lumma | fbccc8952710a8a50655f4fe3a880c8373411b7ec40e54aabd7eaff3f1d0137b

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-01-2025 11:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Update_1.65.4.msi
Size

9.5MB
MD5

d330c09503e6c3d51cd2d3435de0795a
SHA1

5b7bbf5bc80f4b3863c263d1aed620faa4612c9d
SHA256

fbccc8952710a8a50655f4fe3a880c8373411b7ec40e54aabd7eaff3f1d0137b
SHA512

ed3abd52e47d36ca3637dbf3d738d6509049162dd3f084dc7b9c286f517be815c6825df2c1070f36ac4e4445e62919c44a37793fc4bc0761076608340c35610e
SSDEEP

196608:0uVUeJYJMd0rWLhjx5YHU+tYERMN2fr/pa/3pqnLtAPLMgzWS3W9i4EzP:lV6WLR+tYiyURmpML6DMgzJsc

Score

10^/10

lumma discovery persistence privilege_escalation stealer

Malware Config

Extracted

Family

lumma

https://cloudewahsj.shop/api

https://rabidcowse.shop/api

https://noisycuttej.shop/api

https://tirepublicerj.shop/api

https://framekgirus.shop/api

https://wholersorie.shop/api

https://abruptyopsn.shop/api

https://nearycrepso.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4352 set thread context of 3304	4352	ReFB.exe	104

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{C4AD535D-D136-4F91-8948-3E2C33960630}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI311D.tmp	msiexec.exe
File created	C:\Windows\Installer\e583064.msi	msiexec.exe
File created	C:\Windows\Installer\e583062.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e583062.msi	msiexec.exe

Executes dropped EXE 2 IoCs

pid	Process
3596	ReFB.exe
4352	ReFB.exe

Loads dropped DLL 14 IoCs

pid	Process
3596	ReFB.exe
3596	ReFB.exe
3596	ReFB.exe
3596	ReFB.exe
3596	ReFB.exe
3596	ReFB.exe
3596	ReFB.exe
4352	ReFB.exe
4352	ReFB.exe
4352	ReFB.exe
4352	ReFB.exe
4352	ReFB.exe
4352	ReFB.exe
4352	ReFB.exe

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
1224	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ReFB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ReFB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000f59c2d6185d8bf0c0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000f59c2d610000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900f59c2d61000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1df59c2d61000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000f59c2d6100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2788	msiexec.exe
2788	msiexec.exe
3596	ReFB.exe
4352	ReFB.exe
4352	ReFB.exe
4352	ReFB.exe
3304	cmd.exe
3304	cmd.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
4352	ReFB.exe
3304	cmd.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1224	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1224	msiexec.exe
Token: SeSecurityPrivilege	2788	msiexec.exe
Token: SeCreateTokenPrivilege	1224	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1224	msiexec.exe
Token: SeLockMemoryPrivilege	1224	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1224	msiexec.exe
Token: SeMachineAccountPrivilege	1224	msiexec.exe
Token: SeTcbPrivilege	1224	msiexec.exe
Token: SeSecurityPrivilege	1224	msiexec.exe
Token: SeTakeOwnershipPrivilege	1224	msiexec.exe
Token: SeLoadDriverPrivilege	1224	msiexec.exe
Token: SeSystemProfilePrivilege	1224	msiexec.exe
Token: SeSystemtimePrivilege	1224	msiexec.exe
Token: SeProfSingleProcessPrivilege	1224	msiexec.exe
Token: SeIncBasePriorityPrivilege	1224	msiexec.exe
Token: SeCreatePagefilePrivilege	1224	msiexec.exe
Token: SeCreatePermanentPrivilege	1224	msiexec.exe
Token: SeBackupPrivilege	1224	msiexec.exe
Token: SeRestorePrivilege	1224	msiexec.exe
Token: SeShutdownPrivilege	1224	msiexec.exe
Token: SeDebugPrivilege	1224	msiexec.exe
Token: SeAuditPrivilege	1224	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1224	msiexec.exe
Token: SeChangeNotifyPrivilege	1224	msiexec.exe
Token: SeRemoteShutdownPrivilege	1224	msiexec.exe
Token: SeUndockPrivilege	1224	msiexec.exe
Token: SeSyncAgentPrivilege	1224	msiexec.exe
Token: SeEnableDelegationPrivilege	1224	msiexec.exe
Token: SeManageVolumePrivilege	1224	msiexec.exe
Token: SeImpersonatePrivilege	1224	msiexec.exe
Token: SeCreateGlobalPrivilege	1224	msiexec.exe
Token: SeBackupPrivilege	672	vssvc.exe
Token: SeRestorePrivilege	672	vssvc.exe
Token: SeAuditPrivilege	672	vssvc.exe
Token: SeBackupPrivilege	2788	msiexec.exe
Token: SeRestorePrivilege	2788	msiexec.exe
Token: SeRestorePrivilege	2788	msiexec.exe
Token: SeTakeOwnershipPrivilege	2788	msiexec.exe
Token: SeRestorePrivilege	2788	msiexec.exe
Token: SeTakeOwnershipPrivilege	2788	msiexec.exe
Token: SeRestorePrivilege	2788	msiexec.exe
Token: SeTakeOwnershipPrivilege	2788	msiexec.exe
Token: SeRestorePrivilege	2788	msiexec.exe
Token: SeTakeOwnershipPrivilege	2788	msiexec.exe
Token: SeRestorePrivilege	2788	msiexec.exe
Token: SeTakeOwnershipPrivilege	2788	msiexec.exe
Token: SeRestorePrivilege	2788	msiexec.exe
Token: SeTakeOwnershipPrivilege	2788	msiexec.exe
Token: SeRestorePrivilege	2788	msiexec.exe
Token: SeTakeOwnershipPrivilege	2788	msiexec.exe
Token: SeRestorePrivilege	2788	msiexec.exe
Token: SeTakeOwnershipPrivilege	2788	msiexec.exe
Token: SeRestorePrivilege	2788	msiexec.exe
Token: SeTakeOwnershipPrivilege	2788	msiexec.exe
Token: SeRestorePrivilege	2788	msiexec.exe
Token: SeTakeOwnershipPrivilege	2788	msiexec.exe
Token: SeRestorePrivilege	2788	msiexec.exe
Token: SeTakeOwnershipPrivilege	2788	msiexec.exe
Token: SeRestorePrivilege	2788	msiexec.exe
Token: SeTakeOwnershipPrivilege	2788	msiexec.exe
Token: SeRestorePrivilege	2788	msiexec.exe
Token: SeTakeOwnershipPrivilege	2788	msiexec.exe
Token: SeRestorePrivilege	2788	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1224	msiexec.exe
1224	msiexec.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2788 wrote to memory of 1492	2788	msiexec.exe	99
PID 2788 wrote to memory of 1492	2788	msiexec.exe	99
PID 2788 wrote to memory of 3596	2788	msiexec.exe	102
PID 2788 wrote to memory of 3596	2788	msiexec.exe	102
PID 2788 wrote to memory of 3596	2788	msiexec.exe	102
PID 3596 wrote to memory of 4352	3596	ReFB.exe	103
PID 3596 wrote to memory of 4352	3596	ReFB.exe	103
PID 3596 wrote to memory of 4352	3596	ReFB.exe	103
PID 4352 wrote to memory of 3304	4352	ReFB.exe	104
PID 4352 wrote to memory of 3304	4352	ReFB.exe	104
PID 4352 wrote to memory of 3304	4352	ReFB.exe	104
PID 4352 wrote to memory of 3304	4352	ReFB.exe	104
PID 3304 wrote to memory of 2684	3304	cmd.exe	111
PID 3304 wrote to memory of 2684	3304	cmd.exe	111
PID 3304 wrote to memory of 2684	3304	cmd.exe	111
PID 3304 wrote to memory of 2684	3304	cmd.exe	111

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Update_1.65.4.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1224

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2788
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:1492
- C:\Users\Admin\AppData\Local\Forfeiture\ReFB.exe
  "C:\Users\Admin\AppData\Local\Forfeiture\ReFB.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3596
- - C:\Users\Admin\AppData\Roaming\readertask_4\ReFB.exe
    C:\Users\Admin\AppData\Roaming\readertask_4\ReFB.exe
    3⤵
    - Suspicious use of SetThreadContext
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:4352
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\SysWOW64\cmd.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:3304
    - - C:\Windows\SysWOW64\explorer.exe
        
        C:\Windows\SysWOW64\explorer.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2684

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e583063.rbs

Filesize
9KB

MD5
5f580e8039f23060153ebed8b1b556de

SHA1
47bf54fd983a757ddb658f1c79142fdd777d400f

SHA256
c433c6b7c8f759f87f13f633117fc2e24835f63fe5f48e90a50c69501b2d4805

SHA512
de5ce805f0370e61b1ae7e791b2a01ed1dd735a64fe3821ca0c7799a2e4345daf16351e576ed557b09a4e926b1b7bf517b156102ea4f1cf1c9b4f0e899349bdc

Download Submit
C:\Users\Admin\AppData\Local\Forfeiture\QtCore4.dll

Filesize
2.5MB

MD5
fecc62a37d37d9759e6b02041728aa23

SHA1
0c5f646caef7a6e9073d58ed698f6cfbfb2883a3

SHA256
94c1395153d7758900979351e633ab68d22ae9b306ef8e253b712a1aab54c805

SHA512
698f90f1248dacbd4bdc49045a4e80972783d9dcec120d187abd08f5ef03224b511f7870320938b7e8be049c243ffb1c450c847429434ef2e2c09288cb9286a6

Download Submit
C:\Users\Admin\AppData\Local\Forfeiture\QtGui4.dll

Filesize
8.2MB

MD5
831ba3a8c9d9916bdf82e07a3e8338cc

SHA1
6c89fd258937427d14d5042736fdfccd0049f042

SHA256
d2c8c8b6cc783e4c00a5ef3365457d776dfc1205a346b676915e39d434f5a52d

SHA512
beda57851e0e3781ece1d0ee53a3f86c52ba99cb045943227b6c8fc1848a452269f2768bf4c661e27ddfbe436df82cfd1de54706d814f81797a13fefec4602c5

Download Submit
C:\Users\Admin\AppData\Local\Forfeiture\QtWebKit4.dll

Filesize
12.5MB

MD5
e75606f270507c11094945e46a0a87b0

SHA1
cd0b160c96f2124ab2d92847bc80739f813f76e6

SHA256
0148dd8159d46463ad5c5b51dfe23e2cc16b7b08a1c057708f573684c00ddde9

SHA512
ee0cb735ac2cd82cfa524799b172100773996620f1a62d655b5d6a83f2e09034ca233988303660ad2a01d8ac45f456a0e3c41539f6b8b21eccbe043917362ecc

Download Submit
C:\Users\Admin\AppData\Local\Forfeiture\ReFB.exe

Filesize
80KB

MD5
2a8613b7d99903516b8fe02fd820bf52

SHA1
78a96addcb556ab1d490fac80f929305263d06b9

SHA256
f1d68c5e7c7660d4f2ce412c109b7fe3e088872fa0ebe61ca9ab9dd92a496407

SHA512
af0902aeb6169ea507b787da7b61c3533df4610c3f51c1d8f65dfc9008c8ce2580f2d86a49a4d0acc2c51c731f3e4c447d0d1d8e779dc1c75e43d30b79c46436

Download Submit
C:\Users\Admin\AppData\Local\Forfeiture\cataract.css

Filesize
57KB

MD5
d1cc8a9122a2a717629f1a324610336c

SHA1
3329d052b890a577df9f77093a05643e545cb533

SHA256
623bc1dba626d13257b8bd2308dd1a268c5cf7a63d0bc25125045bac40052182

SHA512
a0bba719434f61e44c3055d97a5abcfd8ecb3ac51534d1e8bc1ccb04c29ecae60ee1ef37156d41ef5cc3447d5bda9be5329e17320e09ccd7679c045866054ea9

Download Submit
C:\Users\Admin\AppData\Local\Forfeiture\lollapalooza.m4a

Filesize
775KB

MD5
14116b49d2c306be3a5b16c0bface12e

SHA1
6c6fef088b4710f16d1098697dd9eeaa114bfab2

SHA256
17461e0f93ddf32026931fbfe7717368bcba30e660674b4a96d388e3bd8059cc

SHA512
c92a70bb66b32980ed324eb2848c63566e7d90f1050b2c21197ac0c40d3e4986f529a9455e4ef8c26da35cb89d9533af59ffc323c1b10bb3895b1d11c2f61aed

Download Submit
C:\Users\Admin\AppData\Local\Forfeiture\msvcp100.dll

Filesize
411KB

MD5
03e9314004f504a14a61c3d364b62f66

SHA1
0aa3caac24fdf9d9d4c618e2bbf0a063036cd55d

SHA256
a3ba6421991241bea9c8334b62c3088f8f131ab906c3cc52113945d05016a35f

SHA512
2fcff4439d2759d93c57d49b24f28ae89b7698e284e76ac65fe2b50bdefc23a8cc3c83891d671de4e4c0f036cef810856de79ac2b028aa89a895bf35abff8c8d

Download Submit
C:\Users\Admin\AppData\Local\Forfeiture\msvcr100.dll

Filesize
752KB

MD5
67ec459e42d3081dd8fd34356f7cafc1

SHA1
1738050616169d5b17b5adac3ff0370b8c642734

SHA256
1221a09484964a6f38af5e34ee292b9afefccb3dc6e55435fd3aaf7c235d9067

SHA512
9ed1c106df217e0b4e4fbd1f4275486ceba1d8a225d6c7e47b854b0b5e6158135b81be926f51db0ad5c624f9bd1d09282332cf064680dc9f7d287073b9686d33

Download Submit
C:\Users\Admin\AppData\Local\Temp\93e8caa

Filesize
1014KB

MD5
effa33b27a9dda3309c0cba13022eea6

SHA1
79c90c94ca7719044c5ec84a242925296859a42b

SHA256
aaab56d364eb6ef94c925d9c20d5d0644b12664d0ba1d6bec542056e8765570c

SHA512
ee61ee8cab1f825882188fbd66f93e556845139cbfd55d122e8f0923b084cbc0cf9eacefc154501a282c33c19151b1f9a6ecd600267c62b514b02f83e28f9ccd

Download Submit
C:\Users\Admin\AppData\Roaming\readertask_4\QtNetwork4.dll

Filesize
1.0MB

MD5
8a2e025fd3ddd56c8e4f63416e46e2ec

SHA1
5f58feb11e84aa41d5548f5a30fc758221e9dd64

SHA256
52ae07d1d6a467283055a3512d655b6a43a42767024e57279784701206d97003

SHA512
8e3a449163e775dc000e9674bca81ffabc7fecd9278da5a40659620cfc9cc07f50cc29341e74176fe10717b2a12ea3d5148d1ffc906bc809b1cd5c8c59de7ba1

Download Submit
C:\Windows\Installer\e583062.msi

Filesize
9.5MB

MD5
d330c09503e6c3d51cd2d3435de0795a

SHA1
5b7bbf5bc80f4b3863c263d1aed620faa4612c9d

SHA256
fbccc8952710a8a50655f4fe3a880c8373411b7ec40e54aabd7eaff3f1d0137b

SHA512
ed3abd52e47d36ca3637dbf3d738d6509049162dd3f084dc7b9c286f517be815c6825df2c1070f36ac4e4445e62919c44a37793fc4bc0761076608340c35610e

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
24.1MB

MD5
596ceccd2192bc86daff91294327fab4

SHA1
11095c48c0be905e9f23632156de08e3ccb7974d

SHA256
c344c0d78eceade58b64264e6da4d28287923ab16ad4ea48b884e42366c4e90e

SHA512
79ee6db790aaff3e26c809b937e43a8b008c5876b5c65f93ab2ebdedf7e2bd28d5c5e0e3a2de5054b71566f0fa53f8713db46b8b9d25d89e57bc8aca1d721efa

Download Submit
\??\Volume{612d9cf5-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{3592693c-0d3d-4563-9a67-a81cefe4cfc4}_OnDiskSnapshotProp

Filesize
6KB

MD5
be25ababc0b93df0e6591d88a72784eb

SHA1
0b9c0b7684a2f566b5b82d0771c146125858aeec

SHA256
98d765d580211a911b438c1c3efbc387196388b1074ecbbe9885e95e88c3b61a

SHA512
d0298cf5394e4fd3e266644439e52d7f2d1754fc62dd0f96b67eccbbf40267c8a9f57941d0ddc60b4001ca2fdb1327b874696d3584f1a103fcdef36caae28a24

Download Submit
memory/2684-87-0x00007FFB43BD0000-0x00007FFB43DC5000-memory.dmp

Filesize
2.0MB

Download
memory/2684-88-0x0000000000320000-0x0000000000377000-memory.dmp

Filesize
348KB

Download
memory/2684-89-0x0000000000320000-0x0000000000377000-memory.dmp

Filesize
348KB

Download
memory/3304-82-0x00007FFB43BD0000-0x00007FFB43DC5000-memory.dmp

Filesize
2.0MB

Download
memory/3304-85-0x0000000074290000-0x000000007440B000-memory.dmp

Filesize
1.5MB

Download
memory/3596-49-0x00007FFB43BD0000-0x00007FFB43DC5000-memory.dmp

Filesize
2.0MB

Download
memory/3596-48-0x0000000073DD0000-0x0000000073F4B000-memory.dmp

Filesize
1.5MB

Download
memory/4352-77-0x0000000074290000-0x000000007440B000-memory.dmp

Filesize
1.5MB

Download
memory/4352-79-0x0000000074290000-0x000000007440B000-memory.dmp

Filesize
1.5MB

Download
memory/4352-78-0x00007FFB43BD0000-0x00007FFB43DC5000-memory.dmp

Filesize
2.0MB

Download