lumma | 6d11d8339ed8917190ba15dfbdf12c46d0a9d90b4b680edf54a8c65585e76e74

Resubmissions

26-11-2024 19:09

241126-xtsx3a1nfj 10

26-11-2024 19:08

241126-xs64asvmcw 7

Analysis

max time kernel
80s
max time network
82s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26-11-2024 19:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Zorara.zip
Size

498KB
MD5

935eca784190b019bddfcbd9977c9416
SHA1

7dc1869d79a110f7394afe4b93c06b586185139d
SHA256

6d11d8339ed8917190ba15dfbdf12c46d0a9d90b4b680edf54a8c65585e76e74
SHA512

624f2b2348a4ab37855cd238b244d99f9dfdf4cfd7c8bfb2e55ad72aeee161db1d8a9e961e6e31f6be5f52a0f9c0562f49e484dc9763540c7c45ea819a9cdae3
SSDEEP

12288:UmCAJEZ64ZZnv7zOCcf+X/N4mUiRvyPqBmKUU+zSy:Uc4ZZvOPBi5/BmKUBWy

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://blade-govern.sbs/api

https://story-tense-faz.sbs/api

https://disobey-curly.sbs/api

https://motion-treesz.sbs/api

https://powerful-avoids.sbs/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Application.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	Application.exe

Executes dropped EXE 22 IoCs

Processes:

luajit.exeluajit.exeluajit.exeluajit.exeluajit.exeluajit.exeluajit.exeluajit.exeluajit.exeluajit.exeluajit.exeluajit.exeluajit.exeluajit.exeApplication.exeluajit.exeBirmingham.comluajit.exeluajit.exeluajit.exeluajit.exeluajit.exe

pid	Process
4532	luajit.exe
1920	luajit.exe
1524	luajit.exe
2332	luajit.exe
2440	luajit.exe
4148	luajit.exe
1924	luajit.exe
4356	luajit.exe
1652	luajit.exe
4572	luajit.exe
2000	luajit.exe
2448	luajit.exe
3888	luajit.exe
4380	luajit.exe
4480	Application.exe
3484	luajit.exe
464	Birmingham.com
1260	luajit.exe
3036	luajit.exe
4436	luajit.exe
1524	luajit.exe
3716	luajit.exe

Loads dropped DLL 20 IoCs

Processes:

luajit.exeluajit.exeluajit.exeluajit.exeluajit.exeluajit.exeluajit.exeluajit.exeluajit.exeluajit.exeluajit.exeluajit.exeluajit.exeluajit.exeluajit.exeluajit.exeluajit.exeluajit.exeluajit.exeluajit.exe

pid	Process
4532	luajit.exe
1920	luajit.exe
1524	luajit.exe
2332	luajit.exe
2440	luajit.exe
4148	luajit.exe
1924	luajit.exe
4356	luajit.exe
1652	luajit.exe
4572	luajit.exe
2000	luajit.exe
2448	luajit.exe
3888	luajit.exe
4380	luajit.exe
3484	luajit.exe
1260	luajit.exe
3036	luajit.exe
4436	luajit.exe
1524	luajit.exe
3716	luajit.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
24	ip-api.com

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

Processes:

tasklist.exetasklist.exe

pid	Process
4608	tasklist.exe
1416	tasklist.exe

Drops file in Windows directory 3 IoCs

Processes:

luajit.exeApplication.exe

description	ioc	Process
File created	C:\Windows\Setup\Scripts\ErrorHandler.cmd	luajit.exe
File opened for modification	C:\Windows\CatholicContainer	Application.exe
File opened for modification	C:\Windows\BoxLaptops	Application.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

tasklist.execmd.exeBirmingham.comchoice.exeApplication.execmd.exefindstr.exetasklist.exefindstr.execmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Birmingham.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Application.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 2 IoCs

Processes:

7zFM.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	7zFM.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	7zFM.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

Processes:

NOTEPAD.EXE

pid	Process
2328	NOTEPAD.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exe

pid	Process
1632	schtasks.exe
2028	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

Birmingham.com

pid	Process
464	Birmingham.com
464	Birmingham.com
464	Birmingham.com
464	Birmingham.com
464	Birmingham.com
464	Birmingham.com

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

7zFM.exe

pid	Process
2452	7zFM.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

7zFM.exetasklist.exetasklist.exe

description	pid	Process
Token: SeRestorePrivilege	2452	7zFM.exe
Token: 35	2452	7zFM.exe
Token: SeSecurityPrivilege	2452	7zFM.exe
Token: SeDebugPrivilege	4608	tasklist.exe
Token: SeDebugPrivilege	1416	tasklist.exe

Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

7zFM.exeBirmingham.com

pid	Process
2452	7zFM.exe
2452	7zFM.exe
464	Birmingham.com
464	Birmingham.com
464	Birmingham.com

Suspicious use of SendNotifyMessage 3 IoCs

Processes:

Birmingham.com

pid	Process
464	Birmingham.com
464	Birmingham.com
464	Birmingham.com

Suspicious use of WriteProcessMemory 60 IoCs

Processes:

cmd.execmd.execmd.execmd.execmd.execmd.exeluajit.execmd.execmd.execmd.exeApplication.execmd.execmd.execmd.execmd.execmd.exe

description	pid	Process	procid_target
PID 3888 wrote to memory of 1920	3888	cmd.exe	105
PID 3888 wrote to memory of 1920	3888	cmd.exe	105
PID 3832 wrote to memory of 1524	3832	cmd.exe	109
PID 3832 wrote to memory of 1524	3832	cmd.exe	109
PID 4996 wrote to memory of 2332	4996	cmd.exe	112
PID 4996 wrote to memory of 2332	4996	cmd.exe	112
PID 1304 wrote to memory of 2440	1304	cmd.exe	115
PID 1304 wrote to memory of 2440	1304	cmd.exe	115
PID 2628 wrote to memory of 4148	2628	cmd.exe	118
PID 2628 wrote to memory of 4148	2628	cmd.exe	118
PID 4816 wrote to memory of 1924	4816	cmd.exe	121
PID 4816 wrote to memory of 1924	4816	cmd.exe	121
PID 1920 wrote to memory of 1632	1920	luajit.exe	126
PID 1920 wrote to memory of 1632	1920	luajit.exe	126
PID 1920 wrote to memory of 2028	1920	luajit.exe	127
PID 1920 wrote to memory of 2028	1920	luajit.exe	127
PID 3612 wrote to memory of 2448	3612	cmd.exe	137
PID 3612 wrote to memory of 2448	3612	cmd.exe	137
PID 4900 wrote to memory of 3888	4900	cmd.exe	143
PID 4900 wrote to memory of 3888	4900	cmd.exe	143
PID 4196 wrote to memory of 4380	4196	cmd.exe	146
PID 4196 wrote to memory of 4380	4196	cmd.exe	146
PID 1920 wrote to memory of 4480	1920	luajit.exe	140
PID 1920 wrote to memory of 4480	1920	luajit.exe	140
PID 1920 wrote to memory of 4480	1920	luajit.exe	140
PID 4480 wrote to memory of 800	4480	Application.exe	147
PID 4480 wrote to memory of 800	4480	Application.exe	147
PID 4480 wrote to memory of 800	4480	Application.exe	147
PID 800 wrote to memory of 4608	800	cmd.exe	150
PID 800 wrote to memory of 4608	800	cmd.exe	150
PID 800 wrote to memory of 4608	800	cmd.exe	150
PID 800 wrote to memory of 1952	800	cmd.exe	151
PID 800 wrote to memory of 1952	800	cmd.exe	151
PID 800 wrote to memory of 1952	800	cmd.exe	151
PID 800 wrote to memory of 1416	800	cmd.exe	152
PID 800 wrote to memory of 1416	800	cmd.exe	152
PID 800 wrote to memory of 1416	800	cmd.exe	152
PID 800 wrote to memory of 2476	800	cmd.exe	153
PID 800 wrote to memory of 2476	800	cmd.exe	153
PID 800 wrote to memory of 2476	800	cmd.exe	153
PID 800 wrote to memory of 880	800	cmd.exe	154
PID 800 wrote to memory of 880	800	cmd.exe	154
PID 800 wrote to memory of 880	800	cmd.exe	154
PID 800 wrote to memory of 2144	800	cmd.exe	155
PID 800 wrote to memory of 2144	800	cmd.exe	155
PID 800 wrote to memory of 2144	800	cmd.exe	155
PID 800 wrote to memory of 464	800	cmd.exe	156
PID 800 wrote to memory of 464	800	cmd.exe	156
PID 800 wrote to memory of 464	800	cmd.exe	156
PID 800 wrote to memory of 4860	800	cmd.exe	157
PID 800 wrote to memory of 4860	800	cmd.exe	157
PID 800 wrote to memory of 4860	800	cmd.exe	157
PID 4564 wrote to memory of 1260	4564	cmd.exe	161
PID 4564 wrote to memory of 1260	4564	cmd.exe	161
PID 3492 wrote to memory of 3036	3492	cmd.exe	165
PID 3492 wrote to memory of 3036	3492	cmd.exe	165
PID 4220 wrote to memory of 4436	4220	cmd.exe	168
PID 4220 wrote to memory of 4436	4220	cmd.exe	168
PID 232 wrote to memory of 1524	232	cmd.exe	172
PID 232 wrote to memory of 1524	232	cmd.exe	172

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Zorara.zip"
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2452

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1972

C:\Users\Admin\Downloads\luajit.exe
"C:\Users\Admin\Downloads\luajit.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4532

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\cfg.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:2328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Application.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:3888
- C:\Users\Admin\Downloads\luajit.exe
  luajit.exe cfg.txt
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1920
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /create /sc daily /st 11:09 /f /tn WindowsDefenderScheduledScan_ODA3 /tr ""C:\Users\Admin\AppData\Local\ODA3\ODA3.exe" "C:\Users\Admin\AppData\Local\ODA3\cfg.txt""
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1632
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /create /sc daily /st 11:09 /f /tn Setup /tr "C:/Windows/System32/oobe/Setup.exe" /rl highest
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2028
- - C:\Users\Admin\AppData\Roaming\Games\x86\Application.exe
    "C:\Users\Admin\AppData\Roaming\Games\x86\Application.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4480
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c copy Revision Revision.cmd && Revision.cmd
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:800
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4608
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "wrsa opssvc"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1952
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1416
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2476
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 415471
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:880
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Parish + ..\Merchants + ..\Fog + ..\Weblog + ..\Rel + ..\Dairy + ..\Invasion M
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2144
    - - C:\Users\Admin\AppData\Local\Temp\415471\Birmingham.com
        
        Birmingham.com M
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:464
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Application.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:3832
- C:\Users\Admin\Downloads\luajit.exe
  luajit.exe cfg.txt
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1524

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\Application.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4996
- C:\Users\Admin\Downloads\luajit.exe
  luajit.exe cfg.txt
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2332

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\Application.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1304
- C:\Users\Admin\Downloads\luajit.exe
  luajit.exe cfg.txt
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2440

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\Application.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2628
- C:\Users\Admin\Downloads\luajit.exe
  luajit.exe cfg.txt
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Application.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:4816
- C:\Users\Admin\Downloads\luajit.exe
  luajit.exe cfg.txt
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Application.bat" "
1⤵
PID:3904

C:\Users\Admin\Downloads\luajit.exe
"C:\Users\Admin\Downloads\luajit.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4356

C:\Users\Admin\Downloads\luajit.exe
"C:\Users\Admin\Downloads\luajit.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1652

C:\Users\Admin\Downloads\luajit.exe
"C:\Users\Admin\Downloads\luajit.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4572

C:\Users\Admin\Downloads\luajit.exe
"C:\Users\Admin\Downloads\luajit.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Application.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:3612
- C:\Users\Admin\Downloads\luajit.exe
  luajit.exe cfg.txt
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Application.bat" "
1⤵
PID:2880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Application.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:4900
- C:\Users\Admin\Downloads\luajit.exe
  luajit.exe cfg.txt
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3888

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\Application.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4196
- C:\Users\Admin\Downloads\luajit.exe
  luajit.exe cfg.txt
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4380

C:\Users\Admin\Downloads\luajit.exe
"C:\Users\Admin\Downloads\luajit.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3484

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\Application.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4564
- C:\Users\Admin\Downloads\luajit.exe
  luajit.exe cfg.txt
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1260

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\Application.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3492
- C:\Users\Admin\Downloads\luajit.exe
  luajit.exe cfg.txt
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3036

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\Application.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4220
- C:\Users\Admin\Downloads\luajit.exe
  luajit.exe cfg.txt
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Application.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:232
- C:\Users\Admin\Downloads\luajit.exe
  luajit.exe cfg.txt
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1524

C:\Users\Admin\Downloads\luajit.exe
"C:\Users\Admin\Downloads\luajit.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

Filesize
471B

MD5
5c804e6fb47a974389bcb2b6dce0cd73

SHA1
2b6e0be20fa5705cde49d9b95d8fd28ae41087ea

SHA256
a57d0e2c157698ad8ef542ab205995561b7d1aab8e081ad9e588301ae7d228e9

SHA512
390aff6d0a178c8545b0f7b43e8088215c5e4cc834a8e3407f40019232749e5a6574709d6d817c9cede22e17ca7bfb07459f235a436b90f1368a1fa11f497bad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

Filesize
412B

MD5
7285b3aec381139c2b1d504b6008e2c5

SHA1
6724bd20824edbe4662836ffeb31a6c4dfdb80e1

SHA256
cc40f069685f111445e8bd551eb7273cbea7d69a4f81aeef67c47ac8c1f09c92

SHA512
6ce817e6624c4b59629217409ff62583f98a28e7899eddd1cc69e8aa1bba0c61ae7d9792a494e6a28b8a92ba9f2fcfd4a70131872dac9a5356741fc992b7c1b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\XH3Z2ZON\json[1].json

Filesize
291B

MD5
c085beeb6f771b90fed94c1d940f97f6

SHA1
44a994d9175d6abaa9a3b5718e242fa659aed66a

SHA256
ff5681f440a7a4b019a4a59f43ad414393321d1eb6dc3874cea0a84e73a83c51

SHA512
9d000581b287cd3d5464c33c260008090369a4f5f380b7cfa72eb0fc3221ce0e07df0387f6d3d6b38253c215250ac873dec0f52c501e3d6312f0a5437723a76a

Download Submit
C:\Users\Admin\AppData\Local\Temp\415471\M

Filesize
470KB

MD5
1eb4f1ad3a33045ff577d9afe1e69466

SHA1
0a68d99f8d9be186cc9a5678da56699a63ced664

SHA256
cd5661e127db6fcdced932919416afeb107c0915d100b439b5a4b6fdb9c468bb

SHA512
ea20397316c65b93c0d098158ba4a3aa077eb18b0a75f72bfdc70efeba49a8518641aee41905f18186101ef94f17edda2588b727b21d3d63a02ad5b948896b39

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dairy

Filesize
79KB

MD5
aaecc697c418f0e68f8fabc430b550fe

SHA1
075933a5ce35ee04c2ec14ad78f98e3559946eed

SHA256
1ea4e0c2149a4c9346cea80e946d2cb297ec874633fef2f21bc246074eef4fe9

SHA512
01fff5e3ddb5113015e77c9529077fc26444b4b3029c55da3521d08639e99ac1ee683632fb7771854ada6a4bbc8d07dd359a4bd70cae13aa7f19bfa9eb5924b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fog

Filesize
82KB

MD5
4ec19af8cd06be8f066f98105c0f68ad

SHA1
926e5ea68fee6c191686f9e685fc5727d3c0340b

SHA256
41d903f0c53df01b24792993f3f51e9cae09348648025a670f83da5b42896856

SHA512
a25de2b384ed1a24ef2b6dbcf7ce0094598a6972ba222ad14f4cf1caa03edee5df97b1baf7b18fcd534aec69e293740ac83d9756e04032df4584faa6ed60c52e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Invasion

Filesize
22KB

MD5
0b94751985c5cc1b4d36d08ef1079776

SHA1
88785b64a0dcde83243cd2db5fe66ac8631c9350

SHA256
3739ba9b1e3a6aebd88c9a81bde77510ab5d3a84ca68e39a651df4ba55dbbc70

SHA512
9e06db7d097369ca78d229c4913ab000171ea554c714351abbd341a755a093b3bbeda7e2203d5fb745341dd7a9b3b546b255d3be02c42c06d8b79ec0da9acc7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Merchants

Filesize
55KB

MD5
c8fee1cffcdf4c723d44bb813ee6c011

SHA1
eea5dd182b46ddf4ba8c88bf5b373e00b116b579

SHA256
af717df977ffc73c7c2011e6c052daae01f8801d8f9b78ef609177a3d37ab4f1

SHA512
411cdde218b1c661841b0bfd9b398756774535e65ac9b61f7319ededfde178dbb06e064e6ddcf0fd714ccd7ecc6d6060eae26b435eb3cc41460c79004c200f86

Download Submit
C:\Users\Admin\AppData\Local\Temp\Parish

Filesize
93KB

MD5
a7e24c868a7e97c7859dbe877e04e0ba

SHA1
3927bb39b7a79c53943f161ea8cf241fb4028aea

SHA256
76f3c5b19af5e4869b1619569ec09339867f212fea6e1d4d0dc09331574a977f

SHA512
95cfa327d981bb9e14be8d00b4f7b25f8213079ad460dd1e2d6c03da43b7b85f15c726553c94f6a03ec8cfa076fb5e77cb3f6ea2df28bc5e91d87f7cb9f4eef9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rel

Filesize
76KB

MD5
2c062d5033d880aa2d565187c505e44d

SHA1
0a0fda31e2d2c52409f727cef680644a18dcc443

SHA256
a8e50612f6bf418e8a2fb87c37cbf2e92c483f88b77a7d2f1530395cad40d2e1

SHA512
bdde04cf4bca0c4953c4310c6c4b0622d2c7bbe88d651a735f585d1ff97f8acf6ada24ed7a91bd0e5a5e7ee765191ff5e950dd2153111422c2614f35f9115a11

Download Submit
C:\Users\Admin\AppData\Local\Temp\Revision

Filesize
7KB

MD5
6a61b446b20420fedb86cd3638ccfccf

SHA1
c9f40008be95f03bf81bcc99bba41cc1caaf3abb

SHA256
376f29efd12b2312963cd5b33430105f7d88b581f1a5bc1530a6dc89285ac3ca

SHA512
5a580c7aa4d78906f23781cfcb25ac1f73c085f67f34875e8752d3cf2e75c93af760789a0be0aa6225405c6e34725bfcc32e0c03d6992ca45dda0ec2b17e5a21

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tabs

Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Weblog

Filesize
63KB

MD5
6574aa1b9b0d1d458eb7c7559688150d

SHA1
d5a38753250e039ca48f0d74d86fd26eb4410c54

SHA256
542ad5772656fe92679586642dc21a0e210f77519b5d2c250d02b9b5719844e2

SHA512
1eec8daf0bd19baf3e17dc84a2fb317c9212770246de51cb7d6d3c2c338bc4617d85e5eeab990ee72ff71f21281916b81887c09264fe80a9d32ebc9b1399dd29

Download Submit
C:\Users\Admin\Downloads\Application.bat

Filesize
1KB

MD5
1f886633d8933efe74279e6519035ac2

SHA1
e0b8ed8660b546dbe6a6cd6808d8ea33569647ea

SHA256
c8bd116c303dbf8c8f539a8353a180a1b5b51d771c820ef176359bf0f194e49e

SHA512
766a3452dc1265defb8168c87d8e187c33f42bfc936aaa061678fc23093a6ca10e32c06038f4e8127c53fddf1c2994550e01e059e4581c6ab6513e2a178a63c4

Download Submit
C:\Users\Admin\Downloads\cfg.txt

Filesize
220KB

MD5
02c099ed621a95bd3d10ba5df143c137

SHA1
714b1f835cbafc55ce8ea4b8a65d855c652536b4

SHA256
be27274aef2547575ee05db27a1f40054190c5cc7e36d1da6936fe6d8478f22b

SHA512
4c3b5d9164b5ee51bb6bf08767de6e92cd706f34ce8e8ef44b007a8e92aac80d1c6df6ab3aa3e4329d9789207e0ebc3fc51474660c53aa8d98e6d3ccc2cc7896

Download Submit
C:\Users\Admin\Downloads\lua51.dll

Filesize
479KB

MD5
47885ad50b2f52aec010ea4416a99ffd

SHA1
19953daea1f663c1521deaeccff656cc110d6f8e

SHA256
88c5bfba7b487bc311d7bd5877f7ee7a7f8dae8347e19079c00ed79625055f67

SHA512
19476a1491d9321bb6cd2428ee1e0cb354e12fe27d43162f6bbe7765c8b24d185ce48f890ce6c7b1cd441b3cfce196f6304bdf2223e853d88e2b3272ac7a05a9

Download Submit
C:\Users\Admin\Downloads\luajit.exe

Filesize
288KB

MD5
e9563030420846d2c54f73b4f5515ae6

SHA1
ba4ce71542fc4e52a4d4b464d825100e76da8c1d

SHA256
726ec4876adc426ecc8b9b575e4a64962e19ed112d76bca84dbbbdb96c4c4dd9

SHA512
d71b90a75151e336e2418636a86ea11ebfdf1e67134db437b5ad66f8b468da0810ca86f56c2171c2e32152c7a0eaa857c6d7d6dc10fd0a1a116499bd9c2ed0de

Download Submit
C:\Users\Admin\Pictures\F2CDB6FB4AB845479F25FAD1F7A44351

Filesize
1KB

MD5
c4344702c5d245d53f805e89bf7e34cd

SHA1
8d2508cfd9146b6745eefdec37a696e780974322

SHA256
126afd368dde6099de1800bec2b3d7d6e5e46d208336a7698195c6c5227f3592

SHA512
df2168f7949f4633a263d173ac7490a49a45e57eccb7cfa3c666514a8a4218bf184a3ef01da219c7ea748af725ddbb57f387ffc55286a11d32268e5bd9bc4b42

Download Submit
memory/1920-33-0x00007FF908C80000-0x00007FF908C90000-memory.dmp

Filesize
64KB

Download
memory/1920-24-0x00007FF908C80000-0x00007FF908C90000-memory.dmp

Filesize
64KB

Download
memory/1920-66-0x00007FF908C80000-0x00007FF908C90000-memory.dmp

Filesize
64KB

Download
memory/1920-64-0x00007FF908C80000-0x00007FF908C90000-memory.dmp

Filesize
64KB

Download
memory/1920-63-0x00007FF908C80000-0x00007FF908C90000-memory.dmp

Filesize
64KB

Download
memory/1920-62-0x00007FF908C80000-0x00007FF908C90000-memory.dmp

Filesize
64KB

Download
memory/1920-61-0x00007FF908C80000-0x00007FF908C90000-memory.dmp

Filesize
64KB

Download
memory/1920-59-0x00007FF908C80000-0x00007FF908C90000-memory.dmp

Filesize
64KB

Download
memory/1920-58-0x00007FF908C80000-0x00007FF908C90000-memory.dmp

Filesize
64KB

Download
memory/1920-57-0x00007FF908C80000-0x00007FF908C90000-memory.dmp

Filesize
64KB

Download
memory/1920-56-0x00007FF908C80000-0x00007FF908C90000-memory.dmp

Filesize
64KB

Download
memory/1920-55-0x00007FF908C80000-0x00007FF908C90000-memory.dmp

Filesize
64KB

Download
memory/1920-54-0x00007FF908C80000-0x00007FF908C90000-memory.dmp

Filesize
64KB

Download
memory/1920-53-0x00007FF908C80000-0x00007FF908C90000-memory.dmp

Filesize
64KB

Download
memory/1920-52-0x00007FF908C80000-0x00007FF908C90000-memory.dmp

Filesize
64KB

Download
memory/1920-51-0x00007FF908C80000-0x00007FF908C90000-memory.dmp

Filesize
64KB

Download
memory/1920-50-0x00007FF908C80000-0x00007FF908C90000-memory.dmp

Filesize
64KB

Download
memory/1920-49-0x00007FF908C80000-0x00007FF908C90000-memory.dmp

Filesize
64KB

Download
memory/1920-48-0x00007FF908C80000-0x00007FF908C90000-memory.dmp

Filesize
64KB

Download
memory/1920-47-0x00007FF908C80000-0x00007FF908C90000-memory.dmp

Filesize
64KB

Download
memory/1920-40-0x00007FF908C80000-0x00007FF908C90000-memory.dmp

Filesize
64KB

Download
memory/1920-34-0x00007FF908C80000-0x00007FF908C90000-memory.dmp

Filesize
64KB

Download
memory/1920-68-0x00007FF908C80000-0x00007FF908C90000-memory.dmp

Filesize
64KB

Download
memory/1920-32-0x00007FF908C80000-0x00007FF908C90000-memory.dmp

Filesize
64KB

Download
memory/1920-31-0x00007FF908C80000-0x00007FF908C90000-memory.dmp

Filesize
64KB

Download
memory/1920-30-0x00007FF908C80000-0x00007FF908C90000-memory.dmp

Filesize
64KB

Download
memory/1920-29-0x00007FF908C80000-0x00007FF908C90000-memory.dmp

Filesize
64KB

Download
memory/1920-28-0x00007FF908C80000-0x00007FF908C90000-memory.dmp

Filesize
64KB

Download
memory/1920-27-0x00007FF908C80000-0x00007FF908C90000-memory.dmp

Filesize
64KB

Download
memory/1920-26-0x00007FF908C80000-0x00007FF908C90000-memory.dmp

Filesize
64KB

Download
memory/1920-25-0x00007FF908C80000-0x00007FF908C90000-memory.dmp

Filesize
64KB

Download
memory/1920-67-0x00007FF908C80000-0x00007FF908C90000-memory.dmp

Filesize
64KB

Download
memory/1920-23-0x00007FF908C80000-0x00007FF908C90000-memory.dmp

Filesize
64KB

Download
memory/1920-22-0x00007FF908C80000-0x00007FF908C90000-memory.dmp

Filesize
64KB

Download
memory/1920-21-0x00007FF908C80000-0x00007FF908C90000-memory.dmp

Filesize
64KB

Download
memory/1920-20-0x00007FF908C80000-0x00007FF908C90000-memory.dmp

Filesize
64KB

Download
memory/1920-19-0x00007FF908C80000-0x00007FF908C90000-memory.dmp

Filesize
64KB

Download
memory/1920-18-0x00007FF908C80000-0x00007FF908C90000-memory.dmp

Filesize
64KB

Download
memory/1920-17-0x00007FF908C80000-0x00007FF908C90000-memory.dmp

Filesize
64KB

Download
memory/1920-65-0x00007FF908C80000-0x00007FF908C90000-memory.dmp

Filesize
64KB

Download
memory/1920-60-0x00007FF908C80000-0x00007FF908C90000-memory.dmp

Filesize
64KB

Download
memory/1920-46-0x00007FF908C80000-0x00007FF908C90000-memory.dmp

Filesize
64KB

Download
memory/1920-45-0x00007FF908C80000-0x00007FF908C90000-memory.dmp

Filesize
64KB

Download
memory/1920-44-0x00007FF908C80000-0x00007FF908C90000-memory.dmp

Filesize
64KB

Download
memory/1920-43-0x00007FF908C80000-0x00007FF908C90000-memory.dmp

Filesize
64KB

Download
memory/1920-42-0x00007FF908C80000-0x00007FF908C90000-memory.dmp

Filesize
64KB

Download
memory/1920-41-0x00007FF908C80000-0x00007FF908C90000-memory.dmp

Filesize
64KB

Download
memory/1920-39-0x00007FF908C80000-0x00007FF908C90000-memory.dmp

Filesize
64KB

Download
memory/1920-38-0x00007FF908C80000-0x00007FF908C90000-memory.dmp

Filesize
64KB

Download
memory/1920-37-0x00007FF908C80000-0x00007FF908C90000-memory.dmp

Filesize
64KB

Download
memory/1920-69-0x00007FF908C80000-0x00007FF908C90000-memory.dmp

Filesize
64KB

Download
memory/1920-70-0x00007FF908C80000-0x00007FF908C90000-memory.dmp

Filesize
64KB

Download
memory/1920-71-0x00007FF908C80000-0x00007FF908C90000-memory.dmp

Filesize
64KB

Download
memory/1920-72-0x00007FF908C80000-0x00007FF908C90000-memory.dmp

Filesize
64KB

Download
memory/1920-73-0x00007FF908C80000-0x00007FF908C90000-memory.dmp

Filesize
64KB

Download
memory/1920-74-0x00007FF908C80000-0x00007FF908C90000-memory.dmp

Filesize
64KB

Download
memory/1920-75-0x00007FF908C80000-0x00007FF908C90000-memory.dmp

Filesize
64KB

Download
memory/1920-76-0x00007FF908C80000-0x00007FF908C90000-memory.dmp

Filesize
64KB

Download
memory/1920-77-0x00007FF908C80000-0x00007FF908C90000-memory.dmp

Filesize
64KB

Download
memory/1920-78-0x00007FF908C80000-0x00007FF908C90000-memory.dmp

Filesize
64KB

Download
memory/1920-79-0x00007FF908C80000-0x00007FF908C90000-memory.dmp

Filesize
64KB

Download
memory/1920-16-0x00007FF908C80000-0x00007FF908C90000-memory.dmp

Filesize
64KB

Download
memory/1920-36-0x00007FF908C80000-0x00007FF908C90000-memory.dmp

Filesize
64KB

Download
memory/1920-35-0x00007FF908C80000-0x00007FF908C90000-memory.dmp

Filesize
64KB

Download