lumma | 57bdd9c5eca5fa517551038cefce58470fa011d1a461e9e4650d34918f23755b

Analysis

max time kernel
95s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2024, 05:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

57bdd9c5eca5fa517551038cefce58470fa011d1a461e9e4650d34918f23755b.msi
Size

2.4MB
MD5

896fb90e32e5ac077d7048884ba7aff9
SHA1

dac99dae9ff264eaa302dbca0cecd42d78dfc94f
SHA256

57bdd9c5eca5fa517551038cefce58470fa011d1a461e9e4650d34918f23755b
SHA512

3eb744de0ed9ae0611486ac1bc654e227ce9a97b2b84cbc6dc5a72b9cac1b16204e7d4d34c5e5dd3500abdef81255ea694bf0c218f6d0c925d99f905337eecc7
SSDEEP

49152:+k2GffEmyfZgElK2Th08HZVT0k5AiLUMUu+PhxiSFxT0kEpd:bffEmOZgElKEdZe3MoPhgSPT0ld

Score

10^/10

lumma discovery persistence privilege_escalation stealer

Malware Config

Extracted

Family

lumma

https://cloudewahsj.shop/api

https://rabidcowse.shop/api

https://noisycuttej.shop/api

https://tirepublicerj.shop/api

https://framekgirus.shop/api

https://wholersorie.shop/api

https://abruptyopsn.shop/api

https://nearycrepso.shop/api

Extracted

Family

lumma

https://abruptyopsn.shop/api

https://wholersorie.shop/api

https://framekgirus.shop/api

https://tirepublicerj.shop/api

https://noisycuttej.shop/api

https://rabidcowse.shop/api

https://cloudewahsj.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2468 set thread context of 1912	2468	ManyCam.exe	95

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e57c71b.msi	msiexec.exe
File created	C:\Windows\Installer\e57c719.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57c719.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{EB362F8A-671B-432A-A16A-6FD978FB7B56}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC7C4.tmp	msiexec.exe

Executes dropped EXE 2 IoCs

pid	Process
3664	ManyCam.exe
2468	ManyCam.exe

Loads dropped DLL 18 IoCs

pid	Process
3664	ManyCam.exe
3664	ManyCam.exe
3664	ManyCam.exe
3664	ManyCam.exe
3664	ManyCam.exe
3664	ManyCam.exe
3664	ManyCam.exe
3664	ManyCam.exe
3664	ManyCam.exe
2468	ManyCam.exe
2468	ManyCam.exe
2468	ManyCam.exe
2468	ManyCam.exe
2468	ManyCam.exe
2468	ManyCam.exe
2468	ManyCam.exe
2468	ManyCam.exe
2468	ManyCam.exe

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
4736	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ManyCam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ManyCam.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000001d4141155d34ac580000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800001d4141150000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809001d414115000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d1d414115000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000001d41411500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CentralProcessor\0\	ManyCam.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ManyCam.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CentralProcessor\0\	ManyCam.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ManyCam.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4000	msiexec.exe
4000	msiexec.exe
3664	ManyCam.exe
2468	ManyCam.exe
2468	ManyCam.exe
1912	cmd.exe
1912	cmd.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2468	ManyCam.exe
1912	cmd.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4736	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4736	msiexec.exe
Token: SeSecurityPrivilege	4000	msiexec.exe
Token: SeCreateTokenPrivilege	4736	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4736	msiexec.exe
Token: SeLockMemoryPrivilege	4736	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4736	msiexec.exe
Token: SeMachineAccountPrivilege	4736	msiexec.exe
Token: SeTcbPrivilege	4736	msiexec.exe
Token: SeSecurityPrivilege	4736	msiexec.exe
Token: SeTakeOwnershipPrivilege	4736	msiexec.exe
Token: SeLoadDriverPrivilege	4736	msiexec.exe
Token: SeSystemProfilePrivilege	4736	msiexec.exe
Token: SeSystemtimePrivilege	4736	msiexec.exe
Token: SeProfSingleProcessPrivilege	4736	msiexec.exe
Token: SeIncBasePriorityPrivilege	4736	msiexec.exe
Token: SeCreatePagefilePrivilege	4736	msiexec.exe
Token: SeCreatePermanentPrivilege	4736	msiexec.exe
Token: SeBackupPrivilege	4736	msiexec.exe
Token: SeRestorePrivilege	4736	msiexec.exe
Token: SeShutdownPrivilege	4736	msiexec.exe
Token: SeDebugPrivilege	4736	msiexec.exe
Token: SeAuditPrivilege	4736	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4736	msiexec.exe
Token: SeChangeNotifyPrivilege	4736	msiexec.exe
Token: SeRemoteShutdownPrivilege	4736	msiexec.exe
Token: SeUndockPrivilege	4736	msiexec.exe
Token: SeSyncAgentPrivilege	4736	msiexec.exe
Token: SeEnableDelegationPrivilege	4736	msiexec.exe
Token: SeManageVolumePrivilege	4736	msiexec.exe
Token: SeImpersonatePrivilege	4736	msiexec.exe
Token: SeCreateGlobalPrivilege	4736	msiexec.exe
Token: SeBackupPrivilege	1004	vssvc.exe
Token: SeRestorePrivilege	1004	vssvc.exe
Token: SeAuditPrivilege	1004	vssvc.exe
Token: SeBackupPrivilege	4000	msiexec.exe
Token: SeRestorePrivilege	4000	msiexec.exe
Token: SeRestorePrivilege	4000	msiexec.exe
Token: SeTakeOwnershipPrivilege	4000	msiexec.exe
Token: SeRestorePrivilege	4000	msiexec.exe
Token: SeTakeOwnershipPrivilege	4000	msiexec.exe
Token: SeRestorePrivilege	4000	msiexec.exe
Token: SeTakeOwnershipPrivilege	4000	msiexec.exe
Token: SeRestorePrivilege	4000	msiexec.exe
Token: SeTakeOwnershipPrivilege	4000	msiexec.exe
Token: SeRestorePrivilege	4000	msiexec.exe
Token: SeTakeOwnershipPrivilege	4000	msiexec.exe
Token: SeRestorePrivilege	4000	msiexec.exe
Token: SeTakeOwnershipPrivilege	4000	msiexec.exe
Token: SeRestorePrivilege	4000	msiexec.exe
Token: SeTakeOwnershipPrivilege	4000	msiexec.exe
Token: SeRestorePrivilege	4000	msiexec.exe
Token: SeTakeOwnershipPrivilege	4000	msiexec.exe
Token: SeRestorePrivilege	4000	msiexec.exe
Token: SeTakeOwnershipPrivilege	4000	msiexec.exe
Token: SeRestorePrivilege	4000	msiexec.exe
Token: SeTakeOwnershipPrivilege	4000	msiexec.exe
Token: SeRestorePrivilege	4000	msiexec.exe
Token: SeTakeOwnershipPrivilege	4000	msiexec.exe
Token: SeRestorePrivilege	4000	msiexec.exe
Token: SeTakeOwnershipPrivilege	4000	msiexec.exe
Token: SeRestorePrivilege	4000	msiexec.exe
Token: SeTakeOwnershipPrivilege	4000	msiexec.exe
Token: SeRestorePrivilege	4000	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4736	msiexec.exe
4736	msiexec.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 4000 wrote to memory of 5096	4000	msiexec.exe	87
PID 4000 wrote to memory of 5096	4000	msiexec.exe	87
PID 4000 wrote to memory of 3664	4000	msiexec.exe	89
PID 4000 wrote to memory of 3664	4000	msiexec.exe	89
PID 4000 wrote to memory of 3664	4000	msiexec.exe	89
PID 3664 wrote to memory of 4136	3664	ManyCam.exe	90
PID 3664 wrote to memory of 4136	3664	ManyCam.exe	90
PID 3664 wrote to memory of 2468	3664	ManyCam.exe	93
PID 3664 wrote to memory of 2468	3664	ManyCam.exe	93
PID 3664 wrote to memory of 2468	3664	ManyCam.exe	93
PID 2468 wrote to memory of 2204	2468	ManyCam.exe	94
PID 2468 wrote to memory of 2204	2468	ManyCam.exe	94
PID 2468 wrote to memory of 1912	2468	ManyCam.exe	95
PID 2468 wrote to memory of 1912	2468	ManyCam.exe	95
PID 2468 wrote to memory of 1912	2468	ManyCam.exe	95
PID 2468 wrote to memory of 1912	2468	ManyCam.exe	95
PID 1912 wrote to memory of 2636	1912	cmd.exe	103
PID 1912 wrote to memory of 2636	1912	cmd.exe	103
PID 1912 wrote to memory of 2636	1912	cmd.exe	103
PID 1912 wrote to memory of 2636	1912	cmd.exe	103

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\57bdd9c5eca5fa517551038cefce58470fa011d1a461e9e4650d34918f23755b.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4736

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4000
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:5096
- C:\Users\Admin\AppData\Local\Layby\ManyCam.exe
  "C:\Users\Admin\AppData\Local\Layby\ManyCam.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3664
- - C:\Windows\system32\pcaui.exe
    "C:\Windows\system32\pcaui.exe" -g {11111111-1111-1111-1111-111111111111} -x {bce4b583-343f-44b8-8f95-9f76104077b9} -a "ManyCam" -v "ManyCam LLC" -s "To work properly, this app must be reinstalled after you upgrade Windows." -n 4 -f 0 -k 0 -e "C:\Users\Admin\AppData\Local\Layby\ManyCam.exe"
    3⤵
    PID:4136
- - C:\Users\Admin\AppData\Roaming\ZWS_Agent\ManyCam.exe
    C:\Users\Admin\AppData\Roaming\ZWS_Agent\ManyCam.exe
    3⤵
    - Suspicious use of SetThreadContext
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2468
  - - C:\Windows\system32\pcaui.exe
      "C:\Windows\system32\pcaui.exe" -g {11111111-1111-1111-1111-111111111111} -x {bce4b583-343f-44b8-8f95-9f76104077b9} -a "ManyCam" -v "ManyCam LLC" -s "To work properly, this app must be reinstalled after you upgrade Windows." -n 4 -f 0 -k 0 -e "C:\Users\Admin\AppData\Roaming\ZWS_Agent\ManyCam.exe"
      4⤵
      PID:2204
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\SysWOW64\cmd.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:1912
    - - C:\Windows\SysWOW64\explorer.exe
        
        C:\Windows\SysWOW64\explorer.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2636

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:1004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57c71a.rbs

Filesize
9KB

MD5
85110698ed42d627ee4ed2f2bab79d9c

SHA1
62f59c69bc99bc3aa4753a4bbcc4811d39154549

SHA256
fd920d5374969d3d9186b50cde53a7fe2ce29911f171fa31059a5bd8e051be8d

SHA512
d30e6d801a681738a64d380f8969af15a0fe95c35e2a496d060844d25d95bf4eef25a7d833135ec6b677748cd644a2e90c8171ed69b8cb3a3212b7896c1658b6

Download Submit
C:\Users\Admin\AppData\Local\Layby\CrashRpt.dll

Filesize
114KB

MD5
62ea1a57e6f1939eef5bf2bccf8bfe08

SHA1
d1792b6c7f19420fe925210777e99a92f7173c3b

SHA256
75a4c10bcdf5ae133dc809e413143a96ca9522569a05b39fa3168ae6ee6da6e7

SHA512
02f57bc51e0e407eeadb4f3bb39cf1191b5906e76a5b86a0388bdc66f2ef871b49d72f3c76eeca1357795dbe67a08009597adb41dadf5f758f00aea9c02a2786

Download Submit
C:\Users\Admin\AppData\Local\Layby\ManyCam.exe

Filesize
1.7MB

MD5
ba699791249c311883baa8ce3432703b

SHA1
f8734601f9397cb5ebb8872af03f5b0639c2eac6

SHA256
7c4eb51a737a81c163f95b50ec54518b82fcf91389d0560e855f3e26cec07282

SHA512
6a0386424c61fbf525625ebe53bb2193accd51c2be9a2527fd567d0a6e112b0d1a047d8f7266d706b726e9c41ea77496e1ede186a5e59f5311eeea829a302325

Download Submit
C:\Users\Admin\AppData\Local\Layby\cv099.dll

Filesize
664KB

MD5
2a8b33fee2f84490d52a3a7c75254971

SHA1
16ce2b1632a17949b92ce32a6211296fee431dca

SHA256
faff6a0745e1720413a028f77583fff013c3f4682756dc717a0549f1be3fefc2

SHA512
8daf104582547d6b3a6d8698836e279d88ad9a870e9fdd66c319ecada3757a3997f411976461ed30a5d24436baa7504355b49d4acec2f7cdfe10e1e392e0f7fb

Download Submit
C:\Users\Admin\AppData\Local\Layby\cxcore099.dll

Filesize
908KB

MD5
286284d4ae1c67d0d5666b1417dcd575

SHA1
8b8a32577051823b003c78c86054874491e9ecfa

SHA256
37d9a8057d58b043ad037e9905797c215cd0832d48a29731c1687b23447ce298

SHA512
2efc47a8e104baa13e19bee3b3b3364da09cea80601bc87492de348f1c8d61008002540ba8f0df99b2d20e333d09ea8e097a87c97e91910d7d592d11a953917a

Download Submit
C:\Users\Admin\AppData\Local\Layby\cximagecrt.dll

Filesize
487KB

MD5
c36f6e088c6457a43adb7edcd17803f3

SHA1
b25b9fb4c10b8421c8762c7e7b3747113d5702de

SHA256
8e1243454a29998cc7dc89caecfadc0d29e00e5776a8b5777633238b8cd66f72

SHA512
87cad4c3059bd7de02338922cf14e515af5cad663d473b19dd66a4c8befc8bce61c9c2b5a14671bc71951fdff345e4ca7a799250d622e2c9236ec03d74d4fe4e

Download Submit
C:\Users\Admin\AppData\Local\Layby\dbghelp.dll

Filesize
478KB

MD5
e458d88c71990f545ef941cd16080bad

SHA1
cd24ccec2493b64904cf3c139cd8d58d28d5993b

SHA256
5ec121730240548a85b7ef1f7e30d5fdbee153bb20dd92c2d44bf37395294ec0

SHA512
b1755e3db10b1d12d6eaffd1d91f5ca5e0f9f8ae1350675bc44ae7a4af4a48090a9828a8acbbc69c5813eac23e02576478113821cb2e04b6288e422f923b446f

Download Submit
C:\Users\Admin\AppData\Local\Layby\highgui099.dll

Filesize
388KB

MD5
a354c42fcb37a50ecad8dde250f6119e

SHA1
0eb4ad5e90d28a4a8553d82cec53072279af1961

SHA256
89db6973f4ec5859792bcd8a50cd10db6b847613f2cea5adef740eec141673b2

SHA512
981c82f6334961c54c80009b14a0c2cd48067baf6d502560d508be86f5185374a422609c7fdc9a2cde9b98a7061efab7fd9b1f4f421436a9112833122bc35059

Download Submit
C:\Users\Admin\AppData\Local\Layby\intercessor.raw

Filesize
775KB

MD5
5cf9c5ab7c4f58ddb2e30818731a546c

SHA1
ced3fc10281409a893881d458160e4fc02625687

SHA256
f1a74a1988d5a88e161fd8ffe3e4c332f6566a61f7afc0536446ce28c0e6432e

SHA512
ec3003a76840de0fe876a9bd6391d443dfbe7fc0fed1593b52b26e4ad7635efe11d0d585893b7e4b9380cbcdf625478cf41c2a2e7284f36614d501434c9548ed

Download Submit
C:\Users\Admin\AppData\Local\Layby\javelin.mp3

Filesize
27KB

MD5
a0996395ddf43ba787ba62e48b24074d

SHA1
9fa7af708aa2d1626a8885ef336acd3abda913f4

SHA256
1578d251a4bc8d538d0688de2c585d6b9d8d4223f10308c86fb25790e23833d0

SHA512
55371f41f3cc8e324fa75bd6d293160da3af5a3178bd5f726067bc48e9a04b18914020f75f45ae1c9368e3cfd6b4cae2b8ea29640c79ef0a4d8bf44b06bf3ba1

Download Submit
C:\Users\Admin\AppData\Local\Temp\66df7873

Filesize
1014KB

MD5
acde97b6cfe4bd11c6c8b57875d3d6b0

SHA1
52675f9fcf1c18916af18c2413594d983bc8e206

SHA256
48a949131cc04017a9a819eed12a4ddadad34d2b1cf72e9f332e83109fdc6c1e

SHA512
6615ce9be357a36db32feedb3025ecd1323677e69a15ec2c7466771ee6fa6c038cb6b4934dd531dde6a1c746752539171eeb126f29eb66bf4df4ca6faa070f18

Download Submit
C:\Windows\Installer\e57c719.msi

Filesize
2.4MB

MD5
896fb90e32e5ac077d7048884ba7aff9

SHA1
dac99dae9ff264eaa302dbca0cecd42d78dfc94f

SHA256
57bdd9c5eca5fa517551038cefce58470fa011d1a461e9e4650d34918f23755b

SHA512
3eb744de0ed9ae0611486ac1bc654e227ce9a97b2b84cbc6dc5a72b9cac1b16204e7d4d34c5e5dd3500abdef81255ea694bf0c218f6d0c925d99f905337eecc7

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
24.1MB

MD5
b121de95a7e4347fcab405e854f92abd

SHA1
7b3ebaf4caeb21192901f4e49d482fea05fb5775

SHA256
e907a2c7e4f654667b6559b789e74909c90a82a805070a6507aedfb065752e6b

SHA512
cdf878716cb3cbfbf0de6a6872c7e844f075e8fe5966b0fc9befab525c8b1ca99592ff6117519841607da27c793f2f87aa3c4b60b7e0c22635af031dff5914bd

Download Submit
\??\Volume{1541411d-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{57eb7262-b931-4319-93c6-63ecce9c4e19}_OnDiskSnapshotProp

Filesize
6KB

MD5
799a79a5864b6ab91ffe900f8556a88a

SHA1
11bbaff6693ff5d9061daa92841291275962aa69

SHA256
b326e387f178c5f1a5f0104248bea4c5f0acae755e8163e23df8c9af76bfa37c

SHA512
83d21c70412047bff5db2954e18cc218c8ace1ecbda6b1760c1590da9e9f42c19ce3ebcb8db4485736f65655f9c8e475295c66401d3b909102f1c1c3da766d15

Download Submit
memory/1912-100-0x00007FF9B11D0000-0x00007FF9B13C5000-memory.dmp

Filesize
2.0MB

Download
memory/1912-101-0x0000000074240000-0x00000000743BB000-memory.dmp

Filesize
1.5MB

Download
memory/2468-88-0x0000000001C50000-0x0000000001D3C000-memory.dmp

Filesize
944KB

Download
memory/2468-95-0x0000000074240000-0x00000000743BB000-memory.dmp

Filesize
1.5MB

Download
memory/2468-96-0x00007FF9B11D0000-0x00007FF9B13C5000-memory.dmp

Filesize
2.0MB

Download
memory/2468-91-0x0000000000B80000-0x0000000000BE2000-memory.dmp

Filesize
392KB

Download
memory/2468-89-0x0000000001D40000-0x0000000001DED000-memory.dmp

Filesize
692KB

Download
memory/2468-97-0x0000000074240000-0x00000000743BB000-memory.dmp

Filesize
1.5MB

Download
memory/2636-103-0x00007FF9B11D0000-0x00007FF9B13C5000-memory.dmp

Filesize
2.0MB

Download
memory/2636-105-0x0000000000440000-0x0000000000496000-memory.dmp

Filesize
344KB

Download
memory/2636-104-0x0000000000440000-0x0000000000496000-memory.dmp

Filesize
344KB

Download
memory/3664-52-0x0000000001D00000-0x0000000001DAD000-memory.dmp

Filesize
692KB

Download
memory/3664-49-0x0000000000B90000-0x0000000000BF2000-memory.dmp

Filesize
392KB

Download
memory/3664-46-0x0000000001C00000-0x0000000001CEC000-memory.dmp

Filesize
944KB

Download
memory/3664-59-0x00007FF9B11D0000-0x00007FF9B13C5000-memory.dmp

Filesize
2.0MB

Download
memory/3664-58-0x0000000074240000-0x00000000743BB000-memory.dmp

Filesize
1.5MB

Download