lumma | 2cad70ce25c002687496356272a8651f47aeba68902af38ba0a350737cf129ce

Analysis

max time kernel
29s
max time network
21s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
27/01/2025, 14:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Release/New v2.2.0.exe
Size

1.1MB
MD5

ae829d606a6b1681e89a017eefbcfa3d
SHA1

4912df225c1f899fc356dd681b3a021e9aa6e1ef
SHA256

88dd58abb4e92008804f18e79631dfb2d4f83a6f0471c5642eca5f806e7bdae2
SHA512

37ad25a5f0d816519b203376cc466f345da0889179260ccefe62db08cd05d66283acd7442929a11584eba2810f91ce49089b2165b5f9f86a771feaa4b95f92a6
SSDEEP

24576:2mFtDZNsnZk7J+9kP8g6lNZPfDf1FuLersI66ePxH0/shNox33w3:zkkN81g6lrtIKxwHt0x33w3

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://toppyneedus.biz/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Executes dropped EXE 1 IoCs

pid	Process
1088	Assault.com

Loads dropped DLL 1 IoCs

pid	Process
2100	cmd.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
2776	tasklist.exe
1028	tasklist.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SpankingDomestic	New v2.2.0.exe
File opened for modification	C:\Windows\YemenSoon	New v2.2.0.exe
File opened for modification	C:\Windows\OilsJudy	New v2.2.0.exe
File opened for modification	C:\Windows\AgencyAmended	New v2.2.0.exe
File opened for modification	C:\Windows\LimitsApparel	New v2.2.0.exe
File opened for modification	C:\Windows\SemiFares	New v2.2.0.exe
File opened for modification	C:\Windows\ThoughtColonial	New v2.2.0.exe
File opened for modification	C:\Windows\BegunRecruitment	New v2.2.0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Assault.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	New v2.2.0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies system certificate store 2 TTPs 3 IoCs

defense_evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Assault.com
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Assault.com
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Assault.com

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1088	Assault.com
1088	Assault.com
1088	Assault.com

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2776	tasklist.exe
Token: SeDebugPrivilege	1028	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1088	Assault.com
1088	Assault.com
1088	Assault.com

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1088	Assault.com
1088	Assault.com
1088	Assault.com

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 1780 wrote to memory of 2100	1780	New v2.2.0.exe	31
PID 1780 wrote to memory of 2100	1780	New v2.2.0.exe	31
PID 1780 wrote to memory of 2100	1780	New v2.2.0.exe	31
PID 1780 wrote to memory of 2100	1780	New v2.2.0.exe	31
PID 2100 wrote to memory of 2776	2100	cmd.exe	33
PID 2100 wrote to memory of 2776	2100	cmd.exe	33
PID 2100 wrote to memory of 2776	2100	cmd.exe	33
PID 2100 wrote to memory of 2776	2100	cmd.exe	33
PID 2100 wrote to memory of 2584	2100	cmd.exe	34
PID 2100 wrote to memory of 2584	2100	cmd.exe	34
PID 2100 wrote to memory of 2584	2100	cmd.exe	34
PID 2100 wrote to memory of 2584	2100	cmd.exe	34
PID 2100 wrote to memory of 1028	2100	cmd.exe	36
PID 2100 wrote to memory of 1028	2100	cmd.exe	36
PID 2100 wrote to memory of 1028	2100	cmd.exe	36
PID 2100 wrote to memory of 1028	2100	cmd.exe	36
PID 2100 wrote to memory of 1704	2100	cmd.exe	37
PID 2100 wrote to memory of 1704	2100	cmd.exe	37
PID 2100 wrote to memory of 1704	2100	cmd.exe	37
PID 2100 wrote to memory of 1704	2100	cmd.exe	37
PID 2100 wrote to memory of 2144	2100	cmd.exe	38
PID 2100 wrote to memory of 2144	2100	cmd.exe	38
PID 2100 wrote to memory of 2144	2100	cmd.exe	38
PID 2100 wrote to memory of 2144	2100	cmd.exe	38
PID 2100 wrote to memory of 1720	2100	cmd.exe	39
PID 2100 wrote to memory of 1720	2100	cmd.exe	39
PID 2100 wrote to memory of 1720	2100	cmd.exe	39
PID 2100 wrote to memory of 1720	2100	cmd.exe	39
PID 2100 wrote to memory of 944	2100	cmd.exe	40
PID 2100 wrote to memory of 944	2100	cmd.exe	40
PID 2100 wrote to memory of 944	2100	cmd.exe	40
PID 2100 wrote to memory of 944	2100	cmd.exe	40
PID 2100 wrote to memory of 2892	2100	cmd.exe	41
PID 2100 wrote to memory of 2892	2100	cmd.exe	41
PID 2100 wrote to memory of 2892	2100	cmd.exe	41
PID 2100 wrote to memory of 2892	2100	cmd.exe	41
PID 2100 wrote to memory of 2800	2100	cmd.exe	42
PID 2100 wrote to memory of 2800	2100	cmd.exe	42
PID 2100 wrote to memory of 2800	2100	cmd.exe	42
PID 2100 wrote to memory of 2800	2100	cmd.exe	42
PID 2100 wrote to memory of 1088	2100	cmd.exe	43
PID 2100 wrote to memory of 1088	2100	cmd.exe	43
PID 2100 wrote to memory of 1088	2100	cmd.exe	43
PID 2100 wrote to memory of 1088	2100	cmd.exe	43
PID 2100 wrote to memory of 568	2100	cmd.exe	44
PID 2100 wrote to memory of 568	2100	cmd.exe	44
PID 2100 wrote to memory of 568	2100	cmd.exe	44
PID 2100 wrote to memory of 568	2100	cmd.exe	44

C:\Users\Admin\AppData\Local\Temp\Release\New v2.2.0.exe
"C:\Users\Admin\AppData\Local\Temp\Release\New v2.2.0.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1780
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy Col Col.cmd & Col.cmd
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2100
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2776
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2584
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1028
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1704
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 499088
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2144
- - C:\Windows\SysWOW64\extrac32.exe
    extrac32 /Y /E Den
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1720
- - C:\Windows\SysWOW64\findstr.exe
    findstr /V "Ion" Outlook
    3⤵
    - System Location Discovery: System Language Discovery
    PID:944
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b 499088\Assault.com + Nest + Invasion + Richards + Prevention + Petersburg + Toe + Herald + Segments + Maria + Springfield + Valuation 499088\Assault.com
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2892
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Ftp + ..\Behind + ..\Deviant + ..\Existence + ..\Sol + ..\Nasa + ..\Betting R
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2800
- - C:\Users\Admin\AppData\Local\Temp\499088\Assault.com
    Assault.com R
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1088
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:568

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\499088\Assault.com

Filesize
119KB

MD5
e2f2372fe77de4335cdaaf5cdc8a376d

SHA1
842f3cece3d56c7b398217019ac6135c3c097bb6

SHA256
d3429f0d09ccc8cbe30beb341c330650c428e05e6fa6a1042871d006d85fea4b

SHA512
9b7f3ac342f9ebefe8cbe29fda30af344a24946e3cee76c3ca56ba6c074a95bca4dabc268db3a95010feaeaf87acf3ec4281655c6d3812c87cc553b82b2b118a

Download Submit
C:\Users\Admin\AppData\Local\Temp\499088\R

Filesize
484KB

MD5
48217248e7ecc5772f23f180ba6cbcfa

SHA1
e821479bea37b07c7a5d8b54d9c3b1b516bd7af6

SHA256
d50391e253e264ae6d9283a7451e12d1d50f810fedf457880b14d96af23743d7

SHA512
d43c439623c87373decb457612de477c0b26952a83e4267edc7ce810917800bb541305ca62d883e8080ffb9930dd137678ff47a8a6fada2427f12fb2fbc06baa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Behind

Filesize
82KB

MD5
85dab0ac307d165d05752f790c67bfcf

SHA1
52b71ded39a59987f8ad1d7c907497bb3985d59d

SHA256
e162fce61e27959948a8c3190947209a51d54619f40c7fb91a59a977ba99cbb0

SHA512
e031bc01f11f8dce16660e2ce8d2a657a4b8ecff847023dac107fc9234a64ef6737e33c457e63c30519c2dff71f987c901e4d475ee6f2d43b46232c69cb277e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Betting

Filesize
35KB

MD5
2c6c7a2743d762697b15e1807b9dd9a3

SHA1
bae974ea7334029c6533f057b1bfc95a9b6d6723

SHA256
babc6ef9f9930e185af877143af80c311905778695ecf5820f581786f5ca462f

SHA512
964854a6f79447172a17e12e86deb46478c6e03c1af757fcc1e2f69424b065b91564445f9fd2ff6b2784f31522f49ba0667bc47d6622914160255b44945a1b92

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2D78.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Col

Filesize
23KB

MD5
78ac4439d1cfe4cb4aeda67481a8f27d

SHA1
95e4b284a10a91cfc7d3d4c33c11e243c703883e

SHA256
aceb26cbeba8b574588d6baa4853b1b94cab2eba2e3ebaed9d52fb08c604c96f

SHA512
77151215aa2642015d12ceb5ea18ba8dda708e07992018320fcfdd7f71a8a82a4ef434c2e830037af3a6d9ce93d7f66a32e911905843cafd0611f7983385ffd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Den

Filesize
478KB

MD5
b3f5c810ea5cd5dce8495de1cff4fa03

SHA1
cc27d209790f6ad28f122cb66ff9b21e8de993b7

SHA256
99994072508c1769aadc5051129cbca06c56eef9213ed489aaa09c9a7dfcd657

SHA512
9c1603581330fe26a1254bed3116d3ee7892ae7915983c359e5f82c21bee55dfce3869cfd182429d9f6fe45a1d4b885113bdb0a8850f10dddd047e3c3ee420b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deviant

Filesize
92KB

MD5
ed276026c823480e473328ec3d21f0b9

SHA1
91f49d1f156d1550534376519d9929dbe80b29e8

SHA256
b3b073f8a77fe80148b419c4cede09e98c0e26b9d7ae0cdb2fd794d2d63d6789

SHA512
888743ff5dcd1de8d16bb4676f33228b818c65a1c329db8bde90270825104a2a44f1da2b3157676004e34080698dfaeb075e1e07cc0cd9aa4a40779ea76d052d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Existence

Filesize
62KB

MD5
d65f6a527885f9184ae397336e11d4b7

SHA1
898eb7bda8b445b3aa25eb7b83742cf5264ca38c

SHA256
3660ea58f06ac95e6ea995eae0096427ce8df3e34104102e6111c9e087297216

SHA512
5c0188f0181b63678d4fc067f2b46853b19641477a891fada496096598a3e489ae917781f89a18220eb163532e5d001b76f6348e99c56e4f24d24c669b1c0338

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ftp

Filesize
81KB

MD5
a0612b5bc667153d7eb36f13fbf5ea8d

SHA1
17d80a53343902530980d92ca5b1eb00c870aa81

SHA256
536cc48a3b15d70175860966345c1f4a775843e97ba43237aa7556dcf603720e

SHA512
b2585a5f0329ac1b7d385cba2e0cf345545a2f5b409b9e342f46a8df3a400d38d0d2f502dc9a22cf0b00416b5112dbef0043c73be16bfae31ab30967b9945d74

Download Submit
C:\Users\Admin\AppData\Local\Temp\Herald

Filesize
113KB

MD5
c1a8a829f0ba5cae80af7144c9685b6d

SHA1
f15db7cbf91f43f7851da091cf83a4598e9b3768

SHA256
b1a0e52991414d57d53927782aa18bf5537f84de64ff0d60a1e0f449dd65a33a

SHA512
50723d0797570b2b3cceeba208d80a9ccfb6d340c6757bf12b0c8fd24ea11ad6e7e058cbc73404758a611af49daf79d1132f831cb2e5633a607deed28b4bc75d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Invasion

Filesize
91KB

MD5
a7269ab1a8bee4ac26d69f46b048b5e6

SHA1
9e4022052a3b409647510b401c4dbdf2a5452c60

SHA256
2a2f304e74eefa25181dd4e7ddae3927f73ba0a2fdd353ba8c7472269ddc306c

SHA512
9e3b91abf33c43cfe194de39662afccac74fe8b6f47308c9f550ccccc97cd1683d577d25371e13601651334cc38995dba8b8a467e414d3493d53b8346d3fedf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Maria

Filesize
65KB

MD5
2abda53852b32f01008ea68d3ace5558

SHA1
043cbd1ce73fa8cbe5fef35669c8586bd3ce7ed3

SHA256
f7edf148e46611aee2ee0a560809be615940762c34a25f2107afefbec67a1797

SHA512
e5228f4df74f3ed3bd27d96721885c2594b4681121a0c878cc7fea3e18d0a45cbf202cd5c1d66d52ede6164af98622e483d414852069cecd6202086c04b1f099

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nasa

Filesize
64KB

MD5
59a4eff4ee521f0adcfd37c667b23455

SHA1
6b9a13a4bf42fc59c4844de1dbe0d316b6965bbf

SHA256
1574374dc51bd826092ac079aeae498590a1dae3edb9c20a7f824499e59be7a3

SHA512
9e868f381eed58ad086c1c08959b26b07441bd55346f9dd1871f3d80b807f9d6973e408a31e2358a3b2400975bc683e4c301bd026175622ba4e0e356fad68647

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nest

Filesize
117KB

MD5
b41ff0c5ee6c6528266642ed059f6132

SHA1
b1c807de973320fd669cf11eb1dba600d005564d

SHA256
abe8e3cd63d7d62ad7418755e1ee4297276eeab621ebe62c4e772b8e399c6d1e

SHA512
c7ff8cc02395c7f939c7038ada45f40f3d267d1e381e796561a45d37c1f5b2d199cbee03eff91d9577e53822529b8f7ade35eec488e3141ca3d3a3c507a516e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Outlook

Filesize
2KB

MD5
6071330e16d3ae23050f23f7338415da

SHA1
d4cbb59cd9057b43a896e1ecba9ff314dd806e03

SHA256
b7ef9a2f552a70c2430c01b031d7334d5999941b3c29dd5a7a1d39fcd4d2b5bd

SHA512
95a32c0857965f3c7be44b60cab50ed2aa623084db1fbffa8b890b7edc5349d32cbdf726e68f43b827a1f99f4008c51987b758d85ca1f3f22a106e8853e27f07

Download Submit
C:\Users\Admin\AppData\Local\Temp\Petersburg

Filesize
129KB

MD5
f320a7fa43e2917a0618e5eaa735c07a

SHA1
0d5ad13a157e37447cc33a2dd19f078eb7994a88

SHA256
f3c04e7798d01c4abb80a122021de424af5adf9c8a0fc2823a622b9114276ed0

SHA512
72831d3e3b6aa9459094adb9d38922f4f03d3e08264411e5439f600aec9f7a853032a6e22c19aa68bf43419a324be8c8797a28e27197b26d22f5426d9723fd91

Download Submit
C:\Users\Admin\AppData\Local\Temp\Prevention

Filesize
84KB

MD5
e86b017d9cc603e75c185e5b1b67a94f

SHA1
f11e65663a4147ae003f43a8b388b2e97495827d

SHA256
afbbc51cedea8d07f8771adb02db9a45e6d7fa37c3ee31ed1c13ac49a263fcce

SHA512
a2843d426ef08977fc2371952e589c922c5b55db3af4ea45b4326b3d743cd001db30625fa12e586cf7381f2428d1888fa5147537e4413ddbee5818239be584eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Richards

Filesize
66KB

MD5
c518a717299559abe7cc54ab5e330e93

SHA1
f4f6d762081245e3894de2251cbb94aa575cd52e

SHA256
ed9a89e4e80b488e6cbdfda57f021aea7196a0f70bb8f008176449bdc6d324bf

SHA512
80cbdce5d34b344ecda6e4a6c733d29c48e89f65f7da66143627c8a4a969bd1d712fb7f0e46517c3a2d5ef3c0fa77ad082f184d97a78887337e245ebf31e44b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Segments

Filesize
87KB

MD5
9cd094e12db908192f0a686410a3113d

SHA1
d90d271bf2c28dd850ce1324f9aa157b37ed8b60

SHA256
937201d7afab3a9cad738265142dc7bf6b92be673ea6003f9d8ac1faaf1e716c

SHA512
94052ae87c2a3332de8d9995a14b3d842182309f4f87c1dbda86effb2cfcda0c600a9f7a273c2f8f172ee8c7426ceb1f0360a2754e04ce0279fe0e29faeb87a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sol

Filesize
68KB

MD5
301060e6ca2d7095957b5214d877a6b0

SHA1
7143dca6c13fdbbc17e6453d2f5d4f21e2f34cb8

SHA256
1a28d4e7ab0f6c694160a50ed7cd9ea07fd64f8bb4bb3d261c4722da7af41004

SHA512
1a9f94e0de7ba0f5f6aefa65366ca13673b6027546680d320016361454b6270ff6c510d59a27f3c7e8639ad14bf8ddac1ac843640778776ecfc7907139b4b6db

Download Submit
C:\Users\Admin\AppData\Local\Temp\Springfield

Filesize
55KB

MD5
50f14d4662a4c4a333098b4f236d6c76

SHA1
5aee59eee3864338f150757262c4b25abee5dbfe

SHA256
3bcb67265237dcfa492547fb947f6eaf453bb7b0fc2f1f767025cfaab90ad1e6

SHA512
9d720994cf988fa3aed9ba5a17f2fce1a8d96a8ed92b4f0b27524416e03b01a2bc08f827daa55b077c66aa7d1549c51f55974db4c4ae29152eef0ddc125b589d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2D9B.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Toe

Filesize
50KB

MD5
1436aba91a7f642764f880b35cd1117f

SHA1
b617efed07b3162154069f470ae2016d9ffeb985

SHA256
4126cc3574bcc3b1a3c5dff3fa2b2b388df6a5bd233f0dccc6f1e77ada49eeaf

SHA512
4ab806abbc37e9e5fbdbdff42f9627b0de6506bdd084f5dec0b57f6b472e9711b4f6490fdbe43ffff7570381b041b4f013096e5e4b2e7dbdbcf4bf7381ea8b50

Download Submit
C:\Users\Admin\AppData\Local\Temp\Valuation

Filesize
65KB

MD5
3e67078fddc71fe2b84c341fd573fa52

SHA1
b6fbfc819c36c44d8afd4daf4ac777a50d09b9e6

SHA256
5a017ff00654cec4611dbdafc00411a9e121cb8797eda141409950490894b454

SHA512
339fe0f5eb049cfe3db2d5312b9a7fe1d7d89744f88cb0b2d700acb2c4df6dfe15444a34b1e0ac703544a0aaffefd0cdab1dfbb87e7f2cd3093000643261c2c5

Download Submit
\Users\Admin\AppData\Local\Temp\499088\Assault.com

Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
memory/1088-594-0x0000000003550000-0x00000000035AB000-memory.dmp

Filesize
364KB

Download
memory/1088-595-0x0000000003550000-0x00000000035AB000-memory.dmp

Filesize
364KB

Download
memory/1088-593-0x0000000003550000-0x00000000035AB000-memory.dmp

Filesize
364KB

Download
memory/1088-597-0x0000000003550000-0x00000000035AB000-memory.dmp

Filesize
364KB

Download
memory/1088-596-0x0000000003550000-0x00000000035AB000-memory.dmp

Filesize
364KB

Download