lumma | ffc3ab51f9afc6124b648903a43847d36138f9f4582e426bf2c11025ec918fe2

Analysis

max time kernel
414s
max time network
434s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
01/03/2025, 09:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Config.exe
Size

1.0MB
MD5

de04368755c40b2d0b00fbb894b3d58f
SHA1

ccac583d7ae83aaef3baed808d4c7a832eaf55f1
SHA256

ffc3ab51f9afc6124b648903a43847d36138f9f4582e426bf2c11025ec918fe2
SHA512

0f09e87152206cf0efbae4947e806df2aa1307127504729470f5e39d99aec10333505496a37f35dcea3841b54134bb74568f274d340e4ddd3e4773411afeaabd
SSDEEP

24576:aw5Xa/r+mWglhh5+4YHUar9YQ/w6lxFU+P17mg+2h:rgpzncUar9YQ/ntjPR+2h

Score

10^/10

lumma discovery spyware stealer

Malware Config

Extracted

Family

lumma

https://interfensuffer.fun/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	Config.exe

Executes dropped EXE 1 IoCs

pid	Process
3144	Baker.com

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
380	tasklist.exe
4568	tasklist.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ReminderRecruiting	Config.exe
File opened for modification	C:\Windows\DramaSubmit	Config.exe
File opened for modification	C:\Windows\ImpactCreativity	Config.exe
File opened for modification	C:\Windows\EarsPrior	Config.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Config.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baker.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	expand.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
3144	Baker.com
3144	Baker.com
3144	Baker.com
3144	Baker.com
3144	Baker.com
3144	Baker.com
3144	Baker.com
3144	Baker.com
3144	Baker.com
3144	Baker.com
3144	Baker.com
3144	Baker.com
3144	Baker.com
3144	Baker.com
3144	Baker.com
3144	Baker.com

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	380	tasklist.exe
Token: SeDebugPrivilege	4568	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3144	Baker.com
3144	Baker.com
3144	Baker.com

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
3144	Baker.com
3144	Baker.com
3144	Baker.com

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 1892 wrote to memory of 3296	1892	Config.exe	89
PID 1892 wrote to memory of 3296	1892	Config.exe	89
PID 1892 wrote to memory of 3296	1892	Config.exe	89
PID 3296 wrote to memory of 4852	3296	cmd.exe	91
PID 3296 wrote to memory of 4852	3296	cmd.exe	91
PID 3296 wrote to memory of 4852	3296	cmd.exe	91
PID 3296 wrote to memory of 380	3296	cmd.exe	92
PID 3296 wrote to memory of 380	3296	cmd.exe	92
PID 3296 wrote to memory of 380	3296	cmd.exe	92
PID 3296 wrote to memory of 468	3296	cmd.exe	93
PID 3296 wrote to memory of 468	3296	cmd.exe	93
PID 3296 wrote to memory of 468	3296	cmd.exe	93
PID 3296 wrote to memory of 4568	3296	cmd.exe	95
PID 3296 wrote to memory of 4568	3296	cmd.exe	95
PID 3296 wrote to memory of 4568	3296	cmd.exe	95
PID 3296 wrote to memory of 3948	3296	cmd.exe	96
PID 3296 wrote to memory of 3948	3296	cmd.exe	96
PID 3296 wrote to memory of 3948	3296	cmd.exe	96
PID 3296 wrote to memory of 3952	3296	cmd.exe	97
PID 3296 wrote to memory of 3952	3296	cmd.exe	97
PID 3296 wrote to memory of 3952	3296	cmd.exe	97
PID 3296 wrote to memory of 4820	3296	cmd.exe	98
PID 3296 wrote to memory of 4820	3296	cmd.exe	98
PID 3296 wrote to memory of 4820	3296	cmd.exe	98
PID 3296 wrote to memory of 4992	3296	cmd.exe	99
PID 3296 wrote to memory of 4992	3296	cmd.exe	99
PID 3296 wrote to memory of 4992	3296	cmd.exe	99
PID 3296 wrote to memory of 3348	3296	cmd.exe	100
PID 3296 wrote to memory of 3348	3296	cmd.exe	100
PID 3296 wrote to memory of 3348	3296	cmd.exe	100
PID 3296 wrote to memory of 4976	3296	cmd.exe	101
PID 3296 wrote to memory of 4976	3296	cmd.exe	101
PID 3296 wrote to memory of 4976	3296	cmd.exe	101
PID 3296 wrote to memory of 3144	3296	cmd.exe	102
PID 3296 wrote to memory of 3144	3296	cmd.exe	102
PID 3296 wrote to memory of 3144	3296	cmd.exe	102
PID 3296 wrote to memory of 4212	3296	cmd.exe	103
PID 3296 wrote to memory of 4212	3296	cmd.exe	103
PID 3296 wrote to memory of 4212	3296	cmd.exe	103

C:\Users\Admin\AppData\Local\Temp\Config.exe
"C:\Users\Admin\AppData\Local\Temp\Config.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1892
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c expand Loving.rtf Loving.rtf.bat & Loving.rtf.bat
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3296
- - C:\Windows\SysWOW64\expand.exe
    expand Loving.rtf Loving.rtf.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4852
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:380
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:468
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4568
- - C:\Windows\SysWOW64\findstr.exe
    findstr "bdservicehost AvastUI AVGUI nsWscSvc ekrn SophosHealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3948
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 519219
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3952
- - C:\Windows\SysWOW64\extrac32.exe
    extrac32 /Y /E Warrant.rtf
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4820
- - C:\Windows\SysWOW64\findstr.exe
    findstr /V "Calcium" Bridge
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4992
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b 519219\Baker.com + Ignore + Ball + Dodge + Snapshot + Penny + Victim + Hughes + Aurora + Solve + Forestry 519219\Baker.com
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3348
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Pm.rtf + ..\Tenant.rtf + ..\Pine.rtf + ..\Ensures.rtf + ..\Degrees.rtf + ..\Basis.rtf + ..\Trunk.rtf G
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4976
- - C:\Users\Admin\AppData\Local\Temp\519219\Baker.com
    Baker.com G
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:3144
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\519219\Baker.com

Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
C:\Users\Admin\AppData\Local\Temp\519219\G

Filesize
491KB

MD5
716c4b982c97949e1e62f5a933e40c36

SHA1
ae12e76327bb65708edc5d9a26c0d82e152452ef

SHA256
d9e8f0b89ebccd3053da3915066b20b8c5f0cc8f88e8ab6a882a7208f4cbded9

SHA512
f18c1e15923840d344d0c6df1156ff47cb77ee56edf837817756cbe49f92273b65fc189f7f386fa0c39fc066a6877a346eeaf974a271e2d4b0e6852f80727a1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Aurora

Filesize
108KB

MD5
773e84884f02c4050c91395ab903cc0e

SHA1
16d6bbc8b116bed2ea61116bbe7e27b5e6f25bd9

SHA256
e6803e246ea13754f5da52e8606741bb698adb34d1a0e875293ebf9bfd1e6bc8

SHA512
678e790e0092e313319520e5b99313b559de70ea52a8b9675c5c824b2c1c551efc89889544558d8e253e60625ef8acdcb59ca6eafdf97db66bb28368dd42d35a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ball

Filesize
108KB

MD5
3ee86d10c3f7f7fa3da69a598222a581

SHA1
dcdcf6ad3dfc52882a3ab1f528d480dce3fc4516

SHA256
f36b3a90b3b2492c69c309dbbb890b1ea149e3b9e850650b3aa6715e82532c1e

SHA512
d3c79b15785e257127b7250b43bd2e1aec6e86a1eb7f1ba527e51de925dd4d6a18c6ccf96d45b8b1085d85025d2c455a0df4f255fd7bf9976a0e97ceac6e3798

Download Submit
C:\Users\Admin\AppData\Local\Temp\Basis.rtf

Filesize
57KB

MD5
d74a45b720551a3494d3b13e0799fba6

SHA1
41103073cefe03d011dcaeb73159fe8f1aa74497

SHA256
414b3af4686e667756505879e174aecae70cefc6bc9ea5acd5de81913490549c

SHA512
1a1f3d9573665663815c5906ebda2914ba5a4d2df89170ef8509fa67a9240f7c328edd546c5058f4ae51074a15a54abd2382a042cf1d4e837bd3a3aa390a9418

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bridge

Filesize
981B

MD5
d1b4667e4f14d56c390f01a8840a68e2

SHA1
79b1e5fd15e565dd3df1aa2a2d851e30e4a332c2

SHA256
8e66e24b6d62b4381310de3ae85dfd874a3d9208dc4dfb62802217f921cdde34

SHA512
5f703c00f6886bc3b66e223c49ff2518edd99acb7b73f8d109b43a622553bdb1fe82a56a32b5565dad9208213e0c748d57fc0a138e8d20b41175a0a3c5b96459

Download Submit
C:\Users\Admin\AppData\Local\Temp\Degrees.rtf

Filesize
93KB

MD5
6561624cff78c6810b00a9aafebf28c2

SHA1
9d63e271f4b519674e78610ef9a6115778c4d575

SHA256
22698ab3f26072e2bd1cafe34943206a3783f31196a1b78c6ec7bb5bc395304a

SHA512
4507782ec7d4ff552d91857e3a8f11d4ccefb0045f3ff61f622eef144f96a6de9640fe4d964c06d4064aef13b06e3873a47f6da24d9cf086aa4630186d313474

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dodge

Filesize
114KB

MD5
4765610cc51c5be4231f67fca36d0d07

SHA1
305fa65a75c10ff24d6a76eccb3a343736f6d7ec

SHA256
6b03314e05c6f5388dd6388bde2f567fb029d5fe67ce0dc7a74a98ac77fa4f14

SHA512
720b44ab8759041150ff300c5b6404d3c49caa94ca3f9bbfbb935d163ff5fb1d4cdb6cf07f34c1c9f69d58aed2feef28ef5ee43edfb357d3b151e5cf5c63c350

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ensures.rtf

Filesize
68KB

MD5
5f4004fa5155667b221371094fa2136d

SHA1
78d7ce80d80f76754a3db416115583fb79a69aae

SHA256
a66399852b38d5f2d2b122be7ca887a47095d88710c67cea72d44dbb98d1bc06

SHA512
8c869add5d3078e83bad23c2a0377795799479bca80f44cb10b1cfcea5cb828abf267c1c9e0f73524c008cc49d6894260d77c82c98b55672789e31a38e6ed01e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Forestry

Filesize
39KB

MD5
67690427f2a148608b4ed3a864d08e3e

SHA1
588dd76f5da2774db3ba38e66ee412507df05975

SHA256
e85cfc0c853d4c3d2290ca66071ab3650db0bb7ee4bf74e0fce43a20d72f3cad

SHA512
452ae5ce88cb322c5c2ca1a74d773e31a7388eeef0ecd405443fda54966e7e759d765b347bfa0e40825fdf56a988045c02687c2e1560d4f83e2ee4c1fd83b2a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hughes

Filesize
81KB

MD5
bbe4d699897c98a2bbe61deac06cc4e5

SHA1
807c8a737004b1e4f05591485c9d64d84b630d15

SHA256
f7f27e7e4456ca8b26f72066e7e0a9a152aa9aee662dba4e3140cd9d9d27fd89

SHA512
27878a5e7589ad7a7220f8a420dd94368c675076ae4e6404accd279edf0ec9393e1d2bc82a97b659119289b2cbba07ced767de6c9acc147e88c5e12e2ed93ac2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ignore

Filesize
75KB

MD5
159eaa3f7d646a39949bd8201e2cb55c

SHA1
ecd8ceee1a382da2f4ca0b67a0150a5b21a22d0c

SHA256
6918c3de5cba3b2e1aff330f485ce2405413a9693a1c7ba8a7f123c77fd83043

SHA512
4f3cf8163cd55baae68c5bc58b7ea21ca770f1e8f437e285f641205c7c15e847e0f6c37a4914ff053a872be87ce78d6016bac67866219171baf5b8c35f677379

Download Submit
C:\Users\Admin\AppData\Local\Temp\Penny

Filesize
129KB

MD5
398e215f351394a8c2f65503cfd8824c

SHA1
943955ee48ae5843e0ba53dca888ee15f1f7b87f

SHA256
e3e9bf118401d15922168791306afe8fe8a5f2df675a52c3d6b212e54b3e9ade

SHA512
a3c27ae134062acc834dc745f54135fb2f59eeabed31650d0daae292f90c70bdbaf12743f9a7beb9f58ac8e4f2ed47b1e1eb54435bd09f73647cf1f1ab99c705

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pine.rtf

Filesize
59KB

MD5
d988d3d5b6aef79f5170d002140b14ca

SHA1
d23dce86fc2d1eb8736897a560962392694b7ff8

SHA256
37009d6a9bec08c3bfb57f5ea9761bb9a0f92e388a0c77ac3c97f4e87ee13317

SHA512
7311490fe785b5db37dc9c93926fa6aa60ae7e4d17cba15d04e574a0f5b39d675bd6e69b0ec673aef50428d62855c5271e98242dcc945e9ff1c44e4006f0ce26

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pm.rtf

Filesize
57KB

MD5
2590a31070f2d70a51d198562f9635a5

SHA1
2e90be5efe42c69024729627a3ef4c280002e212

SHA256
6cbe0ff763d3179032b0d5d43ddf7ab1c96c7d8b8008e81e933b60e315090801

SHA512
dba8dfa1075e94774d53f0547e2f9256339d8d9419d7d9dbedd379cf4e16e7510143b943878825ee7e99a44c9032fc46cc96aef36fad9a01bd079325ad9d89ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\Snapshot

Filesize
107KB

MD5
f4d41df4f77694d5654753ac8d0a4ecf

SHA1
e32da2933e3d499a5d507b49252b2414ba4d7f23

SHA256
84d3b6a36ef280f7bfd555d7907c389a5c47bcbb718d6bada76db1985d79bc31

SHA512
403c495a8f91fd19adab2e3f8ae5bb2cffabdac122e83c0a17598ff8ff963c4a45f1db6e6ce75a3dd777f713b2a2283e4e807a19f8e3928888075b1c808f29e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solve

Filesize
101KB

MD5
f97c2e88c2a2f067150ebcc9623125e3

SHA1
75a64b225e7014d5b0c6e24cb2ff51c4b3bda6d0

SHA256
0559c90a73f308803566c83ecd1ccfc24f6779107cdaad875051bf113dff361d

SHA512
01d3660606e14a3633affa08f031e7c42f13a40fd3b7a47ffd5a69feaf0d1431881f5fec13b7275e199e3de749f2765486cc645f4cdc1285dc5e7d97c860a4af

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tenant.rtf

Filesize
90KB

MD5
5c650ef9c8033105060a70c756499920

SHA1
adb89629a379bb0bdabe74beacbf74f92098c144

SHA256
4aaf15cad97cec38b0a31a21c4e3258e2db5e542a1b5576736ece2bdec1ae1df

SHA512
25b25f6de5894af17abd93587a9c7ddb01e7c968de6361b1cfa60fa3595fe2e41d5ad9f887828c396069842236aafd1ed9b802f3f5d2efc5184062e11348be74

Download Submit
C:\Users\Admin\AppData\Local\Temp\Trunk.rtf

Filesize
67KB

MD5
7ca091933be9f5792311b6cfb43bdd49

SHA1
28711213052fd189afc6ba33706bdfd5de8b6ec1

SHA256
862e1473190aeb5cced11243f00496bdef78e72e7b38e7bba191f8335e19c524

SHA512
6b913436a6a2a14b08f06b60c0d35d9b14d57659c663692870ed8843225af2b686fb32733a49e1fd9b27cf7dd5bb8cb54ec0d199135c274bec16dbd9952d1062

Download Submit
C:\Users\Admin\AppData\Local\Temp\Victim

Filesize
62KB

MD5
172e663a5c734870a378cf159c72a61f

SHA1
e51a9a8d1c6de1d00782ef7d412ba1a3a6c4c510

SHA256
6a91063cbe0eef746eecb6a87d7f4e1bba7c0b3e6718abfed07756c35e4e1221

SHA512
e70868181ad23c7a72feab1f891935b7b5bf3dca59aeaeefd8eb43460666ca836705c1e044c927bb9e578cc2c5c38f7019d6dd3d0e7733a4fc627bffc6900985

Download Submit
C:\Users\Admin\AppData\Local\Temp\Warrant.rtf

Filesize
477KB

MD5
3950470c531a6a9d84585887b93fc4ba

SHA1
00d7a2e5700cf3c93c14aee857f3f9c39ed9f8fe

SHA256
ecfc5f007618856ce01d34fe7217f817285a3193df99260938cc5501d9ed043a

SHA512
228931294f39e5cba43a84efa51d48c4127f36570cb9cf9c026faf3f2955180b86570e2589a4f7059fc7e676a556236e7d868f3c0a150f62e36a2c81b043b95b

Download Submit
C:\Users\Admin\AppData\Local\Temp\loving.rtf

Filesize
27KB

MD5
71f22b73d66adf2370bdf3f9ab941086

SHA1
c7cc8938570b412a89243b588ac7cf70b947c9b4

SHA256
ac214767bc378d05afeb52bfd90da5e544cbe6cbc819ecbe346c10b79e2f3ca2

SHA512
caf1adce4ed75278a66b80e4407cb30844295397bca5cdadd40d6c9f31e0e4049b330e977b4768eb4fcd83ce298fe4b521d3196e8e9e3bb8b05e41ae67733717

Download Submit
memory/3144-76-0x0000000000300000-0x000000000035B000-memory.dmp

Filesize
364KB

Download
memory/3144-73-0x0000000000300000-0x000000000035B000-memory.dmp

Filesize
364KB

Download
memory/3144-72-0x0000000000300000-0x000000000035B000-memory.dmp

Filesize
364KB

Download
memory/3144-74-0x0000000000300000-0x000000000035B000-memory.dmp

Filesize
364KB

Download
memory/3144-75-0x0000000000300000-0x000000000035B000-memory.dmp

Filesize
364KB

Download
memory/3144-112-0x0000000005E60000-0x0000000005E65000-memory.dmp

Filesize
20KB

Download
memory/3144-113-0x0000000005E60000-0x0000000005E65000-memory.dmp

Filesize
20KB

Download
memory/3144-111-0x0000000000300000-0x000000000035B000-memory.dmp

Filesize
364KB

Download