lumma | 74fe35f356a74e085d35b10631f3a5f66e0d7ce06b40de955d3d25d305e40ca3

Analysis

max time kernel
39s
max time network
40s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-01-2025 07:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AquaPac.exe
Size

1.1MB
MD5

d8a8a72c0a91f968623129f7c301304c
SHA1

27612e6c7a665949f6777fb14c97955cb82a4655
SHA256

7182cdbd10477e805b21ba0c78b46dd133261b28f9c3a289687870b1c1a38bc0
SHA512

9da5ed8a8e9569f5423cb6968670f0f1fca39b940ca2e2266bfaaf020ac3b9e49f9e4a42da8e72d36aa04a58604c27f1888025f70d2cceb899057d9097dc499a
SSDEEP

24576:uQdnlsomZ0yh1z+e4GVQ46ueUjcXaRN72L7SAYXOFXJYd0yb7Tb7j:MomaL/GVBLyWAYgKd0I

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://robinsharez.shop/api

https://handscreamny.shop/api

https://chipdonkeruz.shop/api

https://versersleep.shop/api

https://crowdwarek.shop/api

https://apporholis.shop/api

https://femalsabler.shop/api

https://soundtappysk.shop/api

Extracted

Family

lumma

https://soundtappysk.shop/api

https://femalsabler.shop/api

https://apporholis.shop/api

https://crowdwarek.shop/api

https://versersleep.shop/api

https://chipdonkeruz.shop/api

https://handscreamny.shop/api

https://robinsharez.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	AquaPac.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	AquaPac.exe

Executes dropped EXE 2 IoCs

pid	Process
560	Meets.com
4920	Meets.com

Enumerates processes with tasklist 1 TTPs 4 IoCs

discovery

Process Discovery

T1057

pid	Process
5064	tasklist.exe
3756	tasklist.exe
3756	tasklist.exe
716	tasklist.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DistinguishedProducing	AquaPac.exe
File opened for modification	C:\Windows\DivxOnion	AquaPac.exe
File opened for modification	C:\Windows\DistinguishedProducing	AquaPac.exe
File opened for modification	C:\Windows\FrameWholesale	AquaPac.exe
File opened for modification	C:\Windows\ResourcesOwners	AquaPac.exe
File opened for modification	C:\Windows\DivxOnion	AquaPac.exe
File opened for modification	C:\Windows\EeTurkey	AquaPac.exe
File opened for modification	C:\Windows\FrameWholesale	AquaPac.exe
File opened for modification	C:\Windows\ResourcesOwners	AquaPac.exe
File opened for modification	C:\Windows\EeTurkey	AquaPac.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AquaPac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Meets.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AquaPac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Meets.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
560	Meets.com
560	Meets.com
560	Meets.com
560	Meets.com
560	Meets.com
560	Meets.com
4920	Meets.com
4920	Meets.com
4920	Meets.com
4920	Meets.com
4920	Meets.com
4920	Meets.com

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	5064	tasklist.exe
Token: SeDebugPrivilege	3756	tasklist.exe
Token: SeDebugPrivilege	3756	tasklist.exe
Token: SeDebugPrivilege	716	tasklist.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
560	Meets.com
560	Meets.com
560	Meets.com
4920	Meets.com
4920	Meets.com
4920	Meets.com

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
560	Meets.com
560	Meets.com
560	Meets.com
4920	Meets.com
4920	Meets.com
4920	Meets.com

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4672 wrote to memory of 1940	4672	AquaPac.exe	86
PID 4672 wrote to memory of 1940	4672	AquaPac.exe	86
PID 4672 wrote to memory of 1940	4672	AquaPac.exe	86
PID 1940 wrote to memory of 5064	1940	cmd.exe	88
PID 1940 wrote to memory of 5064	1940	cmd.exe	88
PID 1940 wrote to memory of 5064	1940	cmd.exe	88
PID 1940 wrote to memory of 3436	1940	cmd.exe	89
PID 1940 wrote to memory of 3436	1940	cmd.exe	89
PID 1940 wrote to memory of 3436	1940	cmd.exe	89
PID 1940 wrote to memory of 3756	1940	cmd.exe	92
PID 1940 wrote to memory of 3756	1940	cmd.exe	92
PID 1940 wrote to memory of 3756	1940	cmd.exe	92
PID 1940 wrote to memory of 2688	1940	cmd.exe	93
PID 1940 wrote to memory of 2688	1940	cmd.exe	93
PID 1940 wrote to memory of 2688	1940	cmd.exe	93
PID 1940 wrote to memory of 2224	1940	cmd.exe	94
PID 1940 wrote to memory of 2224	1940	cmd.exe	94
PID 1940 wrote to memory of 2224	1940	cmd.exe	94
PID 1940 wrote to memory of 4228	1940	cmd.exe	95
PID 1940 wrote to memory of 4228	1940	cmd.exe	95
PID 1940 wrote to memory of 4228	1940	cmd.exe	95
PID 1940 wrote to memory of 848	1940	cmd.exe	96
PID 1940 wrote to memory of 848	1940	cmd.exe	96
PID 1940 wrote to memory of 848	1940	cmd.exe	96
PID 1940 wrote to memory of 4812	1940	cmd.exe	97
PID 1940 wrote to memory of 4812	1940	cmd.exe	97
PID 1940 wrote to memory of 4812	1940	cmd.exe	97
PID 1940 wrote to memory of 4380	1940	cmd.exe	98
PID 1940 wrote to memory of 4380	1940	cmd.exe	98
PID 1940 wrote to memory of 4380	1940	cmd.exe	98
PID 1940 wrote to memory of 560	1940	cmd.exe	99
PID 1940 wrote to memory of 560	1940	cmd.exe	99
PID 1940 wrote to memory of 560	1940	cmd.exe	99
PID 1940 wrote to memory of 3724	1940	cmd.exe	100
PID 1940 wrote to memory of 3724	1940	cmd.exe	100
PID 1940 wrote to memory of 3724	1940	cmd.exe	100
PID 4480 wrote to memory of 2748	4480	AquaPac.exe	116
PID 4480 wrote to memory of 2748	4480	AquaPac.exe	116
PID 4480 wrote to memory of 2748	4480	AquaPac.exe	116
PID 2748 wrote to memory of 3756	2748	cmd.exe	119
PID 2748 wrote to memory of 3756	2748	cmd.exe	119
PID 2748 wrote to memory of 3756	2748	cmd.exe	119
PID 2748 wrote to memory of 2688	2748	cmd.exe	120
PID 2748 wrote to memory of 2688	2748	cmd.exe	120
PID 2748 wrote to memory of 2688	2748	cmd.exe	120
PID 2748 wrote to memory of 716	2748	cmd.exe	121
PID 2748 wrote to memory of 716	2748	cmd.exe	121
PID 2748 wrote to memory of 716	2748	cmd.exe	121
PID 2748 wrote to memory of 2308	2748	cmd.exe	122
PID 2748 wrote to memory of 2308	2748	cmd.exe	122
PID 2748 wrote to memory of 2308	2748	cmd.exe	122
PID 2748 wrote to memory of 3056	2748	cmd.exe	123
PID 2748 wrote to memory of 3056	2748	cmd.exe	123
PID 2748 wrote to memory of 3056	2748	cmd.exe	123
PID 2748 wrote to memory of 1520	2748	cmd.exe	124
PID 2748 wrote to memory of 1520	2748	cmd.exe	124
PID 2748 wrote to memory of 1520	2748	cmd.exe	124
PID 2748 wrote to memory of 2132	2748	cmd.exe	125
PID 2748 wrote to memory of 2132	2748	cmd.exe	125
PID 2748 wrote to memory of 2132	2748	cmd.exe	125
PID 2748 wrote to memory of 1232	2748	cmd.exe	126
PID 2748 wrote to memory of 1232	2748	cmd.exe	126
PID 2748 wrote to memory of 1232	2748	cmd.exe	126
PID 2748 wrote to memory of 4920	2748	cmd.exe	127

C:\Users\Admin\AppData\Local\Temp\AquaPac.exe
"C:\Users\Admin\AppData\Local\Temp\AquaPac.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4672
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c move Imagination Imagination.cmd & Imagination.cmd
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1940
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:5064
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3436
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3756
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2688
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 792142
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2224
- - C:\Windows\SysWOW64\extrac32.exe
    extrac32 /Y /E Actively
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4228
- - C:\Windows\SysWOW64\findstr.exe
    findstr /V "Steady" Role
    3⤵
    - System Location Discovery: System Language Discovery
    PID:848
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b 792142\Meets.com + Vt + Railroad + Authentication + Mighty + Provide + Pens + Cope + Samuel + Thumbzilla + Hospitality + Kathy 792142\Meets.com
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4812
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Dense + ..\Invitations + ..\Francisco + ..\Authority + ..\Engine + ..\Developers W
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4380
- - C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\792142\Meets.com
    Meets.com W
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:560
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3724

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1444

C:\Users\Admin\AppData\Local\Temp\AquaPac.exe
"C:\Users\Admin\AppData\Local\Temp\AquaPac.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4480
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c move Imagination Imagination.cmd & Imagination.cmd
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2748
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3756
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2688
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:716
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2308
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 792142
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3056
- - C:\Windows\SysWOW64\extrac32.exe
    extrac32 /Y /E Actively
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1520
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b 792142\Meets.com + Vt + Railroad + Authentication + Mighty + Provide + Pens + Cope + Samuel + Thumbzilla + Hospitality + Kathy 792142\Meets.com
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2132
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Dense + ..\Invitations + ..\Francisco + ..\Authority + ..\Engine + ..\Developers W
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1232
- - C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\792142\Meets.com
    Meets.com W
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:4920
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\792142\Meets.com

Filesize
284KB

MD5
a553b9afa147b014bb580df31a50834e

SHA1
49d13863da5d737541395e051aa77410455179c3

SHA256
ae3a9353ad378389262e0be581e28c9ea53fba0f86b2ccac071bc92aba3fc1da

SHA512
332765d6d80792740356a04251861f9a129745813ddb81311389c18eaf641f2c5ba3fd4c757185d1e6a17dfa2871656ecd358fa6ce8969855a2d9bc8bfa5f27e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\792142\Meets.com

Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\792142\W

Filesize
489KB

MD5
90091f6ead5a5340fce5fa02912c5bfb

SHA1
8585e6bfa3a2acaf851060b04e4796f08087fe61

SHA256
4d3bc79dec897ca3277885a9f29e2113627abaa251d92a3ff64c0e5505d9ada5

SHA512
6fad7646b57d52fef61e760b4e366302b98f3deb207db0e8dd71d8f8ed973a7efd25e10edb1d919bcb36aec90d2b0e0a3329498d2c683eda98ac8b3bfcb5bbd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Actively

Filesize
478KB

MD5
0e0686fa4d588f14b83b2ebb980d2a0a

SHA1
17a2e04479a36f1a6cd0a5b716ffde5557b360ea

SHA256
1bf6609584f1c4b4de0680801082f8be1449a28df32c4a490b6b8ccded8ed0a4

SHA512
51f4ac7aeab58444f436e9a687d2f585a530688d9570f4d68dc84109feb91146c5a0d796bd85bf5e8fc242eebd468899c293c90e8c56108c785448c4203d7e7f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Authentication

Filesize
102KB

MD5
ac8c829182e71c67c9278453ea889256

SHA1
118be5cd1e343f882766f1db1c1d9c2022685ff0

SHA256
c7625149c7867bde5cd8eaf46f8a89e56f213f283e5b44597a24102771ac4804

SHA512
5df7b947117ee688f3e62fa628499d5d6fe209ba2d07f393c54f05a37c8c0e0bd4a4899441af2abd58100bb6359e816eada510e043439bdb74b2b434f17b0e1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Authority

Filesize
86KB

MD5
57c695dcf46526ee60fa34c911cd11a1

SHA1
552d99593238f14f6695b0bfa23c05f891b54ab5

SHA256
8c6f3f195b530722800f87330e5eb4e7e27d090b1e2879c8cfcbaa94bf097284

SHA512
a6f6c88068fe0f9a06e9240445813038db4bcc064c756710041f96d36808485f94ab5d5f0919f328564a6735d4ffefb3680d52f8daf3b924f29088f9a6ff6f12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Cope

Filesize
104KB

MD5
cd9214c7b48443d94053af2c55701fa5

SHA1
014db1050bc244fbbc365ed5c638650ed75d0e36

SHA256
50f0bc032432295d65e20bc3dbad1200049ee1d75b1e042b9a0c44e524f92b53

SHA512
af5f680e41fd093f7482b2ae8e56421b10520e9ab0b5ea59ed7a2b1ef473869f55e86c5772a54800bfdea726eae40588f6b6ae1ff2b6f3801979ae60ff1fa02c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Dense

Filesize
97KB

MD5
1e396739e2c187ab53051851212ba90d

SHA1
1363341acd9715272d6636a9cdaaac70fc603648

SHA256
a435f0f239f5994ac344ee20ff42f668d044f5c43b52947547bb001ed5ffa3fc

SHA512
18c90341766e5e22964e0f0d159d83572cb27be49af573e6b3b031450b23ce2891bc94c377f44d9e17357d028321e8eb972b75c68614edd97183767bcc38b546

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Developers

Filesize
89KB

MD5
47ac9fe9d9f63f7baa1e825eecc1aafb

SHA1
92075aeab47ca6cb71fb7f1337f7e7008cbab526

SHA256
809d19ad991b88841b1c9bdae9e3a8252751a04ee0430abf01416edcfa665831

SHA512
9c87c615a1c00fab45bbf981a37135dedc410d1223b80df5e93a1c06594c7841d2db5dd0e422667a995bf681567b3f681ae5b5c8636fb86324f0c893fd029f5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Engine

Filesize
69KB

MD5
37728cb2e7dd700425a811855d711c80

SHA1
90f316246027bcb56e8dc85beb4686025d513c3c

SHA256
70d77c95381c4db8b297068d10e46c8c4b065ab6688677dea83c528a528e0e78

SHA512
4e57b5bc5cf84d6dd46af1eb012b5f4dadb2edc061f12dd5158b7bae4b992804476bdff45c7299524c242f00462bdcac837da578ff6a931e17a1ad0502d65137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Francisco

Filesize
62KB

MD5
f508a14e1f7544a99029e0ab1b261ffa

SHA1
7ea718949660836c54c9f5e7af3c716c6a127dd2

SHA256
f15508f7d353e4424f4f4cdd6b359b0094508690afeb10b861d8934421d5decb

SHA512
70ed6e33751b39f76ca72edd2fb410b239169dde77a2d494097588aa0cb86e3d67e8121db437eb6dbf9df1298e9e8d989285fed2d7cd5ddb07a5e291141b6f56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Hospitality

Filesize
124KB

MD5
0a1035bb9fc56b3c2590e25929eef925

SHA1
427b159b91a96c69ab01cc104ff2fa2ce0fd91e5

SHA256
cbf2ecf23b8e76c1bf1a5574e4a35890713555248f1ef7cdb3c459821f4ca2f9

SHA512
5b8ee14d403b8e307e907689165206868a495ae40be484f7590314f19533732b2ff12814eddb23461cb5f932412c755ba69f8bdca69d11be9e3ed3783f8d00e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Imagination

Filesize
19KB

MD5
ac72b5f1d9ad7b1a9733acd27249950d

SHA1
4a1f91c00bbfa15621ecf46a17f40a9fd2c1d058

SHA256
fc99378ce8bc87b7095cb4a6fbe28906b97423f3d95dbab5f50e0ab3785f647c

SHA512
c63981434e0aaf2eba7e84067d2b6e986e44626dad82e24908d353dcaf6d0ee92933499124032912b192cb99888a8998a98c6382ebcedc0ab59937f2553e2d94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Invitations

Filesize
86KB

MD5
2b9ccf75936f2f4567d9f1dd70a3c4e4

SHA1
46f38418e6432aa469016e87a4206db4a995ec55

SHA256
80ce58e21d4a6a79881a66ae02e084b8fbf3333f2ec2b71d1f606f158e96475b

SHA512
0ca9ecb1591f4dc1f5caadd37ea0f21c928cb6820108e74f692bbde84559a30472c72f0139065d1a98a8973d273a3f12c0d22607357acb730e724af0813d3e94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Kathy

Filesize
2KB

MD5
adefb42726bc224db7041c8e588ac6dd

SHA1
87778460dbe6cfe7f6c2c716eb80570ec433b0d3

SHA256
449536deddc00f968768e1a9993abefdd2d35ea1f9c5fe806879617928400f48

SHA512
ea640ddf8a4a0e9ebd64e50da893b3b144d88e07bbbb936d4bfa82ccda8a2bc4e01182eaddf2e69cc5232abd76ea743b8cb738c97bce53ac833c1c4b3f16374f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Mighty

Filesize
55KB

MD5
bb0074328c540072752ce884362f886f

SHA1
8d55aa467b3af7a513d5c7d88db30ca1a9d98e91

SHA256
8e56d737730ee96e70d31f90a4bf4a2295c746ac3515e5e0708b1f6baf03da15

SHA512
f172454755b2a67d10dd0cebf01d0b91fcc4b3b9498da07d945345f316c454ca8a5d02484ea828131c29e10504a79840fcdb6ded38eb09acd0f7235c07a34bf2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Pens

Filesize
109KB

MD5
b478a16fe5de90f378460aadc49b35e6

SHA1
74aa246e4b4bb34e03241012329fa0c36c0722f0

SHA256
490958f8c444165ceed2bb2abc11a206307367a8cba74744cd0a8bf437a87ff4

SHA512
01254fcd7d498e49c9c6ebd7d4adb3ce121b7f5c0e37011094b1e3ae0e9ff47ffd9e5941020930fbbfe79637a561992d65e46f2b926d47598e82940c9b24542a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Provide

Filesize
71KB

MD5
518d370b488b513dd644db94444562c7

SHA1
cf3e2410e2aa56ef27a048cccd0ca1d0f90dd758

SHA256
cf310de2f036bca47b494bdd071f589f445792b71439e22fae2c0b3095838a4d

SHA512
62e9b28e2a9b6ad66ea847ccbed1e852fd4ab68492d3589cfd49159362c8e0fc10244ca94a4c1b424846b3e40a4373c7213325227360bfda25fb900be74711ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Railroad

Filesize
100KB

MD5
ac2c048aaf68e5123115820b8781ee2f

SHA1
b7202f254c74bf033bae55e32cec6e244b8d8745

SHA256
155473d893db83bf888c283e74866dcb2c861b8b288a8da3af125ea097ec0efa

SHA512
270321b5fdecd02d0af8ced493b6bdef45a7311e00177523f14c7215cfdf8ea9d6e740c1decb269714ce37d28ecfffd25addb1695bf63101ed8e41155d31f108

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Role

Filesize
125B

MD5
97a17d0cd5c621a4862209b3696ad4ac

SHA1
f5e9feb17fda8c77f520903e70981c4abf007adc

SHA256
600e46ce7216350e8d987cd3d3187318bc95145dc878fe6a643e92179f823710

SHA512
33caa4b7e855ab18d10c161ec171c1e372acdb4b83785630f39d3ad00513e9e4a4b5ce0e169aa835bd136abc7171aec40b78423798ebb3c2b07f28ba5d0bc8b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Samuel

Filesize
125KB

MD5
3347dc75a288af08d50b5136fc4b0327

SHA1
0f9a6482174914cdb01797bd51bd902f3ecf345f

SHA256
b5e6c3445828c9546650f554aa1b0dace518f8c22814d978b68ce34a95d94c00

SHA512
cabe6bbc0758b76380474d51df549c40982174f555890e41e2d0071071d8f53eba321162156b9e158f75915f61549ad1a33e88c0c00398d2ad9a306875f3bd9d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Thumbzilla

Filesize
50KB

MD5
a993c387a1cfb59cca8c1563b4c1463b

SHA1
7dd4e9e17d02ff58e3dd80c8deb6787f3c302497

SHA256
1134c53b137901e53a76319f3ba6b6df1d054199dfadc23170def6bd94bdc832

SHA512
add996ff72772c6047609c6fedc40168473279b606f91207d536590dc96519cf1666b5a25e5f2561ad25a4ff86b733cbd5dc907554fd593097acdc82a0a0de13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Vt

Filesize
82KB

MD5
d75d2ddc4f5c128ed81fb0c5f3482552

SHA1
baeae93652bac704be1ffe17b207751fec99a104

SHA256
5f4654f04b12e59ca733c72a0f0434827cd6ed76d483d392e4c16fa1a5ba7d92

SHA512
d956ad259bcde42b1fa72c278c51018172c6c069fb35d2f13cc45784ce19723023fadf541c1fcfdd80e938d64532ed08734daf1111183323116ace5a02636895

Download Submit
memory/560-119-0x00000000077F0000-0x0000000007849000-memory.dmp

Filesize
356KB

Download
memory/560-121-0x00000000077F0000-0x0000000007849000-memory.dmp

Filesize
356KB

Download
memory/560-123-0x00000000077F0000-0x0000000007849000-memory.dmp

Filesize
356KB

Download
memory/560-122-0x00000000077F0000-0x0000000007849000-memory.dmp

Filesize
356KB

Download
memory/560-120-0x00000000077F0000-0x0000000007849000-memory.dmp

Filesize
356KB

Download