lumma | aefc0d264a6726fbbcfbb68385412b83d9928f0527813c543cb4f90d4920e419

Analysis

max time kernel
270s
max time network
203s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06-01-2025 10:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Software.zip
Size

908KB
MD5

6f676d2be92f94716a4be2b2b5f6392d
SHA1

2e9a27380b2ecd17729ba0b61bbd35d26952a3f7
SHA256

aefc0d264a6726fbbcfbb68385412b83d9928f0527813c543cb4f90d4920e419
SHA512

2b0911894b54245f9f9ddee3a2f1a06d9066031d0aef6f52baa0addcb165f42d2d0627235bcc6f79f29b144960357cbdbb2b43dccbab1a849551773c3cbbd788
SSDEEP

12288:5TyZHcK0Ty2wv8s7/mj/73RaLHIW5BmUeUhoE4RgiF1q1bPIBKsg4Db0S1:5GZWTpwkc/u/7IoRnUKfq1Dl4DYk

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://wholersorie.shop/api

https://framekgirus.shop/api

https://tirepublicerj.shop/api

https://noisycuttej.shop/api

https://rabidcowse.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Roblox.exe

Executes dropped EXE 5 IoCs

pid	Process
2008	lua.exe
2024	lua.exe
1752	Roblox.exe
5028	Briefly.com
2388	lua.exe

Loads dropped DLL 3 IoCs

pid	Process
2008	lua.exe
2024	lua.exe
2388	lua.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
23	ip-api.com

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
2820	tasklist.exe
4628	tasklist.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Setup\Scripts\ErrorHandler.cmd	lua.exe
File opened for modification	C:\Windows\BalletAntique	Roblox.exe
File opened for modification	C:\Windows\HighlightsHeader	Roblox.exe
File opened for modification	C:\Windows\FrancePn	Roblox.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lua.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lua.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Briefly.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Roblox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2920	NOTEPAD.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4668	schtasks.exe
1632	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
5028	Briefly.com
5028	Briefly.com
5028	Briefly.com
5028	Briefly.com
5028	Briefly.com
5028	Briefly.com

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4448	7zFM.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeRestorePrivilege	4448	7zFM.exe
Token: 35	4448	7zFM.exe
Token: SeSecurityPrivilege	4448	7zFM.exe
Token: SeDebugPrivilege	4628	tasklist.exe
Token: SeDebugPrivilege	2820	tasklist.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
4448	7zFM.exe
4448	7zFM.exe
4448	7zFM.exe
5028	Briefly.com
5028	Briefly.com
5028	Briefly.com

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
5028	Briefly.com
5028	Briefly.com
5028	Briefly.com

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 1356 wrote to memory of 2008	1356	cmd.exe	104
PID 1356 wrote to memory of 2008	1356	cmd.exe	104
PID 1356 wrote to memory of 2008	1356	cmd.exe	104
PID 2008 wrote to memory of 4668	2008	lua.exe	112
PID 2008 wrote to memory of 4668	2008	lua.exe	112
PID 2008 wrote to memory of 4668	2008	lua.exe	112
PID 2008 wrote to memory of 1632	2008	lua.exe	113
PID 2008 wrote to memory of 1632	2008	lua.exe	113
PID 2008 wrote to memory of 1632	2008	lua.exe	113
PID 2008 wrote to memory of 1752	2008	lua.exe	114
PID 2008 wrote to memory of 1752	2008	lua.exe	114
PID 2008 wrote to memory of 1752	2008	lua.exe	114
PID 1752 wrote to memory of 3304	1752	Roblox.exe	116
PID 1752 wrote to memory of 3304	1752	Roblox.exe	116
PID 1752 wrote to memory of 3304	1752	Roblox.exe	116
PID 3304 wrote to memory of 4628	3304	cmd.exe	118
PID 3304 wrote to memory of 4628	3304	cmd.exe	118
PID 3304 wrote to memory of 4628	3304	cmd.exe	118
PID 3304 wrote to memory of 5096	3304	cmd.exe	119
PID 3304 wrote to memory of 5096	3304	cmd.exe	119
PID 3304 wrote to memory of 5096	3304	cmd.exe	119
PID 3304 wrote to memory of 2820	3304	cmd.exe	121
PID 3304 wrote to memory of 2820	3304	cmd.exe	121
PID 3304 wrote to memory of 2820	3304	cmd.exe	121
PID 3304 wrote to memory of 4376	3304	cmd.exe	122
PID 3304 wrote to memory of 4376	3304	cmd.exe	122
PID 3304 wrote to memory of 4376	3304	cmd.exe	122
PID 3304 wrote to memory of 3588	3304	cmd.exe	123
PID 3304 wrote to memory of 3588	3304	cmd.exe	123
PID 3304 wrote to memory of 3588	3304	cmd.exe	123
PID 3304 wrote to memory of 4740	3304	cmd.exe	124
PID 3304 wrote to memory of 4740	3304	cmd.exe	124
PID 3304 wrote to memory of 4740	3304	cmd.exe	124
PID 3304 wrote to memory of 1332	3304	cmd.exe	125
PID 3304 wrote to memory of 1332	3304	cmd.exe	125
PID 3304 wrote to memory of 1332	3304	cmd.exe	125
PID 3304 wrote to memory of 4944	3304	cmd.exe	126
PID 3304 wrote to memory of 4944	3304	cmd.exe	126
PID 3304 wrote to memory of 4944	3304	cmd.exe	126
PID 3304 wrote to memory of 3180	3304	cmd.exe	127
PID 3304 wrote to memory of 3180	3304	cmd.exe	127
PID 3304 wrote to memory of 3180	3304	cmd.exe	127
PID 3304 wrote to memory of 5028	3304	cmd.exe	128
PID 3304 wrote to memory of 5028	3304	cmd.exe	128
PID 3304 wrote to memory of 5028	3304	cmd.exe	128
PID 3304 wrote to memory of 2976	3304	cmd.exe	129
PID 3304 wrote to memory of 2976	3304	cmd.exe	129
PID 3304 wrote to memory of 2976	3304	cmd.exe	129

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Software.zip"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4448

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\fold\Launcher.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:1356
- C:\Users\Admin\Desktop\fold\lua.exe
  lua.exe icon.txt
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2008
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc daily /st 12:17 /f /tn ApplicationExperienceAnalysis_ODA3 /tr ""C:\Users\Admin\AppData\Local\ODA3\ODA3.exe" "C:\Users\Admin\AppData\Local\ODA3\icon.txt""
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:4668
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc daily /st 12:17 /f /tn Setup /tr "C:/Windows/System32/oobe/Setup.exe" /rl highest
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1632
- - C:\Users\Admin\AppData\Roaming\files\Roblox.exe
    "C:\Users\Admin\AppData\Roaming\files\Roblox.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1752
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c move Very Very.cmd & Very.cmd
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3304
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4628
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "opssvc wrsa"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5096
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2820
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4376
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 88358
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3588
    - - C:\Windows\SysWOW64\extrac32.exe
        
        extrac32 /Y /E Namely
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4740
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "Projects" Oven
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1332
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b 88358\Briefly.com + Ft + Aluminium + After + Shepherd + Profession + Ahead + Eagle + Build + Exceed + County + Eds 88358\Briefly.com
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4944
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Boston + ..\Subaru + ..\Hon + ..\Mixer + ..\Surplus + ..\Stunning X
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3180
    - - C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\88358\Briefly.com
        
        Briefly.com X
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:5028
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2976

C:\Users\Admin\Desktop\fold\lua.exe
"C:\Users\Admin\Desktop\fold\lua.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2024

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\fold\icon.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:2920

C:\Users\Admin\Desktop\fold\lua.exe
"C:\Users\Admin\Desktop\fold\lua.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\88358\Briefly.com

Filesize
927B

MD5
44573b96edbe776a81627d5eb8caa82b

SHA1
20df5b9fe95cc48e3806e6204e315e7a637b5ab8

SHA256
28b25d641d312bb24af0e35f243ac1f58786ac4044ecbc236e8fad500307ae9a

SHA512
261d7bdfa66cd466b622bb93a80fa8a026c95bf8ed3ed818cc8ffd3489a89ed4bdfda949b15601f793c39bed8daaadda29ef0407ee653a1f3ecdd02c93c05dcc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\88358\Briefly.com

Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\88358\X

Filesize
451KB

MD5
e872ef145dd334dcf5562940e6641cd0

SHA1
3199371bd8c82081ca8c43e827ffc28e57685b20

SHA256
8be6e0ed7358a1b2aadfeaf7b1ac9f8e552388385934353dd4ead4eafaa92c32

SHA512
b78b7f345c7eaa596efa5dc7d7279c91bcfc4d22744906d7e4763205aab98817b3921cfbfba4bd54c71ee7b79a42be2108e404b7743866f45006115716c35db5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\After

Filesize
58KB

MD5
a12d07b0098d2699971d42963276de2d

SHA1
5193808007206067d8107b9cd5f178319243beda

SHA256
b9d87bda11dd6b7821b3e5626bde95c196814589b317cdf7d59663bff34d4bdd

SHA512
1616aca22f1acdda8eb40b0f84507a19d7bb891eb223ae3eabc49f1b79fb11b79aabd127965abde1dc7932c17e1e7846066202e0edf4a7307873985a3e10d0ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Ahead

Filesize
62KB

MD5
9d49faa6f53a0928d354c7b77ecab55f

SHA1
270bab8f8a6a96f522904806bd115188a1b6a2ba

SHA256
dec6d54d902c5557ff9e80e58ff45f43b002bd46d1427b691c8806acfd85fb5c

SHA512
f1aa6b83f339254e7d0c931dd2eda5f6b1c1247f70e19c425d9656a8fb32be8a257ab6ed9b49cd674f7554df3cc7fcfaf2b5b3fcd4436160d0885aef01a59fd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Aluminium

Filesize
86KB

MD5
10622036576a3509f11d8e6beddfc95c

SHA1
c2844a9c011c0473630cb3fb62c093633d95cdaa

SHA256
697ae84e4291b067700ff7b8be3d17c43b9aade780aabf35c49b409995f9786e

SHA512
3e6303d4c18a1338741be729bb2853feda2990bb2a3a529a028547ead5391a66b6f621c467231d6735ed3131b9a6e7ee413acb698b9434e400e9a3835f9d94bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Boston

Filesize
82KB

MD5
dbaedcb6665215950d059f1421e2bfa0

SHA1
f97e4bd50a1adfd6e2e3ae3273980720a0df31c2

SHA256
d70f7d3302ef306f60cc78ee181fb065ee7f2940014548af2233895a5aaa15fa

SHA512
625985ab8c513a6f4320c0e832afbc152413b8d359462df70d05f783820986126d8a94bad9ea853235df2abe0d5eafc893b8ebf381b728c4bb8745a4de0c8be0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Build

Filesize
58KB

MD5
99f1e77037465079f718ef79267612ff

SHA1
736ff3fe87993de164a4639347ab2c23a0fc6e90

SHA256
193ee221072a3ff82d087d2c881054078cdc222191780f5afe261fea9af63cf7

SHA512
4fa3762e6fab1df0fdde3e3536c7b4f8c8d5fd97f469fc2e734498393ab39b0b2fc02ec2a3f19bb2d1280fe8f71b318aea12b88bbe1cf4aca88ecc9cd52c4aec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\County

Filesize
86KB

MD5
974d56281350d3e278b3a8059d971b2c

SHA1
7161a8e39e515a541888d5e605eb944ab57116c3

SHA256
87cec3014db6914ad63b22311943fddb2e14f9383146e6a87ee5330d5f9bea55

SHA512
682892e1391382355c063186d3d5432fcb28bf367d033b58330d4df2a1d3aed10aa578ef63d1175d3d16cbab946eb27888b7b8505c49aead20c15f18fb1e8165

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Eagle

Filesize
133KB

MD5
3d7e12929165839aefeff0485220020c

SHA1
7c43a4ac680b8cd5342d545fdced260b3366a82f

SHA256
24ee30a875cf96387548a3aa201f24591acb3f8a02c352e616cb8d13d9419aa8

SHA512
e79db17bd841f3a93ceba0e8fa9f61ab2939693b8649471d6fd40d77dc54331bb32457b6b5b5087fe5ca7e946e00e6596b8b19a9e07b0bec877ee43cf7ea6b08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Eds

Filesize
27KB

MD5
4182f91c2e55a8fd23f65dea47928475

SHA1
9c181fef313d7d9402fee381e27b0756cde0c7e8

SHA256
3b17dee4e4d576ececa45230ee3e379e78c506c2fc63050a52e6097a79775249

SHA512
0b6e5a94918f73d8d5b2dbd10644cea55ee367ff4e1560d1f2db2f1de4693edd631fc40ba38bfb041992cf139745bfb3b508c964257725db9fccb9224dd3aaf8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Exceed

Filesize
87KB

MD5
4019ab86608a140be754a4daf374144c

SHA1
ccea8a2febc0e888186e7baaff5c8a9997177763

SHA256
6fd18a6177d3b0434652a5db1774476f8e7b27c6b2450551d3d0feb079565bf0

SHA512
d14af008c68591a717ffdcca5db22d9559ed1e224ea53634bb875e2dbf1ea13d78d30dcde6eb815ef0156a91db0c2564bbedd5fd07dd71c3713d1914ed0b43c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Ft

Filesize
126KB

MD5
7fc164f2672813daefc45ae2b5c6aa6d

SHA1
c7b1e870592a8d5b0dbd063533d1cefc2f5ac5d2

SHA256
5523e256f49474769d59d9ecf59f4826551eeb9a7b73c9ee5dcf325f4d1e0163

SHA512
502a6d39e4f3aa584047e453ac5053dc89bf3092ed96ec4d2c39fa6caa584cf3d9ced847d0e0746e7e798826739be07c1175bbf396d386908c6c2369f4e13d10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Hon

Filesize
89KB

MD5
9529767cacc03415d96fd9652d841801

SHA1
617f41f1a0fb1025020a8cffffb46a4457f0f896

SHA256
6689bd33856ce7b359fd61cc7031376b5e04b2f1287def80dbf83ed82cf102d3

SHA512
9f4546370dc6881603ccec1f2a9f121dd8b8f8c72543dc5d34c0bebca0f87a0410a9d9e405ae021e67990af5be919fc29efe5845056a1ed476cd3766cb50667b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Mixer

Filesize
84KB

MD5
ff03b4ec16e822730640c40998651bfa

SHA1
db1adefb3fb077e8e0a4bac5343193ab9900f0fe

SHA256
cb704fa92c9a2babec7b01a9ddac260d42470871691cfc9938c64d7d9580c76b

SHA512
e086c3de540196413c13d591e13c4a90a04bd51de591a58ee153117040729d26bb72ca78fe769023646126a210bf1d2e78a54ddf858c5de5df26ff06158ede68

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Namely

Filesize
479KB

MD5
f012632b43abc18a94a91c3171a51686

SHA1
2dbad43fd426d50f946ea805cdd5e73595dcd96e

SHA256
ccdc8b4f72b7d33375d20b5d5c4b1496b373d6e5bd01e3649ace2bc95f8a0c20

SHA512
21f4cab5e0e8138c7e6556a2f0893ca1699cfdbe4b41926c3358ddce2ebbc43ba42da2f1568f71d525df5c3f1ae428e0f1f13b879c4c030ff4494cae3c4755ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Oven

Filesize
935B

MD5
e7baaa5a9619a0165e5466810df3c1f7

SHA1
01589a53014c4098debcf625a0306526ca4971ab

SHA256
f25e40da39e290656cc4ef129f34a6300b47cde6e0336a1bbb26507d4045d1c4

SHA512
727f7cbbd34503fb7e5072043fbfa681b96f814b14c596c9ff78e6e0662856bb338136ea54c36c69bfba2a87dda04fda4ed9e9bff9ff6e126433101414e34a7d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Profession

Filesize
52KB

MD5
78ba8a5aa1b7c31e40c49252bfcb6f69

SHA1
5b61c745cbcd472acb7cd28093d8ef946f6f7dbe

SHA256
9b6a140f26989a189f3ad3af9635f3347a50c638e82f518d3e587cdc3bd4aacc

SHA512
00396de63d9c5d9a5fc123495f9e7f5e421d06e0c79ed48cf765914c9da5282e1ca3e4f942e7fc6c7a12c4759f8abb4e16a3d8d69f1c4105e2dc3efb9d272052

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Shepherd

Filesize
149KB

MD5
f2e685babf2db8ac3a3e40159d7fbc06

SHA1
137173db47949caf1eba201d59fae3021683f3be

SHA256
3f2755c14f7735314ef973e81007f0a02be20f826d0b98ddad36be16e886ae31

SHA512
11a1c95b2479e5b3822364711c65baa86db657660d9763147490185e71dc39ca98227433fe70522179be2142dd37d82e18ba6dd7d6d4bd8303ec7e414a53d9ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Stunning

Filesize
31KB

MD5
e430854dd18636fdaaba282c740d9c35

SHA1
8f194acfca01504469fe48fa0819fbf104c52ff5

SHA256
7a5c6fbe14b785c3bf2a27581df0b9cef2d045454755c9ffdd7257b472d65189

SHA512
5f569e877eef4ccafa8deed943fb81203e7941a1c1234f4aae342071791dc3d8e586f6d6643ab4a02a3afe4987c87e8f2d86e3270539653256fd1c4baacd1043

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Subaru

Filesize
98KB

MD5
23788431b17624d0100f3619f3133c6d

SHA1
0a0b3dffa236b137586d3181ca43479b348b89e6

SHA256
d1af338d8787aa0c4e79d37e8fb1cf709a4dc741e9ad668dfdaa011ce1cbbcc7

SHA512
d342c0a666d03bf5d2c6a801621d0c59e44d498fea7d9aab0f568b3573d4657c2b47123ee11743e5d23a493a46961a1d6d232ce10ce7171d7c5d6ee04a6bc100

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Surplus

Filesize
67KB

MD5
282e8e6fe01cca0b082491d3bfae9c6f

SHA1
a434fb1e4cd68c2180e663ff86068b868b961ca0

SHA256
af377703eb7e3f249c5eff649fa47c2eed8e573ec64e607c3a20ff0300e6b151

SHA512
2d8d389876c1a68b63895eb1511da41aa003e5eff30f4e78f9f196161a605b7081b6be35f575f53f7625620e796db37043af6bbe4d075a4556f0d18ffb18518d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Very

Filesize
20KB

MD5
fac7e28ec4ae3e000133d5d455d4a712

SHA1
8aa80092450b70d2922705681839303f0ca81094

SHA256
218da93f7a010fa6f13090bde77323f4810be971e18fb1eefaafa256b9d16577

SHA512
e5b6e3be962dd17354f56dcd80433a4b752d24652bbe9e309fc08a71c2a5de57ecb6c39a5bc0bbf8ebd15cf80e7b1deea987200765f8b0156ed4c7349679cfc5

Download Submit
C:\Users\Admin\AppData\Local\ODA3\ODA3.exe

Filesize
976.1MB

MD5
6fd28a0b449883b13da368648fadd887

SHA1
a636fe9df00654f18ac40b7b2e1c302f62b97f7d

SHA256
6106a96945d6dbf36941bb8557661e71bb444690678dc6c5c3f24bcb81b85274

SHA512
a0e91393167888911cd709f9ae5b0a8ec3d3acf4dab6c9dec0369eb5220ba77dbe96aab16d004355a562be1b8bf0bb205d972aeb51a5423c9fc9574e9823e6c0

Download Submit
C:\Users\Admin\Desktop\fold\Launcher.bat

Filesize
2KB

MD5
d7f990b9df5038c0eeab8525eeab05e7

SHA1
f217d29ccae0525807a9b6ddac1906c4dedd2d97

SHA256
2b33969e45b9a684b8a14b2b8becb4fc93f4b8e32cf2b4f6aaefc9f20200bc07

SHA512
9a3fad6820c2734fd05148a3e743fe61c8ace54ded02a4146b08a9ffef15761e77993a0bd7577342556b09eb18b0df0cfea10161425bd0f945956b07c983f20c

Download Submit
C:\Users\Admin\Desktop\fold\icon.txt

Filesize
224KB

MD5
32ffd84173a0df93d1e347d784a59005

SHA1
cb6152f9fef83f3bd3157aad5e2583c4756bd5a5

SHA256
f47c99ddf6c9d84056629101933639be211a68f4b8b7f290c32afe3a19e7edb9

SHA512
35be78e10a46a1b06b206bbb6c29cf70945b81c995bfed68ae1090db5e2f7eb395db934118df6146be67761cb9ed42f540c5303018b20d6a1e5b239a20990ae1

Download Submit
C:\Users\Admin\Desktop\fold\lua.exe

Filesize
89KB

MD5
dd98a43cb27efd5bcc29efb23fdd6ca5

SHA1
38f621f3f0df5764938015b56ecfa54948dde8f5

SHA256
1cf20b8449ea84c684822a5e8ab3672213072db8267061537d1ce4ec2c30c42a

SHA512
871a2079892b1eb54cb761aebd500ac8da96489c3071c32a3dab00200f74f4e12b9ab6c62623c53aea5b8be3fc031fb1b3e628ffe15d73323d917083240742b0

Download Submit
C:\Users\Admin\Desktop\fold\lua51.dll

Filesize
592KB

MD5
3dff7448b43fcfb4dc65e0040b0ffb88

SHA1
583cdab08519d99f49234965ffd07688ccf52c56

SHA256
ff976f6e965e3793e278fa9bf5e80b9b226a0b3932b9da764bffc8e41e6cdb60

SHA512
cdcbe0ec9ddd6b605161e3c30ce3de721f1333fce85985e88928086b1578435dc67373c3dc3492ed8eae0d63987cac633aa4099b205989dcbb91cbbfc8f6a394

Download Submit
memory/2008-44-0x000000007FA10000-0x000000007FA20000-memory.dmp

Filesize
64KB

Download
memory/2008-30-0x000000007FA10000-0x000000007FA20000-memory.dmp

Filesize
64KB

Download
memory/2008-62-0x000000007FA10000-0x000000007FA20000-memory.dmp

Filesize
64KB

Download
memory/2008-61-0x000000007FA10000-0x000000007FA20000-memory.dmp

Filesize
64KB

Download
memory/2008-60-0x000000007FA10000-0x000000007FA20000-memory.dmp

Filesize
64KB

Download
memory/2008-59-0x000000007FA10000-0x000000007FA20000-memory.dmp

Filesize
64KB

Download
memory/2008-58-0x000000007FA10000-0x000000007FA20000-memory.dmp

Filesize
64KB

Download
memory/2008-57-0x000000007FA10000-0x000000007FA20000-memory.dmp

Filesize
64KB

Download
memory/2008-56-0x000000007FA10000-0x000000007FA20000-memory.dmp

Filesize
64KB

Download
memory/2008-55-0x000000007FA10000-0x000000007FA20000-memory.dmp

Filesize
64KB

Download
memory/2008-54-0x000000007FA10000-0x000000007FA20000-memory.dmp

Filesize
64KB

Download
memory/2008-53-0x000000007FA10000-0x000000007FA20000-memory.dmp

Filesize
64KB

Download
memory/2008-52-0x000000007FA10000-0x000000007FA20000-memory.dmp

Filesize
64KB

Download
memory/2008-51-0x000000007FA10000-0x000000007FA20000-memory.dmp

Filesize
64KB

Download
memory/2008-50-0x000000007FA10000-0x000000007FA20000-memory.dmp

Filesize
64KB

Download
memory/2008-49-0x000000007FA10000-0x000000007FA20000-memory.dmp

Filesize
64KB

Download
memory/2008-48-0x000000007FA10000-0x000000007FA20000-memory.dmp

Filesize
64KB

Download
memory/2008-47-0x000000007FA10000-0x000000007FA20000-memory.dmp

Filesize
64KB

Download
memory/2008-46-0x000000007FA10000-0x000000007FA20000-memory.dmp

Filesize
64KB

Download
memory/2008-45-0x000000007FA10000-0x000000007FA20000-memory.dmp

Filesize
64KB

Download
memory/2008-64-0x000000007FA10000-0x000000007FA20000-memory.dmp

Filesize
64KB

Download
memory/2008-19-0x000000007FA10000-0x000000007FA20000-memory.dmp

Filesize
64KB

Download
memory/2008-43-0x000000007FA10000-0x000000007FA20000-memory.dmp

Filesize
64KB

Download
memory/2008-42-0x000000007FA10000-0x000000007FA20000-memory.dmp

Filesize
64KB

Download
memory/2008-41-0x000000007FA10000-0x000000007FA20000-memory.dmp

Filesize
64KB

Download
memory/2008-40-0x000000007FA10000-0x000000007FA20000-memory.dmp

Filesize
64KB

Download
memory/2008-39-0x000000007FA10000-0x000000007FA20000-memory.dmp

Filesize
64KB

Download
memory/2008-38-0x000000007FA10000-0x000000007FA20000-memory.dmp

Filesize
64KB

Download
memory/2008-37-0x000000007FA10000-0x000000007FA20000-memory.dmp

Filesize
64KB

Download
memory/2008-36-0x000000007FA10000-0x000000007FA20000-memory.dmp

Filesize
64KB

Download
memory/2008-35-0x000000007FA10000-0x000000007FA20000-memory.dmp

Filesize
64KB

Download
memory/2008-34-0x000000007FA10000-0x000000007FA20000-memory.dmp

Filesize
64KB

Download
memory/2008-33-0x000000007FA10000-0x000000007FA20000-memory.dmp

Filesize
64KB

Download
memory/2008-32-0x000000007FA10000-0x000000007FA20000-memory.dmp

Filesize
64KB

Download
memory/2008-31-0x000000007FA10000-0x000000007FA20000-memory.dmp

Filesize
64KB

Download
memory/2008-63-0x000000007FA10000-0x000000007FA20000-memory.dmp

Filesize
64KB

Download
memory/2008-29-0x000000007FA10000-0x000000007FA20000-memory.dmp

Filesize
64KB

Download
memory/2008-28-0x000000007FA10000-0x000000007FA20000-memory.dmp

Filesize
64KB

Download
memory/2008-27-0x000000007FA10000-0x000000007FA20000-memory.dmp

Filesize
64KB

Download
memory/2008-26-0x000000007FA10000-0x000000007FA20000-memory.dmp

Filesize
64KB

Download
memory/2008-25-0x000000007FA10000-0x000000007FA20000-memory.dmp

Filesize
64KB

Download
memory/2008-24-0x000000007FA10000-0x000000007FA20000-memory.dmp

Filesize
64KB

Download
memory/2008-23-0x000000007FA10000-0x000000007FA20000-memory.dmp

Filesize
64KB

Download
memory/2008-22-0x000000007FA10000-0x000000007FA20000-memory.dmp

Filesize
64KB

Download
memory/2008-21-0x000000007FA10000-0x000000007FA20000-memory.dmp

Filesize
64KB

Download
memory/2008-20-0x000000007FA10000-0x000000007FA20000-memory.dmp

Filesize
64KB

Download
memory/2008-18-0x000000007FA10000-0x000000007FA20000-memory.dmp

Filesize
64KB

Download
memory/2008-17-0x000000007FA10000-0x000000007FA20000-memory.dmp

Filesize
64KB

Download
memory/2008-65-0x000000007FA10000-0x000000007FA20000-memory.dmp

Filesize
64KB

Download
memory/2008-66-0x000000007FA10000-0x000000007FA20000-memory.dmp

Filesize
64KB

Download
memory/2008-67-0x000000007FA10000-0x000000007FA20000-memory.dmp

Filesize
64KB

Download
memory/2008-68-0x000000007FA10000-0x000000007FA20000-memory.dmp

Filesize
64KB

Download
memory/2008-69-0x000000007FA10000-0x000000007FA20000-memory.dmp

Filesize
64KB

Download
memory/2008-70-0x000000007FA10000-0x000000007FA20000-memory.dmp

Filesize
64KB

Download
memory/2008-71-0x000000007FA10000-0x000000007FA20000-memory.dmp

Filesize
64KB

Download
memory/2008-72-0x000000007FA10000-0x000000007FA20000-memory.dmp

Filesize
64KB

Download
memory/2008-73-0x000000007FA10000-0x000000007FA20000-memory.dmp

Filesize
64KB

Download
memory/2008-74-0x000000007FA10000-0x000000007FA20000-memory.dmp

Filesize
64KB

Download
memory/2008-75-0x000000007FA10000-0x000000007FA20000-memory.dmp

Filesize
64KB

Download
memory/2008-101-0x0000000002D20000-0x0000000002D21000-memory.dmp

Filesize
4KB

Download
memory/2008-102-0x0000000002D20000-0x0000000002D21000-memory.dmp

Filesize
4KB

Download
memory/2008-103-0x0000000002D20000-0x0000000002D21000-memory.dmp

Filesize
4KB

Download
memory/2008-105-0x0000000002D20000-0x0000000002D21000-memory.dmp

Filesize
4KB

Download
memory/2008-109-0x0000000002D20000-0x0000000002D21000-memory.dmp

Filesize
4KB

Download
memory/2008-111-0x0000000002D20000-0x0000000002D21000-memory.dmp

Filesize
4KB

Download
memory/2008-76-0x000000007FA10000-0x000000007FA20000-memory.dmp

Filesize
64KB

Download
memory/2008-77-0x000000007FA10000-0x000000007FA20000-memory.dmp

Filesize
64KB

Download
memory/2008-78-0x000000007FA10000-0x000000007FA20000-memory.dmp

Filesize
64KB

Download
memory/2008-16-0x000000007FA10000-0x000000007FA20000-memory.dmp

Filesize
64KB

Download
memory/2008-15-0x000000007FA10000-0x000000007FA20000-memory.dmp

Filesize
64KB

Download
memory/2008-206-0x0000000002D20000-0x0000000002D21000-memory.dmp

Filesize
4KB

Download