lumma | a124b81ef52d77f88c5b00f0a999482d429602f3cf5a413b3860c2b45909272d

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-01-2025 10:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Sigmanly_a124b81ef52d77f88c5b00f0a999482d429602f3cf5a413b3860c2b45909272d.exe
Size

14.2MB
MD5

27968eebcb115c6ecb62199a98ce9ee6
SHA1

7892f28bf31caf505e792268e138210588aa4d8d
SHA256

a124b81ef52d77f88c5b00f0a999482d429602f3cf5a413b3860c2b45909272d
SHA512

60afd0ab796b4f96733b24fb83fe9a4a60833a10e8b2961a3e8fa4b9b29d6ea469fb92bb1161299cc094afcbfcd9db2249dee6ab97840171a41b8917ed648424
SSDEEP

24576:JfK4O0f5F4PCxULgB/88cv15mKLTanYE2caHvdzzfn2eK:3L5gcB/88cDPLT0i9f2eK

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://hummskitnj.buzz/api

https://cashfuzysao.buzz/api

https://appliacnesot.buzz/api

https://screwamusresz.buzz/api

https://inherineau.buzz/api

https://scentniej.buzz/api

https://rebuildeso.buzz/api

https://prisonyfork.buzz/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Sigmanly_a124b81ef52d77f88c5b00f0a999482d429602f3cf5a413b3860c2b45909272d.exe

Executes dropped EXE 1 IoCs

pid	Process
4716	Banned.com

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
4896	tasklist.exe
4988	tasklist.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\OnceBusinesses	Sigmanly_a124b81ef52d77f88c5b00f0a999482d429602f3cf5a413b3860c2b45909272d.exe
File opened for modification	C:\Windows\BuysGothic	Sigmanly_a124b81ef52d77f88c5b00f0a999482d429602f3cf5a413b3860c2b45909272d.exe
File opened for modification	C:\Windows\RdBelieves	Sigmanly_a124b81ef52d77f88c5b00f0a999482d429602f3cf5a413b3860c2b45909272d.exe
File opened for modification	C:\Windows\HierarchyConstantly	Sigmanly_a124b81ef52d77f88c5b00f0a999482d429602f3cf5a413b3860c2b45909272d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sigmanly_a124b81ef52d77f88c5b00f0a999482d429602f3cf5a413b3860c2b45909272d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banned.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4716	Banned.com
4716	Banned.com
4716	Banned.com
4716	Banned.com
4716	Banned.com
4716	Banned.com

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4988	tasklist.exe
Token: SeDebugPrivilege	4896	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4716	Banned.com
4716	Banned.com
4716	Banned.com

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4716	Banned.com
4716	Banned.com
4716	Banned.com

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 720 wrote to memory of 2340	720	Sigmanly_a124b81ef52d77f88c5b00f0a999482d429602f3cf5a413b3860c2b45909272d.exe	82
PID 720 wrote to memory of 2340	720	Sigmanly_a124b81ef52d77f88c5b00f0a999482d429602f3cf5a413b3860c2b45909272d.exe	82
PID 720 wrote to memory of 2340	720	Sigmanly_a124b81ef52d77f88c5b00f0a999482d429602f3cf5a413b3860c2b45909272d.exe	82
PID 2340 wrote to memory of 4988	2340	cmd.exe	84
PID 2340 wrote to memory of 4988	2340	cmd.exe	84
PID 2340 wrote to memory of 4988	2340	cmd.exe	84
PID 2340 wrote to memory of 4808	2340	cmd.exe	85
PID 2340 wrote to memory of 4808	2340	cmd.exe	85
PID 2340 wrote to memory of 4808	2340	cmd.exe	85
PID 2340 wrote to memory of 4896	2340	cmd.exe	87
PID 2340 wrote to memory of 4896	2340	cmd.exe	87
PID 2340 wrote to memory of 4896	2340	cmd.exe	87
PID 2340 wrote to memory of 5004	2340	cmd.exe	88
PID 2340 wrote to memory of 5004	2340	cmd.exe	88
PID 2340 wrote to memory of 5004	2340	cmd.exe	88
PID 2340 wrote to memory of 2552	2340	cmd.exe	89
PID 2340 wrote to memory of 2552	2340	cmd.exe	89
PID 2340 wrote to memory of 2552	2340	cmd.exe	89
PID 2340 wrote to memory of 3456	2340	cmd.exe	90
PID 2340 wrote to memory of 3456	2340	cmd.exe	90
PID 2340 wrote to memory of 3456	2340	cmd.exe	90
PID 2340 wrote to memory of 4188	2340	cmd.exe	91
PID 2340 wrote to memory of 4188	2340	cmd.exe	91
PID 2340 wrote to memory of 4188	2340	cmd.exe	91
PID 2340 wrote to memory of 2304	2340	cmd.exe	92
PID 2340 wrote to memory of 2304	2340	cmd.exe	92
PID 2340 wrote to memory of 2304	2340	cmd.exe	92
PID 2340 wrote to memory of 4112	2340	cmd.exe	93
PID 2340 wrote to memory of 4112	2340	cmd.exe	93
PID 2340 wrote to memory of 4112	2340	cmd.exe	93
PID 2340 wrote to memory of 4716	2340	cmd.exe	94
PID 2340 wrote to memory of 4716	2340	cmd.exe	94
PID 2340 wrote to memory of 4716	2340	cmd.exe	94
PID 2340 wrote to memory of 1260	2340	cmd.exe	95
PID 2340 wrote to memory of 1260	2340	cmd.exe	95
PID 2340 wrote to memory of 1260	2340	cmd.exe	95

C:\Users\Admin\AppData\Local\Temp\Sigmanly_a124b81ef52d77f88c5b00f0a999482d429602f3cf5a413b3860c2b45909272d.exe
"C:\Users\Admin\AppData\Local\Temp\Sigmanly_a124b81ef52d77f88c5b00f0a999482d429602f3cf5a413b3860c2b45909272d.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:720
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c move Campaigns Campaigns.cmd & Campaigns.cmd
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2340
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4988
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4808
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4896
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5004
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 71992
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2552
- - C:\Windows\SysWOW64\extrac32.exe
    extrac32 /Y /E Ec
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3456
- - C:\Windows\SysWOW64\findstr.exe
    findstr /V "Ratio" Returning
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4188
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b 71992\Banned.com + Fwd + Rise + Designed + Balanced + Available + Dir + Soccer + Race + Ford + Writing 71992\Banned.com
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2304
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Bids + ..\Ceo + ..\Throat + ..\Hall + ..\Access + ..\Availability + ..\Scout + ..\War V
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4112
- - C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com
    Banned.com V
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:4716
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com

Filesize
890B

MD5
87dc89e99db19b9125ebfa8a18f66f96

SHA1
d1fe7a19500fc5105b124d57fee0b5419e4b625e

SHA256
8044ab918f28cdc032b955883c777f54edabbfd59db2823f65171769cd667e21

SHA512
194c8f2db3e90773434deaf37019344d88608d5240068dc9daa3b0cd30570f6f144a279dafeb1a9385160f73f064e417f8647d80ddb0e67b258c2b152cc2624c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com

Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\71992\V

Filesize
484KB

MD5
11a18ca5a4ec415ee2e991a8a2efa60a

SHA1
ad7f7f4763644158a7d1dc22a25d7fa3600ac91f

SHA256
44a0272003274f673664e9eac14fae1bfc04debe7cb58a86a75e7c8d08033f20

SHA512
ef4c89749a69680dd5476aadab0f0a56f5530b0eda13cb5c432bf608084f48d6968586ad8db954a860a55c973c466e1dde3157cedd49bd47044368dec750e2c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Access

Filesize
62KB

MD5
cfcfa68f88e27612ab83ea57018a850c

SHA1
b403391dd50f8f6dd090e7e0319b611d9bbd2874

SHA256
c6a15a8fa80f99e5f34775677b74082a0946fcf2f10ad3827691059821f034f7

SHA512
3b361baf0f93b2f956bab4edb48e03a2ab06f2b61583e2a0d023b25c5d5e41a14074e2b7d007672cb63a8e44f25763649c847f338119b9e5ff203ed27ae98248

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Availability

Filesize
70KB

MD5
32795c14e61648316037781cc1ba12c5

SHA1
4ca7e78e840e12ee1ec390c3996e1c75efc5a248

SHA256
9e938a13061086921e0961ef7d2f0a89a6b2b33e9d21a1eec0198d878df4e536

SHA512
3a526ae9c35ee67f5ae951ceb927b8b2ce61ea4b03beb5ecb941353ce6343a007857160db689587ec34f712e7c9bc06918454de73e3792f1f75cb671174ba35e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Available

Filesize
55KB

MD5
64acfd91f0fc989008a694b9f199a57b

SHA1
8e4e37288ac01a2f48fdf059a0cfc5135c935c17

SHA256
6b0c1bb5546b6682cce559d06dca34d43a5208c30ceb0dcc18014e45f844e4b8

SHA512
02ade9009a4d732a82e3708374a4cd80319dd6f19af67841d8246ea7bdd7ba6befde911b9da8be9ac9929d12de4eb8ed69ac965fc795293449e4545281a7f30d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Balanced

Filesize
140KB

MD5
89b5a26508e16e2564552ae664e91b66

SHA1
9851ffcbe0015aa2210070e84d7058ea73ec84e4

SHA256
eaaf46c77b4f4f937a620d807d58d60882a0310978dbffc32d469cb025dd45e1

SHA512
b5d1cccc6c632d0138aae3a6058bebdde6811f5cfca986e36e790f690c7630e7b257e8c6680ce0a7a6a52d3c18cf395634be5a96b66be46c9a6a55bb1d35ef91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Bids

Filesize
63KB

MD5
464b43f4d2df8df1a0d420a378b13284

SHA1
0c90a0656812b3ef827d920195c5c36841ae17ae

SHA256
f0e44f93299cce792814297dc2a34082b057ffcfbd7320c32b16598367a115e8

SHA512
2d07b7c972873d397a9e4a16478c73c864f9c82d86d8ee8ee820bded709ca3ee6b2c1e709db52b01a131ed0bff4881bc922d0bcfdea512ee02d8a0513e7f1e26

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Campaigns

Filesize
22KB

MD5
2e7b0022580a56f4a6645d751e977bc1

SHA1
5f9942e6359bfea8ea1407f69dfed3c308551238

SHA256
3d616d0119732bf2780af373845a9f8f1c50aed7cea51d54e0e790ffec75280e

SHA512
8887fe072570e5edf9987f4fa01b115322d0be0f7d3265911c91cf3decc8370df79bc5e09f5aa30e749a8299b313c1c3b4f7f79647c82d55b218d7171961cdae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Ceo

Filesize
58KB

MD5
7d627757a86d54cd1b6c057a7dbfcf26

SHA1
3a73d88a63ed284ddd76305a4d91deb9275c4c39

SHA256
3aaf7017767a1a1fbb1d9a80fa2c5b3c05583d879be0a0e2f32898076a4d3ba7

SHA512
4b43bab09367f06c762e2bc60ed3452e05c7001b83198c6732bb68c146decbe6c837891f597092dfe00565b895933ed94eb665aac6a1cd4a49e9e26eed65986f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Designed

Filesize
78KB

MD5
7d1725a7c164ad387fba5007e60e47a7

SHA1
c4253d862dfdbdb7eae80f88e5487487e72c9ad4

SHA256
03cdd5bdcb6ebcb6cfdb7d5c3a038c1beaca34fc9c8fbb717bc85f31bbdb797a

SHA512
7368df3d1af7de8ca3074abce8ab02c6dcd309f9b6818c6acd4aebb72985b64253ac66a74e424fdc317cf1b07108616c4636826393707109e2377b4586bea4de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Dir

Filesize
117KB

MD5
ce605a59de6379ba8dfab762376a82db

SHA1
0e8d74f537e58ad09e08fb0af0c2151fd91b953c

SHA256
81b6c9d8c798eeb2254ade6e6a562c55f150198f97b25e550e4740594b679499

SHA512
1dbc8184ffc8b5b90f6deb2bf002364aecddd779079a349ea875c73ac14bb63a482e23b7e2d201251cff220081c0d1d069c826e638e9da0eacceec723b867888

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Ec

Filesize
477KB

MD5
afa0f6f9328f080270e89afff0581506

SHA1
1c607c64fca1cdb4e75dbff2788f7c3b09d21ea6

SHA256
40e274b995ff6326eb0f89943cf999743ae9bda9f314b3d775f62ec71a5f51c2

SHA512
1be681c4cba19297fa8d4c7339bd6c7f9e76098afac72b9283739dec20b1a1f1444c71ad94bd29654e20e2cb788189969357cf9ff4284ebcb2a5958bcf166274

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Ford

Filesize
115KB

MD5
d036147ea7b09a642723d8811105937d

SHA1
276cc8c1dda5d55f549e053522f95cee037f6b9d

SHA256
dc830affb9d9b2e23293beda376ad0bda96cdff3670cd10acd131fdcc795855e

SHA512
b23e9e6a86720d1e37399916f66a13612ca570884d84f89383563e30479c37f6d48fb0859220f027e68a29d568b5af78360112c06ee89ba347145e9ab48f3cf5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Fwd

Filesize
107KB

MD5
cd16a7a04781f568a2ec3ac1a39fed9c

SHA1
37096520c4625aa474494b9c2a10bf31de8b673d

SHA256
5863794ac1cc6542b2bee5e8a5cf372c386db7f2840295b902b1e3b88751a9b6

SHA512
6fb5658a18742fe5428a89e06e7ec0b3ae07658329cda5fb8f0801356648d992a9c11f9e26d2468e7153665c8f3d626151256336617037b7b5f6bf3b0ed6777a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Hall

Filesize
78KB

MD5
cc9cc6f20a1ea21ea470b504fde0f90c

SHA1
1e7afadf12f7a09a68c93ba813c64c2c9b225e71

SHA256
2f9d2d953ccfeddd5dec2df0bc5134f002f44f31715bd812f81875cdf6b550a6

SHA512
64c4e6ed40c401bf82ade85189e7e862f7817965f2739fb7c93b7c2a6fd4b4959585baf05eeb1e4a21e5f665e64709c3fa670aae5ca1ee2b7927e7fe1e4d3824

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Race

Filesize
103KB

MD5
b99ad1f5c7742f52686d2508fd00982a

SHA1
7b0449cadaf6a2a28dbf7e65fd45a1fd12eddb48

SHA256
ac58bf2bc9334dd912148161f79dc611a7326465cf959f7374f387e8afc61b42

SHA512
78397576fa9cd90c7b8ea8ece2f5b31887f5e5eb6d5a3c6fb69e4ba2554b14286142d68db2f6deec4c21ad28b8148a89494154f65ce36f24eea793eb3d96f472

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Returning

Filesize
895B

MD5
9fa6250ac33b492a0812fc44c12a8a0c

SHA1
b4277e0d18e4fdb16b4437f0803bb6e04438a162

SHA256
26a3d1d787256edd456a7e86452ad615ad8aea98c58f8ecea9ee4978f62d02de

SHA512
ffe0cd06a9bd86e673a0d92e3c7fb87a2e50a80b40c4716ee224264f9be8a4e32f78e86f38e38156ad40ca8d987537cb65b9b9dda86bfef2fdbb9ad0cb836e52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Rise

Filesize
61KB

MD5
85667e167580ab6ee879a397ec8378d5

SHA1
3c22100369dd7e9fc15788182a7647cc18a12ec8

SHA256
fab0e8057b43711fdcf24ab3bb355b5cbc3f3d37782e598bf4925ab58e602e74

SHA512
398c52bec5b244353715bc4a044415db5a542bb9ef8c98d4c425baea55e2bdc0946753c5ae1775a950fb1fc2f2f3119243178d58f3230873a77086bb4fff31d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Scout

Filesize
50KB

MD5
76d9165fff95e5302786c486398e284b

SHA1
abe552ee6a06100d96aefc6f2af6e189aa766227

SHA256
1b5a2e903dec1bd0620e473d0dff69761acf5e375eac1ed87adf76f36f2386a3

SHA512
6cc547e452fda1a60fbfb016027791788b23c3591114d7800b244aba620717df5a72b5ca1c98aa1355ca2c8b0e7395c04ec072db9606540051fd99b1846fb198

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Soccer

Filesize
141KB

MD5
57b6e79e7402d37a0b83cff2db1d0273

SHA1
8805df3cabf590f92b2ecb7efae60d82f14f0b6f

SHA256
8df20b2b819aa0c6e36877ba7063fed41274b988c46c28ec7e4b3c72584ec2e7

SHA512
49eafe0d09f850c52006c3df4dd58e2d4ce1d6aa22aa7a378d6345ab6fe7c92987e134e4c486def75e6b0219d867ae1229aa828440c5624ef8c93c7cc1e79daf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Throat

Filesize
70KB

MD5
34be2cf79f42494db963ec85da206d2e

SHA1
2713983b0b393cff8e07630b1abc107fe90bdc5b

SHA256
7cfb013faccd6086f660d5b46712ebacabf2a160a26e453a7b83d83412a16a11

SHA512
47cd4e47a69059235607b95342e069ccd7c8e41f7d6d9e1ddc9bf5f93bc8c7a064a49edc26adc41ccd3f24b5515e965d3e9caac391d345d3d5209c6adedd61cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\War

Filesize
33KB

MD5
f0067e491667e285c6aa36cabb0934f0

SHA1
05f07bc57272acea6794f92726b6b05ac4bf41ea

SHA256
7c27fa3805b5877f74a80274b3accff8041cfcb5c8ff930de5b93f49569a9c8e

SHA512
ffdad8684222f1e957a8e64df94ee6dea74be948e8aba9c759b5995b8337a9c1f363c1b098d32c393dc69d7470c9ba2e748e4d057f3fe89e6f4c99b02de2f9af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Writing

Filesize
7KB

MD5
117fe1670c955271c9d468192301a43f

SHA1
46e5d4e2284c95b30d8d5c8c506a5376987b70a6

SHA256
4c4fd142141a03a04b927a31f365dfb0acd6f972340b109430af367eaa2856ed

SHA512
1becfb8dde3672c2a6fbd33be641cd0e15852365ad2deed41700f3c441be90f691b564ae947813a04d19665e9b39ac17f73b1a7efb54ce8b4821b0a25d2dcef9

Download Submit
memory/4716-72-0x0000000004520000-0x0000000004578000-memory.dmp

Filesize
352KB

Download
memory/4716-74-0x0000000004520000-0x0000000004578000-memory.dmp

Filesize
352KB

Download
memory/4716-73-0x0000000004520000-0x0000000004578000-memory.dmp

Filesize
352KB

Download
memory/4716-75-0x0000000004520000-0x0000000004578000-memory.dmp

Filesize
352KB

Download
memory/4716-76-0x0000000004520000-0x0000000004578000-memory.dmp

Filesize
352KB

Download