lumma | aa1e63845cbfcee49033a729fcecc2d61cdc2f41968813a45ad64946e8a2ec1f

Analysis

max time kernel
119s
max time network
122s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
07-01-2025 00:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aa1e63845cbfcee49033a729fcecc2d61cdc2f41968813a45ad64946e8a2ec1f.msi
Size

4.2MB
MD5

93a70c58cbc42d4362fd4cc206d5a35e
SHA1

f769777dec440d5e8900927b42d6c4232d6d58b7
SHA256

aa1e63845cbfcee49033a729fcecc2d61cdc2f41968813a45ad64946e8a2ec1f
SHA512

db54faa43d5fc83f7160edbda953ba763080f499d8ce20cc0502a357a564d1be60dc44ece4425f5ddfc0d4ce6e47cf5b7e79bf1dfa680ea98cf728191df28a23
SSDEEP

98304:Fn3X3JlbT6t/B7ALNsrYr82OvJ2p9TSNV1+jjz:B3X33bT6dB76NsrYFcw+o

Score

10^/10

lumma discovery persistence privilege_escalation stealer

Malware Config

Extracted

Family

lumma

https://cloudewahsj.shop/api

https://rabidcowse.shop/api

https://noisycuttej.shop/api

https://tirepublicerj.shop/api

https://framekgirus.shop/api

https://wholersorie.shop/api

https://abruptyopsn.shop/api

https://nearycrepso.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1284 set thread context of 2360	1284	iScrPaint.exe	36

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\Installer\f768d35.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f768d33.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\Installer\f768d32.msi	msiexec.exe
File created	C:\Windows\Installer\f768d33.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8E1C.tmp	msiexec.exe
File created	C:\Windows\Installer\f768d32.msi	msiexec.exe

Executes dropped EXE 2 IoCs

pid	Process
3012	iScrPaint.exe
1284	iScrPaint.exe

Loads dropped DLL 4 IoCs

pid	Process
3012	iScrPaint.exe
3012	iScrPaint.exe
3012	iScrPaint.exe
1284	iScrPaint.exe

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
2172	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iScrPaint.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iScrPaint.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Modifies data under HKEY_USERS 43 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2984	msiexec.exe
2984	msiexec.exe
3012	iScrPaint.exe
1284	iScrPaint.exe
1284	iScrPaint.exe
2360	cmd.exe
2360	cmd.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
1284	iScrPaint.exe
2360	cmd.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2172	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2172	msiexec.exe
Token: SeRestorePrivilege	2984	msiexec.exe
Token: SeTakeOwnershipPrivilege	2984	msiexec.exe
Token: SeSecurityPrivilege	2984	msiexec.exe
Token: SeCreateTokenPrivilege	2172	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2172	msiexec.exe
Token: SeLockMemoryPrivilege	2172	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2172	msiexec.exe
Token: SeMachineAccountPrivilege	2172	msiexec.exe
Token: SeTcbPrivilege	2172	msiexec.exe
Token: SeSecurityPrivilege	2172	msiexec.exe
Token: SeTakeOwnershipPrivilege	2172	msiexec.exe
Token: SeLoadDriverPrivilege	2172	msiexec.exe
Token: SeSystemProfilePrivilege	2172	msiexec.exe
Token: SeSystemtimePrivilege	2172	msiexec.exe
Token: SeProfSingleProcessPrivilege	2172	msiexec.exe
Token: SeIncBasePriorityPrivilege	2172	msiexec.exe
Token: SeCreatePagefilePrivilege	2172	msiexec.exe
Token: SeCreatePermanentPrivilege	2172	msiexec.exe
Token: SeBackupPrivilege	2172	msiexec.exe
Token: SeRestorePrivilege	2172	msiexec.exe
Token: SeShutdownPrivilege	2172	msiexec.exe
Token: SeDebugPrivilege	2172	msiexec.exe
Token: SeAuditPrivilege	2172	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2172	msiexec.exe
Token: SeChangeNotifyPrivilege	2172	msiexec.exe
Token: SeRemoteShutdownPrivilege	2172	msiexec.exe
Token: SeUndockPrivilege	2172	msiexec.exe
Token: SeSyncAgentPrivilege	2172	msiexec.exe
Token: SeEnableDelegationPrivilege	2172	msiexec.exe
Token: SeManageVolumePrivilege	2172	msiexec.exe
Token: SeImpersonatePrivilege	2172	msiexec.exe
Token: SeCreateGlobalPrivilege	2172	msiexec.exe
Token: SeBackupPrivilege	3064	vssvc.exe
Token: SeRestorePrivilege	3064	vssvc.exe
Token: SeAuditPrivilege	3064	vssvc.exe
Token: SeBackupPrivilege	2984	msiexec.exe
Token: SeRestorePrivilege	2984	msiexec.exe
Token: SeRestorePrivilege	632	DrvInst.exe
Token: SeRestorePrivilege	632	DrvInst.exe
Token: SeRestorePrivilege	632	DrvInst.exe
Token: SeRestorePrivilege	632	DrvInst.exe
Token: SeRestorePrivilege	632	DrvInst.exe
Token: SeRestorePrivilege	632	DrvInst.exe
Token: SeRestorePrivilege	632	DrvInst.exe
Token: SeLoadDriverPrivilege	632	DrvInst.exe
Token: SeLoadDriverPrivilege	632	DrvInst.exe
Token: SeLoadDriverPrivilege	632	DrvInst.exe
Token: SeRestorePrivilege	2984	msiexec.exe
Token: SeTakeOwnershipPrivilege	2984	msiexec.exe
Token: SeRestorePrivilege	2984	msiexec.exe
Token: SeTakeOwnershipPrivilege	2984	msiexec.exe
Token: SeRestorePrivilege	2984	msiexec.exe
Token: SeTakeOwnershipPrivilege	2984	msiexec.exe
Token: SeRestorePrivilege	2984	msiexec.exe
Token: SeTakeOwnershipPrivilege	2984	msiexec.exe
Token: SeRestorePrivilege	2984	msiexec.exe
Token: SeTakeOwnershipPrivilege	2984	msiexec.exe
Token: SeRestorePrivilege	2984	msiexec.exe
Token: SeTakeOwnershipPrivilege	2984	msiexec.exe
Token: SeRestorePrivilege	2984	msiexec.exe
Token: SeTakeOwnershipPrivilege	2984	msiexec.exe
Token: SeRestorePrivilege	2984	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2172	msiexec.exe
2172	msiexec.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2984 wrote to memory of 3012	2984	msiexec.exe	34
PID 2984 wrote to memory of 3012	2984	msiexec.exe	34
PID 2984 wrote to memory of 3012	2984	msiexec.exe	34
PID 2984 wrote to memory of 3012	2984	msiexec.exe	34
PID 3012 wrote to memory of 1284	3012	iScrPaint.exe	35
PID 3012 wrote to memory of 1284	3012	iScrPaint.exe	35
PID 3012 wrote to memory of 1284	3012	iScrPaint.exe	35
PID 3012 wrote to memory of 1284	3012	iScrPaint.exe	35
PID 1284 wrote to memory of 2360	1284	iScrPaint.exe	36
PID 1284 wrote to memory of 2360	1284	iScrPaint.exe	36
PID 1284 wrote to memory of 2360	1284	iScrPaint.exe	36
PID 1284 wrote to memory of 2360	1284	iScrPaint.exe	36
PID 1284 wrote to memory of 2360	1284	iScrPaint.exe	36
PID 2360 wrote to memory of 2052	2360	cmd.exe	39
PID 2360 wrote to memory of 2052	2360	cmd.exe	39
PID 2360 wrote to memory of 2052	2360	cmd.exe	39
PID 2360 wrote to memory of 2052	2360	cmd.exe	39
PID 2360 wrote to memory of 2052	2360	cmd.exe	39
PID 2360 wrote to memory of 2052	2360	cmd.exe	39

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\aa1e63845cbfcee49033a729fcecc2d61cdc2f41968813a45ad64946e8a2ec1f.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2172

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2984
- C:\Users\Admin\AppData\Local\Limerick\iScrPaint.exe
  "C:\Users\Admin\AppData\Local\Limerick\iScrPaint.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3012
- - C:\Users\Admin\AppData\Roaming\NotepadLoadZC_test\iScrPaint.exe
    C:\Users\Admin\AppData\Roaming\NotepadLoadZC_test\iScrPaint.exe
    3⤵
    - Suspicious use of SetThreadContext
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:1284
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\SysWOW64\cmd.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:2360
    - - C:\Windows\SysWOW64\explorer.exe
        
        C:\Windows\SysWOW64\explorer.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2052

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3064

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005B4" "00000000000003BC"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f768d34.rbs

Filesize
8KB

MD5
d3a7f721f0d59a656223a7fab8d9cf3b

SHA1
b77f889dda139834a58f1950c5e54fa452a0f89b

SHA256
9425d6bd7cc49e9a27555b07e35b71bfc108a5019762078d7c6fa8299bc1d2a2

SHA512
2fc18a6b7a98ace09c8c6bf9b0a1d05e38e04f334e4895a008efecc1cdbe857cd67207a5df818c102549e018905503d44de5fea28ade25590f6c50efeef535fe

Download Submit
C:\Users\Admin\AppData\Local\Limerick\WebUI.dll

Filesize
7.6MB

MD5
d4ad539ff52c5af062bdd88deb9d08a9

SHA1
c4264de99b628fc9afd320ec47e004ef1ade1d54

SHA256
44e5c6ac6131bf6b55b9a4c0bd5db41b56da3efcf0797f044bc693abed28dbbd

SHA512
a87696e66564aba54311f49e06fb6948f51531a323dfceae5d3af4b62a140ab009429853e72124ecb03058a0e85c5277b3329cb52f9c3b034f840eee15a45904

Download Submit
C:\Users\Admin\AppData\Local\Limerick\cajun.sql

Filesize
43KB

MD5
10d06a63ea6f430da50e26ed3441ea1b

SHA1
15f43b1d9a5723c6851db5de307df3f0b220a972

SHA256
8a58cca115c3e3c1afd2ba4c4af776306f3b4dbfd6d16704c180d60dd192e40a

SHA512
9669dccc63440c9942a7a13b4f715c8dc65dbb11482d0144c4b7dcbe451b9af0f2c9f894cbc186cc8880b6b68fc70e5191bf54faa4e65e8dff0662afdb21bda5

Download Submit
C:\Users\Admin\AppData\Local\Limerick\iScrPaint.exe

Filesize
1.8MB

MD5
098ac4621ee0e855e0710710736c2955

SHA1
ce7b88657c3449d5d05591314aaa43bd3e32bdaa

SHA256
46afbf1cbd2e1b5e108c133d4079faddc7347231b0c48566fd967a3070745e7f

SHA512
3042785b81bd18b641f0a2b5d8aec8ef86f9bf1269421fb96d1db35a913e744eaff16d9da7a02c8001435d59befb9f26bc0bbfa6e794811abf4282ed68b185fe

Download Submit
C:\Users\Admin\AppData\Local\Limerick\jaculator.app

Filesize
799KB

MD5
eaed4e7f6c2a9d9558061db4f88b6083

SHA1
0992fe807fb82aa4a4cc6a2eebb76346222643f9

SHA256
b6b3c597d404fe24f1f87f1fe5b2cae0b6476e796c6acac1ada9ed02ede1ec07

SHA512
c42ea74bbb9276cc671f9635d8f4df9365d95b43c0d108c02c223a40765df517549a2332c3c427b09ef74d0e7b36a1340dbb733dd4bd14d1c8c2099ce0e5cfa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\5841ff88

Filesize
1.0MB

MD5
04a12e127cb772326d2d8c3c7fefdde7

SHA1
5dd1170781acff8227136861ba464ef2fd7c3bcf

SHA256
ef765ac4826f9c57f2128686b3ba33c3c15d8236428ef1bab942b18b3c6d03bf

SHA512
b1e839def293eab4d46d50d0a50ded89134ce4985087d6b702155abc1df7cb1ddb04ff7b030719fc87e230d76d043ca3209314d19b4b6fdd89d71d4209510b06

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab4868.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar487A.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\Installer\f768d32.msi

Filesize
4.2MB

MD5
93a70c58cbc42d4362fd4cc206d5a35e

SHA1
f769777dec440d5e8900927b42d6c4232d6d58b7

SHA256
aa1e63845cbfcee49033a729fcecc2d61cdc2f41968813a45ad64946e8a2ec1f

SHA512
db54faa43d5fc83f7160edbda953ba763080f499d8ce20cc0502a357a564d1be60dc44ece4425f5ddfc0d4ce6e47cf5b7e79bf1dfa680ea98cf728191df28a23

Download Submit
memory/1284-53-0x0000000077080000-0x0000000077229000-memory.dmp

Filesize
1.7MB

Download
memory/1284-52-0x0000000074660000-0x00000000747D4000-memory.dmp

Filesize
1.5MB

Download
memory/1284-54-0x0000000074660000-0x00000000747D4000-memory.dmp

Filesize
1.5MB

Download
memory/1284-56-0x0000000000400000-0x000000000061B000-memory.dmp

Filesize
2.1MB

Download
memory/2052-61-0x0000000077080000-0x0000000077229000-memory.dmp

Filesize
1.7MB

Download
memory/2052-62-0x0000000000080000-0x00000000000DC000-memory.dmp

Filesize
368KB

Download
memory/2052-65-0x0000000000080000-0x00000000000DC000-memory.dmp

Filesize
368KB

Download
memory/2052-100-0x0000000000080000-0x00000000000DC000-memory.dmp

Filesize
368KB

Download
memory/2360-58-0x0000000077080000-0x0000000077229000-memory.dmp

Filesize
1.7MB

Download
memory/2360-59-0x0000000074660000-0x00000000747D4000-memory.dmp

Filesize
1.5MB

Download
memory/3012-46-0x0000000000400000-0x000000000061B000-memory.dmp

Filesize
2.1MB

Download
memory/3012-34-0x0000000077080000-0x0000000077229000-memory.dmp

Filesize
1.7MB

Download
memory/3012-33-0x00000000746F0000-0x0000000074864000-memory.dmp

Filesize
1.5MB

Download