lumma | 3a9369aefe2a1212ca0bfadc0925d0149caf6436d1d9934e35c976fc9194a344

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18-01-2025 21:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Browser_128_344_166.msi
Size

1.2MB
MD5

6265ad87754194af5bbd40aada2930a9
SHA1

211b19af5e77f153f431ac223b9c22e8a5275ae9
SHA256

3a9369aefe2a1212ca0bfadc0925d0149caf6436d1d9934e35c976fc9194a344
SHA512

fe16f9d906996db99c55ed815fbe5c3be722c49a1a916a89c71c46a7fd2b7c40f2dadabe54a7dfe38a78a85d2115dd34c276f881c910a8cd1505090a2db3779e
SSDEEP

24576:y/QsaepAxRKUMbZHkw92S1SBcKLmv47n4pQixafg9WPo7:BsTpAxrYMpmK41Mfg9N

Score

10^/10

lumma discovery persistence privilege_escalation stealer

Malware Config

Extracted

Family

lumma

https://handlequarte.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1360 set thread context of 2468	1360	steamerrorreporter.exe	37

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\f76e1a9.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\f76e1a8.msi	msiexec.exe
File created	C:\Windows\Installer\f76e1ab.msi	msiexec.exe
File created	C:\Windows\Installer\f76e1a8.msi	msiexec.exe
File created	C:\Windows\Installer\f76e1a9.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE282.tmp	msiexec.exe

Executes dropped EXE 2 IoCs

pid	Process
1232	steamerrorreporter.exe
1360	steamerrorreporter.exe

Loads dropped DLL 5 IoCs

pid	Process
1232	steamerrorreporter.exe
1232	steamerrorreporter.exe
1232	steamerrorreporter.exe
1360	steamerrorreporter.exe
1360	steamerrorreporter.exe

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
2172	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	steamerrorreporter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	steamerrorreporter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Modifies data under HKEY_USERS 43 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2432	msiexec.exe
2432	msiexec.exe
1232	steamerrorreporter.exe
1360	steamerrorreporter.exe
1360	steamerrorreporter.exe
2468	cmd.exe
2468	cmd.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
1360	steamerrorreporter.exe
2468	cmd.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2172	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2172	msiexec.exe
Token: SeRestorePrivilege	2432	msiexec.exe
Token: SeTakeOwnershipPrivilege	2432	msiexec.exe
Token: SeSecurityPrivilege	2432	msiexec.exe
Token: SeCreateTokenPrivilege	2172	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2172	msiexec.exe
Token: SeLockMemoryPrivilege	2172	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2172	msiexec.exe
Token: SeMachineAccountPrivilege	2172	msiexec.exe
Token: SeTcbPrivilege	2172	msiexec.exe
Token: SeSecurityPrivilege	2172	msiexec.exe
Token: SeTakeOwnershipPrivilege	2172	msiexec.exe
Token: SeLoadDriverPrivilege	2172	msiexec.exe
Token: SeSystemProfilePrivilege	2172	msiexec.exe
Token: SeSystemtimePrivilege	2172	msiexec.exe
Token: SeProfSingleProcessPrivilege	2172	msiexec.exe
Token: SeIncBasePriorityPrivilege	2172	msiexec.exe
Token: SeCreatePagefilePrivilege	2172	msiexec.exe
Token: SeCreatePermanentPrivilege	2172	msiexec.exe
Token: SeBackupPrivilege	2172	msiexec.exe
Token: SeRestorePrivilege	2172	msiexec.exe
Token: SeShutdownPrivilege	2172	msiexec.exe
Token: SeDebugPrivilege	2172	msiexec.exe
Token: SeAuditPrivilege	2172	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2172	msiexec.exe
Token: SeChangeNotifyPrivilege	2172	msiexec.exe
Token: SeRemoteShutdownPrivilege	2172	msiexec.exe
Token: SeUndockPrivilege	2172	msiexec.exe
Token: SeSyncAgentPrivilege	2172	msiexec.exe
Token: SeEnableDelegationPrivilege	2172	msiexec.exe
Token: SeManageVolumePrivilege	2172	msiexec.exe
Token: SeImpersonatePrivilege	2172	msiexec.exe
Token: SeCreateGlobalPrivilege	2172	msiexec.exe
Token: SeBackupPrivilege	3028	vssvc.exe
Token: SeRestorePrivilege	3028	vssvc.exe
Token: SeAuditPrivilege	3028	vssvc.exe
Token: SeBackupPrivilege	2432	msiexec.exe
Token: SeRestorePrivilege	2432	msiexec.exe
Token: SeRestorePrivilege	2876	DrvInst.exe
Token: SeRestorePrivilege	2876	DrvInst.exe
Token: SeRestorePrivilege	2876	DrvInst.exe
Token: SeRestorePrivilege	2876	DrvInst.exe
Token: SeRestorePrivilege	2876	DrvInst.exe
Token: SeRestorePrivilege	2876	DrvInst.exe
Token: SeRestorePrivilege	2876	DrvInst.exe
Token: SeLoadDriverPrivilege	2876	DrvInst.exe
Token: SeLoadDriverPrivilege	2876	DrvInst.exe
Token: SeLoadDriverPrivilege	2876	DrvInst.exe
Token: SeRestorePrivilege	2432	msiexec.exe
Token: SeTakeOwnershipPrivilege	2432	msiexec.exe
Token: SeRestorePrivilege	2432	msiexec.exe
Token: SeTakeOwnershipPrivilege	2432	msiexec.exe
Token: SeRestorePrivilege	2432	msiexec.exe
Token: SeTakeOwnershipPrivilege	2432	msiexec.exe
Token: SeRestorePrivilege	2432	msiexec.exe
Token: SeTakeOwnershipPrivilege	2432	msiexec.exe
Token: SeRestorePrivilege	2432	msiexec.exe
Token: SeTakeOwnershipPrivilege	2432	msiexec.exe
Token: SeRestorePrivilege	2432	msiexec.exe
Token: SeTakeOwnershipPrivilege	2432	msiexec.exe
Token: SeRestorePrivilege	2432	msiexec.exe
Token: SeTakeOwnershipPrivilege	2432	msiexec.exe
Token: SeRestorePrivilege	2432	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2172	msiexec.exe
2172	msiexec.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2432 wrote to memory of 1232	2432	msiexec.exe	35
PID 2432 wrote to memory of 1232	2432	msiexec.exe	35
PID 2432 wrote to memory of 1232	2432	msiexec.exe	35
PID 2432 wrote to memory of 1232	2432	msiexec.exe	35
PID 1232 wrote to memory of 1360	1232	steamerrorreporter.exe	36
PID 1232 wrote to memory of 1360	1232	steamerrorreporter.exe	36
PID 1232 wrote to memory of 1360	1232	steamerrorreporter.exe	36
PID 1232 wrote to memory of 1360	1232	steamerrorreporter.exe	36
PID 1360 wrote to memory of 2468	1360	steamerrorreporter.exe	37
PID 1360 wrote to memory of 2468	1360	steamerrorreporter.exe	37
PID 1360 wrote to memory of 2468	1360	steamerrorreporter.exe	37
PID 1360 wrote to memory of 2468	1360	steamerrorreporter.exe	37
PID 1360 wrote to memory of 2468	1360	steamerrorreporter.exe	37
PID 2468 wrote to memory of 2960	2468	cmd.exe	39
PID 2468 wrote to memory of 2960	2468	cmd.exe	39
PID 2468 wrote to memory of 2960	2468	cmd.exe	39
PID 2468 wrote to memory of 2960	2468	cmd.exe	39
PID 2468 wrote to memory of 2960	2468	cmd.exe	39

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Browser_128_344_166.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2172

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2432
- C:\Users\Admin\AppData\Local\Pulu\steamerrorreporter.exe
  "C:\Users\Admin\AppData\Local\Pulu\steamerrorreporter.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1232
- - C:\Users\Admin\AppData\Roaming\protectwriter\steamerrorreporter.exe
    C:\Users\Admin\AppData\Roaming\protectwriter\steamerrorreporter.exe
    3⤵
    - Suspicious use of SetThreadContext
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:1360
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\SysWOW64\cmd.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:2468
    - - C:\Windows\SysWOW64\explorer.exe
        
        C:\Windows\SysWOW64\explorer.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2960

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3028

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000328" "00000000000005A4"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f76e1aa.rbs

Filesize
8KB

MD5
5ba874879e033cea7b02d3e3b91d2384

SHA1
9e90cd3928df8e1ce8c4109143ae4a7ac6d2ee2e

SHA256
8d41a90f2fbda8676c810d234650bc020cef775aa17ceaa46dd676e00b2c2698

SHA512
3183c0982420ff8347c65537ec9eee39792b53d262e9d81e98e6563904c9acc34b469898bd7b89ed874b4faef54928ee36e51152b7fd87b6f0a1ee5f66e7fae5

Download Submit
C:\Users\Admin\AppData\Local\Pulu\bookmark.pkg

Filesize
807KB

MD5
bfa7cf4e086bfa4d7d705c00a8804993

SHA1
bab0b20067646f0ce6667bf295e1b1e27c8c8d45

SHA256
b522c814134b6f0ccfd956b332125a7b79875a50c546339547bacc75f0e4724f

SHA512
c1f23e06071fb5d1158a0c9d671e7c72924a45c335fc01cb5037a45755700d3aa8ffd24d4534394682625da42fbecfb01e4995a2ffaeb6416340ca3412533c33

Download Submit
C:\Users\Admin\AppData\Local\Pulu\camellia.ai

Filesize
35KB

MD5
ef4cc2dc2376885bd5fe462f2e2c2306

SHA1
569c6142aad7df78e15248e1ec330aa257c822c6

SHA256
a4e58970b06198c3ba9ccea820107cbb9ffd3e6a573cb88fac2b9cf1189bfdb9

SHA512
75c3911ff3d8fe1cdf3ac658f0ba8be7c1e23ada08fbac5ec0ef7315728c74e8a470b5f96c287f3e8c93e95bb08f5c60eba4246260e83d949dd980440cadb489

Download Submit
C:\Users\Admin\AppData\Local\Pulu\steamerrorreporter.exe

Filesize
560KB

MD5
dc1681b98049f1df46dd10d7f4c26045

SHA1
4c7f5cf7c00b6139979f8aa41f46979666369224

SHA256
594f9853124e0a81deeaaecb8ec3d192169e7393778214ef6d8f6460450ef080

SHA512
c9a2086326acbab8aba801da0d8bd2aa06951ec7fd7f32a3150f9521498c0b6711552695fbf9d0de7668503630c508bcd68e1d715796ef34f9945035da3fe1ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab8529.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar854B.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\d43ee63b

Filesize
1.0MB

MD5
ec6566662072c98dbc395cce7f9e95bb

SHA1
a84a0602fd2556757a3efdb0c00a96ab27e67640

SHA256
e6482cf91a8112d68a71fda50480c6643facbf9210ffc0d08260006abed12b65

SHA512
4f7d0b3688832b52c42b620b3dbea434e534afb6d5ec1ceea7636bae859a8150740850d984e922eb0d6fc1a01cf48b1b173e46593adbc64a7e150923a1ebe63b

Download Submit
C:\Windows\Installer\f76e1a8.msi

Filesize
1.2MB

MD5
6265ad87754194af5bbd40aada2930a9

SHA1
211b19af5e77f153f431ac223b9c22e8a5275ae9

SHA256
3a9369aefe2a1212ca0bfadc0925d0149caf6436d1d9934e35c976fc9194a344

SHA512
fe16f9d906996db99c55ed815fbe5c3be722c49a1a916a89c71c46a7fd2b7c40f2dadabe54a7dfe38a78a85d2115dd34c276f881c910a8cd1505090a2db3779e

Download Submit
\Users\Admin\AppData\Local\Pulu\tier0_s.dll

Filesize
330KB

MD5
86e38e6248c90cf7b79541f5cf565cce

SHA1
a746e8e6ee1a5010e5fa34cee7a3d29a11e9d035

SHA256
021152ff66cc6a397f1f2e26575d73c19c7e065ad23e2d811340abf759d6b2e8

SHA512
2d0d3238988e41ad47f0f35c6271e7f25379d3de5b949b63f795d80fbdb02594398fa3c7830418ff8feb67c6cac2ccd7d4ec64ade9fec2a1b072718215a9a54d

Download Submit
\Users\Admin\AppData\Local\Pulu\vstdlib_s.dll

Filesize
530KB

MD5
bf433279dfa1820d93ef9417fceaf306

SHA1
21dfda7d0ce11dba8f786c72d0a4db1dd3a82308

SHA256
3fa60435cba38c85310eeba1032bf1d305aeea2e4cf890c17966366d63d43963

SHA512
dd1823f68a25cb9d25d125267e9ea4fb0803ec0133b5fd183cf0d832ad1dceca53a8a7d4d79b94ce0b67ef3050334373ec80c211fa1ff8888c4a724d64a1b250

Download Submit
memory/1232-34-0x0000000074B40000-0x0000000074CB4000-memory.dmp

Filesize
1.5MB

Download
memory/1232-35-0x00000000774E0000-0x0000000077689000-memory.dmp

Filesize
1.7MB

Download
memory/1360-53-0x00000000774E0000-0x0000000077689000-memory.dmp

Filesize
1.7MB

Download
memory/1360-54-0x0000000074A50000-0x0000000074BC4000-memory.dmp

Filesize
1.5MB

Download
memory/1360-52-0x0000000074A50000-0x0000000074BC4000-memory.dmp

Filesize
1.5MB

Download
memory/2468-57-0x00000000774E0000-0x0000000077689000-memory.dmp

Filesize
1.7MB

Download
memory/2468-58-0x0000000074A50000-0x0000000074BC4000-memory.dmp

Filesize
1.5MB

Download
memory/2960-60-0x00000000774E0000-0x0000000077689000-memory.dmp

Filesize
1.7MB

Download
memory/2960-61-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2960-62-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download