lumma | 0d7db567df0c03f033db70107c7699d21fdc046d3b502160e45b6c26a7a5291d

Analysis

max time kernel
121s
max time network
124s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
17/02/2025, 22:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

quarantine/30adb2328b17bd15cdeb5059c621bd6e9bf0b7e03dd2cdfbadfc837737d424a5.exe
Size

1.4MB
MD5

7725406519fdb2d4597eb70e03576461
SHA1

3c4998416fcd4367c6cb93c84e5527ffb782554f
SHA256

30adb2328b17bd15cdeb5059c621bd6e9bf0b7e03dd2cdfbadfc837737d424a5
SHA512

36492df42a99d9881f9723aea964d30606e18584021735a902848ef8d80937dd2e1106b89398dffc1b981c150bc7b891268b901ba0c14ebdcadb09a2137bd373
SSDEEP

24576:OMgzKuSuOZFObZbEeUbihDe4EJMqsYrXKPkP8y5v1Ksn6iK:ZgzTZQtb6De4EeqrTWFyt1Y

Score

10^/10

lumma discovery spyware stealer

Malware Config

Extracted

Family

lumma

https://mercharena.biz/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Executes dropped EXE 1 IoCs

pid	Process
1436	Satisfied.com

Loads dropped DLL 1 IoCs

pid	Process
688	cmd.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
2480	tasklist.exe
2980	tasklist.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\TestProc	30adb2328b17bd15cdeb5059c621bd6e9bf0b7e03dd2cdfbadfc837737d424a5.exe
File opened for modification	C:\Windows\TypesButts	30adb2328b17bd15cdeb5059c621bd6e9bf0b7e03dd2cdfbadfc837737d424a5.exe
File opened for modification	C:\Windows\EffectsSucceed	30adb2328b17bd15cdeb5059c621bd6e9bf0b7e03dd2cdfbadfc837737d424a5.exe
File opened for modification	C:\Windows\SportingCw	30adb2328b17bd15cdeb5059c621bd6e9bf0b7e03dd2cdfbadfc837737d424a5.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	30adb2328b17bd15cdeb5059c621bd6e9bf0b7e03dd2cdfbadfc837737d424a5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	expand.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Satisfied.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1436	Satisfied.com
1436	Satisfied.com
1436	Satisfied.com
1436	Satisfied.com
1436	Satisfied.com
1436	Satisfied.com
1436	Satisfied.com

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2480	tasklist.exe
Token: SeDebugPrivilege	2980	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1436	Satisfied.com
1436	Satisfied.com
1436	Satisfied.com

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1436	Satisfied.com
1436	Satisfied.com
1436	Satisfied.com

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 688	2016	30adb2328b17bd15cdeb5059c621bd6e9bf0b7e03dd2cdfbadfc837737d424a5.exe	30
PID 2016 wrote to memory of 688	2016	30adb2328b17bd15cdeb5059c621bd6e9bf0b7e03dd2cdfbadfc837737d424a5.exe	30
PID 2016 wrote to memory of 688	2016	30adb2328b17bd15cdeb5059c621bd6e9bf0b7e03dd2cdfbadfc837737d424a5.exe	30
PID 2016 wrote to memory of 688	2016	30adb2328b17bd15cdeb5059c621bd6e9bf0b7e03dd2cdfbadfc837737d424a5.exe	30
PID 688 wrote to memory of 2212	688	cmd.exe	32
PID 688 wrote to memory of 2212	688	cmd.exe	32
PID 688 wrote to memory of 2212	688	cmd.exe	32
PID 688 wrote to memory of 2212	688	cmd.exe	32
PID 688 wrote to memory of 2480	688	cmd.exe	33
PID 688 wrote to memory of 2480	688	cmd.exe	33
PID 688 wrote to memory of 2480	688	cmd.exe	33
PID 688 wrote to memory of 2480	688	cmd.exe	33
PID 688 wrote to memory of 2876	688	cmd.exe	34
PID 688 wrote to memory of 2876	688	cmd.exe	34
PID 688 wrote to memory of 2876	688	cmd.exe	34
PID 688 wrote to memory of 2876	688	cmd.exe	34
PID 688 wrote to memory of 2980	688	cmd.exe	36
PID 688 wrote to memory of 2980	688	cmd.exe	36
PID 688 wrote to memory of 2980	688	cmd.exe	36
PID 688 wrote to memory of 2980	688	cmd.exe	36
PID 688 wrote to memory of 2984	688	cmd.exe	37
PID 688 wrote to memory of 2984	688	cmd.exe	37
PID 688 wrote to memory of 2984	688	cmd.exe	37
PID 688 wrote to memory of 2984	688	cmd.exe	37
PID 688 wrote to memory of 2848	688	cmd.exe	38
PID 688 wrote to memory of 2848	688	cmd.exe	38
PID 688 wrote to memory of 2848	688	cmd.exe	38
PID 688 wrote to memory of 2848	688	cmd.exe	38
PID 688 wrote to memory of 2816	688	cmd.exe	39
PID 688 wrote to memory of 2816	688	cmd.exe	39
PID 688 wrote to memory of 2816	688	cmd.exe	39
PID 688 wrote to memory of 2816	688	cmd.exe	39
PID 688 wrote to memory of 2720	688	cmd.exe	40
PID 688 wrote to memory of 2720	688	cmd.exe	40
PID 688 wrote to memory of 2720	688	cmd.exe	40
PID 688 wrote to memory of 2720	688	cmd.exe	40
PID 688 wrote to memory of 2768	688	cmd.exe	41
PID 688 wrote to memory of 2768	688	cmd.exe	41
PID 688 wrote to memory of 2768	688	cmd.exe	41
PID 688 wrote to memory of 2768	688	cmd.exe	41
PID 688 wrote to memory of 2352	688	cmd.exe	42
PID 688 wrote to memory of 2352	688	cmd.exe	42
PID 688 wrote to memory of 2352	688	cmd.exe	42
PID 688 wrote to memory of 2352	688	cmd.exe	42
PID 688 wrote to memory of 1436	688	cmd.exe	43
PID 688 wrote to memory of 1436	688	cmd.exe	43
PID 688 wrote to memory of 1436	688	cmd.exe	43
PID 688 wrote to memory of 1436	688	cmd.exe	43
PID 688 wrote to memory of 1304	688	cmd.exe	44
PID 688 wrote to memory of 1304	688	cmd.exe	44
PID 688 wrote to memory of 1304	688	cmd.exe	44
PID 688 wrote to memory of 1304	688	cmd.exe	44

C:\Users\Admin\AppData\Local\Temp\quarantine\30adb2328b17bd15cdeb5059c621bd6e9bf0b7e03dd2cdfbadfc837737d424a5.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\30adb2328b17bd15cdeb5059c621bd6e9bf0b7e03dd2cdfbadfc837737d424a5.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c expand Medium.dotx Medium.dotx.bat & Medium.dotx.bat
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:688
- - C:\Windows\SysWOW64\expand.exe
    expand Medium.dotx Medium.dotx.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2212
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2480
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2876
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2980
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2984
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 567864
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2848
- - C:\Windows\SysWOW64\extrac32.exe
    extrac32 /Y /E Facility.dotx
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2816
- - C:\Windows\SysWOW64\findstr.exe
    findstr /V "DISCO" Greenhouse
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2720
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b 567864\Satisfied.com + Startup + Poland + Trim + Numerical + Nowhere + Ak + Antiques + There + Words + Broker + Strongly 567864\Satisfied.com
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2768
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Rfc.dotx + ..\Mag.dotx + ..\Sacrifice.dotx + ..\Pick.dotx + ..\Ad.dotx + ..\Influenced.dotx + ..\Obituaries.dotx U
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2352
- - C:\Users\Admin\AppData\Local\Temp\567864\Satisfied.com
    Satisfied.com U
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1436
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\567864\Satisfied.com

Filesize
789B

MD5
e9809c14e6b59930fc02b54983045723

SHA1
c6e4879fcae6302739cff85bbcf79461f5e9f3d8

SHA256
5f7413c34047587a06eb6862af4c1b0176735ec8dcf223d8fa51ebdba58e4df6

SHA512
b51d2582c1e0db77633a1e27c654144c4c6a80b282bcb7814dd020d13790f1a8dc8f340f0592561ff224423510e5d1a92e85f4b580902fe8ef6ccbea767f4f99

Download Submit
C:\Users\Admin\AppData\Local\Temp\567864\Satisfied.com

Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
C:\Users\Admin\AppData\Local\Temp\567864\U

Filesize
486KB

MD5
76e89cf3ae0da3241af0357073e56d94

SHA1
83f67623d16b206da8a437a84fad4035de38df13

SHA256
b1e34a5337fda9e7dedb12a9555add4e20e930f100044cbecc0ef4f472585131

SHA512
2958e5ec4989e98610c5ad5b5ee187f3e9f0263f708fb4c2f053f0be5d830fb91095b81dd337bc6cdd9e6ec7027a4d46acf9c5598438de654b4b9ab393eb57a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ad.dotx

Filesize
90KB

MD5
49191eaeffe04d16ddb8c36cb65a64bd

SHA1
6055203fc8498e12bb60497cbd5cf8090701e078

SHA256
e363e2da202e70252cbb991f4b82d581216ab594ea32148cab6fe1bba9c916e3

SHA512
18bb291fecb170b383f1f934b8947ad6f895233ea842845e29ca9ab40300c41066f9e0428cb4c760ae0150c258aceb95155ed86c20f74a31af9adbbeeff072aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ak

Filesize
54KB

MD5
099efcea6afe483f73f6563fd7d7d2d2

SHA1
b7ef4681514cafab88f4542bdf99fbdd6570c37c

SHA256
35501dd71e80cd57b5794a34fe8ecd39ab805238629b05afef0ee9c20e0674a6

SHA512
5045d8b3df9e9f09a592107d231c888300d42d93dbf08ba5fcc1c10a13c3a26ccdde0b842420918524033ed67bd04bebbfe4057aa0fa0dc3699f1f29cdedd7c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Antiques

Filesize
112KB

MD5
7234d293b5be44b711d61aedce03aea5

SHA1
578a0a3725a2cdd52a6b4c1f9211e31e13b752b1

SHA256
a685d4b4364ae290a78efef92896dfd7fceb74e227f0259f8565c9e6fb6c6a74

SHA512
f4f0a98fb7de74f2a553cfd099182247da980c0f6d00410a2e8f53c8c513d81212d9b0722d4ba1b2b5a007428e654579bdb64d6509dc1834de4d2b081340bc4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Broker

Filesize
71KB

MD5
2ad7fd08bc06c0d3d45da66e4f47e7c7

SHA1
6267fc42aa2a2afb748573e3ab734eb5070f31fc

SHA256
dada7044ccd401ea9da262f2c71a9521885a51e2dd57916ffe5b096a5badfc5f

SHA512
35c5a68acfad1870bffc2a4bc3a138ad5f3faf5e3b9194afb2dd798658ce2ae9677b380d27d65993c4a626e8f5716e14ceee8b3e7dd5a2668f7ac1c8516b3de3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Facility.dotx

Filesize
478KB

MD5
e4c92ea1f0002f0d590167b89d1e3151

SHA1
234ed640b186442fc839039b9bbc40b1edde483c

SHA256
341e81ff8eb2ab75b38804b70ed5aec6c9a83257c142f1693c514603951d0251

SHA512
26281e47b81a8199a3ea851b985f38047b40f677a1bf7f345d63a97b232189ff29e230b60c5861cd764875596e13c61e435a7daa8ad31b0b063b832fd9ef0d4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Greenhouse

Filesize
794B

MD5
554dac3043d9219200b5a68b5fcff267

SHA1
12ab0febee727d7f77d1501876e0cdfffcf80cdc

SHA256
492c8d843be286afac27a96cfd3cbebc9003e95970d8b76512577f5a91af9177

SHA512
a18a4b0e9499040b978bcca0230a604492a59a230a73a66f8d2d88872d00af5fe239587f290bcf4a2c0c383f2b4f7a109a8799233b616f048777b6a853077850

Download Submit
C:\Users\Admin\AppData\Local\Temp\Influenced.dotx

Filesize
70KB

MD5
b384f9b48afa1dc2abcb087ec98d3d62

SHA1
478a76f5f8ac6218125e29c7a938537e7af41b57

SHA256
4dfcefea6586e8e99131d30c7199e322d2734a3f772ad8a25005f61245d6bd15

SHA512
2baa806925b7195c5ef072e99c4546a6ffc96181e68a40307f591029b34bef0583e1631586a691e55c0333b20d6c39a8b4a2b8e6b0555d9c6e27a97c3aa29889

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mag.dotx

Filesize
80KB

MD5
4e0414fe0890c13586b3afa657484d5c

SHA1
153159312c0116b5a2a6ec575772559772e96290

SHA256
b4fc9d74fd93b03cb7c489cf6cebe76cd546bbc5591679e82e5b9c3c16c73f87

SHA512
d13f4ab5c75e9dd0a2b93bdfc78d51b48e773b00d1afcdf0c9ce287918ff38ade1121c059b7fb48601e0230f4412d583a51a70b424c317a3c15f7ce50ef547fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nowhere

Filesize
51KB

MD5
65f89dd07d80c3959b464ac3f59ed826

SHA1
15184d45de0420e10cd3ca57112aa2ffb60b2692

SHA256
9fe7d364235e37f3c56ae580aea86fa5d0932e4397522c0732b61dea4b7c8da4

SHA512
5d80dfbc2f45d3947b1d18caaa2600d8861b96535777c4cab4ee6e74aff91354ec51cfe7eb27b84b0fd9f9806370f7e6581227dc419af23660339673f5a0abe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Numerical

Filesize
102KB

MD5
16dc05489a2c0df7299d4b55d7bc4859

SHA1
bb0f32042db77dd29c987a9b6f1862cfd1afaea6

SHA256
4011cc3906d6e483a2bbe06365cb6ee17a560f668a35b8fb5ce4a1e0a1dc4ec2

SHA512
0afb16fa51df5d3cb866df9998b3c0f8741fd8b9f09d2170a18cd5eeeb3c9a1e06c3c85026a0abca438e7604dfa1becf710d1570acbd89cef794d2eb9244cba2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Obituaries.dotx

Filesize
49KB

MD5
3344ab3bd24e073c0c35515304d728d7

SHA1
bf945a5a8350691de86a023510b5dd0f74e403c0

SHA256
df929b8a05fe6c50551b9a74448bbddda6b76ae465c453567b80e6bd009714f4

SHA512
d805cb40abf9edfad281d6c3214ce5492eb15562155f3447701bd8c3c92bbd24e605900dad315862c7265be416a667b90a09df817e0b60e30e019670d604e988

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pick.dotx

Filesize
73KB

MD5
a1cdee758ac1278e41467540143fe1e1

SHA1
3678be3ef7110dc550fe88b18cc7df4908ca5579

SHA256
204aeba7cd1f65dde973e894c9cf6ddea2efe0966affa60be8b67dd0f3ede2dd

SHA512
feadd523756baa45c01a2fb5de608a59a77010ca0a7c16e5b2c30d62f6815440c7de28e508d485c50e3df30f0e80fb099a66b06884332e34992d5cad8ed04f78

Download Submit
C:\Users\Admin\AppData\Local\Temp\Poland

Filesize
108KB

MD5
2811bfa42c06003ac1568d2128992735

SHA1
0d0f9eaf286ec1f5826d9d7a2ed5a730ab7801a0

SHA256
93027ea4e332ade4c314775b2d21a3592088c4b09f8fe74dd1d76866d2440ea6

SHA512
3043a5141d1c38991f13bfc4ac81ae75375e0f8918dfabd10078aa36a8d39ace8d9a85307640f813d98c345c90c0844d1a7bb114f20aa146a8ef746beb2e3946

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rfc.dotx

Filesize
73KB

MD5
350b7206e035ef4efc243a61a21d17e8

SHA1
b591ad9ccad7604d24baa4c0ef23fe9f3a90d09d

SHA256
562342707e9b73389b99b26154e3044e8e9d00c3bf0694bb9db053bed2e1e721

SHA512
852bb2117c2e9ff086d6be37ecc70b362721cec44e6e6861c0b3b6b29f119b2b01a3d9f1d716d2068e7de073aba5667d413149db25a01c5f936b9bea3e25a9fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sacrifice.dotx

Filesize
51KB

MD5
9026b631d19a08ec8c03056535f22cf0

SHA1
9237d2d3a9590a65595c0ffa8b93c4542a2ac249

SHA256
4e7e06dd7c77d56f1bb4c8dc59fcc447fe92e26ec03c2439b72a24741d87afad

SHA512
d11a030a4d70278975f918adb2dc185f582aab0091aa4ba1ad828b95289b71719b12d0d838755fdebba75015f5d9243bbc245f7a976cfa8f9461dc7ab6c8e830

Download Submit
C:\Users\Admin\AppData\Local\Temp\Startup

Filesize
146KB

MD5
5463aaf095d9be30a977bc2ee1713e91

SHA1
5172a354af042098d4b2aa6bc46b5fd00590a1ed

SHA256
00ef12f7956cc605cdae6e25d7c583250539f2a46c08828f06a640e71d0ebb22

SHA512
a3ff647191753ee085d2d84506fcb9036391023e13682c54e4cd008659d61430615a480d2e6c23f9dcbcacb757f064a721fd7a728a4c31f2336897ef5ae261be

Download Submit
C:\Users\Admin\AppData\Local\Temp\Strongly

Filesize
65KB

MD5
e0759e908042ddc17f93ea9058026955

SHA1
fb8d2032b4da86cebb505433b94fca228eaa8f14

SHA256
24cd3876c0ce95c6817a09d1ce60a4262d55428ae02f3946631b214b572e2ed2

SHA512
629e64dd016664db9a46baac60fa3fe08e3932039dcb13b0e3b23b722149280b08d21e1e8354ddb4338657a1c74bea87697b3c82c4d8db7c3cbe68c93bb4072e

Download Submit
C:\Users\Admin\AppData\Local\Temp\There

Filesize
53KB

MD5
1e69c3db7301d111b196b092c6628acc

SHA1
e0f2e8371322b9d52408eb9b5e7e426b5dd4a6b6

SHA256
8c7498feb2a35f71300bc9b502f3ef8b34fbfc6111fa9b8fccec578b279a4e96

SHA512
bde10cdbe865a4a8afee130c4ff853c25be81ea0d2c9c5666764dfc7540d403606faab55a5184c4a9e554dd155b10cf2dbad1e776f235a47b466af4e1c841865

Download Submit
C:\Users\Admin\AppData\Local\Temp\Trim

Filesize
99KB

MD5
bd9df81b7078d96df9c3ab3ff294ceb7

SHA1
242d395e7e4bed7e17f518e0cf3c4425266aef43

SHA256
5a9ca7bb981fe3b371cb0972d054c4abe8609f7ff2afd570167e7139c50e1c6e

SHA512
4594621ba7937653425e8c3eb9ee002138d6bf65e297d4389b2aa7048d9eef80c26d6b2b1c44b4b31798b9bdb37d9678274386e1cd271c0c2920b7d8dcf7adb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Words

Filesize
63KB

MD5
d9aa5a4b68e2b1f1b8a16a8fcaceebf5

SHA1
d5b7cd5ff0c73b7bb27d574f2d603a3abf606ffa

SHA256
b389d0ba973c56349a5cac11b955cc97d1b85dacadd372817b554b0292c5bbf1

SHA512
288e5a616f3f97ffc35f019025eb09ccb6b0628b6fb56b0518fe3a52f8ae54388665d2264598291001c5e3e142a2cd636a609648ffbe70adb7f512025fba5c1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\medium.dotx.bat

Filesize
31KB

MD5
db2f5f4bd428c735e15bec639cd51ca0

SHA1
a3aa3f129d6ef71ed1e70719417edf81272fa98e

SHA256
15358f2531dfa925a6ced2c2293e197cfe76436832496c30c59ad8b3bf5f797e

SHA512
2c897e79d86faed8932296eb0ed0678fcab393e8bde359053d21e72abcca5a956df88457983ff9955ce11af6f32a73bd4d618b3888adbe8e26d9efdb462d05a7

Download Submit
memory/1436-77-0x00000000034E0000-0x000000000353E000-memory.dmp

Filesize
376KB

Download
memory/1436-78-0x00000000034E0000-0x000000000353E000-memory.dmp

Filesize
376KB

Download
memory/1436-79-0x00000000034E0000-0x000000000353E000-memory.dmp

Filesize
376KB

Download
memory/1436-80-0x00000000034E0000-0x000000000353E000-memory.dmp

Filesize
376KB

Download
memory/1436-81-0x00000000034E0000-0x000000000353E000-memory.dmp

Filesize
376KB

Download
memory/1436-84-0x0000000000250000-0x0000000000255000-memory.dmp

Filesize
20KB

Download
memory/1436-83-0x0000000000250000-0x0000000000255000-memory.dmp

Filesize
20KB

Download
memory/1436-82-0x00000000034E0000-0x000000000353E000-memory.dmp

Filesize
376KB

Download