6bcabed2119fcda2ad1351e34b33fd5f
SHA1 b9afc0536df6d7b14d6f56f2d4d1b2f2f606f9d7
SHA256 f3a307ccd9a955dd1ee842c9ddddb5b23987433f7d041ed0fc014c84aa693c53
SHA512 c20f2ef863ff7e3482e5917cab238b01df42e5885b0bf09180d9530b1a2cfc827c35efd73bd994af31cc0bfa16c80abcbc49d74ebefb3d95f1305d22266307b9

C:\Users\Admin\AppData\Local\Temp\Scholars

MD5 65c39c795896a326881f1f3bd50a2854
SHA1 c3fe82907a97a1a99f1972aed530cf94da5decf8
SHA256 ace1c7967cdc33794dc99711928f3397b060c61045289ee75b0c465bfc220ebb
SHA512 c2a66f65dee5525d1882018ef2fd33c6a5b8016ce6e9182938d6bb73b3a949ee65103bb068bd49c87d75d2e74112751e489d7924dec79ac15e50284d05c429b1

C:\Users\Admin\AppData\Local\Temp\Opera

MD5 d73ede165226cb2b3764e6ed4a5aaedc
SHA1 7e8e7103e12e1db90e5bab866d168ccfdc068eab
SHA256 fbcf085a6c821ca51e3206e3e5caba06d5c74620849a3da9e4716901a58e953e
SHA512 66e423c6e1b476311f31235212d025f0c588ec9378fa7de493f8323fc82862057f1e935f94c970f7166346ac0e86623162abddbbcfb07c2c404a616912caf59f

C:\Users\Admin\AppData\Local\Temp\Cat

MD5 bf3122a7bfddf1156b3f7e64588e9368
SHA1 a4d000c2787f9d9bf3692712f5b6717ba1186375
SHA256 012214bf9c6f5050b6d21abba12c44bf4c96db6940415d46967647fac9b3cb63
SHA512 93d8adcfdb23c7120e3cbbb123c4fae00111325be7594870e6660b1543d384b5321c9274eb31519279d6afc3d25e47e1320f48aceda8dddbf281b99bea29902d

C:\Users\Admin\AppData\Local\Temp\Hardly

MD5 fbe9eb05cd6768c40a895055024b45ca
SHA1 8630b3e4a0fc4d528fc21c87c0ba8a7d6a35dbdd
SHA256 554c2b1ff01c49b8e3a0ee57f0ee82c67a30324cabde352dd24d6a31c870a960
SHA512 7f4edc5bbc43b3770933b4023a0db23398877a7333aa4eae299bfddc787df170848ab5da1ab7884ec5897695fe9dd91a98c82c34ca60c4d907ffa3e14499547f

C:\Users\Admin\AppData\Local\Temp\Sand

MD5 71c733e8b5b8e036671a5204162bd0fd
SHA1 f7f3dbbf615a68df2b52c468427b6d4addb5d031
SHA256 255758438ba25147ec138c198ae0ecd261fc3f3b1d62d9b778634c31898cbc13
SHA512 b225cddbc6fec68f26bf4d46750df34049cbf0091c79fb2f25e714cef268e9a7f35b610575e3716824105e6a84c9c6125a5f82c31076c455ad67bef700cdb63f

C:\Users\Admin\AppData\Local\Temp\Guru

MD5 792477bb59d9b554274bf28d936efc74
SHA1 21ee1e6265f5a72c12cd7d9751d6201b793b8ad2
SHA256 630007a5729487c12adc2dcfff3f36b6c817ebaf2e4dacf9d0f0dc983e0fd529
SHA512 131cbfc54bf6a2d11cc92eaeb1a81e6ef9ca7387c31ecc98c916ec4dd2286b2d8f304eddfe13e3fffcf84259260ecacc648cdbbd95dc4da83e09d3cf45e14b90

C:\Users\Admin\AppData\Local\Temp\Periodically

MD5 bfd4a90a068ce4e09ec7462035252291
SHA1 4522d908766ced6140c45cb11fa90e7914c012f3
SHA256 a150383e93ca874fa86cdecd4625f8570118f504669a8a2b18ff85b844517a13
SHA512 d173db8467c000d3aabfb46d4559d3b1116fc64ee195410705935ab35934482c7f4c2673fd24f74092835acf4f5a3c62a7a537d1d2a8a53c22658906a12b295f

C:\Users\Admin\AppData\Local\Temp\Finished

MD5 c8270b8df541d73ae50b3d6bfa274ec1
SHA1 ffbf025714421c416c0c39089cc50b48850b8467
SHA256 7de1e550b196d943af05d5fc959cc91af893992f5f9bd8149ae11a08e40ccbfe
SHA512 89d7730bc35984b0b3742fb1c528256a6eb78b521e3cf366bfaee7ab11904bf90d859133c3eb87d767300135728d1883a3c4f809092a651c6009ac92453a37bc

C:\Users\Admin\AppData\Local\Temp\Amazon

MD5 09f0d100ad4c0a762e928b37c87bcb1f
SHA1 0adef098386d02d315310a68d99ed8360795d8bc
SHA256 b877260e7c7f801bc4beb7946cba2eafc9e35552e47d8c2a79f8eabaf991f89a
SHA512 871d46bd48b549b7e37743bebe91d3c70f42838270002e408c758d8ad2e783778d286ad5d6e3e57be72444153cdf5da95511abbd5fd1fd62d22459b4adce1667

C:\Users\Admin\AppData\Local\Temp\Required

MD5 b9c1ac31a98468de3a82d0a37e26589c
SHA1 88d1a5d2b1cab857a5710df6acd12a28c2ee6ea4
SHA256 bc6d515e6ee67909eeab8455ddba45ed12dd82c0bcfc367ad6568c7276b9eb6c
SHA512 4fdce06f2ffa1048ebf1d0a5ddf7fea5147c0c466b7b333f0a1ef8652c111c9d63c98f8209d8c3b600535d9686a41cda199ee68101bf86bbba61f1eb7eb778c6

C:\Users\Admin\AppData\Local\Temp\Und

MD5 ea922b2f08d7f38b5404edf4e3875bf2
SHA1 cba11424da4843aa5844a7465f7a4e21e9a78c5d
SHA256 eeb890caae35f6b44e93a5fa52dc8db4c17411ab1c55abaa74c36488fa01301e
SHA512 7587769c001e0e08d35a62c1504b9617becb59bd25a7180ac399c08663c8b0c19b61a3aeda3e07d3e7036311f9cd7a8934a9252b20d2c418f234276cf4b9a3f0

C:\Users\Admin\AppData\Local\Temp\Arrived

MD5 5c5f97a51d232e7c285357acf7479db7
SHA1 f8948d8317918318acbdd8322449f6eb293876f9
SHA256 b7622bd4b9f2ff575d66cb60492316ab489dab6754de12e1e7aebcb2c01b8707
SHA512 06c31c0ce3d269dc1f4c1cf9a471103a3253aef85895dca556b9875a4d503ce07a67eeb4cdefaa8e03bcd7fc06e2fea0485d110c58a1483fbf5d945ec6aec62d

C:\Users\Admin\AppData\Local\Temp\Algebra

MD5 8b307b862f3a190086dbf0a378e02719
SHA1 20607a9f59827c4d8fcc580ed9ac4bc25c95ac27
SHA256 ed17a9a60cbba30e49e4e9f11fd27cb70d766fd2ddcc9fec953833395927a10a
SHA512 d0ce2dfc8ae6acafb5ae4c92f7ce668a872f5b28dffc26db686295218a8e700abc202e6567f6893958a61e2903ecf8acc0ef66cf50d6742ad76517df8602d985

C:\Users\Admin\AppData\Local\Temp\Newcastle

MD5 1d15b76a8009684ba025f6fb7818712b
SHA1 2aead836acb328646b581faa9840022b7a17fb50
SHA256 367edecccb7ba1c0cabd380d26ae29e9af4459966b93980754070f59ac2e6bb3
SHA512 8ac1a9d53cf73bf9a035b944d2eefa77eee1633c62293a9322ab30a4be3aea491180a791bc2b9b14fabc327d70a88e2f89e99eba01ecc82a4012ef99aed2d508

C:\Users\Admin\AppData\Local\Temp\Frequencies

MD5 9f985bd3c2887feb8fb0e4b7dcb263c0
SHA1 d76201b00743d4d401e951447ffc11702f4a762e
SHA256 1d9868f3f53668e7b4975ccaca0a78fe17804217a9c1e8582a77138eac13ea4d
SHA512 52804a29bced75a90bafa10475baf0848141427e2468db0f279282c79cd01ce581448c8adb275b4ff8879715350d83480079014aa71133659049c0bc89538bff

C:\Users\Admin\AppData\Local\Temp\June

MD5 146fcc97c0f9cd5d1000b00328699d1e
SHA1 d64bdd06dcfa4dff09cc8450442b8de7536cabfe
SHA256 50fbb533262a5eb21bf27034bfadf727cbd74abe3f8e4a9429c57b3f7f4a12d6
SHA512 d8a0d75a97d0745833477a2fef4b75a9825dabdc641e38263936405cc1cb55953836e59cba1e839798d4f25a6e4c786e769f3c4ef3d1047bf279c4b28132693c

C:\Users\Admin\AppData\Local\Temp\Therefore

MD5 94dea993492c68a3d2b5fa684d04f5f5
SHA1 38212f101a050d11ca240380322dc473cca70cf9
SHA256 91a4be190363384ad345794bf67e9cbf2076fc2c1a6f3da8502ded5dede05dc3
SHA512 64f7dc8bf09a3a8b5e9b5675714cf29e4cfc4117a08afd33a2f07dbb3a66516d508d22f21cb3834a172b781bfd40b91a52e3972c0f24e428c9dbb96916f7cad1

C:\Users\Admin\AppData\Local\Temp\395143\Situation.pif

MD5 b06e67f9767e5023892d9698703ad098
SHA1 acc07666f4c1d4461d3e1c263cf6a194a8dd1544
SHA256 8498900e57a490404e7ec4d8159bee29aed5852ae88bd484141780eaadb727bb
SHA512 7972c78acebdd86c57d879c12cb407120155a24a52fda23ddb7d9e181dd59dac1eb74f327817adbc364d37c8dc704f8236f3539b4d3ee5a022814924a1616943

C:\Users\Admin\AppData\Local\Temp\395143\Y

MD5 210c564d31169e586e56131b0d33878b
SHA1 41c9d765de37e3b9a7f07a2a468e6ca8ac63ff94
SHA256 dc10b09237fbb140149128c46df7a9451b302e945eb399b06c0e4c64196ee92e
SHA512 bd8625e4571f428336f975cabbfec9c955b842183a2ab9bd11702aeb0e12220c1ccd5554040013fa1f5ea59b22c9db56dc77547b54ed16b95b0339d9fb2df021

memory/1420-656-0x0000000003620000-0x0000000003677000-memory.dmp

memory/1420-660-0x0000000003620000-0x0000000003677000-memory.dmp

memory/1420-659-0x0000000003620000-0x0000000003677000-memory.dmp

memory/1420-658-0x0000000003620000-0x0000000003677000-memory.dmp

memory/1420-657-0x0000000003620000-0x0000000003677000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-11 02:06

Reported

2024-07-11 02:07

Platform

win10v2004-20240709-en

Max time kernel

33s

Max time network

49s

Command Line

C:\Windows\Explorer.EXE

Signatures

Lumma Stealer

stealer lumma

Suspicious use of NtCreateUserProcessOtherParentProcess

Description | Indicator | Process | Target
PID 3312 created 3468 | N/A | C:\Users\Admin\AppData\Local\Temp\395143\Situation.pif | C:\Windows\Explorer.EXE

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3b2d9552c63d3f16ccd2b16e2581bf02035149a52f221ffbaa6a3db26338f997.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AsclepiusConnect.url | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AsclepiusConnect.url | C:\Windows\SysWOW64\cmd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\395143\Situation.pif | N/A

Enumerates physical storage devices

Delays execution with timeout.exe

evasion

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A

Enumerates processes with tasklist

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\395143\Situation.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\395143\Situation.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\395143\Situation.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\395143\Situation.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\395143\Situation.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\395143\Situation.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\395143\Situation.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\395143\Situation.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\395143\Situation.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\395143\Situation.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\395143\Situation.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\395143\Situation.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\395143\Situation.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\395143\Situation.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\395143\Situation.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\395143\Situation.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\395143\Situation.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\395143\Situation.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\395143\Situation.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\395143\Situation.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\395143\Situation.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\395143\Situation.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\395143\Situation.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\395143\Situation.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\395143\Situation.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\395143\Situation.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\395143\Situation.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\395143\Situation.pif | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 832 wrote to memory of 2784 | N/A | C:\Users\Admin\AppData\Local\Temp\3b2d9552c63d3f16ccd2b16e2581bf02035149a52f221ffbaa6a3db26338f997.exe | C:\Windows\SysWOW64\cmd.exe
PID 832 wrote to memory of 2784 | N/A | C:\Users\Admin\AppData\Local\Temp\3b2d9552c63d3f16ccd2b16e2581bf02035149a52f221ffbaa6a3db26338f997.exe | C:\Windows\SysWOW64\cmd.exe
PID 832 wrote to memory of 2784 | N/A | C:\Users\Admin\AppData\Local\Temp\3b2d9552c63d3f16ccd2b16e2581bf02035149a52f221ffbaa6a3db26338f997.exe | C:\Windows\SysWOW64\cmd.exe
PID 2784 wrote to memory of 2316 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe
PID 2784 wrote to memory of 2316 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe
PID 2784 wrote to memory of 2316 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe
PID 2784 wrote to memory of 2136 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 2784 wrote to memory of 2136 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 2784 wrote to memory of 2136 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 2784 wrote to memory of 2232 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe
PID 2784 wrote to memory of 2232 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe
PID 2784 wrote to memory of 2232 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe
PID 2784 wrote to memory of 4108 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 2784 wrote to memory of 4108 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 2784 wrote to memory of 4108 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 2784 wrote to memory of 2844 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 2784 wrote to memory of 2844 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 2784 wrote to memory of 2844 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 2784 wrote to memory of 4140 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 2784 wrote to memory of 4140 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 2784 wrote to memory of 4140 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 2784 wrote to memory of 1824 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 2784 wrote to memory of 1824 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 2784 wrote to memory of 1824 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 2784 wrote to memory of 3312 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\395143\Situation.pif
PID 2784 wrote to memory of 3312 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\395143\Situation.pif
PID 2784 wrote to memory of 3312 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\395143\Situation.pif
PID 2784 wrote to memory of 1432 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 2784 wrote to memory of 1432 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 2784 wrote to memory of 1432 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 3312 wrote to memory of 3524 | N/A | C:\Users\Admin\AppData\Local\Temp\395143\Situation.pif | C:\Windows\SysWOW64\cmd.exe
PID 3312 wrote to memory of 3524 | N/A | C:\Users\Admin\AppData\Local\Temp\395143\Situation.pif | C:\Windows\SysWOW64\cmd.exe
PID 3312 wrote to memory of 3524 | N/A | C:\Users\Admin\AppData\Local\Temp\395143\Situation.pif | C:\Windows\SysWOW64\cmd.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\3b2d9552c63d3f16ccd2b16e2581bf02035149a52f221ffbaa6a3db26338f997.exe

"C:\Users\Admin\AppData\Local\Temp\3b2d9552c63d3f16ccd2b16e2581bf02035149a52f221ffbaa6a3db26338f997.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k copy Political Political.cmd & Political.cmd & exit

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa.exe opssvc.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 395143

C:\Windows\SysWOW64\findstr.exe

findstr /V "HoursInfectionsBradfordStanford" Tribunal

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Arrived + Algebra + Newcastle + Frequencies + June + Therefore 395143\Y

C:\Users\Admin\AppData\Local\Temp\395143\Situation.pif

395143\Situation.pif 395143\Y

C:\Windows\SysWOW64\timeout.exe

timeout 5

C:\Windows\SysWOW64\cmd.exe

cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AsclepiusConnect.url" & echo URL="C:\Users\Admin\AppData\Local\HealthSync Innovations\AsclepiusConnect.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AsclepiusConnect.url" & exit

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | PnOypdPQNoHlEEguKTXg.PnOypdPQNoHlEEguKTXg | udp
US | 8.8.8.8:53 | whisperginkowp.xyz | udp
US | 172.67.132.142:443 | whisperginkowp.xyz | tcp
US | 8.8.8.8:53 | potterryisiw.shop | udp
US | 104.21.26.77:443 | potterryisiw.shop | tcp
US | 8.8.8.8:53 | 142.132.67.172.in-addr.arpa | udp
US | 8.8.8.8:53 | foodypannyjsud.shop | udp
US | 104.21.49.164:443 | foodypannyjsud.shop | tcp
US | 8.8.8.8:53 | contintnetksows.shop | udp
US | 104.21.79.40:443 | contintnetksows.shop | tcp
US | 8.8.8.8:53 | swellfrrgwwos.xyz | udp
US | 8.8.8.8:53 | penetratedpoopp.xyz | udp
US | 8.8.8.8:53 | 164.49.21.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 77.26.21.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 40.79.21.104.in-addr.arpa | udp
US | 8.8.8.8:53 | ellaboratepwsz.xyz | udp
US | 8.8.8.8:53 | towerxxuytwi.xyz | udp
US | 8.8.8.8:53 | pedestriankodwu.xyz | udp
US | 8.8.8.8:53 | steamcommunity.com | udp
GB | 2.22.99.85:443 | steamcommunity.com | tcp
US | 8.8.8.8:53 | reinforcedirectorywd.shop | udp
US | 172.67.214.98:443 | reinforcedirectorywd.shop | tcp
US | 8.8.8.8:53 | 98.214.67.172.in-addr.arpa | udp
US | 8.8.8.8:53 | 85.99.22.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp

Files
