lumma | b7f8158593f48f251ca849ff762f8d5bcb1d7b103a56b889886dc9b16ee014de

Analysis

max time kernel
149s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
24/02/2025, 08:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup-220225.exe
Size

278KB
MD5

6d14e2cd76e7789da24674c855f0c3e2
SHA1

e88544ac8277729b4c3bba7f0325e01dda350707
SHA256

8b3c4a26a5f7af3d4fb907102d06ae1f5c46e1987a09e28d243049917b895045
SHA512

10463863049756b0f4bba18315526c387279b08c253db1820e24eaf8334a6a523b6189b6ba13cbb1f4b7fc54e16812b907675997385f8519f6457329c547dc95
SSDEEP

3072:Wvy6/FQPR1WSIFalGADmQJJWpUo2Ld9Q3WMhMLPy8TRq6Qhu/bMiWNZaIXfHFI+F:HbIGGAD3Jbo2/Q3Bh6PRaONYEb7

Score

10^/10

lumma discovery execution persistence spyware stealer

Malware Config

Extracted

Family

lumma

https://paleboreei.biz/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3180	powershell.exe
4612	powershell.exe
5012	powershell.exe

Downloads MZ/PE file 2 IoCs

flow	pid	Process
28	2772	Setup-220225.exe
28	2772	Setup-220225.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation	neptjawd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation	Setup-220225.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\service.exe	neptjawd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\service.exe	service.exe

Executes dropped EXE 4 IoCs

pid	Process
2648	kolopertwea.exe
4656	neptjawd.exe
1408	logetiyjka.exe
1216	service.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MyApp = "C:\\DERFB\\kolopertwea.exe"	Setup-220225.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MyApp = "C:\\DERFB\\neptjawd.exe"	Setup-220225.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MyApp = "C:\\DERFB\\logetiyjka.exe"	Setup-220225.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
28	raw.githubusercontent.com
24	raw.githubusercontent.com

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2648	kolopertwea.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kolopertwea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	neptjawd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2748	schtasks.exe
4148	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2296	vlc.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3180	powershell.exe
3180	powershell.exe
4612	powershell.exe
4612	powershell.exe
5012	powershell.exe
5012	powershell.exe
2648	kolopertwea.exe
2648	kolopertwea.exe
2648	kolopertwea.exe
2648	kolopertwea.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2296	vlc.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3180	powershell.exe
Token: SeDebugPrivilege	4612	powershell.exe
Token: SeDebugPrivilege	5012	powershell.exe

Suspicious use of FindShellTrayWindow 9 IoCs

pid	Process
2296	vlc.exe
2296	vlc.exe
2296	vlc.exe
2296	vlc.exe
2296	vlc.exe
2296	vlc.exe
2296	vlc.exe
2296	vlc.exe
2296	vlc.exe

Suspicious use of SendNotifyMessage 8 IoCs

pid	Process
2296	vlc.exe
2296	vlc.exe
2296	vlc.exe
2296	vlc.exe
2296	vlc.exe
2296	vlc.exe
2296	vlc.exe
2296	vlc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2648	kolopertwea.exe
2296	vlc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2772 wrote to memory of 3664	2772	Setup-220225.exe	84
PID 2772 wrote to memory of 3664	2772	Setup-220225.exe	84
PID 2772 wrote to memory of 2548	2772	Setup-220225.exe	88
PID 2772 wrote to memory of 2548	2772	Setup-220225.exe	88
PID 2772 wrote to memory of 4316	2772	Setup-220225.exe	89
PID 2772 wrote to memory of 4316	2772	Setup-220225.exe	89
PID 2772 wrote to memory of 2204	2772	Setup-220225.exe	90
PID 2772 wrote to memory of 2204	2772	Setup-220225.exe	90
PID 2772 wrote to memory of 4496	2772	Setup-220225.exe	91
PID 2772 wrote to memory of 4496	2772	Setup-220225.exe	91
PID 2772 wrote to memory of 3840	2772	Setup-220225.exe	92
PID 2772 wrote to memory of 3840	2772	Setup-220225.exe	92
PID 2772 wrote to memory of 5028	2772	Setup-220225.exe	93
PID 2772 wrote to memory of 5028	2772	Setup-220225.exe	93
PID 2772 wrote to memory of 2028	2772	Setup-220225.exe	94
PID 2772 wrote to memory of 2028	2772	Setup-220225.exe	94
PID 2772 wrote to memory of 2724	2772	Setup-220225.exe	95
PID 2772 wrote to memory of 2724	2772	Setup-220225.exe	95
PID 2772 wrote to memory of 644	2772	Setup-220225.exe	96
PID 2772 wrote to memory of 644	2772	Setup-220225.exe	96
PID 2772 wrote to memory of 3484	2772	Setup-220225.exe	97
PID 2772 wrote to memory of 3484	2772	Setup-220225.exe	97
PID 2772 wrote to memory of 220	2772	Setup-220225.exe	98
PID 2772 wrote to memory of 220	2772	Setup-220225.exe	98
PID 2772 wrote to memory of 936	2772	Setup-220225.exe	99
PID 2772 wrote to memory of 936	2772	Setup-220225.exe	99
PID 2772 wrote to memory of 4840	2772	Setup-220225.exe	100
PID 2772 wrote to memory of 4840	2772	Setup-220225.exe	100
PID 2772 wrote to memory of 2856	2772	Setup-220225.exe	101
PID 2772 wrote to memory of 2856	2772	Setup-220225.exe	101
PID 2772 wrote to memory of 2352	2772	Setup-220225.exe	102
PID 2772 wrote to memory of 2352	2772	Setup-220225.exe	102
PID 2772 wrote to memory of 1940	2772	Setup-220225.exe	103
PID 2772 wrote to memory of 1940	2772	Setup-220225.exe	103
PID 1940 wrote to memory of 3180	1940	cmd.exe	104
PID 1940 wrote to memory of 3180	1940	cmd.exe	104
PID 2772 wrote to memory of 3528	2772	Setup-220225.exe	105
PID 2772 wrote to memory of 3528	2772	Setup-220225.exe	105
PID 3528 wrote to memory of 4612	3528	cmd.exe	106
PID 3528 wrote to memory of 4612	3528	cmd.exe	106
PID 2772 wrote to memory of 1432	2772	Setup-220225.exe	107
PID 2772 wrote to memory of 1432	2772	Setup-220225.exe	107
PID 1432 wrote to memory of 5012	1432	cmd.exe	108
PID 1432 wrote to memory of 5012	1432	cmd.exe	108
PID 2772 wrote to memory of 2648	2772	Setup-220225.exe	109
PID 2772 wrote to memory of 2648	2772	Setup-220225.exe	109
PID 2772 wrote to memory of 2648	2772	Setup-220225.exe	109
PID 2772 wrote to memory of 4656	2772	Setup-220225.exe	110
PID 2772 wrote to memory of 4656	2772	Setup-220225.exe	110
PID 2772 wrote to memory of 4656	2772	Setup-220225.exe	110
PID 2772 wrote to memory of 1408	2772	Setup-220225.exe	111
PID 2772 wrote to memory of 1408	2772	Setup-220225.exe	111
PID 4656 wrote to memory of 3492	4656	neptjawd.exe	112
PID 4656 wrote to memory of 3492	4656	neptjawd.exe	112
PID 4656 wrote to memory of 3492	4656	neptjawd.exe	112
PID 3492 wrote to memory of 2748	3492	cmd.exe	115
PID 3492 wrote to memory of 2748	3492	cmd.exe	115
PID 3492 wrote to memory of 2748	3492	cmd.exe	115
PID 1216 wrote to memory of 4044	1216	service.exe	124
PID 1216 wrote to memory of 4044	1216	service.exe	124
PID 1216 wrote to memory of 4044	1216	service.exe	124
PID 4044 wrote to memory of 4148	4044	cmd.exe	126
PID 4044 wrote to memory of 4148	4044	cmd.exe	126
PID 4044 wrote to memory of 4148	4044	cmd.exe	126

C:\Users\Admin\AppData\Local\Temp\Setup-220225.exe
"C:\Users\Admin\AppData\Local\Temp\Setup-220225.exe"
1⤵
- Downloads MZ/PE file
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2772
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:3664
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2548
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4316
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2204
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4496
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:3840
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:5028
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2028
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2724
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:644
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:3484
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:220
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:936
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4840
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2856
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2352
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\DERFB'"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1940
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\DERFB'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3180
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3528
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4612
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\ProgramData'"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1432
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\ProgramData'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5012
- C:\DERFB\kolopertwea.exe
  "C:\DERFB\kolopertwea.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2648
- C:\DERFB\neptjawd.exe
  "C:\DERFB\neptjawd.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4656
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C schtasks /create /tn WinApp /tr %APPDATA%\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3492
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /tn WinApp /tr C:\Users\Admin\AppData\Roaming\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:2748
- C:\DERFB\logetiyjka.exe
  "C:\DERFB\logetiyjka.exe"
  2⤵
  - Executes dropped EXE
  PID:1408

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2548

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\UseStop.m4a"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2296

C:\Users\Admin\AppData\Roaming\service.exe
C:\Users\Admin\AppData\Roaming\service.exe
1⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1216
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C schtasks /create /tn WinApp /tr %APPDATA%\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4044
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn WinApp /tr C:\Users\Admin\AppData\Roaming\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:4148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\DERFB\kolopertwea.exe

Filesize
1.2MB

MD5
2b78f898c534f2829c889d4add39ae10

SHA1
1a2db16430f0e60132b321e516ef95647c3742ad

SHA256
69cea165488e7874a38fe13c5a85dc228bf1da07fae940a1f9fc6410c7eeca0f

SHA512
60cc299ee017d46d7096e532a3fa607d65492b23bf097dc59d36be484bc2a5676bf8e6976e67e4d4ea1b6d337b52440f8a9d514e0a3c794a5b20a3cbd44eaf22

Download Submit
C:\DERFB\logetiyjka.exe

Filesize
105KB

MD5
b56db4ebf7110c1083550ed83a03df17

SHA1
258b171956d961a628efa6433f8cb3f629a346fc

SHA256
2d6863a49648f59642f53236790f35a63df119facda1d98549025b3a8ddac2fb

SHA512
f94d231f631a55a14130b7c8d9f5c1fd314b0b07029dc28146677f65aac99055e860b5744231b119fb06d0d582db59d4d73716c79f087d4fa455955a77ba4580

Download Submit
C:\DERFB\neptjawd.exe

Filesize
29KB

MD5
3ace4cb9af0f0a2788212b3ec9dd4a4e

SHA1
2914bd74b5553f5f4dbd5f7b23bc00d04a2c77cb

SHA256
121bfcb759e561bca3f63777498646c80d030a92dac5a27c7c9cc8f5581e672e

SHA512
76ecc354b1fb5bf93f18bbe9f85401ef40e0826f7eea73a0cb5afda5d69ec384a459c07b6cc2386176888978d2dbb9bac9360e249114c59799de0984bbba5c56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
20ccd8eee8fb63b0f660c38299f815d4

SHA1
5882e3b12448a5cd6ab57008c1be852ac84cade1

SHA256
cad714968818e2c4fec544ad7aa0faf5da04809f8efd1a8699d2861d0c0809e3

SHA512
28b87bd117a752ce699bd00c651c095dcfdb2a6cf71687177862c9062c3f73243ac32ac1b709804f940eef8c1f3e233593c73c4831449742c931d8c845c9fd8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wmu0chfi.ui5.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1216-108-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2296-98-0x00007FF62D2E0000-0x00007FF62D3D8000-memory.dmp

Filesize
992KB

Download
memory/2296-99-0x00007FFD9AB40000-0x00007FFD9AB74000-memory.dmp

Filesize
208KB

Download
memory/2296-100-0x00007FFD8F130000-0x00007FFD8F3E6000-memory.dmp

Filesize
2.7MB

Download
memory/2296-101-0x00007FFD8D520000-0x00007FFD8E5D0000-memory.dmp

Filesize
16.7MB

Download
memory/2648-55-0x0000000000040000-0x0000000000402000-memory.dmp

Filesize
3.8MB

Download
memory/2648-84-0x0000000000040000-0x0000000000402000-memory.dmp

Filesize
3.8MB

Download
memory/3180-5-0x0000029EFBDF0000-0x0000029EFBE12000-memory.dmp

Filesize
136KB

Download
memory/4656-85-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download