lumma | b8c493757e334234ae3f39cd7cd6ee680f2bb155ea2a6055fdb2415f9d3c2676

Analysis

max time kernel
78s
max time network
173s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09-01-2025 19:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

830.2MB
MD5

424002ad028d34a391530de7056e1a3e
SHA1

789ce1a150ae617905f780d1e954ebc5f131cb55
SHA256

4e16b88993763f67736946986abea47678ad68d3f79735579b10a35472fd1909
SHA512

f35eff83f93de61fe57c598288a419eabe0f1dbcb2f137dc0dde9d8b576d317d30f63d9f7bb2440ea9479919bfbd25d351761174272e8372589a0149eb2072bd
SSDEEP

98304:6nEph1de+/e/LsugyAvWoW1ZfrKepi918AjF+zpGYBt+XE2j+Fba3/fbwT0:0gh1KLhgyRoW7Y9f+jBc02j+I/fW

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://robinsharez.shop/api

https://handscreamny.shop/api

https://chipdonkeruz.shop/api

https://versersleep.shop/api

https://crowdwarek.shop/api

https://apporholis.shop/api

https://femalsabler.shop/api

https://soundtappysk.shop/api

https://breathauthorit.cyou/api

Extracted

Family

lumma

https://breathauthorit.cyou/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Executes dropped EXE 1 IoCs

pid	Process
1776	Transparency.com

Loads dropped DLL 1 IoCs

pid	Process
2988	cmd.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
2208	tasklist.exe
2752	tasklist.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\CourtIrs	file.exe
File opened for modification	C:\Windows\ColumbiaMadness	file.exe
File opened for modification	C:\Windows\RobertSwim	file.exe
File opened for modification	C:\Windows\AcademicMiss	file.exe
File opened for modification	C:\Windows\PsMyspace	file.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	file.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Transparency.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	Transparency.com
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Transparency.com
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Transparency.com

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1776	Transparency.com
1776	Transparency.com
1776	Transparency.com
1964	chrome.exe
1964	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2208	tasklist.exe
Token: SeDebugPrivilege	2752	tasklist.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe

Suspicious use of FindShellTrayWindow 37 IoCs

pid	Process
1776	Transparency.com
1776	Transparency.com
1776	Transparency.com
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe

Suspicious use of SendNotifyMessage 35 IoCs

pid	Process
1776	Transparency.com
1776	Transparency.com
1776	Transparency.com
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1800 wrote to memory of 2988	1800	file.exe	31
PID 1800 wrote to memory of 2988	1800	file.exe	31
PID 1800 wrote to memory of 2988	1800	file.exe	31
PID 1800 wrote to memory of 2988	1800	file.exe	31
PID 2988 wrote to memory of 2208	2988	cmd.exe	33
PID 2988 wrote to memory of 2208	2988	cmd.exe	33
PID 2988 wrote to memory of 2208	2988	cmd.exe	33
PID 2988 wrote to memory of 2208	2988	cmd.exe	33
PID 2988 wrote to memory of 2192	2988	cmd.exe	34
PID 2988 wrote to memory of 2192	2988	cmd.exe	34
PID 2988 wrote to memory of 2192	2988	cmd.exe	34
PID 2988 wrote to memory of 2192	2988	cmd.exe	34
PID 2988 wrote to memory of 2752	2988	cmd.exe	36
PID 2988 wrote to memory of 2752	2988	cmd.exe	36
PID 2988 wrote to memory of 2752	2988	cmd.exe	36
PID 2988 wrote to memory of 2752	2988	cmd.exe	36
PID 2988 wrote to memory of 2748	2988	cmd.exe	37
PID 2988 wrote to memory of 2748	2988	cmd.exe	37
PID 2988 wrote to memory of 2748	2988	cmd.exe	37
PID 2988 wrote to memory of 2748	2988	cmd.exe	37
PID 2988 wrote to memory of 2912	2988	cmd.exe	38
PID 2988 wrote to memory of 2912	2988	cmd.exe	38
PID 2988 wrote to memory of 2912	2988	cmd.exe	38
PID 2988 wrote to memory of 2912	2988	cmd.exe	38
PID 2988 wrote to memory of 2784	2988	cmd.exe	39
PID 2988 wrote to memory of 2784	2988	cmd.exe	39
PID 2988 wrote to memory of 2784	2988	cmd.exe	39
PID 2988 wrote to memory of 2784	2988	cmd.exe	39
PID 2988 wrote to memory of 2700	2988	cmd.exe	40
PID 2988 wrote to memory of 2700	2988	cmd.exe	40
PID 2988 wrote to memory of 2700	2988	cmd.exe	40
PID 2988 wrote to memory of 2700	2988	cmd.exe	40
PID 2988 wrote to memory of 2516	2988	cmd.exe	41
PID 2988 wrote to memory of 2516	2988	cmd.exe	41
PID 2988 wrote to memory of 2516	2988	cmd.exe	41
PID 2988 wrote to memory of 2516	2988	cmd.exe	41
PID 2988 wrote to memory of 1468	2988	cmd.exe	42
PID 2988 wrote to memory of 1468	2988	cmd.exe	42
PID 2988 wrote to memory of 1468	2988	cmd.exe	42
PID 2988 wrote to memory of 1468	2988	cmd.exe	42
PID 2988 wrote to memory of 1776	2988	cmd.exe	43
PID 2988 wrote to memory of 1776	2988	cmd.exe	43
PID 2988 wrote to memory of 1776	2988	cmd.exe	43
PID 2988 wrote to memory of 1776	2988	cmd.exe	43
PID 2988 wrote to memory of 3036	2988	cmd.exe	44
PID 2988 wrote to memory of 3036	2988	cmd.exe	44
PID 2988 wrote to memory of 3036	2988	cmd.exe	44
PID 2988 wrote to memory of 3036	2988	cmd.exe	44
PID 1964 wrote to memory of 1184	1964	chrome.exe	48
PID 1964 wrote to memory of 1184	1964	chrome.exe	48
PID 1964 wrote to memory of 1184	1964	chrome.exe	48
PID 1964 wrote to memory of 1700	1964	chrome.exe	49
PID 1964 wrote to memory of 1700	1964	chrome.exe	49
PID 1964 wrote to memory of 1700	1964	chrome.exe	49
PID 1964 wrote to memory of 1700	1964	chrome.exe	49
PID 1964 wrote to memory of 1700	1964	chrome.exe	49
PID 1964 wrote to memory of 1700	1964	chrome.exe	49
PID 1964 wrote to memory of 1700	1964	chrome.exe	49
PID 1964 wrote to memory of 1700	1964	chrome.exe	49
PID 1964 wrote to memory of 1700	1964	chrome.exe	49
PID 1964 wrote to memory of 1700	1964	chrome.exe	49
PID 1964 wrote to memory of 1700	1964	chrome.exe	49
PID 1964 wrote to memory of 1700	1964	chrome.exe	49
PID 1964 wrote to memory of 1700	1964	chrome.exe	49

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1800
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c move Airfare Airfare.cmd & Airfare.cmd
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2988
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2208
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2192
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2752
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2748
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 412641
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2912
- - C:\Windows\SysWOW64\extrac32.exe
    extrac32 /Y /E Game
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2784
- - C:\Windows\SysWOW64\findstr.exe
    findstr /V "Ieee" Care
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2700
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b 412641\Transparency.com + Sandwich + Debug + Yr + Lincoln + Logos + Forth + Whole + Az + Contributor 412641\Transparency.com
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2516
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Introductory + ..\Hall + ..\Provide + ..\Row + ..\Adidas + ..\Electronic + ..\Midwest D
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1468
- - C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\412641\Transparency.com
    Transparency.com D
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1776
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3036

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2852

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef57a9758,0x7fef57a9768,0x7fef57a9778
  2⤵
  PID:1184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1148 --field-trial-handle=1228,i,12137436916735367275,13813200239796763951,131072 /prefetch:2
  2⤵
  PID:1700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1488 --field-trial-handle=1228,i,12137436916735367275,13813200239796763951,131072 /prefetch:8
  2⤵
  PID:2424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1596 --field-trial-handle=1228,i,12137436916735367275,13813200239796763951,131072 /prefetch:8
  2⤵
  PID:2148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2284 --field-trial-handle=1228,i,12137436916735367275,13813200239796763951,131072 /prefetch:1
  2⤵
  PID:2528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2292 --field-trial-handle=1228,i,12137436916735367275,13813200239796763951,131072 /prefetch:1
  2⤵
  PID:1276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1180 --field-trial-handle=1228,i,12137436916735367275,13813200239796763951,131072 /prefetch:2
  2⤵
  PID:1272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1132 --field-trial-handle=1228,i,12137436916735367275,13813200239796763951,131072 /prefetch:1
  2⤵
  PID:2956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3952 --field-trial-handle=1228,i,12137436916735367275,13813200239796763951,131072 /prefetch:8
  2⤵
  PID:2016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3820 --field-trial-handle=1228,i,12137436916735367275,13813200239796763951,131072 /prefetch:1
  2⤵
  PID:3064

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1000

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde
1⤵
PID:2660

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
215KB

MD5
d79b35ccf8e6af6714eb612714349097

SHA1
eb3ccc9ed29830df42f3fd129951cb8b791aaf98

SHA256
c8459799169b81fdab64d028a9ebb058ea2d0ad5feb33a11f6a45a54a5ccc365

SHA512
f4be1c1e192a700139d7cff5059af81c0234ed5f032796036a1a4879b032ce4eedd16a121bbf776f17bc84a0012846f467ad48b46db4008841c25b779c7d8f5a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001d

Filesize
18KB

MD5
a172898f2fcb326e395402d1564f7152

SHA1
580dae32b0c1e29ecf3834d10fd853d2c62b96b6

SHA256
278b3617cdd14af5b97a6da404192ada4bfe795d64f7b82665d50bc57fd2e545

SHA512
dd20ce7a589aa2b578ad751eaccda7c9e83f29ffc9f5c831d3539526ca26b22b844913adbb82da71e6975551dfa9d1594fc8192437249d7a1085d6ad6bc99006

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\2609f651f76951ef_0

Filesize
19KB

MD5
fba1e2f9052cdb6903065b1cb7e7c2c5

SHA1
badf057a85f45a1d53b49d17859595f35e6baa7b

SHA256
16df8cfc512348770586ac1763060c939935a21446d4fbf2834165eea37ceb37

SHA512
c1a6ecd7d7c85b7ea714be5286994b1b3994d9de9bd163de7625bbf75370a124651988b023fdd909327eb81fd45ab1ce4c858590c87bb5971ba9ddd7e242c2fa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\eb0840898e90dec0_0

Filesize
280B

MD5
6901bf9f8b18076a7cf7c0fb7317dc66

SHA1
7101937c0fe89d15104e11871a682040caefba50

SHA256
a8bd4b3c0cff0dcfc8d1903cdc6aaea99514bf6bd39a2c51b5346991b58c406a

SHA512
a39edc550593ab88b26c7e92316ed42864d7d2b092637363dcb7d7b9f7a6c9f07abbf56b301e253acf0fd376a335f06030f6171ec290e2e2a6a45473f01c1475

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
cd8fc1dba80e5a394c67e4e848924aaf

SHA1
b44eee2364061dd7c52f2841e276653fcd88c3f4

SHA256
e8ff3ed1912834e301d26a2842a34bf1300cd2c5a02cca47c3708516bf346a90

SHA512
9697938f71a67a451408282bc30d92edb0b34a0cca566dcc48a9e11c047ae5377a37055ee089357f44fa182366fe1b422b06dabbb697348aeb2fde94eca0cd45

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
4dcd8291f37b3b0e245b88926c87a676

SHA1
7f311468842fa7149d5589f1119c23f50311c0db

SHA256
6c79a027bd29610c74dcaf5dc7a8b7ff22d7cede86b76695d6a05fc5b183b161

SHA512
1f21e00d2cef7ecbba513266da5f5d7b7df9f24827fcfb69667ce54638172fac5fc1308fa8e093886a4d8332ac3dd00a0be69dd0b3e04d2b6bc17eac383dd638

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
e259459f431ec7406c314db52058cea4

SHA1
07db3509fcc8b84a1f9bb3684dca0e65b32236b1

SHA256
8df15719b207a67b9d2b051efb3e2d313f5455bea1b6d2243751d91b032c3f2b

SHA512
515375f6e8fff4894f4caa735584c2b62880f539addd1f0133e2be26202922f1c382758c5a36698efbf44e2bf56b2e3c08fd4c826b42858f89e65a13d0fc63ad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
822dd2c72d86828e40a69f019a46dada

SHA1
700042ac000628c2142c08ed28ac9858dd68447c

SHA256
f6d8440f13b2592d688120f3f5036df1426d28a060da50ca537ec52959d2ea13

SHA512
296ddfd92db5f0471a24eb7b043745bbf739f4a0f13b53ec7326fe8cfc2cf285820bca54a9acc49e270c633f068adb8be3f918e31e004e2511cd4596e7a9122a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
a530dfd9f4f58d43746ea9fa5e2e6dab

SHA1
247c6d79536f1a25ea7a353161d2bc2702c98637

SHA256
f0e95dcdc07fe9ff61e90779074acb838017a1d547466c312532092b7101e45e

SHA512
97a850ef447bc18689a8e9fc636b8b31cd28f79deb48c43237a83c3df8d18130ca66278a40f22e938e565b6a0ed7c4848fb672db2174f9618534dd426d891884

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
beec072c5e45206a40b4cdcfddd14794

SHA1
d5f9d5a6290fd5b4af4200f4731b4024cc70fc3f

SHA256
270b8e2828d6d0b5307793b067ef5ccc842d7dca053998b87dd6c09e84f7ae49

SHA512
b0f5e0e4fcfc3eeacf5ba7eb1812afc8cd47bb1e072ecac2cc6f4d84c788bb4cacf3d4fcc018ab0b76bb370e9342a5fe33b99942d83a52f4d44caa332a9c8204

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
2926846233570f5463760b0c85f197b5

SHA1
cbab50bc3362ac312e7a176afe0adb98f435c885

SHA256
905bffc3143642dc52655b1f020ea309000229412cb0219cbffb88407a4c3a04

SHA512
446eb7d4cf4bd251e5c75f6d93dfc51e36bdf57dd36d17b33e2cf44981f3d32b2c34253b9ded3beb2e59d010fcfa66801d2c200d485747c1e19fe9bacce31cee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\412641\D

Filesize
481KB

MD5
0c3edf35ac4b16c96c96263f5690c4ca

SHA1
b4bfd35f66703ded75b909108b37151baacd5315

SHA256
0d8a755776bfe01badb823cfee4170e666c929cc6b61ea01a913064e3c30256a

SHA512
2e66b11b735510d4cbfe8ebe8e4129168eadf765263c17e915a1d4067ad275b400732d092619b3e1b3145c64fa2150b9724f54b38ec579803b77ff091a60dd4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\412641\Transparency.com

Filesize
234KB

MD5
01992250bdfcb87ccbe1b9de60a9dc94

SHA1
c3d057ee7dc2d640fe79c2d0d4cff49b51ae1638

SHA256
8117d60f63d77d1a484d212b2a755eff50776f9299bf851795af3911307a26da

SHA512
9495e9b23bd05565b7adc1dadf1f27f25a6a44efa0f7829c798f11bf0ddb04873ecde7167cd031cd15bdfd8d8e49995ca0dd058cf1f19a16c77eebafa69ae717

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Adidas

Filesize
50KB

MD5
8890ad30217b5eac28a806c9f6646826

SHA1
afd0283e69996ffbe1a0032012706fa2f75001e7

SHA256
054fa236b21affc36c8fd8d5334816e1cb40b7979671af696c9948d90945ea9f

SHA512
13e19ee19f385fb0d50d498cd034cdd9bd4c379cc001f470c5e1bb95b8061516717fb6f3503ce6b3cde45bc937f3ae1387dd0810f2b57204250601dac727d76a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Airfare

Filesize
18KB

MD5
25d9238d8454b26e9a9cb229c98bb520

SHA1
5417100dfd897da358d0bb9c013a834a7e059107

SHA256
894a2fc5415442dcb534ff571f78831188d29e44668f432f21e1660ef12ec251

SHA512
937ceb26875b6554c255ada796b80c12ac577289f6c34e1dcc5743308d5028b3fa63913d16e90651594b9771a3d6d01ed077d5f673c9ce67df9825209339ebd0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Az

Filesize
146KB

MD5
f9186f6da3e4c3b6a8f644ef35c13475

SHA1
0f103554610d4b06a2298e788d1ea2e210304265

SHA256
bfe6f657bb5f67d1b94ebe0c00c27f06fc22d84274f5fc3f346d6b589be1acba

SHA512
8d75ad6e311faf72ebe2e2a540a2c448efb076a97500f9bdd2ce99d1ead503dc394478cfe8a82190e9c8d622a0d4ec24ac79b0afaefd256c5893fdfed033fba7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Care

Filesize
1KB

MD5
44eb9df3267c5181eaa90b2288157501

SHA1
1bd9acfef72eeb5dd2839539b679de235b2fd19c

SHA256
688a20527200703b8bd423c6d5d472132a0b121841f510e3b5975ef4305a482e

SHA512
50872ed9f26bf10a83f2bb72821d0cfd4881a0101fb5beaf011dacf5c54b22409d7e9c89549fbec89e7accd1623eade2dfa6fc1909b7dad238553e5c30c75ae5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Contributor

Filesize
41KB

MD5
6208d841411b7ff00e91ed79cb19613c

SHA1
59a09fdca4c21f1f47522c2e1dc292ecca6222c4

SHA256
c40977c34c4307a530a61d712a57405d8e9e303c54310a4cb51b66c9fa88327a

SHA512
01b6657ff7b5fd6180d167ad16dd55deb706f2c0bd04d1a55d7cf6058cb907639ad64d69535d74f8af2a122bc9c2bc1f3fffe08424d243d6c91ac084d7629d20

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Debug

Filesize
108KB

MD5
4cfa622df8e07dd1ab9eba5c66b12dcc

SHA1
06fd48637aa167d04cee86e58ee035732b201f16

SHA256
7d74344414fdeb7be797fb12144a390245130a505100607dd924e6473ade6318

SHA512
f2ff34b55d684663dc4350953d2486c89eea85d78163a6adf4e91b9a6054ae7b05a6c7abbbfe42ee465595870ab99f71e419b84d4f01394a3f7660df13b7fba6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Electronic

Filesize
89KB

MD5
82952dacc84d83a87ded1197f0141b79

SHA1
a3c5731314ffb65e7e4235d38b3178764f9b66f6

SHA256
dc396d66af1711dbb966cb79f74f4beeefa83ef9c43736b0019ea6384383ddc7

SHA512
22a307e3b61eb997e5e2e91779cc972a0e4e4bfe031da6176a8dd7a4eef3373d3e2c2e5da645e8158bc0526d8d1896c77d63553916b812601b2480e075d60f87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Forth

Filesize
107KB

MD5
05b03a2332d090e42ed3b18c304383c8

SHA1
c3afb8301895445ee942ff221d612b98328d837d

SHA256
c394b91818796e889470a2abe97a51462bad6ae515a73d789237b465ac1fa52c

SHA512
00a732e56693ea3952f94c3439570ee2250bc1ac0e47e6f550ab53a5a68cc51f419662ed6e2fd2f6723638f0a56b571d1f90fa40da68630860b93de75f345df8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Game

Filesize
477KB

MD5
0b4236ee1e6350c30fbc43b4df21714a

SHA1
a47d0148c539f8f02e3cb243e726d4074868923e

SHA256
e6f9e5da28273b3febc71b10fac7856d16a29ecd43b200e54130fad034bd06bb

SHA512
ed3eb9b88333cc0284cc33730103a8859078e25492d7d4a94e38bf3440b7eca2e0ad3defeb38b2e3a3ac2922df97486e102415883bb9b0d2f3c2735805c3a909

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Hall

Filesize
59KB

MD5
55adfbea53950d4c53d8be4554f1fa72

SHA1
61a4fd8ac6637a9ff2956ed86c0db9200af42fcb

SHA256
3bea64f987a506e9b1a8ef9d7a817a6a9dafec35e3872226bc6e534b54e06fb1

SHA512
79dac2f5d0f2296029f67c282b51bb87b16c22947b425793e20d77c39c4907c8c16395edac9608441af9c55c6eb20935c31a430b889826c9b947b887efa67d8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Introductory

Filesize
58KB

MD5
45cad5710cf32a1b405656194cb286a1

SHA1
7fbb73ce6f09b1b47b08b882b57cafb06761e4e9

SHA256
eaeb62c9055c367a954a454ce6e65d9f995720e8a057bb801a6698afa6aa1470

SHA512
a5d3d3bc82f56cdc4afbc19a2efd4347fd07421e86f7d97e00a5424126be8f5bd1655cdaa8def2472ef1449793810d9050d60b3870f712f0f34f39347421639a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Lincoln

Filesize
118KB

MD5
13c3c8e5d05f6fbefe9ed8f22e8b617d

SHA1
7a3a0cf920747661e6dde7c783d9eacf8440ae3f

SHA256
e7969ae321cb61b7cbb8fc3ce002fe884f3d6b2deeaf0cce19eb0adb13624dd1

SHA512
08ddd0c83d884f2c6a337054ff0c3230f9bd0432eaeb7b553877b27276c2645f3bf9d9aab887ada989241f5c3ec8fa9633ce5b5c808b823833ddd9edc95da054

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Logos

Filesize
125KB

MD5
bc6ab270f03dfbd5329aea95f451d3b0

SHA1
8a13c5e7bfc51e763da990243eb8e56dd9609d00

SHA256
8e605cf4ffa066438b355076af8230e84da4c9c3dff33d35b0b02b932e80ca7e

SHA512
632078cd4969b52ace062c79421f1d1e5383a35477bd5c322a1319823f117e204b2ede88874400e5d11ccea0be5dea46a233700d19a05683fb492730c71e588b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Midwest

Filesize
40KB

MD5
d2a8164fb8c5f663a2272f8d75232fcb

SHA1
95ff11101bea0a60d067b483c3323567cc613d1b

SHA256
6309998f0a4911ee4ca067eb9feb974e5de7c95db6524e66086c7c1b57265bb5

SHA512
f631bd964f09db2734bd207750a3a57804e57d30a68560d02f66ad5c3e4c6ce9fa7403b297b1caf6140390dec9f14e8c50c59e4e3ed9a2a3016f67bbb0bcaa45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Provide

Filesize
91KB

MD5
3f8be08648f90fbcbcb0ffd959e5ecd4

SHA1
641c894a38113ccb575a297d248d5945781900d4

SHA256
cf70a05214afa5f50f9475c6686b9801f720720563c15728fcb20b95571694ae

SHA512
5ef3a8f497082dc1cdfc120f9351d55a4ade9c8422e26575440ffed2266f9978ec1d9b6149727a493b2f31da82aa1d22b15ab8744026124e06bc67514b26c1a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Row

Filesize
94KB

MD5
8539f0ba658079fc94e2bde2d53549c9

SHA1
84a7d8945f4a00822ae2b38c05f79a264838b68e

SHA256
0cedc573b3f5c67842872f2dc2650ce4c45111be26d17902be26a8050e7814fd

SHA512
ee566d3e4c7ca3fd22fb74cf02d26d4857da87e2d242e0d9e896b1fe56fa348d5757a7d642266d46af4893fb23c8a4a4a0786cb621e5b46543c8bdadce0905f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Sandwich

Filesize
125KB

MD5
dca7d73b3e0ecc2bc23c202f575d0807

SHA1
d6bf2826679455a687c0c859fe8148626a574f3c

SHA256
6ef6ac9a1919cd0482fc4a6884267e50fe6ff13198afc0f8e5090d7bc9fb513b

SHA512
ce40e672f08b48372fa109b64510e28107760b41ccb26a728e52e9a377d52537160b53758f6ad87db3d75c5265ebba41f029a2d47652239de784b64ee1e7a38b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Whole

Filesize
60KB

MD5
e6b82e5ba90de9145a46f8a9d4588339

SHA1
0792b08d247f81854997627792e9f916b1fb1e8a

SHA256
7486b6a13efeade618dc9f160784605048e06c38480059af6a70bc8f74cc0555

SHA512
339449e2fcbfcb31e90c2a12166f8c1b20bd5063b6ae4ae5c6f1080f581a713c729a8b08bbf9b346049e4eebca2812998fcdf7772cb6e4725e6427a2fa14aeb5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Yr

Filesize
93KB

MD5
ceddee6b1275349218f7a7ab2688d537

SHA1
6ca0e912cc7c01cd5c258f51301424afb27a30f0

SHA256
8c2976a3714d7f475145bcbd10f407bfd7fa23107d9bd522bca71271e50fc10c

SHA512
2d442944361548399fe386eea4355759d44ea4df73e321ed47e3a4ba0c93bdad1c33f08caf130d4645a84385dfc745b74659626ebceac6f82200bc8cd4bae511

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab5082.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar50A5.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\412641\Transparency.com

Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
memory/1776-69-0x00000000037C0000-0x0000000003818000-memory.dmp

Filesize
352KB

Download
memory/1776-71-0x00000000037C0000-0x0000000003818000-memory.dmp

Filesize
352KB

Download
memory/1776-70-0x00000000037C0000-0x0000000003818000-memory.dmp

Filesize
352KB

Download
memory/1776-67-0x00000000037C0000-0x0000000003818000-memory.dmp

Filesize
352KB

Download
memory/1776-68-0x00000000037C0000-0x0000000003818000-memory.dmp

Filesize
352KB

Download
memory/2660-315-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2660-333-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download