lumma | 5a7a88b315c2a2dc81ac4b5af5f48b310a13ffd7377a9608bec5d72717d99343

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11-01-2025 00:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Loader.exe
Size

1.1MB
MD5

16ac36a918c29f1e3f54ada06befdca9
SHA1

69f59cfe33b74fe22864e269d9bb60d932c79001
SHA256

5a7a88b315c2a2dc81ac4b5af5f48b310a13ffd7377a9608bec5d72717d99343
SHA512

349f0853d4cf052767139ee74d00892e31db661766008478c2f65bf24f008b51b88736520fda6c2f73069c89bcdd630ebbef6600e76ce4c9a8b7624445519549
SSDEEP

24576:pAodEpXENNq0lH68t/eNil3VHmFgugQWkh2otY/Ocw9zq3mHZb7Tb7j:qHD048gklHcMQWkh2o8ObVq3id

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://robinsharez.shop/api

https://handscreamny.shop/api

https://chipdonkeruz.shop/api

https://versersleep.shop/api

https://crowdwarek.shop/api

https://apporholis.shop/api

https://femalsabler.shop/api

https://soundtappysk.shop/api

https://sailstrangej.cyou/api

Extracted

Family

lumma

https://sailstrangej.cyou/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Executes dropped EXE 1 IoCs

pid	Process
616	Commentary.com

Loads dropped DLL 1 IoCs

pid	Process
844	cmd.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
2424	tasklist.exe
2724	tasklist.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\RolledHunt	Loader.exe
File opened for modification	C:\Windows\MtChange	Loader.exe
File opened for modification	C:\Windows\DonatedOrganize	Loader.exe
File opened for modification	C:\Windows\AcquiredPerhaps	Loader.exe
File opened for modification	C:\Windows\VideosDraft	Loader.exe
File opened for modification	C:\Windows\AheadCook	Loader.exe
File opened for modification	C:\Windows\OurColors	Loader.exe
File opened for modification	C:\Windows\EuropeanAmericas	Loader.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Commentary.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
616	Commentary.com
616	Commentary.com
616	Commentary.com
616	Commentary.com
616	Commentary.com
616	Commentary.com

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2424	tasklist.exe
Token: SeDebugPrivilege	2724	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
616	Commentary.com
616	Commentary.com
616	Commentary.com

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
616	Commentary.com
616	Commentary.com
616	Commentary.com

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2452 wrote to memory of 844	2452	Loader.exe	31
PID 2452 wrote to memory of 844	2452	Loader.exe	31
PID 2452 wrote to memory of 844	2452	Loader.exe	31
PID 2452 wrote to memory of 844	2452	Loader.exe	31
PID 844 wrote to memory of 2424	844	cmd.exe	33
PID 844 wrote to memory of 2424	844	cmd.exe	33
PID 844 wrote to memory of 2424	844	cmd.exe	33
PID 844 wrote to memory of 2424	844	cmd.exe	33
PID 844 wrote to memory of 2300	844	cmd.exe	34
PID 844 wrote to memory of 2300	844	cmd.exe	34
PID 844 wrote to memory of 2300	844	cmd.exe	34
PID 844 wrote to memory of 2300	844	cmd.exe	34
PID 844 wrote to memory of 2724	844	cmd.exe	36
PID 844 wrote to memory of 2724	844	cmd.exe	36
PID 844 wrote to memory of 2724	844	cmd.exe	36
PID 844 wrote to memory of 2724	844	cmd.exe	36
PID 844 wrote to memory of 2776	844	cmd.exe	37
PID 844 wrote to memory of 2776	844	cmd.exe	37
PID 844 wrote to memory of 2776	844	cmd.exe	37
PID 844 wrote to memory of 2776	844	cmd.exe	37
PID 844 wrote to memory of 2836	844	cmd.exe	38
PID 844 wrote to memory of 2836	844	cmd.exe	38
PID 844 wrote to memory of 2836	844	cmd.exe	38
PID 844 wrote to memory of 2836	844	cmd.exe	38
PID 844 wrote to memory of 2700	844	cmd.exe	39
PID 844 wrote to memory of 2700	844	cmd.exe	39
PID 844 wrote to memory of 2700	844	cmd.exe	39
PID 844 wrote to memory of 2700	844	cmd.exe	39
PID 844 wrote to memory of 2600	844	cmd.exe	40
PID 844 wrote to memory of 2600	844	cmd.exe	40
PID 844 wrote to memory of 2600	844	cmd.exe	40
PID 844 wrote to memory of 2600	844	cmd.exe	40
PID 844 wrote to memory of 2640	844	cmd.exe	41
PID 844 wrote to memory of 2640	844	cmd.exe	41
PID 844 wrote to memory of 2640	844	cmd.exe	41
PID 844 wrote to memory of 2640	844	cmd.exe	41
PID 844 wrote to memory of 2612	844	cmd.exe	42
PID 844 wrote to memory of 2612	844	cmd.exe	42
PID 844 wrote to memory of 2612	844	cmd.exe	42
PID 844 wrote to memory of 2612	844	cmd.exe	42
PID 844 wrote to memory of 616	844	cmd.exe	43
PID 844 wrote to memory of 616	844	cmd.exe	43
PID 844 wrote to memory of 616	844	cmd.exe	43
PID 844 wrote to memory of 616	844	cmd.exe	43
PID 844 wrote to memory of 1148	844	cmd.exe	44
PID 844 wrote to memory of 1148	844	cmd.exe	44
PID 844 wrote to memory of 1148	844	cmd.exe	44
PID 844 wrote to memory of 1148	844	cmd.exe	44

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2452
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c move Buses Buses.cmd & Buses.cmd
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:844
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2424
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2300
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2724
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2776
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 672717
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2836
- - C:\Windows\SysWOW64\extrac32.exe
    extrac32 /Y /E Investigators
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2700
- - C:\Windows\SysWOW64\findstr.exe
    findstr /V "HEAVILY" Jackets
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2600
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b 672717\Commentary.com + Parts + Favourites + Rochester + Pest + Simulations + Touch + Possess + Analysts + Radar + Sys 672717\Commentary.com
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2640
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Contain + ..\Apollo + ..\Displays + ..\Name + ..\Mill + ..\Given + ..\Terminal u
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2612
- - C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\672717\Commentary.com
    Commentary.com u
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:616
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\672717\Commentary.com

Filesize
2KB

MD5
2afef75a6916ed35b2bdb5de65aaf2ca

SHA1
4047156dd5e157db9bc676dbad90b5e2a6a7da5a

SHA256
794678a42985d590b8071ed6caf8bfd3f76c173c727b664a3ab1d114e81be674

SHA512
b48b0e15f1beee647ce306b6512b21fbb39b2664bdb0e1e9e63d2b530d302f9ade26af40da222ac41921f93431ce16e752f7e8f6c2f2d4bc2203262e0da266cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\672717\u

Filesize
493KB

MD5
e5c7ee16a7493817e95b75974d3b2ce3

SHA1
889d319336b674d211157e31d0b7c662c9a63db1

SHA256
787be0889de588a6f1b279122496aafeab8095bc4ad1432a5f9315d4b3b66e05

SHA512
8319a5bf7bf08bf8019654a7afd99440f138bb19cc8e69959b1f72271c5388c8a6a22cf9538cf26a1de85fcd637d2eabcf2b4f34be8584925565aaddb28ce1cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Analysts

Filesize
100KB

MD5
8bb1dbf2a308789236297e21d4aea007

SHA1
1cdc6c170436d0f427c27dcc25a5b9436cade09c

SHA256
f8fd730ddab96f0b202c6e3f8694bdcb1c84e943b0a773fd07986d283d6d0011

SHA512
020932a453e10dba6ea2fdec0ed231a80c836424e531b11f710abdae6fb2b1d0352221342f3b8e7ee8df1d7db0b16b2eb3c2beeb1a57fe09cefbf9bb7ca154ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Apollo

Filesize
98KB

MD5
3d96de5980245ed8bbfbfbf2e4db3aca

SHA1
266e73bae8403912b880cc4e92552e6d38cbaea6

SHA256
e724542ddd3cd07735b75ca76843650862f93cdd3728724cb87d39e1f01d60fe

SHA512
012039799e62cbfc18eed3e8fe684c4cf1f7dd3e8531d84e260ca4951cac8e4c91c88666e61e8a467ac2ba4d6d67bc93a19050c22165fd7179a0396ec11d9edf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Buses

Filesize
15KB

MD5
aa42c7fea6808c0af9f2f9dc52f07782

SHA1
a350df0be5f2fb823dfd6450c180da4caec151c9

SHA256
bf7e5027aa452490352cd2df668779d6dc230b7f27e00a504ed032704528ad43

SHA512
150488c67ed99aff77bb74d1a238710cbc65b3fe513a8f06007c3301b4603a1541a0f2872b787e45cee9a33d80be5d697f39aca58ec429c24e1bfe91e5de2c11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Contain

Filesize
65KB

MD5
5abab600e19a94a84e220fc5220a9b14

SHA1
b1d535b02fcea8a511967bc302a2d3d5d0c5d90b

SHA256
c764f0fb99c8f35491898d4331a88b5e17df2137c9c8981942783316bbdc585b

SHA512
799ed7b8eac804a862df5f34e0f71c5e4a45b806596c98154037e5dc0c3cfe49e28bd97645a00bb029dc1d44f5c927a2abdef2e9112221353ecfce2615d1732e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Displays

Filesize
52KB

MD5
7d36ffad89e91436c482d996e1c5a8ff

SHA1
bf1791a1d1cf94e009100764f84c4165cad82ed6

SHA256
379c3f76f49ffd01f1fcf8ee8c8172bbba512a4d9e1e5e5f032aa9c2be2fdd3b

SHA512
37eb10a7b0cf60539873ae35a0e3e823cbf1599eaaa8181bbb5557d3ad5702a1559f46895b3f132fe836d2782434c3eb1428f3d4e7877d939fd69021432cf439

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Favourites

Filesize
117KB

MD5
e8d086062b46f8ac885d9b6ecf1d4129

SHA1
c89700e3530f1caa75e8963f3a1e085f54a8d25e

SHA256
9049d6c099e773b261d9fe9b877dc12a248513132c8626b86d4e1dab3cca42c7

SHA512
61b5075c7a2445578095a8df92293088b92f7b3584c7771241168346e69df0d59f1e7c0d088724acc40a3c56ed17bc80a75f7e55316f3a1cd380d25383dd5881

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Given

Filesize
97KB

MD5
a57729977e6b5b11b9b9ade4130dd9e0

SHA1
e10a28f4d16896031c768dc1ca2d510a4e81a10b

SHA256
78d18a62d3c75275afeff635375a1f4370cdd5520730f8fbc572b4dba43e5fcb

SHA512
46a722ba28265de3f9835661891b0b46fc3b8adc91b48c791fdf024ab88b306b31eb4492ae95a74eae9fe7b9d31286debe35513fef2c8216a75c05ef5df14758

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Investigators

Filesize
478KB

MD5
077c44d8585f7a668f60b3aa75fdfc4a

SHA1
bd426d85ef7712d2e08586f8f4003cd42b517672

SHA256
314bddc458e2195062351b154607523a723a3cc2ec75efd8f0da82586840eaf4

SHA512
ed11cdab4bd1c97e8c6f648ee2106a1a41c8460e012bc13dd52f5453f421ba0b31d29b928ef909e31dec097b6095330ab82166aa200217ea6a9929fd316c5644

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Jackets

Filesize
2KB

MD5
919a24637f5e2563dc365659e655c390

SHA1
667ea4ca9506ee32e51f29da0fc787d4b15d7fb7

SHA256
69028bd013ed991351dbc9de17c9a3b33b8fe42b7320d0d855b9f78aa5fbbafe

SHA512
4d6d07072b43505efbc507e528b220e19476a511f457aa82aed28947a3099f0148be9f041d8913b423b7638fd1b01436d7f4161e3fe015090d6cc3bde92fded4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Mill

Filesize
51KB

MD5
8c1d1b3a4eb8d2af73edb3f539b92fab

SHA1
b609d3b659d3f25952c2e58aab3eda6dc4626a18

SHA256
2324e57ab04af35764a26f8c49e2193c67f22904603bce366ff40d195fbe17d2

SHA512
c74418b8b6d0cd22b3c25fafee811c14a2f3debe7ad0fe595ad68bfd5b39839a4ebf82d1ccf59fc503bc851963a62094b9b34e2ecff1beb22d047682d658590e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Name

Filesize
87KB

MD5
5e88567e27b1dedd756e6ef1c5da17c5

SHA1
0b67150c038978b79ebfa1bdb1f63c3b2874ad70

SHA256
c02f60cad58451af445a22fc3e6599cd488413dc7d9c8e11646b9ad50093be50

SHA512
f46c2060be8d47c58eee3f84a3f5079bf1dda3b8d86fd6aec7705c666d8d33a1e436c4934be653206c7b47de38163de9932b86764aa7d789e5ca0b2a431053ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Parts

Filesize
69KB

MD5
685c0f9269179f062270f85ca9a2e560

SHA1
553e15baa1b688dfdd0abf801822c641301a6bcb

SHA256
e1bd07f95d5055b0053688e38c14d61fcd70e92f7826579c4ee45df2740a6804

SHA512
e5ef778264f630b8e0e7f6fd6274826d7dfbd14a10a67f0df0961b0281f91d63d19f534ae1d36c98578d4d157701ea024ed61f91a9e8f0a14ee5397ce439e934

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Pest

Filesize
128KB

MD5
d4c40a1515ab758cbca591f4f1530951

SHA1
eae1e1e71348a8f1d3ee8c035764f8eb7e0c5849

SHA256
6f79c3fbab818b87109666ef0a38d79cf5def54f9de5ecd68bd5366f4e0a10a5

SHA512
5b4012490523ab22934dff000985ae82be23a23f3100ee237de13a573224a855a71e4547b14b8327cd7e3b468597387dbbdf91dea1c21246aca7dd171a307f38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Possess

Filesize
57KB

MD5
f5adba0dd83290f1c77557a63cd248a7

SHA1
66cd877e9459217a8907fe544fe7195382ddd89e

SHA256
a8de88b8e06ed48e0a0220487ee3a974579bc368f14f3c0c9cfb4a3d05263ffa

SHA512
8bb56a1fa7f7a56001636ca612fdfdc019bdf95dee2cc7383b7005567924f667d250bf80d7482ff0b149469873ccd9a45504c75f2035c3cbcc45602ba4a70ef1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Radar

Filesize
120KB

MD5
65cacd951491179d861b7a5c42a0bafa

SHA1
7a5928a684570af8b6663696cce260bc9dc93f11

SHA256
480b0f02f13e28973c9947e40752db9e89f7b2a1d3d75d9008bcb8f518be2643

SHA512
ca69dd61cd1346e56012f524b83856f3be4e54d3a8301cd224b189dde7df0533a0c9fc7d9f8d5dc0ce311f4231cf1caf5b3104c1d1ebdd1ab06bf5b2cfa23462

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Rochester

Filesize
120KB

MD5
363328c48de082e845dde35c76c98c68

SHA1
9d80778643d5116956e79a04c83d88335c16f269

SHA256
5c6829df2ca0a5cdfca7391014555076ea570e3e3bcd5920c4c1153b23828821

SHA512
1a3e30f2e7b03900309ab2e42b2fea04407b7d92f32c01502a908b5df33b321b1db521bbfa8fee2976717320416cc8df5b6e8f0687fbe4e2719854b0c80ad01a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Simulations

Filesize
133KB

MD5
3842755604d08e44c0ad02d218b4845b

SHA1
a97448cc13782aa80fe74748e38fbdd60b519030

SHA256
051b7147f9c636121ff5b1e97e05cf56c8a7a72663614609170dd6be0749ab73

SHA512
11d3b171a8a52e6e881678bcef90a5dd3ba422912e38c69a597a03d6ed9dcdf28f459bfde1e114056b3f2d628875691af3258f298d2538cbce6bc1d39c187c26

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Sys

Filesize
15KB

MD5
83c718b31ad4e7789348d35dab4bec7c

SHA1
b38f684fa22bc609fc96ae34e9563ad215937383

SHA256
39076bcdb6dc8bc37b683693f7086c972632fc4449cc6062a534412185b244dc

SHA512
25ff8e59a60c47869d8d27c2ba2ac1cc8851ecd8a7b4a065ae1a094ea37f826c17a6665bdf4c9cd915201674890ddcc813d7d25177a60201ee7a4d492b9225b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Terminal

Filesize
43KB

MD5
01e3ad4f76967f6eae0849d0e3eca092

SHA1
4d7f0f7cc8f9fbd1f5725929fed5c4a48a02613e

SHA256
4fa173d94796f2b7c8cde9c8e0a76604dfe74374b20e0cbf81bd1ffb07930932

SHA512
67703fb00e998c0d604d6484aaf24e52d1a43d422d7cb8029a74956d6d5783cdf9bc3b571f334b2b621545f793c2725c0fe0e3baebda8dcc5c7d68a601d13fae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Touch

Filesize
63KB

MD5
4021e51169bc9a64c2b64783953e5ebb

SHA1
a1fa39c391c6167dd146b1c99bae4c2e0168ac0e

SHA256
207733202874187a960eb73049ed035a80199823d481fd3bf9264038ae7b5a33

SHA512
bcc68ef897e77f08a04168b0fd42d89c94c0a685d97cc030039859cca664faf9a3c6deff7db8ce88e2ce86793257218380d39af4d3a903b261b7e304adcdafdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1844.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1866.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\672717\Commentary.com

Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
memory/616-73-0x00000000036C0000-0x0000000003719000-memory.dmp

Filesize
356KB

Download
memory/616-75-0x00000000036C0000-0x0000000003719000-memory.dmp

Filesize
356KB

Download
memory/616-74-0x00000000036C0000-0x0000000003719000-memory.dmp

Filesize
356KB

Download
memory/616-72-0x00000000036C0000-0x0000000003719000-memory.dmp

Filesize
356KB

Download
memory/616-71-0x00000000036C0000-0x0000000003719000-memory.dmp

Filesize
356KB

Download