lumma | 8e7391f55642f8b52e8c20afb4007a7df1a85215a12660cff88590b4cc631420

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
08-01-2025 19:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

New WinRAR ZIP archive.zip
Size

14.0MB
MD5

410b420f7ea683db6602a54daf9d5d87
SHA1

458d00abcf6a69057b0ce99fc48907d710fe86d8
SHA256

8e7391f55642f8b52e8c20afb4007a7df1a85215a12660cff88590b4cc631420
SHA512

8eab468630ab0a2271c64421d7d44a0c7a7b5646dd53a46b83470e276a5cd24f542f5d1b91e3dab044e4ebe94936423a936759e6808377f08e6f804c7e236109
SSDEEP

393216:ybtPe4bLNoTzrMZdpTmBGqQCv7phabeqePBC9jX2U0KCEcH91XK:yJe4dUiEBGDgabNecX2gCE4PXK

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://freefacerz.sbs/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Executes dropped EXE 8 IoCs

pid	Process
2500	Setup.exe
1092	Way.com
808	Setup.exe
2032	Way.com
2056	Setup.exe
1408	Setup.exe
1680	Way.com
2360	Way.com

Loads dropped DLL 1 IoCs

pid	Process
2952	cmd.exe

Enumerates processes with tasklist 1 TTPs 8 IoCs

discovery

Process Discovery

T1057

pid	Process
1700	tasklist.exe
2916	tasklist.exe
2996	tasklist.exe
2052	tasklist.exe
2716	tasklist.exe
2932	tasklist.exe
1776	tasklist.exe
1040	tasklist.exe

Drops file in Windows directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Windows\CultGraphic	Setup.exe
File opened for modification	C:\Windows\ExamineConfirm	Setup.exe
File opened for modification	C:\Windows\EnterprisesTmp	Setup.exe
File opened for modification	C:\Windows\ExamineConfirm	Setup.exe
File opened for modification	C:\Windows\DeadlyIrs	Setup.exe
File opened for modification	C:\Windows\CultGraphic	Setup.exe
File opened for modification	C:\Windows\DeadlyIrs	Setup.exe
File opened for modification	C:\Windows\DeadlyIrs	Setup.exe
File opened for modification	C:\Windows\CultGraphic	Setup.exe
File opened for modification	C:\Windows\BookingReplied	Setup.exe
File opened for modification	C:\Windows\EnterprisesTmp	Setup.exe
File opened for modification	C:\Windows\BookingReplied	Setup.exe
File opened for modification	C:\Windows\BookingReplied	Setup.exe
File opened for modification	C:\Windows\CultGraphic	Setup.exe
File opened for modification	C:\Windows\EnterprisesTmp	Setup.exe
File opened for modification	C:\Windows\ExamineConfirm	Setup.exe
File opened for modification	C:\Windows\ExamineConfirm	Setup.exe
File opened for modification	C:\Windows\DeadlyIrs	Setup.exe
File opened for modification	C:\Windows\EnterprisesTmp	Setup.exe
File opened for modification	C:\Windows\BookingReplied	Setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 49 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Way.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Way.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Way.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Way.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	Way.com
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Way.com
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Way.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	Way.com
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Way.com

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
1092	Way.com
1092	Way.com
1092	Way.com
2628	7zFM.exe
2032	Way.com
2032	Way.com
2032	Way.com
2628	7zFM.exe
1680	Way.com
1680	Way.com
1680	Way.com
2360	Way.com
2360	Way.com
2360	Way.com
2628	7zFM.exe
2628	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2628	7zFM.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeRestorePrivilege	2628	7zFM.exe
Token: 35	2628	7zFM.exe
Token: SeSecurityPrivilege	2628	7zFM.exe
Token: SeDebugPrivilege	2916	tasklist.exe
Token: SeDebugPrivilege	2996	tasklist.exe
Token: SeSecurityPrivilege	2628	7zFM.exe
Token: SeDebugPrivilege	2052	tasklist.exe
Token: SeDebugPrivilege	2716	tasklist.exe
Token: SeSecurityPrivilege	2628	7zFM.exe
Token: SeSecurityPrivilege	2628	7zFM.exe
Token: SeDebugPrivilege	2932	tasklist.exe
Token: SeDebugPrivilege	1776	tasklist.exe
Token: SeDebugPrivilege	1040	tasklist.exe
Token: SeDebugPrivilege	1700	tasklist.exe

Suspicious use of FindShellTrayWindow 18 IoCs

pid	Process
2628	7zFM.exe
2628	7zFM.exe
1092	Way.com
1092	Way.com
1092	Way.com
2628	7zFM.exe
2628	7zFM.exe
2032	Way.com
2032	Way.com
2032	Way.com
2628	7zFM.exe
2628	7zFM.exe
1680	Way.com
1680	Way.com
1680	Way.com
2360	Way.com
2360	Way.com
2360	Way.com

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1092	Way.com
1092	Way.com
1092	Way.com
2032	Way.com
2032	Way.com
2032	Way.com
1680	Way.com
1680	Way.com
1680	Way.com
2360	Way.com
2360	Way.com
2360	Way.com

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2628 wrote to memory of 2500	2628	7zFM.exe	31
PID 2628 wrote to memory of 2500	2628	7zFM.exe	31
PID 2628 wrote to memory of 2500	2628	7zFM.exe	31
PID 2628 wrote to memory of 2500	2628	7zFM.exe	31
PID 2628 wrote to memory of 2500	2628	7zFM.exe	31
PID 2628 wrote to memory of 2500	2628	7zFM.exe	31
PID 2628 wrote to memory of 2500	2628	7zFM.exe	31
PID 2500 wrote to memory of 2952	2500	Setup.exe	32
PID 2500 wrote to memory of 2952	2500	Setup.exe	32
PID 2500 wrote to memory of 2952	2500	Setup.exe	32
PID 2500 wrote to memory of 2952	2500	Setup.exe	32
PID 2952 wrote to memory of 2916	2952	cmd.exe	34
PID 2952 wrote to memory of 2916	2952	cmd.exe	34
PID 2952 wrote to memory of 2916	2952	cmd.exe	34
PID 2952 wrote to memory of 2916	2952	cmd.exe	34
PID 2952 wrote to memory of 2804	2952	cmd.exe	35
PID 2952 wrote to memory of 2804	2952	cmd.exe	35
PID 2952 wrote to memory of 2804	2952	cmd.exe	35
PID 2952 wrote to memory of 2804	2952	cmd.exe	35
PID 2952 wrote to memory of 2996	2952	cmd.exe	37
PID 2952 wrote to memory of 2996	2952	cmd.exe	37
PID 2952 wrote to memory of 2996	2952	cmd.exe	37
PID 2952 wrote to memory of 2996	2952	cmd.exe	37
PID 2952 wrote to memory of 2324	2952	cmd.exe	38
PID 2952 wrote to memory of 2324	2952	cmd.exe	38
PID 2952 wrote to memory of 2324	2952	cmd.exe	38
PID 2952 wrote to memory of 2324	2952	cmd.exe	38
PID 2952 wrote to memory of 2788	2952	cmd.exe	39
PID 2952 wrote to memory of 2788	2952	cmd.exe	39
PID 2952 wrote to memory of 2788	2952	cmd.exe	39
PID 2952 wrote to memory of 2788	2952	cmd.exe	39
PID 2952 wrote to memory of 2732	2952	cmd.exe	40
PID 2952 wrote to memory of 2732	2952	cmd.exe	40
PID 2952 wrote to memory of 2732	2952	cmd.exe	40
PID 2952 wrote to memory of 2732	2952	cmd.exe	40
PID 2952 wrote to memory of 1692	2952	cmd.exe	41
PID 2952 wrote to memory of 1692	2952	cmd.exe	41
PID 2952 wrote to memory of 1692	2952	cmd.exe	41
PID 2952 wrote to memory of 1692	2952	cmd.exe	41
PID 2952 wrote to memory of 1480	2952	cmd.exe	42
PID 2952 wrote to memory of 1480	2952	cmd.exe	42
PID 2952 wrote to memory of 1480	2952	cmd.exe	42
PID 2952 wrote to memory of 1480	2952	cmd.exe	42
PID 2952 wrote to memory of 3008	2952	cmd.exe	43
PID 2952 wrote to memory of 3008	2952	cmd.exe	43
PID 2952 wrote to memory of 3008	2952	cmd.exe	43
PID 2952 wrote to memory of 3008	2952	cmd.exe	43
PID 2952 wrote to memory of 1092	2952	cmd.exe	44
PID 2952 wrote to memory of 1092	2952	cmd.exe	44
PID 2952 wrote to memory of 1092	2952	cmd.exe	44
PID 2952 wrote to memory of 1092	2952	cmd.exe	44
PID 2952 wrote to memory of 600	2952	cmd.exe	45
PID 2952 wrote to memory of 600	2952	cmd.exe	45
PID 2952 wrote to memory of 600	2952	cmd.exe	45
PID 2952 wrote to memory of 600	2952	cmd.exe	45
PID 2628 wrote to memory of 808	2628	7zFM.exe	46
PID 2628 wrote to memory of 808	2628	7zFM.exe	46
PID 2628 wrote to memory of 808	2628	7zFM.exe	46
PID 2628 wrote to memory of 808	2628	7zFM.exe	46
PID 2628 wrote to memory of 808	2628	7zFM.exe	46
PID 2628 wrote to memory of 808	2628	7zFM.exe	46
PID 2628 wrote to memory of 808	2628	7zFM.exe	46
PID 808 wrote to memory of 308	808	Setup.exe	47
PID 808 wrote to memory of 308	808	Setup.exe	47

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\New WinRAR ZIP archive.zip"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2628
- C:\Users\Admin\AppData\Local\Temp\7zO44A3F2E6\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO44A3F2E6\Setup.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2500
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c move Kelkoo Kelkoo.cmd & Kelkoo.cmd
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2952
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2916
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "opssvc wrsa"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2804
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2996
  - - C:\Windows\SysWOW64\findstr.exe
      findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2324
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c md 523031
      4⤵
      System Location Discovery: System Language Discovery
      PID:2788
  - - C:\Windows\SysWOW64\extrac32.exe
      extrac32 /Y /E Clean
      4⤵
      System Location Discovery: System Language Discovery
      PID:2732
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V "AGED" Combined
      4⤵
      System Location Discovery: System Language Discovery
      PID:1692
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b 523031\Way.com + Trailers + Fig + Forming + Iran + Du + Incentive + Exciting + Purpose + Carl 523031\Way.com
      4⤵
      System Location Discovery: System Language Discovery
      PID:1480
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b ..\Pasta + ..\Bumper + ..\Containing + ..\Ta + ..\Convicted + ..\Immigrants + ..\Den T
      4⤵
      System Location Discovery: System Language Discovery
      PID:3008
  - - C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\523031\Way.com
      Way.com T
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:1092
  - - C:\Windows\SysWOW64\choice.exe
      choice /d y /t 5
      4⤵
      System Location Discovery: System Language Discovery
      PID:600
- C:\Users\Admin\AppData\Local\Temp\7zO44A94B27\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO44A94B27\Setup.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:808
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c move Kelkoo Kelkoo.cmd & Kelkoo.cmd
    3⤵
    - System Location Discovery: System Language Discovery
    PID:308
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2052
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "opssvc wrsa"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1324
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2716
  - - C:\Windows\SysWOW64\findstr.exe
      findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2196
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c md 523031
      4⤵
      System Location Discovery: System Language Discovery
      PID:2648
  - - C:\Windows\SysWOW64\extrac32.exe
      extrac32 /Y /E Clean
      4⤵
      System Location Discovery: System Language Discovery
      PID:2300
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b 523031\Way.com + Trailers + Fig + Forming + Iran + Du + Incentive + Exciting + Purpose + Carl 523031\Way.com
      4⤵
      System Location Discovery: System Language Discovery
      PID:3048
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b ..\Pasta + ..\Bumper + ..\Containing + ..\Ta + ..\Convicted + ..\Immigrants + ..\Den T
      4⤵
      System Location Discovery: System Language Discovery
      PID:2868
  - - C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\523031\Way.com
      Way.com T
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:2032
  - - C:\Windows\SysWOW64\choice.exe
      choice /d y /t 5
      4⤵
      System Location Discovery: System Language Discovery
      PID:696
- C:\Users\Admin\AppData\Local\Temp\7zO44A8DB67\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO44A8DB67\Setup.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2056
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c move Kelkoo Kelkoo.cmd & Kelkoo.cmd
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1308
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2932
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "opssvc wrsa"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2704
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1776
  - - C:\Windows\SysWOW64\findstr.exe
      findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2852
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c md 523031
      4⤵
      System Location Discovery: System Language Discovery
      PID:2680
  - - C:\Windows\SysWOW64\extrac32.exe
      extrac32 /Y /E Clean
      4⤵
      System Location Discovery: System Language Discovery
      PID:2688
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b 523031\Way.com + Trailers + Fig + Forming + Iran + Du + Incentive + Exciting + Purpose + Carl 523031\Way.com
      4⤵
      System Location Discovery: System Language Discovery
      PID:1108
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b ..\Pasta + ..\Bumper + ..\Containing + ..\Ta + ..\Convicted + ..\Immigrants + ..\Den T
      4⤵
      System Location Discovery: System Language Discovery
      PID:772
  - - C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\523031\Way.com
      Way.com T
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:1680
  - - C:\Windows\SysWOW64\choice.exe
      choice /d y /t 5
      4⤵
      System Location Discovery: System Language Discovery
      PID:1488
- C:\Users\Admin\AppData\Local\Temp\7zO44A0B167\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO44A0B167\Setup.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:1408
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c move Kelkoo Kelkoo.cmd & Kelkoo.cmd
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2892
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1040
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "opssvc wrsa"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3000
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1700
  - - C:\Windows\SysWOW64\findstr.exe
      findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3044
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c md 523031
      4⤵
      System Location Discovery: System Language Discovery
      PID:2820
  - - C:\Windows\SysWOW64\extrac32.exe
      extrac32 /Y /E Clean
      4⤵
      System Location Discovery: System Language Discovery
      PID:2172
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b 523031\Way.com + Trailers + Fig + Forming + Iran + Du + Incentive + Exciting + Purpose + Carl 523031\Way.com
      4⤵
      System Location Discovery: System Language Discovery
      PID:2772
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b ..\Pasta + ..\Bumper + ..\Containing + ..\Ta + ..\Convicted + ..\Immigrants + ..\Den T
      4⤵
      System Location Discovery: System Language Discovery
      PID:1324
  - - C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\523031\Way.com
      Way.com T
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:2360
  - - C:\Windows\SysWOW64\choice.exe
      choice /d y /t 5
      4⤵
      System Location Discovery: System Language Discovery
      PID:2136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\523031\T

Filesize
493KB

MD5
a2c7b2f6dce9d6aeda54e61e2ed242ed

SHA1
56aeca314d1781f7eb60ba454dea21ab30458c1d

SHA256
5424b08b8522a00c36b0dc90d52213bbc0c1ed3a4d7e0cf8f166ea7ae2e27fc4

SHA512
a8f142530c755be42500f1fb29c54c38e686adefedf273bc25d385b2cb2302a87d870bc69fa0a7f34bd0aa7bd4ac2e57bff06d5c73e05d124eb5b8405046de11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\523031\Way.com

Filesize
2KB

MD5
744accb3dfe9177d4311a7a5b8a38de0

SHA1
df128f95c0c74d43bc2b08cccb1be3a0cd10c5bf

SHA256
896b5c031a7e787507c468cf6007ab76ab8778d5290712f82cba447b7d67f7c8

SHA512
8e3e416c8fc8699ae29284b0f0bbcf1a6a9c7a397618f3da0282f6a588cc61f4b36d94eb72367278464145e43ab038751d4cf65190f208e8acdcefcafffe1752

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Bumper

Filesize
94KB

MD5
1c72f8c8cbdf2effbd9594dc952b70ab

SHA1
b411de78ad63803e86960b5ac3423b30bc986c6d

SHA256
c6d16703534d4ad39fb381c1824da2e62f4d69388c928d59c2b7f269cddb7a55

SHA512
14d172a55613b0fa2107b381f7a82edd270c9213c5acf50f471459a036b0619ed1a010e068f8e512576312a668c2c356faccd2beea98b7328ad23b640c8eeae6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Carl

Filesize
10KB

MD5
1c4faa9b6b4d46f2f97d3004728f97e7

SHA1
f6e56dad883eb925ea29f750f738b4951f02d740

SHA256
8b6ec2190f55c01d270935370047d1bee34d8edd9293e3e49ab285ef3beea42c

SHA512
f1d0457134060a1fa9ed24e22422975c5b58acdfe7dff5a96243f09f661fb41e68287337575f5ef321f3bc4876d489da5602d4a951fc1880288e94bd3e70c8b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Carl

Filesize
96KB

MD5
07142146c5ebd0aa7b857628eaca36c3

SHA1
aa7733d926ff6b4668c0a803ccbbd8d8f1805b47

SHA256
7f4dd0cc94843f53d77dd478f1216bc384eb5310fc18de97688b577699aaaa79

SHA512
8caceb719e2d736f91b3967736260af8b8fdd4ef02ebe22bf999b9be176edafbcaed70837a42f710a648f800882ef28e0a4f50edcff1d41bff4d90046b57dce5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Clean

Filesize
477KB

MD5
da0a8975fb8eb33f4dfcfc9fe1b9b4ce

SHA1
817868120286c64ae52573b7d7686682be7d7bd5

SHA256
240ee6886e549b29f150af297d6afb50ff96cc4e3fcc17aec064c18c5d7055ce

SHA512
53ef13ca6026894db5292d6c14c3536086ac887ac86990e08757e074627dfbbec8492c1445bb488a8d4535e680b2a5ff586d799ac9d1aa54a7a2e00357e6f43b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Combined

Filesize
2KB

MD5
7a187598101986f637a5e78b6330b7e1

SHA1
80eb904296208e27ab2fb21a5e7c864f868fb004

SHA256
01dac2c074f4c2c4278a075068785087dc0a147e4e6b2778d21c9ab2bbb5b4b7

SHA512
aa1e9f28241129bcab229bccbb46ef60d6848cf6f37f493b01fb00535fb314597f90021b1daa5316be34dc7674351517dfcbc484dbd8419fa398f2ed8d337b0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Containing

Filesize
73KB

MD5
f1b2c37147023e09f8e8bc45c3b8f5af

SHA1
6e7525a751393ffc57c44eb15a7ab1cdfab8587e

SHA256
d66490d58165f0dd5d53892b9d2ee1e8aefddce0b52a800bf1db7c7764be7028

SHA512
9ba3c1ba09efb6adef25f51da8c72d41dea19ae0922bac1d97b2dbeefd5f83fc5b74d5199a49e38830d324b314b614d7c3d77908e122f951bc49828e5d0e7e97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Convicted

Filesize
56KB

MD5
f5a6846d471dda2f625d7e9df618f539

SHA1
f75eaa8c88752fd8fa89446fdb2530cd0108901e

SHA256
a4be03457e9b2aadcd5fd9ec481ce23053a2749c8f9e1c6d3510ce3e469ddb15

SHA512
2acb2448649ecb0e547118ef3b460f3dcd754521f45660a9a19247cd6746a4d2f62cfa9ba6ae363cd5ef8d65cc9bc923b9813c17e8f95cab7b6e1511fe217738

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Den

Filesize
40KB

MD5
6ca2cecfbc6798dee3b4c1b3bee5144b

SHA1
ca676cc1fa3cc2853262149ba647e267facce2b0

SHA256
d08d35c4d6b9920db95decb0b496030d4527eaf44300b20a02dae31e8f563833

SHA512
459b0afccd33b963c92ee3a6652f2ad567a48219d1b9a296c11b9f5165adfb1a9d66af032dd7ea9ec3a9e914507dda192eac8d67f478873298941195598a2125

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Du

Filesize
123KB

MD5
431e3139b47c188258b5b498db5c0908

SHA1
df12a9a3224cb903cb7d25ba5f6a98474a767a77

SHA256
3065f92427bbc0a1a83b098ac5ab7ccf547b77ad8580cd6d659117081e38cbd8

SHA512
c6a5e12e6863d237f743d755754c8e525e540d7662459970d140761aa68edc1ae15e3bbc73a4161fa995f9e42043898e972b233c79877ee963bb0590ba03ef06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Exciting

Filesize
109KB

MD5
926e28396f15fd14fd2fa54f358cce6d

SHA1
2479f6a00b503aa8a994e225ce9f245716ee2bf0

SHA256
3bfc7aebc3e00b94b9382c4523b6d39d203388e6f935a64cd56a5ceb9d1c1707

SHA512
c10fc66f8fb74913062f2040e02eda7f87cf0789e1973b1b4e17d964e39677aeec05d03d26b34e1a5378e1c326ba6fcea3e3f79439b0ae490e62adde626f64e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Fig

Filesize
70KB

MD5
32938b33c7e8231df98d2c8db6503716

SHA1
35e0e0a7aeaeaa315ddd36148db7bfab80894727

SHA256
50d3ad84a81975915325f451930450fcfcad4db960f422ed9b40bd1e818594c3

SHA512
7734bbcea2e233b080959ba27af93c6198e31a1fd19a4ce6290fea3b9b9089e71643a82c217723264c9ac0efdbdefb8565d0d3ca42939ce39e020010ce6152fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Forming

Filesize
102KB

MD5
cd5022daba5fbc9e6b77a25be21b7edf

SHA1
d89876957a5053f4de64b47dbdc747d2b5223e31

SHA256
5f86441f5397f0c166b40c37a07769f43d798e8a5624f6844b9a05aad56ba846

SHA512
b70f59f81c35cab1006fe9862b5839135685f5d72638df4e171513d934ec07400d20d8cdf9308af99b5a729f1d0d8c6bb2f5ea4defb1f5ef102405b32124899f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Immigrants

Filesize
58KB

MD5
3705ca14713aae2a6a08660f6a737f3b

SHA1
a921c257350e2ed38159a21f37097682083449c0

SHA256
bb33c3676fa623799ba81d7accbe42381b7c136fb745ba2cdb29cba734787873

SHA512
89ec6fed7e47a383d417f49ca701bd0364b073d8cffa5c9b3ffc90f400b9e1e8ac608b07987826bda9662e80cb2ed86f450a13e134d7fc5aef021e5c70c5a814

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Incentive

Filesize
106KB

MD5
1860fc016d49315fe30d6c2ca2d78aac

SHA1
0bdb6b8e676ec44ab558d7cf9250ae02b72ee542

SHA256
da1d250666a81ec5576af64f7cd75779777ebe03f7f40cc07648c087fa2c98d1

SHA512
286f96614cbcd45836119366d1c171625680120e6bc463369e9319ad7e87fc29dbf924eda1131634c13046e9caf87021755206f5b8a5c89e866a7a29ad4b716c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Iran

Filesize
64KB

MD5
b2ca47c8cf03d70ae05a9ebb6553185a

SHA1
d85f0182cf4b159c04c0cd46a7510eff4f8c3b79

SHA256
affbca32c1fc8a4cb0728a8cdb3f3fc9375fbff7c1c9272c1a52b9210a2971f1

SHA512
26617dc946820f3731028685c94d53f060a0d39aa7f2cab8af323eff6bf33d572f6268bc2a2d3e4c21e5bde76e351427f54429006c6b91b19687bcbc37a699d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Kelkoo

Filesize
24KB

MD5
0fbde0fdba307e93615786acc4b4ba49

SHA1
c54eba11961e50b021f8b2f91a4b12db81283e3d

SHA256
c9f8ace264d94c99811e4cd5272a055b556d1e1991e2a5cc44db4c46aa4197b0

SHA512
87395c9b5f03751a4c6c38f1d755fcfe08ba310d9dea44850e0dd8a749a3a54b4f697bc4dc7f1f6b12e0b56e46e59eee2e8da3b0bbe018df9de676019bd30e6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Pasta

Filesize
86KB

MD5
a9c31ed91be0cad2d31702e2510fc142

SHA1
7c292f4538502a86187e79e07df505b1c62c2ea7

SHA256
7b15711a199898e7ae758a2b2300a10ed98b91c84899666dc02f00666db18502

SHA512
d7eac026e0437dceb99e3edca695732f64c2a445e237533ef7ea05604e7aadce47c4aaeafb3f387acacc33b388cf1e78b21a903b92050e1da3d3e9b32076d918

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Purpose

Filesize
138KB

MD5
e76a7c412034a25b15e63d6f1c905833

SHA1
83a85afd0f5000df7698adfabafe4abc14817be5

SHA256
51f0482f62ca9d85aaaa3413c6da97d78ad0f833e9f88f552b0f67c7f94f5eff

SHA512
3bac75a6dc38ba4f98a9779890d0c7c8cdfaffd95ffe35da266c1647bc6c6453479772c5ba290cc4a5b647c8cd4f00b26861205ba3bc02ec7bf613d8f329cd41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Ta

Filesize
86KB

MD5
f8812ccac0a8bdc3873f77fd053609bc

SHA1
b63384454872333a20800858e1a468e93e940c35

SHA256
19c8f11dea22f76dbeee778718404f98892e64c3a4369fc88745141f25ade88f

SHA512
7ad35d7d4b99051b6db654fbc938ff9cacec60a9dabf64cc7ee84e8bb296e3e2caaf7a0d4df4f41231200ca9387c86ab4ecf9b0423af082208e657b89460c56a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Trailers

Filesize
114KB

MD5
a0d1acf188c167b34bef2bb483306cc4

SHA1
a22697ee82f2360de6e72e1d1f4057efad54d854

SHA256
8a672af99cd98aebee658852e47796f2a8bc7c4cf8d7d4463e64a4466cc0658b

SHA512
a55f230ad19c3c0f8cd4d2f5e656763cd5cf6d7992c29177d9a96fa8caf61486f183c5bfcb65ecc2cdc8fbb04dd32e03d50a5c56666a06a9cc28097733c97fa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO44A3F2E6\Setup.exe

Filesize
1.1MB

MD5
2c87ed3ac24adddcaface3c66eafc395

SHA1
1d74e99450fb026cf88b400a905ee8d4c2814652

SHA256
2bde8b140b1c7071d6e5e353e0c3a32365319f4b7a9112a3ae8d13a0ebc149d0

SHA512
9cb0370d3d14679bbeb00ea5b3df7b930969384c7cc0c26d9fc97085236c7f6cf710a10b32e46498226cdcd5714c4e9aa115a867fa40648fa280cffb5d05f257

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab280C.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar282E.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\523031\Way.com

Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
memory/1092-139-0x0000000003BB0000-0x0000000003C09000-memory.dmp

Filesize
356KB

Download
memory/1092-142-0x0000000003BB0000-0x0000000003C09000-memory.dmp

Filesize
356KB

Download
memory/1092-143-0x0000000003BB0000-0x0000000003C09000-memory.dmp

Filesize
356KB

Download
memory/1092-138-0x0000000003BB0000-0x0000000003C09000-memory.dmp

Filesize
356KB

Download
memory/1092-140-0x0000000003BB0000-0x0000000003C09000-memory.dmp

Filesize
356KB

Download