lumma | e78d116ef45c71f6d09c72c2db3f747561feb83506a029a27cfa5612924d327f

Analysis

max time kernel
96s
max time network
157s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01-01-2025 20:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

779.4MB
MD5

48a252ed8004a6b79601d0d282a84cba
SHA1

09354005be631cc4fdd5376e87862507bddd4699
SHA256

3e385223250225135232ef995cc22fb6558c9a4ea006fe697978c0353df8cd5a
SHA512

9aa454a7c12ba0f7803c6d81c93c1ff84f3c465d12607c18138149392ea2137e260b0088fa39b9504c58e863d797f96264cb093c60ae1370a9512c12cd84e9e7
SSDEEP

393216:ll6tO1HqSFgG/kEl17Ltw8OgKZp/rsX2bnAjcSmvPv:b6tOLF7/q8Og4+2DAov

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://cloudewahsj.shop/api

https://rabidcowse.shop/api

https://noisycuttej.shop/api

https://tirepublicerj.shop/api

https://framekgirus.shop/api

https://wholersorie.shop/api

https://abruptyopsn.shop/api

https://nearycrepso.shop/api

Extracted

Family

lumma

https://abruptyopsn.shop/api

https://wholersorie.shop/api

https://framekgirus.shop/api

https://tirepublicerj.shop/api

https://noisycuttej.shop/api

https://rabidcowse.shop/api

https://cloudewahsj.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Executes dropped EXE 1 IoCs

pid	Process
2036	Phys.com

Loads dropped DLL 1 IoCs

pid	Process
2636	cmd.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
2204	tasklist.exe
2824	tasklist.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\CommWinter	file.exe
File opened for modification	C:\Windows\PlatformPicked	file.exe
File opened for modification	C:\Windows\TelechargerLook	file.exe
File opened for modification	C:\Windows\ShouldDrivers	file.exe
File opened for modification	C:\Windows\GmbhS	file.exe
File opened for modification	C:\Windows\PassesVictorian	file.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phys.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	file.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Phys.com
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Phys.com
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Phys.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	Phys.com
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Phys.com
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Phys.com

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2036	Phys.com
2036	Phys.com
2036	Phys.com
1296	chrome.exe
1296	chrome.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

description	pid	Process
Token: SeDebugPrivilege	2204	tasklist.exe
Token: SeDebugPrivilege	2824	tasklist.exe
Token: SeShutdownPrivilege	1296	chrome.exe
Token: SeShutdownPrivilege	1296	chrome.exe
Token: SeShutdownPrivilege	1296	chrome.exe
Token: SeShutdownPrivilege	1296	chrome.exe
Token: SeShutdownPrivilege	1296	chrome.exe
Token: SeShutdownPrivilege	1296	chrome.exe
Token: SeShutdownPrivilege	1296	chrome.exe
Token: SeShutdownPrivilege	1296	chrome.exe
Token: SeShutdownPrivilege	1296	chrome.exe
Token: SeShutdownPrivilege	1296	chrome.exe
Token: SeShutdownPrivilege	1296	chrome.exe
Token: SeShutdownPrivilege	1296	chrome.exe
Token: SeShutdownPrivilege	1296	chrome.exe
Token: SeShutdownPrivilege	1296	chrome.exe
Token: SeShutdownPrivilege	1296	chrome.exe
Token: SeShutdownPrivilege	1296	chrome.exe
Token: SeShutdownPrivilege	1296	chrome.exe
Token: SeShutdownPrivilege	1296	chrome.exe
Token: SeShutdownPrivilege	1296	chrome.exe
Token: SeShutdownPrivilege	1296	chrome.exe
Token: SeShutdownPrivilege	1296	chrome.exe
Token: SeShutdownPrivilege	1296	chrome.exe
Token: SeShutdownPrivilege	1296	chrome.exe
Token: SeShutdownPrivilege	1296	chrome.exe
Token: SeShutdownPrivilege	1296	chrome.exe
Token: SeShutdownPrivilege	1296	chrome.exe
Token: SeShutdownPrivilege	1296	chrome.exe
Token: SeShutdownPrivilege	1296	chrome.exe
Token: SeShutdownPrivilege	1296	chrome.exe
Token: SeShutdownPrivilege	1296	chrome.exe
Token: SeShutdownPrivilege	1296	chrome.exe
Token: SeShutdownPrivilege	1296	chrome.exe
Token: SeShutdownPrivilege	1296	chrome.exe
Token: SeShutdownPrivilege	1296	chrome.exe
Token: SeShutdownPrivilege	1296	chrome.exe
Token: SeShutdownPrivilege	1296	chrome.exe
Token: SeShutdownPrivilege	1296	chrome.exe
Token: SeShutdownPrivilege	1296	chrome.exe
Token: SeShutdownPrivilege	1296	chrome.exe
Token: SeShutdownPrivilege	1296	chrome.exe
Token: SeShutdownPrivilege	1296	chrome.exe
Token: SeShutdownPrivilege	1296	chrome.exe
Token: SeShutdownPrivilege	1296	chrome.exe
Token: SeShutdownPrivilege	1296	chrome.exe
Token: SeShutdownPrivilege	1296	chrome.exe
Token: SeShutdownPrivilege	1296	chrome.exe
Token: SeShutdownPrivilege	1296	chrome.exe
Token: SeShutdownPrivilege	1296	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2036	Phys.com
2036	Phys.com
2036	Phys.com
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2036	Phys.com
2036	Phys.com
2036	Phys.com
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2296 wrote to memory of 2636	2296	file.exe	31
PID 2296 wrote to memory of 2636	2296	file.exe	31
PID 2296 wrote to memory of 2636	2296	file.exe	31
PID 2296 wrote to memory of 2636	2296	file.exe	31
PID 2636 wrote to memory of 2204	2636	cmd.exe	33
PID 2636 wrote to memory of 2204	2636	cmd.exe	33
PID 2636 wrote to memory of 2204	2636	cmd.exe	33
PID 2636 wrote to memory of 2204	2636	cmd.exe	33
PID 2636 wrote to memory of 2240	2636	cmd.exe	34
PID 2636 wrote to memory of 2240	2636	cmd.exe	34
PID 2636 wrote to memory of 2240	2636	cmd.exe	34
PID 2636 wrote to memory of 2240	2636	cmd.exe	34
PID 2636 wrote to memory of 2824	2636	cmd.exe	36
PID 2636 wrote to memory of 2824	2636	cmd.exe	36
PID 2636 wrote to memory of 2824	2636	cmd.exe	36
PID 2636 wrote to memory of 2824	2636	cmd.exe	36
PID 2636 wrote to memory of 2844	2636	cmd.exe	37
PID 2636 wrote to memory of 2844	2636	cmd.exe	37
PID 2636 wrote to memory of 2844	2636	cmd.exe	37
PID 2636 wrote to memory of 2844	2636	cmd.exe	37
PID 2636 wrote to memory of 2936	2636	cmd.exe	38
PID 2636 wrote to memory of 2936	2636	cmd.exe	38
PID 2636 wrote to memory of 2936	2636	cmd.exe	38
PID 2636 wrote to memory of 2936	2636	cmd.exe	38
PID 2636 wrote to memory of 2688	2636	cmd.exe	39
PID 2636 wrote to memory of 2688	2636	cmd.exe	39
PID 2636 wrote to memory of 2688	2636	cmd.exe	39
PID 2636 wrote to memory of 2688	2636	cmd.exe	39
PID 2636 wrote to memory of 2588	2636	cmd.exe	40
PID 2636 wrote to memory of 2588	2636	cmd.exe	40
PID 2636 wrote to memory of 2588	2636	cmd.exe	40
PID 2636 wrote to memory of 2588	2636	cmd.exe	40
PID 2636 wrote to memory of 2632	2636	cmd.exe	41
PID 2636 wrote to memory of 2632	2636	cmd.exe	41
PID 2636 wrote to memory of 2632	2636	cmd.exe	41
PID 2636 wrote to memory of 2632	2636	cmd.exe	41
PID 2636 wrote to memory of 1220	2636	cmd.exe	42
PID 2636 wrote to memory of 1220	2636	cmd.exe	42
PID 2636 wrote to memory of 1220	2636	cmd.exe	42
PID 2636 wrote to memory of 1220	2636	cmd.exe	42
PID 2636 wrote to memory of 2036	2636	cmd.exe	43
PID 2636 wrote to memory of 2036	2636	cmd.exe	43
PID 2636 wrote to memory of 2036	2636	cmd.exe	43
PID 2636 wrote to memory of 2036	2636	cmd.exe	43
PID 2636 wrote to memory of 2776	2636	cmd.exe	44
PID 2636 wrote to memory of 2776	2636	cmd.exe	44
PID 2636 wrote to memory of 2776	2636	cmd.exe	44
PID 2636 wrote to memory of 2776	2636	cmd.exe	44
PID 1296 wrote to memory of 1556	1296	chrome.exe	46
PID 1296 wrote to memory of 1556	1296	chrome.exe	46
PID 1296 wrote to memory of 1556	1296	chrome.exe	46
PID 1296 wrote to memory of 1708	1296	chrome.exe	47
PID 1296 wrote to memory of 1708	1296	chrome.exe	47
PID 1296 wrote to memory of 1708	1296	chrome.exe	47
PID 1296 wrote to memory of 1708	1296	chrome.exe	47
PID 1296 wrote to memory of 1708	1296	chrome.exe	47
PID 1296 wrote to memory of 1708	1296	chrome.exe	47
PID 1296 wrote to memory of 1708	1296	chrome.exe	47
PID 1296 wrote to memory of 1708	1296	chrome.exe	47
PID 1296 wrote to memory of 1708	1296	chrome.exe	47
PID 1296 wrote to memory of 1708	1296	chrome.exe	47
PID 1296 wrote to memory of 1708	1296	chrome.exe	47
PID 1296 wrote to memory of 1708	1296	chrome.exe	47
PID 1296 wrote to memory of 1708	1296	chrome.exe	47

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2296
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c move Investigated Investigated.cmd & Investigated.cmd
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2636
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2204
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2240
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2824
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2844
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 291618
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2936
- - C:\Windows\SysWOW64\extrac32.exe
    extrac32 /Y /E Clark
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2688
- - C:\Windows\SysWOW64\findstr.exe
    findstr /V "London" Relatives
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2588
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b 291618\Phys.com + Scenarios + Blood + Sword + Terminal + Doll + Likelihood + Jungle + Asset + Ate + Pat + Face 291618\Phys.com
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2632
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Von + ..\Safely + ..\Jo + ..\Attendance + ..\Polish + ..\Boxing x
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1220
- - C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\291618\Phys.com
    Phys.com x
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2036
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2776

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7039758,0x7fef7039768,0x7fef7039778
  2⤵
  PID:1556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1176 --field-trial-handle=1008,i,3740003119737094988,2550380991584443923,131072 /prefetch:2
  2⤵
  PID:1708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1512 --field-trial-handle=1008,i,3740003119737094988,2550380991584443923,131072 /prefetch:8
  2⤵
  PID:1564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1592 --field-trial-handle=1008,i,3740003119737094988,2550380991584443923,131072 /prefetch:8
  2⤵
  PID:2596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2152 --field-trial-handle=1008,i,3740003119737094988,2550380991584443923,131072 /prefetch:1
  2⤵
  PID:2976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2160 --field-trial-handle=1008,i,3740003119737094988,2550380991584443923,131072 /prefetch:1
  2⤵
  PID:1644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1856 --field-trial-handle=1008,i,3740003119737094988,2550380991584443923,131072 /prefetch:2
  2⤵
  PID:2576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1476 --field-trial-handle=1008,i,3740003119737094988,2550380991584443923,131072 /prefetch:1
  2⤵
  PID:1740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3852 --field-trial-handle=1008,i,3740003119737094988,2550380991584443923,131072 /prefetch:8
  2⤵
  PID:1916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3436 --field-trial-handle=1008,i,3740003119737094988,2550380991584443923,131072 /prefetch:1
  2⤵
  PID:352

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2168

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
PID:2344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7039758,0x7fef7039768,0x7fef7039778
  2⤵
  PID:1372

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2136

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4e0
1⤵
PID:2460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
66b458a927cbc7e3db44b9288dd125cd

SHA1
bca37f9291fdfaf706ea2e91f86936caec472710

SHA256
481bc064a399c309d671b4d25371c9afba388960624d1173221eac16752dea81

SHA512
897fade0ea8f816830aee0e8008868af42619005384e0a89da654ad16102cd5e7a607440bd99f9578cf951390d39f07020054cca74231cdc42a3cffa363d9869

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
215KB

MD5
d79b35ccf8e6af6714eb612714349097

SHA1
eb3ccc9ed29830df42f3fd129951cb8b791aaf98

SHA256
c8459799169b81fdab64d028a9ebb058ea2d0ad5feb33a11f6a45a54a5ccc365

SHA512
f4be1c1e192a700139d7cff5059af81c0234ed5f032796036a1a4879b032ce4eedd16a121bbf776f17bc84a0012846f467ad48b46db4008841c25b779c7d8f5a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
f4746717bd7ffc7f183c71abe46a2933

SHA1
9330df400e4d86b91263cc9ca82bf9310e843b81

SHA256
043e6388eb6594270a8832ce48c9238c95cde2d4ab9bd0b62523f32f85cd93fd

SHA512
3c442c2265e16dcb6df1efc73f52fcc6a8fe6b9af80d27ec9484a51c95af0d155b2fa35d82eb3efb83f00ade3badc1066aa802b8e74824a6696e0edee1c6b3a8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
8f1b45925bc87e00fa33bee895e44942

SHA1
4a9236a77e4e7c86474cf02a204ca2c823ab7e58

SHA256
8d625c191842f41beaaa906c0e5e702d66252cdd53182958ddca598aba5ac754

SHA512
ce5619fb8fed681aebb288660ccb2cdcff4278eb7adea459f9cc510e69e3c6781e854c87160f9796cb208e66fe49495999319c9cb656f9c54b3716cf5dee6f56

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
979f1d35c0dcb7233dc1ab500cdb16c8

SHA1
7aeebd89893193f2b1a4e0794a31d32932cc67c3

SHA256
ab5d988c721f003be689f2092a717f1f59cbcb210a4ec9ecc7145162e882ad6c

SHA512
bdc02affa935786fc49ef6ef8412b71895326114ce4550c31117862cd8f42d8297bcc3e357af8cbcdf75a50a84a4d2fbd65703a9aac3be588ac41c00a033d728

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
4d6c87b79f82eced3b1f76f460f24396

SHA1
41ec975a928a27b87b651d6eba5cfc3cd4ef4a5f

SHA256
b4e4f907211b053e6e58d023728dccebd043a6f8c0e9c002e1595bce0aec8638

SHA512
7678f7d07e973e75175d3c05f3f447baa7f2dcc522986c47bc19d4ea3ebeb46e0754fc4b102aeaab92773af5f6430d861a201d54ea7bdb8ce3c5bbfafd34945e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
344KB

MD5
d200934356e19ea0a012dd43d1761dee

SHA1
b004a29b4e8c5073716b804e7c9be2f5525b8a83

SHA256
84ef6806152f0eed56e7f0e7c8b2ec431f780f49231d668498563acddbed550c

SHA512
768db9f0521473928e53a901fa25eb4b4fb632b5503df1ea6625e6def979be114d88d054354bda10b9375db5989e1cc678c02d433306dff4bccb7e5157af62a5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\d9063c1a-5312-453d-a629-e6ea43fc2c7a.tmp

Filesize
344KB

MD5
2745753e1311e115524a7834931a8e5f

SHA1
c9874beb4a53f5cad5843ebd245b7671e7da0c98

SHA256
f1968f73fc6476ccf9b1649ab267bb411fb019065fa5555d5ebfe8b18c2070e0

SHA512
6f4e459e7cba98de75ed2fe064d980368cc73806779964504e6a554ca661e35e9f06adde372158c3f7ab43e10d55c02e7aa840f6def154f9bfc3afd4d188029f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\291618\Phys.com

Filesize
110KB

MD5
2a20c99c41821f0fb94590f08d1cfe1c

SHA1
a1451e1bc0f7045e4b81f31f0ed1eaf920ce092f

SHA256
95b9b1e92e0ccea5d05c15c7cc9e9be9bc04865a7b5cafbcf83c43ce0c6c0a88

SHA512
db6971a9594c13ca426039053829cf7705144792ebc8d4b8f7f336db0dd6d723193a9cc8d53245734cda7727f26141cf3e2b6fe37a18a21353e89d6fb541b5b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\291618\x

Filesize
461KB

MD5
042bce38fb2013d46defba954d0c7462

SHA1
95110de97431672d9f2e7753c8c157cf743e60f2

SHA256
056e08ff1354e83d46bb1ac6b1316ad2a1da5521a86c860b0868e037c2d4357b

SHA512
b86a90dceacd1cb22611dd84c9313e6f9009c8635e2cc047b3c3be23c1f0f08fa1dffbe1eab4a571c754ea75006f37cdca88af74150976d2fda039feaf55480d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Asset

Filesize
92KB

MD5
d5130b7af488fc8ca62e63472d2d2e22

SHA1
b49785df2de6b2ab1f3240c8cb4d7ba66e62d8c9

SHA256
8368d561c351f4d5434882e6ffaf1ae446728c216b23b55e0d8f0c4e14ad9153

SHA512
c6cf35025cf97bac273eb7dfdba7ee1294fbd6d8ca17739f8c568e245d7a21a03fd83ba43195680dda350785c14f719c4fbbbea6c0555f9de757d0cda4c41421

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Ate

Filesize
53KB

MD5
7b3fd1acca771568cb3aef82666a77f0

SHA1
63aaa40c009371f8c312f463f7bb621e9f0e00c6

SHA256
d1c2c0e4e25450887e41e841d106b4f527a68a6e5da2ab129d9ea9f4c0a358ec

SHA512
a54c0492630abee4a545a7e7c5c40132778f5766ae4e2dcbf234821ac1857225d96514ad763a0c73a49c5b5dc86409033ded531e2e6e6c6d1a9255f95c889ccb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Attendance

Filesize
86KB

MD5
84fa8fa93ecba8b7c599fe633f8488f6

SHA1
505c6b205a25846e118bbc1cedb196b0988741bb

SHA256
c56c757a9062ca236958d79f42172ed8ee16d06fba17178c13a91969a5700c85

SHA512
1487b53c307194a667edbcea013545a570ecc4b8dfe1948ea6fc508a03cc146b41ef7fe2a4e6ea6163433d9ede497a8e03c4b446ade0e027870a8dc65ba9cd54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Blood

Filesize
94KB

MD5
118fe5e0f73cade9847c853209a9d1d6

SHA1
a4bddf4e1d07b630a7d51414431e44f896761384

SHA256
5828f7dbd2a2f0078f86e9c68c58c6ff7a9a2c78340197969d54dbc8f21cdcdb

SHA512
3df38c11618273c8136601c146cdb8caec17deebd0ddee22c3fdb046fcf998651b09aa36742c9b7e22ad6a4e19cd07628eeda28d95705acd4243fa7b5f6a13f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Boxing

Filesize
52KB

MD5
4438585cc27324bea2b1e48354e7bfd7

SHA1
af9af4d6216c296d052ae8086288eefecdfde493

SHA256
ad6122b5dfb44530a1edd0fcf7f8ff3700ad9e32b9d1f0b30d691f54a25abcb7

SHA512
2e46c716ff9f3b2d86edae20b8ac2b3851ce00bd04f8cf17e20e5f96ebdde568fa374f819d853d1819591c9e9d630c1a8008b902d638cebb6fc2d5187a00acc8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Clark

Filesize
477KB

MD5
04b9366ce55acb39b2b55a4e822be3f0

SHA1
3fdee15987565a2074c618d81e78318687600ed2

SHA256
aea8f0a05565805ac89d074d1f5f3e9275b53e740216550dc097b64abf51b2cb

SHA512
3be8d6eb8528017cab14638fdb4b21068092b5b08ced6523143982e4eebe00ca4b2e1c608f0fd82fcaec8c05e4e17ecb2dba099d791d539ef0b189971d229987

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Doll

Filesize
56KB

MD5
046151eb036418e4fc79036f28555668

SHA1
eeb9f98db9b67ec076c9e7e39dfba0d252463d9b

SHA256
39c85db49f163366e49350e80d8516b6ac6688a7430f3a378b4caf7bf2ac7653

SHA512
bcc3eed0bc84dd8816ecf4d13ee80200cbbf0a088ca41969db5264f3d6f0e65283e9486a77bad99ae057bf539b4060bc78a8dfec0079383bc709a474fba0405e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Face

Filesize
67KB

MD5
7c4406ac94eac56ea6bff6a5556104ea

SHA1
47f49965ee5d47e90a0879c4f2d15337a776f5a6

SHA256
2a41933d82080bbf3fccf2a361970327874ff8c7b4d722153eeb70000ee551b8

SHA512
5a94215a1071d6108ebdcd8679a7fbe0ecd07dfd47f7aca10be38d052cc476469495e8dfdb7a9d39c8cedb4635dcc052ae20141322bb39622ed2cb08a337d459

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Investigated

Filesize
21KB

MD5
e9dc0e9940c3852d730fb2e7a85f59d5

SHA1
8e1e6dcc4d86549837a9f9caf535d5f65449cdce

SHA256
da9025c1ebf1a1ae88179f8de3de9e8080f3a7f03297a49b022949a2b4f8580a

SHA512
481af63c73faf2bc3d4db33ecd2a1e0fa7618f216a4b41a461463a7521beb0c541185c5c4f122bf0c7f15b8203e9ac136855c3c1a0ee0c424931bef536577a2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Jo

Filesize
94KB

MD5
8af51c052de886c9ff8cf097cd4bdd5a

SHA1
0f8de359f3440398e821cd5a79d195a47a016d2e

SHA256
5943b28b88e4224fbd486b05f3acd49c1c3240e046e2e221aaff61e6c71d945d

SHA512
034c9e1f150694989703ce907044f89d9541f8368a344c38baa2262896516366ff43967742934d22238d3a2bf1edc7221de5c900a64ddaf6d4790c5cf2d418d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Jungle

Filesize
74KB

MD5
f77ca3527c507cdc811bbcbd17c64c29

SHA1
64dd0f98bb6c1eb2c31810657cf306c9bd120bc3

SHA256
2035010d4c07bba8841a65feb9ccb2197ee851bbfc475856670ca2027e3362e6

SHA512
6e1f70407d13c6a5a594d0bc0fa4236269ba965db8aa480a7e2b0721fc803cc9c0122c1051176272996deb8de979a64a2829f98dd44cc52e2a27256cc0d5fd48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Likelihood

Filesize
115KB

MD5
0b333b799180eef96ace328e558f9d54

SHA1
923fe8999adf046057aea975f96aa0b3235b2eaf

SHA256
8c7c1a9cb6c4697b787c9ef53358e5f51e81182db24a7df3a5816f2ce6aef890

SHA512
ed89ba3311d440e4a60b0a6749f3d951fbabe93f30709139030afef7a4090cea94f66830427e4d93fa843b48d5b7c75da22d7df876c3f7b5fe0d24db6807c87f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Pat

Filesize
101KB

MD5
817d54ada89af8be9c883b019f513163

SHA1
ab12a83d060a6860ef352fbf6b89b4e7b63a19a1

SHA256
5932f89fa2d6ee47d530c6946bc730fbc7c0e776f4fd4a3397af00121ebeb01b

SHA512
0a1a74b09c22e70b2f725d66cc29a3e7b8bcf9e5802262099a06ddc43592d6b1454d2228c11af92d1a9e2e61ae25628df3fc10978f39e3a1f3bfbb9f9a921ac8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Polish

Filesize
85KB

MD5
003cc773050905b8f655f01451628d52

SHA1
fa48827542a13e12b3f2b8d5a9ea39eeb153e563

SHA256
363ca265b7f216cdd988bd8d3b4b6850e6cee1fc29be90e6dd3d3caefa30532b

SHA512
b8b903010246f05a51f9cb6fe0ce99b865377af4e644623b2c3489a0e8927f0c1d16f95495ebba06beb35b6b7d34ff761ca691d9a51189c5d4dbb3e1d43b3d17

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Relatives

Filesize
834B

MD5
d3c55dcc231e4f907ca2bd5acd955001

SHA1
8fda516752dc23b4027dda8bce3322d2ee9faaa7

SHA256
d202cb21e13eb4152732414610f98eb506d5b64a900895118a7a7abbc226541f

SHA512
8e99307ab8161486ee08c11eefcc25269b089f154da752d509b14748d0ad52b10bb30d2eee3e694f89c7f110acdc1a3e664119574bd1e59d922186e9bafc4f42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Safely

Filesize
94KB

MD5
7a17525441484f70e9cb0e3718b8d7ee

SHA1
521770cb4171560687033ab79943eb5063204e97

SHA256
e6d4093effc493f544bdbeb8f57e04f3c118b7d9bb877e74c7518530e5361b5b

SHA512
a822b6c58b85b667279a594131b364467cefc4a90377217893a58454d0e28dc41570f14f2451be33a266cfb1dcf27d221b6eb6829aec995d6a61bd98ac835c82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Scenarios

Filesize
110KB

MD5
92f021c63e8d9b68e3bba52f48851821

SHA1
3bccd87a4578ab546270ced776a3624cef68744a

SHA256
f9b93cc2c55a541c9e3b68f48c50ef5dd19be46300472b8b67eb24ee72c327ce

SHA512
9033c8e6cda8266e44edf3ffdfdde7ae9012f8c9fc108ad10d867b3fac04314ba232340adb2ed7fa514e811c0dee3c741f70caee2d0b9c48c3ec1f4ba93a0c5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Sword

Filesize
88KB

MD5
2581a04461db31d9d4ba1ca4fa54d7a7

SHA1
bb9c90d7da3165a3a0e87f265a8989bcb5b7ab08

SHA256
5164ac600e04641b570b7d243ffbdd962962835644781064567ee21ed1988713

SHA512
7faf361ff795469993bf597d3cb0c28a838f6ba53b4d9198b29f0eceaf19cd7ccc5b358ff90e2b6eb676352ae617a508dc7a56e3931cded24208e2c1e3e56aad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Terminal

Filesize
74KB

MD5
07ffab532663cc926e0d1bf37f640c2b

SHA1
9cbb8384aa2b6b9d32bb22857cecb42310557830

SHA256
808fb695c92755082f317db824575d3231698226d97a88a044786a18b9e82904

SHA512
ae0a89a78170de626dd3df71211f198830eb39817411e7903306414c7f5d04a6486f01c304603c5023b2d26c9bd674f3d0c0cb3a7b20cfd9b7b99ec909acdc37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Von

Filesize
50KB

MD5
e35c1a9b8d1379c72ef893919a5a4bb8

SHA1
17f9ec286160ee19969ef0f36433359ab6936937

SHA256
25889652ccdad6300189390a4696746741bdd9bf8782f85bcd6691f7e6f7fbe1

SHA512
08a8e8cced55d32118561f06163a21702274795a61c9542a7e5d21fb137314a13f6edc1dfbf0f89e3781df9be490cbd340a72172e8da9f15e18236fb4c2996b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab237A.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar238D.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\291618\Phys.com

Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
memory/2036-75-0x00000000035E0000-0x0000000003637000-memory.dmp

Filesize
348KB

Download
memory/2036-77-0x00000000035E0000-0x0000000003637000-memory.dmp

Filesize
348KB

Download
memory/2036-73-0x00000000035E0000-0x0000000003637000-memory.dmp

Filesize
348KB

Download
memory/2036-74-0x00000000035E0000-0x0000000003637000-memory.dmp

Filesize
348KB

Download
memory/2036-76-0x00000000035E0000-0x0000000003637000-memory.dmp

Filesize
348KB

Download