Analysis Overview
SHA256
3b2d9552c63d3f16ccd2b16e2581bf02035149a52f221ffbaa6a3db26338f997
Threat Level: Known bad
The file 3b2d9552c63d3f16ccd2b16e2581bf02035149a52f221ffbaa6a3db26338f997 was found to be: Known bad.
Malicious Activity Summary
Suspicious use of NtCreateUserProcessOtherParentProcess
Lumma Stealer
Drops startup file
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Delays execution with timeout.exe
Enumerates processes with tasklist
Suspicious behavior: EnumeratesProcesses
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-11 02:06
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-11 02:06
Reported
2024-07-11 02:07
Platform
win7-20240704-en
Max time kernel
17s
Max time network
19s
Command Line
Signatures
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1420 created 1240 | N/A | C:\Users\Admin\AppData\Local\Temp\395143\Situation.pif | C:\Windows\Explorer.EXE |
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AsclepiusConnect.url | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AsclepiusConnect.url | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\395143\Situation.pif | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Enumerates physical storage devices
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\395143\Situation.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\395143\Situation.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\395143\Situation.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\395143\Situation.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\395143\Situation.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\395143\Situation.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\395143\Situation.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\395143\Situation.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\395143\Situation.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\395143\Situation.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\395143\Situation.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\395143\Situation.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\395143\Situation.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\395143\Situation.pif | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\395143\Situation.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\395143\Situation.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\395143\Situation.pif | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\395143\Situation.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\395143\Situation.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\395143\Situation.pif | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\3b2d9552c63d3f16ccd2b16e2581bf02035149a52f221ffbaa6a3db26338f997.exe | "C:\Users\Admin\AppData\Local\Temp\3b2d9552c63d3f16ccd2b16e2581bf02035149a52f221ffbaa6a3db26338f997.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /k copy Political Political.cmd & Political.cmd & exit |
| C:\Windows\SysWOW64\tasklist.exe | tasklist |
| C:\Windows\SysWOW64\findstr.exe | findstr /I "wrsa.exe opssvc.exe" |
| C:\Windows\SysWOW64\tasklist.exe | tasklist |
| C:\Windows\SysWOW64\findstr.exe | findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe" |
| C:\Windows\SysWOW64\cmd.exe | cmd /c md 395143 |
| C:\Windows\SysWOW64\findstr.exe | findstr /V "HoursInfectionsBradfordStanford" Tribunal |
| C:\Windows\SysWOW64\cmd.exe | cmd /c copy /b Arrived + Algebra + Newcastle + Frequencies + June + Therefore 395143\Y |
| C:\Users\Admin\AppData\Local\Temp\395143\Situation.pif | 395143\Situation.pif 395143\Y |
| C:\Windows\SysWOW64\timeout.exe | timeout 5 |
| C:\Windows\SysWOW64\cmd.exe | cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AsclepiusConnect.url" & echo URL="C:\Users\Admin\AppData\Local\HealthSync Innovations\AsclepiusConnect.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AsclepiusConnect.url" & exit |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | PnOypdPQNoHlEEguKTXg.PnOypdPQNoHlEEguKTXg | udp |
Files
C:\Users\Admin\AppData\Local\Temp\Political
| MD5 | 5f12f130e6c21c7918956ba48be2253a |
| SHA1 | 4f415d6963b58431e8d6057e855595176517a4d4 |
| SHA256 | db920145f0d0df011e854105c6053f1308ef796122e60be1b40a9d9811055fd8 |
| SHA512 | 875ce0eb003d2acdd3407a53985ae25d2ca86707b72d8c79386a220bc474849cdb009eee6f1a4fefcce62c1aecd17a0aa00857568b031110149f2753b0e6f07b |
C:\Users\Admin\AppData\Local\Temp\Tribunal
| MD5 | de0af2dabeb00b5af2d148e6548682f9 |
| SHA1 | a0dae15ca11c2921b7a935ea4e66e5af527f221c |
| SHA256 | 5d54695fa969070bb5ae9bf5a92c8d5dfaeff9acc610e95885cec4447896de32 |
| SHA512 | 5f839f8cb3755bc0cbccab23bb32b71f6982a175d396e5463a03ca35ecf2d6c8d91ff586a7c6bc04f6435c332e424614d95d9c858194399ef1f53854492f32cb |
C:\Users\Admin\AppData\Local\Temp\Greg
| MD5 | 3ecd07f342e538de5cecc5484fbb7e60 |
| SHA1 | 7de81cc3aa2a56e28a5728ab5aefbfc04e80199a |
| SHA256 | a3308e30bf566a997ffbead0364fb8f4e20d1c78b8ccb29596285339173a842f |
| SHA512 | 1f83f052507678ebad2af659da53842542fb026bcd0f273b9b55439cd0e706db4d662fb5f15095ca76d09dfce8a4991f3344da365e7bd80bff56e94deb42036d |
C:\Users\Admin\AppData\Local\Temp\Modern
| MD5 | 9890ab611495674149f77d7e002a289d |
| SHA1 | 196667f70a0220987ddff024e9e30fe7be1a013c |
| SHA256 | adf7d9256354ff7adbf5df3bd4a412377bc6d3fa9123c29baec8e699a7729e7b |
| SHA512 | fcf81bc8df0bad884763528554da7bb49f8f407e2fe804d7fdf51b95a2aa790196c4617573a970e567bd5a43c1a1c7ed00ac4b53d6d90ec06640b47912e825ed |
C:\Users\Admin\AppData\Local\Temp\Ambient
| MD5 | 329c0e9c5a3030d88b2e7718adc70efc |
| SHA1 | f2549271578e28567132240458eee525f8344029 |
| SHA256 | 7dfffe1534f539dd69c01d549a8e7945236f182835c96eaba95763fb644670d3 |
| SHA512 | 6284b2f8f22b39799366437c0f404e6b775e0bd77abe0c98449520f2fce2a933da4127ff0d2acb27522d85c572c30a97accaadaee0b4f0216c39b9d3637351ee |
C:\Users\Admin\AppData\Local\Temp\Gi
| MD5 | a97bf57bda2df0b8f8fbe92a0749b480 |
| SHA1 | 9eaadbcf26bdbcdbc9b326d61b351183ea38584e |
| SHA256 | 832da74e6970e44149540053850f450fc304e45c11dfcafd476d7630f89f5e47 |
| SHA512 | c29e63472db5b384eaae3ff625af439685d333edd6f9ebac7f585787b858a4e694e84b14488e93df7c892c36f992036f8d9669213d56119a81d47d182e39fd83 |
C:\Users\Admin\AppData\Local\Temp\Respective
| MD5 | da1d2dfc1b0a7433401a70baa5c98815 |
| SHA1 | 20b4642bf4c5032b235cf799abfd15683fe747bc |
| SHA256 | f9c4f65ef4250a3d86d47150ba1d5cf3698fcecc1a846ff639c833a0aba2e05f |
| SHA512 | f47e111a42a06bf3953a73c3c922bbfcf1c1b6e4c5a36ac5e6f985307ede685ae47426ce1f1a9fda40a149a3facdffb78777658a83a4321b9a187e155bfb130a |
C:\Users\Admin\AppData\Local\Temp\Shipments
| MD5 | e37139d9c0065fefd53e5450190d255d |
| SHA1 | f9d79af76ff8a874799a5144bfe089ed4bab8bab |
| SHA256 | 822c6e118c91dd4fd5b5f73647166a3cf795a6584a6ca0803a082e8591e5fa4d |
| SHA512 | f869cc7351c05d9f8b519bfab35524bf4cd5da568e9c17feb33343d9d89721b784860035a8a676b18a83c54435da20f786ca4c60d3731d24fafd205e288715b8 |
C:\Users\Admin\AppData\Local\Temp\Continually
| MD5 | 9c6b453b6542b7744689673bbe5eb9df |
| SHA1 | 73c372c28c0b0d25ec474af7b95fb0fe44801185 |
| SHA256 | bd6fe81d09fe3ccaf5babf116661bc8f2c9fd941fd3b529f216178d30307ce5c |
| SHA512 | 9978e2f40cddad8703eab9ff6168a7e7b6e1c5bf5f7b539fe4fd892198d77e3df2fa63eacf6a7a7a2493c50ea2dbbded39da0300b280fa1eee54f9e243f9fa4b |
C:\Users\Admin\AppData\Local\Temp\Ward
| MD5 | 10b054278ef13a6067d1936b3b216d52 |
| SHA1 | 104188fe5ef2d0969ddaed3c160caf30a6353f34 |
| SHA256 | b2b07ecfb6e4a7cb381e47e354d78b35fdbdc1f978a7f2257b96bc1a462cabf3 |
| SHA512 | 5a48ab416c2a08e67479de2c91e30da347244e5ba9c3aa36b1ef9f6ddccb105de197ee1ea88d9a47c8cbb56fd0d8a43217ccacaeaff068c75d352b23f4c8544b |
C:\Users\Admin\AppData\Local\Temp\Threatened
| MD5 | ce2aebdbdb1460a6726907548eebff7b |
| SHA1 | 2bb332f66cdb41e6c414ed833fa5d95c5cb1018c |
| SHA256 | 1146e5508fca73615b29d2b5c9d15bef28a2fc7445efe5d84858a742a7cd96a5 |
| SHA512 | 942ab6ebc47d64467175cc92594db76e6c106f794bd74313d317c15df6a33137ddf579687354e2348a9812eb6d00cd1fb5b0f9ba00d9208eb1db3fad777b3be1 |
C:\Users\Admin\AppData\Local\Temp\Liabilities
| MD5 | b63a471bffbdf9da90d273b63a637787 |
| SHA1 | 323a48491fd1392938c538c43e6460f9027d39b8 |
| SHA256 | 933c2a98874ca5227d36c996524d34312f0dcae4b343150e6772dd26861c1f86 |
| SHA512 | 44dc6da6db7a04780d958877ef9ebc6f6031a58ac3988b60ef3d4d34ac532991ad9ee2f058c1a77e9ed27b7193d025fa268ddd9d352cfc30a25c962770a5fea3 |
C:\Users\Admin\AppData\Local\Temp\Luggage
| MD5 | ba208d40e43b7b5289aa7a75a3f96f41 |
| SHA1 | 23c3eb10abe126912f4fe2c757a7c3d4b011515e |
| SHA256 | a2a6d3e24282268eeb3ae68defe87f2d0373668c32a959486a59e20f6b7e32a7 |
| SHA512 | badd302e0688e4e5c29167a01d9bc280166183bd13b54d0e66b3f3130988550eadb842a19c21e2d77c784186ba070e2077af16dce24aa16b1807a27a8ade12eb |
C:\Users\Admin\AppData\Local\Temp\Murphy
| MD5 | 18b8d47668e42d97dad25f4348ce7978 |
| SHA1 | 1826f50fc81cb8c869ef85190aabf75a9e5e4c94 |
| SHA256 | afa44400d78b8d9152ea684363dfeab864517f8b560cb9e0c33bf4248eabe410 |
| SHA512 | 2089599c5233b5cf3b3924ed6f7ed438b8b23b317de0cca16efd26490fb2d0dfa9668226c3209a765662c71e20947003771286e90580cc69f4a38c22757740d9 |
C:\Users\Admin\AppData\Local\Temp\Except
| MD5 | b3664cdac405996d599d284c501200e3 |
| SHA1 | 2f63020e9bb6da2208d3717e6e40220627742956 |
| SHA256 | c2e249d990f00e24388a8a6cebe07c9a8dc894fd808f96ad09322bfd1071aea7 |
| SHA512 | f414ccbfd92270fc99ba83af7c44bb3bf3f0377dec7921e5595db8585e696af7647316081f22f92cd098733754bc610dede322bec16c182aeb06d60769e3e513 |
C:\Users\Admin\AppData\Local\Temp\Hospitality
| MD5 | bc142215eeeb8212b6b3b459dc043f68 |
| SHA1 | 02e3a407c1671fb8bd5e65796ff93573ff14a37d |
| SHA256 | ade420ffa2e119404857522304ecf571ccd765e0a6acbd037b39c326eee50752 |
| SHA512 | 7feabbbb88ea6ecddff1772f0027c1a223ca6b621fe205ec478185f3daa25a276552373e6886d8c514cb707dfbd23f4b69c388d32d9bf2fd722eb33288abefaf |
C:\Users\Admin\AppData\Local\Temp\Vital
| MD5 | ecf5af629b2736f70b0222870bcf33e7 |
| SHA1 | cff788cffa60655bece4ffa40ee6e1e70e406e61 |
| SHA256 | 0a87c23f3845cee1daec56341e25ab53db0b1f150ef9556f3d6bf476a19f7eae |
| SHA512 | a9039aa8f977eb3779247bcf576e618e96856fa72f6979059551758bc098236c28922b2bb1c96cbdbe4d5fc93d5a3a5346816ad4707ed27c82fffd2c4bcaaccc |
C:\Users\Admin\AppData\Local\Temp\Fog
| MD5 | 3cbdb805406510a163c5a097e001236d |
| SHA1 | ce654f4b9fc33396e9adf185116bdfd866d01a0c |
| SHA256 | ea91c3fdf35c997d094a71aba479205e659b06d721252d734cbdc44bc52cd33b |
| SHA512 | 727f768851bbbd4874658bd185bac06fc136900a871bfacd56c502b1e9e7284e6abf5f872207ed874790f2856b387197abbbfb49046b2cebee8c8075f2c9214d |
C:\Users\Admin\AppData\Local\Temp\Copyrighted
| MD5 | b811219d80209416126a3d824d4dd107 |
| SHA1 | bf10cd8b6ec628df7af120f55a047b1634cc9914 |
| SHA256 | 7903324b7d445f1cc108649d8f9b115f227eca2230071124e51ab35b401d944e |
| SHA512 | 4436cfc595a01044afa6e37f513b5e19da660d7a345bb4b1a97d4cd2f56f94fe2f06a1ccd60a2b4fb0ef22e4557457d8464c815a13ef3ea5a67ae58adad182eb |
C:\Users\Admin\AppData\Local\Temp\View
| MD5 | 6bcabed2119fcda2ad1351e34b33fd5f |
| SHA1 | b9afc0536df6d7b14d6f56f2d4d1b2f2f606f9d7 |
| SHA256 | f3a307ccd9a955dd1ee842c9ddddb5b23987433f7d041ed0fc014c84aa693c53 |
| SHA512 | c20f2ef863ff7e3482e5917cab238b01df42e5885b0bf09180d9530b1a2cfc827c35efd73bd994af31cc0bfa16c80abcbc49d74ebefb3d95f1305d22266307b9 |
C:\Users\Admin\AppData\Local\Temp\Scholars
| MD5 | 65c39c795896a326881f1f3bd50a2854 |
| SHA1 | c3fe82907a97a1a99f1972aed530cf94da5decf8 |
| SHA256 | ace1c7967cdc33794dc99711928f3397b060c61045289ee75b0c465bfc220ebb |
| SHA512 | c2a66f65dee5525d1882018ef2fd33c6a5b8016ce6e9182938d6bb73b3a949ee65103bb068bd49c87d75d2e74112751e489d7924dec79ac15e50284d05c429b1 |
C:\Users\Admin\AppData\Local\Temp\Opera
| MD5 | d73ede165226cb2b3764e6ed4a5aaedc |
| SHA1 | 7e8e7103e12e1db90e5bab866d168ccfdc068eab |
| SHA256 | fbcf085a6c821ca51e3206e3e5caba06d5c74620849a3da9e4716901a58e953e |
| SHA512 | 66e423c6e1b476311f31235212d025f0c588ec9378fa7de493f8323fc82862057f1e935f94c970f7166346ac0e86623162abddbbcfb07c2c404a616912caf59f |
C:\Users\Admin\AppData\Local\Temp\Cat
| MD5 | bf3122a7bfddf1156b3f7e64588e9368 |
| SHA1 | a4d000c2787f9d9bf3692712f5b6717ba1186375 |
| SHA256 | 012214bf9c6f5050b6d21abba12c44bf4c96db6940415d46967647fac9b3cb63 |
| SHA512 | 93d8adcfdb23c7120e3cbbb123c4fae00111325be7594870e6660b1543d384b5321c9274eb31519279d6afc3d25e47e1320f48aceda8dddbf281b99bea29902d |
C:\Users\Admin\AppData\Local\Temp\Hardly
| MD5 | fbe9eb05cd6768c40a895055024b45ca |
| SHA1 | 8630b3e4a0fc4d528fc21c87c0ba8a7d6a35dbdd |
| SHA256 | 554c2b1ff01c49b8e3a0ee57f0ee82c67a30324cabde352dd24d6a31c870a960 |
| SHA512 | 7f4edc5bbc43b3770933b4023a0db23398877a7333aa4eae299bfddc787df170848ab5da1ab7884ec5897695fe9dd91a98c82c34ca60c4d907ffa3e14499547f |
C:\Users\Admin\AppData\Local\Temp\Sand
| MD5 | 71c733e8b5b8e036671a5204162bd0fd |
| SHA1 | f7f3dbbf615a68df2b52c468427b6d4addb5d031 |
| SHA256 | 255758438ba25147ec138c198ae0ecd261fc3f3b1d62d9b778634c31898cbc13 |
| SHA512 | b225cddbc6fec68f26bf4d46750df34049cbf0091c79fb2f25e714cef268e9a7f35b610575e3716824105e6a84c9c6125a5f82c31076c455ad67bef700cdb63f |
C:\Users\Admin\AppData\Local\Temp\Guru
| MD5 | 792477bb59d9b554274bf28d936efc74 |
| SHA1 | 21ee1e6265f5a72c12cd7d9751d6201b793b8ad2 |
| SHA256 | 630007a5729487c12adc2dcfff3f36b6c817ebaf2e4dacf9d0f0dc983e0fd529 |
| SHA512 | 131cbfc54bf6a2d11cc92eaeb1a81e6ef9ca7387c31ecc98c916ec4dd2286b2d8f304eddfe13e3fffcf84259260ecacc648cdbbd95dc4da83e09d3cf45e14b90 |
C:\Users\Admin\AppData\Local\Temp\Periodically
| MD5 | bfd4a90a068ce4e09ec7462035252291 |
| SHA1 | 4522d908766ced6140c45cb11fa90e7914c012f3 |
| SHA256 | a150383e93ca874fa86cdecd4625f8570118f504669a8a2b18ff85b844517a13 |
| SHA512 | d173db8467c000d3aabfb46d4559d3b1116fc64ee195410705935ab35934482c7f4c2673fd24f74092835acf4f5a3c62a7a537d1d2a8a53c22658906a12b295f |
C:\Users\Admin\AppData\Local\Temp\Finished
| MD5 | c8270b8df541d73ae50b3d6bfa274ec1 |
| SHA1 | ffbf025714421c416c0c39089cc50b48850b8467 |
| SHA256 | 7de1e550b196d943af05d5fc959cc91af893992f5f9bd8149ae11a08e40ccbfe |
| SHA512 | 89d7730bc35984b0b3742fb1c528256a6eb78b521e3cf366bfaee7ab11904bf90d859133c3eb87d767300135728d1883a3c4f809092a651c6009ac92453a37bc |
C:\Users\Admin\AppData\Local\Temp\Amazon
| MD5 | 09f0d100ad4c0a762e928b37c87bcb1f |
| SHA1 | 0adef098386d02d315310a68d99ed8360795d8bc |
| SHA256 | b877260e7c7f801bc4beb7946cba2eafc9e35552e47d8c2a79f8eabaf991f89a |
| SHA512 | 871d46bd48b549b7e37743bebe91d3c70f42838270002e408c758d8ad2e783778d286ad5d6e3e57be72444153cdf5da95511abbd5fd1fd62d22459b4adce1667 |
C:\Users\Admin\AppData\Local\Temp\Required
| MD5 | b9c1ac31a98468de3a82d0a37e26589c |
| SHA1 | 88d1a5d2b1cab857a5710df6acd12a28c2ee6ea4 |
| SHA256 | bc6d515e6ee67909eeab8455ddba45ed12dd82c0bcfc367ad6568c7276b9eb6c |
| SHA512 | 4fdce06f2ffa1048ebf1d0a5ddf7fea5147c0c466b7b333f0a1ef8652c111c9d63c98f8209d8c3b600535d9686a41cda199ee68101bf86bbba61f1eb7eb778c6 |
C:\Users\Admin\AppData\Local\Temp\Und
| MD5 | ea922b2f08d7f38b5404edf4e3875bf2 |
| SHA1 | cba11424da4843aa5844a7465f7a4e21e9a78c5d |
| SHA256 | eeb890caae35f6b44e93a5fa52dc8db4c17411ab1c55abaa74c36488fa01301e |
| SHA512 | 7587769c001e0e08d35a62c1504b9617becb59bd25a7180ac399c08663c8b0c19b61a3aeda3e07d3e7036311f9cd7a8934a9252b20d2c418f234276cf4b9a3f0 |
C:\Users\Admin\AppData\Local\Temp\Arrived
| MD5 | 5c5f97a51d232e7c285357acf7479db7 |
| SHA1 | f8948d8317918318acbdd8322449f6eb293876f9 |
| SHA256 | b7622bd4b9f2ff575d66cb60492316ab489dab6754de12e1e7aebcb2c01b8707 |
| SHA512 | 06c31c0ce3d269dc1f4c1cf9a471103a3253aef85895dca556b9875a4d503ce07a67eeb4cdefaa8e03bcd7fc06e2fea0485d110c58a1483fbf5d945ec6aec62d |
C:\Users\Admin\AppData\Local\Temp\Algebra
| MD5 | 8b307b862f3a190086dbf0a378e02719 |
| SHA1 | 20607a9f59827c4d8fcc580ed9ac4bc25c95ac27 |
| SHA256 | ed17a9a60cbba30e49e4e9f11fd27cb70d766fd2ddcc9fec953833395927a10a |
| SHA512 | d0ce2dfc8ae6acafb5ae4c92f7ce668a872f5b28dffc26db686295218a8e700abc202e6567f6893958a61e2903ecf8acc0ef66cf50d6742ad76517df8602d985 |
C:\Users\Admin\AppData\Local\Temp\Newcastle
| MD5 | 1d15b76a8009684ba025f6fb7818712b |
| SHA1 | 2aead836acb328646b581faa9840022b7a17fb50 |
| SHA256 | 367edecccb7ba1c0cabd380d26ae29e9af4459966b93980754070f59ac2e6bb3 |
| SHA512 | 8ac1a9d53cf73bf9a035b944d2eefa77eee1633c62293a9322ab30a4be3aea491180a791bc2b9b14fabc327d70a88e2f89e99eba01ecc82a4012ef99aed2d508 |
C:\Users\Admin\AppData\Local\Temp\Frequencies
| MD5 | 9f985bd3c2887feb8fb0e4b7dcb263c0 |
| SHA1 | d76201b00743d4d401e951447ffc11702f4a762e |
| SHA256 | 1d9868f3f53668e7b4975ccaca0a78fe17804217a9c1e8582a77138eac13ea4d |
| SHA512 | 52804a29bced75a90bafa10475baf0848141427e2468db0f279282c79cd01ce581448c8adb275b4ff8879715350d83480079014aa71133659049c0bc89538bff |
C:\Users\Admin\AppData\Local\Temp\June
| MD5 | 146fcc97c0f9cd5d1000b00328699d1e |
| SHA1 | d64bdd06dcfa4dff09cc8450442b8de7536cabfe |
| SHA256 | 50fbb533262a5eb21bf27034bfadf727cbd74abe3f8e4a9429c57b3f7f4a12d6 |
| SHA512 | d8a0d75a97d0745833477a2fef4b75a9825dabdc641e38263936405cc1cb55953836e59cba1e839798d4f25a6e4c786e769f3c4ef3d1047bf279c4b28132693c |
C:\Users\Admin\AppData\Local\Temp\Therefore
| MD5 | 94dea993492c68a3d2b5fa684d04f5f5 |
| SHA1 | 38212f101a050d11ca240380322dc473cca70cf9 |
| SHA256 | 91a4be190363384ad345794bf67e9cbf2076fc2c1a6f3da8502ded5dede05dc3 |
| SHA512 | 64f7dc8bf09a3a8b5e9b5675714cf29e4cfc4117a08afd33a2f07dbb3a66516d508d22f21cb3834a172b781bfd40b91a52e3972c0f24e428c9dbb96916f7cad1 |
\Users\Admin\AppData\Local\Temp\395143\Situation.pif
| MD5 | b06e67f9767e5023892d9698703ad098 |
| SHA1 | acc07666f4c1d4461d3e1c263cf6a194a8dd1544 |
| SHA256 | 8498900e57a490404e7ec4d8159bee29aed5852ae88bd484141780eaadb727bb |
| SHA512 | 7972c78acebdd86c57d879c12cb407120155a24a52fda23ddb7d9e181dd59dac1eb74f327817adbc364d37c8dc704f8236f3539b4d3ee5a022814924a1616943 |
C:\Users\Admin\AppData\Local\Temp\395143\Y
| MD5 | 210c564d31169e586e56131b0d33878b |
| SHA1 | 41c9d765de37e3b9a7f07a2a468e6ca8ac63ff94 |
| SHA256 | dc10b09237fbb140149128c46df7a9451b302e945eb399b06c0e4c64196ee92e |
| SHA512 | bd8625e4571f428336f975cabbfec9c955b842183a2ab9bd11702aeb0e12220c1ccd5554040013fa1f5ea59b22c9db56dc77547b54ed16b95b0339d9fb2df021 |
memory/1420-656-0x0000000003620000-0x0000000003677000-memory.dmp
memory/1420-660-0x0000000003620000-0x0000000003677000-memory.dmp
memory/1420-659-0x0000000003620000-0x0000000003677000-memory.dmp
memory/1420-658-0x0000000003620000-0x0000000003677000-memory.dmp
memory/1420-657-0x0000000003620000-0x0000000003677000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-11 02:06
Reported
2024-07-11 02:07
Platform
win10v2004-20240709-en
Max time kernel
33s
Max time network
49s
Command Line
Signatures
Lumma Stealer
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3312 created 3468 | N/A | C:\Users\Admin\AppData\Local\Temp\395143\Situation.pif | C:\Windows\Explorer.EXE |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3b2d9552c63d3f16ccd2b16e2581bf02035149a52f221ffbaa6a3db26338f997.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AsclepiusConnect.url | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AsclepiusConnect.url | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\395143\Situation.pif | N/A |
Enumerates physical storage devices
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\395143\Situation.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\395143\Situation.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\395143\Situation.pif | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\395143\Situation.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\395143\Situation.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\395143\Situation.pif | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\3b2d9552c63d3f16ccd2b16e2581bf02035149a52f221ffbaa6a3db26338f997.exe | "C:\Users\Admin\AppData\Local\Temp\3b2d9552c63d3f16ccd2b16e2581bf02035149a52f221ffbaa6a3db26338f997.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /k copy Political Political.cmd & Political.cmd & exit |
| C:\Windows\SysWOW64\tasklist.exe | tasklist |
| C:\Windows\SysWOW64\findstr.exe | findstr /I "wrsa.exe opssvc.exe" |
| C:\Windows\SysWOW64\tasklist.exe | tasklist |
| C:\Windows\SysWOW64\findstr.exe | findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe" |
| C:\Windows\SysWOW64\cmd.exe | cmd /c md 395143 |
| C:\Windows\SysWOW64\findstr.exe | findstr /V "HoursInfectionsBradfordStanford" Tribunal |
| C:\Windows\SysWOW64\cmd.exe | cmd /c copy /b Arrived + Algebra + Newcastle + Frequencies + June + Therefore 395143\Y |
| C:\Users\Admin\AppData\Local\Temp\395143\Situation.pif | 395143\Situation.pif 395143\Y |
| C:\Windows\SysWOW64\timeout.exe | timeout 5 |
| C:\Windows\SysWOW64\cmd.exe | cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AsclepiusConnect.url" & echo URL="C:\Users\Admin\AppData\Local\HealthSync Innovations\AsclepiusConnect.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AsclepiusConnect.url" & exit |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | PnOypdPQNoHlEEguKTXg.PnOypdPQNoHlEEguKTXg | udp |
| US | 8.8.8.8:53 | whisperginkowp.xyz | udp |
| US | 172.67.132.142:443 | whisperginkowp.xyz | tcp |
| US | 8.8.8.8:53 | potterryisiw.shop | udp |
| US | 104.21.26.77:443 | potterryisiw.shop | tcp |
| US | 8.8.8.8:53 | 142.132.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | foodypannyjsud.shop | udp |
| US | 104.21.49.164:443 | foodypannyjsud.shop | tcp |
| US | 8.8.8.8:53 | contintnetksows.shop | udp |
| US | 104.21.79.40:443 | contintnetksows.shop | tcp |
| US | 8.8.8.8:53 | swellfrrgwwos.xyz | udp |
| US | 8.8.8.8:53 | penetratedpoopp.xyz | udp |
| US | 8.8.8.8:53 | 164.49.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.26.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 40.79.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ellaboratepwsz.xyz | udp |
| US | 8.8.8.8:53 | towerxxuytwi.xyz | udp |
| US | 8.8.8.8:53 | pedestriankodwu.xyz | udp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 2.22.99.85:443 | steamcommunity.com | tcp |
| US | 8.8.8.8:53 | reinforcedirectorywd.shop | udp |
| US | 172.67.214.98:443 | reinforcedirectorywd.shop | tcp |
| US | 8.8.8.8:53 | 98.214.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 85.99.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\Political
| MD5 | 5f12f130e6c21c7918956ba48be2253a |
| SHA1 | 4f415d6963b58431e8d6057e855595176517a4d4 |
| SHA256 | db920145f0d0df011e854105c6053f1308ef796122e60be1b40a9d9811055fd8 |
| SHA512 | 875ce0eb003d2acdd3407a53985ae25d2ca86707b72d8c79386a220bc474849cdb009eee6f1a4fefcce62c1aecd17a0aa00857568b031110149f2753b0e6f07b |
C:\Users\Admin\AppData\Local\Temp\Tribunal
| MD5 | de0af2dabeb00b5af2d148e6548682f9 |
| SHA1 | a0dae15ca11c2921b7a935ea4e66e5af527f221c |
| SHA256 | 5d54695fa969070bb5ae9bf5a92c8d5dfaeff9acc610e95885cec4447896de32 |
| SHA512 | 5f839f8cb3755bc0cbccab23bb32b71f6982a175d396e5463a03ca35ecf2d6c8d91ff586a7c6bc04f6435c332e424614d95d9c858194399ef1f53854492f32cb |
C:\Users\Admin\AppData\Local\Temp\Greg
| MD5 | 3ecd07f342e538de5cecc5484fbb7e60 |
| SHA1 | 7de81cc3aa2a56e28a5728ab5aefbfc04e80199a |
| SHA256 | a3308e30bf566a997ffbead0364fb8f4e20d1c78b8ccb29596285339173a842f |
| SHA512 | 1f83f052507678ebad2af659da53842542fb026bcd0f273b9b55439cd0e706db4d662fb5f15095ca76d09dfce8a4991f3344da365e7bd80bff56e94deb42036d |
C:\Users\Admin\AppData\Local\Temp\Modern
| MD5 | 9890ab611495674149f77d7e002a289d |
| SHA1 | 196667f70a0220987ddff024e9e30fe7be1a013c |
| SHA256 | adf7d9256354ff7adbf5df3bd4a412377bc6d3fa9123c29baec8e699a7729e7b |
| SHA512 | fcf81bc8df0bad884763528554da7bb49f8f407e2fe804d7fdf51b95a2aa790196c4617573a970e567bd5a43c1a1c7ed00ac4b53d6d90ec06640b47912e825ed |
C:\Users\Admin\AppData\Local\Temp\Ambient
| MD5 | 329c0e9c5a3030d88b2e7718adc70efc |
| SHA1 | f2549271578e28567132240458eee525f8344029 |
| SHA256 | 7dfffe1534f539dd69c01d549a8e7945236f182835c96eaba95763fb644670d3 |
| SHA512 | 6284b2f8f22b39799366437c0f404e6b775e0bd77abe0c98449520f2fce2a933da4127ff0d2acb27522d85c572c30a97accaadaee0b4f0216c39b9d3637351ee |
C:\Users\Admin\AppData\Local\Temp\Gi
| MD5 | a97bf57bda2df0b8f8fbe92a0749b480 |
| SHA1 | 9eaadbcf26bdbcdbc9b326d61b351183ea38584e |
| SHA256 | 832da74e6970e44149540053850f450fc304e45c11dfcafd476d7630f89f5e47 |
| SHA512 | c29e63472db5b384eaae3ff625af439685d333edd6f9ebac7f585787b858a4e694e84b14488e93df7c892c36f992036f8d9669213d56119a81d47d182e39fd83 |
C:\Users\Admin\AppData\Local\Temp\Respective
| MD5 | da1d2dfc1b0a7433401a70baa5c98815 |
| SHA1 | 20b4642bf4c5032b235cf799abfd15683fe747bc |
| SHA256 | f9c4f65ef4250a3d86d47150ba1d5cf3698fcecc1a846ff639c833a0aba2e05f |
| SHA512 | f47e111a42a06bf3953a73c3c922bbfcf1c1b6e4c5a36ac5e6f985307ede685ae47426ce1f1a9fda40a149a3facdffb78777658a83a4321b9a187e155bfb130a |
C:\Users\Admin\AppData\Local\Temp\Shipments
| MD5 | e37139d9c0065fefd53e5450190d255d |
| SHA1 | f9d79af76ff8a874799a5144bfe089ed4bab8bab |
| SHA256 | 822c6e118c91dd4fd5b5f73647166a3cf795a6584a6ca0803a082e8591e5fa4d |
| SHA512 | f869cc7351c05d9f8b519bfab35524bf4cd5da568e9c17feb33343d9d89721b784860035a8a676b18a83c54435da20f786ca4c60d3731d24fafd205e288715b8 |
C:\Users\Admin\AppData\Local\Temp\Continually
| MD5 | 9c6b453b6542b7744689673bbe5eb9df |
| SHA1 | 73c372c28c0b0d25ec474af7b95fb0fe44801185 |
| SHA256 | bd6fe81d09fe3ccaf5babf116661bc8f2c9fd941fd3b529f216178d30307ce5c |
| SHA512 | 9978e2f40cddad8703eab9ff6168a7e7b6e1c5bf5f7b539fe4fd892198d77e3df2fa63eacf6a7a7a2493c50ea2dbbded39da0300b280fa1eee54f9e243f9fa4b |
C:\Users\Admin\AppData\Local\Temp\Ward
| MD5 | 10b054278ef13a6067d1936b3b216d52 |
| SHA1 | 104188fe5ef2d0969ddaed3c160caf30a6353f34 |
| SHA256 | b2b07ecfb6e4a7cb381e47e354d78b35fdbdc1f978a7f2257b96bc1a462cabf3 |
| SHA512 | 5a48ab416c2a08e67479de2c91e30da347244e5ba9c3aa36b1ef9f6ddccb105de197ee1ea88d9a47c8cbb56fd0d8a43217ccacaeaff068c75d352b23f4c8544b |
C:\Users\Admin\AppData\Local\Temp\Threatened
| MD5 | ce2aebdbdb1460a6726907548eebff7b |
| SHA1 | 2bb332f66cdb41e6c414ed833fa5d95c5cb1018c |
| SHA256 | 1146e5508fca73615b29d2b5c9d15bef28a2fc7445efe5d84858a742a7cd96a5 |
| SHA512 | 942ab6ebc47d64467175cc92594db76e6c106f794bd74313d317c15df6a33137ddf579687354e2348a9812eb6d00cd1fb5b0f9ba00d9208eb1db3fad777b3be1 |
C:\Users\Admin\AppData\Local\Temp\Liabilities
| MD5 | b63a471bffbdf9da90d273b63a637787 |
| SHA1 | 323a48491fd1392938c538c43e6460f9027d39b8 |
| SHA256 | 933c2a98874ca5227d36c996524d34312f0dcae4b343150e6772dd26861c1f86 |
| SHA512 | 44dc6da6db7a04780d958877ef9ebc6f6031a58ac3988b60ef3d4d34ac532991ad9ee2f058c1a77e9ed27b7193d025fa268ddd9d352cfc30a25c962770a5fea3 |
C:\Users\Admin\AppData\Local\Temp\Luggage
| MD5 | ba208d40e43b7b5289aa7a75a3f96f41 |
| SHA1 | 23c3eb10abe126912f4fe2c757a7c3d4b011515e |