lumma | 575b3435debce773faf1403dc24e23d8133e8828ba57a0d680961a61bde1b435

Analysis

max time kernel
121s
max time network
152s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
20/03/2025, 02:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TradingView Premium Desktop.exe
Size

677.0MB
MD5

395b80b49dddeb9d2c978f6d8c79e262
SHA1

7325bcc615151f352b1deab06864299d438177a0
SHA256

83179e9421328bbd3922a109e5ff86f22543ed60bcb98b6a403d5f2706ee6ee2
SHA512

d360a0b9f6140a011f054a19c45f5464773548fef31eed10986b3e5cf2451483282c7202ba95940d18de48aaf35bb54e97cf957db58cdcfbd3f2723e7025dc3d
SSDEEP

24576:v3tpA/FF8NJiV+wSrG8Ec7EguyQ51YaaDrTVn4uUKD85tYcQQ7rua/:P04NkV+w2h7FQ7YDZutYsrua/

Score

10^/10

lumma discovery spyware stealer

Malware Config

Extracted

Family

lumma

https://cousidporke.icu/api

https://caliberc.today/api

https://pistolpra.bet/api

https://weaponwo.life/api

https://armamenti.world/api

https://xselfdefens.bet/api

https://targett.top/api

https://armoryarch.shop/api

https://blackeblast.run/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Executes dropped EXE 1 IoCs

pid	Process
648	Sad.com

Loads dropped DLL 1 IoCs

pid	Process
2992	cmd.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
2928	tasklist.exe
2608	tasklist.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\TonyPo	TradingView Premium Desktop.exe
File opened for modification	C:\Windows\PrimaryHarmony	TradingView Premium Desktop.exe
File opened for modification	C:\Windows\DeadlineSentence	TradingView Premium Desktop.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sad.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TradingView Premium Desktop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	expand.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
648	Sad.com
648	Sad.com
648	Sad.com
648	Sad.com
648	Sad.com
648	Sad.com
648	Sad.com
648	Sad.com
648	Sad.com
648	Sad.com

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2928	tasklist.exe
Token: SeDebugPrivilege	2608	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
648	Sad.com
648	Sad.com
648	Sad.com

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
648	Sad.com
648	Sad.com
648	Sad.com

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 2448 wrote to memory of 2992	2448	TradingView Premium Desktop.exe	30
PID 2448 wrote to memory of 2992	2448	TradingView Premium Desktop.exe	30
PID 2448 wrote to memory of 2992	2448	TradingView Premium Desktop.exe	30
PID 2448 wrote to memory of 2992	2448	TradingView Premium Desktop.exe	30
PID 2992 wrote to memory of 2600	2992	cmd.exe	32
PID 2992 wrote to memory of 2600	2992	cmd.exe	32
PID 2992 wrote to memory of 2600	2992	cmd.exe	32
PID 2992 wrote to memory of 2600	2992	cmd.exe	32
PID 2992 wrote to memory of 2928	2992	cmd.exe	33
PID 2992 wrote to memory of 2928	2992	cmd.exe	33
PID 2992 wrote to memory of 2928	2992	cmd.exe	33
PID 2992 wrote to memory of 2928	2992	cmd.exe	33
PID 2992 wrote to memory of 2692	2992	cmd.exe	34
PID 2992 wrote to memory of 2692	2992	cmd.exe	34
PID 2992 wrote to memory of 2692	2992	cmd.exe	34
PID 2992 wrote to memory of 2692	2992	cmd.exe	34
PID 2992 wrote to memory of 2608	2992	cmd.exe	36
PID 2992 wrote to memory of 2608	2992	cmd.exe	36
PID 2992 wrote to memory of 2608	2992	cmd.exe	36
PID 2992 wrote to memory of 2608	2992	cmd.exe	36
PID 2992 wrote to memory of 2624	2992	cmd.exe	37
PID 2992 wrote to memory of 2624	2992	cmd.exe	37
PID 2992 wrote to memory of 2624	2992	cmd.exe	37
PID 2992 wrote to memory of 2624	2992	cmd.exe	37
PID 2992 wrote to memory of 2560	2992	cmd.exe	38
PID 2992 wrote to memory of 2560	2992	cmd.exe	38
PID 2992 wrote to memory of 2560	2992	cmd.exe	38
PID 2992 wrote to memory of 2560	2992	cmd.exe	38
PID 2992 wrote to memory of 1104	2992	cmd.exe	39
PID 2992 wrote to memory of 1104	2992	cmd.exe	39
PID 2992 wrote to memory of 1104	2992	cmd.exe	39
PID 2992 wrote to memory of 1104	2992	cmd.exe	39
PID 2992 wrote to memory of 2892	2992	cmd.exe	40
PID 2992 wrote to memory of 2892	2992	cmd.exe	40
PID 2992 wrote to memory of 2892	2992	cmd.exe	40
PID 2992 wrote to memory of 2892	2992	cmd.exe	40
PID 2992 wrote to memory of 2496	2992	cmd.exe	41
PID 2992 wrote to memory of 2496	2992	cmd.exe	41
PID 2992 wrote to memory of 2496	2992	cmd.exe	41
PID 2992 wrote to memory of 2496	2992	cmd.exe	41
PID 2992 wrote to memory of 2912	2992	cmd.exe	42
PID 2992 wrote to memory of 2912	2992	cmd.exe	42
PID 2992 wrote to memory of 2912	2992	cmd.exe	42
PID 2992 wrote to memory of 2912	2992	cmd.exe	42
PID 2992 wrote to memory of 648	2992	cmd.exe	43
PID 2992 wrote to memory of 648	2992	cmd.exe	43
PID 2992 wrote to memory of 648	2992	cmd.exe	43
PID 2992 wrote to memory of 648	2992	cmd.exe	43
PID 2992 wrote to memory of 2132	2992	cmd.exe	44
PID 2992 wrote to memory of 2132	2992	cmd.exe	44
PID 2992 wrote to memory of 2132	2992	cmd.exe	44
PID 2992 wrote to memory of 2132	2992	cmd.exe	44

C:\Users\Admin\AppData\Local\Temp\TradingView Premium Desktop.exe
"C:\Users\Admin\AppData\Local\Temp\TradingView Premium Desktop.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2448
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c expand Costs.tiff Costs.tiff.bat & Costs.tiff.bat
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2992
- - C:\Windows\SysWOW64\expand.exe
    expand Costs.tiff Costs.tiff.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2600
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2928
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2692
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2608
- - C:\Windows\SysWOW64\findstr.exe
    findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2624
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 701617
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2560
- - C:\Windows\SysWOW64\extrac32.exe
    extrac32 /Y /E Utc.tiff
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1104
- - C:\Windows\SysWOW64\findstr.exe
    findstr /V "Ruth" Equality
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2892
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b 701617\Sad.com + Io + Thin + Experiment + Detect + Subsection + Meter + Well + Walls + Substantially + Mcdonald 701617\Sad.com
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2496
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Highlight.tiff + ..\Pig.tiff + ..\Contacts.tiff + ..\Adjacent.tiff + ..\Murphy.tiff + ..\Be.tiff + ..\Sluts.tiff + ..\Chances.tiff i
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2912
- - C:\Users\Admin\AppData\Local\Temp\701617\Sad.com
    Sad.com i
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:648
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\701617\Sad.com

Filesize
1KB

MD5
318a1af14e5cc5ab819e3b0635d30ae6

SHA1
3a7a378048a952a3bb56d7d0b9a127503beb0a69

SHA256
0c91dbcc50930b9f8450525daaf7cb25258a721d5f2909f4a0b3459429cd9503

SHA512
6602bd24a209d44df3d761ea0c67d68031d629bfe32fe2cbf96878e24d5f27651b37b0595d3a464da466c1de78f5271f5d6b1cde60d76267bfc83129d1d368ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\701617\i

Filesize
555KB

MD5
01cef1f79fedd7ef149704985e2a869b

SHA1
6d4856da2f3c1f254eb552fda5b6612e1636b3dd

SHA256
d640837e5b31936211b48100f90a8efeee0df97b84f202a9e22e2901bac6ba72

SHA512
04bc429145bc89684f8ed06f62013125fca35447337e2c91ba030b49c1702adb52037b3e21f3be661bf9443259ac06329965b99caaab9faa3c5dc3315cfdabf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Adjacent.tiff

Filesize
61KB

MD5
d446f879fc68587d9d0ff54fa9788558

SHA1
d75ee42615dd794deed9ba1fdb8e4d26e09cb3c6

SHA256
944306e86ee9526c8f2d281f09ccf86747cb2e3638e0e6d5953d40d2591ed4f8

SHA512
6aac18ec2188eb293ad7b80d66c459dd84bf5c2e2f5ff1a6767013868d677de509ab1c166055e45f5e60aaf5a4f14729672a511b4df2fd292dc588a74ec360c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Be.tiff

Filesize
54KB

MD5
b4de58ea2bdec62dd9bfbce8e8dadf5c

SHA1
ce72b635462b09e80ab4515b80b10ce4fe26b7d7

SHA256
91b426f32f51898d8a4ac95ae842b1b887b9c58f7cd97e79b3c9659e32b6e9ab

SHA512
f676e1f261bb2529e3bdbb6e7ca4c23d578f5ba67bd45f264f8a8696dadae24f4d5e3b06ffb68b8588ab3ec9eb1f6efec8e28585778ee0579178b843183e202f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Chances.tiff

Filesize
82KB

MD5
22bc4e72fe5b3441e0ba0539269ac515

SHA1
f07d0fcfbf023f481ca035efd8c7ff72959e879f

SHA256
ecf1695e95cd0138b1f6b1af20f8e4e1a21855678137d2d418098a65ad258cd7

SHA512
738dc8e0c70512f9e034004ae90193af51703c7e09150b6b1fb62e9f2aaca47c61dc401f54260521515ce69c520081bf2d72f9e21b0d2d9e6f0637bda0c41aa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Contacts.tiff

Filesize
89KB

MD5
49c8e613ce09debb2e58328e231b299d

SHA1
3ab0af9caeab54a0cc43b9b7bb60f800524b29d4

SHA256
d7f42a6fda2d617d3dc94ce93d6377bbc1185096e7e5e498b9bed6da467f8a14

SHA512
52b5e9cae4b179bcf477051a90417fe509e40f10e06b5164e1be3c6f33f284bbf5b6f2b6cbac1e4ce544b905f6c5d1e9b526fd307c4e3f7f618ad2d47d950193

Download Submit
C:\Users\Admin\AppData\Local\Temp\Detect

Filesize
147KB

MD5
2f8d8ed1b429588a20f7cb947b6252b0

SHA1
36506c2d234451ec5970e9aca50675bb96cebeff

SHA256
d51dc7bf89ce162eda9edacd23e2a0502fcdb2788260813a9044ba2cdd5b8746

SHA512
05d6c26b06d4113faf1de035aa5364d20aec8b9b4fecf1b4a2d29cf84e27d21d3f92709a793e8e7f617587faf9456ea7589537f81f11f0f31bb95394b6e83a35

Download Submit
C:\Users\Admin\AppData\Local\Temp\Equality

Filesize
1KB

MD5
05e600810c686504a75bc647d319e88c

SHA1
1e7c0b29bc655ea7fb2a10072da93443da6465f1

SHA256
c541a88f481e1a47980e35bb0b0826f9085d8c863a548a50ef6e640da72ed773

SHA512
2eef08989e7f89448705d0e031d36529da319865d80010c3a1956b4f65dbd3169da697670b03dc8480cf6a510053484169192b1067c8f87c8e77b6f765bb9231

Download Submit
C:\Users\Admin\AppData\Local\Temp\Experiment

Filesize
65KB

MD5
a5c455a394b952405fcb60dc3239043a

SHA1
9e804ba1275155e78e266a857cffd8869f5333f3

SHA256
f6bdb8a70bb2b0c41f6d838f4967018a83073228b8dc16945b7cdf049748d051

SHA512
68d1e45934a10798f2369e5a2f9bf6acfe158cf36993c1257ddac93cddfc366d53ad20827778721e9dcf9c9cdf4f88d9e5ac3f4ec893846dc90fdb51a3bd4231

Download Submit
C:\Users\Admin\AppData\Local\Temp\Highlight.tiff

Filesize
69KB

MD5
ed7370fa93247b3f023934baf8b0d8d4

SHA1
740a1f0f0d4049892a202e87b3f4b11635fbcae7

SHA256
ab4954ccde386302853ded9b67f3730ce0134a13b91dae8661b4763541786150

SHA512
04ad0df3e52fca02245b170748ea0ce614bffc65bcba0226aff59cd23962c89737d65888ce4af91a3df08d0090a9c0ff02a8db995dd4153cfad9108b0a863cf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Io

Filesize
138KB

MD5
a7956343a046e426c2a6ebf443a25dc3

SHA1
3b25a44c331a7e5378b365028f4ba34a7d8fdc7b

SHA256
453193d27cec5e40adb56c2bcbd1b445e9329065b4439c26f9bd3dc59f9c23b6

SHA512
87b691f230f137bf9a9c982054a2dca5e67900774cc887d8dda88781a8b77e5c62b243f87bbfc7f82cafef6c6f9e86f1958896318154d2d8f86fcabd9cb9231e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mcdonald

Filesize
73KB

MD5
5c844dffde2e473e482bfcae7bf20e5d

SHA1
90032f5cc0874e9866e5ce71a3edce6b5c001c13

SHA256
8f3521410cf40a40aee3c0cc984bfd2990b8902a0661e9b0ec39738e8eabd311

SHA512
95cb1be58a72efd42a951477e1f70ba01a676a79f3bc5d457727da0b0e829676d6b1852802b97074c60e83c2a197c4366120b40450bc55738bea6e0fecf9ca77

Download Submit
C:\Users\Admin\AppData\Local\Temp\Meter

Filesize
73KB

MD5
e5c6d8fea3e3b65672d3d473d53039f7

SHA1
3dd005ae342dd243746a86be3dd45f69b57c06f5

SHA256
4361f40398bfebf7a5f6b1d18b94fbee376a6c0540ec9a5d8a9d1a8109ed3d39

SHA512
00e90f04960f49819c78865bb1253b5fa1ac992f6c87c848aa5f52458bce609bcc4d3af16f03088762997cab921249cbf99f39f8d0c0a38bb96062ccc7aeffc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Murphy.tiff

Filesize
94KB

MD5
f9288dab835b9cce073da3877ef8429f

SHA1
a57f88e3c68244809a12f6d02bbf162f70e1f0c5

SHA256
d1a34346ebcd5db73a3a80a6d3d86366809df955e17460c325740075c781348b

SHA512
2c37508011c5ca5bc1f3263f234dbd2ae7cf9f452a225e3ecae8d017e4d2aa9ed9a6482720fcb226107beb09eb5a0b32ade3324226c0175dd6c785cf6fb1ec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pig.tiff

Filesize
53KB

MD5
e520e7b534200b4ad5dd887db8d6c9d7

SHA1
027531234826b32e7fcec2e923bb204188ad76c7

SHA256
1e1cc6d5ec22ccfef048dbf7013f45fa3c5cf4aec4aa4423cbc8f35696b2bf0b

SHA512
166bc86d59002b0fcd1a4fb0493e99f658670dd50584e9ad3b66a8cc0a2b87a729822a5794891cf3d445e329b77b96ddcd8c0bd4c96b8ef788ba3adcf665d8ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sluts.tiff

Filesize
53KB

MD5
18d0e3a4c112f20fcac57828830edebe

SHA1
d38185290346590374ba87938783fc510faab6bd

SHA256
a544d9a3e82b8c3b90876ced68d0091bdeb47069896bd540e30b9cc742faf328

SHA512
6c3ca0083ee51c532ff7575984cc04e66426f68c003607d140e379009cac03716bc76be8a0b36601ff3544d49a293826449dfc76cd4ee95ed16c44e5ea0dc4f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Subsection

Filesize
119KB

MD5
55e4c5676cdb583080c45ca06eb32693

SHA1
5580fc4ed15e975080071557643fe97e67868ac2

SHA256
03eaf63083fdc7270f1a126a3678cdcd39221b049fd2c81716da3199ff3d42c4

SHA512
739d2e2ecc7cc8f7d936c1cec1c903a10c1dd6992e3a813deb4139bc3e03b12ccfc8311ae4c9d990b27be5ff84ce738e7c7c582f3ed6c8975502aa1a7ddb0dec

Download Submit
C:\Users\Admin\AppData\Local\Temp\Substantially

Filesize
64KB

MD5
3d689bf36746c49ce5813eda464035d7

SHA1
f51f348ce156a5dfa0a6ff52103e1e6816e6206a

SHA256
7bf53ce8072e356e7d49314f486cbbc4084e131c16be1cd663ace65e4a5e9baa

SHA512
5487d8326aa4a2410fbebccec2df2ba46b38f7feaa08f52d7b658272623eaa82f25b447df5392d5e6a55fc763251b7855bf2942452a21c2fb4338c33bee9ca01

Download Submit
C:\Users\Admin\AppData\Local\Temp\Thin

Filesize
70KB

MD5
88f173557c468a1129e926e38788793c

SHA1
a31a53e5bc737ec036caa1f561b68628b3fa0bb0

SHA256
867d503a871bb1410c66bca4f71a6a90b4fb7653f83482642b008dedfc8a627e

SHA512
f67042f6d3a8a062517543511c07251e0d3f8367170d338d9e77ddf9469ab2e415735007c8746c5264b4fdb36a95a7f21be9ed2bf8c208cae4f56a310c35794a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Utc.tiff

Filesize
477KB

MD5
86f5aa375fe4ac6380849c613f010c9f

SHA1
051c3cc9a2ebe4223df8ffc4c1c1201973cccf01

SHA256
feaa040aa0794ffcc8497201ab2b226569947deac6e3d6b7b9af5651cc58398b

SHA512
dc75e4a40bde2fd60e675cb8a356f75039992cde1182b11c7fee8ba3e251ad74ec361d60243b5ec2c8ebd0084aa8088e4592bb8bf0de923d8db0830a89bb2181

Download Submit
C:\Users\Admin\AppData\Local\Temp\Walls

Filesize
104KB

MD5
c32874cda1a9dda4341238799363cd96

SHA1
3374592a68257bc73e98c057baf89b692a28f699

SHA256
f490248903d848f4e99e0c1b83a76de7ee3b4e29ae945d5328cbc3dd6f61b3b9

SHA512
ad1e25ada3cf04f349b1407d8d1c7e1475480be161b3fd0a425438107d744f9086a1eebfb18ab2580c159387324da91ff43bc9801d9c7f2ff54713625788ffef

Download Submit
C:\Users\Admin\AppData\Local\Temp\Well

Filesize
70KB

MD5
551f75a8da32bd65bc40a4fdd26056e5

SHA1
b7186cad2e1bd428303bd9a957b6e07f406be9bf

SHA256
cadd0e26ccd0ef6a36b5051a908cdf04600f1378be4dfa5eeaf8edf81269bcf9

SHA512
b400ad072890e146389e4d90267333e77308e1d5f7cfd53e4a6c2cfd65eccf0b316aa78e123afa498690dd7fc58c4ea84bb42936c7d3318671a089df163fdb82

Download Submit
C:\Users\Admin\AppData\Local\Temp\costs.tiff

Filesize
30KB

MD5
73953d78b877b3d66dcdc9b7b041906a

SHA1
d7b1df174cb8ab480e06dd6cd1d5fdc5fc7420d8

SHA256
2e6839d4bc5ab61472c57a3eb2b8746e6b8f513818dbb4c7ba2ddbf81b086e0d

SHA512
d6544dfd2641e005a19f2cc59309f29360a0f95ea068b2574132a3dc4437b399981f6338f55df101cc4ee05d6d71e8726893f9f61450db20cf719c631748abe5

Download Submit
\Users\Admin\AppData\Local\Temp\701617\Sad.com

Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
memory/648-77-0x0000000006780000-0x00000000067E5000-memory.dmp

Filesize
404KB

Download
memory/648-76-0x0000000006780000-0x00000000067E5000-memory.dmp

Filesize
404KB

Download
memory/648-75-0x0000000006780000-0x00000000067E5000-memory.dmp

Filesize
404KB

Download
memory/648-79-0x0000000006780000-0x00000000067E5000-memory.dmp

Filesize
404KB

Download
memory/648-78-0x0000000006780000-0x00000000067E5000-memory.dmp

Filesize
404KB

Download