lumma | 7a611f7ede6f64d7deafdf2510ea740cf615ab0cd3d709cf17476c43a3b8aaee

Analysis

max time kernel
98s
max time network
145s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
26-11-2024 23:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1.msi
Size

18.5MB
MD5

b4a8e2c2930ce08543812fc93d52c623
SHA1

46bd2b41d3f0d3d0ee4edbad3765534b9f8a4aa5
SHA256

7a611f7ede6f64d7deafdf2510ea740cf615ab0cd3d709cf17476c43a3b8aaee
SHA512

a689155826b93302649934648550e8c8a9a9a117cf72959ec153f8d5a443c14190f06a48b8e8ab0041c78e1d14c15a5859805e2eb955b7ac21c94814c33dd491
SSDEEP

393216:4/rBfNTzWDFhDxzDreUUrHhRVR6+U4BttD/HVQ20vngRTJVBaOlVcv+:urBf1WdLetDtR6IttD1QBSB7ry

Score

10^/10

lumma discovery evasion persistence privilege_escalation stealer

Malware Config

Extracted

Family

lumma

https://bitte-grane.cyou/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

SynthFont2.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	SynthFont2.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

SynthFont2.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Software\Wine	SynthFont2.exe

Blocklisted process makes network request 1 IoCs

Processes:

msiexec.exe

flow	pid	Process
4	1452	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	Process
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe

Drops file in Windows directory 8 IoCs

Processes:

msiexec.exe

description	ioc	Process
File created	C:\Windows\Installer\e57e6a9.msi	msiexec.exe
File created	C:\Windows\Installer\e57e6a7.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57e6a7.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{62CE5C99-B708-4933-B9B9-2FFDE041F5E7}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE83D.tmp	msiexec.exe

Executes dropped EXE 1 IoCs

Processes:

SynthFont2.exe

pid	Process
4752	SynthFont2.exe

Loads dropped DLL 4 IoCs

Processes:

SynthFont2.exe

pid	Process
4752	SynthFont2.exe
4752	SynthFont2.exe
4752	SynthFont2.exe
4752	SynthFont2.exe

Embeds OpenSSL 1 IoCs

Embeds OpenSSL, may be used to circumvent TLS interception.

Processes:

resource	yara_rule
behavioral1/files/0x0028000000045175-55.dat	embeds_openssl

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

Processes:

msiexec.exe

pid	Process
1452	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

SynthFont2.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SynthFont2.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000719b916909da5b040000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000719b91690000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900719b9169000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d719b9169000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000719b916900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Modifies registry class 1 IoCs

Processes:

SynthFont2.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	SynthFont2.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

msiexec.exe

pid	Process
1724	msiexec.exe
1724	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exesrtasks.exe

description	pid	Process
Token: SeShutdownPrivilege	1452	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1452	msiexec.exe
Token: SeSecurityPrivilege	1724	msiexec.exe
Token: SeCreateTokenPrivilege	1452	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1452	msiexec.exe
Token: SeLockMemoryPrivilege	1452	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1452	msiexec.exe
Token: SeMachineAccountPrivilege	1452	msiexec.exe
Token: SeTcbPrivilege	1452	msiexec.exe
Token: SeSecurityPrivilege	1452	msiexec.exe
Token: SeTakeOwnershipPrivilege	1452	msiexec.exe
Token: SeLoadDriverPrivilege	1452	msiexec.exe
Token: SeSystemProfilePrivilege	1452	msiexec.exe
Token: SeSystemtimePrivilege	1452	msiexec.exe
Token: SeProfSingleProcessPrivilege	1452	msiexec.exe
Token: SeIncBasePriorityPrivilege	1452	msiexec.exe
Token: SeCreatePagefilePrivilege	1452	msiexec.exe
Token: SeCreatePermanentPrivilege	1452	msiexec.exe
Token: SeBackupPrivilege	1452	msiexec.exe
Token: SeRestorePrivilege	1452	msiexec.exe
Token: SeShutdownPrivilege	1452	msiexec.exe
Token: SeDebugPrivilege	1452	msiexec.exe
Token: SeAuditPrivilege	1452	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1452	msiexec.exe
Token: SeChangeNotifyPrivilege	1452	msiexec.exe
Token: SeRemoteShutdownPrivilege	1452	msiexec.exe
Token: SeUndockPrivilege	1452	msiexec.exe
Token: SeSyncAgentPrivilege	1452	msiexec.exe
Token: SeEnableDelegationPrivilege	1452	msiexec.exe
Token: SeManageVolumePrivilege	1452	msiexec.exe
Token: SeImpersonatePrivilege	1452	msiexec.exe
Token: SeCreateGlobalPrivilege	1452	msiexec.exe
Token: SeBackupPrivilege	4888	vssvc.exe
Token: SeRestorePrivilege	4888	vssvc.exe
Token: SeAuditPrivilege	4888	vssvc.exe
Token: SeBackupPrivilege	1724	msiexec.exe
Token: SeRestorePrivilege	1724	msiexec.exe
Token: SeRestorePrivilege	1724	msiexec.exe
Token: SeTakeOwnershipPrivilege	1724	msiexec.exe
Token: SeRestorePrivilege	1724	msiexec.exe
Token: SeTakeOwnershipPrivilege	1724	msiexec.exe
Token: SeBackupPrivilege	3420	srtasks.exe
Token: SeRestorePrivilege	3420	srtasks.exe
Token: SeSecurityPrivilege	3420	srtasks.exe
Token: SeTakeOwnershipPrivilege	3420	srtasks.exe
Token: SeBackupPrivilege	3420	srtasks.exe
Token: SeRestorePrivilege	3420	srtasks.exe
Token: SeSecurityPrivilege	3420	srtasks.exe
Token: SeTakeOwnershipPrivilege	3420	srtasks.exe
Token: SeRestorePrivilege	1724	msiexec.exe
Token: SeTakeOwnershipPrivilege	1724	msiexec.exe
Token: SeRestorePrivilege	1724	msiexec.exe
Token: SeTakeOwnershipPrivilege	1724	msiexec.exe
Token: SeRestorePrivilege	1724	msiexec.exe
Token: SeTakeOwnershipPrivilege	1724	msiexec.exe
Token: SeRestorePrivilege	1724	msiexec.exe
Token: SeTakeOwnershipPrivilege	1724	msiexec.exe
Token: SeRestorePrivilege	1724	msiexec.exe
Token: SeTakeOwnershipPrivilege	1724	msiexec.exe
Token: SeRestorePrivilege	1724	msiexec.exe
Token: SeTakeOwnershipPrivilege	1724	msiexec.exe
Token: SeRestorePrivilege	1724	msiexec.exe
Token: SeTakeOwnershipPrivilege	1724	msiexec.exe
Token: SeRestorePrivilege	1724	msiexec.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

msiexec.exeSynthFont2.exe

pid	Process
1452	msiexec.exe
1452	msiexec.exe
4752	SynthFont2.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

SynthFont2.exe

pid	Process
4752	SynthFont2.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

msiexec.exe

description	pid	Process	procid_target
PID 1724 wrote to memory of 3420	1724	msiexec.exe	92
PID 1724 wrote to memory of 3420	1724	msiexec.exe	92
PID 1724 wrote to memory of 4752	1724	msiexec.exe	94
PID 1724 wrote to memory of 4752	1724	msiexec.exe	94
PID 1724 wrote to memory of 4752	1724	msiexec.exe	94

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\1.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1452

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1724
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:4
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3420
- C:\Users\Admin\AppData\Local\Programs\EasyDuplicateFinder\SynthFont2.exe
  "C:\Users\Admin\AppData\Local\Programs\EasyDuplicateFinder\SynthFont2.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Identifies Wine through registry keys
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:4752

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57e6a8.rbs

Filesize
12KB

MD5
12f0d87f9b00d6e333e879aed3f32c3a

SHA1
62f624a6dbc737e69d170806b365b5138f4b4b44

SHA256
516fc8783445080ffedc5f80275ed0f8ca016096348f009e5816320a7cb62b74

SHA512
8e11a57204a993ef26b7a9af01dc6f13cb43a86aa3c13d2e53d1ea2605e88b93fee8a8058b0917377230c5d6a583f64d429fdc8655bd0482eadffac6a77a1849

Download Submit
C:\Users\Admin\AppData\Local\Programs\EasyDuplicateFinder\3DGlue10-32.dll

Filesize
612KB

MD5
642c48d582bd0595fd8ab9bdc9e8a01f

SHA1
277744685ca3d504e5a7f05d1fb208112e8f4932

SHA256
677777a3557c2c25273764073ac6317d2d56249d55747549ce8f91c12f794ab1

SHA512
585d0b8f29c090353f6f8979b377ce1ec2b78bf52f770bde1a4016805bfd89f3f1300d4e5ed57008a2344258a858ba0211b8b7ecaf1cb63c8c0404a4d2210687

Download Submit
C:\Users\Admin\AppData\Local\Programs\EasyDuplicateFinder\Plan.dat

Filesize
328KB

MD5
ffcf9875af4edf49030bfec6f4670d67

SHA1
b33e84e793585e25371ecf1a8fc8d0092cc36ab0

SHA256
40422ab8d750122bf3435636d5817c3b0468d0a876b5d569ef34070c42d4c7c1

SHA512
4c7d111285eb2152281e86c9f29002aaf4e0539fc391703d8ba61b86638d6c468f54a13a613cba1ced98198a263f0a5b95c55802df277e0b6976beab9b412758

Download Submit
C:\Users\Admin\AppData\Local\Programs\EasyDuplicateFinder\QTSourcePXT.dll

Filesize
1.9MB

MD5
66c4863871eec6dc4822f7af7b4f68cb

SHA1
a412c63c256948277ae442f3c523388284ce55e6

SHA256
b2a81a022b6c221bd48f3160eefe97c66977b61f006b0ea9810aa80e04edccbf

SHA512
a8e9bfb84bf216c5743e1b7fc6476e35848cbff3bb8c0073424419a11c2aad03456ff79b411e2acd83351680f94dac9e74f9ee7aeb77eff2ffa256363f69d710

Download Submit
C:\Users\Admin\AppData\Local\Programs\EasyDuplicateFinder\SynthFont.ini

Filesize
22B

MD5
bd43ef5c31b2f00e01b18492e2138391

SHA1
fcacf478671816f918a2f65d69ea7c3eea24bc8f

SHA256
32260f91d0109d9b92d396f7ca14d04e226f1b1186ce711319f2d4d9186ff509

SHA512
8f93f5621e6e24b596573134b907d94c6ce9bd865b63e5f9b83b602995ce71760c877c48f94e5a7f7a5a38607420cd207fbc9cff8485371e866f13399d4a8dea

Download Submit
C:\Users\Admin\AppData\Local\Programs\EasyDuplicateFinder\SynthFont2.exe

Filesize
20.1MB

MD5
b9120e1fd2abcb3f70e298a2448a259a

SHA1
70b5b4a180ba6d639ef591ed61b1448228da45f0

SHA256
1f207a4c1c4cf1a3ee335ff529b7253db7d487338f399d94011aaf458f59e9c2

SHA512
2960c1648f859b9a6a01bfc4bab8afa46cb5c9bfd2645680abd65b1eb2ca037d75cdcae3d5214522fa3278fbc961e8e3b5cbbec7a958cbbbb45e9d2b52ae2956

Download Submit
C:\Users\Admin\AppData\Local\Programs\EasyDuplicateFinder\report.wav

Filesize
3.6MB

MD5
fe7657fc50fd51ef452b74349956054c

SHA1
fafe06cdb90ee0a02aaf6fe4bfe5940a9f82a9f7

SHA256
4679825db2c4cc577c5f5bd1a04a62a168f4ab7100a1cbb35f5c1be15112d66f

SHA512
b080adce3e294f96db07a1c7f174293f76bcf5286b545f17271768a6e8feaa564c46d2c4744d5b549fe34629db8c22b6c27849514185f0539a5eefce84dcfbce

Download Submit
C:\Users\Admin\AppData\Local\Programs\EasyDuplicateFinder\sfArkDLL.dll

Filesize
92KB

MD5
f16146b1c3d8bac544699aece383003a

SHA1
c8c17bccbaf1f36a97bf04773b6a9de70684f55c

SHA256
fc41a2f0716ca592182f8a1a08929a3f63863408fe5ea797ddc592b8ca212881

SHA512
ba3dd381f8f43819457f2bdcf5ae2021b257524edf94758e5f6bb0b3a68170aae9c8591fe8b660c5f6f607c51f8540fc87a3488b3041bbb80200b45cd9d5451f

Download Submit
C:\Users\Admin\AppData\Local\Programs\EasyDuplicateFinder\winplay.dll

Filesize
9.3MB

MD5
b1258a8bf88edc6547c396b1d06edd93

SHA1
e96c28447890cc32deada0af3be6dd3df2d979fc

SHA256
39b2061a1275d4d8e8f56f600a265a10c23eafdb4ca40165b606f8079ce1f8fd

SHA512
62db68625d22d895f27e617a2c1a01e73acf3d74bcc854625b2ccbee15bc274a282d53a36072dd02521ab6ce2e5c87a73b665e0221dde604c5391a0e2ca4587b

Download Submit
C:\Users\Admin\AppData\Roaming\SynthFont\SynthFont.ini

Filesize
85B

MD5
5c26c93a1ab81ce9a91f3e30334dda67

SHA1
fe70678d408fd1a2aae08d7f6b764ca891b330b9

SHA256
ecabcff17883d94020e1e8fa9ef16cc8722f44460f72cac76eab075120a0f1d7

SHA512
56b7cd7ff786bcde890478e80b674c297d19d101fae039fd0501a3cc391ada23646b8abde5619af8b74bfea94f0ce39cce8b72db9ba2e51cae55b2b2cd8ea3a1

Download Submit
C:\Users\Admin\AppData\Roaming\SynthFont\SynthFont.ini

Filesize
118B

MD5
b10261ff927b7a317e611a7a147eda0e

SHA1
3b3738c43e002de6f885a7bf51baf5873461dfdd

SHA256
4e6da2a33412801fdde6f429867dd6814743ebe1b04d599b28f77d34ffead3fa

SHA512
f72600153053d1b0da7816600394afc969ac3c0fd5563ffcee4a78f2938da9a9354e461109693e88f60f4b78c72b88242528db64b55cfc10d35aff341c6cf002

Download Submit
C:\Users\Admin\AppData\Roaming\SynthFont\SynthFont.ini

Filesize
192B

MD5
a1e51871ededa35f00055b4b40aa02eb

SHA1
139ab21fdaf18d07d690038ac55d4ae163144387

SHA256
df94b60b5c586cc555c66e344b5dbf26bb0aa2705cae340bc43eeb18b2520f02

SHA512
92247b3858f89aef3c9fd68a521f23e2364e52e0be193e3f43834cc49629b33127c675f44fd6c8b2386e87a7846acf3497ed63858c4cd8635dab0c5deefe69b7

Download Submit
C:\Windows\Installer\e57e6a7.msi

Filesize
18.5MB

MD5
b4a8e2c2930ce08543812fc93d52c623

SHA1
46bd2b41d3f0d3d0ee4edbad3765534b9f8a4aa5

SHA256
7a611f7ede6f64d7deafdf2510ea740cf615ab0cd3d709cf17476c43a3b8aaee

SHA512
a689155826b93302649934648550e8c8a9a9a117cf72959ec153f8d5a443c14190f06a48b8e8ab0041c78e1d14c15a5859805e2eb955b7ac21c94814c33dd491

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.9MB

MD5
88a683713c76e6a75702ae010888fd06

SHA1
94b520a1e8e6ed19079b9d9346ab8d5140b6f6e6

SHA256
6356f1b71ef4e7a7705a2273e8f1a115b84234a91777a763d1d3e6ffe2e90c2c

SHA512
52e3dfc6ff297df53115646418f668c31956ca2e29b81ba85ec31568db8a2fa7989cef777f132c4a5fb2ffd39b8459d6516022a7b548990224d89cd6507b2689

Download Submit
\??\Volume{69919b71-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{f68b7e7e-426d-46bf-9489-1602835b2c43}_OnDiskSnapshotProp

Filesize
6KB

MD5
55e0a18a46a14fa49ea1dd41c4c04e8b

SHA1
af2ad78fc4d8d3d04d87f4778dd3e667f32bfe5a

SHA256
f9761ee9242e65ee5237ce55377b20f607d5516b5b07b0815236d2cc3f4cf89a

SHA512
d789f9b20ea470a2e59cee24144e6a986440f687aa8c9f9840811b4c30f6157c877ed0fa09e58ab1a7ce197f91db4ee6af604952090e975d56092c660ac47d70

Download Submit
memory/4752-390-0x00000000096F0000-0x0000000009849000-memory.dmp

Filesize
1.3MB

Download
memory/4752-389-0x00000000096F0000-0x0000000009849000-memory.dmp

Filesize
1.3MB

Download
memory/4752-388-0x00000000096F0000-0x0000000009849000-memory.dmp

Filesize
1.3MB

Download
memory/4752-67-0x00000000096F0000-0x0000000009849000-memory.dmp

Filesize
1.3MB

Download
memory/4752-443-0x00000000732D0000-0x0000000073714000-memory.dmp

Filesize
4.3MB

Download
memory/4752-442-0x0000000000650000-0x00000000025E8000-memory.dmp

Filesize
31.6MB

Download
memory/4752-66-0x00000000732D0000-0x0000000073714000-memory.dmp

Filesize
4.3MB

Download
memory/4752-717-0x0000000000650000-0x00000000025E8000-memory.dmp

Filesize
31.6MB

Download
memory/4752-726-0x0000000000650000-0x00000000025E8000-memory.dmp

Filesize
31.6MB

Download
memory/4752-732-0x00000000096F0000-0x0000000009849000-memory.dmp

Filesize
1.3MB

Download
memory/4752-731-0x00000000096F0000-0x0000000009849000-memory.dmp

Filesize
1.3MB

Download
memory/4752-743-0x00000000732D0000-0x0000000073714000-memory.dmp

Filesize
4.3MB

Download