Resubmissions

05/08/2024, 10:44

240805-mtardaxfnh 10

05/08/2024, 10:39

240805-mp375atekp 10

05/08/2024, 10:24

240805-mfcc2stbqn 10

Analysis

  • max time kernel
    278s
  • max time network
    280s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags
    arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    05/08/2024, 10:39

General

  • Target

    InjectorSOFTWARE.zip

  • Size

    18.4MB

  • MD5

    4087fb773df09b91e226c59bd9e400ca

  • SHA1

    40680eee9d47ffa93b7c10cf4b9cd71038ff81c5

  • SHA256

    35760704fdaef694cf129c2cf70d6edbe87adca57ce2073eeba6b39e97f4c5fe

  • SHA512

    e67eaf7cfa49f0ff487f9762ecfea1930394e68232cbe9dc9c0924d3d8ecdbc522e6c210270f90ca19b0aff36b5449b8b5d63ffd416d95b48ebed91be8d5357a

  • SSDEEP

    393216:r9qRuxNxl69OXuniRll7a08I7/3asKn1RtrbSZJZwP0M:ZtNxKOOixoxsSbSVwP0M

Score
10/10

Malware Config

Extracted

Family

lumma

C2

https://clouddycuiomsnz.shop/api

https://empiredzmwnx.shop/api

https://boattyownerwrv.shop/api

https://rainbowmynsjn.shop/api

https://definitonizmnx.shop/api

https://creepydxzoxmj.shop/api

https://budgetttysnzm.shop/api

https://chippyfroggsyhz.shop/api

https://assumedtribsosp.shop/api

https://whimiscallysmmzn.shop/api

https://applyzxcksdia.shop/api

https://replacedoxcjzp.shop/api

https://declaredczxi.shop/api

https://catchddkxozvp.shop/api

https://arriveoxpzxo.shop/api

https://contemplateodszsv.shop/api

https://bindceasdiwozx.shop/api

https://conformfucdioz.shop/api

Extracted

Family

lumma

C2

https://clouddycuiomsnz.shop/api

https://empiredzmwnx.shop/api

https://boattyownerwrv.shop/api

https://rainbowmynsjn.shop/api

https://definitonizmnx.shop/api

https://creepydxzoxmj.shop/api

https://budgetttysnzm.shop/api

https://chippyfroggsyhz.shop/api

https://assumedtribsosp.shop/api

https://tenntysjuxmz.shop/api

https://whimiscallysmmzn.shop/api

Signatures

  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

  • Suspicious use of NtCreateUserProcessOtherParentProcess 7 IoCs
  • Executes dropped EXE 14 IoCs
  • Loads dropped DLL 6 IoCs
  • Drops desktop.ini file(s) 1 IoCs
  • Enumerates processes with tasklist 1 TTPs 14 IoCs
  • Suspicious use of SetThreadContext 12 IoCs
  • Drops file in Windows directory 64 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Checks SCSI registry key(s) 3 TTPs 24 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of FindShellTrayWindow 21 IoCs
  • Suspicious use of SendNotifyMessage 21 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    PID:3360
    • C:\Windows\Explorer.exe
      C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\InjectorSOFTWARE.zip
      2⤵
      PID:4136
    • C:\Users\Admin\Desktop\New folder\Runner.exe
      "C:\Users\Admin\Desktop\New folder\Runner.exe"
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2916
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k move Calvin Calvin.cmd & Calvin.cmd & exit
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4988
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          4⤵
          • Enumerates processes with tasklist
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:3724
        • C:\Windows\SysWOW64\findstr.exe
          findstr /I "wrsa.exe opssvc.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3516
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          4⤵
          • Enumerates processes with tasklist
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:4348
        • C:\Windows\SysWOW64\findstr.exe
          findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2520
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c md 232333
          4⤵
          PID:2208
        • C:\Windows\SysWOW64\findstr.exe
          findstr /V "MenuHelenSpringsAmateur" Predict
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4456
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c copy /b Expansion + Lights + Finish + Susan + Pretty 232333\N
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1556
        • C:\Users\Admin\AppData\Local\Temp\232333\Manufacture.pif
          Manufacture.pif N
          4⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          PID:2696
        • C:\Windows\SysWOW64\choice.exe
          choice /d y /t 5
          4⤵
          PID:808
    • C:\Users\Admin\Desktop\New folder\Runner2.exe
      "C:\Users\Admin\Desktop\New folder\Runner2.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2616
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4960
    • C:\Windows\System32\GamePanel.exe
      "C:\Windows\System32\GamePanel.exe" 00000000000D0056 /startuptips
      2⤵
      • Checks SCSI registry key(s)
      PID:5032
    • C:\Users\Admin\Desktop\New folder\Runner.exe
      "C:\Users\Admin\Desktop\New folder\Runner.exe"
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:676
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k move Calvin Calvin.cmd & Calvin.cmd & exit
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4572
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          4⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:1428
        • C:\Windows\SysWOW64\findstr.exe
          findstr /I "wrsa.exe opssvc.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4808
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          4⤵
          • Enumerates processes with tasklist
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:4592
        • C:\Windows\SysWOW64\findstr.exe
          findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4536
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c md 232333
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3396
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c copy /b Expansion + Lights + Finish + Susan + Pretty 232333\N
          4⤵
          PID:1372
        • C:\Users\Admin\AppData\Local\Temp\232333\Manufacture.pif
          Manufacture.pif N
          4⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          PID:700
        • C:\Windows\SysWOW64\choice.exe
          choice /d y /t 5
          4⤵
          PID:916
    • C:\Users\Admin\Desktop\New folder\Runner2.exe
      "C:\Users\Admin\Desktop\New folder\Runner2.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2600
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 868
        3⤵
        • Program crash
        PID:1632
    • C:\Windows\System32\GamePanel.exe
      "C:\Windows\System32\GamePanel.exe" 0000000000020346 /startuptips
      2⤵
      • Checks SCSI registry key(s)
      PID:4180
    • C:\Users\Admin\AppData\Local\Temp\232333\Manufacture.pif
      C:\Users\Admin\AppData\Local\Temp\232333\Manufacture.pif
      2⤵
      • Executes dropped EXE
      PID:1472
    • C:\Users\Admin\AppData\Local\Temp\232333\Manufacture.pif
      C:\Users\Admin\AppData\Local\Temp\232333\Manufacture.pif
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:4348
    • C:\Users\Admin\Desktop\New folder\Runner.exe
      "C:\Users\Admin\Desktop\New folder\Runner.exe"
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      PID:2744
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k move Calvin Calvin.cmd & Calvin.cmd & exit
        3⤵
        PID:4112
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          4⤵
          • Enumerates processes with tasklist
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:3552
        • C:\Windows\SysWOW64\findstr.exe
          findstr /I "wrsa.exe opssvc.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2340
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          4⤵
          • Enumerates processes with tasklist
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:2724
        • C:\Windows\SysWOW64\findstr.exe
          findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"
          4⤵
          PID:4908
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c md 232333
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1388
        • C:\Windows\SysWOW64\findstr.exe
          findstr /V "MenuHelenSpringsAmateur" Predict
          4⤵
          PID:96
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c copy /b Expansion + Lights + Finish + Susan + Pretty 232333\N
          4⤵
          PID:2000
        • C:\Users\Admin\AppData\Local\Temp\232333\Manufacture.pif
          Manufacture.pif N
          4⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          PID:2364
        • C:\Windows\SysWOW64\choice.exe
          choice /d y /t 5
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1428
    • C:\Users\Admin\Desktop\New folder\Runner2.exe
      "C:\Users\Admin\Desktop\New folder\Runner2.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      PID:2872
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
        3⤵
        PID:4564
    • C:\Windows\System32\GamePanel.exe
      "C:\Windows\System32\GamePanel.exe" 000000000004034E /startuptips
      2⤵
      • Checks SCSI registry key(s)
      PID:1104
    • C:\Users\Admin\AppData\Local\Temp\232333\Manufacture.pif
      C:\Users\Admin\AppData\Local\Temp\232333\Manufacture.pif
      2⤵
      • Executes dropped EXE
      PID:1144
    • C:\Users\Admin\AppData\Local\Temp\232333\Manufacture.pif
      C:\Users\Admin\AppData\Local\Temp\232333\Manufacture.pif
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:4592
    • C:\Users\Admin\Desktop\New folder\Runner.exe
      "C:\Users\Admin\Desktop\New folder\Runner.exe"
      2⤵
      • Drops file in Windows directory
      PID:3708
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k move Calvin Calvin.cmd & Calvin.cmd & exit
        3⤵
        PID:508
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          4⤵
          • Enumerates processes with tasklist
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:2984
        • C:\Windows\SysWOW64\findstr.exe
          findstr /I "wrsa.exe opssvc.exe"
          4⤵
          PID:4164
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          4⤵
          • Enumerates processes with tasklist
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:3000
        • C:\Windows\SysWOW64\findstr.exe
          findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3724
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c md 232333
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4572
        • C:\Windows\SysWOW64\findstr.exe
          findstr /V "MenuHelenSpringsAmateur" Predict
          4⤵
          • System Location Discovery: System Language Discovery
          PID:168
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c copy /b Expansion + Lights + Finish + Susan + Pretty 232333\N
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2664
        • C:\Users\Admin\AppData\Local\Temp\232333\Manufacture.pif
          Manufacture.pif N
          4⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          PID:2436
        • C:\Windows\SysWOW64\choice.exe
          choice /d y /t 5
          4⤵
          PID:4784
    • C:\Users\Admin\AppData\Local\Temp\232333\Manufacture.pif
      C:\Users\Admin\AppData\Local\Temp\232333\Manufacture.pif
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2476
    • C:\Users\Admin\Desktop\New folder\Runner2.exe
      "C:\Users\Admin\Desktop\New folder\Runner2.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      PID:1316
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2560
    • C:\Windows\System32\GamePanel.exe
      "C:\Windows\System32\GamePanel.exe" 0000000000070344 /startuptips
      2⤵
      • Checks SCSI registry key(s)
      PID:216
    • C:\Users\Admin\Desktop\New folder\Runner2.exe
      "C:\Users\Admin\Desktop\New folder\Runner2.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      PID:796
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2016
    • C:\Windows\System32\GamePanel.exe
      "C:\Windows\System32\GamePanel.exe" 00000000000902F2 /startuptips
      2⤵
      • Checks SCSI registry key(s)
      PID:680
    • C:\Users\Admin\Desktop\New folder\Runner.exe
      "C:\Users\Admin\Desktop\New folder\Runner.exe"
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      PID:196
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k move Calvin Calvin.cmd & Calvin.cmd & exit
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2340
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          4⤵
          • Enumerates processes with tasklist
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:1396
        • C:\Windows\SysWOW64\findstr.exe
          findstr /I "wrsa.exe opssvc.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:5032
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          4⤵
          • Enumerates processes with tasklist
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:4756
        • C:\Windows\SysWOW64\findstr.exe
          findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"
          4⤵
          PID:3988
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c md 232333
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2872
        • C:\Windows\SysWOW64\findstr.exe
          findstr /V "MenuHelenSpringsAmateur" Predict
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1232
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c copy /b Expansion + Lights + Finish + Susan + Pretty 232333\N
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2548
        • C:\Users\Admin\AppData\Local\Temp\232333\Manufacture.pif
          Manufacture.pif N
          4⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          PID:3644
        • C:\Windows\SysWOW64\choice.exe
          choice /d y /t 5
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1376
    • C:\Users\Admin\Desktop\New folder\Runner2.exe
      "C:\Users\Admin\Desktop\New folder\Runner2.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      PID:2724
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3392
    • C:\Windows\System32\GamePanel.exe
      "C:\Windows\System32\GamePanel.exe" 00000000000903E0 /startuptips
      2⤵
      • Checks SCSI registry key(s)
      PID:1944
    • C:\Users\Admin\Desktop\New folder\Runner.exe
      "C:\Users\Admin\Desktop\New folder\Runner.exe"
      2⤵
      • Drops file in Windows directory
      PID:4128
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k move Calvin Calvin.cmd & Calvin.cmd & exit
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3584
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          4⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:704
        • C:\Windows\SysWOW64\findstr.exe
          findstr /I "wrsa.exe opssvc.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4736
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          4⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:4172
        • C:\Windows\SysWOW64\findstr.exe
          findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3708
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c md 232333
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2608
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c copy /b Expansion + Lights + Finish + Susan + Pretty 232333\N
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3112
        • C:\Users\Admin\AppData\Local\Temp\232333\Manufacture.pif
          Manufacture.pif N
          4⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          PID:4348
        • C:\Windows\SysWOW64\choice.exe
          choice /d y /t 5
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2868
    • C:\Users\Admin\AppData\Local\Temp\232333\Manufacture.pif
      C:\Users\Admin\AppData\Local\Temp\232333\Manufacture.pif
      2⤵
      • Executes dropped EXE
      PID:1044
    • C:\Users\Admin\AppData\Local\Temp\232333\Manufacture.pif
      C:\Users\Admin\AppData\Local\Temp\232333\Manufacture.pif
      2⤵
      • Executes dropped EXE
      PID:1912
    • C:\Users\Admin\Desktop\New folder\Runner.exe
      "C:\Users\Admin\Desktop\New folder\Runner.exe"
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      PID:2508
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k move Calvin Calvin.cmd & Calvin.cmd & exit
        3⤵
        • System Location Discovery: System Language Discovery
        PID:5072
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          4⤵
          • Enumerates processes with tasklist
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:3528
        • C:\Windows\SysWOW64\findstr.exe
          findstr /I "wrsa.exe opssvc.exe"
          4⤵
          PID:4748
                                        • C:\Windows\SysWOW64\tasklist.exe
                                          tasklist
                                          4⤵
                                          • Enumerates processes with tasklist
                                          • System Location Discovery: System Language Discovery
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:4980
                                        • C:\Windows\SysWOW64\findstr.exe
                                          findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"
                                          4⤵
                                            PID:4964
                                          • C:\Windows\SysWOW64\cmd.exe
                                            cmd /c md 232333
                                            4⤵
                                              PID:2444
                                            • C:\Windows\SysWOW64\findstr.exe
                                              findstr /V "MenuHelenSpringsAmateur" Predict
                                              4⤵
                                                PID:1892
                                              • C:\Windows\SysWOW64\cmd.exe
                                                cmd /c copy /b Expansion + Lights + Finish + Susan + Pretty 232333\N
                                                4⤵
                                                  PID:1052
                                                • C:\Users\Admin\AppData\Local\Temp\232333\Manufacture.pif
                                                  Manufacture.pif N
                                                  4⤵
                                                  • Executes dropped EXE
                                                  • System Location Discovery: System Language Discovery
                                                  • Suspicious use of FindShellTrayWindow
                                                  • Suspicious use of SendNotifyMessage
                                                  PID:4752
                                                • C:\Windows\SysWOW64\choice.exe
                                                  choice /d y /t 5
                                                  4⤵
                                                  • System Location Discovery: System Language Discovery
                                                  PID:2168
                                            • C:\Users\Admin\Desktop\New folder\Runner2.exe
                                              "C:\Users\Admin\Desktop\New folder\Runner2.exe"
                                              2⤵
                                              • Loads dropped DLL
                                              • Suspicious use of SetThreadContext
                                              • System Location Discovery: System Language Discovery
                                              PID:4512
                                              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
                                                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
                                                3⤵
                                                • System Location Discovery: System Language Discovery
                                                PID:5032
                                            • C:\Windows\System32\GamePanel.exe
                                              "C:\Windows\System32\GamePanel.exe" 000000000010032E /startuptips
                                              2⤵
                                                PID:2596
                                            • C:\Windows\System32\rundll32.exe
                                              C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                              1⤵
                                                PID:2652
                                              • C:\Windows\System32\bcastdvr.exe
                                                "C:\Windows\System32\bcastdvr.exe" -ServerName:Windows.Media.Capture.Internal.BroadcastDVRServer
                                                1⤵
                                                • Drops desktop.ini file(s)
                                                PID:584
                                              • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
                                                "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
                                                1⤵
                                                • Drops file in Windows directory
                                                • Modifies registry class
                                                • Suspicious use of AdjustPrivilegeToken
                                                • Suspicious use of SetWindowsHookEx
                                                PID:932
                                              • C:\Windows\system32\browser_broker.exe
                                                C:\Windows\system32\browser_broker.exe -Embedding
                                                1⤵
                                                • Modifies Internet Explorer settings
                                                PID:2920
                                              • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                1⤵
                                                • Modifies registry class
                                                • Suspicious behavior: MapViewOfSection
                                                • Suspicious use of SetWindowsHookEx
                                                PID:5080
                                              • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                1⤵
                                                • Drops file in Windows directory
                                                • Modifies Internet Explorer settings
                                                • Modifies registry class
                                                • Suspicious use of AdjustPrivilegeToken
                                                • Suspicious use of SetWindowsHookEx
                                                PID:2976
                                              • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                1⤵
                                                • Drops file in Windows directory
                                                • Modifies Internet Explorer settings
                                                • Modifies registry class
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:2468
                                              • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                1⤵
                                                • Modifies registry class
                                                PID:5040
                                              • C:\Windows\system32\OpenWith.exe
                                                C:\Windows\system32\OpenWith.exe -Embedding
                                                1⤵
                                                • Suspicious use of SetWindowsHookEx
                                                PID:3048

                                              Network

                                              MITRE ATT&CK Enterprise v15

                                              Downloads

                                              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Runner2.exe.log

                                                Filesize

                                                42B

                                                MD5

                                                84cfdb4b995b1dbf543b26b86c863adc

                                                SHA1

                                                d2f47764908bf30036cf8248b9ff5541e2711fa2

                                                SHA256

                                                d8988d672d6915b46946b28c06ad8066c50041f6152a91d37ffa5cf129cc146b

                                                SHA512

                                                485f0ed45e13f00a93762cbf15b4b8f996553baa021152fae5aba051e3736bcd3ca8f4328f0e6d9e3e1f910c96c4a9ae055331123ee08e3c2ce3a99ac2e177ce

                                              • C:\Users\Admin\AppData\Local\Temp\232333\Manufacture.pif

                                                Filesize

                                                154B

                                                MD5

                                                1d65a1ec1541627947d0b6b5bbf04790

                                                SHA1

                                                f0f5e95e388305202d15209244a113100114a8aa

                                                SHA256

                                                81eff477e13eab3ae44f8e83e2672c37d29546d0f34c41ece03f4f1495d75d8a

                                                SHA512

                                                429cb2c8d4efef69744a71773944ce7c27279abde26684a9be7d368ea70bd5b518e5ccf9dd84ec7b082eb2e419ed95cf7c22474c8ce370e64ff5fdbf8dbd7293

                                              • C:\Users\Admin\AppData\Local\Temp\232333\Manufacture.pif

                                                Filesize

                                                924KB

                                                MD5

                                                848164d084384c49937f99d5b894253e

                                                SHA1

                                                3055ef803eeec4f175ebf120f94125717ee12444

                                                SHA256

                                                f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3

                                                SHA512

                                                aabe1cf076f48f32542f49a92e4ca9f054b31d5a9949119991b897b9489fe775d8009896408ba49ac43ec431c87c0d385daead9dbbde7ef6309b0c97bbaf852a

                                              • C:\Users\Admin\AppData\Local\Temp\232333\N

                                                Filesize

                                                471KB

                                                MD5

                                                4fdb1a12770b4c88fd6d2aaa9ca9a2b4

                                                SHA1

                                                95a1e665ec99a6c40c262a2b9a261821f9c7dbf0

                                                SHA256

                                                0e404a8a95dd932bccd8ae3f6f459fc47a83a0afefcadca898689e1535fada33

                                                SHA512

                                                f1350d31d268650afa0503ae0e1020a00444960d4dcda126f6f6c4b19884f3ac86ddf569375d83df7a7ba6c5fe1ed1221fd9719e61e82ae53e7bb7e75e493092

                                              • C:\Users\Admin\AppData\Local\Temp\Achievements

                                                Filesize

                                                64KB

                                                MD5

                                                503b49562d47ec3d7bac36b283a000fe

                                                SHA1

                                                029d7b6a7d1b95854a440e54791ae9ed07550741

                                                SHA256

                                                c223cc0ced87549593bec6a286adcfb8f4be8fdc0360ea01858fed6331825803

                                                SHA512

                                                26d85f3eff8f27d783a492c5f870eab761282f189ad5843d380032eb6f7e7dbfe54d43d7c1388f86ab434eb35cccadc00c5bd2afecab6f8a34966e4a0b970787

                                              • C:\Users\Admin\AppData\Local\Temp\Applies

                                                Filesize

                                                20KB

                                                MD5

                                                1433355c586c2fdec518f4d8f7dafeeb

                                                SHA1

                                                608bed0c126a348cb2cace3cc3ba7adf0010b2d0

                                                SHA256

                                                247708f95834307b851966f2daa882ea3fd40ac7e7313fc3c052449a66291235

                                                SHA512

                                                8495bcc89a28fc3dfb4d70e3829b8a174221ebb1675b8c2d0d499ba6e39b284e5c36f60a06737dd77e8c7ad7348a1efca82b66a21be8b47a59122e3c2b93e9b1

                                              • C:\Users\Admin\AppData\Local\Temp\Associate

                                                Filesize

                                                8KB

                                                MD5

                                                bc5912b3c47f2501e116404c987ff631

                                                SHA1

                                                766d3a265a538dbe0e6dcd279ccfba8d55e46f13

                                                SHA256

                                                2ed934b6e69455fbc61ad10cbfe607e5f1705779151eced7b69a64992218a18b

                                                SHA512

                                                992eba3da27deb8fa19a9dcd1eb8446658022a51547bed64b9e6100a9a90a88754c8b2ffcfef822ef6511ebf52d5d0ff2811433f057f04b76f3afb28d97a59dc

                                              • C:\Users\Admin\AppData\Local\Temp\Brush

                                                Filesize

                                                5KB

                                                MD5

                                                1d07a7c3edcbe811c97d8aa87fadcf0c

                                                SHA1

                                                335313821207c6aec6d7de786611faedfa8d4e94

                                                SHA256

                                                deffd4ca1108b05f99199e8158a76cd7ae4549ee72f94063f47549030c1c1b40

                                                SHA512

                                                043262d2a5a0188ebfa2d34e4891805bea74c20f8bb3b9c0fb5ad6f5e965d14d3e12da6c0a0d65ebb89adca47bd262ceb994cdcc728f210e2ac04d6894880fa2

                                              • C:\Users\Admin\AppData\Local\Temp\Calvin

                                                Filesize

                                                13KB

                                                MD5

                                                f15de6944e5309dd1d193a167bdc991c

                                                SHA1

                                                8b6733bd71553e2c17374bc3795db8d0ac6c6822

                                                SHA256

                                                3c6810e428bb9906405feee07c73b8055203a1e1da49edfcb53c1bc345464239

                                                SHA512

                                                c344568aeea9857c2d35b50955a515623d7e1d246dc0904dacb4c5f829091ad0a659be9df1044abd7bc0abe73c5139736504dfa8f2be0c449f9d464b01aaf7a9

                                              • C:\Users\Admin\AppData\Local\Temp\Cat

                                                Filesize

                                                18KB

                                                MD5

                                                7220dbb3b385e6826eb1667ab3c43536

                                                SHA1

                                                b351714eb11190df8207238159c473288f1c62b3

                                                SHA256

                                                65ffa38d175e37791622354055e40bdbf080927a0d2364c6a7b01c8ea2705c6c

                                                SHA512

                                                b24f21f550731cf3b4649497ba3bf688406db5aafea0bede8275056002605bf7de1eed88f14f25d778e5f7c70372a31997ccf50c6828a42995d2d9c99308ddf6

                                              • C:\Users\Admin\AppData\Local\Temp\Catch

                                                Filesize

                                                60KB

                                                MD5

                                                aeda8b49d380003d29a7382764632d74

                                                SHA1

                                                c0ce4bd4c15126c8c43f0e33c3bccd9ec37ba87d

                                                SHA256

                                                98220c2e4af3987a59a4c6edc16c34e5670511438b9c3a4fdb5005ddf438fb8e

                                                SHA512

                                                909b6e77bf9052a0e3e1d56f903e4910d19e7ac92537ef47d25b3bcc6c0d70558f0cd89ff939c17b20a1dd575605da378eee98d8bb9a61eb11322a970208bafc

                                              • C:\Users\Admin\AppData\Local\Temp\Expansion

                                                Filesize

                                                146KB

                                                MD5

                                                8cc545443bf8df3db7c6f71297041dc2

                                                SHA1

                                                b78fdd8d81e4deaac5bcfc1e415d7887468766d5

                                                SHA256

                                                d257f366a170793acd2c73f905daa38bffdedc50dee8965886e96946c3b9180a

                                                SHA512

                                                84078c5221ac2bcfbc30bdbaef76d87352870dfa740e2b8a3ea7404ab26ee4857b79a68f4ad573c1dec5dc7280d909fbdd4df20919cf06e108d487a7ce9932b9

                                              • C:\Users\Admin\AppData\Local\Temp\Expressed

                                                Filesize

                                                42KB

                                                MD5

                                                c9c7aae72d8a772209022357fa1042db

                                                SHA1

                                                d2561c89d954115d346e9688537763fa9f514027

                                                SHA256

                                                9007c6e36f4d0d0a256c69b3e8c8c4531e5e1806dde1bf1a89e8b1794a8c9662

                                                SHA512

                                                2eb874ab86ec14109a1df14cee548b5b94c66d480dd06bea57e3ec70a205a9971a4ee163d4022713032c4424d36f60efdc3b7fd9396b992a68326a403a9473b2

                                              • C:\Users\Admin\AppData\Local\Temp\Finish

                                                Filesize

                                                66KB

                                                MD5

                                                2db81a29f6f362968a4d18a2f9157835

                                                SHA1

                                                facce20c827e2c9daf3b6bfcccc180813f4e5576

                                                SHA256

                                                f516d152ab3c28d8fe1928d81a6240749f0970f989d1e0f7a7514ef83b272968

                                                SHA512

                                                bd92a0cdec8831c318b3f7e60eaea84e7228576076c623dfd08d4f19b2ba821ad3448aea3cada7c6d298a48e268748450b86f35dc71ddbb6bb43c5c67308bc95

                                              • C:\Users\Admin\AppData\Local\Temp\Francis

                                                Filesize

                                                29KB

                                                MD5

                                                4cc23bf57f0b0ca6cecd68b966662e19

                                                SHA1

                                                661f549d23d248204f43ed0cef7d278397bbf11a

                                                SHA256

                                                0b875d3d77935029d2006157b19de0c352e77db84c57b2f2e9d50bdcb933d797

                                                SHA512

                                                7c3e6424c91231c83fd5f2e0883d64118ce31a10fdf48ad58cec3f513de9098fa3ce375cc0a0470a1ad328b26ca095bfed2b8ce454861b57b7dd4cb55d2f8a1e

                                              • C:\Users\Admin\AppData\Local\Temp\Happen

                                                Filesize

                                                47KB

                                                MD5

                                                bc2f8b48336a3ead427b00a921e45b32

                                                SHA1

                                                ad931ce9176fd4920b95acc9771edb70306373ef

                                                SHA256

                                                01a35f509a574ac3d99818c163bdf60e2434c7b1950c6dd5e134d319eb25a07e

                                                SHA512

                                                01969689fb4ca1fc8dc29e44fc990266534fe430a19346513e2074652b6b3f3c08ebfa5d435195760fa46c3a9285c780ecc3ef77e06b07062f6944d858cbfa49

                                              • C:\Users\Admin\AppData\Local\Temp\Largest

                                                Filesize

                                                46KB

                                                MD5

                                                ec77542b519d4338cfef2ff2ddd7020d

                                                SHA1

                                                de98c0306fdb71788fdcf5c41563b6a75c0e9fe3

                                                SHA256

                                                469efc5e64c1ce9c73262c33d9c8bb61522fa5d513da5d643dd53bce888e67fd

                                                SHA512

                                                43059826eee08430cc6240206918ea3f9a9b624bbe72d8d4b4d472d021e26a3954381e419dedc7ad26b58898a6255489dad8fa048469656c5711512a1c24b1f7

                                              • C:\Users\Admin\AppData\Local\Temp\Lights

                                                Filesize

                                                47KB

                                                MD5

                                                a1717c93352d8da83751780f8f6ca13d

                                                SHA1

                                                835c8c725530de58bbee7c324bfbb0f655a3e894

                                                SHA256

                                                3d8181335a2802b75911d4f6e6296804c52ef9f39460e1949d143df4f8339b00

                                                SHA512

                                                7020d2b331b1fc08abbdf001b4ae5ba04197175edad1027edf90bc35670398d234e87107a1462d73dfec917b76172805afa83474a878cc863f5911d6204df777

                                              • C:\Users\Admin\AppData\Local\Temp\Memory

                                                Filesize

                                                28KB

                                                MD5

                                                38f2602bdbd93847ff53d489449ed190

                                                SHA1

                                                7c2399c082840f944e2c7dc68109b06fa06b4272

                                                SHA256

                                                bc053cd44fa3d5fb83ce217f4f5dc56204a6e9ae9008080b33dee5ce958368fb

                                                SHA512

                                                c5a76062bd4e02d27602ffb3cfa705952768739c5074acdf85ec5a968d87f340343e03d3118033b96054cd7f05b9cccb8f9401ddd50240af8a3fc5e0b14d5678

                                              • C:\Users\Admin\AppData\Local\Temp\Newscom

                                                Filesize

                                                52KB

                                                MD5

                                                03bb2608f5f8dd012beaf4811c74ff57

                                                SHA1

                                                81652ee81940fcc93b6310a8549f8769e0dcf927

                                                SHA256

                                                d4fc239c6733667c3cbf448572e0732cd7e0fda8968077f06f5e07de806249e9

                                                SHA512

                                                e8664f3b0ece01edcc71e0d522d8992b817a8cfce86cb2e0f243ef83557f83b54b745705942dee5c39ee0ce046eb587a3267b48499e9690f5af4d77fb5446007

                                              • C:\Users\Admin\AppData\Local\Temp\Ng

                                                Filesize

                                                47KB

                                                MD5

                                                7c2899d655f06fb0bdf69b2ce8a84b2f

                                                SHA1

                                                a49118b7a646247b7c8ba68c0f29c9601f3024d9

                                                SHA256

                                                71acfec7b10a9cd5b0ff64cdfada09f146050bc8671dada415e91181b55cc984

                                                SHA512

                                                b9c440e0e3cc3e33948f5cbf89ad10d0791c84965c27d98a887bcc3b57a9a78e26100c3020009a08c9239fb8e6fc8bd7a8511fe5c664bf3bca2ff2b3b3567a6e

• C:\Users\Admin\AppData\Local\Temp\Patricia
  Filesize: 66KB
  MD5: f4bce82e1a91bf61bc12e566b7fcd21d
  SHA1: 68024c75c18308c0aefcd1b4e43d8bd75110c457
  SHA256: 25b399aa3994d3c6c071ae126ac8386b198b6efa70f037a1866dc2af18d585c9
  SHA512: 3251058aa9e29e0436cc660b80e429cf4dd326085f3ddd1f0fb64c4b343af2fd6e92191809a31067b34ac3436008a34fc788fd567a1cbce02d12eaf27a24450f

• C:\Users\Admin\AppData\Local\Temp\Positioning
  Filesize: 17KB
  MD5: 6c1c62f4cef7702dbf2a4d0892e230b0
  SHA1: a9c1776a789ee260015ff5ca0cbfe57edc5fb704
  SHA256: 0c8148a308e34701b5cdef5fe729dcf4bbfa1fe9dda40bcc45f7c4c63ef1dbb3
  SHA512: f08cdfc62b0aec34b57d33fdf221c83ed654240c4854c35b9fe75603d53f89794e63a40d320ae06570ca974ac3a628ad3ea40c3908d09ee6c337a0f849d59a8d

• C:\Users\Admin\AppData\Local\Temp\Predict
  Filesize: 179B
  MD5: 9859e9000a8a9116d73a0daff8cf4eda
  SHA1: 8e2fcac1b04019800ddec1da4939754f93bebb89
  SHA256: d9fa12836f1a795e4b7aea63438afd1628db01e38b0b373c42674e7b08832225
  SHA512: 9f07e18608b5afd241761805b7f5b74c039f199f8b22664ce7b745e0f897dda3c9b84d8fbc486896c25bb11c33d7b4f1214af0691dfdbb3aa49f6865cd1bb29e

• C:\Users\Admin\AppData\Local\Temp\Pretty
  Filesize: 37KB
  MD5: 040be569f177171b4733539998501a77
  SHA1: bce941b812c9087757136fad9dfcde341830e1a2
  SHA256: de7417e0aa3461b488c06088d22ccc1ac029bfd67ace834fd8e9d109c6d4d536
  SHA512: c4768554b69c8b2404cf408cc2773c53334fe02b27731c2e7c0c4ee57c45f2ff4e933ca2042adb602e6c7e8f4532ce771f0c1984e55e95980e7c33e477cba523

• C:\Users\Admin\AppData\Local\Temp\Prints
  Filesize: 6KB
  MD5: 063d7bfa15802b259705405a0c98f1ba
  SHA1: 46dd85304e2ad0e7b17b7ba0cf8eb32d7aa7e73e
  SHA256: 366dedddbcefe46c993816db51721c1a6d463f885cf91ea37a1707711cec494f
  SHA512: b696a021d9f73779d14e28bec7bb865a3cabd134e3751f250f507b708c1cdefbacd2374e0d59a2fbddf1610026446fd924d385b5943d9c7d37986b32c58ff2d9

• C:\Users\Admin\AppData\Local\Temp\Raising
  Filesize: 66KB
  MD5: 5fa2f5c9839153a65a91a615d152bb3b
  SHA1: b56fb3d2664a703f6dab0dfe8faf760222b0be7a
  SHA256: 954c5254c1b3bdf67a2cc590c8a0a0007390d7ae5cf2d39fda07ffa3f6fc4c29
  SHA512: 9046f3117863944a5a141ab560de1db91915c67d7d2d2f9be1f63c1d35f11b155fcb9a839f6ce89ebbd76cb4a056cecd31dcbcc60607a77e039c8c2868f5368d

• C:\Users\Admin\AppData\Local\Temp\Retrieval
  Filesize: 40KB
  MD5: 053f39ed7e64fd13d379894195d9dc44
  SHA1: 8063791bddbcdac297f4cdebc84741e9a585489d
  SHA256: 1effe0d4d9e4e197eaa8f4597f1e22277454a53b3bd01bb7dc700ff272760a28
  SHA512: 8f4613bf451c576459e6936fc1ca3e7f2990a484e377499751dd669fc2d136cb0acd841db516c28f08a8b6955a871bc520c3764cd35554cb6581b73284c0be9a

• C:\Users\Admin\AppData\Local\Temp\Routine
  Filesize: 46KB
  MD5: 3a92e7ff423fe5c7c40f42ce3e9af6e4
  SHA1: 30c0f3748be0324bff1443954d74f7366ffc5dfb
  SHA256: f77846134b9acd81f72a2b10b16571a2dc4b8b70b2e7008e54d2340c48569101
  SHA512: 746e4fbf9aef5624ed18b46089f9d34901902b46a8e6081618c11524d6b9faf9f99db07888a17ae02b6600394ac68a2fc3b781e796de79432638f206ef4696eb

• C:\Users\Admin\AppData\Local\Temp\Satisfied
  Filesize: 53KB
  MD5: c9dc84cb3898a5e24ebcfee1b3f9dc5f
  SHA1: 972079d65c31dc8982f98f1976a8c3913882d706
  SHA256: 1601a870c0ad402852b9a3ff191afec62e5272426ad6ee87d0cefc98a19ba0ed
  SHA512: 88985317cfd5bc128d340ea7520048d87eaf2847f631cd375ac0ffe85302b4975c72d5d6b6d1c7a6f83649fbb4f8f13c4837bd0fa921f8ea648764816d4b5a86

• C:\Users\Admin\AppData\Local\Temp\Sorts
  Filesize: 26KB
  MD5: b7a11bffe009c47ed5f3bff893c3c058
  SHA1: eadfd773d19b03766739a2d873ee35a31e95ddda
  SHA256: 67d47d2bf1a7bd132aa43d4a363f0a26be0458a4b7b80f6f0fbd3a484ad18b6a
  SHA512: 08f1114fd09c866465bb3f352435271fcb553c8e5cf8bdbf3402db26bf4d133d03de2e8b0be65a37abf9272df219339310f0aebc9fb75023dd7508384119821d

• C:\Users\Admin\AppData\Local\Temp\Susan
  Filesize: 175KB
  MD5: 859f6eef94ac9d053bd984d79f524b93
  SHA1: 30dab95859880a0754681ecfd7b97ef498d3d8f9
  SHA256: b68e986c42ce291c96a0541c3f5ad428f9e176e25508ca8c762e1c6fdcc89a28
  SHA512: efb4002f65799d421146d3e4ab82d3d9984ca7772565d922686a36ab1f47e018d03f5392fc0abee2e482425466059cce457f6d5d41d8789daa48132650e7981f

• C:\Users\Admin\AppData\Local\Temp\Sussex
  Filesize: 27KB
  MD5: e3276a8cb70b701b69155cb10a230c42
  SHA1: 8765545e96df259f179c4803fb5bdd11a68f59fd
  SHA256: c11a2061e458239832352e15836356da77442cef1e2f217491a248c21658bb53
  SHA512: 77b0d6dbb0915e84a6185d54415cb0291a36480ef429f81360c0fadc8cd75de918733ef82eda014f365d388aae0646ba9ee72f99f06e77a788e47d3bfbbdd24e

• C:\Users\Admin\AppData\Local\Temp\Uniform
  Filesize: 46KB
  MD5: aba2142787a23cb46bcf18ff001b6299
  SHA1: b20b8eef5e95d4cb5a3cf6c2a50ae19dce773ee6
  SHA256: 614191139a925d09762b19e4a8475d281853a460dac6b39882c4332ebca6a328
  SHA512: b537aaf54f61b4ffca421e58cd019fd309a1cdb2dcc026761ca14b9d2811c877321200f655814b20ab9779d3d2b44006bd66a0b02c1da5699c4c026c97981955

• C:\Users\Admin\AppData\Local\Temp\Utc
  Filesize: 65KB
  MD5: 24f82dcbcfd2280b0ddcca567247ff21
  SHA1: e3c21a28260d481fc8c13e85f34213c7236a6d4f
  SHA256: 1204683d5669a70204ead35f292a2e01fadc55939a085ad6e29d295f95b8fd80
  SHA512: 6a87bfa8c1b9fb4d23f7582e39a9ffea53cfce59fccf806cf9195d340d60752822ad396574ad016d5d039776f258d20b4a118430d897d89e57822d9ceb3cfeb7

• C:\Users\Admin\Videos\Captures\desktop.ini
  Filesize: 190B
  MD5: b0d27eaec71f1cd73b015f5ceeb15f9d
  SHA1: 62264f8b5c2f5034a1e4143df6e8c787165fbc2f
  SHA256: 86d9f822aeb989755fac82929e8db369b3f5f04117ef96fd76e3d5f920a501d2
  SHA512: 7b5c9783a0a14b600b156825639d24cbbc000f5066c48ce9fecc195255603fc55129aaaca336d7ce6ad4e941d5492b756562f2c7a1d151fcfc2dabac76f3946c

• \Users\Admin\AppData\Roaming\d3d9.dll
  Filesize: 512KB
  MD5: a77a9cf718826505c24aaef8806e99a9
  SHA1: 279289ce25e61574a43db2842c8232eacbbef2a0
  SHA256: 5a82c3e9d4216bb25582bb6e815de8550957c7e98e67c64e2c2e2f039192f1c1
  SHA512: c8ffbe90aa69177e2aa4287a7cb7d8af00a3519d02537e75ed8d4081ecda00f04f90f27215efc027bfbcd58dffb2323e30f4bd98dd825c3786ba7b97f1dd7296

• memory/932-265-0x00000185C0520000-0x00000185C0530000-memory.dmp
  Filesize: 64KB

• memory/932-281-0x00000185C0620000-0x00000185C0630000-memory.dmp
  Filesize: 64KB

• memory/932-300-0x00000185BD7F0000-0x00000185BD7F2000-memory.dmp
  Filesize: 8KB

• memory/1044-433-0x0000000001600000-0x0000000001655000-memory.dmp
  Filesize: 340KB

• memory/1044-432-0x0000000001600000-0x0000000001655000-memory.dmp
  Filesize: 340KB

• memory/1472-153-0x0000000000280000-0x00000000002D5000-memory.dmp
  Filesize: 340KB

• memory/1472-155-0x0000000000280000-0x00000000002D5000-memory.dmp
  Filesize: 340KB

• memory/1472-157-0x0000000000280000-0x00000000002D5000-memory.dmp
  Filesize: 340KB

• memory/1912-437-0x0000000000B40000-0x0000000000B95000-memory.dmp
  Filesize: 340KB

• memory/1912-436-0x0000000000B40000-0x0000000000B95000-memory.dmp
  Filesize: 340KB

• memory/2476-327-0x0000000000CC0000-0x0000000000D15000-memory.dmp
  Filesize: 340KB

• memory/2476-328-0x0000000000CC0000-0x0000000000D15000-memory.dmp
  Filesize: 340KB

• memory/2616-62-0x00000000008E0000-0x0000000000A7C000-memory.dmp
  Filesize: 1.6MB

• memory/2976-308-0x000001BF87300000-0x000001BF87400000-memory.dmp
  Filesize: 1024KB

• memory/4348-160-0x0000000001210000-0x0000000001265000-memory.dmp
  Filesize: 340KB

• memory/4348-158-0x0000000001210000-0x0000000001265000-memory.dmp
  Filesize: 340KB

• memory/4592-227-0x00000000006F0000-0x0000000000745000-memory.dmp
  Filesize: 340KB

• memory/4592-226-0x00000000006F0000-0x0000000000745000-memory.dmp
  Filesize: 340KB

• memory/4960-85-0x0000000000400000-0x0000000000457000-memory.dmp
  Filesize: 348KB

• memory/4960-83-0x0000000000400000-0x0000000000457000-memory.dmp
  Filesize: 348KB
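The dropped-file hashes and memory-dump names above are the indicators an analyst takes away from this report. The script below is an added example, not part of the sandbox output: it parses entries written in the report's bullet layout, checks that each memory dump's stated size agrees with the address range encoded in its name, and hashes a directory tree against the SHA-256 list. REPORT_SNIPPET embeds a handful of entries copied from this report; the rounding rule in format_size is an assumption read off the report's own size labels, and the directory scan runs over a constructed file so the script works offline.

```python
"""Parse the dropped-file and memory-dump entries of a sandbox report, check the
stated dump sizes against their address ranges, and hunt for the dropped files on
a host by SHA-256. Added example, not part of the sandbox output: REPORT_SNIPPET
copies a few entries from the report above; the scan runs over a constructed file."""
import hashlib
import os
import re
import tempfile
from dataclasses import dataclass, field

REPORT_SNIPPET = r"""
• C:\Users\Admin\AppData\Local\Temp\Patricia
  Filesize: 66KB
  SHA256: 25b399aa3994d3c6c071ae126ac8386b198b6efa70f037a1866dc2af18d585c9
• \Users\Admin\AppData\Roaming\d3d9.dll
  Filesize: 512KB
  SHA256: 5a82c3e9d4216bb25582bb6e815de8550957c7e98e67c64e2c2e2f039192f1c1
• memory/1472-153-0x0000000000280000-0x00000000002D5000-memory.dmp
  Filesize: 340KB
• memory/2616-62-0x00000000008E0000-0x0000000000A7C000-memory.dmp
  Filesize: 1.6MB
• memory/2976-308-0x000001BF87300000-0x000001BF87400000-memory.dmp
  Filesize: 1024KB
• memory/4960-85-0x0000000000400000-0x0000000000457000-memory.dmp
  Filesize: 348KB
"""
MEMORY_RE = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

@dataclass
class Artifact:
    name: str                                   # dropped-file path or dump name
    size_label: str = ""                        # size exactly as the report prints it
    hashes: dict = field(default_factory=dict)  # algorithm -> lowercase hex digest

def parse_entries(text):
    """Turn '• name' bullets followed by indented 'Key: value' lines into Artifacts."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("•"):
            current = Artifact(line[1:].strip())
            entries.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            key, value = key.strip(), value.strip()
            if key == "Filesize":
                current.size_label = value
            elif key in ("MD5", "SHA1", "SHA256", "SHA512"):
                current.hashes[key.lower()] = value.lower()
    return entries

def parse_memory(name):
    """(pid, bytes covered) for a memory dump name, None for a dropped file."""
    m = MEMORY_RE.match(name)
    return (int(m[1]), int(m[3], 16) - int(m[2], 16)) if m else None

def format_size(n):
    """Render bytes like the report's labels. The rounding rule is an assumption read
    off the report itself: whole KiB up to and including 1024KB, then MiB to one decimal."""
    if n < 1024:
        return f"{n}B"
    if n <= 1024 * 1024:
        return f"{n // 1024}KB"
    return f"{n / (1024 * 1024):.1f}MB"

def check_memory_regions(entries):
    """(name, pid, computed bytes, stated label, consistent) for every memory dump."""
    out = []
    for art in entries:
        mem = parse_memory(art.name)
        if mem:
            out.append((art.name, mem[0], mem[1], art.size_label, format_size(mem[1]) == art.size_label))
    return out

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def scan_directory(root, entries):
    """Walk root; return (path, report name) for each file whose SHA-256 the report lists."""
    wanted = {a.hashes["sha256"]: a.name for a in entries if "sha256" in a.hashes}
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                digest = sha256_of(path)
            except OSError:  # unreadable or vanished file: keep scanning
                continue
            if digest in wanted:
                hits.append((path, wanted[digest]))
    return hits

def demo_scan():
    """Offline check: a constructed file matches nothing until its own digest is added."""
    arts = parse_entries(REPORT_SNIPPET)
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "constructed.bin")
        with open(path, "wb") as f:
            f.write(b"constructed benign content, not a sample")  # constructed input
        before = scan_directory(tmp, arts)
        arts.append(Artifact("constructed.bin", "40B", {"sha256": sha256_of(path)}))
        after = scan_directory(tmp, arts)
    return len(before), len(after), after[0][1] if after else None
```

On a live host, point scan_directory at the two directories the report names, %LOCALAPPDATA%\Temp and %APPDATA%, and feed parse_entries the full list rather than the snippet; a hash match only finds files that are byte-identical to what the sandbox saw, so the per-sample names (Patricia, Sussex and so on) are not worth matching on their own. The size check is mostly a way to read the memory list quickly: computed from the address ranges, PIDs 1044, 1472, 1912, 2476, 4348 and 4592 each carry a 0x55000-byte (340KB) region at different base addresses, which is the first thing to pivot on when deciding which dump to look at.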