lumma | 835da839a33cf2fe0c98b0a69d90d6ba506f67b7e9bb3897b273abfc86a7c5e4

Analysis

max time kernel
74s
max time network
145s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04/01/2025, 05:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Set-up.exe
Size

70.0MB
MD5

49ed2f49b9cf4c5cded3906c247ecd75
SHA1

57f4b2b8cb6310c0272c3d9ad50858abbcfbf7a9
SHA256

835da839a33cf2fe0c98b0a69d90d6ba506f67b7e9bb3897b273abfc86a7c5e4
SHA512

a5c0410f18702cb258ea0aa2242eaa638ac258c43f0d5549794f7253f285cc587fcf461812a96fa114ae88f4bb3fafeddc95b5a4b871546bf45a6c39da8533dd
SSDEEP

12288:oClTmK/OHyQ0nUQL3xfbwfTsLPeh6BhEIaR6yZMwsQ/SZduLdgchrm+qNIolZN/Z:oITmIOMUQVjVPu6Bk6GrmpIoXNNp/1gg

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://cloudewahsj.shop/api

https://rabidcowse.shop/api

https://noisycuttej.shop/api

https://tirepublicerj.shop/api

https://framekgirus.shop/api

https://wholersorie.shop/api

https://abruptyopsn.shop/api

https://nearycrepso.shop/api

Extracted

Family

lumma

https://abruptyopsn.shop/api

https://wholersorie.shop/api

https://framekgirus.shop/api

https://tirepublicerj.shop/api

https://noisycuttej.shop/api

https://rabidcowse.shop/api

https://cloudewahsj.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Executes dropped EXE 1 IoCs

pid	Process
2884	Intel.com

Loads dropped DLL 1 IoCs

pid	Process
2780	cmd.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
2920	tasklist.exe
2596	tasklist.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\JeffreyDomestic	Set-up.exe
File opened for modification	C:\Windows\GroundAngela	Set-up.exe
File opened for modification	C:\Windows\AsciiKidney	Set-up.exe
File opened for modification	C:\Windows\IdeCalendars	Set-up.exe
File opened for modification	C:\Windows\RevisionContracts	Set-up.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Intel.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Set-up.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2152	cmd.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Intel.com
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Intel.com
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Intel.com

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2884	Intel.com
2884	Intel.com
2884	Intel.com
1652	chrome.exe
1652	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2920	tasklist.exe
Token: SeDebugPrivilege	2596	tasklist.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe

Suspicious use of FindShellTrayWindow 53 IoCs

pid	Process
2884	Intel.com
2884	Intel.com
2884	Intel.com
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe

Suspicious use of SendNotifyMessage 51 IoCs

pid	Process
2884	Intel.com
2884	Intel.com
2884	Intel.com
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2756 wrote to memory of 2780	2756	Set-up.exe	30
PID 2756 wrote to memory of 2780	2756	Set-up.exe	30
PID 2756 wrote to memory of 2780	2756	Set-up.exe	30
PID 2756 wrote to memory of 2780	2756	Set-up.exe	30
PID 2780 wrote to memory of 2920	2780	cmd.exe	32
PID 2780 wrote to memory of 2920	2780	cmd.exe	32
PID 2780 wrote to memory of 2920	2780	cmd.exe	32
PID 2780 wrote to memory of 2920	2780	cmd.exe	32
PID 2780 wrote to memory of 2796	2780	cmd.exe	33
PID 2780 wrote to memory of 2796	2780	cmd.exe	33
PID 2780 wrote to memory of 2796	2780	cmd.exe	33
PID 2780 wrote to memory of 2796	2780	cmd.exe	33
PID 2780 wrote to memory of 2596	2780	cmd.exe	35
PID 2780 wrote to memory of 2596	2780	cmd.exe	35
PID 2780 wrote to memory of 2596	2780	cmd.exe	35
PID 2780 wrote to memory of 2596	2780	cmd.exe	35
PID 2780 wrote to memory of 2608	2780	cmd.exe	36
PID 2780 wrote to memory of 2608	2780	cmd.exe	36
PID 2780 wrote to memory of 2608	2780	cmd.exe	36
PID 2780 wrote to memory of 2608	2780	cmd.exe	36
PID 2780 wrote to memory of 2212	2780	cmd.exe	37
PID 2780 wrote to memory of 2212	2780	cmd.exe	37
PID 2780 wrote to memory of 2212	2780	cmd.exe	37
PID 2780 wrote to memory of 2212	2780	cmd.exe	37
PID 2780 wrote to memory of 1928	2780	cmd.exe	38
PID 2780 wrote to memory of 1928	2780	cmd.exe	38
PID 2780 wrote to memory of 1928	2780	cmd.exe	38
PID 2780 wrote to memory of 1928	2780	cmd.exe	38
PID 2780 wrote to memory of 2108	2780	cmd.exe	39
PID 2780 wrote to memory of 2108	2780	cmd.exe	39
PID 2780 wrote to memory of 2108	2780	cmd.exe	39
PID 2780 wrote to memory of 2108	2780	cmd.exe	39
PID 2780 wrote to memory of 2152	2780	cmd.exe	40
PID 2780 wrote to memory of 2152	2780	cmd.exe	40
PID 2780 wrote to memory of 2152	2780	cmd.exe	40
PID 2780 wrote to memory of 2152	2780	cmd.exe	40
PID 2780 wrote to memory of 2068	2780	cmd.exe	41
PID 2780 wrote to memory of 2068	2780	cmd.exe	41
PID 2780 wrote to memory of 2068	2780	cmd.exe	41
PID 2780 wrote to memory of 2068	2780	cmd.exe	41
PID 2780 wrote to memory of 2884	2780	cmd.exe	42
PID 2780 wrote to memory of 2884	2780	cmd.exe	42
PID 2780 wrote to memory of 2884	2780	cmd.exe	42
PID 2780 wrote to memory of 2884	2780	cmd.exe	42
PID 2780 wrote to memory of 1852	2780	cmd.exe	43
PID 2780 wrote to memory of 1852	2780	cmd.exe	43
PID 2780 wrote to memory of 1852	2780	cmd.exe	43
PID 2780 wrote to memory of 1852	2780	cmd.exe	43
PID 1652 wrote to memory of 972	1652	chrome.exe	49
PID 1652 wrote to memory of 972	1652	chrome.exe	49
PID 1652 wrote to memory of 972	1652	chrome.exe	49
PID 1652 wrote to memory of 2464	1652	chrome.exe	50
PID 1652 wrote to memory of 2464	1652	chrome.exe	50
PID 1652 wrote to memory of 2464	1652	chrome.exe	50
PID 1652 wrote to memory of 2464	1652	chrome.exe	50
PID 1652 wrote to memory of 2464	1652	chrome.exe	50
PID 1652 wrote to memory of 2464	1652	chrome.exe	50
PID 1652 wrote to memory of 2464	1652	chrome.exe	50
PID 1652 wrote to memory of 2464	1652	chrome.exe	50
PID 1652 wrote to memory of 2464	1652	chrome.exe	50
PID 1652 wrote to memory of 2464	1652	chrome.exe	50
PID 1652 wrote to memory of 2464	1652	chrome.exe	50
PID 1652 wrote to memory of 2464	1652	chrome.exe	50
PID 1652 wrote to memory of 2464	1652	chrome.exe	50

C:\Users\Admin\AppData\Local\Temp\Set-up.exe
"C:\Users\Admin\AppData\Local\Temp\Set-up.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2756
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c move Speaker Speaker.cmd & Speaker.cmd
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2780
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2920
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2796
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2596
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2608
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 797812
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2212
- - C:\Windows\SysWOW64\extrac32.exe
    extrac32 /Y /E Shell
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1928
- - C:\Windows\SysWOW64\findstr.exe
    findstr /V "Puppy" Particular
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2108
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b 797812\Intel.com + Injured + V + Ice + Officials + Developing + Enhancement + Admitted + Jerry + Previous 797812\Intel.com
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:2152
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Transfer + ..\Matthew + ..\Cases + ..\Puzzle + ..\Perceived + ..\Discs O
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2068
- - C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\797812\Intel.com
    Intel.com O
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2884
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1852

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2516

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2344

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef5df9758,0x7fef5df9768,0x7fef5df9778
  2⤵
  PID:972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1144 --field-trial-handle=1208,i,16653998792511065379,6637280092335799049,131072 /prefetch:2
  2⤵
  PID:2464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1416 --field-trial-handle=1208,i,16653998792511065379,6637280092335799049,131072 /prefetch:8
  2⤵
  PID:2336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1444 --field-trial-handle=1208,i,16653998792511065379,6637280092335799049,131072 /prefetch:8
  2⤵
  PID:2184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2128 --field-trial-handle=1208,i,16653998792511065379,6637280092335799049,131072 /prefetch:1
  2⤵
  PID:2656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2136 --field-trial-handle=1208,i,16653998792511065379,6637280092335799049,131072 /prefetch:1
  2⤵
  PID:2536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1744 --field-trial-handle=1208,i,16653998792511065379,6637280092335799049,131072 /prefetch:2
  2⤵
  PID:2756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1788 --field-trial-handle=1208,i,16653998792511065379,6637280092335799049,131072 /prefetch:1
  2⤵
  PID:1384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3572 --field-trial-handle=1208,i,16653998792511065379,6637280092335799049,131072 /prefetch:8
  2⤵
  PID:2228
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  PID:2408
- - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x154,0x158,0x15c,0x128,0x160,0x13feb7688,0x13feb7698,0x13feb76a8
    3⤵
    PID:1556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3696 --field-trial-handle=1208,i,16653998792511065379,6637280092335799049,131072 /prefetch:1
  2⤵
  PID:2204

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
215KB

MD5
d79b35ccf8e6af6714eb612714349097

SHA1
eb3ccc9ed29830df42f3fd129951cb8b791aaf98

SHA256
c8459799169b81fdab64d028a9ebb058ea2d0ad5feb33a11f6a45a54a5ccc365

SHA512
f4be1c1e192a700139d7cff5059af81c0234ed5f032796036a1a4879b032ce4eedd16a121bbf776f17bc84a0012846f467ad48b46db4008841c25b779c7d8f5a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
361B

MD5
8377e1811a85e908ccd5930711e91a90

SHA1
6589bdc9a60dcd22eeb7769acc872071ae4f361e

SHA256
c1da15234c7dea188851b27f3a3bf623619bf59db77122a9224273779af67f82

SHA512
ad26d43354481839922f912f121828afac7afc0b5aa637272563cea17d3a1a5cd0cc0836f07077a99b4400a64b16bb3e4e90a156ffcdd68e8897d5bbd10f5691

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
2bf83688018df5e828cd6a5cec2a4b8c

SHA1
9bd80113638a8519b6e46e41b916a3c299390d0b

SHA256
8a9eac88fc12367152dc483a8cd001cf6215ded5ffd7292c929642f667806810

SHA512
0339779da4792bb5d913172c395e9a38222dfdad7314888a4891d9206c66dd978162419c31d26372aa58ab7f4126c6e3ab9451bdc5aed16e90b1b2531bf6a2ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
0d1190fffde0ca9e00d5c87caf3a91b4

SHA1
3415d64932d757b1eb374c443f6bee16641c607c

SHA256
cb762936f62eb8a7fb64125ab26bfccdf41cb2dd82a914e8d05ceb7a84b3388b

SHA512
eeca05b8499c10a79746507a5c417f9384ccc0bced43631257b12e2df9cefd3e3396468860a526f78dfa5a2237e1398aa74cab327b4f4ed7bcad1cfa247813c2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
5553939c3697a4550f69c55463983594

SHA1
e683de149342efd3c5e5f80375b4d75a8b5d9e65

SHA256
a4e779faee573cd9c2688018b283001935c23735625ceafba5acbf88c1a7a16e

SHA512
3d33c126c771ef12e9dca7fd6f3139a761ef7d2232bc30e60ce2703d7238b02c40fb4f3f60a4f52afdf37e53ef19d9f5b9407f7a821c604988eab94cfdb3858d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\797812\Intel.com

Filesize
2KB

MD5
d8e7546d4b3939adf568dff5ac1c3243

SHA1
15538d81020cab6111602ec349a9f9ca94e0e534

SHA256
4dcad7419b7954b9d9f6e74f6451c18bd4d35aae98904849d094c37c20c45ead

SHA512
7668683df9f5469b9b4545a30c48741d7e80f0649de8ceb9b6eeda2a5650ff2ab5a5acbd80a5d388c27e74740feb72c33ab6dc70bc4dcb7a89e4e509ec5ad9c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\797812\O

Filesize
464KB

MD5
0bd0df4e02c980a190bd097f008bb439

SHA1
902586720fc203bb84bab0b3de6d8ab7d39bf3d9

SHA256
74caf515469d0b3e63ba733a51ddc56c1e60ae32559667894f731206a124e789

SHA512
90b2131e371c7fa33c200a3d3ec3b54d06d9d0716bdcf78f2fc5f19ea5551096ee60fce187eaca65806f5d871c0fdf5b2943ddfca0a446aa37504f21da9a9d48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Admitted

Filesize
135KB

MD5
33f046e8e2bc5e2628011afe5eea2c61

SHA1
0b955ec3a67dfaac377e4d7dded520fd895fc45a

SHA256
ed8ad3a85aee815c6659856a76e2e6c5ba4d949105ad3ec08a5c9652115781c2

SHA512
385aa200c9b060e63e0787f8b6b73de96c6c7b3e3e3b43379c6e0ff2cdde9cea2078f1d3486252e7f37421e7cf9e85095b045b83bd21addaeec5a97279446696

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Cases

Filesize
58KB

MD5
b5e040a81938d5bf11145baebeacd25b

SHA1
bc7e59688c3306b764ac23b260114ec90c0bf00e

SHA256
9dc17db978dad78d57cdb0cf7a0ff42c0ff42ae3626e47d36f426c7a8d49f286

SHA512
942232bab7f16827c384e7a4294f81b3b4571cba31b1324a9d5ce56b4781f3aa60432bafecb48be8fb73ce5a9da2bbbd9bc5f4e0e6189d36cf457070bb3eaef7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Developing

Filesize
105KB

MD5
4e37b5b3167b8ea88db2078668eedc6a

SHA1
bf3ccd401fcd28b243e8f2fd2b2b8e5838ec17b9

SHA256
cbd8ad2c9777286de5c5583b6c44009be79b63b40b0fe0edf3ce64d55cfec83c

SHA512
dfc0d028ffc34446df095495423803a203c5a53bef791522309a52f251ff592098bef5650a8cba7ab5c1411480ad80165f6d2feb86a6f650c4224f287cd5b28a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Discs

Filesize
71KB

MD5
bb3e7b6ded2fe44eed6f7738770648a0

SHA1
ddb96fec00a4f550d1bf0c9dd440933c956d8bb5

SHA256
c15556ee02269eed2f6809c92e02aae44454b48da02ad30a0632b8393d041b85

SHA512
a7940155a5acfb94bd9bed3cc67e408852d2d81cd89c17574ae8acbe9c3c88330d4d14d77e4862dfea7dd3a4a20f28f8143450dae90a5a735a1144760095c02b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Enhancement

Filesize
139KB

MD5
52280c8fbb21350a3ad0867d18504cc3

SHA1
3c9b92d516b0a407211be3e227fc2935f54b0f90

SHA256
0f0e77282fd960a65030c41d71edb534d7fdf20d355efa6621a46eb56733a059

SHA512
af2bf615ad11f84ad97b6300322c93cbf7fe347870d0ea9a67fe49b66c95ab6ff89946032b910faf124e5f07305ea71130f10fa45a45ea2a7b82b33795d80bf4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Ice

Filesize
53KB

MD5
063352d783ba25a930cf15acf5d388e0

SHA1
ec18af2b572da11d0a1673c46ac4c8c793467409

SHA256
112adf15c0468eaa4331b6281be516d810d845975751ecd461552dc03d1ed455

SHA512
59044dff5f7bdfe12263e8715e05296f72720d5954de089a6ef3cdbdf5c5314c9e93dd2edc1d21cdd27c5c02064e3e7f41e9aaac458d23a75038a0d4e7112197

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Injured

Filesize
71KB

MD5
591a579c6d8a1c3189f09acd0f93be9d

SHA1
96f07e53507bc3973f1285c2fa6b4b7b9c6312b2

SHA256
0c0a340f85bbf7c68cac83f29debca50a30b76f9b9bddb6b14c176b42df4655c

SHA512
13a32cf44de9984e4d7862ef1b5d04b134ae7acaaed6eaf4545c9b7debf2c3a74508abb0ff26289c6d68b472caf3fc53046a5de16c33d12a377d089f157344d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Jerry

Filesize
106KB

MD5
60391536f458851f182c56c1025f90c5

SHA1
e65428658c931abd439b456a30ee5d995f0022bf

SHA256
d3d7faa51c5ff10248d059898039828e2217557ba1bbc357d84b4726139a1cd8

SHA512
8f6db445108a36525d1838136eea87a22f3e9e19503897bfd0d077a10dbcaa137c0b8997bb2de09226195d4d0a67fdfef4304cdb8a6a8b32fa12e478f6d80ff0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Matthew

Filesize
78KB

MD5
385c300bee7ca6167e949a099dff7d2a

SHA1
0a6a305e4468e436fec3e82448cc97a46ef6bd89

SHA256
ea16f26ac3b9dcf9b6dca5bd7af7c2bcb3d7fd9b6756cf3db936391cf086630e

SHA512
0b7296ebe440651e8159ffd5e5b43160c8c521400f585ce365eb070067f75c5a9ac08adc6dfe49f91c4592aedb9ef9a449afaec1bbcf2052719a5ed365c5362c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Officials

Filesize
134KB

MD5
30ae5d75a9caccb0c7902f70949af0dc

SHA1
8a9bf9deea246b31686724c52c01fde54a56f618

SHA256
bcfcb407595df90414d10c6422bbac2ccfed48f59076b35fa950c236b36774e9

SHA512
cd3f826bac499d91506288bac9b7cd0f484c3104d7bafe192fc7bbc6531f23848071234489db05f6b5c4cdf1916f3885a42270e293d29e8373280d2781751004

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Particular

Filesize
2KB

MD5
dec7eb7a03564e0f8a19997d269f0714

SHA1
4c5958fa7e7698a2360f3f28302150ba2dee9129

SHA256
685c2466be6ac0fc2163f833740a14e3bb993d77b02c9209b809eb65cd16e211

SHA512
ad8e3ae2c218771dd557fbb8b0c7bbcfa43615146432b14edd4d5d003463231bacffa1189ff48b7dbe53bd6eaf069c075fefee1c4abbf4b656ce4b7bdfa058de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Perceived

Filesize
87KB

MD5
27148b31a570368ff17ddf2dee97cbcc

SHA1
408ae7f88b7e57542e726c3623bd08c92f3cf23b

SHA256
d8fc5ccf796b04f34f4c4321e4a600123e5457db675b249624fad42c97b98611

SHA512
77527bdf9b99c54ccefc5db61ce70eb62b35edf8d17487768bb9de42ce914eb9b0548dddeae308266aa83f737786edbc769d2092cab9a890daf0f888e46287a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Previous

Filesize
79KB

MD5
9e6025442f3d21ca732626ca5fc19e08

SHA1
bde6a137238f2a1f2c1bb2798e71846ee9887240

SHA256
c439f6a51f3df550babc73bcc60bbe86547df06a81a751ef88ddea47b142ac4a

SHA512
13a39212035f6870117383b8233861a9370637f9bce91629ba448a05c7edc958a83b1c15ccc96ff7144c394d3c0b085789832db0fbcc6e24d3ec72dad1a5e836

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Puzzle

Filesize
75KB

MD5
51aa267d4aaecd2cbb91563f7e4ca84e

SHA1
135b9a2175955fc78984e5244001b5de49442c60

SHA256
19cabd02c613ee1ad13565f4081899417c00734c620f66dc6c05c8a4ff7c51fd

SHA512
07a82f9ff72f5f3936e9a644b8ee5f84edbcc82c46d698f85d84221f46b6901c47d4cd2ac00a0e363224b4290fbec099261b44dbf905b31835e810159b18bc8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Shell

Filesize
476KB

MD5
17a5515f0b5cb198812d403515fef5a2

SHA1
7a6d29c7734c9f272bfdb024dbc0aed9278a965d

SHA256
a34d952416a1476ed622c3ecdcfb40c62a2153c9526cf5f291d130d9211bf3bc

SHA512
8ea7090510bd235c93af9de9ba44c6672216080b5e51cb188e4e7588dfc632dde1595044c7ef273bdad8cf4388ba366dbd8262afd28939c33ddec2619f2a905c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Speaker

Filesize
15KB

MD5
8a42c64e3f8bd9af520879f4f11b962f

SHA1
f1baf11cbef7941d2848ed9367e298ff26ad1b22

SHA256
c13d4ca226e90e1c6f91b6a8052ddb07e60d773e16c35a5eb14929254b03afb4

SHA512
a569c729f24b02ac8de9ae49f675283688b9ab98ca61b6aee931630717f3c235d3039c0fcef159cbf025a63c2eefbe2f11d82d2345dfe7153332faffad5c3d76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Transfer

Filesize
95KB

MD5
f8397f4028667e77fdadb719d655589b

SHA1
1f684532f9c019724a437acfb6c85d8b2b5d784e

SHA256
5829fec35ba896276eee8847d47597d7dcce9f060b9da19097ad298b51e9ec5a

SHA512
092dbf77f80d182259ce5fb85864f8ce566989356a1c351ce160cb88c82360d2d681001444f1efd8d646509e84a774318909aa0590952330a659d3a988576ee2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\V

Filesize
100KB

MD5
e19640e715783f26ccd25128b64af49a

SHA1
52875ff85d5d41d1a7e40016e02e0120307da125

SHA256
62eaf997bce6c1fc7bc5dd3e11966ef6c7ffb5409149bbb7c1a5f15b2bf89fc7

SHA512
7d3a528913d03f254d523d4bdd28a1bc2f580aa6e647196c0838c727d665052eee2b2f6d035a598c40f5960fcf1fa197641e850c85cf9a72f6a33b8d04feed01

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabB972.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB984.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\797812\Intel.com

Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
memory/2884-69-0x0000000003430000-0x0000000003487000-memory.dmp

Filesize
348KB

Download
memory/2884-68-0x0000000003430000-0x0000000003487000-memory.dmp

Filesize
348KB

Download
memory/2884-67-0x0000000003430000-0x0000000003487000-memory.dmp

Filesize
348KB

Download
memory/2884-65-0x0000000003430000-0x0000000003487000-memory.dmp

Filesize
348KB

Download
memory/2884-66-0x0000000003430000-0x0000000003487000-memory.dmp

Filesize
348KB

Download