lumma | 051a2627972d2298d7edb1da10be267de266b918c69b502ff523302eaf5779c6

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05/03/2025, 13:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

000.exe
Size

817.3MB
MD5

24e969edce8790040180f8e0903e71b1
SHA1

ef7b408ee17e0e4deafe68277001a1004049f944
SHA256

e53358b7c580456d6c5a905e46924fab8da680aa53cbdfbff52bccf90860eded
SHA512

0e5c0f8cc707bbc8c4221124bcee44cfa4efd16cab960071a21eb50ad116f63122e783270ec491cd30059fb45b7bdeeae9e3a8660aa9213ba9e0503f8cc556c9
SSDEEP

393216:Cc5rHAS4wPHoLDS4SvOeqyw+uPFoHo5IW7Vgu5r8NE5I:DILDPX

Score

10^/10

lumma discovery spyware stealer

Malware Config

Extracted

Family

lumma

https://theorxhysics.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Executes dropped EXE 1 IoCs

pid	Process
2876	Manufactured.com

Loads dropped DLL 5 IoCs

pid	Process
2276	cmd.exe
1784	WerFault.exe
1784	WerFault.exe
1784	WerFault.exe
1784	WerFault.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
2712	tasklist.exe
2696	tasklist.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\VirusCommissioner	000.exe
File opened for modification	C:\Windows\TrackbacksSystems	000.exe
File opened for modification	C:\Windows\TransportProducts	000.exe
File opened for modification	C:\Windows\PerformancesWellness	000.exe
File opened for modification	C:\Windows\DemonstrateChronicle	000.exe
File opened for modification	C:\Windows\ConductingWicked	000.exe
File opened for modification	C:\Windows\BahrainPlanner	000.exe
File opened for modification	C:\Windows\DaysMardi	000.exe
File opened for modification	C:\Windows\ProprietaryPound	000.exe
File opened for modification	C:\Windows\ManitobaVegetarian	000.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1784	2876	WerFault.exe	44

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	expand.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Manufactured.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	000.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2876	Manufactured.com
2876	Manufactured.com
2876	Manufactured.com

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2712	tasklist.exe
Token: SeDebugPrivilege	2696	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2876	Manufactured.com
2876	Manufactured.com
2876	Manufactured.com

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2876	Manufactured.com
2876	Manufactured.com
2876	Manufactured.com

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 2520 wrote to memory of 2276	2520	000.exe	31
PID 2520 wrote to memory of 2276	2520	000.exe	31
PID 2520 wrote to memory of 2276	2520	000.exe	31
PID 2520 wrote to memory of 2276	2520	000.exe	31
PID 2276 wrote to memory of 2196	2276	cmd.exe	33
PID 2276 wrote to memory of 2196	2276	cmd.exe	33
PID 2276 wrote to memory of 2196	2276	cmd.exe	33
PID 2276 wrote to memory of 2196	2276	cmd.exe	33
PID 2276 wrote to memory of 2712	2276	cmd.exe	34
PID 2276 wrote to memory of 2712	2276	cmd.exe	34
PID 2276 wrote to memory of 2712	2276	cmd.exe	34
PID 2276 wrote to memory of 2712	2276	cmd.exe	34
PID 2276 wrote to memory of 2720	2276	cmd.exe	35
PID 2276 wrote to memory of 2720	2276	cmd.exe	35
PID 2276 wrote to memory of 2720	2276	cmd.exe	35
PID 2276 wrote to memory of 2720	2276	cmd.exe	35
PID 2276 wrote to memory of 2696	2276	cmd.exe	37
PID 2276 wrote to memory of 2696	2276	cmd.exe	37
PID 2276 wrote to memory of 2696	2276	cmd.exe	37
PID 2276 wrote to memory of 2696	2276	cmd.exe	37
PID 2276 wrote to memory of 2844	2276	cmd.exe	38
PID 2276 wrote to memory of 2844	2276	cmd.exe	38
PID 2276 wrote to memory of 2844	2276	cmd.exe	38
PID 2276 wrote to memory of 2844	2276	cmd.exe	38
PID 2276 wrote to memory of 2172	2276	cmd.exe	39
PID 2276 wrote to memory of 2172	2276	cmd.exe	39
PID 2276 wrote to memory of 2172	2276	cmd.exe	39
PID 2276 wrote to memory of 2172	2276	cmd.exe	39
PID 2276 wrote to memory of 2840	2276	cmd.exe	40
PID 2276 wrote to memory of 2840	2276	cmd.exe	40
PID 2276 wrote to memory of 2840	2276	cmd.exe	40
PID 2276 wrote to memory of 2840	2276	cmd.exe	40
PID 2276 wrote to memory of 2640	2276	cmd.exe	41
PID 2276 wrote to memory of 2640	2276	cmd.exe	41
PID 2276 wrote to memory of 2640	2276	cmd.exe	41
PID 2276 wrote to memory of 2640	2276	cmd.exe	41
PID 2276 wrote to memory of 1716	2276	cmd.exe	42
PID 2276 wrote to memory of 1716	2276	cmd.exe	42
PID 2276 wrote to memory of 1716	2276	cmd.exe	42
PID 2276 wrote to memory of 1716	2276	cmd.exe	42
PID 2276 wrote to memory of 1792	2276	cmd.exe	43
PID 2276 wrote to memory of 1792	2276	cmd.exe	43
PID 2276 wrote to memory of 1792	2276	cmd.exe	43
PID 2276 wrote to memory of 1792	2276	cmd.exe	43
PID 2276 wrote to memory of 2876	2276	cmd.exe	44
PID 2276 wrote to memory of 2876	2276	cmd.exe	44
PID 2276 wrote to memory of 2876	2276	cmd.exe	44
PID 2276 wrote to memory of 2876	2276	cmd.exe	44
PID 2276 wrote to memory of 1960	2276	cmd.exe	45
PID 2276 wrote to memory of 1960	2276	cmd.exe	45
PID 2276 wrote to memory of 1960	2276	cmd.exe	45
PID 2276 wrote to memory of 1960	2276	cmd.exe	45
PID 2876 wrote to memory of 1784	2876	Manufactured.com	46
PID 2876 wrote to memory of 1784	2876	Manufactured.com	46
PID 2876 wrote to memory of 1784	2876	Manufactured.com	46
PID 2876 wrote to memory of 1784	2876	Manufactured.com	46

C:\Users\Admin\AppData\Local\Temp\000.exe
"C:\Users\Admin\AppData\Local\Temp\000.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2520
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c expand Opera.xltm Opera.xltm.bat & Opera.xltm.bat
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2276
- - C:\Windows\SysWOW64\expand.exe
    expand Opera.xltm Opera.xltm.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2196
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2712
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2720
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2696
- - C:\Windows\SysWOW64\findstr.exe
    findstr "bdservicehost AvastUI AVGUI nsWscSvc ekrn SophosHealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2844
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 708827
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2172
- - C:\Windows\SysWOW64\extrac32.exe
    extrac32 /Y /E Somebody.xltm
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2840
- - C:\Windows\SysWOW64\findstr.exe
    findstr /V "ENERGY" Javascript
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2640
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b 708827\Manufactured.com + Cups + Exercise + Contemporary + Concerts + Center + Enterprises + Theme + Expired + Reminder 708827\Manufactured.com
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1716
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Registered.xltm + ..\Are.xltm + ..\Xnxx.xltm + ..\Dentists.xltm + ..\Platforms.xltm + ..\Http.xltm + ..\Animals.xltm + ..\Problems.xltm R
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1792
- - C:\Users\Admin\AppData\Local\Temp\708827\Manufactured.com
    Manufactured.com R
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2876
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2876 -s 1188
      4⤵
      Loads dropped DLL
      Program crash
      PID:1784
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\708827\Manufactured.com

Filesize
712B

MD5
0cb769d375011daedbcdb3c787cdc401

SHA1
3f468fcbaa7cd4245b029dadf23c98861f7b8001

SHA256
6b678716fdbbe9d735437cfeaec670429dbf96aea21df83721bc42459a1ad75b

SHA512
18c41e288a01f2d34e5bb80ae589e7a1aadefab1becb05d6c1588a44499a7b1890d3ffeb6c4828d2d40eb42fb105bc07b8765d5a98ff00fbd5d0285dc9ce5823

Download Submit
C:\Users\Admin\AppData\Local\Temp\708827\R

Filesize
531KB

MD5
0cd32a349d9f818f5f2f21da19d6920d

SHA1
0f5960fed82dfe559f83092b6cb1d7131848cf48

SHA256
eef492f7751190179d0edfba20f2ddc39f46d8f14fd0601909e176914f6923f3

SHA512
71094ea9f9404b54c287dda8c29d9181692ac3ec7e69d4dfde927c2fdcf13f7bb74e25926ab9ae331a70cc6909dbc011b1fd5068ea71851278b3dd11a5c56dfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Animals.xltm

Filesize
98KB

MD5
d188dffb127c18e7847b9171135b9514

SHA1
b0bddb968c75273cd600a4552709a94ebe4a6b50

SHA256
0f61ae582957485d0c966050072ff6e61a5ef2292b01fd0983174357feb4d9f6

SHA512
be3c06f33fd30cd61ac445de0ffd63c759dec70a650669389b1fb3a68146d68c1505f2ea561c36b9a2cde6dc47f648b88fa44cca26c7ae2a0c1709a868e22242

Download Submit
C:\Users\Admin\AppData\Local\Temp\Are.xltm

Filesize
69KB

MD5
2ca7882bce3d00fb5dc4b61a062fdef1

SHA1
0d423ee1d58fb3f15b87a7d990ea1dd75318f4ca

SHA256
1d04c20ac110bc216286aa754fa8e475905938f19b82fa8bc42c3473c1a7d17c

SHA512
1f9e4dfb053d793f0114eee1e09de8ea92a262d2cd31e21572e8ef3954bfe4138c2a07a9434e9bbb1b7af532718d4def21efb6f0d1c6a6e19f69a5cf381b2252

Download Submit
C:\Users\Admin\AppData\Local\Temp\Center

Filesize
134KB

MD5
5ecbf8c5ed0d8bd708a2e81831cab098

SHA1
c907f42089f87980487a2dc64a85be5c1d339bc2

SHA256
e06fc6ef37026c0d90fee53770506a891bd9ce76345202528714d66a87d71e55

SHA512
7b543f7e2f5c4d1338fbdab3f78c98c9603586725190ee90c9904967fac97bec1940ce4d0b9dc27a37f2813dbe3004881e202800cf6a353da7ed1f6fc0f95fdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Concerts

Filesize
62KB

MD5
7b9d6ea082b6d2d1078549d78f5b7892

SHA1
5137148f84c64d9746353c73e217cd75474461fc

SHA256
f869ca0da4c13289d6692b476e27eb903229da3feb2955ca54ba5d80fd4855f1

SHA512
4ce97b913b070a9a08852f92ed29f808f4b729e4811b459514d012f97572a93699b43d469f16f7be4b9cbd7a997688f5ac148c7b44e4dc2d4995ff6a15336e00

Download Submit
C:\Users\Admin\AppData\Local\Temp\Contemporary

Filesize
55KB

MD5
f96f449cbd25e8866d3a84e9ce3929c1

SHA1
f31909e16f268ad5a883f796e64ce8c8b0c023e7

SHA256
210751a83f99c8b9c0e7020642b087c0206fc7df6064b4fb9f6f862e588fb352

SHA512
fe6e1964e77d6d98d18b8fe262145b700777d012f4bb1d48fa2e2c10bc68299922c58a673e8a8319300f2a066a68a134047383730307df0001f218450de60c3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cups

Filesize
111KB

MD5
e96037ca93c03f3d894c355c8458738c

SHA1
215c040d8b3401de106aef6e03743b4318abe49d

SHA256
2d6cc3cebaf9a7df7b3cc8db43d0b57edb96d4be171dcfb404e39996edaec3d9

SHA512
6250909cd9f8d3a13e4865b6a5d02175da4a7e2b6f2ed7a635fc557e84f33c6d221ebe4f39f441134660f522277e8731009d7d631d3b17dfb2a804ed2c8a1715

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dentists.xltm

Filesize
70KB

MD5
5fad4d9c44cf0263b2b6835a3383a835

SHA1
bff691c465df3257648b2b264349e82409db20bd

SHA256
2310c79464bb43dccb6a5962bc017b3da0a18505f7fb64415cb53f8a85761f2e

SHA512
d977758ad78eedf3c10595195104b6438bd107167fed0bca29acc7a15b9614ca2e82b25f7c7ef8229f02e0cdfd253a441a25ee98d107299ddd1c10751609c02c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Enterprises

Filesize
146KB

MD5
d51736a33d46c569d827d1b6dd7c58bb

SHA1
6a1939e5bd3ec649a530e03d63401b9e2f9bc246

SHA256
fd224159642919071a2bb0eb2667c212355b3a1655a437a1052e51f514cb88bd

SHA512
6abc34e66c1dd3417893e9c6fb20a36958e3dbd4c194645f675691ddd814b20ed8c7ea1665430443770243f6d39e87c47798f9f66e1d45a776a9550c132bb39d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Exercise

Filesize
148KB

MD5
b74b6b1cf0898592f399b45add3028c3

SHA1
0936cbe0d00ad5be7010f6acd9a69d0430d33701

SHA256
d764c9e627b0d3f6e418f9db5ec025ba4b7b4ed3ea90d2d547983360c3cf9ac9

SHA512
2de4b904d56ecdc015077b74c03b41d98e9f238596dae65b93d115e85cca21c672d7831c5089b0a8e1b0ba98a42c378c3ef74e81efdab125c387552b05a8aac5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Expired

Filesize
127KB

MD5
c28dd9ef5fc0ceb2c468ea1afe6b2dce

SHA1
486e05da0b98377e6ec14ddaef63870d9a146bad

SHA256
1104c574c556c9e88f51bf284591f36b9502ed048c4f65dd2ef5de17f8ebf53d

SHA512
dadb1ad86d2143df376085499efc019bbdb551b01ff3a24b20ad363a2c7d908681f11efbf13ddafe0adc712ed93b9bb52cedab827da72de7fbe9dff7a52ae9ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\Http.xltm

Filesize
71KB

MD5
0334faab1996e83bd802089ba9cd1cf3

SHA1
45268890cfbcdc9179b36de742cd0a6fc9b1674a

SHA256
8793eeba5e05046be2f81130981d753169beaa0a80132ceabe8b0c64809dae7e

SHA512
816f5f99296d484399f00c28d3587c21f907d96cf7fc8d0148ad8a2640cc821628c9cf107842b6719761d518476d97c36939a5c5d988584c9d08867b4dbd37de

Download Submit
C:\Users\Admin\AppData\Local\Temp\Javascript

Filesize
718B

MD5
0301e0d5bbed3f514df3d8f66a09c317

SHA1
94b9e7ef66c058493a13af8bfef42522e0985de3

SHA256
b890ad292642df8a3c0dbf6df455a0b06c14261dd7e7e6b29c7ce7bd0b1cbb9e

SHA512
2cc1a68a05483a506de898ec528130a7e4cebcebe55865b6e250f94597ac793f46233bae6341a73546c6ce12a738992c79f75b4728fa0e139cbb4252e830af70

Download Submit
C:\Users\Admin\AppData\Local\Temp\Platforms.xltm

Filesize
56KB

MD5
73181df9d7db2e27d805a39a176f58db

SHA1
6b411c77393b3e2b36e457bfaef2595471eb4210

SHA256
cc9bc4db96f8b2fc3f0058492d583b8ddae6d213bd0e4007d0660a678d6e7b45

SHA512
1d5d17c3b5b269282dd2d2d2dc0fb440cd7531f700ebd6560596d1c47e2751eb18e8593dca64928c94d7f2a48129c11143b030258d00a16a1441f84374b58fbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Problems.xltm

Filesize
19KB

MD5
0db6283b3e3d5d893b783b46d53ac505

SHA1
886cbf7d79cce549a1136fb6e9425c9b6aa84258

SHA256
4983bb5063403361e7164f65d853f98cfe42079ef16480b814d7a0973f893324

SHA512
f6a638b235cbc4e8677edeaf8b206a3155f14bc7a51abf932dcad1cd6b255209d17ae920487a696440b942be2d1b26f0cdcb9d442f0a99d6ed1127baec52c3fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Registered.xltm

Filesize
92KB

MD5
3a6ac3475dba71dfc298603eeca23956

SHA1
1d01e3efa3c5d4abbc10199486f32c0e866f98df

SHA256
9cd3aa3a06b2aab66a4956bdb5875d9b4f07d2c41254593ab9d15e08c82978aa

SHA512
9feda07129ae913902f9f7c5207ad0139c8462073365ca19bbc0de4c7c966d4cf4f13866884b6a4c0438ac27707fb1600ca1632e0ae80f9b8e63925735d5dbca

Download Submit
C:\Users\Admin\AppData\Local\Temp\Reminder

Filesize
88KB

MD5
80945786ebcc46c523df403fc311f901

SHA1
d258fb5194a0eeeb769d3a3ddf8643bedd647374

SHA256
fecc0d25a487f34e8e6dc0344ad56897c04a746e5abb211b4479e2cd2133c567

SHA512
ac163d6334c06d9abf38ea22853a208a926e4d6ad6576b67a3cec58352ecb051978d6df2b3f7bbafdd3f8f4b675727fa2fc415f3682d56de429773adef2d5ccf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Somebody.xltm

Filesize
477KB

MD5
026048745b3701b1c13b50b7b454d305

SHA1
e580362a2bbc763fcf8f93f9a89e52037d9cd8b8

SHA256
6534051b71381b1a441dcd7a8a05bf361d49588128fbfe1c1fd6bad3d1d1b7e2

SHA512
d0e3bec13d7299e7e71c7013874a804e482334eca5c18e192c3366ca7e3377f30bdcd9c88024541019587a5ef02046373989d2f4d55877b200ba0870b2c7f7cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Theme

Filesize
53KB

MD5
d1593e2989b89e5adf2a72076e6dbbb9

SHA1
8f8315986b369b69922992879ecac61db03df304

SHA256
6d29f727129da75a92462e244627bc0ec279d6e4256fd51e44b8b08ce2c17a59

SHA512
59bfbaf3a58b4a6a0bded668f07f19c05d7f38db67156675f807437fbf5ea55f8282b877a25384a6c7d0afcd7b339e4ae2b42d35768337f641a67e1f77f6a68b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Xnxx.xltm

Filesize
56KB

MD5
6b838b964a714ceb075c1530d92c46fb

SHA1
17cfee6ed0cc62ffbfbb3045c6985da8cf072863

SHA256
e053dc79bb7255ec9f393ee70eb38c311a08b3ff77bc3646a00bcebdd95a7dd5

SHA512
f767fa79da73ed50d530d246efb14d7f766f3678f29e7091965b58f5c2a950de3c5373e03d4d58b51ab35880db1113c346735ba086cfc477d1ad061e270cbf3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\opera.xltm

Filesize
18KB

MD5
f08fb2c77ea13dcc716f6c13b62eaed7

SHA1
51486cbe02019c5bdf2e557b7cf42309f5f50804

SHA256
f0d15066f9af7d87c80fc3e7408014d08ad8fb55e33ece47c956774b799d9f44

SHA512
57e50b3cea8ccaf1dc2d08b417cf6acd178d71d590ecbb4c6ab662464b1dd7d5f3e120837a3d069da732e861e68e2f3164138185872ef458b71c86d2edde79a3

Download Submit
\Users\Admin\AppData\Local\Temp\708827\Manufactured.com

Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
memory/2876-72-0x0000000003A20000-0x0000000003A83000-memory.dmp

Filesize
396KB

Download
memory/2876-71-0x0000000003A20000-0x0000000003A83000-memory.dmp

Filesize
396KB

Download
memory/2876-75-0x0000000003A20000-0x0000000003A83000-memory.dmp

Filesize
396KB

Download
memory/2876-74-0x0000000003A20000-0x0000000003A83000-memory.dmp

Filesize
396KB

Download
memory/2876-73-0x0000000003A20000-0x0000000003A83000-memory.dmp

Filesize
396KB

Download