lumma | 8260647571aae648b61118dec247eb50b3fd6e7d7f0235b6db899ec599f55f23

Analysis

max time kernel
149s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20250313-en
resource tags

arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
submitted
14/03/2025, 12:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TradingView Premium Desktop.exe
Size

676.6MB
MD5

49da650eed80ed136bc6b6138100ea7e
SHA1

b6b666662e9589f545daa347939c9cbe9312b8ea
SHA256

2c04d438959cf7e075bd80d101b5405c5a0ad48143c733da30cca323a29b37f9
SHA512

97a90458688c2f3abf063d56e96f4554ba88d26edfca446b5c8a800bf6bd4fb29ed2b947d84ebb06d3e5097b0c0457e07b782c3df2cc2b19beb755910379c413
SSDEEP

24576:y3QK3COBlxYfh+bHyQVp7W2+zzxZXGOWWhMoiC3NaIhtW+nJKWRT:cVBHEgHyWqzthGOH3Jht7JKWRT

Score

10^/10

lumma discovery spyware stealer

Malware Config

Extracted

Family

lumma

https://latchclan.shop/api

https://featureccus.shop/api

https://mrodularmall.top/api

https://ijowinjoinery.icu/api

https://legenassedk.top/api

https://htardwarehu.icu/api

https://cjlaspcorne.icu/api

https://bugildbett.top/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	TradingView Premium Desktop.exe

Executes dropped EXE 1 IoCs

pid	Process
4684	Rid.com

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
4308	tasklist.exe
4568	tasklist.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\IncludingSequence	TradingView Premium Desktop.exe
File opened for modification	C:\Windows\OtherwiseFatty	TradingView Premium Desktop.exe
File opened for modification	C:\Windows\CanadaTied	TradingView Premium Desktop.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rid.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TradingView Premium Desktop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	expand.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
4684	Rid.com
4684	Rid.com
4684	Rid.com
4684	Rid.com
4684	Rid.com
4684	Rid.com
4684	Rid.com
4684	Rid.com
4684	Rid.com
4684	Rid.com
4684	Rid.com
4684	Rid.com
4684	Rid.com
4684	Rid.com
4684	Rid.com
4684	Rid.com
4684	Rid.com
4684	Rid.com
4684	Rid.com
4684	Rid.com

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4308	tasklist.exe
Token: SeDebugPrivilege	4568	tasklist.exe
Token: SeImpersonatePrivilege	4684	Rid.com
Token: SeImpersonatePrivilege	4684	Rid.com

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4684	Rid.com
4684	Rid.com
4684	Rid.com

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4684	Rid.com
4684	Rid.com
4684	Rid.com

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 4812 wrote to memory of 3652	4812	TradingView Premium Desktop.exe	85
PID 4812 wrote to memory of 3652	4812	TradingView Premium Desktop.exe	85
PID 4812 wrote to memory of 3652	4812	TradingView Premium Desktop.exe	85
PID 3652 wrote to memory of 4340	3652	cmd.exe	87
PID 3652 wrote to memory of 4340	3652	cmd.exe	87
PID 3652 wrote to memory of 4340	3652	cmd.exe	87
PID 3652 wrote to memory of 4308	3652	cmd.exe	88
PID 3652 wrote to memory of 4308	3652	cmd.exe	88
PID 3652 wrote to memory of 4308	3652	cmd.exe	88
PID 3652 wrote to memory of 4360	3652	cmd.exe	89
PID 3652 wrote to memory of 4360	3652	cmd.exe	89
PID 3652 wrote to memory of 4360	3652	cmd.exe	89
PID 3652 wrote to memory of 4568	3652	cmd.exe	91
PID 3652 wrote to memory of 4568	3652	cmd.exe	91
PID 3652 wrote to memory of 4568	3652	cmd.exe	91
PID 3652 wrote to memory of 4596	3652	cmd.exe	92
PID 3652 wrote to memory of 4596	3652	cmd.exe	92
PID 3652 wrote to memory of 4596	3652	cmd.exe	92
PID 3652 wrote to memory of 4384	3652	cmd.exe	93
PID 3652 wrote to memory of 4384	3652	cmd.exe	93
PID 3652 wrote to memory of 4384	3652	cmd.exe	93
PID 3652 wrote to memory of 4292	3652	cmd.exe	94
PID 3652 wrote to memory of 4292	3652	cmd.exe	94
PID 3652 wrote to memory of 4292	3652	cmd.exe	94
PID 3652 wrote to memory of 3156	3652	cmd.exe	95
PID 3652 wrote to memory of 3156	3652	cmd.exe	95
PID 3652 wrote to memory of 3156	3652	cmd.exe	95
PID 3652 wrote to memory of 4624	3652	cmd.exe	96
PID 3652 wrote to memory of 4624	3652	cmd.exe	96
PID 3652 wrote to memory of 4624	3652	cmd.exe	96
PID 3652 wrote to memory of 5296	3652	cmd.exe	97
PID 3652 wrote to memory of 5296	3652	cmd.exe	97
PID 3652 wrote to memory of 5296	3652	cmd.exe	97
PID 3652 wrote to memory of 4684	3652	cmd.exe	98
PID 3652 wrote to memory of 4684	3652	cmd.exe	98
PID 3652 wrote to memory of 4684	3652	cmd.exe	98
PID 3652 wrote to memory of 5968	3652	cmd.exe	99
PID 3652 wrote to memory of 5968	3652	cmd.exe	99
PID 3652 wrote to memory of 5968	3652	cmd.exe	99

C:\Users\Admin\AppData\Local\Temp\TradingView Premium Desktop.exe
"C:\Users\Admin\AppData\Local\Temp\TradingView Premium Desktop.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4812
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c expand Photographic.accde Photographic.accde.bat & Photographic.accde.bat
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3652
- - C:\Windows\SysWOW64\expand.exe
    expand Photographic.accde Photographic.accde.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4340
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4308
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4360
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4568
- - C:\Windows\SysWOW64\findstr.exe
    findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4596
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 184714
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4384
- - C:\Windows\SysWOW64\extrac32.exe
    extrac32 /Y /E Placement.accde
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4292
- - C:\Windows\SysWOW64\findstr.exe
    findstr /V "Looking" Ut
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3156
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b 184714\Rid.com + Would + Seasonal + Newsletter + Navigation + Standing + Happy + Brighton + Amy + Pos + North + Religion 184714\Rid.com
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4624
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Swift.accde + ..\Adapted.accde + ..\Surgeons.accde + ..\Jj.accde + ..\Pointing.accde + ..\Serbia.accde + ..\Staffing.accde + ..\Donation.accde J
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5296
- - C:\Users\Admin\AppData\Local\Temp\184714\Rid.com
    Rid.com J
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:4684
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\184714\J

Filesize
577KB

MD5
a16a9a31a8f29e07a6d2d9d5e8ccb0ae

SHA1
3f2925cf6d662f1b0efaa4bdd5a64ded9b0c03e7

SHA256
2ef8b22ee59a291296ec77cbaa0ff2be5eb5ceffa1f3c9e71f3c462539d60bb2

SHA512
ecc4e88d516f521dcf7ff4177c0efb3d9d9bdee3e393592cd572d840a20ebe8c8ff91d8c75e2132bc981c186d03a985face4aff9bf0e252afc5a9b899ddf5af6

Download Submit
C:\Users\Admin\AppData\Local\Temp\184714\Rid.com

Filesize
579B

MD5
828d8b7c93544d2c933c4dab818076f1

SHA1
2f4d9a48f1d6efaf66b0f7aaa509d3122e06c216

SHA256
a65c165afc16a53dba05f0b04435fb5c70501cd1ae38f39f60aa0731540c0201

SHA512
e14e3d1130c52241a16746e2fbc6f081edb0d704cac8cd179f42641547ef89fe4d79c9c91acacc24aaebe9383b8ce5d03cbf78b1e46a2ad1e8f47bd14ca4e406

Download Submit
C:\Users\Admin\AppData\Local\Temp\184714\Rid.com

Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Adapted.accde

Filesize
63KB

MD5
a3197cd43f15c99b7672c38f226bf17b

SHA1
7260ca09a07b5c8b349f526ca1c1602d335c2ce5

SHA256
fd64cb4d3d892e52797e72e23f1b1fe0b6623b34877c66af02572cc06cf33a6a

SHA512
fb367adbf3e7ea508221e2c5301edf8c317770292dd22b0d1c7fc4006dd83dd1f0815eed7b7984d290eefd5e9543110070dcccc46ae77e00a04bcf96a0571277

Download Submit
C:\Users\Admin\AppData\Local\Temp\Amy

Filesize
82KB

MD5
e7781310866bbc27440a011bd6ac14c5

SHA1
18974f8bf7a74eb39e16ef96ec58a11296d8795a

SHA256
2e21cf5735293b178dbd5125bc5f42ee103db0f077c0c6d07e2ec2385eddea5b

SHA512
79c845fc4f01edae470754c9d50f98d755086d078315b78819014e3451ac87bee678a2ef7857bedea7d948063a24f0f0632d44a3e829a5fa7b2bc4498fe992e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Brighton

Filesize
62KB

MD5
3ecbf5f56c5fa1f1e919e2b3bf5221fa

SHA1
7fae4a4588eb967324aecdebd11d36454a0822a6

SHA256
b7600e72fdf891eb7e80328de43fb213e43bbf532386255adf2dbeb5caca5eab

SHA512
3f5c14848a8ebb9a5847bf9dd44fbf49fb4a3f0bb479ecea6c36983e10a89ff3dba93e0883e2ce085cfcdc891b79417248cc5de1bdfb1c8224e2ec490fb90f80

Download Submit
C:\Users\Admin\AppData\Local\Temp\Donation.accde

Filesize
61KB

MD5
02aeb4e0dfdc7cdb9fa84c066a8bd44f

SHA1
94ebbf60096b102a17c9b081423c31660b9871a6

SHA256
891b683cf2ddf83723ef035cced14afb26f501647b5f5a70d18e6d45270ca29a

SHA512
30ed31ed8036cadf749a23ec6e7ea10b35b0aaad8ecaec65b09cf3ad885dd13436bc9312b302fd8496f00d0852d547a311303f4e7e665a66133b19463dcf68e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Happy

Filesize
112KB

MD5
fe164dd17d16534a9d6e6b2db3576791

SHA1
53239ecc28b9b0fe52917d2ee734d9d0b981179b

SHA256
81a1927c0440e451ae4237b61a117d64efce8670f1b599c2bc20f83e84861103

SHA512
cd388202f2062a05a499f98c3ffbe2484a61ca0a1ac96f59350b7cb59d567b72d8ff3808db7c34a935d5f66dab180621dcdd91365d4fdf557c036be969181545

Download Submit
C:\Users\Admin\AppData\Local\Temp\Jj.accde

Filesize
70KB

MD5
c1c46bb61941d01802b2c18fb91319f7

SHA1
68c71f0a69f1ead87e46d53b5240ece7542f663f

SHA256
6b6ccd67838cd45a37d4ed0be293fa3ed450c1666392949d8258170f670d5e2a

SHA512
e83b805a1e8f2cb651f89881e1f16d6fa44021d772922c1bb836dd73e94cb84add9cf71e76c3c840112358abc840a7e42dd539ae491e4eb4768a2db3341bb73a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Navigation

Filesize
56KB

MD5
b72cf93381bc8751d7ef5ffac06e3fee

SHA1
ed1c20f5cf7bffc733299b0cd95321881346bb69

SHA256
599a8d0fcd369607948d32eb2d0e820c8d9b3a00a4ac974ea064902f6e26204b

SHA512
9722eece9088959331cde4d72c7f0440366c7f6627d39f9336ef06b1bafb30899f6801e916dde7435a05f35efe3d17b3f646cf8d88ae51a6cacca920229e0cfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Newsletter

Filesize
57KB

MD5
22485c17c5d0c70a2e8b408d4ac2b1dc

SHA1
45d276b3cb9504f3fa4ec0eaa1740808e139698e

SHA256
e80b2e8b88cbb0e752c8b117365f36e704a6a1a0df5e21b25500baa76ad3f681

SHA512
7b501660048a9ce0be5263c73ffe0a6b9993ac4f5b07852023f1fdd67d8f33b193efb78e68b440640861792c37c34aca70f5216969361cfcdcc152bac1338349

Download Submit
C:\Users\Admin\AppData\Local\Temp\North

Filesize
115KB

MD5
e71bcb706ee1fa52fc19e21684372b5c

SHA1
751892319f0bb6006550ece163c01c6d3d4eebbe

SHA256
0338fddf5cc4c0f1d6784d8bde3e3225fff4beaf1ccc0df41665f48db7058b49

SHA512
726add9fd3f54c0814f1fa2fb966988751a0f5d7f6e63baba167f6b8f4008981413741dda8ecd74002d4e181e6008a7f993122dc332320bb13d8e91846d2240e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Placement.accde

Filesize
477KB

MD5
a1b34cd741e8e88a1f4c21c576221920

SHA1
9326e7b705a53e49accf15d945478d9feb840974

SHA256
4f405d9566c70a7d8227d985bb93ba8a638580166d85980299c13748a4aef229

SHA512
9b4b4bebbae7418b48f144dbb3b039259241239cf2b0efd6575c3b0bf2ab7d70a4e59fc76df833e54a9ae3d9fe6babe0231c3c664964fb670a12764d83b7287e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pointing.accde

Filesize
59KB

MD5
5984e3b0d843de7e0775dc1dc97c500c

SHA1
3473b191e4a98d3527e74299a6cee2c941c59710

SHA256
64362e01c925d01cfa1b5556b42723ebe2768e1b46cafc99e089eb2fa0b15cbc

SHA512
da5e1f0ac4da566825ce70f893c5b00ceb654af5c151fb8ed0cd7f7b46455c2d303a6d1ea90794001108e9727f7eece8a37dfe01df54ac9a183dab68bc1f6e30

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pos

Filesize
105KB

MD5
82858a54256677a58d4d2367e0818a89

SHA1
b0d8c8981a492078aacba472b894d772e9c6d31d

SHA256
c14d1da4bc8cf346938a31e20e03cf232444aa91a8545fbc06ab5088e7a4aebe

SHA512
b14531de5a9025381cb42a81b50e40c90f8b4b4e3e4993e588c007f773898e9297682791538509ee85d707daa25030a178187b1c1fe063e1d5181412c157e7f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Religion

Filesize
5KB

MD5
b179a7bf36293552e544bc5ff09cceb7

SHA1
07c5556477ce8ffda4287afb4a0131b5ed88a427

SHA256
baecf960456effa9a4b9a2d0af2ccd70142fa8b70408ecf5d7b3b02568ef5ceb

SHA512
9c17de291ba7169d7034bbd6bb128dfd84b647402ab2a20f4916c6ba9366494cad74e2fcb8fd5adbf9af94744c58dfc71e177e1cf0ba3f1ad4db0f074fc63822

Download Submit
C:\Users\Admin\AppData\Local\Temp\Seasonal

Filesize
140KB

MD5
56743d1c99fe38e50d8871e34f2cee91

SHA1
ec309de3fa347480a1c971e92e192a27c404192f

SHA256
43565fdabf11e8f537fbc08903352dbc93850c2364120972f2f5b16fd5c65ac3

SHA512
636074b6d2cc93128e54d8222da07673d5b50855ed36e4970865b4910ca086ec328db067263b190f178cbccb0f0045b2bbfdf3ab27aa149485e2d56c9d4c77cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Serbia.accde

Filesize
86KB

MD5
17c49d937f2895f226260e2e3985ca50

SHA1
98f7e2f871f1e764ca0729d0740295da2fa65a14

SHA256
a42aa9b2629e40ee071da735c50c0e0456cd4e0ff459586b39e01ef42b85ab32

SHA512
34823164f33675b14eccec1c25cb0de7b1e812729db36de137fd2a09c8dfe659f1705158e74d6c86750a40c46c2ae3ceeec340180c6b14723d0d3f59fb12c113

Download Submit
C:\Users\Admin\AppData\Local\Temp\Staffing.accde

Filesize
63KB

MD5
6af4d57148a3875519fb6257499c52a9

SHA1
e70ae3ddf7f19a3b07b47709cd17989aeefec97b

SHA256
39ec4c64df3303204def7cdf2be164b415c0ce8b53e5f5e0c9b943682f7a2428

SHA512
9c7d731b40ae050057a0f086a816e60ae01cf05742d833b33a92185858f54484b294c606dbab54caf098f0bf32830d50d049d8b3cbf51ec5496d9de07d597293

Download Submit
C:\Users\Admin\AppData\Local\Temp\Standing

Filesize
121KB

MD5
11140eef86f9038998d60f03d39b94c6

SHA1
4c746b2398bc8f3d55bc957812a357f8746c5b90

SHA256
2d41ce85a7c46afb7504d3df7449943e6be944a7b8eb65d0a2df43960fc86b38

SHA512
3c66b5ff21f3b4da7d0027305cbf9e9ea4771eae5ae6583d89ed2d59afe49ded9b340ad7c6fed7dc059ec4b6537780d77563945928bf47bd8bf6748f1da393c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Surgeons.accde

Filesize
79KB

MD5
563793bb998cc6a0d8dbd1938db17722

SHA1
eff95512b98d65221ee539522f5450906b3b7eec

SHA256
ed203cbf2579321d155c2a4b6ed009ab5fa843cb5b12b2d2cd1ba5a5283f7909

SHA512
2bc2d55ba526243e473fba80a1a3614e0419bfa3e82fc02f24be6b409cf3bebef9d3e943a22a8fd31a2bf0a1608ffa7d8badf8681f4c78922e1e3684a8d3b031

Download Submit
C:\Users\Admin\AppData\Local\Temp\Swift.accde

Filesize
96KB

MD5
2ba1907e2f74e12c361e345ea396abb4

SHA1
e03916de715cadf0b216c54ecde50fc01bc9a697

SHA256
51097095bbd53c74d8da8b5020839e9872fe43b746f7e52c44eefecd2c5a872f

SHA512
11838a69de25372a468cff70adb24d3c903f62a9bd9eaacb1b9b940007974a5c0aa56e45a97a352524beebcdcf53edea59c53511af52fc4ca4221ef7dbd549f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ut

Filesize
586B

MD5
38b5d69a68c4d4d5b488436ba8d47d9f

SHA1
ed272362cc6ba05ea2778d8a68cdd4b639d07992

SHA256
29380ec9b91bb5ad299c70b16b44d500b00e3ab16818db7c28d2895eddb3d7ac

SHA512
b7f4ad5dc3fc4b62012eb4abeadc044b04c682743c23d1ed58766dd90520f3926ee9081f72708fb81bfc9955cf3bc237ea52c547cc041e5476a3feda8ceabbd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Would

Filesize
69KB

MD5
3577a857b96f3e52132f753482dd2b09

SHA1
07041d3de6ff4ec8817a2f6b2b8b4cce7b9c8de9

SHA256
26ae0e3376d87c261dcd1f5c75a496fd24d0945bc6bfe6f4cb6a626d657ea2f7

SHA512
8106abdeccab06399a173dadb2ba2f7df86d273e5dfcfb5a4b34bcee9045b54ab6cb0697d1f421992bd4f60fc1b84597802076b83bd79998edfe4e98be8e432e

Download Submit
C:\Users\Admin\AppData\Local\Temp\photographic.accde

Filesize
12KB

MD5
22e04312e77dc3a4e2672da4aabb8ecf

SHA1
224f0260dd244898cc9c32659094d515a3ff8788

SHA256
c83d77f26297926f7907cc154acd0f64cd631d9495261f0fa5b906221b22bbfa

SHA512
2a847dd4ace61ffd3f6985e9f39cf24d1162eab913f75f7e5347f7c5cfa4bf4e32c9b6e13c4988c2dc8701e47fd5ed1067d7483089893346d6c9103eda174de1

Download Submit
memory/4684-78-0x0000000007790000-0x00000000077F5000-memory.dmp

Filesize
404KB

Download
memory/4684-80-0x0000000007790000-0x00000000077F5000-memory.dmp

Filesize
404KB

Download
memory/4684-81-0x0000000007790000-0x00000000077F5000-memory.dmp

Filesize
404KB

Download
memory/4684-82-0x0000000007790000-0x00000000077F5000-memory.dmp

Filesize
404KB

Download
memory/4684-79-0x0000000007790000-0x00000000077F5000-memory.dmp

Filesize
404KB

Download
memory/4684-85-0x0000000004FB0000-0x0000000004FB5000-memory.dmp

Filesize
20KB

Download
memory/4684-86-0x0000000004FB0000-0x0000000004FB5000-memory.dmp

Filesize
20KB

Download
memory/4684-84-0x0000000007790000-0x00000000077F5000-memory.dmp

Filesize
404KB

Download