lumma | bb035bd88ef10bfa2776a3182246d1f7a92dbd2354c90d0559ac49c90b73b917

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-01-2025 00:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bb035bd88ef10bfa2776a3182246d1f7a92dbd2354c90d0559ac49c90b73b917.msi
Size

3.5MB
MD5

804ccc6f904756d4b96b1ac090e14902
SHA1

9616d4668249548716a64e0f9c735c30f3355ad4
SHA256

bb035bd88ef10bfa2776a3182246d1f7a92dbd2354c90d0559ac49c90b73b917
SHA512

c01056442a985308d86adaa6de32cd894901290aa8648766eab3303a996f9efaa6617e718201f88fd5448bb6f68349d0bedff525642978039b63faf01b61509d
SSDEEP

98304:h2n6ghelC44WGE4TVkjqUBRuQq7BPiNv:a6gkT7GnT+jqUBRxq7Bsv

Score

10^/10

lumma discovery persistence privilege_escalation stealer

Malware Config

Extracted

Family

lumma

https://cloudewahsj.shop/api

https://rabidcowse.shop/api

https://noisycuttej.shop/api

https://tirepublicerj.shop/api

https://framekgirus.shop/api

https://wholersorie.shop/api

https://abruptyopsn.shop/api

https://nearycrepso.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1344 set thread context of 3884	1344	msn.exe	105

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e57cd35.msi	msiexec.exe
File created	C:\Windows\Installer\e57cd33.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57cd33.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{F4EFF517-218A-4E78-AAA3-252420C22CD7}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICE0E.tmp	msiexec.exe

Executes dropped EXE 2 IoCs

pid	Process
4036	msn.exe
1344	msn.exe

Loads dropped DLL 6 IoCs

pid	Process
4036	msn.exe
4036	msn.exe
4036	msn.exe
1344	msn.exe
1344	msn.exe
1344	msn.exe

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
4412	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msn.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000038a6760542cf76680000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000038a676050000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff00000000070001000068090038a67605000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d38a67605000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000038a6760500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1068	msiexec.exe
1068	msiexec.exe
4036	msn.exe
1344	msn.exe
1344	msn.exe
3884	cmd.exe
3884	cmd.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
1344	msn.exe
3884	cmd.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4412	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4412	msiexec.exe
Token: SeSecurityPrivilege	1068	msiexec.exe
Token: SeCreateTokenPrivilege	4412	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4412	msiexec.exe
Token: SeLockMemoryPrivilege	4412	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4412	msiexec.exe
Token: SeMachineAccountPrivilege	4412	msiexec.exe
Token: SeTcbPrivilege	4412	msiexec.exe
Token: SeSecurityPrivilege	4412	msiexec.exe
Token: SeTakeOwnershipPrivilege	4412	msiexec.exe
Token: SeLoadDriverPrivilege	4412	msiexec.exe
Token: SeSystemProfilePrivilege	4412	msiexec.exe
Token: SeSystemtimePrivilege	4412	msiexec.exe
Token: SeProfSingleProcessPrivilege	4412	msiexec.exe
Token: SeIncBasePriorityPrivilege	4412	msiexec.exe
Token: SeCreatePagefilePrivilege	4412	msiexec.exe
Token: SeCreatePermanentPrivilege	4412	msiexec.exe
Token: SeBackupPrivilege	4412	msiexec.exe
Token: SeRestorePrivilege	4412	msiexec.exe
Token: SeShutdownPrivilege	4412	msiexec.exe
Token: SeDebugPrivilege	4412	msiexec.exe
Token: SeAuditPrivilege	4412	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4412	msiexec.exe
Token: SeChangeNotifyPrivilege	4412	msiexec.exe
Token: SeRemoteShutdownPrivilege	4412	msiexec.exe
Token: SeUndockPrivilege	4412	msiexec.exe
Token: SeSyncAgentPrivilege	4412	msiexec.exe
Token: SeEnableDelegationPrivilege	4412	msiexec.exe
Token: SeManageVolumePrivilege	4412	msiexec.exe
Token: SeImpersonatePrivilege	4412	msiexec.exe
Token: SeCreateGlobalPrivilege	4412	msiexec.exe
Token: SeBackupPrivilege	1596	vssvc.exe
Token: SeRestorePrivilege	1596	vssvc.exe
Token: SeAuditPrivilege	1596	vssvc.exe
Token: SeBackupPrivilege	1068	msiexec.exe
Token: SeRestorePrivilege	1068	msiexec.exe
Token: SeRestorePrivilege	1068	msiexec.exe
Token: SeTakeOwnershipPrivilege	1068	msiexec.exe
Token: SeRestorePrivilege	1068	msiexec.exe
Token: SeTakeOwnershipPrivilege	1068	msiexec.exe
Token: SeRestorePrivilege	1068	msiexec.exe
Token: SeTakeOwnershipPrivilege	1068	msiexec.exe
Token: SeRestorePrivilege	1068	msiexec.exe
Token: SeTakeOwnershipPrivilege	1068	msiexec.exe
Token: SeRestorePrivilege	1068	msiexec.exe
Token: SeTakeOwnershipPrivilege	1068	msiexec.exe
Token: SeRestorePrivilege	1068	msiexec.exe
Token: SeTakeOwnershipPrivilege	1068	msiexec.exe
Token: SeRestorePrivilege	1068	msiexec.exe
Token: SeTakeOwnershipPrivilege	1068	msiexec.exe
Token: SeRestorePrivilege	1068	msiexec.exe
Token: SeTakeOwnershipPrivilege	1068	msiexec.exe
Token: SeRestorePrivilege	1068	msiexec.exe
Token: SeTakeOwnershipPrivilege	1068	msiexec.exe
Token: SeRestorePrivilege	1068	msiexec.exe
Token: SeTakeOwnershipPrivilege	1068	msiexec.exe
Token: SeRestorePrivilege	1068	msiexec.exe
Token: SeTakeOwnershipPrivilege	1068	msiexec.exe
Token: SeRestorePrivilege	1068	msiexec.exe
Token: SeTakeOwnershipPrivilege	1068	msiexec.exe
Token: SeRestorePrivilege	1068	msiexec.exe
Token: SeTakeOwnershipPrivilege	1068	msiexec.exe
Token: SeRestorePrivilege	1068	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4412	msiexec.exe
4412	msiexec.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1068 wrote to memory of 2872	1068	msiexec.exe	101
PID 1068 wrote to memory of 2872	1068	msiexec.exe	101
PID 1068 wrote to memory of 4036	1068	msiexec.exe	103
PID 1068 wrote to memory of 4036	1068	msiexec.exe	103
PID 1068 wrote to memory of 4036	1068	msiexec.exe	103
PID 4036 wrote to memory of 1344	4036	msn.exe	104
PID 4036 wrote to memory of 1344	4036	msn.exe	104
PID 4036 wrote to memory of 1344	4036	msn.exe	104
PID 1344 wrote to memory of 3884	1344	msn.exe	105
PID 1344 wrote to memory of 3884	1344	msn.exe	105
PID 1344 wrote to memory of 3884	1344	msn.exe	105
PID 1344 wrote to memory of 3884	1344	msn.exe	105
PID 3884 wrote to memory of 1828	3884	cmd.exe	110
PID 3884 wrote to memory of 1828	3884	cmd.exe	110
PID 3884 wrote to memory of 1828	3884	cmd.exe	110
PID 3884 wrote to memory of 1828	3884	cmd.exe	110

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\bb035bd88ef10bfa2776a3182246d1f7a92dbd2354c90d0559ac49c90b73b917.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4412

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1068
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:2872
- C:\Users\Admin\AppData\Roaming\Pedicel\msn.exe
  "C:\Users\Admin\AppData\Roaming\Pedicel\msn.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4036
- - C:\Users\Admin\AppData\Roaming\Channeldemo_test\msn.exe
    C:\Users\Admin\AppData\Roaming\Channeldemo_test\msn.exe
    3⤵
    - Suspicious use of SetThreadContext
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:1344
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\SysWOW64\cmd.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:3884
    - - C:\Windows\SysWOW64\explorer.exe
        
        C:\Windows\SysWOW64\explorer.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1828

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:1596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57cd34.rbs

Filesize
9KB

MD5
3ed07bcc58f4cdb2c91dda58590636d7

SHA1
0eea194a372ddca2a80dadb28e75254eef53172d

SHA256
eb522c895ee2f95e7a1667ae34558521143269675c486cd0823ae614357eb35c

SHA512
fa4da446febfda62519fb2efbcaf4fe35f507dbca38176e20eed7d89c618019c710a5f3773f822b3cd5f69f372454c10d9db2ac82f183bb9b0e49afa29bb74e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7409b519

Filesize
1.0MB

MD5
aefb73f6b104a465b46c0066b7478f7a

SHA1
9b8143503921890f3df3467a86cb7554bb25f089

SHA256
20c04b5fd571237002dbb578616a93bf845d149ad9af423a5b1ed600b50ee013

SHA512
9c14bb24c0dab6f9efe6d1256d165759ea67bd7b03fbbbfd70eaebb5309a9aa5ca31046d432eaf16b5d11566e1a3fc2d69c411ea60f2ca310fc7f25cad4619c8

Download Submit
C:\Users\Admin\AppData\Roaming\Pedicel\admiral.swf

Filesize
791KB

MD5
1d1797335f3638578054449fc8706ad7

SHA1
7a00e491df86b032e5975342ea65fc7b25ebd72e

SHA256
201c3a314b6874b8faa2e18b396422c252ab323c37125ea771a33cc59dbc3e09

SHA512
27e75214a7ecceb0f6432fc2df5ceb7f315598e284cdf318a6004c4b03a44840ff0a0331e901f94610a210a85325b50da0372db406aa510d3431641cefba232d

Download Submit
C:\Users\Admin\AppData\Roaming\Pedicel\comp.pptx

Filesize
55KB

MD5
8357ece194ccdc0c4aceb399f9f62b58

SHA1
79f9b8f7e3e523fbd880dc57e4b7f4911d13e308

SHA256
8beaccb414c932f2aaf5092eade95b70fa3f9a804c2f9704edfac155256c2202

SHA512
e63cd5b859ca88f0e9d98c79303d1994da3369a7ffec1b07eb60f4494dfde47661b38c504b83e872dd1194f6a66b721efbbab0b2e7c34cdb07e06a43e272d1f8

Download Submit
C:\Users\Admin\AppData\Roaming\Pedicel\contactsUX.dll

Filesize
331KB

MD5
54ee6a204238313dc6aca21c7e036c17

SHA1
531fd1c18e2e4984c72334eb56af78a1048da6c7

SHA256
0abf68b8409046a1555d48ac506fd26fda4b29d8d61e07bc412a4e21de2782fd

SHA512
19a2e371712aab54b75059d39a9aea6e7de2eb69b3ffc0332e60df617ebb9de61571b2ca722cddb75c9cbc79f8200d03f73539f21f69366eae3c7641731c7820

Download Submit
C:\Users\Admin\AppData\Roaming\Pedicel\msidcrl40.dll

Filesize
791KB

MD5
ef66829b99bbfc465b05dc7411b0dcfa

SHA1
c6f6275f92053b4b9fa8f2738ed3e84f45261503

SHA256
257e6489f5b733f2822f0689295a9f47873be3cec5f4a135cd847a2f2c82a575

SHA512
6839b7372e37e67c270a4225f91df21f856158a292849da2101c2978ce37cd08b75923ab30ca39d7360ce896fc6a2a2d646dd88eb2993cef612c43a475fdb2ea

Download Submit
C:\Users\Admin\AppData\Roaming\Pedicel\msn.exe

Filesize
5.5MB

MD5
537915708fe4e81e18e99d5104b353ed

SHA1
128ddb7096e5b748c72dc13f55b593d8d20aa3fb

SHA256
6dc7275f2143d1de0ca66c487b0f2ebff3d4c6a79684f03b9619bf23143ecf74

SHA512
9ceaaf7aa5889be9f5606646403133782d004b9d78ef83d7007dfce67c0f4f688d7931aebc74f1fc30aac2f1dd6281bdadfb52bc3ea46aca33b334adb4067ae2

Download Submit
C:\Users\Admin\AppData\Roaming\Pedicel\msncore.dll

Filesize
982KB

MD5
8cea78bab4ef0c6a419cd37f4cfde56d

SHA1
70ed9ecfb3bfd3fcd7ef69b4a4794b9672dd00d7

SHA256
4398fac24faab57eb0bab0315180033a9105e0fff6d476f0aebd3a42863d289e

SHA512
9efa2b8fbe337e0262e5122d3f0c6ac33282e901ad76549c95bd18945644f464775855f42d03473597c7f22b32af2ce57603c1d1768d4fbfdbfb693edcaed53a

Download Submit
C:\Users\Admin\AppData\Roaming\Pedicel\msvcr80.dll

Filesize
612KB

MD5
43143abb001d4211fab627c136124a44

SHA1
edb99760ae04bfe68aaacf34eb0287a3c10ec885

SHA256
cb8928ff2faf2921b1eddc267dce1bb64e6fee4d15b68cd32588e0f3be116b03

SHA512
ced96ca5d1e2573dbf21875cf98a8fcb86b5bcdca4c041680a9cb87374378e04835f02ab569d5243608c68feb2e9b30ffe39feb598f5081261a57d1ce97556a6

Download Submit
C:\Windows\Installer\e57cd33.msi

Filesize
3.5MB

MD5
804ccc6f904756d4b96b1ac090e14902

SHA1
9616d4668249548716a64e0f9c735c30f3355ad4

SHA256
bb035bd88ef10bfa2776a3182246d1f7a92dbd2354c90d0559ac49c90b73b917

SHA512
c01056442a985308d86adaa6de32cd894901290aa8648766eab3303a996f9efaa6617e718201f88fd5448bb6f68349d0bedff525642978039b63faf01b61509d

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
24.1MB

MD5
71ff91adf2efe28a23286092dbdb0452

SHA1
7582e01f4524c5d2d67ced3a34d3a077dadc625f

SHA256
d3c7b83559f5ec3b627428a8c4af24b30f90b2354a94d270520a055d315c4286

SHA512
3fe6e6dae7f447296b7fa63aa390f18176c65dd6f6fd9acf331940febd0cd0878019ffb7c1d029f1f2fd52ea72e76aa49f7f29bf3c44dadea0d9cfa33f6bb560

Download Submit
\??\Volume{0576a638-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{8180f8a2-d9bd-4f54-bf06-73e64d562a55}_OnDiskSnapshotProp

Filesize
6KB

MD5
1bb1e320b55de4d5d7a6485932dbb87f

SHA1
5ee7d09ec281ba7f7adfe32a2a5d047bd5145f7d

SHA256
4e3dc8b8a0ad43e30b34f4a82f87a6abaa6ebc629e2a59ed479abbfabb33cf52

SHA512
b57b95332be571d8b7fab90e31bb160f9a8a2125b41c268183e3a434bffd8023179d3dc70cb8ff7a5c3418d11ed2de0f0ac2d5882ba8ab0e6163f82f13a82c13

Download Submit
memory/1344-62-0x0000000073D80000-0x0000000073EFB000-memory.dmp

Filesize
1.5MB

Download
memory/1344-63-0x00007FFA00DF0000-0x00007FFA00FE5000-memory.dmp

Filesize
2.0MB

Download
memory/1344-64-0x0000000073D80000-0x0000000073EFB000-memory.dmp

Filesize
1.5MB

Download
memory/1828-70-0x00007FFA00DF0000-0x00007FFA00FE5000-memory.dmp

Filesize
2.0MB

Download
memory/1828-71-0x0000000000CD0000-0x0000000000D2B000-memory.dmp

Filesize
364KB

Download
memory/1828-72-0x0000000000CD0000-0x0000000000D2B000-memory.dmp

Filesize
364KB

Download
memory/3884-67-0x00007FFA00DF0000-0x00007FFA00FE5000-memory.dmp

Filesize
2.0MB

Download
memory/3884-68-0x0000000073D80000-0x0000000073EFB000-memory.dmp

Filesize
1.5MB

Download
memory/4036-40-0x00007FFA00DF0000-0x00007FFA00FE5000-memory.dmp

Filesize
2.0MB

Download
memory/4036-39-0x0000000073D80000-0x0000000073EFB000-memory.dmp

Filesize
1.5MB

Download