lumma | hxxps://ryosw[.]ws/

Resubmissions

13-01-2025 02:57

250113-dfkjzssncv 10

13-01-2025 02:49

250113-dbfegasldw 10

Analysis

max time kernel
250s
max time network
266s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13-01-2025 02:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://ryosw.ws/

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://jubbenjusk.biz/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Executes dropped EXE 1 IoCs

pid	Process
1572	Collection.com

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
648	tasklist.exe
4940	tasklist.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WvEstablished	BootstrapperV2.exe
File opened for modification	C:\Windows\PublishedSs	BootstrapperV2.exe
File opened for modification	C:\Windows\CoinConverter	BootstrapperV2.exe
File opened for modification	C:\Windows\MorganPass	BootstrapperV2.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BootstrapperV2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Collection.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	msedge.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
3620	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
4176	msedge.exe
4176	msedge.exe
3288	msedge.exe
3288	msedge.exe
4752	identity_helper.exe
4752	identity_helper.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
4268	msedge.exe
4268	msedge.exe
1572	Collection.com
1572	Collection.com
1572	Collection.com
1572	Collection.com
1572	Collection.com
1572	Collection.com

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	648	tasklist.exe
Token: SeDebugPrivilege	4940	tasklist.exe

Suspicious use of FindShellTrayWindow 37 IoCs

pid	Process
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
1572	Collection.com
1572	Collection.com
1572	Collection.com

Suspicious use of SendNotifyMessage 27 IoCs

pid	Process
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
1572	Collection.com
1572	Collection.com
1572	Collection.com

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3288 wrote to memory of 2096	3288	msedge.exe	82
PID 3288 wrote to memory of 2096	3288	msedge.exe	82
PID 3288 wrote to memory of 2260	3288	msedge.exe	83
PID 3288 wrote to memory of 2260	3288	msedge.exe	83
PID 3288 wrote to memory of 2260	3288	msedge.exe	83
PID 3288 wrote to memory of 2260	3288	msedge.exe	83
PID 3288 wrote to memory of 2260	3288	msedge.exe	83
PID 3288 wrote to memory of 2260	3288	msedge.exe	83
PID 3288 wrote to memory of 2260	3288	msedge.exe	83
PID 3288 wrote to memory of 2260	3288	msedge.exe	83
PID 3288 wrote to memory of 2260	3288	msedge.exe	83
PID 3288 wrote to memory of 2260	3288	msedge.exe	83
PID 3288 wrote to memory of 2260	3288	msedge.exe	83
PID 3288 wrote to memory of 2260	3288	msedge.exe	83
PID 3288 wrote to memory of 2260	3288	msedge.exe	83
PID 3288 wrote to memory of 2260	3288	msedge.exe	83
PID 3288 wrote to memory of 2260	3288	msedge.exe	83
PID 3288 wrote to memory of 2260	3288	msedge.exe	83
PID 3288 wrote to memory of 2260	3288	msedge.exe	83
PID 3288 wrote to memory of 2260	3288	msedge.exe	83
PID 3288 wrote to memory of 2260	3288	msedge.exe	83
PID 3288 wrote to memory of 2260	3288	msedge.exe	83
PID 3288 wrote to memory of 2260	3288	msedge.exe	83
PID 3288 wrote to memory of 2260	3288	msedge.exe	83
PID 3288 wrote to memory of 2260	3288	msedge.exe	83
PID 3288 wrote to memory of 2260	3288	msedge.exe	83
PID 3288 wrote to memory of 2260	3288	msedge.exe	83
PID 3288 wrote to memory of 2260	3288	msedge.exe	83
PID 3288 wrote to memory of 2260	3288	msedge.exe	83
PID 3288 wrote to memory of 2260	3288	msedge.exe	83
PID 3288 wrote to memory of 2260	3288	msedge.exe	83
PID 3288 wrote to memory of 2260	3288	msedge.exe	83
PID 3288 wrote to memory of 2260	3288	msedge.exe	83
PID 3288 wrote to memory of 2260	3288	msedge.exe	83
PID 3288 wrote to memory of 2260	3288	msedge.exe	83
PID 3288 wrote to memory of 2260	3288	msedge.exe	83
PID 3288 wrote to memory of 2260	3288	msedge.exe	83
PID 3288 wrote to memory of 2260	3288	msedge.exe	83
PID 3288 wrote to memory of 2260	3288	msedge.exe	83
PID 3288 wrote to memory of 2260	3288	msedge.exe	83
PID 3288 wrote to memory of 2260	3288	msedge.exe	83
PID 3288 wrote to memory of 2260	3288	msedge.exe	83
PID 3288 wrote to memory of 4176	3288	msedge.exe	84
PID 3288 wrote to memory of 4176	3288	msedge.exe	84
PID 3288 wrote to memory of 5064	3288	msedge.exe	85
PID 3288 wrote to memory of 5064	3288	msedge.exe	85
PID 3288 wrote to memory of 5064	3288	msedge.exe	85
PID 3288 wrote to memory of 5064	3288	msedge.exe	85
PID 3288 wrote to memory of 5064	3288	msedge.exe	85
PID 3288 wrote to memory of 5064	3288	msedge.exe	85
PID 3288 wrote to memory of 5064	3288	msedge.exe	85
PID 3288 wrote to memory of 5064	3288	msedge.exe	85
PID 3288 wrote to memory of 5064	3288	msedge.exe	85
PID 3288 wrote to memory of 5064	3288	msedge.exe	85
PID 3288 wrote to memory of 5064	3288	msedge.exe	85
PID 3288 wrote to memory of 5064	3288	msedge.exe	85
PID 3288 wrote to memory of 5064	3288	msedge.exe	85
PID 3288 wrote to memory of 5064	3288	msedge.exe	85
PID 3288 wrote to memory of 5064	3288	msedge.exe	85
PID 3288 wrote to memory of 5064	3288	msedge.exe	85
PID 3288 wrote to memory of 5064	3288	msedge.exe	85
PID 3288 wrote to memory of 5064	3288	msedge.exe	85
PID 3288 wrote to memory of 5064	3288	msedge.exe	85
PID 3288 wrote to memory of 5064	3288	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://ryosw.ws/
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa202f46f8,0x7ffa202f4708,0x7ffa202f4718
  2⤵
  PID:2096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,1710509117368996496,12888620892581664224,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
  2⤵
  PID:2260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,1710509117368996496,12888620892581664224,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,1710509117368996496,12888620892581664224,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2900 /prefetch:8
  2⤵
  PID:5064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,1710509117368996496,12888620892581664224,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
  2⤵
  PID:2292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,1710509117368996496,12888620892581664224,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1
  2⤵
  PID:4696
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,1710509117368996496,12888620892581664224,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5600 /prefetch:8
  2⤵
  PID:2052
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,1710509117368996496,12888620892581664224,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5600 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,1710509117368996496,12888620892581664224,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2252 /prefetch:1
  2⤵
  PID:5048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,1710509117368996496,12888620892581664224,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5776 /prefetch:1
  2⤵
  PID:2892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,1710509117368996496,12888620892581664224,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5744 /prefetch:1
  2⤵
  PID:4588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,1710509117368996496,12888620892581664224,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5652 /prefetch:1
  2⤵
  PID:2284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,1710509117368996496,12888620892581664224,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:1
  2⤵
  PID:2144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,1710509117368996496,12888620892581664224,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3120 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2156,1710509117368996496,12888620892581664224,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5732 /prefetch:8
  2⤵
  PID:916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,1710509117368996496,12888620892581664224,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6128 /prefetch:1
  2⤵
  PID:420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2156,1710509117368996496,12888620892581664224,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2036 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4268

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3648

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2176

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4468

C:\Users\Admin\Downloads\0P3NME\BootstrapperV2.exe
"C:\Users\Admin\Downloads\0P3NME\BootstrapperV2.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2688
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c move Twist Twist.cmd & Twist.cmd
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1656
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:648
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4696
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4940
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1248
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 637575
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1276
- - C:\Windows\SysWOW64\extrac32.exe
    extrac32 /Y /E According
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3264
- - C:\Windows\SysWOW64\findstr.exe
    findstr /V "Corporation" Coastal
    3⤵
    - System Location Discovery: System Language Discovery
    PID:116
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b 637575\Collection.com + Innovation + Trinity + Walks + Cleveland + Followed + Britain + Told + Executed + Zinc 637575\Collection.com
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3016
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Campaigns + ..\App + ..\Minister + ..\Timeline + ..\Journalists + ..\Attachments + ..\Complement y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1488
- - C:\Users\Admin\AppData\Local\Temp\637575\Collection.com
    Collection.com y
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1572
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4292

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Windows\Temp\officeclicktorun.exe_streamserver(20241007094908B10).log
1⤵
- Opens file in notepad (likely ransom note)
PID:3620

C:\Windows\notepad.exe
"C:\Windows\notepad.exe"
1⤵
PID:4684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
56a4f78e21616a6e19da57228569489b

SHA1
21bfabbfc294d5f2aa1da825c5590d760483bc76

SHA256
d036661e765ee8fd18978a2b5501e8df6b220e4bca531d9860407555294c96fb

SHA512
c2c3cd1152bb486028fe75ab3ce0d0bc9d64c4ca7eb8860ddd934b2f6e0140d2c913af4fa082b88e92a6a6d20fd483a1cb9813209f371a0f56374bc97d7f863b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e443ee4336fcf13c698b8ab5f3c173d0

SHA1
9bf70b16f03820cbe3158e1f1396b07b8ac9d75a

SHA256
79e277da2074f9467e0518f0f26ca2ba74914bee82553f935a0ccf64a0119e8b

SHA512
cbf6f6aa0ea69b47f51592296da2b7be1180e7b483c61b4d17ba9ee1a2d3345cbe0987b96f4e25de1438b553db358f330aad8a26e8522601f055c3d5a8313cdd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\4f610828-12c6-46b9-b05f-d5067185e824.tmp

Filesize
6KB

MD5
078219fb009e9fb71e27dc4c2fcd5991

SHA1
91983715c51278da0c83cd00bdb0fe0d81e49d43

SHA256
87185b8beb2a2c7629e4b590de4168548304d41e58eadbd97476305b91f6391b

SHA512
2b9dd03332f27389d5b2e8dc86f87f6d4a033ba16cc5781d728e35c563e1017eeae6cc9096eff7c2403f543ead8a03ee2d6f7481e84a88bf73b1a0fd1e394da6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\8e43555d-2a5e-46b9-a287-45e3c9a608e6.tmp

Filesize
5KB

MD5
21de40f5df1ab5fdcf9a54f500aff7c1

SHA1
56e59501a79903cc9a78fa076390d59ef6c64a4f

SHA256
23f7700dd01448773c30b8e5506f499d4e172555cb7cd7d05030cbb4f39061f9

SHA512
1df769acd94cf34e2b1644439a78a9326dc7844e9d0465fc67ea86b024d68fe751ecfe11a07e8c481fbb16c7d095c26bf629494bfb8a311f39826c66ae198c18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
744B

MD5
420f03fbf2c7d3920de8a7bcae177ca2

SHA1
71484b1390953e135061217a3ab80fe1c7cbcd0e

SHA256
72b84a3c22c5f729afb981cd4a65db48e9d536a2603256f15ebb64ea18a52388

SHA512
f9d20b0ed8f68c97e5219673c6a410a91453f38c799d194ccdbf4a6ba6ae4e50b86b01b1b8b4380e2e5cc61a1da978931cff48262e01f4e71a9ea5111137d1a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
f78c0bf3069a401f7f058c621fcca711

SHA1
698ce46a84f6d32568ef529c474845d1e9fe15a8

SHA256
4d6de9fb2500efee10d5e356181c37a937f508f31bd9e23baca175d7c30d10ff

SHA512
9a5c51ff296c7f3fa9c760d4a473c95aef228fe9d0f6cb243d83b6d49c5f5dae6ccd4b15b5b5760214ebbd1006c06aaa9dcc3d34b6ebb38299ddf815f47d44db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
c0f5610fa436dc40227001498bd2990f

SHA1
c07ba5a731dfef45a4dcc608fc17b4df4ecaa61f

SHA256
1c79c7f9516846102a22059d6ce25e3fde551f9bf77cf345beeaa6be83c53959

SHA512
0ddfc79f6f657179a0c3eb043f6f4250fa4b6f8ccc55437b681f4a571080bb8b0e16678e080bea599534a97bae770d3871d59d14305c8cb3cefd95d5bf54265b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
e5e3c6516f4a44064f2815641b3f97a5

SHA1
309e6c04eeaa43b7c189a231c0f80bec94163ec9

SHA256
6465289a31366e66a5eeb1c47c350c1bdbf6c5b1c82bbc6181abd67914112b50

SHA512
13e8a9b4240292cb01b90b40c618ff6c6465564be11397056192736b670b859b062fb79307cf045ad2625c978af2e7c9d3777405d70726ec530fca4da5cb1d60

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
789db639c4c74007fcb1020196c9e7f5

SHA1
7e5e13291104f3fcff6b02699458d0afb28ceeda

SHA256
a62609c3d8054be97f16813f50c5b4f91d8c440e5bb11cd288167ee403ffcd45

SHA512
f9583ff23b35bb79e0ff9142bbf9eec82407f15e54e6e76e216f5a34e2d25998ef61366ae9aa7c045d97288bc6d8d58f44fded17f4ef243d39071f0a8b34c174

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1a8fde610a2d9cf685f567e4375ab93e

SHA1
f778108efca4226437a20b14ecc55565d58300f7

SHA256
293ed78dfe4f19068d9cdf28d38449a0ad20ce16acaa0bc6e8e84fc614ce5c9f

SHA512
0ddba877cb60a246964a0c95dbad496f65a5e0e3160a1f23f0e09cef756e099b8508ddfca9583660d95fd7215c952cd30cbb42ac0ca2a7374facf8b9014a514e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
12e68672161ffd9d258b61092fef033d

SHA1
7a8302270335e4914c5bfb63ac6089ef1a1bc04b

SHA256
1d033334edb5d8cd845c802e0beb43c3456bde575ba2497f458f45322c4fe4e6

SHA512
bf8bbf4ece1b7e8777dba6a9af7362ff95ca4b4756f6b2033900bbafbd877f8162b6f1f1fd785fc82cdf4c46cb250c7e7f5bce891d05f5fc2a629e3259c73a92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
1826d0bf626df574027ef724f14c7e55

SHA1
453f04a1bef73d6333769a51c30cbe965e5f7f21

SHA256
43b57a819989f6d00bc5d0577020bc5943da4145ae32176b7ff82b5cdf17c5ae

SHA512
07938da011a696fd2536c08a82704d161b798c580c7ac3aede1124aced7a5c62a2aa477a36682c69522c8e6e75d80b2ac7a55b2e00091dbcfa9678332f3422e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
63215c04671f477da39455d90a5cf4db

SHA1
f84c49c924bbe46bb1743d77408737dea427d00f

SHA256
d536c4a4a466f8c62a864c58d4e74d1e563a25adaaa3e5915a5258d43f810d74

SHA512
64bc4ef3928a1de928791c958c11e9503dad475126aae8386ed277c140441651ae6b9d11cfb237fadd5bb6d6a15a7c5c991f7581a738df49f2934802e4333bbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
7f28409e61f99fee18d9caf572ca69af

SHA1
68e7b37b1bb37a602026b6ce7b0ce8c7a68de680

SHA256
7dc5e0e0fe8dffbbfc0c5996375260641aac52a23eded76c299879591ebfb675

SHA512
bb54476a0641a7fc59f96611acb549ff41efb98bdf4ae8f42d505f2bdc680753decd3875ae33033530a319b41c61b16a019999f1ff4c6fe1f83b6fa71b8e9467

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
6be553c2c26369589ae205a99221373d

SHA1
43d8eee0f59c4b20827015fe67b9123e6611c83d

SHA256
3ddd88de1261160bfa7bbce3e17d23ce0aab4117aea0ec387654c853d77dd96b

SHA512
fbaf4dd0346096ae8ef61f5374d9466e588b4629b04e7c3fd6deba1133353d03a05a7146cdd9b599cf56f820ebe3f19aeb43e6069cad984bb373bd51ec6c524d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
4f0cae267c7223d8c584ea0db4de2acb

SHA1
da1ca12a9eb3880ab3441c1793945b83f1deb45a

SHA256
d625d6c09c2e54778f1428bd27414427b04678c877919c031137235db007bdeb

SHA512
ef707e703918325d2208c76e01631b5118d13d519863352f8348c0a8daa037169b7bd0c4f848b559d23e270ffebba0c144fb1cbe4895d22a3081af4cb8882912

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58585c.TMP

Filesize
533B

MD5
0b87b3001bafd8d558199f78b6d249db

SHA1
036e794bff170e6c3a332a63c8386e9a7cd16590

SHA256
bff1fc55a3e8cc64f6858f80b5610fc428f9acba0255d1c8c77e5bf67c904bc4

SHA512
215d3120fe584877cecd1cd64e35c668c1ba45d024cacd0b6e5ecd8d089743c1f16769f415c188d2fba0f9ca7559fb42101080de7dda76cbe3acdffe63392e8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
1d75daa042cca3004cbf5bab178f6561

SHA1
774455a6462a53ce16f4d01749e1352b8585eede

SHA256
7cda1098cd031340e408731cad233734e4a24508b14a4666ee19f6c9e96c6073

SHA512
a203b2ac776fb42632b5a75a9b6e7a99e6d6fbb013e1d4ec68d92133a7007ac0bfcdc44683c4f574f27073ea15bb70905ffecac8f72034b6118f6444f4d1a9e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
2f61de41bb16cfb086f2f5654470e9ca

SHA1
495665ee761ec584c169abd7a08029de4b2a4b5f

SHA256
f18300f1eac88e3be2a33f3b457af6bf0844b11caab2c11ac5a994630788f942

SHA512
2918f77f8ef6f31abf941f29bf8bc92307ec32b1fbf0fcfe55a8ffc6e0598c8e8aea153c95f9f00a20b782313b50a8cc1f1970d2f2fd2a34ed36352a28b1aa4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\637575\Collection.com

Filesize
383B

MD5
ae367865f0be0758371b71120a86c6d1

SHA1
d4f37284dbf667bac9cc16f551f7cc573fd2f641

SHA256
39c02827133e674e5425ca11186ade42c493b4107694c0eaf2301d855b84686d

SHA512
4e17fd8c69926dd7712123826b71deae408ece5e033e4703bf75e39379f1b904ec7ce4d7e4370b94dad9e3428184f66b43028ff1179d201cb5399f816db105e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\637575\Collection.com

Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
C:\Users\Admin\AppData\Local\Temp\637575\y

Filesize
473KB

MD5
509388799038828408168e8936c1006e

SHA1
3d64f0b9f7ef995f9dccbead2a5a633fbaebad67

SHA256
d1153d48c90ed43ea397d0502c8fb6963a8d47883bebf8d63d539c35465d755b

SHA512
6aa34ff63de9817e4b778511236554d8d18664dda67d76aba8fef6db69a267c5bb00eb8878ac7098bdc1828faab9d2a769a8af9ce268f622f3619df6fb912a21

Download Submit
C:\Users\Admin\AppData\Local\Temp\According

Filesize
477KB

MD5
c6da22e953f5d6e194c182ef9d398214

SHA1
05b020ab430337d34fcf010581bcf0a01658decf

SHA256
aad8f066433c5ddb5ce40ad640bf8d2ddc96abbc09eb1a8d815e1c59218144ce

SHA512
d51bd0bf6dc62baa9000dd6634292667d864044d8eed1d6680207496c493a9a5b17d98e4aa08027716932bd94b04b35b166c7d7ac7542b43d3184f70c5e962b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\App

Filesize
69KB

MD5
30dfb5b3f6e74fbc6b8393854dffa8fc

SHA1
018c9219f53d44182b4a4565d4ea9515af53690e

SHA256
f2e5a15a9e755df57d44737ed14d6589a0e8293c4c205b2e1c922cc3cb8489bd

SHA512
54431bc6958eda2b45e633e7427886d5d447b99d0f0a24a5186fb7fe2fbc71c7f4df6246b224b3a7b71c396e440312f235f9ce643cf42522511a22d754b5f824

Download Submit
C:\Users\Admin\AppData\Local\Temp\Attachments

Filesize
73KB

MD5
4ddaaf7c1b3447594ea19331cec96e8c

SHA1
3989b67d528dc9ce5ed840daa5f5ff946f943b0c

SHA256
fe8c010b699cf73b4d828d3d86509ccf1d822bddda115de390eca8c59cf1b564

SHA512
befc9523812d616f07dda8862291b316694163b5ec43ac3be6a48c551778259ce48efbd42dcdcb50053643266b4cd2954db4a273d6e3ce6a7577f6eefd358201

Download Submit
C:\Users\Admin\AppData\Local\Temp\Britain

Filesize
101KB

MD5
97f8c42016f1ff671e108ba556a185d3

SHA1
13d6ae5a3102fa4d6b1c4897f37a6c1b0e843cc5

SHA256
8e99918a8e44917b13546d33cdaa371e43f9ef8f0ee5d9fa17aa5b359606317b

SHA512
b787cab551c976eed623827e90d57659f0baac3fd36d09cb9a642068db475094ffdd6a73a308b3c5beab888666917235cb4163fd838444f8043c1f46e457fc6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Campaigns

Filesize
67KB

MD5
98319c11c8c1cd78a529fadc5998020c

SHA1
a79a10708d3e11c73365aebf5c5ca00fa4a4f9a9

SHA256
b4a6242b27a6711e575fbd88b300c0086debdd962973ce82c5f8d273cbaf457a

SHA512
f9eb3c5776665d2e593b3bc754c4cbb641f2658cc80c33d937296c042c03989153bcda71bbaf6f4ba0004889138e79c24d035497d567cdd66bf6f0fb11798c15

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cleveland

Filesize
100KB

MD5
d1e90dff5e9e0afad50831e58de8aa9c

SHA1
31e4159a95a708b024cb9219aa600c61dedf8cc5

SHA256
c30264610f3e8f40381b984d0c9e74505e006f0fd284bd7b1fb695225f547d67

SHA512
661c0a7b17cae9a27f2ca2a71e153482bd20cc0bedde9c9a964fce61d66bb4c8a53c7723ab6db0d6894f0351448ecbe74806a3bc977adcd9cc3f8252764d6895

Download Submit
C:\Users\Admin\AppData\Local\Temp\Coastal

Filesize
394B

MD5
4083b97b69cdb6a691cb6bb78eac8170

SHA1
a53bd406f388ffc16fa9b11ed23e1f5c48e1145c

SHA256
c25a5c19747a6aaeb00e8a97800d630485a01867199e0ae7d10af6c5b409cebb

SHA512
f8c10aeb63fd7b8fe3ebe0db23505c1b518bfb54db569ffc25390e4f1502fdd8500e0d86fba4bbecda081aaa1eac488ba0d396c3fcb6aa1da1fee9df1a9a9698

Download Submit
C:\Users\Admin\AppData\Local\Temp\Complement

Filesize
27KB

MD5
d9896a432eae409d87fd0bd3407c9cb5

SHA1
b396ed85d3907d3e4edee98c9576c9a3873ad8ca

SHA256
b93e2ae91147e8a634e26bfe792ce7f93c48a89c6a674d9b746090fe7c1163e2

SHA512
e756f79cd46348c55df07c8fd2a4ccddd4dd1dae2fa8b846e461c8f5e1b9d207a1a98aac110c4d970c6f4ac0d97aa5eb97bb016f085cee3b17d38e0ad3723672

Download Submit
C:\Users\Admin\AppData\Local\Temp\Executed

Filesize
82KB

MD5
f608b9cbea2cac45955ada1b58ddae70

SHA1
6f13fc21cd80c3145bf9dbc8a062f4a2e8d2d04d

SHA256
25915c752cf9504a08245ea20e9a7bfa8094bf725a7bf60f527ef9f13549148f

SHA512
f0daac5912ba8177ac19ab7b06a3f2a208289a8976448435b188205905aeddf12f3b5ee8ce35f283a685b849ad4d357868c044144f4eb5cee2dbdc78a26273e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Followed

Filesize
134KB

MD5
29934db735f8f100d167a2b004a3d1e2

SHA1
8821e1ee70e4aa54505a1ae980898d6aad6d6dae

SHA256
f1a0e5e38e828d53c23d6dd2a557ee91b5d0cc3afb04eeadea9ea55bec42455c

SHA512
bd9baf1fbecec4a7fbd32f86fe4c90b8bb95dc65b943f5c84fbc043f4f04733be23bd36c9969ad68d8e89d65f6c70f47b672b86765e83e4138885a66542aa1c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Innovation

Filesize
137KB

MD5
3c3988fa795265441ad9390d4ee171a6

SHA1
ca5cbcb893fb7b0dc82e09d2a5b41d0c933bcaac

SHA256
00c97189910776c057ca5b15fbc90c1a9afc168592df9fb1b472cda863df6a70

SHA512
784f11254633f2201423f7b3e89b300bf0b7a6fc057792f089b5a89b71b61ac209e0380d5f6e0d180b7e0156b72372f3481b0c37beb73fd7697aeb5f6a574c8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Journalists

Filesize
87KB

MD5
c9fec4408155f6006827eba35af1f384

SHA1
73d30e220475271881c71911cb283ad24bf26363

SHA256
fb679686cc2f1c6f4e8ebfc53402567efaa2e2a82cb0efed8966f50db80d9644

SHA512
46bbcd49292d2a56a644d2b15deb4c907ca2112b118df2eacc4df168285ea4eb72343aabe2e72db0a7fe0d354623e6dad6431770431fd67d5c47b2f50e3767dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Minister

Filesize
91KB

MD5
ff290a5754c961c72f2f625a900fa12b

SHA1
b2545c332bf50e20ece97cc99e6f9b7ec808b48e

SHA256
7f2ff05067b45bf807b79f9ce0015891b43e95c528824345e69ec378c27c9013

SHA512
a03b2ec0c2476982b6f990a4463d3e9ad50caae66ef811cce832a4efda2403d6be5dcf26b5bba4d32420aff642b924a91086331cb6e1f3cea659b8026ea76c1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Timeline

Filesize
59KB

MD5
b865fc7d2fa5620441067d180b445037

SHA1
2b73153e445d233a21c43d55694947cfcbfa2b04

SHA256
c8e76d4e23dc79939ea46fb4a88409458d78fa05cb86420f57d41132dba1b33f

SHA512
53d44273255b6c7e377b3d7ba5f64283bfd3d4fbf2db90997de5740d3704ce4ffe27cfa6494c0ebc62036f9770b8ca8b23a3bd086b74e322bcc38c9bf9627539

Download Submit
C:\Users\Admin\AppData\Local\Temp\Told

Filesize
109KB

MD5
acd623793bacd5cc52a489f80cad0309

SHA1
d18e0976805d510c368521c62e70a56d56e623e0

SHA256
8015a23ab93c815d7a215cc412974b09f1315062848a66582c9f311609d62b97

SHA512
19dde7ba632334a450bacd8f63b2ab310406881a9e2db202eb1dc76671dff52bf4f228cf19d1a952a41390c6bbc169b790cb1b017a648c454b3fa7d2774430b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Trinity

Filesize
120KB

MD5
a34fec3e5094608cfae0d656d0f67a99

SHA1
eaf36199a41e3ca14295e00c27730a7551ce7662

SHA256
9f38e5a64b0de0826b1139b20f703412e49d9184cb1056b318a2ab9877922185

SHA512
899f93ce7f8d4e3e3dabae7cdc45f6f79ba64621e9e2997b4db2acd55438ccb675b181d9a467fd81984c4a42bde3bfb1b6370ffeda8b38e528107f0e0bb359e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Twist

Filesize
20KB

MD5
de3bf90712e3dfb0e23bda22153b0fdd

SHA1
34be286fbb26b021f5fd8cf2594c6a5e87d2a507

SHA256
1a323e91936ee0dd4d48dbbf8231f84c34b0fdb4dc310d1495736b986852501d

SHA512
24880e1394650cc878a50d744bc240c8c27fc5b21f12c43ab53090b459be8acdf532acf8eebba24b1e79ce367884651add527f1b62c8ab6cf12eb5bf6b91d46b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Walks

Filesize
79KB

MD5
751e192a63079f6a7bcab8899f0265d6

SHA1
970b793e09161bde610b2b084dca98cede20aaf9

SHA256
a2b91e0e35acf3ea5273c148699ee29b8f1a03a3f1481aa183125ab8ee1aac27

SHA512
13a57ec35e1acef2f8da2ae611c7cec176fbdac3367dfb60f7ae8cff61d834d220eaf8047eefbd5243daa29dec384381cc572701493aab602c64d32dfc8f704d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zinc

Filesize
62KB

MD5
d301984e153779482174711095453c4d

SHA1
4ba42b2a34f0c2d46e85706cbd1b442c65869962

SHA256
b9da2398a39e17358eb02b823799cab55c33504584224ee29fe29a409ee66ca5

SHA512
2e628a7864056eb316b56d8a78f84968d7d6c774913c657d312bd0d2e1d0275dd2667d1cbe7121b988118c3e9a0cdf090802a1fcae919f4e7ded7e5bfac668a6

Download Submit
C:\Users\Admin\Downloads\0P3NME.zip

Filesize
1.5MB

MD5
777f43112f44c0b8868f2a6de75140ef

SHA1
97cde13751c61b0c2be09119c821b8a00d398141

SHA256
c219fe6b87a36c8a3ecff7483d4bbed7a3f6a9fbd3a06eaa69ce143288267210

SHA512
5d40dc30860ed2b2c575278057b3bd29835ce40f342d77a35eb302daa8dac8b8b1dbc7a8de6a03a11fb4795ac36f503b1bfebdf00ff688a6dd0ab1b136abe8aa

Download Submit
memory/1572-425-0x0000000003F00000-0x0000000003F58000-memory.dmp

Filesize
352KB

Download
memory/1572-427-0x0000000003F00000-0x0000000003F58000-memory.dmp

Filesize
352KB

Download
memory/1572-426-0x0000000003F00000-0x0000000003F58000-memory.dmp

Filesize
352KB

Download
memory/1572-428-0x0000000003F00000-0x0000000003F58000-memory.dmp

Filesize
352KB

Download
memory/1572-429-0x0000000003F00000-0x0000000003F58000-memory.dmp

Filesize
352KB

Download