lumma | d00a3e22e53210acbd5c3e39b85332e3d47c8ec001d2bbf7a13abb07427bbba2

Resubmissions

10-01-2025 20:32

250110-zbg4yswlht 10

10-01-2025 18:08

250110-wqvf2s1pfz 10

Analysis

max time kernel
143s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-01-2025 20:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DogusignReader1.26g.msi
Size

10.5MB
MD5

35f774e65e57f419fff8d8f74945ea51
SHA1

c3e1d2d50a9bbca445576e0d71c6984cc1dc60bb
SHA256

d00a3e22e53210acbd5c3e39b85332e3d47c8ec001d2bbf7a13abb07427bbba2
SHA512

34db08df1751754159ca37249dd8a66a811150e2a0bbdc020858f5ee55f9fb8ef763bb74bbb723633f79ea9fde8dd0feeb0c79e0c442ca6f15a8c6d8ffa58a26
SSDEEP

196608:xaZKIcPtwQbOmV7SPjZJrtiXPFsKASDdybmR67JU6OpkKM1sQT9nAJDPMRAl6q7r:Y3cPt30JrtiXdsKAcrR67J0kR1syAtMU

Score

10^/10

lumma discovery persistence privilege_escalation stealer

Malware Config

Extracted

Family

lumma

https://robinsharez.shop/api

https://handscreamny.shop/api

https://chipdonkeruz.shop/api

https://versersleep.shop/api

https://crowdwarek.shop/api

https://apporholis.shop/api

https://femalsabler.shop/api

https://soundtappysk.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1156 set thread context of 3184	1156	RttHlp.exe	99
PID 4416 set thread context of 2604	4416	RttHlp.exe	101

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\e57d810.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{9E7FC4DE-E781-4DF2-B3A9-BEB9E721ACAB}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID8FB.tmp	msiexec.exe
File created	C:\Windows\Installer\e57d812.msi	msiexec.exe
File created	C:\Windows\Installer\e57d810.msi	msiexec.exe

Executes dropped EXE 3 IoCs

pid	Process
1584	RttHlp.exe
4416	RttHlp.exe
1156	RttHlp.exe

Loads dropped DLL 19 IoCs

pid	Process
1584	RttHlp.exe
1584	RttHlp.exe
1584	RttHlp.exe
1584	RttHlp.exe
1584	RttHlp.exe
1584	RttHlp.exe
1584	RttHlp.exe
4416	RttHlp.exe
4416	RttHlp.exe
4416	RttHlp.exe
4416	RttHlp.exe
4416	RttHlp.exe
4416	RttHlp.exe
4416	RttHlp.exe
1156	RttHlp.exe
1156	RttHlp.exe
1156	RttHlp.exe
1156	RttHlp.exe
1156	RttHlp.exe

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
4012	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RttHlp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RttHlp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RttHlp.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000041ba55ff39bb976e0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000041ba55ff0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff00000000070001000068090041ba55ff000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d41ba55ff000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000041ba55ff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

GoLang User-Agent 6 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	58	Go-http-client/1.1
HTTP User-Agent header	59	Go-http-client/1.1
HTTP User-Agent header	67	Go-http-client/1.1
HTTP User-Agent header	75	Go-http-client/1.1
HTTP User-Agent header	76	Go-http-client/1.1
HTTP User-Agent header	79	Go-http-client/1.1

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
4776	msiexec.exe
4776	msiexec.exe
1584	RttHlp.exe
4416	RttHlp.exe
4416	RttHlp.exe
1156	RttHlp.exe
1156	RttHlp.exe
3184	cmd.exe
3184	cmd.exe
2604	cmd.exe
2604	cmd.exe

Suspicious behavior: MapViewOfSection 4 IoCs

pid	Process
1156	RttHlp.exe
4416	RttHlp.exe
3184	cmd.exe
2604	cmd.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4012	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4012	msiexec.exe
Token: SeSecurityPrivilege	4776	msiexec.exe
Token: SeCreateTokenPrivilege	4012	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4012	msiexec.exe
Token: SeLockMemoryPrivilege	4012	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4012	msiexec.exe
Token: SeMachineAccountPrivilege	4012	msiexec.exe
Token: SeTcbPrivilege	4012	msiexec.exe
Token: SeSecurityPrivilege	4012	msiexec.exe
Token: SeTakeOwnershipPrivilege	4012	msiexec.exe
Token: SeLoadDriverPrivilege	4012	msiexec.exe
Token: SeSystemProfilePrivilege	4012	msiexec.exe
Token: SeSystemtimePrivilege	4012	msiexec.exe
Token: SeProfSingleProcessPrivilege	4012	msiexec.exe
Token: SeIncBasePriorityPrivilege	4012	msiexec.exe
Token: SeCreatePagefilePrivilege	4012	msiexec.exe
Token: SeCreatePermanentPrivilege	4012	msiexec.exe
Token: SeBackupPrivilege	4012	msiexec.exe
Token: SeRestorePrivilege	4012	msiexec.exe
Token: SeShutdownPrivilege	4012	msiexec.exe
Token: SeDebugPrivilege	4012	msiexec.exe
Token: SeAuditPrivilege	4012	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4012	msiexec.exe
Token: SeChangeNotifyPrivilege	4012	msiexec.exe
Token: SeRemoteShutdownPrivilege	4012	msiexec.exe
Token: SeUndockPrivilege	4012	msiexec.exe
Token: SeSyncAgentPrivilege	4012	msiexec.exe
Token: SeEnableDelegationPrivilege	4012	msiexec.exe
Token: SeManageVolumePrivilege	4012	msiexec.exe
Token: SeImpersonatePrivilege	4012	msiexec.exe
Token: SeCreateGlobalPrivilege	4012	msiexec.exe
Token: SeBackupPrivilege	384	vssvc.exe
Token: SeRestorePrivilege	384	vssvc.exe
Token: SeAuditPrivilege	384	vssvc.exe
Token: SeBackupPrivilege	4776	msiexec.exe
Token: SeRestorePrivilege	4776	msiexec.exe
Token: SeRestorePrivilege	4776	msiexec.exe
Token: SeTakeOwnershipPrivilege	4776	msiexec.exe
Token: SeRestorePrivilege	4776	msiexec.exe
Token: SeTakeOwnershipPrivilege	4776	msiexec.exe
Token: SeRestorePrivilege	4776	msiexec.exe
Token: SeTakeOwnershipPrivilege	4776	msiexec.exe
Token: SeRestorePrivilege	4776	msiexec.exe
Token: SeTakeOwnershipPrivilege	4776	msiexec.exe
Token: SeRestorePrivilege	4776	msiexec.exe
Token: SeTakeOwnershipPrivilege	4776	msiexec.exe
Token: SeRestorePrivilege	4776	msiexec.exe
Token: SeTakeOwnershipPrivilege	4776	msiexec.exe
Token: SeRestorePrivilege	4776	msiexec.exe
Token: SeTakeOwnershipPrivilege	4776	msiexec.exe
Token: SeRestorePrivilege	4776	msiexec.exe
Token: SeTakeOwnershipPrivilege	4776	msiexec.exe
Token: SeRestorePrivilege	4776	msiexec.exe
Token: SeTakeOwnershipPrivilege	4776	msiexec.exe
Token: SeRestorePrivilege	4776	msiexec.exe
Token: SeTakeOwnershipPrivilege	4776	msiexec.exe
Token: SeRestorePrivilege	4776	msiexec.exe
Token: SeTakeOwnershipPrivilege	4776	msiexec.exe
Token: SeRestorePrivilege	4776	msiexec.exe
Token: SeTakeOwnershipPrivilege	4776	msiexec.exe
Token: SeRestorePrivilege	4776	msiexec.exe
Token: SeTakeOwnershipPrivilege	4776	msiexec.exe
Token: SeRestorePrivilege	4776	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4012	msiexec.exe
4012	msiexec.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 4776 wrote to memory of 4796	4776	msiexec.exe	92
PID 4776 wrote to memory of 4796	4776	msiexec.exe	92
PID 4776 wrote to memory of 1584	4776	msiexec.exe	94
PID 4776 wrote to memory of 1584	4776	msiexec.exe	94
PID 4776 wrote to memory of 1584	4776	msiexec.exe	94
PID 1584 wrote to memory of 4416	1584	RttHlp.exe	97
PID 1584 wrote to memory of 4416	1584	RttHlp.exe	97
PID 1584 wrote to memory of 4416	1584	RttHlp.exe	97
PID 4416 wrote to memory of 1156	4416	RttHlp.exe	98
PID 4416 wrote to memory of 1156	4416	RttHlp.exe	98
PID 4416 wrote to memory of 1156	4416	RttHlp.exe	98
PID 1156 wrote to memory of 3184	1156	RttHlp.exe	99
PID 1156 wrote to memory of 3184	1156	RttHlp.exe	99
PID 1156 wrote to memory of 3184	1156	RttHlp.exe	99
PID 4416 wrote to memory of 2604	4416	RttHlp.exe	101
PID 4416 wrote to memory of 2604	4416	RttHlp.exe	101
PID 4416 wrote to memory of 2604	4416	RttHlp.exe	101
PID 1156 wrote to memory of 3184	1156	RttHlp.exe	99
PID 4416 wrote to memory of 2604	4416	RttHlp.exe	101
PID 3184 wrote to memory of 1508	3184	cmd.exe	105
PID 3184 wrote to memory of 1508	3184	cmd.exe	105
PID 3184 wrote to memory of 1508	3184	cmd.exe	105
PID 3184 wrote to memory of 1508	3184	cmd.exe	105
PID 2604 wrote to memory of 1460	2604	cmd.exe	106
PID 2604 wrote to memory of 1460	2604	cmd.exe	106
PID 2604 wrote to memory of 1460	2604	cmd.exe	106
PID 2604 wrote to memory of 1460	2604	cmd.exe	106
PID 2604 wrote to memory of 1460	2604	cmd.exe	106

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\DogusignReader1.26g.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4012

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4776
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:4796
- C:\Users\Admin\AppData\Local\Yarrow\RttHlp.exe
  "C:\Users\Admin\AppData\Local\Yarrow\RttHlp.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1584
- - C:\Users\Admin\AppData\Roaming\configRemote_PZ4\RttHlp.exe
    C:\Users\Admin\AppData\Roaming\configRemote_PZ4\RttHlp.exe
    3⤵
    - Suspicious use of SetThreadContext
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:4416
  - - C:\Users\Admin\AppData\Roaming\configRemote_PZ4\GDXSPGEPLYUNRE\RttHlp.exe
      C:\Users\Admin\AppData\Roaming\configRemote_PZ4\GDXSPGEPLYUNRE\RttHlp.exe
      4⤵
      Suspicious use of SetThreadContext
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:1156
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:3184
      - C:\Windows\SysWOW64\explorer.exe
        
        C:\Windows\SysWOW64\explorer.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1508
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\SysWOW64\cmd.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:2604
    - - C:\Windows\SysWOW64\explorer.exe
        
        C:\Windows\SysWOW64\explorer.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1460

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57d811.rbs

Filesize
8KB

MD5
3e1e0b137801ee2440fe01f37a3abd67

SHA1
2813aee14c97f34efdef6a1305d9ba766d03dfc4

SHA256
436b3bee521a266e7ba7d9056ba7cedb3f35e06e46b959400c078f5ad6ea23eb

SHA512
bac7147b53a50d50dda23acd4fbba6d597000c75d0c6d77ab24a25ed907b9f738296ccd969abe8e630317594e0fb4f277eaf6088003fb794a9655ebb2f6fd6df

Download Submit
C:\Users\Admin\AppData\Local\Temp\98e0e8c9

Filesize
12.9MB

MD5
ba49c6c82b617efb8e60236dd5f0b697

SHA1
f92b82e43ef773909f492eb4a1a90a81a14106d9

SHA256
6ffe17ca77a1e6a3e2a7356c91bece9900b625b62b534ca3342461c47bd82766

SHA512
d3a91237ba3be8c21d4c14b1c5af1dcb56e4fb113557684a5bbad8b855a1d009df57d4d23c3f554fd6370cc7fbae1680b8b6cd7cd87fcbef705c8ff659f805e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\9c7950b4

Filesize
1.0MB

MD5
b497b4bf35ec28b156aabb2d28f81539

SHA1
2630f736f945941360be70ea71ad3797e59e4a75

SHA256
0dd8687071419038a20bca4b81e73f48e53c4bc0c4de1a20111b35a92b00f635

SHA512
f58a944b8ef4d6ba496c5737daf63ad09f8517ecb4eab9f65d15f0479197a9c76f34b2e4c9e995911008ca171506984624a3f0fc849670bcd567bf9cd87bcef6

Download Submit
C:\Users\Admin\AppData\Local\Yarrow\Register.dll

Filesize
1.0MB

MD5
40b9628354ef4e6ef3c87934575545f4

SHA1
8fb5da182dea64c842953bf72fc573a74adaa155

SHA256
372b14fce2eb35b264f6d4aeef7987da56d951d3a09ef866cf55ed72763caa12

SHA512
02b0ea82efbfbe2e7308f86bfbec7a5109f3fe91d42731812d2e46aebedce50aabc565d2da9d3fbcd0f46febbff49c534419d1a91e0c14d5a80f06b74888c641

Download Submit
C:\Users\Admin\AppData\Local\Yarrow\RttHlp.exe

Filesize
135KB

MD5
a2d70fbab5181a509369d96b682fc641

SHA1
22afcdc180400c4d2b9e5a6db2b8a26bff54dd38

SHA256
8aed681ad8d660257c10d2f0e85ae673184055a341901643f27afc38e5ef8473

SHA512
219c6e7e88004fad9f4392be9a852c58fc43b7f6900e40370991427f37eaea5c18f48d2954f9479dde8bcb787345f4e292d5620add8224aec4d93d7968820b83

Download Submit
C:\Users\Admin\AppData\Local\Yarrow\burro.ini

Filesize
10.5MB

MD5
95a61e7f85bc8b48e6e52992d39eefc6

SHA1
df90ab3e50a7e566948ff56dde540139d23934c0

SHA256
0cea6a8a1b71eaaf329b70552ebe353d1a468ae2da5ac9c018d1927b55406bf5

SHA512
7a2ebb2caebe5efed73b701ee96a7880dea32301776a16beb288ab008531b396d06e36f6d0c4e60590c02355b4e1fc206e1468bc181042900fc18bc7b9f20086

Download Submit
C:\Users\Admin\AppData\Local\Yarrow\magnesium.csv

Filesize
52KB

MD5
038c02b1cdce1b2738c09d9d2b8bbd74

SHA1
0f20d6c4a1cb65ca8a33c613b0f297148f9a39b2

SHA256
ff5f5110ca6ca5d57db34ec4ea566d28d4b2535d71540331448711a25a89b3f4

SHA512
afb692a8bddf29feb352a3129165c045187c5a41ac134515d5d5ff884b26f24789113929e9c49f0277b8e509755566f5725be05d15a268fd07f03771ab004717

Download Submit
C:\Users\Admin\AppData\Local\Yarrow\rtl120.bpl

Filesize
1.1MB

MD5
adf82ed333fb5567f8097c7235b0e17f

SHA1
e6ccaf016fc45edcdadeb40da64c207ddb33859f

SHA256
d6dd7a4f46f2cfde9c4eb9463b79d5ff90fc690da14672ba1da39708ee1b9b50

SHA512
2253c7b51317a3b5734025b6c7639105dbc81c340703718d679a00c13d40dd74ccaba1f6d04b21ee440f19e82ba680aa4b2a6a75c618aed91bd85a132be9fc92

Download Submit
C:\Users\Admin\AppData\Local\Yarrow\vcl120.bpl

Filesize
1.9MB

MD5
37c89f8997af129d230837c87997b737

SHA1
5031df412eaf09cc72688e7865e4604cda6c2fbd

SHA256
f3ea5d6457089b4c4ab207f0b96dd5f321cdc7b3360ca27cd6ed273ec25d807e

SHA512
3ede7277cb8d16c83e65bb6e6626f30b124ff9cb1579cfc8fbea7358489f9520d416238e998707219b4b0debb6cc1fc2634133f2fe9457a840d8b2bc76ddb3bf

Download Submit
C:\Users\Admin\AppData\Roaming\configRemote_PZ4\GDXSPGEPLYUNRE\burro.ini

Filesize
791KB

MD5
28431839e39dffad0485cc51b34c705f

SHA1
0b63857ea0abe841fdae8fd8b9f9b3ef0af881a0

SHA256
d832c2fd66e09b3eb829901fa6e7a2b610a398d8e007d6352edf4763ea3ce363

SHA512
cca16a18f52f2d059308214897673acd48cfca144a5075fba372ad33b8c645d202ebf32576d9d299d95e37e059d78dfdf70f7e844c479bd8c8484dc06bfe9d03

Download Submit
C:\Windows\Installer\e57d810.msi

Filesize
10.5MB

MD5
35f774e65e57f419fff8d8f74945ea51

SHA1
c3e1d2d50a9bbca445576e0d71c6984cc1dc60bb

SHA256
d00a3e22e53210acbd5c3e39b85332e3d47c8ec001d2bbf7a13abb07427bbba2

SHA512
34db08df1751754159ca37249dd8a66a811150e2a0bbdc020858f5ee55f9fb8ef763bb74bbb723633f79ea9fde8dd0feeb0c79e0c442ca6f15a8c6d8ffa58a26

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
24.1MB

MD5
796de20cffaa1f2436972e1ed00b5be0

SHA1
a2f2ada8d6586f1cf735d1532f1f752a39b430ca

SHA256
65a6971da4a87a26d194742fb6a8fa9f3d56c2659f89a54037303ffec0693357

SHA512
ed09d2cc5db0401f1f8abd540ce66da8abf492af2b24f58ce7fbb298be851691d6532ee48acbd0e9ea06dc41360eea575c77d4407463b3599ff57cbd86b5b7c0

Download Submit
\??\Volume{ff55ba41-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{0fc29244-0a4e-4784-bda6-8bca21bbde46}_OnDiskSnapshotProp

Filesize
6KB

MD5
afdb2563b71f582c50f1fc1621ab8eb4

SHA1
1d87489f1582afdfc77bffd9f653ef055602221c

SHA256
672d057d6281c8330a3c26376895e2e2513e7836001f8eaaeccd7fad98e888c3

SHA512
ea36f136f580106adaaae156d34c13aa38d767e878e26b2c2066b7ea0d4b03aa6c5e1c1830d3d9f30e18fecb856f7aec81a6cd846a34c0e33b424fc543b30ca6

Download Submit
memory/1156-101-0x0000000050000000-0x0000000050116000-memory.dmp

Filesize
1.1MB

Download
memory/1156-102-0x0000000050120000-0x000000005030D000-memory.dmp

Filesize
1.9MB

Download
memory/1156-98-0x0000000074E70000-0x0000000074FEB000-memory.dmp

Filesize
1.5MB

Download
memory/1156-96-0x00007FFC2C1F0000-0x00007FFC2C3E5000-memory.dmp

Filesize
2.0MB

Download
memory/1156-95-0x0000000074E70000-0x0000000074FEB000-memory.dmp

Filesize
1.5MB

Download
memory/1460-133-0x0000000000D40000-0x00000000014B4000-memory.dmp

Filesize
7.5MB

Download
memory/1460-130-0x0000000000D40000-0x00000000014B4000-memory.dmp

Filesize
7.5MB

Download
memory/1460-131-0x0000000000D40000-0x00000000014B4000-memory.dmp

Filesize
7.5MB

Download
memory/1460-132-0x0000000000D40000-0x00000000014B4000-memory.dmp

Filesize
7.5MB

Download
memory/1460-135-0x0000000000D40000-0x00000000014B4000-memory.dmp

Filesize
7.5MB

Download
memory/1460-136-0x0000000000D40000-0x00000000014B4000-memory.dmp

Filesize
7.5MB

Download
memory/1460-122-0x0000000000D40000-0x00000000014B4000-memory.dmp

Filesize
7.5MB

Download
memory/1460-121-0x00007FFC2C1F0000-0x00007FFC2C3E5000-memory.dmp

Filesize
2.0MB

Download
memory/1460-137-0x0000000000D40000-0x00000000014B4000-memory.dmp

Filesize
7.5MB

Download
memory/1508-125-0x0000000000670000-0x00000000006CA000-memory.dmp

Filesize
360KB

Download
memory/1508-118-0x00007FFC2C1F0000-0x00007FFC2C3E5000-memory.dmp

Filesize
2.0MB

Download
memory/1508-120-0x0000000000670000-0x00000000006CA000-memory.dmp

Filesize
360KB

Download
memory/1584-44-0x00007FFC2C1F0000-0x00007FFC2C3E5000-memory.dmp

Filesize
2.0MB

Download
memory/1584-54-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1584-55-0x0000000050000000-0x0000000050116000-memory.dmp

Filesize
1.1MB

Download
memory/1584-56-0x0000000050120000-0x000000005030D000-memory.dmp

Filesize
1.9MB

Download
memory/1584-43-0x0000000074E70000-0x0000000074FEB000-memory.dmp

Filesize
1.5MB

Download
memory/2604-114-0x00007FFC2C1F0000-0x00007FFC2C3E5000-memory.dmp

Filesize
2.0MB

Download
memory/3184-115-0x0000000074E70000-0x0000000074FEB000-memory.dmp

Filesize
1.5MB

Download
memory/3184-107-0x00007FFC2C1F0000-0x00007FFC2C3E5000-memory.dmp

Filesize
2.0MB

Download
memory/4416-105-0x0000000050000000-0x0000000050116000-memory.dmp

Filesize
1.1MB

Download
memory/4416-97-0x0000000074E70000-0x0000000074FEB000-memory.dmp

Filesize
1.5MB

Download
memory/4416-72-0x0000000074E70000-0x0000000074FEB000-memory.dmp

Filesize
1.5MB

Download
memory/4416-70-0x00007FFC2C1F0000-0x00007FFC2C3E5000-memory.dmp

Filesize
2.0MB

Download
memory/4416-69-0x0000000074E70000-0x0000000074FEB000-memory.dmp

Filesize
1.5MB

Download