lumma | 828b3c4a8e2c1eddc6bc54c1928ec562a9d4254f84a5545fa83d23419686240c

Analysis

max time kernel
19s
max time network
24s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-01-2025 17:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Bootstrapper.exe
Size

120.0MB
MD5

6a4e34aa83f72c212e76e1c228af6666
SHA1

bff7c730078f0ccf5aa00c52ec0cc2fe38bd1f56
SHA256

828b3c4a8e2c1eddc6bc54c1928ec562a9d4254f84a5545fa83d23419686240c
SHA512

37f0d3ad8017357164aaed7664ce628491d5215c686fc798698db6d6b0f15705052dd6a10d39e8b5c98c6ba62e0f0eb451d581e3ecff530bd96cd4fb80998cfc
SSDEEP

24576:utnbbEhDUbdE6bLdFiClougeEqsseyHCIAtcVZ0EIrGFTb7Tb7j:MEs/PdlhgPqsseyQtxE/Fr

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://deedcompetlk.cyou/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Executes dropped EXE 1 IoCs

pid	Process
1884	Folding.com

Loads dropped DLL 1 IoCs

pid	Process
2880	cmd.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
2728	tasklist.exe
2608	tasklist.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\UploadedNegotiations	Bootstrapper.exe
File opened for modification	C:\Windows\PermalinkModerator	Bootstrapper.exe
File opened for modification	C:\Windows\NeitherRelax	Bootstrapper.exe
File opened for modification	C:\Windows\EmpiricalPl	Bootstrapper.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Folding.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bootstrapper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1884	Folding.com
1884	Folding.com
1884	Folding.com

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2728	tasklist.exe
Token: SeDebugPrivilege	2608	tasklist.exe

Suspicious use of FindShellTrayWindow 29 IoCs

pid	Process
1884	Folding.com
1884	Folding.com
1884	Folding.com
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe

Suspicious use of SendNotifyMessage 28 IoCs

pid	Process
1884	Folding.com
1884	Folding.com
1884	Folding.com
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2532 wrote to memory of 2880	2532	Bootstrapper.exe	30
PID 2532 wrote to memory of 2880	2532	Bootstrapper.exe	30
PID 2532 wrote to memory of 2880	2532	Bootstrapper.exe	30
PID 2532 wrote to memory of 2880	2532	Bootstrapper.exe	30
PID 2880 wrote to memory of 2728	2880	cmd.exe	32
PID 2880 wrote to memory of 2728	2880	cmd.exe	32
PID 2880 wrote to memory of 2728	2880	cmd.exe	32
PID 2880 wrote to memory of 2728	2880	cmd.exe	32
PID 2880 wrote to memory of 2612	2880	cmd.exe	33
PID 2880 wrote to memory of 2612	2880	cmd.exe	33
PID 2880 wrote to memory of 2612	2880	cmd.exe	33
PID 2880 wrote to memory of 2612	2880	cmd.exe	33
PID 2880 wrote to memory of 2608	2880	cmd.exe	35
PID 2880 wrote to memory of 2608	2880	cmd.exe	35
PID 2880 wrote to memory of 2608	2880	cmd.exe	35
PID 2880 wrote to memory of 2608	2880	cmd.exe	35
PID 2880 wrote to memory of 2620	2880	cmd.exe	36
PID 2880 wrote to memory of 2620	2880	cmd.exe	36
PID 2880 wrote to memory of 2620	2880	cmd.exe	36
PID 2880 wrote to memory of 2620	2880	cmd.exe	36
PID 2880 wrote to memory of 2444	2880	cmd.exe	37
PID 2880 wrote to memory of 2444	2880	cmd.exe	37
PID 2880 wrote to memory of 2444	2880	cmd.exe	37
PID 2880 wrote to memory of 2444	2880	cmd.exe	37
PID 2880 wrote to memory of 2600	2880	cmd.exe	38
PID 2880 wrote to memory of 2600	2880	cmd.exe	38
PID 2880 wrote to memory of 2600	2880	cmd.exe	38
PID 2880 wrote to memory of 2600	2880	cmd.exe	38
PID 2880 wrote to memory of 2504	2880	cmd.exe	39
PID 2880 wrote to memory of 2504	2880	cmd.exe	39
PID 2880 wrote to memory of 2504	2880	cmd.exe	39
PID 2880 wrote to memory of 2504	2880	cmd.exe	39
PID 2880 wrote to memory of 1544	2880	cmd.exe	40
PID 2880 wrote to memory of 1544	2880	cmd.exe	40
PID 2880 wrote to memory of 1544	2880	cmd.exe	40
PID 2880 wrote to memory of 1544	2880	cmd.exe	40
PID 2880 wrote to memory of 1728	2880	cmd.exe	41
PID 2880 wrote to memory of 1728	2880	cmd.exe	41
PID 2880 wrote to memory of 1728	2880	cmd.exe	41
PID 2880 wrote to memory of 1728	2880	cmd.exe	41
PID 2880 wrote to memory of 1884	2880	cmd.exe	42
PID 2880 wrote to memory of 1884	2880	cmd.exe	42
PID 2880 wrote to memory of 1884	2880	cmd.exe	42
PID 2880 wrote to memory of 1884	2880	cmd.exe	42
PID 2880 wrote to memory of 1852	2880	cmd.exe	43
PID 2880 wrote to memory of 1852	2880	cmd.exe	43
PID 2880 wrote to memory of 1852	2880	cmd.exe	43
PID 2880 wrote to memory of 1852	2880	cmd.exe	43
PID 1432 wrote to memory of 2496	1432	chrome.exe	46
PID 1432 wrote to memory of 2496	1432	chrome.exe	46
PID 1432 wrote to memory of 2496	1432	chrome.exe	46
PID 1432 wrote to memory of 2992	1432	chrome.exe	47
PID 1432 wrote to memory of 2992	1432	chrome.exe	47
PID 1432 wrote to memory of 2992	1432	chrome.exe	47
PID 1432 wrote to memory of 2992	1432	chrome.exe	47
PID 1432 wrote to memory of 2992	1432	chrome.exe	47
PID 1432 wrote to memory of 2992	1432	chrome.exe	47
PID 1432 wrote to memory of 2992	1432	chrome.exe	47
PID 1432 wrote to memory of 2992	1432	chrome.exe	47
PID 1432 wrote to memory of 2992	1432	chrome.exe	47
PID 1432 wrote to memory of 2992	1432	chrome.exe	47
PID 1432 wrote to memory of 2992	1432	chrome.exe	47
PID 1432 wrote to memory of 2992	1432	chrome.exe	47
PID 1432 wrote to memory of 2992	1432	chrome.exe	47

C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2532
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy Briefly Briefly.cmd & Briefly.cmd
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2880
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2728
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2612
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2608
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2620
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 347157
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2444
- - C:\Windows\SysWOW64\extrac32.exe
    extrac32 /Y /E National
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2600
- - C:\Windows\SysWOW64\findstr.exe
    findstr /V "Cheese" Difficulties
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2504
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b 347157\Folding.com + Saddam + Visa + Bowling + Rt + Chapters + Advertise + Continuous + Accessibility + Destruction + Architectural + Any 347157\Folding.com
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1544
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Basement + ..\Florida + ..\Passenger + ..\Msg + ..\Welding + ..\Terrace + ..\Stretch j
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1728
- - C:\Users\Admin\AppData\Local\Temp\347157\Folding.com
    Folding.com j
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1884
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1852

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7b09758,0x7fef7b09768,0x7fef7b09778
  2⤵
  PID:2496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1152 --field-trial-handle=1516,i,16328234643211807177,5799422412469262767,131072 /prefetch:2
  2⤵
  PID:2992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1392 --field-trial-handle=1516,i,16328234643211807177,5799422412469262767,131072 /prefetch:8
  2⤵
  PID:1800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1612 --field-trial-handle=1516,i,16328234643211807177,5799422412469262767,131072 /prefetch:8
  2⤵
  PID:1780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2268 --field-trial-handle=1516,i,16328234643211807177,5799422412469262767,131072 /prefetch:1
  2⤵
  PID:2436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2280 --field-trial-handle=1516,i,16328234643211807177,5799422412469262767,131072 /prefetch:1
  2⤵
  PID:1628

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\347157\Folding.com

Filesize
1KB

MD5
bc0c466ea461f70dc2bab92020f1e643

SHA1
f17c66912508e95eac59bda2e773849600471a88

SHA256
f3c6eb4b4f81b5e1aa458d46225dccd651a2d44d1367a14718b6bb76beec1de1

SHA512
b1d03c359b8fcf46e7f07536004f7d11ab7bdd0cb044ca7bcfe63501428c4c93e43591e8367e5676478da8d554e4bd579cb6e37dc617f97f8a54a372361073c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\347157\Folding.com

Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
C:\Users\Admin\AppData\Local\Temp\347157\j

Filesize
494KB

MD5
549720d78c44a4ca96f98a02d7376be0

SHA1
c18a7ddd59ea61df41acfac5544aadc72bb6acba

SHA256
37204d5c24cd97f012e61ba6c4aab3f6bd8778237ecbec3080fa54bfa5dcaf67

SHA512
392674f314a993f0eb2e22354a9922b006e28b01cb2abdf416a188e48b8fbbea8df93cb793cefd6e91259b7de71c502ac1e5c33273d94e1a3671ee1147cbdab4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Accessibility

Filesize
118KB

MD5
539587208032af4b529a60d530f100a4

SHA1
ef39ddfa82f53bde5a674e51318aa3ce9a8789b2

SHA256
bcee5e27e34159419173575bf6e22e23f0dad46cf6fa6aa84a1bb01c96516662

SHA512
4c261199485e6a40ce46147c98e244f1297446115ebd6c944a29e4242b361816980ccb6096286c8f9dbec00f13ea9fdfa417648980bf06721abc866630c5e53f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Advertise

Filesize
55KB

MD5
eaab0c7db38adca2364923dc1bb8bacf

SHA1
182819623bdee90678ae233b8094d05e51d48d68

SHA256
5a5c226453b9c7c7f7bdb980ad2a02838456f9420d182d14c7336f8264a894f0

SHA512
53d2c6559e2d1e71b62f91444608f1e61a246433499b75d6e3193cfd645ac4af3c4e4e1359da02b522d1e121de31f51d0010d96e8ef435a92328cef69aba4910

Download Submit
C:\Users\Admin\AppData\Local\Temp\Any

Filesize
15KB

MD5
59051edf957c7f4fec5e278f07cfdaa9

SHA1
409217185334c187412941583e5814753d3f670f

SHA256
71cb36f1506fa645a90a6f06619b67c4f2f0e1e0140bac2e6f8a91ed1988446f

SHA512
f1897fa7dcc38c845cc3862f1eb33d493ca6c09338a6a7817fac6e99a72ecd07001a84e1935eccddf58e163fd8396c3333fad4c365cd5c8ade281dbc84735aba

Download Submit
C:\Users\Admin\AppData\Local\Temp\Architectural

Filesize
102KB

MD5
ac3b8c0b9d965801a696519bc3bce457

SHA1
c2fb54f9d7ffbbea6e5db175ca214eccc0b8ee7c

SHA256
fbc3b647efe255870931d9dfa77a43c7248a7d8613712bcf0663862a4e97fb66

SHA512
0aeeb7d05c46063a892b3aae756bfb92f245aae66c2fcd4c34610a348ad0c0904addabb99d97ca0c9c3cba3df7e8e96500f084b840487a9ed2582d1badf638c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Basement

Filesize
63KB

MD5
44a805a4e5ba191661485ef167275506

SHA1
45c2594c944f02e5260bd97a185c2f21ab232182

SHA256
e394dccd197c59fa4e2da7146174485a6681946d34faa3007bd5c1419d7125e0

SHA512
a3a8f7283ca0a0ae16b21f2b81b9cd48b953112c50e64b99daba378cd0e098108512566208365db4bb7b78355439f94bbcace6f5169091fab0202cf7d55f1952

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bowling

Filesize
106KB

MD5
7cbcc0fbb084bead6d5bbb8a00cbb997

SHA1
75bfaaa5232ab2cf9f2291ee1ce08f2acb076ebb

SHA256
e0a98926b1e0968481640078ac6b833af96773a7f715851634346379f282795d

SHA512
6b33f8afe19a28e5b300e8a32c3ec98a0365fc1594c693c4527d9b0275f46f6558c50e29417499650d9c1ea7091ea7af340c4111b90af06c5ab4277170170c9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Briefly

Filesize
23KB

MD5
bb009bb1ab11657dd763b3a85e90f26f

SHA1
32fb786e48105f1574e8d345e66d2b16fc051d6e

SHA256
e7b3f1da61a207080f7859d12764b1243ce5c84beaf1a7f026b3d0da5f9dec4c

SHA512
ac73396967c496b93f8d4084537a286b4d5fe1315b0fd5992b03cc019521c1c25bafcb9826f85af59495a01ec711a2ec789c43af5befa46557f99224d0ce92bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Chapters

Filesize
56KB

MD5
19f399e75e91c4917cce10422db7b0fb

SHA1
145fb431681a91d64a77b0ca99ba31b4ed7457b9

SHA256
bbe32640a1be9b9dc5570043a2c72bd3d1da1e3480e61e41a1dc8daa42b07bd7

SHA512
25b85fe872e3e9fc5e70d3dfd1647a6bbf2919d67126bb9007dcc61aae549d64a9b79fd3c05bc996202b03630420ecb4eb5b5613d0a1adeab0d2670e6a5aff6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Continuous

Filesize
119KB

MD5
87cfc9cbddca81f037640e23869fd727

SHA1
e71c0a8106944e238edba3b2d6194cf5cb383168

SHA256
f648aed5047fa8e5b99ce81cf85f05f4cfb193b8b349e6e5656e5c6dd0917cb2

SHA512
2a3c9bbdbd222f9328b1379de025bff3f8d2c693fe68558cdb24a516ee7c9ac6615a9d1d62e4682532f8567138e67e6c26b6c7068d87b00415fc915172928e4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Destruction

Filesize
75KB

MD5
e9ed56e42470ceb7a46263c49b9d8110

SHA1
13794b6f705be789af214a4f81585dee3710512b

SHA256
d97494026b70f37cabc0ac614f54206ae2c5a5ab601b71888ae6491241dc2b20

SHA512
ca1c0f00a68267274e9d31f3a2de0fb34ccfce0a57d67ffe76633fe1a156c05f1381b0c696f75898fd8b370cb8a6e56174bdfb43729ab2668e444ee6748d8040

Download Submit
C:\Users\Admin\AppData\Local\Temp\Difficulties

Filesize
1KB

MD5
d2ac6356ed5ed3a32e46acb2f47d68f5

SHA1
e41205fe32c1ed0cc4a265e942dd472a76a22592

SHA256
6b6a43352b0b87107609d9c91992b30069200b308e5a2a50ed5a931315f82bdc

SHA512
47bafca4c789c7fad4db0534a93b8c7b659abb999393425f58d9b28ba553be1cc45b9001da1d5820e65b107034f48cd441c6855c7d7fc08117985d81054394a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Florida

Filesize
81KB

MD5
35ee0a5fee1964bd57f2c66347d726df

SHA1
d37bb5ba2456a310891f93d8e9ae1ad196dabcf6

SHA256
9b8ab89609b074479bc9fe749e12792c34ab4799ea7ea5ac67cdd3758a1c1181

SHA512
2006b993a36599a56131d744ea750a3de3d5eeb629d111d751d552e86cf3a4ea1c7d9b9dbb727e77b65ec8684cf0f22476840aed73df15186041b087476c0689

Download Submit
C:\Users\Admin\AppData\Local\Temp\Msg

Filesize
91KB

MD5
478eae0d2d8bc46181226c275688315d

SHA1
674d1c954b6ba8bc77ea6e112912b2fbde64fbeb

SHA256
aae6d5fc0e80a6033d55b81e05db13c66604f5fe453f78440de3912a44c553c1

SHA512
9833ef8d0d29cbf1b1738eefd4c175a169c770f70f2699bde703092e5102439c779e7474866534bba6b58f49d160a49be0750b686c171415191ddb10469eb26d

Download Submit
C:\Users\Admin\AppData\Local\Temp\National

Filesize
478KB

MD5
f5406ccecddc6c9bd30ed30343c756ab

SHA1
080ebf3593ee3c272e7e4f7c98fee6d326da45f8

SHA256
a46bd5c1472f8b655ace3314ca667d39b10d989b6f8ed17b6c753b8b947a6938

SHA512
a25eba5ea58855e65c529b858399b1574ccbed89038e90d50170562eceb11efba4f16242d54ad3b5232edc11f3f61109bbafc4398124c1bb45e43693657b1e81

Download Submit
C:\Users\Admin\AppData\Local\Temp\Passenger

Filesize
68KB

MD5
355fafaeefdaaa291b3f48356e24216c

SHA1
c675a50bffcf18f357966ec51e0adaf05a25b86b

SHA256
d3210c22706049ab7ca2304fd17507bfa4a842af579a00b60644e09178f9fddb

SHA512
f2fb4e46b4d6b24cba584e51c6a43e8ed1174a5048a69bd61a6e24e2772f389e55c2f6384d1ffe7c6f44eab8a6fe059608e39a0a60ad30f06eb63589c723ab4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rt

Filesize
86KB

MD5
fc6c4e0bdb11443834c6af5b2ff6e6bb

SHA1
3c4bf0970e36371844c9a27a041fd09cbf65cf56

SHA256
445d2c74ae1ba5af2eba4cc4a4deeabbda1ef920e272ce9f54a7d9374eb23402

SHA512
9588272669bf2ecf277c83c836be28d4757a21b033e9919747fc11a7767abaf5d3af002d3379626b65e537aaa8fd2e30113994353592bcee577f3fbdd02dea5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Saddam

Filesize
54KB

MD5
7b8c4652937f053027395d23ef6c5b93

SHA1
3e203439da403069184a56d40d00b51e8a03a2cf

SHA256
733b3e2f49984688e345d1acb07d22c9d5e44742f572fd610c114c50c04c3024

SHA512
67b5aac27923f00fa7e39cefb6adc6714845cc9e3db51aa2fe8c910e09f95b2fe46ddc901257afa63ede0988792ee6245089ea419bd257e53f05c926793de929

Download Submit
C:\Users\Admin\AppData\Local\Temp\Stretch

Filesize
58KB

MD5
110f9b2d470e415d55f8a0d78ae1f8a1

SHA1
eeb9c0bf82f9a797fceed7d9725221348f45dcf1

SHA256
fbafdc9359e5294e8410d3862aee050c5cc03aec557bd83345bdca27981c0138

SHA512
1a8bf9fe93ff1b8cff52191bae71fed8822f4d99dd59ee6420709d037e26a185695e819535c793ffbe849e63637725e9ebdf487b57bb8f1ec3b4852e93954551

Download Submit
C:\Users\Admin\AppData\Local\Temp\Terrace

Filesize
50KB

MD5
6f3b4f30afb0c2fc164daaee95348815

SHA1
c59e8d78f11d5af9aca282d52752c0846292d5e6

SHA256
987fdfe4cb214563ecd4ba6d1990284e485a7701c323c1564d9d4afd3554c890

SHA512
ce51ba253dc008b82ae51ac797362f93515b1ef481d6189f596f74c1172379bfa4bb86aa713ea62520a11c24281047aaee0d203d48fa1f3dcdc5121fff385809

Download Submit
C:\Users\Admin\AppData\Local\Temp\Visa

Filesize
137KB

MD5
0fffca2125ec2d790c02b2bcd12ec8aa

SHA1
55883ab44b36fa0efe4747e2653786fbda5b60a5

SHA256
9dc03047dec2d31586916298828447b291b3eadae317bab07f8917e4bf4dde96

SHA512
53d6bb959d2d5ad5b3be4dde2b6c877eee4ae65e411f095bad980fc6ee58f49437dc8503186d544ab60aa6824cd70e616bf79cc13b713e27c5f75640db8ed70f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Welding

Filesize
83KB

MD5
9a2d8d245f55c0918e6a7e8b9e22ed25

SHA1
827ace99c5e1570e3ea912e67dcf7ef6851c3ee1

SHA256
e252cd74c35df37627de02488911ecfc1d57320be7dec21a7de03ccb9664d84b

SHA512
076fba85e84cb31486a947e31c39464e08faacdad7b26645699f39fbe6f3d6bc6a7b926f46909f227e9c78f2ce8d9c2af0871e057db10345504db2226a2272c1

Download Submit
memory/1884-580-0x0000000003A50000-0x0000000003AAB000-memory.dmp

Filesize
364KB

Download
memory/1884-581-0x0000000003A50000-0x0000000003AAB000-memory.dmp

Filesize
364KB

Download
memory/1884-582-0x0000000003A50000-0x0000000003AAB000-memory.dmp

Filesize
364KB

Download
memory/1884-584-0x0000000003A50000-0x0000000003AAB000-memory.dmp

Filesize
364KB

Download
memory/1884-583-0x0000000003A50000-0x0000000003AAB000-memory.dmp

Filesize
364KB

Download