lumma | afbfed421c1da695c193849d153e11975eb3f2f6fa9d936bf987d4f046d86f7e

Analysis

max time kernel
131s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
03-07-2024 02:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

afbfed421c1da695c193849d153e11975eb3f2f6fa9d936bf987d4f046d86f7e.exe
Size

1.1MB
MD5

470aed70b81cb24f9316bac75ce9c409
SHA1

6797699947374efbe4e4746f7500a1e2d92ce36a
SHA256

afbfed421c1da695c193849d153e11975eb3f2f6fa9d936bf987d4f046d86f7e
SHA512

b26ad5e4fac0bbca810554f0a5453bffa8ad4d654bd057fefc8e83e3dbfd42e1e63ddef308c445a783d8684038e9a2f1f546ff1a7948b93c63b886632e242cb6
SSDEEP

24576:lVcPvhB8dHjhl1nd1NWiOBCmn0jRq9odg3cC:85yD1NWiOBpn0YUgsC

Score

10^/10

lumma stealer

Malware Config

Extracted

Family

lumma

https://potterryisiw.shop/api

https://foodypannyjsud.shop/api

https://contintnetksows.shop/api

https://reinforcedirectorywd.shop/api

Signatures

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

Spec.pif

description pid process target process

PID 3556 created 3604 3556 Spec.pif Explorer.EXE

description	pid	process	target process
PID 3556 created 3604	3556	Spec.pif	Explorer.EXE

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

afbfed421c1da695c193849d153e11975eb3f2f6fa9d936bf987d4f046d86f7e.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	afbfed421c1da695c193849d153e11975eb3f2f6fa9d936bf987d4f046d86f7e.exe

Drops startup file 2 IoCs

Processes:

cmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VitaLink.url	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VitaLink.url	cmd.exe

Executes dropped EXE 1 IoCs

Processes:

Spec.pif

pid process

3556 Spec.pif
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1504 timeout.exe
Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

4460 tasklist.exe
2784 tasklist.exe

pid	process
1504	timeout.exe

pid	process
4460	tasklist.exe
2784	tasklist.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

Spec.pif

pid	process
3556	Spec.pif
3556	Spec.pif
3556	Spec.pif
3556	Spec.pif
3556	Spec.pif
3556	Spec.pif
3556	Spec.pif
3556	Spec.pif
3556	Spec.pif
3556	Spec.pif
3556	Spec.pif
3556	Spec.pif
3556	Spec.pif
3556	Spec.pif
3556	Spec.pif
3556	Spec.pif
3556	Spec.pif
3556	Spec.pif
3556	Spec.pif
3556	Spec.pif
3556	Spec.pif
3556	Spec.pif
3556	Spec.pif
3556	Spec.pif
3556	Spec.pif
3556	Spec.pif
3556	Spec.pif
3556	Spec.pif

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

tasklist.exetasklist.exe

description pid process

Token: SeDebugPrivilege 4460 tasklist.exe
Token: SeDebugPrivilege 2784 tasklist.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

Spec.pif

pid process

3556 Spec.pif
3556 Spec.pif
3556 Spec.pif
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

Spec.pif

pid process

3556 Spec.pif
3556 Spec.pif
3556 Spec.pif

description	pid	process
Token: SeDebugPrivilege	4460	tasklist.exe
Token: SeDebugPrivilege	2784	tasklist.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

afbfed421c1da695c193849d153e11975eb3f2f6fa9d936bf987d4f046d86f7e.execmd.exeSpec.pif

description	pid	process	target process
PID 3276 wrote to memory of 3380	3276	afbfed421c1da695c193849d153e11975eb3f2f6fa9d936bf987d4f046d86f7e.exe	cmd.exe
PID 3276 wrote to memory of 3380	3276	afbfed421c1da695c193849d153e11975eb3f2f6fa9d936bf987d4f046d86f7e.exe	cmd.exe
PID 3276 wrote to memory of 3380	3276	afbfed421c1da695c193849d153e11975eb3f2f6fa9d936bf987d4f046d86f7e.exe	cmd.exe
PID 3380 wrote to memory of 4460	3380	cmd.exe	tasklist.exe
PID 3380 wrote to memory of 4460	3380	cmd.exe	tasklist.exe
PID 3380 wrote to memory of 4460	3380	cmd.exe	tasklist.exe
PID 3380 wrote to memory of 2668	3380	cmd.exe	findstr.exe
PID 3380 wrote to memory of 2668	3380	cmd.exe	findstr.exe
PID 3380 wrote to memory of 2668	3380	cmd.exe	findstr.exe
PID 3380 wrote to memory of 2784	3380	cmd.exe	tasklist.exe
PID 3380 wrote to memory of 2784	3380	cmd.exe	tasklist.exe
PID 3380 wrote to memory of 2784	3380	cmd.exe	tasklist.exe
PID 3380 wrote to memory of 4384	3380	cmd.exe	findstr.exe
PID 3380 wrote to memory of 4384	3380	cmd.exe	findstr.exe
PID 3380 wrote to memory of 4384	3380	cmd.exe	findstr.exe
PID 3380 wrote to memory of 4248	3380	cmd.exe	cmd.exe
PID 3380 wrote to memory of 4248	3380	cmd.exe	cmd.exe
PID 3380 wrote to memory of 4248	3380	cmd.exe	cmd.exe
PID 3380 wrote to memory of 216	3380	cmd.exe	findstr.exe
PID 3380 wrote to memory of 216	3380	cmd.exe	findstr.exe
PID 3380 wrote to memory of 216	3380	cmd.exe	findstr.exe
PID 3380 wrote to memory of 3144	3380	cmd.exe	cmd.exe
PID 3380 wrote to memory of 3144	3380	cmd.exe	cmd.exe
PID 3380 wrote to memory of 3144	3380	cmd.exe	cmd.exe
PID 3380 wrote to memory of 3556	3380	cmd.exe	Spec.pif
PID 3380 wrote to memory of 3556	3380	cmd.exe	Spec.pif
PID 3380 wrote to memory of 3556	3380	cmd.exe	Spec.pif
PID 3380 wrote to memory of 1504	3380	cmd.exe	timeout.exe
PID 3380 wrote to memory of 1504	3380	cmd.exe	timeout.exe
PID 3380 wrote to memory of 1504	3380	cmd.exe	timeout.exe
PID 3556 wrote to memory of 4092	3556	Spec.pif	cmd.exe
PID 3556 wrote to memory of 4092	3556	Spec.pif	cmd.exe
PID 3556 wrote to memory of 4092	3556	Spec.pif	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3604

C:\Users\Admin\AppData\Local\Temp\afbfed421c1da695c193849d153e11975eb3f2f6fa9d936bf987d4f046d86f7e.exe
"C:\Users\Admin\AppData\Local\Temp\afbfed421c1da695c193849d153e11975eb3f2f6fa9d936bf987d4f046d86f7e.exe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3276

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k copy Urban Urban.cmd & Urban.cmd & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:3380

C:\Windows\SysWOW64\tasklist.exe
tasklist
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4460

C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
4⤵
PID:2668

C:\Windows\SysWOW64\tasklist.exe
tasklist
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2784

C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe"
4⤵
PID:4384

C:\Windows\SysWOW64\cmd.exe
cmd /c md 780229
4⤵
PID:4248

C:\Windows\SysWOW64\findstr.exe
findstr /V "STEADYSIMSCOLLABORATIVEHUMANITIES" Stylus
4⤵
PID:216

C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Conservative + Transmission + Employee + Conservation + Coastal + Atlanta 780229\p
4⤵
PID:3144

C:\Users\Admin\AppData\Local\Temp\780229\Spec.pif
780229\Spec.pif 780229\p
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3556

C:\Windows\SysWOW64\timeout.exe
timeout 5
4⤵
- Delays execution with timeout.exe
PID:1504

C:\Windows\SysWOW64\cmd.exe
cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VitaLink.url" & echo URL="C:\Users\Admin\AppData\Local\VitaConnect Innovations\VitaLink.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VitaLink.url" & exit
2⤵
- Drops startup file
PID:4092

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4172,i,6166776566165096562,4582328833313060853,262144 --variations-seed-version --mojo-platform-channel-handle=4152 /prefetch:8
1⤵
PID:4480

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Process Discovery

T1057

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\780229\Spec.pif
Filesize
915KB

MD5
b06e67f9767e5023892d9698703ad098

SHA1
acc07666f4c1d4461d3e1c263cf6a194a8dd1544

SHA256
8498900e57a490404e7ec4d8159bee29aed5852ae88bd484141780eaadb727bb

SHA512
7972c78acebdd86c57d879c12cb407120155a24a52fda23ddb7d9e181dd59dac1eb74f327817adbc364d37c8dc704f8236f3539b4d3ee5a022814924a1616943

Download Submit
C:\Users\Admin\AppData\Local\Temp\780229\p
Filesize
497KB

MD5
7b1b8aeab05915903ada61d11645389e

SHA1
5b6cd0a7f4be8853516fc717336827da2071b481

SHA256
c015e80e220d64afa0bb2f783474b875311f5fa1073b1808d4a421efb914ea26

SHA512
2b03e2f05fe8177b49ab8e11d5f062e6fde014f984fc81506e84a12c85bc38324db4f11a029007a526c5b44d20fb58098d2203564d9e3d2f0ba23e1411ff3f29

Download Submit
C:\Users\Admin\AppData\Local\Temp\Assist
Filesize
43KB

MD5
3d5a4446b998817ac3a378b584c185db

SHA1
8d45506c4e96d1832f6196f520ebaf7c306bfa0d

SHA256
1e5e63511babdfb0c84c679197f7f8229f217c5e906ae5f74ad27b3b4712c872

SHA512
6f174d0d9efe9ddd3d2d33d43dd199e0ca97b14a0c0bc809627aa6f4066a740a0d26f73b7993183822eaa8f94388bd7197e6c2b9d73051b6947baeb6696b1ea6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Atlanta
Filesize
51KB

MD5
cf13e125ebd42109a234d0e007ecb52a

SHA1
1b806383b5a60f1519baa5b32aff5656c3db3b5a

SHA256
6ac1fb3b9928df1e98506f698cc3f17015e5f50d73bfe1fb83e23f64b1f5629f

SHA512
9768acd0797bef99b54e2a41665e8ac0a249f2b9044702e1bc7d6faec1188ae5d6a8271f4c9ec38a2a091628fdf855d380aad976fcd86ff0e0008ea1ccd956d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Background
Filesize
14KB

MD5
bc5572aa0538e459255c7f4bd5fd9329

SHA1
c438fd4e9e7fb2469087dd66a66477e820dd1458

SHA256
2a01ae6f5e673fef886fd46e756ef67dba711a88fb6e37ee3cb597f25fac7f35

SHA512
a14b1884d29577abace6b6cf91985faff868c5c061ff63bbe814c66dcd849cb51044d018ba41c7c042cb5ab9e96511293d0bdfe4b5979c98d95a138d821fbc3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Coastal
Filesize
125KB

MD5
986685c929f290f3477df35aa927c9c4

SHA1
fabb341ef7c35162e91ca9f682f7580740cce6d0

SHA256
ec363d9542852edaf960c70bfca82ecd8ef3b36206ba7a4ad1b222d333e7d04a

SHA512
7e7348628f75166783bcf1ea75e6baacee5061b6dcd2b3400ca5925fa5dfc3f7f6ea19f3d6a2be647d10652f72c6016bfded8d486194bbe4d5170472e7984ad6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Conservation
Filesize
135KB

MD5
86dd8e97e95aba14ec8dca8a8a638f99

SHA1
ca5b8703a1a1d04011c3a814107d7b749697022c

SHA256
6de63be8abc2d24a39f2c29f244fe228a4adb51e2fb6416f3be20b010404869b

SHA512
e51238add28c6f61084a581dd50f3498615f49cb8bc90b9c245e52e73bb1a85ebf3d2027ccaf407437b2285214bf293afbbac1b155da0e60d23229300c7ac239

Download Submit
C:\Users\Admin\AppData\Local\Temp\Conservative
Filesize
62KB

MD5
886e48ad0a5b7ad246eaf5ec024cb504

SHA1
2dff25375c6ee691e8e4576ee47420390eed39cc

SHA256
9d4b2c18472db38809d2889f3457d1d5a63a937f17a406b06379b90f036bd71e

SHA512
f158cd7390eeac5b4f53f7548f565bf50f50e52989c7d44f3abcd2030a98a67f39c6a55ea70a8c6fcde59c747a4157e0253d2a10c67ae903f449dabf5fa697e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cork
Filesize
22KB

MD5
5cc445df8645d4f81115dc82eb8fd203

SHA1
52b06228fe35eeca5d43962fb99224742d2cb3d2

SHA256
c6e0b293a30e342a043baf0bdaf67d457bfd800c707cd725c63e8336222fa584

SHA512
ee7d5794d527b072b89a326735ed74a4e345ebe66efc894f9db42b694918b275bb9613e86d6f9f27736cc5b2de890d1fb10ea68deadde2a34fe66b16bbebf374

Download Submit
C:\Users\Admin\AppData\Local\Temp\Displays
Filesize
41KB

MD5
2b350feb7cfd247a9817b380f8d8d2a0

SHA1
b8b99b3849b47b0be611b94bce5f78dadd9f9b6a

SHA256
ef0988209ae0cbb771e5dc9d5e3f16cc00a97629fb8122dee68a19eb88391f02

SHA512
bb581b2573b91094f7f3b3e715d41741c270ce28ae7e4b47d323ac791681f2a2a88ef756e2d85b666906b0eb1a673bfae3f7fe4de500ae831f046b69f44a3ee9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Employee
Filesize
29KB

MD5
84218a18580be323347a2304c12f923f

SHA1
6b1c36cbab567f19a538a262fc7727fb605aaa08

SHA256
06a07be0b4a7c35146441418f1cc1428024761f456eda27a486ce8ee83578120

SHA512
e4bdfb7666509c2ef6830be33690f034eb5542a213410b9136bf5ee6c53f20fe0b35eabc9257bc73d6b283b0ab436c7b34133ac455339c3a2b9aa530e04263b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Examples
Filesize
69KB

MD5
cb2749a3d65fff87fcb0b47adb23fa76

SHA1
b0b6a9d11c7ee02d0d8953d450e9696cc601b7dc

SHA256
9919ebf3a126ccefccb5236c053dd2a511ea21a58e478f7ea747055c8ef09c6c

SHA512
0ccb7889ee9c94d5d38a03321ba2b5f6316f996792e494e68be75bac72c23db5a486c6bd40a21270ddea2db727c54a7566fcab5645e0defce289931f8825d6b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fundamental
Filesize
49KB

MD5
230ed0afa33749b3c72b2ffde41dd1e3

SHA1
9c09200619efecb0a6dfe689edc322a281d83aa8

SHA256
abc1fc7f2d61a140868d22644c4309275989ecc5ef491155dcaf9459b438dcc9

SHA512
31b32ac30e5055d53d708b91fdb39df071f346d4a4417dc508d26153a5dbac2b4906a0e891d205d7d9809ee24eb3fd733e0c5394bed9b9b4804f8fd4356c2979

Download Submit
C:\Users\Admin\AppData\Local\Temp\Garage
Filesize
18KB

MD5
9b29139ec949d7e0f82a74d8adb19ee2

SHA1
5a2259b8c340f06d12664395a7b7a0486adb0bfe

SHA256
d08fa43d4dd8a8510c169b2af280429718675d1798535470a76725efc258edcd

SHA512
dc4e3c9e86114875f3e34e1f13e7f0dd13c9459b0a50effcc73914642a7377f36c6f2486a49c870138d237068f058c971eb9a016334f04d773c8cb0166dda8ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gmc
Filesize
45KB

MD5
4c9a521b76ec971866b6be22d492ecb3

SHA1
dbc391ecd117e753bc8e81094fea97ad21ed055e

SHA256
85ba17029925a9f7535476da50a071742ad42ebb5e6c512830f42072066c7ed8

SHA512
90b0c018f3975b4f7389c07249c5fb618c3e67a66e0d0fd76d83de69840b4723181d681935345f42ce28286bf62b82ce4f1e1e9c8e8a2a8b57dc68feba74b90e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Grande
Filesize
45KB

MD5
23bdc147635d0923b3ea85727ca548fd

SHA1
5d7be4a43b8f964b3b8cde3dc2f314ad53c4ce96

SHA256
457709d49819cbf2c82da81e53db0c08ce060919a8fd51742d6bc524023b0a6e

SHA512
3331c535e933eec9bce89cfe3707c1a2044860d2ad6f1af732061971803e884a0ae470fa098a1c3786bd39b82480915750d2914cbe634127bebb38c1aa1c41e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Harbor
Filesize
7KB

MD5
0b905402cbc77bf185cfecaa3a0012a3

SHA1
01c7fcbfd193ea9596275dba7ca781c8b9522f12

SHA256
5b180090eee932b7bbe1ddb907ca605132e7c01296ab9c46f27aa5cf05b18a95

SHA512
9c97d30220fd3dd9ae2b3c841328178e711f4958f58a0f40072d10445baa0b27a9bd44a579cb723757afdb13f08cc603b42062f838e9b0f797c99a53c2e203b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hazard
Filesize
28KB

MD5
7e5213365026fcf2d0e327ef2f82ebfb

SHA1
417bcee52da38ac48a1b3194287c30dc64ec2357

SHA256
05624896ce7048b13823712ca6337999db01fe55d7e340498fb0e2c0f2948cb7

SHA512
29d2f99f3ca0c7dd5f90f1d820f63e9dc1ec14a74cb2f263ee0225d1d120b2796e905e84a22a176622215041939bcf79bb85def73232bb4ab70ca172015df231

Download Submit
C:\Users\Admin\AppData\Local\Temp\Identification
Filesize
26KB

MD5
745146f7e842cf985c3ddb836942fb8d

SHA1
e3748492e99179fd35b6bf614c189b9dd74d04c0

SHA256
2898fa8eceed4197751a55a5170a905944c7e1940784f3b230babc04e5e404ea

SHA512
39fa62b63fee220d6164ed1f8d9665857d9ad667990c3d618bb95eeb2b0a02d3179aad1d621cc436f348b607ca513d0a5b34e964b27e1529bd8be96f6ccc9916

Download Submit
C:\Users\Admin\AppData\Local\Temp\Knowledgestorm
Filesize
61KB

MD5
5882258da7a689077b2f1dcbaaf43bd8

SHA1
71869c35d792e014beebdbd7d618803da9873074

SHA256
b69a3f1178ca18c6a34dbadea494ba9eb5e3956c3d13a504355a84154ea87067

SHA512
d96d61cdd4dad758c55081a79720d06e92434a4cff0610577618727a2d9368312acb1c448736b2bd0d1e3c99bf72bb1e9a281bf7bfbe8a96851794b2b43287ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\Laid
Filesize
21KB

MD5
8d8f3ef95cee2b4e55e783ae40b380da

SHA1
cd29e91eac3f5c7def12d63524e837b900132071

SHA256
0bdd34c4018c9a76880f01f9e1f6e637573b223696f33bb02423b698fecca91e

SHA512
c685da8969d017c50d1dc327d5397525f9998cbbc7d53ba31a9de25bb1be7bf510a8e3c3edf2b9ee0f88be0a6f23defb832274b2424f6301c19831e52ae07345

Download Submit
C:\Users\Admin\AppData\Local\Temp\Like
Filesize
24KB

MD5
409794898e575cf088a4b1d21233a91f

SHA1
67f47df2bba5a90b5ecc57c9641fed44c48cff35

SHA256
dce624d7c6c7525c6029bd118d98da93d6e94795a23ff3bddb619e5876e5b23c

SHA512
e4d87a890aa899c338d8f272cdac9f8c5c22f79007cb8b78a1ee989dfcbf7aaf84fdb88e6afd48d198cbdae6fea3540d8021b92dea58913698da80314ca5e738

Download Submit
C:\Users\Admin\AppData\Local\Temp\Madagascar
Filesize
59KB

MD5
a27a8c3654d5d395f8e8f06c82be57ce

SHA1
3dfd9867d193563ab663fae5479d86b3424c2742

SHA256
0d32e269c1d7fa02345d67d1a3f9b0477d48ef463a15cd923f0f9692eb368f3b

SHA512
84eaed220950f1f4751bfd17d2f0be6cad92a2f4d45a521a584d5da86bed18df27f68ba52d72a5525d926c4db83e9a7e2c54d58ceff5fda7f3ca3eeb8af7c84a

Download Submit
C:\Users\Admin\AppData\Local\Temp\P
Filesize
47KB

MD5
fe2bd2f5fff0525c6733ef4bf9d9de73

SHA1
c133fc2bb7ab7106a584dff48be8eff7939e882c

SHA256
0f10045d1f210dcbb8847fc79ea248c92b933f880e454b22e5c8542c5ba53f83

SHA512
6561352bf16bb9363e4db545a144902353e029763a37511e399db28a2c026de02ec4c9bf6005a9d23283dde648dfb0fec46fc6b270bb07b951981305068ba3c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rec
Filesize
10KB

MD5
097933d56590ec30c957edb5f2e580e6

SHA1
98fb1cfeaee9d94bc41c6e5783cdf9d41370f5ef

SHA256
3f6d68d098f843f5189a0aa5ad221e12f682dcbc702c6758f81d39149855177c

SHA512
5fc9cf938feb56fb7c24e90d4af3a8050b8b9f052500001e2e5ba56cf1a9ee629feea1d6fd3016cb7e7c0303638e4627f71f952207f611fb0ed06c952a1243ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\Researchers
Filesize
27KB

MD5
60342db0dd9bd96b7931e4df72f9af60

SHA1
cb2b03db0dc86994f0af1608081fed744061ac62

SHA256
ed3ec7b159e2bc1f76c5f791dd81e7605cff698d378a3d22925ca0b744268e75

SHA512
fe0d699218ecc6cc62b141b151df7dde1cb1a9506a5dcacd82079af450c1f49b1b7d2b0f785095fc93bf480c60618e7ae7190a55b1d26499469751c3e1e3e2f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Routes
Filesize
65KB

MD5
2e93c82856f94f9f7cfaec0aa7603402

SHA1
885ce160d0e227ec17a2f937d53a106c699f20f8

SHA256
2d5df035e71bfcf3d9267cca2d0796b797793f000fd8c9d3938ac8103089d91a

SHA512
035fdcbe0b373f5df277a441aeba70db37d21fdc25aefcd4d88df2ff8e37a442ee52699a65c7683e17d9e5b31d94e94d4e7ff3ddfe804cfa21fbb972868e075b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sharp
Filesize
6KB

MD5
116886b0235707b9e012ed9d498c4fa7

SHA1
b1c1b56805b4f52958b25cec8bc67ba475f3f104

SHA256
1e6e75e0f171fc6c2f251e0cc35192902bbd9121bda6173ad9483f60ad604c5d

SHA512
7976991d302cdbe4d8d8f5e991b1d6d2e3f6e46d970cc7cf7129557c0dda23b5f3797050e90bf51558bb1958201b23b2176954186a6dd1b4fed6f1ecef8351cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Spaces
Filesize
17KB

MD5
14ae8a2be941636c1649d513fc28f113

SHA1
c80f0028fafe85719391d1206d358e481902053b

SHA256
90f4e24f14944dc39eeff8cab25f97ee5c41210c5cab8492b7bde755407546cc

SHA512
d10bc69e3d8996f57d6974824fae0ff03700fa7b5aff2ca59759575f01db0d93199b20a0f0d8b262a45e01341b97ddec2b8c2d98c8ece6ec7a0d3407b9020aea

Download Submit
C:\Users\Admin\AppData\Local\Temp\Speaking
Filesize
60KB

MD5
65764034656cf73e4c1069d4f7f6ff4e

SHA1
354e99bb0064324594f02eab0a7b9bfb6ca373f8

SHA256
8a40f39d37bb2eb37c8676f8b08b51ea278bdc22998f232b5117545ed9a27fbe

SHA512
5a141e6d881447b2aabfd52aada35b806f1ff5da2630a911304c1138b009f7f5a0fcc5211c68588658f76369f4782b8398d3378fdcf9c7183b128296219d86a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Stylus
Filesize
208B

MD5
ce77907dd56d674bcd0bbcfb7011bd93

SHA1
c8483cacfe2f8e81f8ef1a5068b6a42142c1cf4f

SHA256
748d79ad490a68ce10d337bdb791dadef6fec2e34b69b1eea4b976a95d53a0a1

SHA512
3c97ad521e092b429f210a4c98cd3de01c063fabc1f0d1d91a2389f4e223b4469be2b4db5d7a2a8c610331864bf684f1d8f1d1b654bf1b656508d91f12c7cf5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Trackback
Filesize
49KB

MD5
1702760d98698b7994dc9015bf7d0974

SHA1
7cd832396a8d3e7941091b30701e652717f51524

SHA256
a201cfb199fdabadc13d46a892b0b91a8d992c62c04912caf9876eee40753d85

SHA512
562a7dabe416e45b96d916ab29300f0a54e68d08ceb7157bb759099f6c610eec229f3231103c71a787c5184217aa439f972319d781fb3ac3dc64d4b6733b5eb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Transmission
Filesize
95KB

MD5
d33bab7c7a67305e759258703a8285e4

SHA1
387913f0031a60373e0974ff88354396287c9ec7

SHA256
d91fd5090fbbbbdcf3a2ba9246177eddd7b09f04f3f23ee1ae16ccd4807cc280

SHA512
6d8f0a96e73c9c9d24c5779e1aa3329a0e5803f95de8fd844f916c8e54fd216f6c54e4fc065a28d3016ddc00fceb4caa218ca393f4a884faf19f7edec8867b61

Download Submit
C:\Users\Admin\AppData\Local\Temp\Urban
Filesize
19KB

MD5
0acf541cbe9a635dab7b5bcf6f2bb645

SHA1
765e9babeddb81d9c0b88282e6b8a9ada0445de4

SHA256
873200c6afe55ab1b0c4bdea11370b84bca64d0bf7a5d2976416c43cda53bdfd

SHA512
71d1c51aa76b0e3adac409bc8124b57c529e12918b58dc42e4ffea603771377d654c88f7733ca04dd2b7daab45bd4b4a00aa5ca68604151c6077b6c803e3fe21

Download Submit
C:\Users\Admin\AppData\Local\Temp\V
Filesize
23KB

MD5
80443fd53203084d5318a3ea8580158e

SHA1
210d1602f0ba0b60c1a6911737f20b13486b9f0e

SHA256
9f08233b07ea0811d8f5c77089c75f780ee9fa9b861a2d988d2af1580d8f679e

SHA512
b78a0e0d9c40db5df8be06e9e054fb23ab8ee4ffd277ca954663da10fe63a3b2d3270f50c8e78a411e24ec617d4b588fbe78703fbd9caeeee16cc08edcf6dcf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wisdom
Filesize
39KB

MD5
60cd333a8df0712024e4ff8695689fdf

SHA1
b8aa530305d049a70c01120c890477bd21893391

SHA256
c086e5371c551846794ac35bd3a96bef3fc4492592d89385557805eb6c739cfa

SHA512
4bab10910a86673ae031b1ff6598efeb51d6e13632b06ac09cc6c5e3c64d054d0ce7036c9595ef6c894443a7b73e323fcb22725c87b2154ff2dec5238c541a0d

Download Submit
memory/3556-511-0x0000000003F90000-0x0000000003FE7000-memory.dmp

Filesize
348KB

Download
memory/3556-512-0x0000000003F90000-0x0000000003FE7000-memory.dmp

Filesize
348KB

Download
memory/3556-513-0x0000000003F90000-0x0000000003FE7000-memory.dmp

Filesize
348KB

Download
memory/3556-514-0x0000000003F90000-0x0000000003FE7000-memory.dmp

Filesize
348KB

Download
memory/3556-515-0x0000000003F90000-0x0000000003FE7000-memory.dmp

Filesize
348KB

Download