Analysis

  • max time kernel
    132s
  • max time network
    129s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11-07-2024 05:05

General

  • Target

    https://ibf.tw/3Lbmp

Score
10/10

Malware Config

Extracted

Family

lumma

C2

Signatures

  • Lumma Stealer

    An infostealer written in C++ first seen in August 2022.

  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 53 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://ibf.tw/3Lbmp
    1⤵
    • Enumerates system info in registry
    • NTFS ADS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4744
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffab1f046f8,0x7ffab1f04708,0x7ffab1f04718
      2⤵
      PID:3384
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,13643065175078630790,1639979872713820373,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
      2⤵
      PID:4908
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,13643065175078630790,1639979872713820373,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2388 /prefetch:3
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2160
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,13643065175078630790,1639979872713820373,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2660 /prefetch:8
      2⤵
      PID:948
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,13643065175078630790,1639979872713820373,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
      2⤵
      PID:3776
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,13643065175078630790,1639979872713820373,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
      2⤵
      PID:2104
    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,13643065175078630790,1639979872713820373,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5272 /prefetch:8
      2⤵
      PID:3288
    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,13643065175078630790,1639979872713820373,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5272 /prefetch:8
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:4644
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,13643065175078630790,1639979872713820373,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4716 /prefetch:1
      2⤵
      PID:2892
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,13643065175078630790,1639979872713820373,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5372 /prefetch:1
      2⤵
      PID:3344
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2092,13643065175078630790,1639979872713820373,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3348 /prefetch:8
      2⤵
      PID:4536
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,13643065175078630790,1639979872713820373,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1
      2⤵
      PID:1064
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2092,13643065175078630790,1639979872713820373,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6032 /prefetch:8
      2⤵
      PID:4700
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,13643065175078630790,1639979872713820373,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6092 /prefetch:1
      2⤵
      PID:2208
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,13643065175078630790,1639979872713820373,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6080 /prefetch:1
      2⤵
      PID:1248
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2092,13643065175078630790,1639979872713820373,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6436 /prefetch:8
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1396
    • C:\Users\Admin\Downloads\Trust Launcher.exe
      "C:\Users\Admin\Downloads\Trust Launcher.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:3224
      • C:\Users\Admin\AppData\Roaming\5a1sgpgc.2vo.exe
        "C:\Users\Admin\AppData\Roaming\5a1sgpgc.2vo.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        PID:2788
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /k copy Invision Invision.cmd & Invision.cmd & exit
          4⤵
          PID:4216
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist
            5⤵
            • Enumerates processes with tasklist
            • Suspicious use of AdjustPrivilegeToken
            PID:4136
          • C:\Windows\SysWOW64\findstr.exe
            findstr /I "wrsa.exe opssvc.exe"
            5⤵
            PID:4048
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist
            5⤵
            • Enumerates processes with tasklist
            • Suspicious use of AdjustPrivilegeToken
            PID:4816
          • C:\Windows\SysWOW64\findstr.exe
            findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe"
            5⤵
            PID:336
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c md 622814
            5⤵
            PID:2092
          • C:\Windows\SysWOW64\findstr.exe
            findstr /V "hophierarchychildrensfour" Close
            5⤵
            PID:4664
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c copy /b Figure + Giant + Realm + Weapon 622814\e
            5⤵
            PID:3504
          • C:\Users\Admin\AppData\Local\Temp\622814\Stockholm.pif
            622814\Stockholm.pif 622814\e
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            PID:2700
          • C:\Windows\SysWOW64\timeout.exe
            timeout 5
            5⤵
            • Delays execution with timeout.exe
            PID:620
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,13643065175078630790,1639979872713820373,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4816 /prefetch:2
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:3108
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:3044
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:4040
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:3012
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /7
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:3872

Network

MITRE ATT&CK Enterprise v15


Downloads


                                                SHA512

                                                98a5f9834245d89f05aef2077a5306bfda4c44aed16b8a116b1295bbfc248d1a9d9e06bd0db7e0fcab81dac9b4483c5728f7adc9bf608850b74b89a06c2dea92

                                              • C:\Users\Admin\AppData\Local\Temp\Close

                                                Filesize

                                                166B

                                                MD5

                                                fddd5bae9019ac4a197c26d8944bb5d1

                                                SHA1

                                                5460f00dcc6933fdc62553ab956e82b338972c8e

                                                SHA256

                                                6860467d64e2a7362de6e1c55e85598a86f9fe15e6c54f5ceaeefd5dc4fba563

                                                SHA512

                                                55abe3af6cfca3402982d3cbf4ff2172b6a552f626f980b5529c9f717aaae4df783afa820441a4a524cd4fee85af7a257b7ceeb415821445f17f52e1b17f2322

                                              • C:\Users\Admin\AppData\Local\Temp\Completed

                                                Filesize

                                                5KB

                                                MD5

                                                2974a3776121de0ff4af26b3a61f2404

                                                SHA1

                                                dcb283d4818bb93817f46073ad1134859aaf675e

                                                SHA256

                                                9f50b41bb9e5ba70cc52504397108fd09ea615f81648c53f5b639ee65b3aeaa7

                                                SHA512

                                                cfe74b89ea5e77aa4d1cd12420490e656e9790d6a741b479605e1d66ea0a82a8b9203277b9c71bfbe1599d7a33390084bb6e0fc59f5ce390bd32d1ad46b949da

                                              • C:\Users\Admin\AppData\Local\Temp\Crack

                                                Filesize

                                                51KB

                                                MD5

                                                ec57171d25cb585020d8cacddec8d0e7

                                                SHA1

                                                c4c31f8737cf02466e4c8ab36bf112f5ffc501f0

                                                SHA256

                                                f01c60c8a2e6ed32e58f5ccc2af697a9f7474074529adcd0f2ce2620db9c08f4

                                                SHA512

                                                b20c7f6edc5980c06534a8ea08a0077ab41ce07f91e8b4cb9858f8b032809a867bcf402ed77e917b54665c2712334be6af33fc1467fbe097bbfcf4b406120fbc

                                              • C:\Users\Admin\AppData\Local\Temp\Doe

                                                Filesize

                                                49KB

                                                MD5

                                                95eda64bc162b005b8868c77107b844c

                                                SHA1

                                                1dde05abd0e55bfabd55d2ad5720dba15003dcea

                                                SHA256

                                                0d1dda9cc11bcfad0877b168726e95c69aee15ecf32029bd32bf37df19b29666

                                                SHA512

                                                2e18168865520ed59fc8467b7099cb24f5b41b7a557f4e938f02018bba12095e5048bc36e07738d723c58091fe4ae6aa3121bb0409831bb78639f41f186c7e1d

                                              • C:\Users\Admin\AppData\Local\Temp\Extras

                                                Filesize

                                                7KB

                                                MD5

                                                ca4270d699eb0ddaf60f97c8931bfc37

                                                SHA1

                                                5052bb712499b3f93ebb88b36ae07071489117c2

                                                SHA256

                                                2586c6793bf69b70fb7dc6e3c1c3dcb1392d18dd27fc757c52459de6d2b2ec25

                                                SHA512

                                                b7ccdd38b9a4e85d420d114ef0d0c588da1cd9988ac0f6645cbca9e7ffeef80b63f0d9eaba5f77f2a2113f2c1dac7b2ed00bb3dfc3b7ddfe14fe4d6ab5a8678e

                                              • C:\Users\Admin\AppData\Local\Temp\Figure

                                                Filesize

                                                181KB

                                                MD5

                                                e4fee1c5de030b78acbfcf715ae5ad55

                                                SHA1

                                                217654be1469e0a54a663742115f0ecf8d31053d

                                                SHA256

                                                4bf3c79babba096fb1f6190857da49310f51a3b743aac3e64c14c995e90b3807

                                                SHA512

                                                e97e48f4f01f44ecfbe23150d72583850fb675bb2a936022c7efc69c88451cc4d42742a59c074f97f999c942d90557fdebde0e82625b34e9fbd81da8a332b36d

                                              • C:\Users\Admin\AppData\Local\Temp\Four

                                                Filesize

                                                6KB

                                                MD5

                                                14cbdbd43de0b6d63c087119f4fdd80d

                                                SHA1

                                                e1ed33a79e9be261d5c68812d36e7c3860508403

                                                SHA256

                                                7102938b273ea82d8db39b5ff476c56793677ce175cffe72ab250bab3db97804

                                                SHA512

                                                05c5da429afa87bec26817e011391a54ff133aca29d0506af14c97a22861595c6af2e3d5f607124f2392b78af812a5cef92e7ed9f438aaf9215d264dcb5542c4

                                              • C:\Users\Admin\AppData\Local\Temp\Frank

                                                Filesize

                                                27KB

                                                MD5

                                                1c1561abe23a61fc6971de6bff07020d

                                                SHA1

                                                e9ca9aba0fb64ac201b12ac13addb6d0fd1397f1

                                                SHA256

                                                501e0d995c4e628c03f9fb7ec72dd8c654b6d13618e72c790e3a163dcc0a0c6b

                                                SHA512

                                                3e4a1aaad536d1828caaeba0f7f774cca44dfb24b6657c03e2e4e88b3fc904074a5a8c0c3cce22c9b8d1e055ba8b47d0cb24b2c481a7781516677e8bd587a42d

                                              • C:\Users\Admin\AppData\Local\Temp\Functioning

                                                Filesize

                                                54KB

                                                MD5

                                                8e9f571afaaaa2312f5e902a8194a335

                                                SHA1

                                                0e514ab6750b6f4c00e5b828f57b68e4eb41e4f6

                                                SHA256

                                                d7d36c1fd43de3c93869f2015e29386a234faea9f9c3e2aa18d240834e36a723

                                                SHA512

                                                bf3be6b891b4b5039439ef6db81dd80f675dc834d05d45cd8f7bee3d2818baa59639289350abbd519451789b8864e5790b99cdd8602240a46098a9409bf2250f

                                              • C:\Users\Admin\AppData\Local\Temp\Ga

                                                Filesize

                                                46KB

                                                MD5

                                                fc5b5c4895f21b3f1d53ab1ceb41b053

                                                SHA1

                                                927c30832191ff5b2ab98521f8ec42bcec2a5ad1

                                                SHA256

                                                7f37cc5de00dd606cd81cb98bc57ff42df2428cdcefcb6ff8f02cb6791a4b604

                                                SHA512

                                                786656a7e582395d649b58ad4b48a4782d378f279493a017b1161638f892c9abef8d6812af82a630e60d396a116fd061ac80e860e34d63f669d7da4725d7fcb1

                                              • C:\Users\Admin\AppData\Local\Temp\Gay

                                                Filesize

                                                8KB

                                                MD5

                                                e473cb4d32454de289570e72449b46cd

                                                SHA1

                                                b887710f9baebf5ba07a9bfcd620a7f2f12bbb34

                                                SHA256

                                                29ad8606520a87efbf25527cd0d22b92963d65fef45dace7c78fa09714ac0195

                                                SHA512

                                                e45125ea88cdb30af17761688fbc986f6d78441b27e80d184fd946e8c5dae87203d943977bfc077a974cae026f121c881efade3863c2e018b14b908df8b3fbfe

                                              • C:\Users\Admin\AppData\Local\Temp\Giant

                                                Filesize

                                                41KB

                                                MD5

                                                5a95cd6ebb447b6d1458e19d54a1bea9

                                                SHA1

                                                0c6b6436d1033e97fb469279f39b877a47f3e74b

                                                SHA256

                                                b94db5888d3655d56369ec0fad7f767d3e35ecd7d115544dd520786403cf8cc5

                                                SHA512

                                                040832ac89d1f540ab50c7042d3df3a20ac4d95f8db770b4de3c156d19ff42736687160d4d7ffca9df5cd31a5fec442b4a92f1fffd36d7ca8ac691581a2bff51

                                              • C:\Users\Admin\AppData\Local\Temp\Hair

                                                Filesize

                                                69KB

                                                MD5

                                                4c20543e6137dd6bb2189482b02ca073

                                                SHA1

                                                4fbe6d8305c4b28e44330d5ad3b15f94d487d79f

                                                SHA256

                                                217ada2347aab3bc1cab4efb945371e8102ea11be07248ec34c9d709e971d535

                                                SHA512

                                                3850126336deb39a22bc05d970b9129f0a485f06fb0a6db29617d9dfc497a9d2cd06f1509be30e532c4fa1e3bb0ae7230a03353ede2b059dd71ab40674085cdd

                                              • C:\Users\Admin\AppData\Local\Temp\Hydrogen

                                                Filesize

                                                61KB

                                                MD5

                                                25555d9adbfe77a93e02ed0aea4b70ac

                                                SHA1

                                                b6136ab724b57bb0ce3aefa49cc742ae34d694f5

                                                SHA256

                                                cbd0eabd3f26ca1ce25a3385a6b75b3fb49ed04ce6bbf63749e3229ddb527c2e

                                                SHA512

                                                685f62f68462f1225bc6b6cc434ac8ab85ce3e3a47eea24415b1f505098394381eca6b8a3f19138e27364bc693bdcb2f9c53090aa8bf4acea7be4539dfcb7903

                                              • C:\Users\Admin\AppData\Local\Temp\Insider

                                                Filesize

                                                35KB

                                                MD5

                                                d43818576168fbadaa89df997710407e

                                                SHA1

                                                b9018909cf7a8c3208b0819ac2575b20fcf13f7d

                                                SHA256

                                                5255752930a5b78a905850f08f2c0876932e7ebd38f7939c4d503566cc51ebe4

                                                SHA512

                                                adf0cb98cd49579f9ee6c6cab8ce0f13a012096289adaea9fcff95a24c59f9a9d6d9847a24603a48be727269982519ca78f89eca82ba00beab0e01f40097d1ab

                                              • C:\Users\Admin\AppData\Local\Temp\Invision

                                                Filesize

                                                16KB

                                                MD5

                                                dcd6244f36dbb6cb09977c90c3f08e20

                                                SHA1

                                                5989ff1e3ab91157e3cd8b9baa8256bae1255c42

                                                SHA256

                                                413373ebd5dc4adb95caa56c4f923f9b213357038a23fce617894cbbc7d4bb37

                                                SHA512

                                                9bebba4f6d47956643f335fd4ba308089af5219bf20ddbd8b53ab5bd4050cf81b3054ff53c93d4490c7fbbd1b42abceba2388f019376c46a8add5773c5315b41

                                              • C:\Users\Admin\AppData\Local\Temp\Issue

                                                Filesize

                                                38KB

                                                MD5

                                                1e7217ae13ed72520376be8165ded9f2

                                                SHA1

                                                36bfef64fb0210ddac354fd6f9f46e9fd8aa73cd

                                                SHA256

                                                2aaf0e8af02c0bfe0c667cedcd37ca01adc56cd7591f3a8f0d4ffb79a35033ba

                                                SHA512

                                                e2d10df193367f9c088808a345b845cb92edd18fe276ae45955aaed6e3fbc2982f129d340f9e5f05f3823f400bd036f0aa7353d3349ade1a1bb09d8a96ebde7e

                                              • C:\Users\Admin\AppData\Local\Temp\Linear

                                                Filesize

                                                63KB

                                                MD5

                                                347ea445947fce26069d1416df1231d9

                                                SHA1

                                                75bf8c7828a35b894519eb64593b9af4d05a7f24

                                                SHA256

                                                0ff46454fcd0acb98a0a65f44a7b9104d3f4f9bcf813dd669e0f4e95dd5a5de4

                                                SHA512

                                                3df4dc4d5bbe1fff0527443502458f1dccbee250a9a4e48df7b81d34b94da5f4f9436420bdb88bad8321d131aec759e8f92fc6af436659275aa6567d8ccd30da

                                              • C:\Users\Admin\AppData\Local\Temp\Pins

                                                Filesize

                                                12KB

                                                MD5

                                                739f8cde6bc9fd4301625c8617abecfe

                                                SHA1

                                                03bbf91e7a80355ed2a50e2dec6f222f83e822ff

                                                SHA256

                                                7ef482eea81ba12c367cd2ee1879fba072dc17a1b05be7b5533b886f23b8e7bb

                                                SHA512

                                                d303155dc840fa7f81a2555819e5a94ed2b911ad85a0732564fe060a83252f1eda50049c5bcfb85c4040aad2339e2a1622b1629f09ab4ae0e958c1c34d83ecd0

                                              • C:\Users\Admin\AppData\Local\Temp\Please

                                                Filesize

                                                18KB

                                                MD5

                                                6b528946c33427972a15d8eabfab0686

                                                SHA1

                                                c1c877784d64b434de8fed5bc948536bd6311f19

                                                SHA256

                                                1256b7d69423a99ba7abbf92402ba1fd8ad4e58cb80bbc299bc48286d032cfd1

                                                SHA512

                                                2f1c2c5e8f8a94c023904e5f51d8c10111cec3c59fcf5dfd496e7cb8610eb412516d71405f0745961c8c101bf791ed980cdf1d5215a710b1ab738e436f6fe164

                                              • C:\Users\Admin\AppData\Local\Temp\Realm

                                                Filesize

                                                127KB

                                                MD5

                                                3c410e0b87de4c6d20454567bdf3188c

                                                SHA1

                                                d18d0cce032454672c7e241648b981764c9689c3

                                                SHA256

                                                b9a2616461913d1198b81bdf59bc032fb8a0dc64cd1065a3f923dfeb51fef6d8

                                                SHA512

                                                a1c4d2a9c9062f83c4f02aebb88a89685ad06de099a4636d7a244f289e397da9604ebd8c4c0e1eee86138d88d188168c3dd4174e94259c58bd524999527c9879

                                              • C:\Users\Admin\AppData\Local\Temp\Showers

                                                Filesize

                                                21KB

                                                MD5

                                                962acba697097e36e2c65cd88226b703

                                                SHA1

                                                f5a1e30490704344d85c3e90c5ee612595874be5

                                                SHA256

                                                b5888f7da8149b258908a7b48d04f5f020a57622387fc4dfefc845e3ecf59e5a

                                                SHA512

                                                be764a1a73da6df738dc7b00fbfe86ad4ad0a8ec77f5582e0e81f203dc8b5e01b73cda7834d0c23f1d722ba256f2857ecb4e263fb8262ccdf8a00080f8dcbe1d

                                              • C:\Users\Admin\AppData\Local\Temp\Talking

                                                Filesize

                                                29KB

                                                MD5

                                                413cf0d0ca1fdf9f2fbb5ba37568f37a

                                                SHA1

                                                48fcdc4aa18001251f18e86fbc24fcbfee6d575f

                                                SHA256

                                                c9a27bf0a0c40a5f205453a870eb48db476b2f737b9a96114f00ff3ceebc3f72

                                                SHA512

                                                085f63dc907f610a062adbe43cf09b9fcec17c52e3cae78e1e1675ede831e480eeb7bd725e8802d9258672b16cea9fd16acfb2a1e8becbbe13de991a8f95b878

                                              • C:\Users\Admin\AppData\Local\Temp\Weapon

                                                Filesize

                                                50KB

                                                MD5

                                                a016f2931a9c72aef52e32f77ea02c5d

                                                SHA1

                                                f2ab1dc6f41f655f191a6893913970f0a2e153fa

                                                SHA256

                                                d2bb028bd1d52358dcacea6d6ce33d8c9361342b64167fc1d89676471520bf29

                                                SHA512

                                                1985772d2cff33887ec89852de4bca48a38ccb9a3aada653ffb4edc4c9b90fe7d0963b606806759e200424b4b642bb4982c6e007d6bd4dcb40b973ee5abf86fe

                                              • C:\Users\Admin\Downloads\Unconfirmed 245366.crdownload

                                                Filesize

                                                4.5MB

                                                MD5

                                                6ee4d16a922c7c410c48a2d7dc55ece5

                                                SHA1

                                                4281072875fc6b223fe3be38f2164e873a68f031

                                                SHA256

                                                e12353f4d5f68aea92424cf34972738128fc010fe4fe3072d7098f9a299ed559

                                                SHA512

                                                bcc1e2bd218cb745751d28472cdf87b60f8341579552fd973feff7e6dac62a69b2504dfa5e98bdef13f1cf9966b823c179e3ac456104d41ed1d937c44e714a9a

                                              • \??\pipe\LOCAL\crashpad_4744_BGKANFMONXUVVFEW

                                                MD5

                                                d41d8cd98f00b204e9800998ecf8427e

                                                SHA1

                                                da39a3ee5e6b4b0d3255bfef95601890afd80709

                                                SHA256

                                                e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                                                SHA512

                                                cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                                              • memory/2700-576-0x0000000000230000-0x000000000027F000-memory.dmp

                                                Filesize

                                                316KB

                                              • memory/2700-579-0x0000000000230000-0x000000000027F000-memory.dmp

                                                Filesize

                                                316KB

                                              • memory/2700-580-0x0000000000230000-0x000000000027F000-memory.dmp

                                                Filesize

                                                316KB

                                              • memory/2700-578-0x0000000000230000-0x000000000027F000-memory.dmp

                                                Filesize

                                                316KB

                                              • memory/2700-577-0x0000000000230000-0x000000000027F000-memory.dmp

                                                Filesize

                                                316KB

                                              • memory/3224-77-0x00000000060B0000-0x0000000006654000-memory.dmp

                                                Filesize

                                                5.6MB

                                              • memory/3224-80-0x0000000005B00000-0x0000000005B92000-memory.dmp

                                                Filesize

                                                584KB

                                              • memory/3224-81-0x0000000005CC0000-0x0000000005CCA000-memory.dmp

                                                Filesize

                                                40KB

                                              • memory/3224-76-0x0000000000C70000-0x00000000010EA000-memory.dmp

                                                Filesize

                                                4.5MB

                                              • memory/3872-563-0x000001EC9B140000-0x000001EC9B141000-memory.dmp

                                                Filesize

                                                4KB

                                              • memory/3872-572-0x000001EC9B140000-0x000001EC9B141000-memory.dmp

                                                Filesize

                                                4KB

                                              • memory/3872-571-0x000001EC9B140000-0x000001EC9B141000-memory.dmp

                                                Filesize

                                                4KB

                                              • memory/3872-570-0x000001EC9B140000-0x000001EC9B141000-memory.dmp

                                                Filesize

                                                4KB

                                              • memory/3872-569-0x000001EC9B140000-0x000001EC9B141000-memory.dmp

                                                Filesize

                                                4KB

                                              • memory/3872-573-0x000001EC9B140000-0x000001EC9B141000-memory.dmp

                                                Filesize

                                                4KB

                                              • memory/3872-574-0x000001EC9B140000-0x000001EC9B141000-memory.dmp

                                                Filesize

                                                4KB

                                              • memory/3872-575-0x000001EC9B140000-0x000001EC9B141000-memory.dmp

                                                Filesize

                                                4KB

                                              • memory/3872-564-0x000001EC9B140000-0x000001EC9B141000-memory.dmp

                                                Filesize

                                                4KB

                                              • memory/3872-565-0x000001EC9B140000-0x000001EC9B141000-memory.dmp

                                                Filesize

                                                4KB
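The listing above is an extraction-flattened key/value dump: each field name (Filesize, MD5, SHA1, SHA256, SHA512) sits on its own line with the value on the next. As an added example, not part of this report and not the sandbox vendor's own code, the following Python parses that layout into records and applies the checks an analyst wants before the hashes go into a blocklist: every digest has the expected hex length, the artefact is not the zero-length object (the crashpad named pipe above hashes to the well-known empty-input digests and must not become an indicator), and for memory/<pid>-<n>-0xSTART-0xEND entries the stated Filesize agrees with the address range. The Filesize rendering rule (bytes below 1 KB, whole KB, MB to one decimal) is an assumption inferred from the values on this page; SAMPLE is an excerpt constructed from entries above with values copied verbatim.

```python
"""Parse a Triage-style 'dropped files / memory regions' listing and vet it before use as IOCs."""
import hashlib
import re

HASH_HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# Digests of zero-length input: an entry carrying these (the crashpad pipe above) is empty.
EMPTY_HASHES = {n: hashlib.new(n.lower(), b"").hexdigest() for n in HASH_HEX_LEN}
MEMORY_RE = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

# Constructed excerpt of the listing above: values copied verbatim, layout as extracted.
SAMPLE = r"""
• C:\Users\Admin\AppData\Local\Temp\Chrome
  Filesize
  32KB
  MD5
  0cd67281cc0f3992643872064ae936a9
  SHA1
  440d9eb5accd108e6972c7ba08071a4a75da17f7
  SHA256
  2bf63cdffa011a72134b8a0e7e0e152f53d8546bd768c96f422a525cd83ecf22
  SHA512
  98a5f9834245d89f05aef2077a5306bfda4c44aed16b8a116b1295bbfc248d1a9d9e06bd0db7e0fcab81dac9b4483c5728f7adc9bf608850b74b89a06c2dea92
• \??\pipe\LOCAL\crashpad_4744_BGKANFMONXUVVFEW
  MD5
  d41d8cd98f00b204e9800998ecf8427e
  SHA1
  da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256
  e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512
  cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
• memory/2700-576-0x0000000000230000-0x000000000027F000-memory.dmp
  Filesize
  316KB
• memory/3224-76-0x0000000000C70000-0x00000000010EA000-memory.dmp
  Filesize
  4.5MB
"""


def parse_listing(text):
    """One dict per '•' entry; a field-name line is followed by its value on the next line."""
    records, current, pending = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):
            current = {"path": line[1:].strip()}
            records.append(current)
            pending = None
        elif current is None:
            continue  # fragment before the first bullet, e.g. a truncated entry
        elif line == "Filesize" or line in HASH_HEX_LEN:
            pending = line
        elif pending is not None:
            current[pending] = line
            pending = None
    return records


def report_size(nbytes):
    """Render bytes the way the report prints Filesize (assumed: B, whole KB, MB to one decimal)."""
    if nbytes < 1024:
        return f"{nbytes}B"
    if nbytes < 1024 ** 2:
        return f"{round(nbytes / 1024)}KB"
    return f"{nbytes / 1024 ** 2:.1f}MB"


def region_bytes(path):
    """Size of a memory/<pid>-<n>-0xSTART-0xEND-memory.dmp range, or None for an on-disk file."""
    m = MEMORY_RE.match(path)
    return int(m.group(3), 16) - int(m.group(2), 16) if m else None


def check_record(rec):
    """Problems with one record; an empty list means the entry is usable as-is."""
    issues = []
    for name, length in HASH_HEX_LEN.items():
        if name in rec and not re.fullmatch(rf"[0-9a-f]{{{length}}}", rec[name]):
            issues.append(f"{name} is not {length} lowercase hex digits")
    present = [n for n in EMPTY_HASHES if n in rec]
    if present and all(rec[n] == EMPTY_HASHES[n] for n in present):
        issues.append("digests of empty input: not a usable indicator")
    size = region_bytes(rec["path"])
    if size is not None and rec.get("Filesize") != report_size(size):
        issues.append(f"stated {rec.get('Filesize')} but address range is {report_size(size)}")
    return issues


def file_indicators(records):
    """path -> SHA256 for on-disk drops that pass every check; memory dumps are excluded."""
    return {r["path"]: r["SHA256"] for r in records
            if "SHA256" in r and region_bytes(r["path"]) is None and not check_record(r)}
```

Run against SAMPLE, `file_indicators` keeps only the Temp\Chrome drop: the pipe is rejected because all four digests are the empty-input values, and the memory entries carry no hashes. The range check also makes the 0x230000-0x27F000 region come out at exactly 316KB and the 0xC70000-0x10EA000 region in PID 3224 at 4.5MB, the same size the report lists for the Unconfirmed 245366.crdownload file. Feed the whole listing (not just the excerpt) through `parse_listing` to vet every entry the same way.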