lumma | 1afe857d1b5f2c0ff48ebbd2f32abf11f9b310416b1273e77adc7ee37f001ff8

Analysis

max time kernel
150s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
07-01-2024 18:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Samples 1/3f3c3378e66bb67a7d1c45784e1d297a086abfd7591268e65d90ad10bd12d1c7.exe
Size

8.3MB
MD5

a2d3e4fd65182c4ca56f1ec78131acc5
SHA1

baab9ae70a2df25c3692886fe031e8d26080aeb7
SHA256

3f3c3378e66bb67a7d1c45784e1d297a086abfd7591268e65d90ad10bd12d1c7
SHA512

31726ede8167e38cf71d17107098bbf806294fb2f1c64da237f583691e2e6d35f293130c8e1ccea37fbe9af07cbd2f71379a902cc7c3e0cd80c7c0e65c5e6357
SSDEEP

196608:ErV67DFXZM2t60xR4UbC1m94O9A9ddFq/gnR:EkFXt/RbbCY9B9AfmYR

Score

10^/10

lumma stealer

Malware Config

Signatures

Detect Lumma Stealer payload V4 1 IoCs

Processes:

resource	yara_rule
behavioral24/memory/4968-328-0x0000000000E80000-0x0000000000F0E000-memory.dmp	family_lumma_v4

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

_is56DA.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation _is56DA.exe
Executes dropped EXE 3 IoCs

Processes:

_is56DA.exevmtoolsd.exevmtoolsd.exe

pid process

4648 _is56DA.exe
452 vmtoolsd.exe
4696 vmtoolsd.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	_is56DA.exe

Loads dropped DLL 16 IoCs

Processes:

_is56DA.exevmtoolsd.exevmtoolsd.exeComSecure.exe

pid	process
4648	_is56DA.exe
452	vmtoolsd.exe
452	vmtoolsd.exe
452	vmtoolsd.exe
452	vmtoolsd.exe
452	vmtoolsd.exe
452	vmtoolsd.exe
452	vmtoolsd.exe
4696	vmtoolsd.exe
4696	vmtoolsd.exe
4696	vmtoolsd.exe
4696	vmtoolsd.exe
4696	vmtoolsd.exe
4696	vmtoolsd.exe
4696	vmtoolsd.exe
4968	ComSecure.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

vmtoolsd.execmd.exe

description	pid	process	target process
PID 4696 set thread context of 4812	4696	vmtoolsd.exe	cmd.exe
PID 4812 set thread context of 4968	4812	cmd.exe	ComSecure.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

vmtoolsd.execmd.exe

pid process

4696 vmtoolsd.exe
4812 cmd.exe
4812 cmd.exe
Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

vmtoolsd.execmd.exe

pid process

4696 vmtoolsd.exe
4812 cmd.exe
4812 cmd.exe

pid	process
4696	vmtoolsd.exe
4812	cmd.exe
4812	cmd.exe

pid	process
4696	vmtoolsd.exe
4812	cmd.exe
4812	cmd.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

3f3c3378e66bb67a7d1c45784e1d297a086abfd7591268e65d90ad10bd12d1c7.exe_is56DA.exevmtoolsd.exevmtoolsd.execmd.exe

description	pid	process	target process
PID 4732 wrote to memory of 4648	4732	3f3c3378e66bb67a7d1c45784e1d297a086abfd7591268e65d90ad10bd12d1c7.exe	_is56DA.exe
PID 4732 wrote to memory of 4648	4732	3f3c3378e66bb67a7d1c45784e1d297a086abfd7591268e65d90ad10bd12d1c7.exe	_is56DA.exe
PID 4732 wrote to memory of 4648	4732	3f3c3378e66bb67a7d1c45784e1d297a086abfd7591268e65d90ad10bd12d1c7.exe	_is56DA.exe
PID 4648 wrote to memory of 452	4648	_is56DA.exe	vmtoolsd.exe
PID 4648 wrote to memory of 452	4648	_is56DA.exe	vmtoolsd.exe
PID 4648 wrote to memory of 452	4648	_is56DA.exe	vmtoolsd.exe
PID 452 wrote to memory of 4696	452	vmtoolsd.exe	vmtoolsd.exe
PID 452 wrote to memory of 4696	452	vmtoolsd.exe	vmtoolsd.exe
PID 452 wrote to memory of 4696	452	vmtoolsd.exe	vmtoolsd.exe
PID 4648 wrote to memory of 3048	4648	_is56DA.exe	cmd.exe
PID 4648 wrote to memory of 3048	4648	_is56DA.exe	cmd.exe
PID 4648 wrote to memory of 3048	4648	_is56DA.exe	cmd.exe
PID 4696 wrote to memory of 4812	4696	vmtoolsd.exe	cmd.exe
PID 4696 wrote to memory of 4812	4696	vmtoolsd.exe	cmd.exe
PID 4696 wrote to memory of 4812	4696	vmtoolsd.exe	cmd.exe
PID 4696 wrote to memory of 4812	4696	vmtoolsd.exe	cmd.exe
PID 4812 wrote to memory of 4968	4812	cmd.exe	ComSecure.exe
PID 4812 wrote to memory of 4968	4812	cmd.exe	ComSecure.exe
PID 4812 wrote to memory of 4968	4812	cmd.exe	ComSecure.exe
PID 4812 wrote to memory of 4968	4812	cmd.exe	ComSecure.exe
PID 4812 wrote to memory of 4968	4812	cmd.exe	ComSecure.exe

C:\Users\Admin\AppData\Local\Temp\Samples 1\3f3c3378e66bb67a7d1c45784e1d297a086abfd7591268e65d90ad10bd12d1c7.exe
"C:\Users\Admin\AppData\Local\Temp\Samples 1\3f3c3378e66bb67a7d1c45784e1d297a086abfd7591268e65d90ad10bd12d1c7.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4732

C:\Users\Admin\AppData\Local\Temp\{582CFCF0-EAD0-4852-B547-3344E0CDE758}\_is56DA.exe
"C:\Users\Admin\AppData\Local\Temp\{582CFCF0-EAD0-4852-B547-3344E0CDE758}\_is56DA.exe" -IS_temp ORIGINALSETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp\Samples 1" ORIGINALSETUPEXENAME="3f3c3378e66bb67a7d1c45784e1d297a086abfd7591268e65d90ad10bd12d1c7.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4648

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\{582CFCF0-EAD0-4852-B547-3344E0CDE758}\_is56DA.exe"
3⤵
PID:3048

C:\Users\Admin\AppData\Local\Temp\{3C928975-865F-4DC6-B20D-EA6E201124E2}\SRI Java\vmtoolsd.exe
"C:\Users\Admin\AppData\Local\Temp\{3C928975-865F-4DC6-B20D-EA6E201124E2}\SRI Java\vmtoolsd.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:452

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4812

C:\Users\Admin\AppData\Local\Temp\ComSecure.exe
C:\Users\Admin\AppData\Local\Temp\ComSecure.exe
2⤵
- Loads dropped DLL
PID:4968

C:\Users\Admin\AppData\Roaming\FWPUCLNT\vmtoolsd.exe
"C:\Users\Admin\AppData\Roaming\FWPUCLNT\vmtoolsd.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4696

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ComSecure.exe
Filesize
134KB

MD5
7fc4562eb0ce9a9bd5e7a4523c60bdc3

SHA1
c3630fc5748ed826206863c9598523e05a93b077

SHA256
cabe256289e00e9079deb943ff1330b8063397152d0d4ff1433c84097693d232

SHA512
745d51c96fe3ad77f8942ad343e05706d831f0e300f3b26ee9c4446b6f423b95a52d295932457921bb52ae3065dea192aa66ea12b599cbec08171863effebb12

Download Submit
C:\Users\Admin\AppData\Local\Temp\c06f5899
Filesize
26KB

MD5
d779679ea9575e739950aea152718f0f

SHA1
bee39642640400ee499303f1ddddfe161a5a6fa6

SHA256
5dc69a59b1807002b4d0123f97a66893f7fc9e3503f9360976d8b640faad417a

SHA512
d6fd15bbd8b59c839a7a6c349318ec5cfb370f8445b24a34a1e4d652fc81a9b47afd97b415c14f783e96dfe9d17343210f45c3cd303c72233628a9a2d40a8573

Download Submit
C:\Users\Admin\AppData\Local\Temp\{3C928975-865F-4DC6-B20D-EA6E201124E2}\ISLogoSmall.png
Filesize
1KB

MD5
0de9d9bd4ae583015157d5d3bc77801f

SHA1
6201c31badab2c50fd0c619704622e0e0cad9f5e

SHA256
3039e1e23afc42bd3c07a8f4b65fb5d0377ca70f9f4ffb6fd7e7f33d82d837d1

SHA512
b393ad1dadb60723b6032c0dc6cb9c50709b516c5f5d414b788e79b944e8a4c988c2425798f4a9b8bd05bc6d18f37cb3fba55ce93228e13d38e974eb18ee3ba2

Download Submit
C:\Users\Admin\AppData\Local\Temp\{3C928975-865F-4DC6-B20D-EA6E201124E2}\SRI Java\area.app
Filesize
64KB

MD5
45b8977fd6aa3e4d87ff6cffcff94f34

SHA1
6e95d51c68f22fd669d23c0d0aaa1ffa52b5d7e5

SHA256
b434b8f473adc4f39dfa7aa09d5dbb98f766cc813f1c54bed3932bf610dc7a0e

SHA512
4e7c335c91a2c5a3e17c5fda17c4d91462c40b649500f83bbb6905bd5c3d297e0ed68f174b51216be73e2934be1276d1b2bcc40444202179f4b793a188e89e98

Download Submit
C:\Users\Admin\AppData\Local\Temp\{3C928975-865F-4DC6-B20D-EA6E201124E2}\SRI Java\glib-2.0.dll
Filesize
266KB

MD5
172591aa73e8ed7722ef023ecffac515

SHA1
94bb74705c1386d59ea8a33e14d013df6cf14717

SHA256
4475848926b6b909fbfeb5e698bd101a8498ec9a0ca0aa62a438bcf5ac485278

SHA512
b9173fdc1978a7b3650db8f4bbdfb654b45231a638df1b7e835612730fa42e26ec4822f24d0900ae8bf56e7f0f3ce2148433e2311b61f6662ad93e804a82f654

Download Submit
C:\Users\Admin\AppData\Local\Temp\{3C928975-865F-4DC6-B20D-EA6E201124E2}\SRI Java\glib-2.0.dll
Filesize
325KB

MD5
407fbd6bbdd735d1bc5212362b5b9c74

SHA1
4b2a4c22307235fc8b957e48cbb61850a2ea9c96

SHA256
8ddb1ae0e6ee31a9e941e44eefe3783c56c18f24d9f1277647ef2576da5c6833

SHA512
b4217fbbcd8a56bab9d1b9505cc663ccc7cadc350be5b9da7cfd341293cf807c1cfdb671aa04240475d16e4dbca0cf7407f1d88c88f2755ebc43d904907793c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\{3C928975-865F-4DC6-B20D-EA6E201124E2}\SRI Java\gobject-2.0.dll
Filesize
153KB

MD5
17d2b62116bc320b3a22d239596c01ea

SHA1
a233311a5d725bc6ad6f7d39b59402bac0010596

SHA256
19e5348535f840fce1508bd4853e04871a207bd0f17d904e08b778e95d449f3e

SHA512
72333ca6fef2a34e94857406746528210bbf610ab8378744c2a986df63e8f7034f8975e533a62ec978cf359dfc2105920bd9aaedbffea80db0e198838dcac1d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\{3C928975-865F-4DC6-B20D-EA6E201124E2}\SRI Java\gobject-2.0.dll
Filesize
92KB

MD5
a707adf6b7dbefc32e3e16ff089b4630

SHA1
62d584af06156db9c26094df5809be4de91a16ca

SHA256
effb582ceb8c0e44a5fd13c826fea81acff6c5c9ab54c741c145746a81131741

SHA512
44fc34c1bfce5c512c1e4be9236dc955f6950a308055181f36cd2c710f83072ea8011161a4ad76e9a5831ebed77807f9ce96d832608c51cbd2368add521da2b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\{3C928975-865F-4DC6-B20D-EA6E201124E2}\SRI Java\iconv.dll
Filesize
38KB

MD5
7af81eb53aa6aa96183c39be61badd9b

SHA1
f6ff95267125ba5084cd7ab1c4793cf5137e9503

SHA256
dd21c9dc07adc0b24aa13d51931e9f4a173280a939a990464835d7e02c06a60b

SHA512
6f7f7a9160fadcf6f75306df492b2557cb7947ae689bb51e72e3f88205b5d403e129f2b17ca983547f1abc2ef028c468e3244bca4b59818d67dec4e9de9f0a2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\{3C928975-865F-4DC6-B20D-EA6E201124E2}\SRI Java\iconv.dll
Filesize
37KB

MD5
6f855cedf221125ad0265cef8dc3efb0

SHA1
bf58bdd5ed5c67e3ceafa0ddac65fcc4417c7220

SHA256
2b734809b52cf1e0abbb3139ca87b4c9119212ef7296e30ce5af36987939eb29

SHA512
10593833cdcfdb882d404ec6473f1f4c6032948c1576a35e9e1be8c6d5721e6c54da8d9f53b108272d4799f62af0a4eda4928c7185e9fd8883966cb1cceb5ca0

Download Submit
C:\Users\Admin\AppData\Local\Temp\{3C928975-865F-4DC6-B20D-EA6E201124E2}\SRI Java\vmtools.dll
Filesize
141KB

MD5
ef64a312ff5180b5352026e993eadfca

SHA1
d6d86565952c9db4d1b9bf7c98e64e7df5dc4a39

SHA256
c2b1d2ff16fe4aed25053916748d752304e13bf93cc6cf262dbb1ca393b4b891

SHA512
5333f5639136eb48a8820119544189958873dbed988009d7c77385d55104fcf41150a27fa4c71fa46c7817b1bd66410051bb85c7aac5d04fc04575ede17044c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\{3C928975-865F-4DC6-B20D-EA6E201124E2}\SRI Java\vmtools.dll
Filesize
205KB

MD5
84292f0dc3b2247c0a9a8d149da4a184

SHA1
dfb65709b56cd2777bdf5e4ec6928ce691df2d21

SHA256
6e0c0ee0ba6656df27907e8a0a96f16385302886a435b88fe041c4225e498872

SHA512
b63c913a2791d98e408e02c29d873047b5269d4094063433d9d3e697e44fc78c6c5c76c7ca252d357b529a35fdb2a673f0138afc090e929574a2f86a56e8f5c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\{3C928975-865F-4DC6-B20D-EA6E201124E2}\SRI Java\vmtoolsd.exe
Filesize
63KB

MD5
ae224c5e196ff381836c9e95deebb7d5

SHA1
910446a2a0f4e53307b6fdeb1a3e236c929e2ef4

SHA256
bf933ccf86c55fc328e343b55dbf2e8ebd528e8a0a54f8f659cd0d4b4f261f26

SHA512
f845dbb13b04f76b6823bec48e1c47f96bcbd6d02a834c8b128ac750fe338b53f775ee2a8784e8c443d49dfcb918c5b9d59b5492a1fe18743b8ba65b7d12514c

Download Submit
C:\Users\Admin\AppData\Local\Temp\{3C928975-865F-4DC6-B20D-EA6E201124E2}\SRI Java\vmtoolsd.exe
Filesize
42KB

MD5
4a4ffa3f1974ae1f34e13d80e2df829c

SHA1
72ca381b9d512a25a47e879bca022cf6529149b1

SHA256
2a70f19623f3886cc4b2c9c4ac4e64069d62a6a98a368b04753464b700431832

SHA512
23c6ca70bfda73cf717914c5226b4fc3c142fafba5b7b857c30484baf1acf6fdcdc9e71cedc83da80f460603377e012c371bf60c43aa812955593779b08e4c2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{3C928975-865F-4DC6-B20D-EA6E201124E2}\Setup_UI.dll
Filesize
219KB

MD5
0643693a58e95f7bb289b9b9feb89780

SHA1
ef3605cab520a9d7038c6f0b9de691f91c0d5439

SHA256
45bb8566a284fefda1521487d4a1d1cf510257fa9a6a47506f5f93cb3d568429

SHA512
b1816832b5393810fffcaf02236618a565159fa03b87c44ba00e0752446b4c81a1c52a580c350f76320478171fc8e54de320697654f9f7e96b2738069444bd16

Download Submit
C:\Users\Admin\AppData\Local\Temp\{582CFCF0-EAD0-4852-B547-3344E0CDE758}\SuiteSetup.ini
Filesize
127B

MD5
e45a9bc0a5f9a8334ddc22c1d6f2a182

SHA1
8251edf84a83f435907d9f54626b95882fc85de4

SHA256
c32b270d5d13fd5ea5616834517bc1591c4a5f8a392bed3dc7d70f3fbf79b75f

SHA512
a7a93b5e17226c9abb1e2005cdd2e54cea616f691f525bfb438509c616ca1f4f8179fc34cb31fad74fc8268895bd61b793618d05724b0d3a2e7f2b3a95df900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{582CFCF0-EAD0-4852-B547-3344E0CDE758}\_is56DA.exe
Filesize
230KB

MD5
93096371073fe673a13e1e498d714bec

SHA1
4f3df7cd3281a6e9d19a3aa18eb88a1332442e3c

SHA256
82efb76a91846218cb0713901bcf54b20b32ec10ef152545578368e2adb4b658

SHA512
6656624f509febc1fb86c74dd2a0632eadf3470345e07e3ce9cd9f6ab483e81f4756149b6763a1e26e302d313c9fcb1d0e096631fc6e6d9f9d791836c39f00a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\{582CFCF0-EAD0-4852-B547-3344E0CDE758}\_is56DA.exe
Filesize
402KB

MD5
d3ce8e9ce8e2642090ff4aaf400a1dff

SHA1
475387eb6fe66e74f86b7b11f54be2ce46582ffd

SHA256
995b767140f71a21f2c2bc20a20deaaa430f0ba7dfc0678f5f9ec852ffcb7b7f

SHA512
18fc16b2b2392240a27ff2424f961a8f80e9d8dd25d3b18a186f854bde7bd999616fa10aee5000145a0cc2414e3b75550d4a2d5961e5426c49ab45a3141009e9

Download Submit
C:\Users\Admin\AppData\Roaming\FWPUCLNT\area.app
Filesize
164KB

MD5
6d4bf613ed021d23d92275140a5ecba5

SHA1
b277ab880560232841cb45d943fc5ec238e6c8c3

SHA256
d85eef20e0d8d3272c9f405a98d8a2192f0329ead950c5da41e8953f022b12de

SHA512
27c55e2e54b6e1b949a96068c30a514b081c81b47c8aa79c75693bfb0f268b3d1b428366cdd07987a3d8239759ae36c7f8d0676842293be724714b6a3cf8c751

Download Submit
C:\Users\Admin\AppData\Roaming\FWPUCLNT\glib-2.0.dll
Filesize
148KB

MD5
e86927581bb5f8fe794ad7e22c2e4612

SHA1
c1478fbf363cc12e897a583cd362d62026e4603f

SHA256
5f5b6303284f355e87bad75f537fadd41d5188955a207eb15f34a72dd6c071f1

SHA512
83ba76430dcd09bd0964cdd85a7124b81b13cf4b70407120955b96240b990b51887347c897f8ce8f95462ae669be4d6a53020979713c2382bc37ca61111806a6

Download Submit
C:\Users\Admin\AppData\Roaming\FWPUCLNT\glib-2.0.dll
Filesize
101KB

MD5
b1588fe175315e213954ad9b17704fdc

SHA1
29ffdd65ce8fa2ac91514b2fe5f3969d16ab333b

SHA256
6f16884a37ee02c58ba94a2f51a2ad4ac3526a5cbf6c0f66ec770add885d22c3

SHA512
317850803c2dea8bf53a09e2ea509d0b014c40d028fb504c24337b29063fd6deb3e9aae886bd4c83cdbfa09338bb4627e7562cacc3be20aac52334779ecd365a

Download Submit
C:\Users\Admin\AppData\Roaming\FWPUCLNT\gmodule-2.0.dll
Filesize
24KB

MD5
b0a421b1534f3194132ec091780472d8

SHA1
699b1edc2cb19a48999a52a62a57ffc0f48f1a78

SHA256
2d6bc34b38bc0abf0c5e2f40e2513b4df47af57848534e011a76d4e974ad958b

SHA512
ba74654843c5b0f94dfefbed81cbee4c5f360193ef8ea92836c712fbeada39fa8179a51f0849f6c4be23add1ced08f5e25f873c4b0e7533ae647fa2b19b83f98

Download Submit
C:\Users\Admin\AppData\Roaming\FWPUCLNT\gobject-2.0.dll
Filesize
198KB

MD5
4c0f34c6517a9257f449beeb261f3db2

SHA1
d8adbc42854f3b53359ba7e09ba2ba6fff29287f

SHA256
c0da0a6bb989c933fa108a844aab82bf815edb385ae9c1dd45f638cc78689b16

SHA512
14db914c281e63f441b7fb4a2297d419027c4677fbe945b958a666f71240d339abecd99109991ac5525a855e3f85e0778cadd52c629861791a00612a35e7e959

Download Submit
C:\Users\Admin\AppData\Roaming\FWPUCLNT\gobject-2.0.dll
Filesize
57KB

MD5
63f90d6ce41cd0465fde20a4777bb473

SHA1
139f229d6b430b36956cdbf4eb37a79769769aa3

SHA256
ac427f0161a32f3de8000bab798fe7c5cf8deb29ad21ec8f9b27014549435b61

SHA512
778985cf62000def5210765efb0f6a67eb0d29d574f19a71ae66b9095c3feeb5631d66956a6f65a7cb367d4ed820135d5ae62075b48e9ec32ae59d2dbd15e082

Download Submit
C:\Users\Admin\AppData\Roaming\FWPUCLNT\gthread-2.0.dll
Filesize
31KB

MD5
78cf6611f6928a64b03a57fe218c3cd4

SHA1
c3f167e719aa944af2e80941ac629d39cec22308

SHA256
dbaad965702b89c371462e735dd925c694eda8d8557b280f7264bba992c0e698

SHA512
5caf019a6b75ba0330b8d0b60d362201d4863c0f3d70d2a9c84b6dbea2027d09bc8a6433820f28a41d126c7aaa13dbe126b38dc5c6d14a67ddef402fed9d9b7c

Download Submit
C:\Users\Admin\AppData\Roaming\FWPUCLNT\iconv.dll
Filesize
117KB

MD5
d3097bda95e3dad8fc9fa6451c6b5c5a

SHA1
a97b85bceed3633ed484a8f352a7d73f589888a8

SHA256
0a23d4eec5be5b83bfbdfd9697a92c7a0b3f32103f4c4b0391723c2eba4d96e7

SHA512
78205f7c75e5a5dc9a09f42cd24d97da382310fef4e3d0fd37825cd88f1439e16841872b17c2396b42e98f53abfa03ef2d8bf6ebea9460b2b6f2f00a7ebe14a1

Download Submit
C:\Users\Admin\AppData\Roaming\FWPUCLNT\iconv.dll
Filesize
213KB

MD5
44f4a3dc1338ef0476f8113a3e8eda92

SHA1
5ac5496063e4dc57c5e1c2e066ea1265ea140180

SHA256
d57dbf594591bdde47c016e8d14d22b8b759ef6f04b11fba2e4e53b293033d25

SHA512
e3c78b0b3206529544447bb61bf6a2e612811234c65e49bfc35b22491bfbbf9ca137af1a0332a2e2e0f2abddaa0fbb553467eb1339d0a5432f27ce93d2ef6a74

Download Submit
C:\Users\Admin\AppData\Roaming\FWPUCLNT\intl.dll
Filesize
87KB

MD5
d1a21e38593fddba8e51ed6bf7acf404

SHA1
759f16325f0920933ac977909b7fe261e0e129e6

SHA256
6a64c9cb0904ed48ce0d5cda137fcfd6dd463d84681436ca647b195aa2038a7e

SHA512
3f4390603cd68d949eb938c1599503fb1cbb1b8250638e0985fad2f40f08d5e45ea4a8c149e44a50c6aa9077054387c48f71b53bf06b713ca1e73a3d5a6a6c2e

Download Submit
C:\Users\Admin\AppData\Roaming\FWPUCLNT\vmtools.dll
Filesize
227KB

MD5
e4391db853ee5d2c87a90a862f66ed92

SHA1
0a7b95b5e313fb485d51e7caabfa9d996075a24a

SHA256
cef5c4a2cfc02618353ebb8fe488531d28159ee69705b82110e25db346bf8200

SHA512
f313b96e69b7dd1b480d970a315357aa07316c6134ca715753652b66313722fddd77d115486828051d63b375dbcdb5be2478913dfccb2adb437d0ff22ddbadbe

Download Submit
C:\Users\Admin\AppData\Roaming\FWPUCLNT\vmtools.dll
Filesize
43KB

MD5
3152d5891fc0215f8af5b09b8989a23d

SHA1
a8e47b7d0f604c532cc58021a11c5c39a5d54658

SHA256
9681ce1a4287be30ee3e5331a9557fbda64ffbaecc7a70a844011c6806b69079

SHA512
5d9088e4cc293c86e6bce6debd6c7eb3832a2e4798adb64ec4dad1ed47bf18e4eca7dc6da785924e50ca0863b984a99cddd5d2f425efcb0b906d7e0474b5cbaf

Download Submit
memory/452-127-0x00000000727E0000-0x000000007295B000-memory.dmp

Filesize
1.5MB

Download
memory/4696-311-0x0000000073CC0000-0x0000000073E3B000-memory.dmp

Filesize
1.5MB

Download
memory/4696-251-0x0000000073CC0000-0x0000000073E3B000-memory.dmp

Filesize
1.5MB

Download
memory/4696-310-0x0000000073CC0000-0x0000000073E3B000-memory.dmp

Filesize
1.5MB

Download
memory/4812-313-0x0000000073CC0000-0x0000000073E3B000-memory.dmp

Filesize
1.5MB

Download
memory/4812-315-0x00007FFD3E050000-0x00007FFD3E245000-memory.dmp

Filesize
2.0MB

Download
memory/4812-319-0x0000000073CC0000-0x0000000073E3B000-memory.dmp

Filesize
1.5MB

Download
memory/4812-317-0x0000000073CC0000-0x0000000073E3B000-memory.dmp

Filesize
1.5MB

Download
memory/4812-322-0x0000000073CC0000-0x0000000073E3B000-memory.dmp

Filesize
1.5MB

Download
memory/4968-321-0x0000000072A60000-0x0000000073CB4000-memory.dmp

Filesize
18.3MB

Download
memory/4968-326-0x00007FFD3E050000-0x00007FFD3E245000-memory.dmp

Filesize
2.0MB

Download
memory/4968-328-0x0000000000E80000-0x0000000000F0E000-memory.dmp

Filesize
568KB

Download