lumma | 6232ffd99002b4613913f2a8c03beccb005687c0db190d7f12d7cd841a4d5337

Analysis

max time kernel
108s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
04/03/2025, 03:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Ughhiwlsl.exe
Size

290KB
MD5

3d7b6e6ec8e0ea92b7ac6d380cf7b689
SHA1

90e902eb6d1ce1ec955fce54f695f751b5abe96a
SHA256

6232ffd99002b4613913f2a8c03beccb005687c0db190d7f12d7cd841a4d5337
SHA512

76ecf6646f0a4bb419e7b5475cf1da614f1f16ffa97e5c3bbff21e41570e973a2018d86908d3a293828472b280052a8bf18f249214cc73f54f284a4334d74b21
SSDEEP

6144:N+wQSN+rztLEeUlDgldHcCkTq+FCy5dDuOvOeGJUj:NbhZDKWZ9hv2

Score

10^/10

lumma discovery execution spyware stealer

Malware Config

Extracted

Family

lumma

https://wordingvenuo.fun/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 5048 created 3452	5048	Ughhiwlsl.exe	56

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	O2EG248BNTORCYXRALO4KWL.tmp

Executes dropped EXE 4 IoCs

pid	Process
2740	O2EG248BNTORCYXRALO4KWL.exe
4880	O2EG248BNTORCYXRALO4KWL.tmp
4084	O2EG248BNTORCYXRALO4KWL.exe
440	O2EG248BNTORCYXRALO4KWL.tmp

Loads dropped DLL 6 IoCs

pid	Process
4880	O2EG248BNTORCYXRALO4KWL.tmp
4880	O2EG248BNTORCYXRALO4KWL.tmp
440	O2EG248BNTORCYXRALO4KWL.tmp
440	O2EG248BNTORCYXRALO4KWL.tmp
1444	regsvr32.exe
4852	regsvr32.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to execute payload.

execution

PowerShell

T1059.001

pid	Process
5060	powershell.exe
4812	powershell.exe
452	powershell.exe
724	powershell.exe
3308	PowerShell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5048 set thread context of 4548	5048	Ughhiwlsl.exe	96

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3220	1444	WerFault.exe	106
2296	4852	WerFault.exe	125

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ughhiwlsl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ughhiwlsl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	O2EG248BNTORCYXRALO4KWL.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	O2EG248BNTORCYXRALO4KWL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	O2EG248BNTORCYXRALO4KWL.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PowerShell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	O2EG248BNTORCYXRALO4KWL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
5048	Ughhiwlsl.exe
5048	Ughhiwlsl.exe
5048	Ughhiwlsl.exe
4548	Ughhiwlsl.exe
4548	Ughhiwlsl.exe
4548	Ughhiwlsl.exe
4548	Ughhiwlsl.exe
440	O2EG248BNTORCYXRALO4KWL.tmp
440	O2EG248BNTORCYXRALO4KWL.tmp
1444	regsvr32.exe
1444	regsvr32.exe
5060	powershell.exe
5060	powershell.exe
5060	powershell.exe
3308	PowerShell.exe
3308	PowerShell.exe
3308	PowerShell.exe
1444	regsvr32.exe
1444	regsvr32.exe
4812	powershell.exe
4812	powershell.exe
4812	powershell.exe
4852	regsvr32.exe
4852	regsvr32.exe
452	powershell.exe
452	powershell.exe
4852	regsvr32.exe
4852	regsvr32.exe
724	powershell.exe
724	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5048	Ughhiwlsl.exe
Token: SeDebugPrivilege	5048	Ughhiwlsl.exe
Token: SeDebugPrivilege	5060	powershell.exe
Token: SeIncreaseQuotaPrivilege	5060	powershell.exe
Token: SeSecurityPrivilege	5060	powershell.exe
Token: SeTakeOwnershipPrivilege	5060	powershell.exe
Token: SeLoadDriverPrivilege	5060	powershell.exe
Token: SeSystemProfilePrivilege	5060	powershell.exe
Token: SeSystemtimePrivilege	5060	powershell.exe
Token: SeProfSingleProcessPrivilege	5060	powershell.exe
Token: SeIncBasePriorityPrivilege	5060	powershell.exe
Token: SeCreatePagefilePrivilege	5060	powershell.exe
Token: SeBackupPrivilege	5060	powershell.exe
Token: SeRestorePrivilege	5060	powershell.exe
Token: SeShutdownPrivilege	5060	powershell.exe
Token: SeDebugPrivilege	5060	powershell.exe
Token: SeSystemEnvironmentPrivilege	5060	powershell.exe
Token: SeRemoteShutdownPrivilege	5060	powershell.exe
Token: SeUndockPrivilege	5060	powershell.exe
Token: SeManageVolumePrivilege	5060	powershell.exe
Token: 33	5060	powershell.exe
Token: 34	5060	powershell.exe
Token: 35	5060	powershell.exe
Token: 36	5060	powershell.exe
Token: SeDebugPrivilege	3308	PowerShell.exe
Token: SeIncreaseQuotaPrivilege	3308	PowerShell.exe
Token: SeSecurityPrivilege	3308	PowerShell.exe
Token: SeTakeOwnershipPrivilege	3308	PowerShell.exe
Token: SeLoadDriverPrivilege	3308	PowerShell.exe
Token: SeSystemProfilePrivilege	3308	PowerShell.exe
Token: SeSystemtimePrivilege	3308	PowerShell.exe
Token: SeProfSingleProcessPrivilege	3308	PowerShell.exe
Token: SeIncBasePriorityPrivilege	3308	PowerShell.exe
Token: SeCreatePagefilePrivilege	3308	PowerShell.exe
Token: SeBackupPrivilege	3308	PowerShell.exe
Token: SeRestorePrivilege	3308	PowerShell.exe
Token: SeShutdownPrivilege	3308	PowerShell.exe
Token: SeDebugPrivilege	3308	PowerShell.exe
Token: SeSystemEnvironmentPrivilege	3308	PowerShell.exe
Token: SeRemoteShutdownPrivilege	3308	PowerShell.exe
Token: SeUndockPrivilege	3308	PowerShell.exe
Token: SeManageVolumePrivilege	3308	PowerShell.exe
Token: 33	3308	PowerShell.exe
Token: 34	3308	PowerShell.exe
Token: 35	3308	PowerShell.exe
Token: 36	3308	PowerShell.exe
Token: SeIncreaseQuotaPrivilege	3308	PowerShell.exe
Token: SeSecurityPrivilege	3308	PowerShell.exe
Token: SeTakeOwnershipPrivilege	3308	PowerShell.exe
Token: SeLoadDriverPrivilege	3308	PowerShell.exe
Token: SeSystemProfilePrivilege	3308	PowerShell.exe
Token: SeSystemtimePrivilege	3308	PowerShell.exe
Token: SeProfSingleProcessPrivilege	3308	PowerShell.exe
Token: SeIncBasePriorityPrivilege	3308	PowerShell.exe
Token: SeCreatePagefilePrivilege	3308	PowerShell.exe
Token: SeBackupPrivilege	3308	PowerShell.exe
Token: SeRestorePrivilege	3308	PowerShell.exe
Token: SeShutdownPrivilege	3308	PowerShell.exe
Token: SeDebugPrivilege	3308	PowerShell.exe
Token: SeSystemEnvironmentPrivilege	3308	PowerShell.exe
Token: SeRemoteShutdownPrivilege	3308	PowerShell.exe
Token: SeUndockPrivilege	3308	PowerShell.exe
Token: SeManageVolumePrivilege	3308	PowerShell.exe
Token: 33	3308	PowerShell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
440	O2EG248BNTORCYXRALO4KWL.tmp

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 5048 wrote to memory of 4548	5048	Ughhiwlsl.exe	96
PID 5048 wrote to memory of 4548	5048	Ughhiwlsl.exe	96
PID 5048 wrote to memory of 4548	5048	Ughhiwlsl.exe	96
PID 5048 wrote to memory of 4548	5048	Ughhiwlsl.exe	96
PID 5048 wrote to memory of 4548	5048	Ughhiwlsl.exe	96
PID 5048 wrote to memory of 4548	5048	Ughhiwlsl.exe	96
PID 5048 wrote to memory of 4548	5048	Ughhiwlsl.exe	96
PID 5048 wrote to memory of 4548	5048	Ughhiwlsl.exe	96
PID 5048 wrote to memory of 4548	5048	Ughhiwlsl.exe	96
PID 4548 wrote to memory of 2740	4548	Ughhiwlsl.exe	101
PID 4548 wrote to memory of 2740	4548	Ughhiwlsl.exe	101
PID 4548 wrote to memory of 2740	4548	Ughhiwlsl.exe	101
PID 2740 wrote to memory of 4880	2740	O2EG248BNTORCYXRALO4KWL.exe	102
PID 2740 wrote to memory of 4880	2740	O2EG248BNTORCYXRALO4KWL.exe	102
PID 2740 wrote to memory of 4880	2740	O2EG248BNTORCYXRALO4KWL.exe	102
PID 4880 wrote to memory of 4084	4880	O2EG248BNTORCYXRALO4KWL.tmp	103
PID 4880 wrote to memory of 4084	4880	O2EG248BNTORCYXRALO4KWL.tmp	103
PID 4880 wrote to memory of 4084	4880	O2EG248BNTORCYXRALO4KWL.tmp	103
PID 4084 wrote to memory of 440	4084	O2EG248BNTORCYXRALO4KWL.exe	104
PID 4084 wrote to memory of 440	4084	O2EG248BNTORCYXRALO4KWL.exe	104
PID 4084 wrote to memory of 440	4084	O2EG248BNTORCYXRALO4KWL.exe	104
PID 440 wrote to memory of 1444	440	O2EG248BNTORCYXRALO4KWL.tmp	106
PID 440 wrote to memory of 1444	440	O2EG248BNTORCYXRALO4KWL.tmp	106
PID 440 wrote to memory of 1444	440	O2EG248BNTORCYXRALO4KWL.tmp	106
PID 1444 wrote to memory of 5060	1444	regsvr32.exe	107
PID 1444 wrote to memory of 5060	1444	regsvr32.exe	107
PID 1444 wrote to memory of 5060	1444	regsvr32.exe	107
PID 1444 wrote to memory of 3308	1444	regsvr32.exe	113
PID 1444 wrote to memory of 3308	1444	regsvr32.exe	113
PID 1444 wrote to memory of 3308	1444	regsvr32.exe	113
PID 1444 wrote to memory of 4812	1444	regsvr32.exe	117
PID 1444 wrote to memory of 4812	1444	regsvr32.exe	117
PID 1444 wrote to memory of 4812	1444	regsvr32.exe	117
PID 1536 wrote to memory of 4852	1536	regsvr32.EXE	125
PID 1536 wrote to memory of 4852	1536	regsvr32.EXE	125
PID 1536 wrote to memory of 4852	1536	regsvr32.EXE	125
PID 4852 wrote to memory of 452	4852	regsvr32.exe	126
PID 4852 wrote to memory of 452	4852	regsvr32.exe	126
PID 4852 wrote to memory of 452	4852	regsvr32.exe	126
PID 4852 wrote to memory of 724	4852	regsvr32.exe	128
PID 4852 wrote to memory of 724	4852	regsvr32.exe	128
PID 4852 wrote to memory of 724	4852	regsvr32.exe	128

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3452
- C:\Users\Admin\AppData\Local\Temp\Ughhiwlsl.exe
  "C:\Users\Admin\AppData\Local\Temp\Ughhiwlsl.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5048
- C:\Users\Admin\AppData\Local\Temp\Ughhiwlsl.exe
  "C:\Users\Admin\AppData\Local\Temp\Ughhiwlsl.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4548
- - C:\Users\Admin\AppData\Local\Temp\O2EG248BNTORCYXRALO4KWL.exe
    "C:\Users\Admin\AppData\Local\Temp\O2EG248BNTORCYXRALO4KWL.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2740
  - - C:\Users\Admin\AppData\Local\Temp\is-5BGRR.tmp\O2EG248BNTORCYXRALO4KWL.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-5BGRR.tmp\O2EG248BNTORCYXRALO4KWL.tmp" /SL5="$A01C2,5868820,73216,C:\Users\Admin\AppData\Local\Temp\O2EG248BNTORCYXRALO4KWL.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4880
    - - C:\Users\Admin\AppData\Local\Temp\O2EG248BNTORCYXRALO4KWL.exe
        
        "C:\Users\Admin\AppData\Local\Temp\O2EG248BNTORCYXRALO4KWL.exe" /VERYSILENT
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4084
      - C:\Users\Admin\AppData\Local\Temp\is-NB68F.tmp\O2EG248BNTORCYXRALO4KWL.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-NB68F.tmp\O2EG248BNTORCYXRALO4KWL.tmp" /SL5="$D0118,5868820,73216,C:\Users\Admin\AppData\Local\Temp\O2EG248BNTORCYXRALO4KWL.exe" /VERYSILENT
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:440
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        "regsvr32.exe" /s /i:INSTALL "C:\Users\Admin\AppData\Roaming\\8ws2_32_5.ocx"
        7⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1444
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:INSTALL C:\Users\Admin\AppData\Roaming\8ws2_32_5.ocx' }) { exit 0 } else { exit 1 }"
        8⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5060
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShell.exe
        
        "PowerShell.exe" -NoProfile -NonInteractive -Command -
        8⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3308
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:INSTALL C:\Users\Admin\AppData\Roaming\8ws2_32_5.ocx' }) { exit 0 } else { exit 1 }"
        8⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4812
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1444 -s 692
        8⤵
        Program crash
        
        PID:3220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1444 -ip 1444
1⤵
PID:1152

C:\Windows\system32\regsvr32.EXE
C:\Windows\system32\regsvr32.EXE /s /i:INSTALL C:\Users\Admin\AppData\Roaming\8ws2_32_5.ocx
1⤵
- Suspicious use of WriteProcessMemory
PID:1536
- C:\Windows\SysWOW64\regsvr32.exe
  /s /i:INSTALL C:\Users\Admin\AppData\Roaming\8ws2_32_5.ocx
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4852
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:INSTALL C:\Users\Admin\AppData\Roaming\8ws2_32_5.ocx' }) { exit 0 } else { exit 1 }"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:452
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:INSTALL C:\Users\Admin\AppData\Roaming\8ws2_32_5.ocx' }) { exit 0 } else { exit 1 }"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:724
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4852 -s 656
    3⤵
    - Program crash
    PID:2296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4852 -ip 4852
1⤵
PID:1856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PowerShell.exe.log

Filesize
2KB

MD5
55d32bc1c206428fe659912b361362de

SHA1
7056271e5cf73b03bafc4e616a0bc5a4cffc810f

SHA256
37bd9078411576470f38bed628682d66786194692355541cd16f323e8f17c1ff

SHA512
2602abc70c0ed7e5ba63a3c7190015c2b30aa3223fbbe65fd9ddc001e84ab393bb172a9488dd988cd6368d668ab8608f85dc03cdb7c9561e904e3f7ce103485c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
20KB

MD5
6baada3ef28a2c442ddf87ea54a117ea

SHA1
430ba4ea1a99874eaac4de168861e725e0fa72b2

SHA256
e85b61bf16ba4768c0f9f99fff54bd8b73f83beb1bbebf7d88a64441f667dd5c

SHA512
9cf5a9c5c6683d3c42f4aee3cfa54fa5a1de40620efdee01f54a6421c023e0548947acb65fbb4db28561acbe189b98b055f21d97c66561422ee80c2a3fcf9027

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
21KB

MD5
64fa5a7299553549973e6214e78fdeac

SHA1
a8a6d7ce45ad747b1fb5dc75e7c1fe2d89462e51

SHA256
416244cde65a09b53ba01e2a7ce3f05f8713d6b3d7c570e09b715aeec5fabaac

SHA512
12acdbf00c750d27288c5403d3bf4afcc1b37c5d447fc85bf2496b10d423cd79ccb9fe1b8bec105303ff734af97ccbecc24faa978d49461eacf2b03a243893a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
20KB

MD5
63e407fa036f865a043bc261bd2f75e3

SHA1
3e801ff15e2c3600d691a5c7fb686fb904cc25b8

SHA256
d5858ba93c4631b4ec445f894dc1181648e1ec4bb7f4b93081fecff2f7ff17bb

SHA512
3358e3fc533f04818926fb528f038372ca9ea603941614d7e9d1e20e1d555888b2fa714a7f4a27c3bc5db483ae7dde85e686749746c6f12d590d9ca86b5cbd61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
20KB

MD5
87fd3aa2cb1b4fa56f5ea27b9cdacf99

SHA1
fa3f44afa5c7d9d30418a133741dd068499784ad

SHA256
d1a218c7a79cafcebf2470a6ef0c662601f9e65cc2ed9c5f3f7a9b6db3df7ae6

SHA512
dc5a22a89c1c932ccfbb5d5d7bcbe3bd58d63d3e986844c9afb0cfba631067a99216c1e1b5915be40a0a19b3aa73354ed4dfc54716f5487327f9680f6975d696

Download Submit
C:\Users\Admin\AppData\Local\Temp\O2EG248BNTORCYXRALO4KWL.exe

Filesize
5.8MB

MD5
16b7f1e45c98d237fe351a934f6759b3

SHA1
afe5cddacc2384f7498952f788a72074e9ad903f

SHA256
480696a157ec8af6be222acb12e24a375a1819ed739f703c5eec8a7fe3d2355f

SHA512
a82f862615cc309a58a4ffc329699cf6a2301d71406192d91dd840abd4c294dfe96a369f9019ff90b929474a1731dd7f49600241053987bcccf5bc9fd8c37ea2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_p2w3i21y.wop.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-5BGRR.tmp\O2EG248BNTORCYXRALO4KWL.tmp

Filesize
711KB

MD5
9917f679a0135245a5cc6b1aadcb3a6c

SHA1
7aab67a56fd3e10fd070e29d2998af2162c0a204

SHA256
a0090b3a687e7d0a6d6b6918bcbb798ebecb184cba8d3eb5fe4345ec9aba9243

SHA512
87194d9f3c97b48a297faef76e3a308de6b454d10a5b50adeb22336982ca5bd5ba3a1cacb39cfbaf78a3befbc37967eb89a7c84cfdd53054204647dffd5b35cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-E9J69.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-T1HHR.tmp\_isetup\_isdecmp.dll

Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
C:\Users\Admin\AppData\Roaming\8ws2_32_5.ocx

Filesize
9.8MB

MD5
95d004a0e4013988f7347d50964c3eaa

SHA1
4cf7a8a7e3065a13291dfe726dbea2b332a56c2d

SHA256
52d7de7fa23d129da0dc1e2a2bef8e0b77fe3978402d256913ad67f098c124c2

SHA512
19a0d26fcb504b6b7bf8f0687c4e195d12551b05b48fc9e66013860ceda95563d27776977821b1c662dc1c96af0f3c284b66c2f5f2e26ce288b7914afcaecfde

Download Submit
memory/452-1544-0x00000000701D0000-0x000000007021C000-memory.dmp

Filesize
304KB

Download
memory/452-1541-0x00000000061A0000-0x00000000064F4000-memory.dmp

Filesize
3.3MB

Download
memory/452-1555-0x0000000007B30000-0x0000000007B41000-memory.dmp

Filesize
68KB

Download
memory/452-1554-0x00000000077E0000-0x0000000007883000-memory.dmp

Filesize
652KB

Download
memory/452-1543-0x00000000066B0000-0x00000000066FC000-memory.dmp

Filesize
304KB

Download
memory/724-1567-0x00000000701D0000-0x000000007021C000-memory.dmp

Filesize
304KB

Download
memory/2740-1388-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2740-1416-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/3308-1493-0x0000000070150000-0x000000007019C000-memory.dmp

Filesize
304KB

Download
memory/3308-1492-0x0000000006480000-0x00000000064CC000-memory.dmp

Filesize
304KB

Download
memory/3308-1503-0x0000000007670000-0x0000000007713000-memory.dmp

Filesize
652KB

Download
memory/3308-1504-0x0000000007930000-0x0000000007941000-memory.dmp

Filesize
68KB

Download
memory/4548-1346-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4548-1381-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4812-1518-0x0000000075300000-0x000000007534C000-memory.dmp

Filesize
304KB

Download
memory/4812-1507-0x0000000005EC0000-0x0000000006214000-memory.dmp

Filesize
3.3MB

Download
memory/4880-1413-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/4880-1399-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/5048-1332-0x00000000751C0000-0x0000000075970000-memory.dmp

Filesize
7.7MB

Download
memory/5048-33-0x0000000005E30000-0x0000000005F55000-memory.dmp

Filesize
1.1MB

Download
memory/5048-41-0x0000000005E30000-0x0000000005F55000-memory.dmp

Filesize
1.1MB

Download
memory/5048-39-0x0000000005E30000-0x0000000005F55000-memory.dmp

Filesize
1.1MB

Download
memory/5048-21-0x0000000005E30000-0x0000000005F55000-memory.dmp

Filesize
1.1MB

Download
memory/5048-19-0x0000000005E30000-0x0000000005F55000-memory.dmp

Filesize
1.1MB

Download
memory/5048-17-0x0000000005E30000-0x0000000005F55000-memory.dmp

Filesize
1.1MB

Download
memory/5048-15-0x0000000005E30000-0x0000000005F55000-memory.dmp

Filesize
1.1MB

Download
memory/5048-11-0x0000000005E30000-0x0000000005F55000-memory.dmp

Filesize
1.1MB

Download
memory/5048-9-0x0000000005E30000-0x0000000005F55000-memory.dmp

Filesize
1.1MB

Download
memory/5048-7-0x0000000005E30000-0x0000000005F55000-memory.dmp

Filesize
1.1MB

Download
memory/5048-5-0x0000000005E30000-0x0000000005F55000-memory.dmp

Filesize
1.1MB

Download
memory/5048-4-0x0000000005E30000-0x0000000005F55000-memory.dmp

Filesize
1.1MB

Download
memory/5048-1326-0x00000000751CE000-0x00000000751CF000-memory.dmp

Filesize
4KB

Download
memory/5048-1327-0x00000000751C0000-0x0000000075970000-memory.dmp

Filesize
7.7MB

Download
memory/5048-1328-0x0000000005FA0000-0x0000000006024000-memory.dmp

Filesize
528KB

Download
memory/5048-1329-0x0000000006090000-0x0000000006112000-memory.dmp

Filesize
520KB

Download
memory/5048-1330-0x0000000006030000-0x000000000607C000-memory.dmp

Filesize
304KB

Download
memory/5048-1331-0x00000000751C0000-0x0000000075970000-memory.dmp

Filesize
7.7MB

Download
memory/5048-25-0x0000000005E30000-0x0000000005F55000-memory.dmp

Filesize
1.1MB

Download
memory/5048-1333-0x0000000006B30000-0x00000000070D4000-memory.dmp

Filesize
5.6MB

Download
memory/5048-1334-0x0000000006580000-0x00000000065D4000-memory.dmp

Filesize
336KB

Download
memory/5048-27-0x0000000005E30000-0x0000000005F55000-memory.dmp

Filesize
1.1MB

Download
memory/5048-29-0x0000000005E30000-0x0000000005F55000-memory.dmp

Filesize
1.1MB

Download
memory/5048-31-0x0000000005E30000-0x0000000005F55000-memory.dmp

Filesize
1.1MB

Download
memory/5048-47-0x0000000005E30000-0x0000000005F55000-memory.dmp

Filesize
1.1MB

Download
memory/5048-35-0x0000000005E30000-0x0000000005F55000-memory.dmp

Filesize
1.1MB

Download
memory/5048-37-0x0000000005E30000-0x0000000005F55000-memory.dmp

Filesize
1.1MB

Download
memory/5048-1336-0x00000000751C0000-0x0000000075970000-memory.dmp

Filesize
7.7MB

Download
memory/5048-1340-0x00000000751C0000-0x0000000075970000-memory.dmp

Filesize
7.7MB

Download
memory/5048-1341-0x00000000751C0000-0x0000000075970000-memory.dmp

Filesize
7.7MB

Download
memory/5048-1345-0x00000000751C0000-0x0000000075970000-memory.dmp

Filesize
7.7MB

Download
memory/5048-1347-0x00000000751C0000-0x0000000075970000-memory.dmp

Filesize
7.7MB

Download
memory/5048-53-0x0000000005E30000-0x0000000005F55000-memory.dmp

Filesize
1.1MB

Download
memory/5048-0-0x00000000751CE000-0x00000000751CF000-memory.dmp

Filesize
4KB

Download
memory/5048-1-0x0000000000150000-0x000000000019E000-memory.dmp

Filesize
312KB

Download
memory/5048-43-0x0000000005E30000-0x0000000005F55000-memory.dmp

Filesize
1.1MB

Download
memory/5048-2-0x00000000751C0000-0x0000000075970000-memory.dmp

Filesize
7.7MB

Download
memory/5048-3-0x0000000005E30000-0x0000000005F5C000-memory.dmp

Filesize
1.2MB

Download
memory/5048-13-0x0000000005E30000-0x0000000005F55000-memory.dmp

Filesize
1.1MB

Download
memory/5048-23-0x0000000005E30000-0x0000000005F55000-memory.dmp

Filesize
1.1MB

Download
memory/5048-45-0x0000000005E30000-0x0000000005F55000-memory.dmp

Filesize
1.1MB

Download
memory/5048-57-0x0000000005E30000-0x0000000005F55000-memory.dmp

Filesize
1.1MB

Download
memory/5048-67-0x0000000005E30000-0x0000000005F55000-memory.dmp

Filesize
1.1MB

Download
memory/5048-65-0x0000000005E30000-0x0000000005F55000-memory.dmp

Filesize
1.1MB

Download
memory/5048-63-0x0000000005E30000-0x0000000005F55000-memory.dmp

Filesize
1.1MB

Download
memory/5048-61-0x0000000005E30000-0x0000000005F55000-memory.dmp

Filesize
1.1MB

Download
memory/5048-59-0x0000000005E30000-0x0000000005F55000-memory.dmp

Filesize
1.1MB

Download
memory/5048-55-0x0000000005E30000-0x0000000005F55000-memory.dmp

Filesize
1.1MB

Download
memory/5048-51-0x0000000005E30000-0x0000000005F55000-memory.dmp

Filesize
1.1MB

Download
memory/5048-49-0x0000000005E30000-0x0000000005F55000-memory.dmp

Filesize
1.1MB

Download
memory/5060-1444-0x00000000051B0000-0x00000000051E6000-memory.dmp

Filesize
216KB

Download
memory/5060-1478-0x0000000007CA0000-0x0000000007CB1000-memory.dmp

Filesize
68KB

Download
memory/5060-1477-0x0000000007D30000-0x0000000007DC6000-memory.dmp

Filesize
600KB

Download
memory/5060-1476-0x0000000007AF0000-0x0000000007AFA000-memory.dmp

Filesize
40KB

Download
memory/5060-1475-0x0000000007AA0000-0x0000000007ABA000-memory.dmp

Filesize
104KB

Download
memory/5060-1474-0x00000000080E0000-0x000000000875A000-memory.dmp

Filesize
6.5MB

Download
memory/5060-1473-0x0000000007970000-0x0000000007A13000-memory.dmp

Filesize
652KB

Download
memory/5060-1462-0x0000000075300000-0x000000007534C000-memory.dmp

Filesize
304KB

Download
memory/5060-1472-0x0000000007950000-0x000000000796E000-memory.dmp

Filesize
120KB

Download
memory/5060-1461-0x0000000007910000-0x0000000007942000-memory.dmp

Filesize
200KB

Download
memory/5060-1460-0x0000000006790000-0x00000000067DC000-memory.dmp

Filesize
304KB

Download
memory/5060-1459-0x0000000006750000-0x000000000676E000-memory.dmp

Filesize
120KB

Download
memory/5060-1458-0x0000000006270000-0x00000000065C4000-memory.dmp

Filesize
3.3MB

Download
memory/5060-1446-0x0000000005810000-0x0000000005832000-memory.dmp

Filesize
136KB

Download
memory/5060-1450-0x0000000006100000-0x0000000006166000-memory.dmp

Filesize
408KB

Download
memory/5060-1447-0x0000000005F90000-0x0000000005FF6000-memory.dmp

Filesize
408KB

Download
memory/5060-1445-0x0000000005960000-0x0000000005F88000-memory.dmp

Filesize
6.2MB

Download