lumma | 01e47666d5b3c98c9fdfb3994128a7a23b109f27a526b5cc554e35201a8bfc89

Resubmissions

03-01-2025 22:24

250103-2bfbgawqaz 10

03-01-2025 22:23

250103-2askeawpgs 1

03-01-2025 22:00

250103-1wyg4syjhj 1

Analysis

max time kernel
60s
max time network
64s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
03-01-2025 22:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup.rar
Size

107.9MB
MD5

a2de105be06859e11c9fe5c1aaddcfa4
SHA1

61d8cea24341fb94b6de5d3d27588af400309226
SHA256

01e47666d5b3c98c9fdfb3994128a7a23b109f27a526b5cc554e35201a8bfc89
SHA512

4c6d641e1bb413b5b7f42c76ab0a6c622aefa5b3bd7eb2ca8819b19badda9fa13b80b1ec3b302371f145ec7e808336a45163325a1573450e8b4779e60eb0e39a
SSDEEP

3145728:puwjTEHG8aPVkp1hSDkz/RfXEVA5o7kN3Toingp01COy:puwjIHG8a9kpUktXHOwDgpMfy

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://cloudewahsj.shop/api

https://rabidcowse.shop/api

https://noisycuttej.shop/api

https://tirepublicerj.shop/api

https://framekgirus.shop/api

https://wholersorie.shop/api

https://abruptyopsn.shop/api

https://nearycrepso.shop/api

https://begguinnerz.biz/api

Extracted

Family

lumma

https://begguinnerz.biz/api

https://abruptyopsn.shop/api

https://wholersorie.shop/api

https://framekgirus.shop/api

https://tirepublicerj.shop/api

https://noisycuttej.shop/api

https://rabidcowse.shop/api

https://cloudewahsj.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Executes dropped EXE 9 IoCs

pid	Process
3632	Cheats.exe
1592	Cheats.exe
3384	Cheats.exe
1856	Cheats.exe
4612	Cheats.exe
3876	Cheats.exe
1180	Cheats.exe
1504	Cheats.exe
2676	Cheats.exe

Loads dropped DLL 9 IoCs

pid	Process
3632	Cheats.exe
1592	Cheats.exe
3384	Cheats.exe
1856	Cheats.exe
4612	Cheats.exe
3876	Cheats.exe
1180	Cheats.exe
1504	Cheats.exe
2676	Cheats.exe

Suspicious use of SetThreadContext 9 IoCs

description	pid	Process	procid_target
PID 3632 set thread context of 2108	3632	Cheats.exe	93
PID 1592 set thread context of 4084	1592	Cheats.exe	98
PID 3384 set thread context of 2756	3384	Cheats.exe	101
PID 1856 set thread context of 3604	1856	Cheats.exe	104
PID 4612 set thread context of 1064	4612	Cheats.exe	107
PID 3876 set thread context of 1780	3876	Cheats.exe	110
PID 1180 set thread context of 4356	1180	Cheats.exe	123
PID 1504 set thread context of 4480	1504	Cheats.exe	126
PID 2676 set thread context of 1932	2676	Cheats.exe	129

System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_regiis.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cheats.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_regiis.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_regiis.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cheats.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cheats.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cheats.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_regiis.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_regiis.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_regiis.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_regiis.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cheats.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cheats.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cheats.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_regiis.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cheats.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cheats.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_regiis.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
1800	7zFM.exe
1800	7zFM.exe
1800	7zFM.exe
1800	7zFM.exe
1800	7zFM.exe
1800	7zFM.exe
1800	7zFM.exe
1800	7zFM.exe
1800	7zFM.exe
1800	7zFM.exe
1800	7zFM.exe
1800	7zFM.exe
1800	7zFM.exe
1800	7zFM.exe
1800	7zFM.exe
1800	7zFM.exe
1800	7zFM.exe
1800	7zFM.exe
1800	7zFM.exe
1800	7zFM.exe
1800	7zFM.exe
1800	7zFM.exe
1800	7zFM.exe
1800	7zFM.exe
1800	7zFM.exe
1800	7zFM.exe
1800	7zFM.exe
1800	7zFM.exe
1800	7zFM.exe
1800	7zFM.exe
1800	7zFM.exe
1800	7zFM.exe
1800	7zFM.exe
1800	7zFM.exe
1800	7zFM.exe
1800	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1800	7zFM.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeRestorePrivilege	1800	7zFM.exe
Token: 35	1800	7zFM.exe
Token: SeSecurityPrivilege	1800	7zFM.exe
Token: SeSecurityPrivilege	1800	7zFM.exe
Token: SeSecurityPrivilege	1800	7zFM.exe
Token: SeSecurityPrivilege	1800	7zFM.exe
Token: SeSecurityPrivilege	1800	7zFM.exe
Token: SeSecurityPrivilege	1800	7zFM.exe
Token: SeSecurityPrivilege	1800	7zFM.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
1800	7zFM.exe
1800	7zFM.exe
1800	7zFM.exe
1800	7zFM.exe
1800	7zFM.exe
1800	7zFM.exe
1800	7zFM.exe
1800	7zFM.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1800 wrote to memory of 3632	1800	7zFM.exe	90
PID 1800 wrote to memory of 3632	1800	7zFM.exe	90
PID 1800 wrote to memory of 3632	1800	7zFM.exe	90
PID 3632 wrote to memory of 2108	3632	Cheats.exe	93
PID 3632 wrote to memory of 2108	3632	Cheats.exe	93
PID 3632 wrote to memory of 2108	3632	Cheats.exe	93
PID 3632 wrote to memory of 2108	3632	Cheats.exe	93
PID 3632 wrote to memory of 2108	3632	Cheats.exe	93
PID 3632 wrote to memory of 2108	3632	Cheats.exe	93
PID 3632 wrote to memory of 2108	3632	Cheats.exe	93
PID 3632 wrote to memory of 2108	3632	Cheats.exe	93
PID 3632 wrote to memory of 2108	3632	Cheats.exe	93
PID 3632 wrote to memory of 2108	3632	Cheats.exe	93
PID 3632 wrote to memory of 2108	3632	Cheats.exe	93
PID 3632 wrote to memory of 2108	3632	Cheats.exe	93
PID 3632 wrote to memory of 2108	3632	Cheats.exe	93
PID 1800 wrote to memory of 1592	1800	7zFM.exe	96
PID 1800 wrote to memory of 1592	1800	7zFM.exe	96
PID 1800 wrote to memory of 1592	1800	7zFM.exe	96
PID 1592 wrote to memory of 4084	1592	Cheats.exe	98
PID 1592 wrote to memory of 4084	1592	Cheats.exe	98
PID 1592 wrote to memory of 4084	1592	Cheats.exe	98
PID 1592 wrote to memory of 4084	1592	Cheats.exe	98
PID 1592 wrote to memory of 4084	1592	Cheats.exe	98
PID 1592 wrote to memory of 4084	1592	Cheats.exe	98
PID 1592 wrote to memory of 4084	1592	Cheats.exe	98
PID 1592 wrote to memory of 4084	1592	Cheats.exe	98
PID 1592 wrote to memory of 4084	1592	Cheats.exe	98
PID 1592 wrote to memory of 4084	1592	Cheats.exe	98
PID 1592 wrote to memory of 4084	1592	Cheats.exe	98
PID 1592 wrote to memory of 4084	1592	Cheats.exe	98
PID 1592 wrote to memory of 4084	1592	Cheats.exe	98
PID 1800 wrote to memory of 3384	1800	7zFM.exe	99
PID 1800 wrote to memory of 3384	1800	7zFM.exe	99
PID 1800 wrote to memory of 3384	1800	7zFM.exe	99
PID 3384 wrote to memory of 2756	3384	Cheats.exe	101
PID 3384 wrote to memory of 2756	3384	Cheats.exe	101
PID 3384 wrote to memory of 2756	3384	Cheats.exe	101
PID 3384 wrote to memory of 2756	3384	Cheats.exe	101
PID 3384 wrote to memory of 2756	3384	Cheats.exe	101
PID 3384 wrote to memory of 2756	3384	Cheats.exe	101
PID 3384 wrote to memory of 2756	3384	Cheats.exe	101
PID 3384 wrote to memory of 2756	3384	Cheats.exe	101
PID 3384 wrote to memory of 2756	3384	Cheats.exe	101
PID 3384 wrote to memory of 2756	3384	Cheats.exe	101
PID 3384 wrote to memory of 2756	3384	Cheats.exe	101
PID 3384 wrote to memory of 2756	3384	Cheats.exe	101
PID 3384 wrote to memory of 2756	3384	Cheats.exe	101
PID 1800 wrote to memory of 1856	1800	7zFM.exe	102
PID 1800 wrote to memory of 1856	1800	7zFM.exe	102
PID 1800 wrote to memory of 1856	1800	7zFM.exe	102
PID 1856 wrote to memory of 3604	1856	Cheats.exe	104
PID 1856 wrote to memory of 3604	1856	Cheats.exe	104
PID 1856 wrote to memory of 3604	1856	Cheats.exe	104
PID 1856 wrote to memory of 3604	1856	Cheats.exe	104
PID 1856 wrote to memory of 3604	1856	Cheats.exe	104
PID 1856 wrote to memory of 3604	1856	Cheats.exe	104
PID 1856 wrote to memory of 3604	1856	Cheats.exe	104
PID 1856 wrote to memory of 3604	1856	Cheats.exe	104
PID 1856 wrote to memory of 3604	1856	Cheats.exe	104
PID 1856 wrote to memory of 3604	1856	Cheats.exe	104
PID 1856 wrote to memory of 3604	1856	Cheats.exe	104
PID 1856 wrote to memory of 3604	1856	Cheats.exe	104
PID 1856 wrote to memory of 3604	1856	Cheats.exe	104

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Setup.rar"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1800
- C:\Users\Admin\AppData\Local\Temp\7zO807D0097\Cheats.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO807D0097\Cheats.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3632
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2108
- C:\Users\Admin\AppData\Local\Temp\7zO80762387\Cheats.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO80762387\Cheats.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1592
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4084
- C:\Users\Admin\AppData\Local\Temp\7zO8078EF87\Cheats.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO8078EF87\Cheats.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3384
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2756
- C:\Users\Admin\AppData\Local\Temp\7zO807B3887\Cheats.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO807B3887\Cheats.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1856
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3604
- C:\Users\Admin\AppData\Local\Temp\7zO807E2A87\Cheats.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO807E2A87\Cheats.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:4612
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1064
- C:\Users\Admin\AppData\Local\Temp\7zO807174B7\Cheats.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO807174B7\Cheats.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:3876
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1780

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4060

C:\Users\Admin\Desktop\Setup\Cheats.exe
"C:\Users\Admin\Desktop\Setup\Cheats.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1180
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4356

C:\Users\Admin\Desktop\Setup\Cheats.exe
"C:\Users\Admin\Desktop\Setup\Cheats.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1504
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4480

C:\Users\Admin\Desktop\Setup\Cheats.exe
"C:\Users\Admin\Desktop\Setup\Cheats.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2676
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Cheats.exe.log

Filesize
42B

MD5
84cfdb4b995b1dbf543b26b86c863adc

SHA1
d2f47764908bf30036cf8248b9ff5541e2711fa2

SHA256
d8988d672d6915b46946b28c06ad8066c50041f6152a91d37ffa5cf129cc146b

SHA512
485f0ed45e13f00a93762cbf15b4b8f996553baa021152fae5aba051e3736bcd3ca8f4328f0e6d9e3e1f910c96c4a9ae055331123ee08e3c2ce3a99ac2e177ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zE807C5908\Setup\database\Data\cef.pak

Filesize
3.9MB

MD5
4290bf19c70db819b4ca7a80ebabca3c

SHA1
2aaefa1183234d661f9e82ba40bd3c58e106d42b

SHA256
fb346203c063d5e48ea230b2c4947e5b9e8e600a0b5940e42b325426637c441a

SHA512
c2a9afce86f768e4406c4d51dd659bcd0428ddffea5b3032ca2783dae646f7274480cc74ca5dc0151c69d734ffb6c1e9188e41c62cf8bd2ea46fe890fec09944

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zE807C5908\Setup\database\Data\cef_100_percent.pak

Filesize
637KB

MD5
20c53b63527023e3bc2300fe83e62941

SHA1
0dccc5c4fa3e79cb258406050eeda2c224b6ce31

SHA256
65eb3dcbadc41708c3b6347f13ef1d6b0fdc48fe72dac91c41ff38d390231af7

SHA512
ef54e4a0c47b0621845b1f677b0136933a571c857f46ef7b556f509a5d36c771708505e3216248b540ffbcada08dc289167d91c4ceba7d678de70f499900cd22

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zE807C5908\Setup\database\Data\data_0

Filesize
44KB

MD5
ccdad492bf2837b5c39af24e1edeba19

SHA1
559849e557ea273c8b093520f25f71999bb842dd

SHA256
48b6feeab56e590821508aca66a4d4347276719248a39caf4019c41884b51c65

SHA512
638b4a53e3c8210cd60b16b69b8ac96745451f9b28abca9106e56bc740f98461cf06d8be0b355f429db358bcdcdc232c6d6e10eb51948d5f43783901658807a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zE807C5908\Setup\database\Data\data_1

Filesize
264KB

MD5
abac4265c823916c5e7eff156e9efa0c

SHA1
afe2336ff1030e766bdc0f23bb489518fecf9245

SHA256
c1fee2558ca5efb77691635b1ff92ba3661b8217653f2ffe6150699d44137e6b

SHA512
ee27854a771076d397b0135e7c4cf415d59031479be5739b99b51ec54ca1bee6d0f411ffe7ffee1f2df2a5aa88360ddb94621f6c5ac8ec30c120d7b86c9ef95b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zE807C5908\Setup\database\Data\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zE807C5908\Setup\database\Data\data_3

Filesize
4.0MB

MD5
9cee917599959084a52bab23760d377a

SHA1
f656fd8a9ba69ab6ab6b4197a5ea315391c987e4

SHA256
11b5e06939869ecee30f05494b91b4707ac8ecd0cdd376e88e0fb0d4ac925900

SHA512
54576a2d1f9062cf58022b1e3c84129ad427f5e47e301cc4819d34aa168a958600d47827f16ee44f350b39ae703dd6106352470adb75068fbf6d5b8ad319bea2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zE807C5908\Setup\database\Data\index

Filesize
256KB

MD5
2b19239fdfc1ce97f23509562dae213c

SHA1
89874206b901d33a4033cde558f515000d436183

SHA256
2947e7b436276b77907ca9cc9a6a9a0521701086f3bc373e285ddd7bd9551b6c

SHA512
8c92dc7046b25a4537ef88cbc83016894f2b41e04b14bcbae2e947342c15d563998868b27fd119d8b067e9c12914d3e1a37e3be019333f407e3d4551ce511dd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO807D0097\Cheats.exe

Filesize
513KB

MD5
55169a2310f81a77eca19373c123c399

SHA1
6255c3de01d648d28968eb7383b10b615ac337eb

SHA256
0a412b396322accac4586c60a046879586b1a44182b9c33c644e9b690ef1e20c

SHA512
de4c598c46766ed492f391b2f2a333b24ff92fb638b3aea05c162d1492ec92042cc79d081cf680621be520fac7af99e6a60402e22f81bb7bc5af1e4d010b4ae2

Download Submit
C:\Users\Admin\AppData\Roaming\gdi32.dll

Filesize
454KB

MD5
18db3e49cb8b11e5659e247119ebcaa9

SHA1
805455507d9ae2c96590262afe2948e68dafe75d

SHA256
5c8f459b9d632bbdfd28e413e100b63cf5c9bf4af1efe7a51d994f9bf2a9362e

SHA512
5f0cdb4213d3974f36e6bc402a179805aae4e8e35149e78775d60a4a7421a8e8954e74b275874ddfbb660bc467bf64c177ad26aac1ceaca2e2f8e6bbd2286eae

Download Submit
memory/1064-141-0x00000000009F0000-0x0000000000A5A000-memory.dmp

Filesize
424KB

Download
memory/1064-143-0x00000000009F0000-0x0000000000A5A000-memory.dmp

Filesize
424KB

Download
memory/1932-279-0x0000000000B50000-0x0000000000BBB000-memory.dmp

Filesize
428KB

Download
memory/1932-282-0x0000000000B50000-0x0000000000BBB000-memory.dmp

Filesize
428KB

Download
memory/2108-33-0x0000000001300000-0x000000000135B000-memory.dmp

Filesize
364KB

Download
memory/2108-24-0x0000000001300000-0x000000000135B000-memory.dmp

Filesize
364KB

Download
memory/2108-30-0x0000000001300000-0x000000000135B000-memory.dmp

Filesize
364KB

Download
memory/2756-85-0x00000000010F0000-0x000000000115A000-memory.dmp

Filesize
424KB

Download
memory/2756-89-0x00000000010F0000-0x000000000115A000-memory.dmp

Filesize
424KB

Download
memory/2756-86-0x00000000010F0000-0x000000000115A000-memory.dmp

Filesize
424KB

Download
memory/3604-112-0x0000000000CF0000-0x0000000000D5B000-memory.dmp

Filesize
428KB

Download
memory/3604-113-0x0000000000CF0000-0x0000000000D5B000-memory.dmp

Filesize
428KB

Download
memory/3604-116-0x0000000000CF0000-0x0000000000D5B000-memory.dmp

Filesize
428KB

Download
memory/3632-34-0x00000000752A0000-0x0000000075A51000-memory.dmp

Filesize
7.7MB

Download
memory/3632-25-0x00000000752A0000-0x0000000075A51000-memory.dmp

Filesize
7.7MB

Download
memory/3632-23-0x00000000752A0000-0x0000000075A51000-memory.dmp

Filesize
7.7MB

Download
memory/3632-16-0x0000000000BF0000-0x0000000000C76000-memory.dmp

Filesize
536KB

Download
memory/3632-15-0x00000000752AE000-0x00000000752AF000-memory.dmp

Filesize
4KB

Download
memory/4084-60-0x0000000001000000-0x000000000105B000-memory.dmp

Filesize
364KB

Download
memory/4084-62-0x0000000001000000-0x000000000105B000-memory.dmp

Filesize
364KB

Download
memory/4356-258-0x0000000000790000-0x00000000007FB000-memory.dmp

Filesize
428KB

Download
memory/4356-255-0x0000000000790000-0x00000000007FB000-memory.dmp

Filesize
428KB

Download
memory/4480-270-0x00000000011A0000-0x000000000120B000-memory.dmp

Filesize
428KB

Download
memory/4480-267-0x00000000011A0000-0x000000000120B000-memory.dmp

Filesize
428KB

Download