Malware Analysis Report

2025-08-10 20:05

Sample ID 250704-n44mwaek3s
Target 04072025_1157_InnoChameleon
SHA256 0c09d626762969426c58e715e6f44aa782f4edeeae4b436e7246fa3dc3713ba4
Tags: lumma defense_evasion discovery spyware stealer trojan
Score: 10/10

Analysis Overview

Threat Level: Known bad

The file 04072025_1157_InnoChameleon was found to be: Known bad.

Malicious Activity Summary

lumma defense_evasion discovery spyware stealer trojan

Lumma Stealer, LummaC

Lumma family

Reads user/profile data of local email clients

Executes dropped EXE

Deletes itself

Checks computer location settings

Checks installed software on the system

Enumerates processes with tasklist

Drops file in Windows directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-07-04 11:57

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-07-04 11:57

Reported

2025-07-04 12:03

Platform

win10v2004-20250610-en

Max time kernel

105s

Max time network

215s

Command Line

"C:\Users\Admin\AppData\Local\Temp\04072025_1157_InnoChameleon.exe"

Signatures

Lumma Stealer, LummaC

stealer lumma

Lumma family

lumma

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2012121138-1878458325-808874697-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\04072025_1157_InnoChameleon.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\432811\Smooth.com N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\432811\Smooth.com N/A

Reads user/profile data of local email clients

spyware stealer

Checks installed software on the system

discovery

Enumerates processes with tasklist

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\HoseMartial C:\Users\Admin\AppData\Local\Temp\04072025_1157_InnoChameleon.exe N/A
File opened for modification C:\Windows\MontanaHard C:\Users\Admin\AppData\Local\Temp\04072025_1157_InnoChameleon.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\extrac32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\choice.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\432811\Smooth.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\04072025_1157_InnoChameleon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A

Modifies system certificate store

defense_evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4 C:\Users\Admin\AppData\Local\Temp\432811\Smooth.com N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob C:\Users\Admin\AppData\Local\Temp\432811\Smooth.com N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\432811\Smooth.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\432811\Smooth.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\432811\Smooth.com N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\432811\Smooth.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\432811\Smooth.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\432811\Smooth.com N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4592 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\04072025_1157_InnoChameleon.exe C:\Windows\SysWOW64\cmd.exe
PID 1996 wrote to memory of 5816 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1996 wrote to memory of 2512 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1996 wrote to memory of 5744 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1996 wrote to memory of 2268 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1996 wrote to memory of 2884 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\extrac32.exe
PID 1996 wrote to memory of 5672 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1996 wrote to memory of 2908 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\432811\Smooth.com
PID 1996 wrote to memory of 4956 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe

Processes

C:\Users\Admin\AppData\Local\Temp\04072025_1157_InnoChameleon.exe

"C:\Users\Admin\AppData\Local\Temp\04072025_1157_InnoChameleon.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c copy Volt.jpg Volt.jpg.bat & Volt.jpg.bat

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "opssvc wrsa"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr "nsWscSvc ekrn bdservicehost SophosHealth AvastUI AVGUI & if not errorlevel 1 Set WTWeCJRHnQjpWResuXaRjuzPxbYFNhbkAGH=AutoIt3.exe & Set KUauBpAncgceSqQjbhWnLryvbslsLXOSEy=.a3x & Set EvvvqBcYMSRiiQYlWBlnWuKasDttNcuTzgk=300

C:\Windows\SysWOW64\extrac32.exe

extrac32 /Y Actions.jpg *.*

C:\Windows\SysWOW64\findstr.exe

findstr /V "Judge" Pins

C:\Users\Admin\AppData\Local\Temp\432811\Smooth.com

Smooth.com i

C:\Windows\SysWOW64\choice.exe

choice /d n /t 5

Network

Country Destination Domain Proto
US 8.8.8.8:53 GuGOlgXATybrzjKHxlew.GuGOlgXATybrzjKHxlew udp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 giyewf.shop udp
US 144.172.115.212:443 giyewf.shop tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp

Files

C:\Users\Admin\AppData\Local\Temp\Volt.jpg

C:\Users\Admin\AppData\Local\Temp\Actions.jpg

C:\Users\Admin\AppData\Local\Temp\Pins

C:\Users\Admin\AppData\Local\Temp\Worldsex

C:\Users\Admin\AppData\Local\Temp\Harold

C:\Users\Admin\AppData\Local\Temp\Agent

C:\Users\Admin\AppData\Local\Temp\Portuguese

C:\Users\Admin\AppData\Local\Temp\References

C:\Users\Admin\AppData\Local\Temp\Pour

C:\Users\Admin\AppData\Local\Temp\Expanded

C:\Users\Admin\AppData\Local\Temp\Concluded

C:\Users\Admin\AppData\Local\Temp\Feature

C:\Users\Admin\AppData\Local\Temp\Pipes

C:\Users\Admin\AppData\Local\Temp\Almost.jpg

C:\Users\Admin\AppData\Local\Temp\Up.jpg

C:\Users\Admin\AppData\Local\Temp\Printers.jpg

C:\Users\Admin\AppData\Local\Temp\Sticks.jpg

C:\Users\Admin\AppData\Local\Temp\Established.jpg

C:\Users\Admin\AppData\Local\Temp\Brochures.jpg

C:\Users\Admin\AppData\Local\Temp\Looks.jpg

C:\Users\Admin\AppData\Local\Temp\432811\Smooth.com

C:\Users\Admin\AppData\Local\Temp\432811\i

memory/2908-519-0x0000000003FF0000-0x000000000404E000-memory.dmp

memory/2908-521-0x0000000003FF0000-0x000000000404E000-memory.dmp

memory/2908-520-0x0000000003FF0000-0x000000000404E000-memory.dmp

memory/2908-522-0x0000000003FF0000-0x000000000404E000-memory.dmp

memory/2908-523-0x0000000003FF0000-0x000000000404E000-memory.dmp