lumma | fbccc8952710a8a50655f4fe3a880c8373411b7ec40e54aabd7eaff3f1d0137b

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08-01-2025 11:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Update_1.65.4.msi
Size

9.5MB
MD5

d330c09503e6c3d51cd2d3435de0795a
SHA1

5b7bbf5bc80f4b3863c263d1aed620faa4612c9d
SHA256

fbccc8952710a8a50655f4fe3a880c8373411b7ec40e54aabd7eaff3f1d0137b
SHA512

ed3abd52e47d36ca3637dbf3d738d6509049162dd3f084dc7b9c286f517be815c6825df2c1070f36ac4e4445e62919c44a37793fc4bc0761076608340c35610e
SSDEEP

196608:0uVUeJYJMd0rWLhjx5YHU+tYERMN2fr/pa/3pqnLtAPLMgzWS3W9i4EzP:lV6WLR+tYiyURmpML6DMgzJsc

Score

10^/10

lumma discovery persistence privilege_escalation stealer

Malware Config

Extracted

Family

lumma

https://cloudewahsj.shop/api

https://rabidcowse.shop/api

https://noisycuttej.shop/api

https://tirepublicerj.shop/api

https://framekgirus.shop/api

https://wholersorie.shop/api

https://abruptyopsn.shop/api

https://nearycrepso.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1420 set thread context of 1888	1420	ReFB.exe	36

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\Installer\f76b9cd.msi	msiexec.exe
File created	C:\Windows\Installer\f76b9ce.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\f76b9ce.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\Installer\f76b9cd.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBA89.tmp	msiexec.exe
File created	C:\Windows\Installer\f76b9d0.msi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe

Executes dropped EXE 2 IoCs

pid	Process
380	ReFB.exe
1420	ReFB.exe

Loads dropped DLL 13 IoCs

pid	Process
380	ReFB.exe
380	ReFB.exe
380	ReFB.exe
380	ReFB.exe
380	ReFB.exe
380	ReFB.exe
380	ReFB.exe
1420	ReFB.exe
1420	ReFB.exe
1420	ReFB.exe
1420	ReFB.exe
1420	ReFB.exe
1420	ReFB.exe

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
2520	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ReFB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ReFB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Modifies data under HKEY_USERS 43 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2412	msiexec.exe
2412	msiexec.exe
380	ReFB.exe
1420	ReFB.exe
1420	ReFB.exe
1888	cmd.exe
1888	cmd.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
1420	ReFB.exe
1888	cmd.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2520	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2520	msiexec.exe
Token: SeRestorePrivilege	2412	msiexec.exe
Token: SeTakeOwnershipPrivilege	2412	msiexec.exe
Token: SeSecurityPrivilege	2412	msiexec.exe
Token: SeCreateTokenPrivilege	2520	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2520	msiexec.exe
Token: SeLockMemoryPrivilege	2520	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2520	msiexec.exe
Token: SeMachineAccountPrivilege	2520	msiexec.exe
Token: SeTcbPrivilege	2520	msiexec.exe
Token: SeSecurityPrivilege	2520	msiexec.exe
Token: SeTakeOwnershipPrivilege	2520	msiexec.exe
Token: SeLoadDriverPrivilege	2520	msiexec.exe
Token: SeSystemProfilePrivilege	2520	msiexec.exe
Token: SeSystemtimePrivilege	2520	msiexec.exe
Token: SeProfSingleProcessPrivilege	2520	msiexec.exe
Token: SeIncBasePriorityPrivilege	2520	msiexec.exe
Token: SeCreatePagefilePrivilege	2520	msiexec.exe
Token: SeCreatePermanentPrivilege	2520	msiexec.exe
Token: SeBackupPrivilege	2520	msiexec.exe
Token: SeRestorePrivilege	2520	msiexec.exe
Token: SeShutdownPrivilege	2520	msiexec.exe
Token: SeDebugPrivilege	2520	msiexec.exe
Token: SeAuditPrivilege	2520	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2520	msiexec.exe
Token: SeChangeNotifyPrivilege	2520	msiexec.exe
Token: SeRemoteShutdownPrivilege	2520	msiexec.exe
Token: SeUndockPrivilege	2520	msiexec.exe
Token: SeSyncAgentPrivilege	2520	msiexec.exe
Token: SeEnableDelegationPrivilege	2520	msiexec.exe
Token: SeManageVolumePrivilege	2520	msiexec.exe
Token: SeImpersonatePrivilege	2520	msiexec.exe
Token: SeCreateGlobalPrivilege	2520	msiexec.exe
Token: SeBackupPrivilege	2964	vssvc.exe
Token: SeRestorePrivilege	2964	vssvc.exe
Token: SeAuditPrivilege	2964	vssvc.exe
Token: SeBackupPrivilege	2412	msiexec.exe
Token: SeRestorePrivilege	2412	msiexec.exe
Token: SeRestorePrivilege	2872	DrvInst.exe
Token: SeRestorePrivilege	2872	DrvInst.exe
Token: SeRestorePrivilege	2872	DrvInst.exe
Token: SeRestorePrivilege	2872	DrvInst.exe
Token: SeRestorePrivilege	2872	DrvInst.exe
Token: SeRestorePrivilege	2872	DrvInst.exe
Token: SeRestorePrivilege	2872	DrvInst.exe
Token: SeLoadDriverPrivilege	2872	DrvInst.exe
Token: SeLoadDriverPrivilege	2872	DrvInst.exe
Token: SeLoadDriverPrivilege	2872	DrvInst.exe
Token: SeRestorePrivilege	2412	msiexec.exe
Token: SeTakeOwnershipPrivilege	2412	msiexec.exe
Token: SeRestorePrivilege	2412	msiexec.exe
Token: SeTakeOwnershipPrivilege	2412	msiexec.exe
Token: SeRestorePrivilege	2412	msiexec.exe
Token: SeTakeOwnershipPrivilege	2412	msiexec.exe
Token: SeRestorePrivilege	2412	msiexec.exe
Token: SeTakeOwnershipPrivilege	2412	msiexec.exe
Token: SeRestorePrivilege	2412	msiexec.exe
Token: SeTakeOwnershipPrivilege	2412	msiexec.exe
Token: SeRestorePrivilege	2412	msiexec.exe
Token: SeTakeOwnershipPrivilege	2412	msiexec.exe
Token: SeRestorePrivilege	2412	msiexec.exe
Token: SeTakeOwnershipPrivilege	2412	msiexec.exe
Token: SeRestorePrivilege	2412	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2520	msiexec.exe
2520	msiexec.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2412 wrote to memory of 380	2412	msiexec.exe	34
PID 2412 wrote to memory of 380	2412	msiexec.exe	34
PID 2412 wrote to memory of 380	2412	msiexec.exe	34
PID 2412 wrote to memory of 380	2412	msiexec.exe	34
PID 380 wrote to memory of 1420	380	ReFB.exe	35
PID 380 wrote to memory of 1420	380	ReFB.exe	35
PID 380 wrote to memory of 1420	380	ReFB.exe	35
PID 380 wrote to memory of 1420	380	ReFB.exe	35
PID 1420 wrote to memory of 1888	1420	ReFB.exe	36
PID 1420 wrote to memory of 1888	1420	ReFB.exe	36
PID 1420 wrote to memory of 1888	1420	ReFB.exe	36
PID 1420 wrote to memory of 1888	1420	ReFB.exe	36
PID 1420 wrote to memory of 1888	1420	ReFB.exe	36
PID 1888 wrote to memory of 3052	1888	cmd.exe	39
PID 1888 wrote to memory of 3052	1888	cmd.exe	39
PID 1888 wrote to memory of 3052	1888	cmd.exe	39
PID 1888 wrote to memory of 3052	1888	cmd.exe	39
PID 1888 wrote to memory of 3052	1888	cmd.exe	39

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Update_1.65.4.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2520

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2412
- C:\Users\Admin\AppData\Local\Forfeiture\ReFB.exe
  "C:\Users\Admin\AppData\Local\Forfeiture\ReFB.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:380
- - C:\Users\Admin\AppData\Roaming\readertask_4\ReFB.exe
    C:\Users\Admin\AppData\Roaming\readertask_4\ReFB.exe
    3⤵
    - Suspicious use of SetThreadContext
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:1420
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\SysWOW64\cmd.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:1888
    - - C:\Windows\SysWOW64\explorer.exe
        
        C:\Windows\SysWOW64\explorer.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3052

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2964

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000598" "00000000000005DC"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f76b9cf.rbs

Filesize
8KB

MD5
aff5509c770fdbfcb6ba903c7fc03850

SHA1
361f5bf647c7e8083b09e593864609a0380cf5bf

SHA256
67e75804c65d882f86525dca861db3c2a2435d048265f5a7a9af6983e12ab87e

SHA512
e485c004205f16ad961267707bc8beb1a138a8c6c9ecf0c1a1ec847d281bf5d0d236df4439116a4634d86c744c1f57c821c08829714b1d0cafd6fa913b2a332a

Download Submit
C:\Users\Admin\AppData\Local\Forfeiture\MSVCP100.dll

Filesize
411KB

MD5
03e9314004f504a14a61c3d364b62f66

SHA1
0aa3caac24fdf9d9d4c618e2bbf0a063036cd55d

SHA256
a3ba6421991241bea9c8334b62c3088f8f131ab906c3cc52113945d05016a35f

SHA512
2fcff4439d2759d93c57d49b24f28ae89b7698e284e76ac65fe2b50bdefc23a8cc3c83891d671de4e4c0f036cef810856de79ac2b028aa89a895bf35abff8c8d

Download Submit
C:\Users\Admin\AppData\Local\Forfeiture\MSVCR100.dll

Filesize
752KB

MD5
67ec459e42d3081dd8fd34356f7cafc1

SHA1
1738050616169d5b17b5adac3ff0370b8c642734

SHA256
1221a09484964a6f38af5e34ee292b9afefccb3dc6e55435fd3aaf7c235d9067

SHA512
9ed1c106df217e0b4e4fbd1f4275486ceba1d8a225d6c7e47b854b0b5e6158135b81be926f51db0ad5c624f9bd1d09282332cf064680dc9f7d287073b9686d33

Download Submit
C:\Users\Admin\AppData\Local\Forfeiture\QtCore4.dll

Filesize
2.5MB

MD5
fecc62a37d37d9759e6b02041728aa23

SHA1
0c5f646caef7a6e9073d58ed698f6cfbfb2883a3

SHA256
94c1395153d7758900979351e633ab68d22ae9b306ef8e253b712a1aab54c805

SHA512
698f90f1248dacbd4bdc49045a4e80972783d9dcec120d187abd08f5ef03224b511f7870320938b7e8be049c243ffb1c450c847429434ef2e2c09288cb9286a6

Download Submit
C:\Users\Admin\AppData\Local\Forfeiture\QtGui4.dll

Filesize
8.2MB

MD5
831ba3a8c9d9916bdf82e07a3e8338cc

SHA1
6c89fd258937427d14d5042736fdfccd0049f042

SHA256
d2c8c8b6cc783e4c00a5ef3365457d776dfc1205a346b676915e39d434f5a52d

SHA512
beda57851e0e3781ece1d0ee53a3f86c52ba99cb045943227b6c8fc1848a452269f2768bf4c661e27ddfbe436df82cfd1de54706d814f81797a13fefec4602c5

Download Submit
C:\Users\Admin\AppData\Local\Forfeiture\QtNetwork4.dll

Filesize
1.0MB

MD5
8a2e025fd3ddd56c8e4f63416e46e2ec

SHA1
5f58feb11e84aa41d5548f5a30fc758221e9dd64

SHA256
52ae07d1d6a467283055a3512d655b6a43a42767024e57279784701206d97003

SHA512
8e3a449163e775dc000e9674bca81ffabc7fecd9278da5a40659620cfc9cc07f50cc29341e74176fe10717b2a12ea3d5148d1ffc906bc809b1cd5c8c59de7ba1

Download Submit
C:\Users\Admin\AppData\Local\Forfeiture\QtWebKit4.dll

Filesize
12.5MB

MD5
e75606f270507c11094945e46a0a87b0

SHA1
cd0b160c96f2124ab2d92847bc80739f813f76e6

SHA256
0148dd8159d46463ad5c5b51dfe23e2cc16b7b08a1c057708f573684c00ddde9

SHA512
ee0cb735ac2cd82cfa524799b172100773996620f1a62d655b5d6a83f2e09034ca233988303660ad2a01d8ac45f456a0e3c41539f6b8b21eccbe043917362ecc

Download Submit
C:\Users\Admin\AppData\Local\Forfeiture\ReFB.exe

Filesize
80KB

MD5
2a8613b7d99903516b8fe02fd820bf52

SHA1
78a96addcb556ab1d490fac80f929305263d06b9

SHA256
f1d68c5e7c7660d4f2ce412c109b7fe3e088872fa0ebe61ca9ab9dd92a496407

SHA512
af0902aeb6169ea507b787da7b61c3533df4610c3f51c1d8f65dfc9008c8ce2580f2d86a49a4d0acc2c51c731f3e4c447d0d1d8e779dc1c75e43d30b79c46436

Download Submit
C:\Users\Admin\AppData\Local\Forfeiture\cataract.css

Filesize
57KB

MD5
d1cc8a9122a2a717629f1a324610336c

SHA1
3329d052b890a577df9f77093a05643e545cb533

SHA256
623bc1dba626d13257b8bd2308dd1a268c5cf7a63d0bc25125045bac40052182

SHA512
a0bba719434f61e44c3055d97a5abcfd8ecb3ac51534d1e8bc1ccb04c29ecae60ee1ef37156d41ef5cc3447d5bda9be5329e17320e09ccd7679c045866054ea9

Download Submit
C:\Users\Admin\AppData\Local\Forfeiture\lollapalooza.m4a

Filesize
775KB

MD5
14116b49d2c306be3a5b16c0bface12e

SHA1
6c6fef088b4710f16d1098697dd9eeaa114bfab2

SHA256
17461e0f93ddf32026931fbfe7717368bcba30e660674b4a96d388e3bd8059cc

SHA512
c92a70bb66b32980ed324eb2848c63566e7d90f1050b2c21197ac0c40d3e4986f529a9455e4ef8c26da35cb89d9533af59ffc323c1b10bb3895b1d11c2f61aed

Download Submit
C:\Users\Admin\AppData\Local\Temp\9e9a350e

Filesize
1014KB

MD5
156765bb4da1c0edf0355fda60e6eca1

SHA1
f5dfe07986998195b27d941a9ad9ed2263c3cade

SHA256
b1f1825f72bc84e5416ee8308d5ce12240e00a3c1587a0c41f8200e5f4ae2e32

SHA512
056a7756fe9157e89613fa8945625df2d0764c566ae5797030f0c424b7950083aab254adb046206fdb9a253053a987e26876304a2cc9f2f6ed16e13852b6a97b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab59F5.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5A07.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\Installer\f76b9cd.msi

Filesize
9.5MB

MD5
d330c09503e6c3d51cd2d3435de0795a

SHA1
5b7bbf5bc80f4b3863c263d1aed620faa4612c9d

SHA256
fbccc8952710a8a50655f4fe3a880c8373411b7ec40e54aabd7eaff3f1d0137b

SHA512
ed3abd52e47d36ca3637dbf3d738d6509049162dd3f084dc7b9c286f517be815c6825df2c1070f36ac4e4445e62919c44a37793fc4bc0761076608340c35610e

Download Submit
memory/380-47-0x0000000077940000-0x0000000077AE9000-memory.dmp

Filesize
1.7MB

Download
memory/380-46-0x0000000074280000-0x00000000743F4000-memory.dmp

Filesize
1.5MB

Download
memory/1420-78-0x0000000074270000-0x00000000743E4000-memory.dmp

Filesize
1.5MB

Download
memory/1420-77-0x0000000077940000-0x0000000077AE9000-memory.dmp

Filesize
1.7MB

Download
memory/1420-76-0x0000000074270000-0x00000000743E4000-memory.dmp

Filesize
1.5MB

Download
memory/1888-81-0x0000000077940000-0x0000000077AE9000-memory.dmp

Filesize
1.7MB

Download
memory/1888-82-0x0000000074270000-0x00000000743E4000-memory.dmp

Filesize
1.5MB

Download
memory/3052-84-0x0000000077940000-0x0000000077AE9000-memory.dmp

Filesize
1.7MB

Download
memory/3052-85-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3052-86-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download